]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Copyright (c) 2007-2010 Apple Inc. All rights reserved. | |
3 | * | |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ | |
5 | * | |
6 | * This file contains Original Code and/or Modifications of Original Code | |
7 | * as defined in and that are subject to the Apple Public Source License | |
8 | * Version 2.0 (the 'License'). You may not use this file except in | |
9 | * compliance with the License. The rights granted to you under the License | |
10 | * may not be used to create, or enable the creation or redistribution of, | |
11 | * unlawful or unlicensed copies of an Apple operating system, or to | |
12 | * circumvent, violate, or enable the circumvention or violation of, any | |
13 | * terms of an Apple operating system software license agreement. | |
14 | * | |
15 | * Please obtain a copy of the License at | |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. | |
17 | * | |
18 | * The Original Code and all software distributed under the License are | |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. | |
23 | * Please see the License for the specific language governing rights and | |
24 | * limitations under the License. | |
25 | * | |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ | |
27 | */ | |
28 | /*- | |
29 | * Copyright (c) 1999-2002 Robert N. M. Watson | |
30 | * Copyright (c) 2001-2005 Networks Associates Technology, Inc. | |
31 | * Copyright (c) 2005-2007 SPARTA, Inc. | |
32 | * All rights reserved. | |
33 | * | |
34 | * This software was developed by Robert Watson for the TrustedBSD Project. | |
35 | * | |
36 | * This software was developed for the FreeBSD Project in part by Network | |
37 | * Associates Laboratories, the Security Research Division of Network | |
38 | * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), | |
39 | * as part of the DARPA CHATS research program. | |
40 | * | |
41 | * This software was enhanced by SPARTA ISSO under SPAWAR contract | |
42 | * N66001-04-C-6019 ("SEFOS"). | |
43 | * | |
44 | * Redistribution and use in source and binary forms, with or without | |
45 | * modification, are permitted provided that the following conditions | |
46 | * are met: | |
47 | * 1. Redistributions of source code must retain the above copyright | |
48 | * notice, this list of conditions and the following disclaimer. | |
49 | * 2. Redistributions in binary form must reproduce the above copyright | |
50 | * notice, this list of conditions and the following disclaimer in the | |
51 | * documentation and/or other materials provided with the distribution. | |
52 | * | |
53 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | |
54 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
55 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
56 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
57 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
58 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
59 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
60 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
61 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
62 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
63 | * SUCH DAMAGE. | |
64 | * | |
65 | * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $ | |
66 | */ | |
67 | ||
68 | /** | |
69 | @file mac_policy.h | |
70 | @brief Kernel Interfaces for MAC policy modules | |
71 | ||
72 | This header defines the list of operations that are defined by the | |
73 | TrustedBSD MAC Framwork on Darwin. MAC Policy modules register | |
74 | with the framework to declare interest in a specific set of | |
75 | operations. If interest in an entry point is not declared, then | |
76 | the policy will be ignored when the Framework evaluates that entry | |
77 | point. | |
78 | */ | |
79 | ||
80 | #ifndef _SECURITY_MAC_POLICY_H_ | |
81 | #define _SECURITY_MAC_POLICY_H_ | |
82 | ||
83 | #ifndef PRIVATE | |
84 | #warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version" | |
85 | #endif | |
86 | ||
87 | #include <security/_label.h> | |
88 | ||
89 | struct attrlist; | |
90 | struct auditinfo; | |
91 | struct bpf_d; | |
92 | struct devnode; | |
93 | struct fileglob; | |
94 | struct ifnet; | |
95 | struct inpcb; | |
96 | struct ipq; | |
97 | struct label; | |
98 | struct lctx; | |
99 | struct mac_module_data; | |
100 | struct mac_policy_conf; | |
101 | struct mbuf; | |
102 | struct mount; | |
103 | struct msg; | |
104 | struct msqid_kernel; | |
105 | struct pipe; | |
106 | struct pseminfo; | |
107 | struct pshminfo; | |
108 | struct sbuf; | |
109 | struct semid_kernel; | |
110 | struct shmid_kernel; | |
111 | struct socket; | |
112 | struct sockopt; | |
113 | struct task; | |
114 | struct thread; | |
115 | struct tty; | |
116 | struct ucred; | |
117 | struct vfs_attr; | |
118 | struct vnode; | |
119 | /** @struct dummy */ | |
120 | ||
121 | ||
122 | ||
123 | #ifndef _KAUTH_CRED_T | |
124 | #define _KAUTH_CRED_T | |
125 | typedef struct ucred *kauth_cred_t; | |
126 | #endif /* !_KAUTH_CRED_T */ | |
127 | ||
128 | #ifndef __IOKIT_PORTS_DEFINED__ | |
129 | #define __IOKIT_PORTS_DEFINED__ | |
130 | #ifdef __cplusplus | |
131 | class OSObject; | |
132 | typedef OSObject *io_object_t; | |
133 | #else | |
134 | struct OSObject; | |
135 | typedef struct OSObject *io_object_t; | |
136 | #endif | |
137 | #endif /* __IOKIT_PORTS_DEFINED__ */ | |
138 | ||
139 | /*- | |
140 | * MAC entry points are generally named using the following template: | |
141 | * | |
142 | * mpo_<object>_<operation>() | |
143 | * | |
144 | * or: | |
145 | * | |
146 | * mpo_<object>_check_<operation>() | |
147 | * | |
148 | * Entry points are sorted by object type. | |
149 | * | |
150 | * It may be desirable also to consider some subsystems as "objects", such | |
151 | * as system, iokit, etc. | |
152 | */ | |
153 | ||
154 | /** | |
155 | @name Entry Points for Label Management | |
156 | ||
157 | These are the entry points corresponding to the life cycle events for | |
158 | kernel objects, such as initialization, creation, and destruction. | |
159 | ||
160 | Most policies (that use labels) will initialize labels by allocating | |
161 | space for policy-specific data. In most cases, it is permitted to | |
162 | sleep during label initialization operations; it will be noted when | |
163 | it is not permitted. | |
164 | ||
165 | Initialization usually will not require doing more than allocating a | |
166 | generic label for the given object. What follows initialization is | |
167 | creation, where a label is made specific to the object it is associated | |
168 | with. Destruction occurs when the label is no longer needed, such as | |
169 | when the corresponding object is destroyed. All necessary cleanup should | |
170 | be performed in label destroy operations. | |
171 | ||
172 | Where possible, the label entry points have identical parameters. If | |
173 | the policy module does not require structure-specific label | |
174 | information, the same function may be registered in the policy | |
175 | operation vector. Many policies will implement two such generic | |
176 | allocation calls: one to handle sleepable requests, and one to handle | |
177 | potentially non-sleepable requests. | |
178 | */ | |
179 | ||
180 | ||
181 | /** | |
182 | @brief Audit event postselection | |
183 | @param cred Subject credential | |
184 | @param syscode Syscall number | |
185 | @param args Syscall arguments | |
186 | @param error Syscall errno | |
187 | @param retval Syscall return value | |
188 | ||
189 | This is the MAC Framework audit postselect, which is called before | |
190 | exiting a syscall to determine if an audit event should be committed. | |
191 | A return value of MAC_AUDIT_NO forces the audit record to be suppressed. | |
192 | Any other return value results in the audit record being committed. | |
193 | ||
194 | @warning The suppression behavior will probably go away in Apple's | |
195 | future version of the audit implementation. | |
196 | ||
197 | @return Return MAC_AUDIT_NO to force suppression of the audit record. | |
198 | Any other value results in the audit record being committed. | |
199 | ||
200 | */ | |
201 | typedef int mpo_audit_check_postselect_t( | |
202 | kauth_cred_t cred, | |
203 | unsigned short syscode, | |
204 | void *args, | |
205 | int error, | |
206 | int retval | |
207 | ); | |
208 | /** | |
209 | @brief Audit event preselection | |
210 | @param cred Subject credential | |
211 | @param syscode Syscall number | |
212 | @param args Syscall arguments | |
213 | ||
214 | This is the MAC Framework audit preselect, which is called before a | |
215 | syscall is entered to determine if an audit event should be created. | |
216 | If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be | |
217 | returned. A return value of MAC_AUDIT_NO causes the audit record to | |
218 | be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants | |
219 | to defer to the system's existing preselection mechanism. | |
220 | ||
221 | When policies return different preferences, the Framework decides what action | |
222 | to take based on the following policy. If any policy returns MAC_AUDIT_YES, | |
223 | then create an audit record, else if any policy returns MAC_AUDIT_NO, then | |
224 | suppress the creations of an audit record, else defer to the system's | |
225 | existing preselection mechanism. | |
226 | ||
227 | @warning The audit implementation in Apple's current version is | |
228 | incomplete, so the MAC policies have priority over the system's existing | |
229 | mechanisms. This will probably change in the future version where | |
230 | the audit implementation is more complete. | |
231 | ||
232 | @return Return MAC_AUDIT_YES to force auditing of the syscall, | |
233 | MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT | |
234 | to allow auditing mechanisms to determine if the syscall is audited. | |
235 | ||
236 | */ | |
237 | typedef int mpo_audit_check_preselect_t( | |
238 | kauth_cred_t cred, | |
239 | unsigned short syscode, | |
240 | void *args | |
241 | ); | |
242 | /** | |
243 | @brief Initialize BPF descriptor label | |
244 | @param label New label to initialize | |
245 | ||
246 | Initialize the label for a newly instantiated BPF descriptor. | |
247 | Sleeping is permitted. | |
248 | */ | |
249 | typedef void mpo_bpfdesc_label_init_t( | |
250 | struct label *label | |
251 | ); | |
252 | /** | |
253 | @brief Destroy BPF descriptor label | |
254 | @param label The label to be destroyed | |
255 | ||
256 | Destroy a BPF descriptor label. Since the BPF descriptor | |
257 | is going out of scope, policy modules should free any internal | |
258 | storage associated with the label so that it may be destroyed. | |
259 | */ | |
260 | typedef void mpo_bpfdesc_label_destroy_t( | |
261 | struct label *label | |
262 | ); | |
263 | /** | |
264 | @brief Associate a BPF descriptor with a label | |
265 | @param cred User credential creating the BPF descriptor | |
266 | @param bpf_d The BPF descriptor | |
267 | @param bpflabel The new label | |
268 | ||
269 | Set the label on a newly created BPF descriptor from the passed | |
270 | subject credential. This call will be made when a BPF device node | |
271 | is opened by a process with the passed subject credential. | |
272 | */ | |
273 | typedef void mpo_bpfdesc_label_associate_t( | |
274 | kauth_cred_t cred, | |
275 | struct bpf_d *bpf_d, | |
276 | struct label *bpflabel | |
277 | ); | |
278 | /** | |
279 | @brief Check whether BPF can read from a network interface | |
280 | @param bpf_d Subject; the BPF descriptor | |
281 | @param bpflabel Policy label for bpf_d | |
282 | @param ifp Object; the network interface | |
283 | @param ifnetlabel Policy label for ifp | |
284 | ||
285 | Determine whether the MAC framework should permit datagrams from | |
286 | the passed network interface to be delivered to the buffers of | |
287 | the passed BPF descriptor. Return (0) for success, or an errno | |
288 | value for failure. Suggested failure: EACCES for label mismatches, | |
289 | EPERM for lack of privilege. | |
290 | */ | |
291 | typedef int mpo_bpfdesc_check_receive_t( | |
292 | struct bpf_d *bpf_d, | |
293 | struct label *bpflabel, | |
294 | struct ifnet *ifp, | |
295 | struct label *ifnetlabel | |
296 | ); | |
297 | /** | |
298 | @brief Indicate desire to change the process label at exec time | |
299 | @param old Existing subject credential | |
300 | @param vp File being executed | |
301 | @param offset Offset of binary within file being executed | |
302 | @param scriptvp Script being executed by interpreter, if any. | |
303 | @param vnodelabel Label corresponding to vp | |
304 | @param scriptvnodelabel Script vnode label | |
305 | @param execlabel Userspace provided execution label | |
306 | @param proc Object process | |
307 | @param macpolicyattr MAC policy-specific spawn attribute data | |
308 | @param macpolicyattrlen Length of policy-specific spawn attribute data | |
309 | @see mac_execve | |
310 | @see mpo_cred_label_update_execve_t | |
311 | @see mpo_vnode_check_exec_t | |
312 | ||
313 | Indicate whether this policy intends to update the label of a newly | |
314 | created credential from the existing subject credential (old). This | |
315 | call occurs when a process executes the passed vnode. If a policy | |
316 | returns success from this entry point, the mpo_cred_label_update_execve | |
317 | entry point will later be called with the same parameters. Access | |
318 | has already been checked via the mpo_vnode_check_exec entry point, | |
319 | this entry point is necessary to preserve kernel locking constraints | |
320 | during program execution. | |
321 | ||
322 | The supplied vnode and vnodelabel correspond with the file actually | |
323 | being executed; in the case that the file is interpreted (for | |
324 | example, a script), the label of the original exec-time vnode has | |
325 | been preserved in scriptvnodelabel. | |
326 | ||
327 | The final label, execlabel, corresponds to a label supplied by a | |
328 | user space application through the use of the mac_execve system call. | |
329 | ||
330 | The vnode lock is held during this operation. No changes should be | |
331 | made to the old credential structure. | |
332 | ||
333 | @warning Even if a policy returns 0, it should behave correctly in | |
334 | the presence of an invocation of mpo_cred_label_update_execve, as that | |
335 | call may happen as a result of another policy requesting a transition. | |
336 | ||
337 | @return Non-zero if a transition is required, 0 otherwise. | |
338 | */ | |
339 | typedef int mpo_cred_check_label_update_execve_t( | |
340 | kauth_cred_t old, | |
341 | struct vnode *vp, | |
342 | off_t offset, | |
343 | struct vnode *scriptvp, | |
344 | struct label *vnodelabel, | |
345 | struct label *scriptvnodelabel, | |
346 | struct label *execlabel, | |
347 | struct proc *p, | |
348 | void *macpolicyattr, | |
349 | size_t macpolicyattrlen | |
350 | ); | |
351 | /** | |
352 | @brief Access control check for relabelling processes | |
353 | @param cred Subject credential | |
354 | @param newlabel New label to apply to the user credential | |
355 | @see mpo_cred_label_update_t | |
356 | @see mac_set_proc | |
357 | ||
358 | Determine whether the subject identified by the credential can relabel | |
359 | itself to the supplied new label (newlabel). This access control check | |
360 | is called when the mac_set_proc system call is invoked. A user space | |
361 | application will supply a new value, the value will be internalized | |
362 | and provided in newlabel. | |
363 | ||
364 | @return Return 0 if access is granted, otherwise an appropriate value for | |
365 | errno should be returned. | |
366 | */ | |
367 | typedef int mpo_cred_check_label_update_t( | |
368 | kauth_cred_t cred, | |
369 | struct label *newlabel | |
370 | ); | |
371 | /** | |
372 | @brief Access control check for visibility of other subjects | |
373 | @param u1 Subject credential | |
374 | @param u2 Object credential | |
375 | ||
376 | Determine whether the subject identified by the credential u1 can | |
377 | "see" other subjects with the passed subject credential u2. This call | |
378 | may be made in a number of situations, including inter-process status | |
379 | sysctls used by ps, and in procfs lookups. | |
380 | ||
381 | @return Return 0 if access is granted, otherwise an appropriate value for | |
382 | errno should be returned. Suggested failure: EACCES for label mismatch, | |
383 | EPERM for lack of privilege, or ESRCH to hide visibility. | |
384 | */ | |
385 | typedef int mpo_cred_check_visible_t( | |
386 | kauth_cred_t u1, | |
387 | kauth_cred_t u2 | |
388 | ); | |
389 | /** | |
390 | @brief Associate a credential with a new process at fork | |
391 | @param cred credential to inherited by new process | |
392 | @param proc the new process | |
393 | ||
394 | Allow a process to associate the credential with a new | |
395 | process for reference countng purposes. | |
396 | NOTE: the credential can be dis-associated in ways other | |
397 | than exit - so this strategy is flawed - should just | |
398 | catch label destroy callback. | |
399 | */ | |
400 | typedef void mpo_cred_label_associate_fork_t( | |
401 | kauth_cred_t cred, | |
402 | proc_t proc | |
403 | ); | |
404 | /** | |
405 | @brief Create the first process | |
406 | @param cred Subject credential to be labeled | |
407 | ||
408 | Create the subject credential of process 0, the parent of all BSD | |
409 | kernel processes. Policies should update the label in the | |
410 | previously initialized credential structure. | |
411 | */ | |
412 | typedef void mpo_cred_label_associate_kernel_t( | |
413 | kauth_cred_t cred | |
414 | ); | |
415 | /** | |
416 | @brief Create a credential label | |
417 | @param parent_cred Parent credential | |
418 | @param child_cred Child credential | |
419 | ||
420 | Set the label of a newly created credential, most likely using the | |
421 | information in the supplied parent credential. | |
422 | ||
423 | @warning This call is made when crcopy or crdup is invoked on a | |
424 | newly created struct ucred, and should not be confused with a | |
425 | process fork or creation event. | |
426 | */ | |
427 | typedef void mpo_cred_label_associate_t( | |
428 | kauth_cred_t parent_cred, | |
429 | kauth_cred_t child_cred | |
430 | ); | |
431 | /** | |
432 | @brief Create the first process | |
433 | @param cred Subject credential to be labeled | |
434 | ||
435 | Create the subject credential of process 1, the parent of all BSD | |
436 | user processes. Policies should update the label in the previously | |
437 | initialized credential structure. This is the 'init' process. | |
438 | */ | |
439 | typedef void mpo_cred_label_associate_user_t( | |
440 | kauth_cred_t cred | |
441 | ); | |
442 | /** | |
443 | @brief Destroy credential label | |
444 | @param label The label to be destroyed | |
445 | ||
446 | Destroy a user credential label. Since the user credential | |
447 | is going out of scope, policy modules should free any internal | |
448 | storage associated with the label so that it may be destroyed. | |
449 | */ | |
450 | typedef void mpo_cred_label_destroy_t( | |
451 | struct label *label | |
452 | ); | |
453 | /** | |
454 | @brief Externalize a user credential label for auditing | |
455 | @param label Label to be externalized | |
456 | @param element_name Name of the label namespace for which labels should be | |
457 | externalized | |
458 | @param sb String buffer to be filled with a text representation of the label | |
459 | ||
460 | Produce an external representation of the label on a user credential for | |
461 | inclusion in an audit record. An externalized label consists of a text | |
462 | representation of the label contents that will be added to the audit record | |
463 | as part of a text token. Policy-agnostic user space tools will display | |
464 | this externalized version. | |
465 | ||
466 | @return 0 on success, return non-zero if an error occurs while | |
467 | externalizing the label data. | |
468 | ||
469 | */ | |
470 | typedef int mpo_cred_label_externalize_audit_t( | |
471 | struct label *label, | |
472 | char *element_name, | |
473 | struct sbuf *sb | |
474 | ); | |
475 | /** | |
476 | @brief Externalize a user credential label | |
477 | @param label Label to be externalized | |
478 | @param element_name Name of the label namespace for which labels should be | |
479 | externalized | |
480 | @param sb String buffer to be filled with a text representation of the label | |
481 | ||
482 | Produce an external representation of the label on a user | |
483 | credential. An externalized label consists of a text representation | |
484 | of the label contents that can be used with user applications. | |
485 | Policy-agnostic user space tools will display this externalized | |
486 | version. | |
487 | ||
488 | @return 0 on success, return non-zero if an error occurs while | |
489 | externalizing the label data. | |
490 | ||
491 | */ | |
492 | typedef int mpo_cred_label_externalize_t( | |
493 | struct label *label, | |
494 | char *element_name, | |
495 | struct sbuf *sb | |
496 | ); | |
497 | /** | |
498 | @brief Initialize user credential label | |
499 | @param label New label to initialize | |
500 | ||
501 | Initialize the label for a newly instantiated user credential. | |
502 | Sleeping is permitted. | |
503 | */ | |
504 | typedef void mpo_cred_label_init_t( | |
505 | struct label *label | |
506 | ); | |
507 | /** | |
508 | @brief Internalize a user credential label | |
509 | @param label Label to be internalized | |
510 | @param element_name Name of the label namespace for which the label should | |
511 | be internalized | |
512 | @param element_data Text data to be internalized | |
513 | ||
514 | Produce a user credential label from an external representation. An | |
515 | externalized label consists of a text representation of the label | |
516 | contents that can be used with user applications. Policy-agnostic | |
517 | user space tools will forward text version to the kernel for | |
518 | processing by individual policy modules. | |
519 | ||
520 | The policy's internalize entry points will be called only if the | |
521 | policy has registered interest in the label namespace. | |
522 | ||
523 | @return 0 on success, Otherwise, return non-zero if an error occurs | |
524 | while internalizing the label data. | |
525 | ||
526 | */ | |
527 | typedef int mpo_cred_label_internalize_t( | |
528 | struct label *label, | |
529 | char *element_name, | |
530 | char *element_data | |
531 | ); | |
532 | /** | |
533 | @brief Update credential at exec time | |
534 | @param old_cred Existing subject credential | |
535 | @param new_cred New subject credential to be labeled | |
536 | @param p Object process. | |
537 | @param vp File being executed | |
538 | @param offset Offset of binary within file being executed | |
539 | @param scriptvp Script being executed by interpreter, if any. | |
540 | @param vnodelabel Label corresponding to vp | |
541 | @param scriptvnodelabel Script vnode label | |
542 | @param execlabel Userspace provided execution label | |
543 | @param csflags Code signing flags to be set after exec | |
544 | @param macpolicyattr MAC policy-specific spawn attribute data. | |
545 | @param macpolicyattrlen Length of policy-specific spawn attribute data. | |
546 | @see mac_execve | |
547 | @see mpo_cred_check_label_update_execve_t | |
548 | @see mpo_vnode_check_exec_t | |
549 | ||
550 | Update the label of a newly created credential (new) from the | |
551 | existing subject credential (old). This call occurs when a process | |
552 | executes the passed vnode and one of the loaded policy modules has | |
553 | returned success from the mpo_cred_check_label_update_execve entry point. | |
554 | Access has already been checked via the mpo_vnode_check_exec entry | |
555 | point, this entry point is only used to update any policy state. | |
556 | ||
557 | The supplied vnode and vnodelabel correspond with the file actually | |
558 | being executed; in the case that the file is interpreted (for | |
559 | example, a script), the label of the original exec-time vnode has | |
560 | been preserved in scriptvnodelabel. | |
561 | ||
562 | The final label, execlabel, corresponds to a label supplied by a | |
563 | user space application through the use of the mac_execve system call. | |
564 | ||
565 | If non-NULL, the value pointed to by disjointp will be set to 0 to | |
566 | indicate that the old and new credentials are not disjoint, or 1 to | |
567 | indicate that they are. | |
568 | ||
569 | The vnode lock is held during this operation. No changes should be | |
570 | made to the old credential structure. | |
571 | @return 0 on success, Otherwise, return non-zero if update results in | |
572 | termination of child. | |
573 | */ | |
574 | typedef int mpo_cred_label_update_execve_t( | |
575 | kauth_cred_t old_cred, | |
576 | kauth_cred_t new_cred, | |
577 | struct proc *p, | |
578 | struct vnode *vp, | |
579 | off_t offset, | |
580 | struct vnode *scriptvp, | |
581 | struct label *vnodelabel, | |
582 | struct label *scriptvnodelabel, | |
583 | struct label *execlabel, | |
584 | u_int *csflags, | |
585 | void *macpolicyattr, | |
586 | size_t macpolicyattrlen, | |
587 | int *disjointp | |
588 | ); | |
589 | /** | |
590 | @brief Update a credential label | |
591 | @param cred The existing credential | |
592 | @param newlabel A new label to apply to the credential | |
593 | @see mpo_cred_check_label_update_t | |
594 | @see mac_set_proc | |
595 | ||
596 | Update the label on a user credential, using the supplied new label. | |
597 | This is called as a result of a process relabel operation. Access | |
598 | control was already confirmed by mpo_cred_check_label_update. | |
599 | */ | |
600 | typedef void mpo_cred_label_update_t( | |
601 | kauth_cred_t cred, | |
602 | struct label *newlabel | |
603 | ); | |
604 | /** | |
605 | @brief Create a new devfs device | |
606 | @param dev Major and minor numbers of special file | |
607 | @param de "inode" of new device file | |
608 | @param label Destination label | |
609 | @param fullpath Path relative to mount (e.g. /dev) of new device file | |
610 | ||
611 | This entry point labels a new devfs device. The label will likely be based | |
612 | on the path to the device, or the major and minor numbers. | |
613 | The policy should store an appropriate label into 'label'. | |
614 | */ | |
615 | typedef void mpo_devfs_label_associate_device_t( | |
616 | dev_t dev, | |
617 | struct devnode *de, | |
618 | struct label *label, | |
619 | const char *fullpath | |
620 | ); | |
621 | /** | |
622 | @brief Create a new devfs directory | |
623 | @param dirname Name of new directory | |
624 | @param dirnamelen Length of 'dirname' | |
625 | @param de "inode" of new directory | |
626 | @param label Destination label | |
627 | @param fullpath Path relative to mount (e.g. /dev) of new directory | |
628 | ||
629 | This entry point labels a new devfs directory. The label will likely be | |
630 | based on the path of the new directory. The policy should store an appropriate | |
631 | label into 'label'. The devfs root directory is labelled in this way. | |
632 | */ | |
633 | typedef void mpo_devfs_label_associate_directory_t( | |
634 | const char *dirname, | |
635 | int dirnamelen, | |
636 | struct devnode *de, | |
637 | struct label *label, | |
638 | const char *fullpath | |
639 | ); | |
640 | /** | |
641 | @brief Copy a devfs label | |
642 | @param src Source devfs label | |
643 | @param dest Destination devfs label | |
644 | ||
645 | Copy the label information from src to dest. The devfs file system | |
646 | often duplicates (splits) existing device nodes rather than creating | |
647 | new ones. | |
648 | */ | |
649 | typedef void mpo_devfs_label_copy_t( | |
650 | struct label *src, | |
651 | struct label *dest | |
652 | ); | |
653 | /** | |
654 | @brief Destroy devfs label | |
655 | @param label The label to be destroyed | |
656 | ||
657 | Destroy a devfs entry label. Since the object is going out | |
658 | of scope, policy modules should free any internal storage associated | |
659 | with the label so that it may be destroyed. | |
660 | */ | |
661 | typedef void mpo_devfs_label_destroy_t( | |
662 | struct label *label | |
663 | ); | |
664 | /** | |
665 | @brief Initialize devfs label | |
666 | @param label New label to initialize | |
667 | ||
668 | Initialize the label for a newly instantiated devfs entry. Sleeping | |
669 | is permitted. | |
670 | */ | |
671 | typedef void mpo_devfs_label_init_t( | |
672 | struct label *label | |
673 | ); | |
674 | /** | |
675 | @brief Update a devfs label after relabelling its vnode | |
676 | @param mp Devfs mount point | |
677 | @param de Affected devfs directory entry | |
678 | @param delabel Label of devfs directory entry | |
679 | @param vp Vnode associated with de | |
680 | @param vnodelabel New label of vnode | |
681 | ||
682 | Update a devfs label when its vnode is manually relabelled, | |
683 | for example with setfmac(1). Typically, this will simply copy | |
684 | the vnode label into the devfs label. | |
685 | */ | |
686 | typedef void mpo_devfs_label_update_t( | |
687 | struct mount *mp, | |
688 | struct devnode *de, | |
689 | struct label *delabel, | |
690 | struct vnode *vp, | |
691 | struct label *vnodelabel | |
692 | ); | |
693 | /** | |
694 | @brief Access control for changing the offset of a file descriptor | |
695 | @param cred Subject credential | |
696 | @param fg Fileglob structure | |
697 | @param label Policy label for fg | |
698 | ||
699 | Determine whether the subject identified by the credential can | |
700 | change the offset of the file represented by fg. | |
701 | ||
702 | @return Return 0 if access if granted, otherwise an appropriate | |
703 | value for errno should be returned. | |
704 | */ | |
705 | typedef int mpo_file_check_change_offset_t( | |
706 | kauth_cred_t cred, | |
707 | struct fileglob *fg, | |
708 | struct label *label | |
709 | ); | |
710 | /** | |
711 | @brief Access control for creating a file descriptor | |
712 | @param cred Subject credential | |
713 | ||
714 | Determine whether the subject identified by the credential can | |
715 | allocate a new file descriptor. | |
716 | ||
717 | @return Return 0 if access if granted, otherwise an appropriate | |
718 | value for errno should be returned. | |
719 | */ | |
720 | typedef int mpo_file_check_create_t( | |
721 | kauth_cred_t cred | |
722 | ); | |
723 | /** | |
724 | @brief Access control for duplicating a file descriptor | |
725 | @param cred Subject credential | |
726 | @param fg Fileglob structure | |
727 | @param label Policy label for fg | |
728 | @param newfd New file descriptor number | |
729 | ||
730 | Determine whether the subject identified by the credential can | |
731 | duplicate the fileglob structure represented by fg and as file | |
732 | descriptor number newfd. | |
733 | ||
734 | @return Return 0 if access if granted, otherwise an appropriate | |
735 | value for errno should be returned. | |
736 | */ | |
737 | typedef int mpo_file_check_dup_t( | |
738 | kauth_cred_t cred, | |
739 | struct fileglob *fg, | |
740 | struct label *label, | |
741 | int newfd | |
742 | ); | |
743 | /** | |
744 | @brief Access control check for fcntl | |
745 | @param cred Subject credential | |
746 | @param fg Fileglob structure | |
747 | @param label Policy label for fg | |
748 | @param cmd Control operation to be performed; see fcntl(2) | |
749 | @param arg fcnt arguments; see fcntl(2) | |
750 | ||
751 | Determine whether the subject identified by the credential can perform | |
752 | the file control operation indicated by cmd. | |
753 | ||
754 | @return Return 0 if access is granted, otherwise an appropriate value for | |
755 | errno should be returned. | |
756 | */ | |
757 | typedef int mpo_file_check_fcntl_t( | |
758 | kauth_cred_t cred, | |
759 | struct fileglob *fg, | |
760 | struct label *label, | |
761 | int cmd, | |
762 | user_long_t arg | |
763 | ); | |
764 | /** | |
765 | @brief Access control check for mac_get_fd | |
766 | @param cred Subject credential | |
767 | @param fg Fileglob structure | |
768 | @param elements Element buffer | |
769 | @param len Length of buffer | |
770 | ||
771 | Determine whether the subject identified by the credential should be allowed | |
772 | to get an externalized version of the label on the object indicated by fd. | |
773 | ||
774 | @return Return 0 if access is granted, otherwise an appropriate value for | |
775 | errno should be returned. | |
776 | */ | |
777 | typedef int mpo_file_check_get_t( | |
778 | kauth_cred_t cred, | |
779 | struct fileglob *fg, | |
780 | char *elements, | |
781 | int len | |
782 | ); | |
783 | /** | |
784 | @brief Access control for getting the offset of a file descriptor | |
785 | @param cred Subject credential | |
786 | @param fg Fileglob structure | |
787 | @param label Policy label for fg | |
788 | ||
789 | Determine whether the subject identified by the credential can | |
790 | get the offset of the file represented by fg. | |
791 | ||
792 | @return Return 0 if access if granted, otherwise an appropriate | |
793 | value for errno should be returned. | |
794 | */ | |
795 | typedef int mpo_file_check_get_offset_t( | |
796 | kauth_cred_t cred, | |
797 | struct fileglob *fg, | |
798 | struct label *label | |
799 | ); | |
800 | /** | |
801 | @brief Access control for inheriting a file descriptor | |
802 | @param cred Subject credential | |
803 | @param fg Fileglob structure | |
804 | @param label Policy label for fg | |
805 | ||
806 | Determine whether the subject identified by the credential can | |
807 | inherit the fileglob structure represented by fg. | |
808 | ||
809 | @return Return 0 if access if granted, otherwise an appropriate | |
810 | value for errno should be returned. | |
811 | */ | |
812 | typedef int mpo_file_check_inherit_t( | |
813 | kauth_cred_t cred, | |
814 | struct fileglob *fg, | |
815 | struct label *label | |
816 | ); | |
817 | /** | |
818 | @brief Access control check for file ioctl | |
819 | @param cred Subject credential | |
820 | @param fg Fileglob structure | |
821 | @param label Policy label for fg | |
822 | @param cmd The ioctl command; see ioctl(2) | |
823 | ||
824 | Determine whether the subject identified by the credential can perform | |
825 | the ioctl operation indicated by cmd. | |
826 | ||
827 | @warning Since ioctl data is opaque from the standpoint of the MAC | |
828 | framework, policies must exercise extreme care when implementing | |
829 | access control checks. | |
830 | ||
831 | @return Return 0 if access is granted, otherwise an appropriate value for | |
832 | errno should be returned. | |
833 | ||
834 | */ | |
835 | typedef int mpo_file_check_ioctl_t( | |
836 | kauth_cred_t cred, | |
837 | struct fileglob *fg, | |
838 | struct label *label, | |
839 | unsigned int cmd | |
840 | ); | |
841 | /** | |
842 | @brief Access control check for file locking | |
843 | @param cred Subject credential | |
844 | @param fg Fileglob structure | |
845 | @param label Policy label for fg | |
846 | @param op The lock operation (F_GETLK, F_SETLK, F_UNLK) | |
847 | @param fl The flock structure | |
848 | ||
849 | Determine whether the subject identified by the credential can perform | |
850 | the lock operation indicated by op and fl on the file represented by fg. | |
851 | ||
852 | @return Return 0 if access is granted, otherwise an appropriate value for | |
853 | errno should be returned. | |
854 | ||
855 | */ | |
856 | typedef int mpo_file_check_lock_t( | |
857 | kauth_cred_t cred, | |
858 | struct fileglob *fg, | |
859 | struct label *label, | |
860 | int op, | |
861 | struct flock *fl | |
862 | ); | |
863 | /** | |
864 | @brief Access control check for mapping a file | |
865 | @param cred Subject credential | |
866 | @param fg fileglob representing file to map | |
867 | @param label Policy label associated with vp | |
868 | @param prot mmap protections; see mmap(2) | |
869 | @param flags Type of mapped object; see mmap(2) | |
870 | @param maxprot Maximum rights | |
871 | ||
872 | Determine whether the subject identified by the credential should be | |
873 | allowed to map the file represented by fg with the protections specified | |
874 | in prot. The maxprot field holds the maximum permissions on the new | |
875 | mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. | |
876 | To avoid overriding prior access control checks, a policy should only | |
877 | remove flags from maxprot. | |
878 | ||
879 | @return Return 0 if access is granted, otherwise an appropriate value for | |
880 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
881 | EPERM for lack of privilege. | |
882 | */ | |
883 | typedef int mpo_file_check_mmap_t( | |
884 | kauth_cred_t cred, | |
885 | struct fileglob *fg, | |
886 | struct label *label, | |
887 | int prot, | |
888 | int flags, | |
889 | int *maxprot | |
890 | ); | |
891 | /** | |
892 | @brief Downgrade the mmap protections | |
893 | @param cred Subject credential | |
894 | @param fg file to map | |
895 | @param label Policy label associated with vp | |
896 | @param prot mmap protections to be downgraded | |
897 | ||
898 | Downgrade the mmap protections based on the subject and object labels. | |
899 | */ | |
900 | typedef void mpo_file_check_mmap_downgrade_t( | |
901 | kauth_cred_t cred, | |
902 | struct fileglob *fg, | |
903 | struct label *label, | |
904 | int *prot | |
905 | ); | |
906 | /** | |
907 | @brief Access control for receiving a file descriptor | |
908 | @param cred Subject credential | |
909 | @param fg Fileglob structure | |
910 | @param label Policy label for fg | |
911 | ||
912 | Determine whether the subject identified by the credential can | |
913 | receive the fileglob structure represented by fg. | |
914 | ||
915 | @return Return 0 if access if granted, otherwise an appropriate | |
916 | value for errno should be returned. | |
917 | */ | |
918 | typedef int mpo_file_check_receive_t( | |
919 | kauth_cred_t cred, | |
920 | struct fileglob *fg, | |
921 | struct label *label | |
922 | ); | |
923 | /** | |
924 | @brief Access control check for mac_set_fd | |
925 | @param cred Subject credential | |
926 | @param fg Fileglob structure | |
927 | @param elements Elements buffer | |
928 | @param len Length of elements buffer | |
929 | ||
930 | Determine whether the subject identified by the credential can | |
931 | perform the mac_set_fd operation. The mac_set_fd operation is used | |
932 | to associate a MAC label with a file. | |
933 | ||
934 | @return Return 0 if access is granted, otherwise an appropriate value for | |
935 | errno should be returned. | |
936 | */ | |
937 | typedef int mpo_file_check_set_t( | |
938 | kauth_cred_t cred, | |
939 | struct fileglob *fg, | |
940 | char *elements, | |
941 | int len | |
942 | ); | |
943 | /** | |
944 | @brief Create file label | |
945 | @param cred Subject credential | |
946 | @param fg Fileglob structure | |
947 | @param label Policy label for fg | |
948 | */ | |
949 | typedef void mpo_file_label_associate_t( | |
950 | kauth_cred_t cred, | |
951 | struct fileglob *fg, | |
952 | struct label *label | |
953 | ); | |
954 | /** | |
955 | @brief Destroy file label | |
956 | @param label The label to be destroyed | |
957 | ||
958 | Destroy the label on a file descriptor. In this entry point, a | |
959 | policy module should free any internal storage associated with | |
960 | label so that it may be destroyed. | |
961 | */ | |
962 | typedef void mpo_file_label_destroy_t( | |
963 | struct label *label | |
964 | ); | |
965 | /** | |
966 | @brief Initialize file label | |
967 | @param label New label to initialize | |
968 | */ | |
969 | typedef void mpo_file_label_init_t( | |
970 | struct label *label | |
971 | ); | |
972 | /** | |
973 | @brief Access control check for relabeling network interfaces | |
974 | @param cred Subject credential | |
975 | @param ifp network interface being relabeled | |
976 | @param ifnetlabel Current label of the network interfaces | |
977 | @param newlabel New label to apply to the network interfaces | |
978 | @see mpo_ifnet_label_update_t | |
979 | ||
980 | Determine whether the subject identified by the credential can | |
981 | relabel the network interface represented by ifp to the supplied | |
982 | new label (newlabel). | |
983 | ||
984 | @return Return 0 if access is granted, otherwise an appropriate value for | |
985 | errno should be returned. | |
986 | */ | |
987 | typedef int mpo_ifnet_check_label_update_t( | |
988 | kauth_cred_t cred, | |
989 | struct ifnet *ifp, | |
990 | struct label *ifnetlabel, | |
991 | struct label *newlabel | |
992 | ); | |
993 | /** | |
994 | @brief Access control check for relabeling network interfaces | |
995 | @param ifp Network interface mbuf will be transmitted through | |
996 | @param ifnetlabel Label of the network interfaces | |
997 | @param m The mbuf to be transmitted | |
998 | @param mbuflabel Label of the mbuf to be transmitted | |
999 | @param family Address Family, AF_* | |
1000 | @param type Type of socket, SOCK_{STREAM,DGRAM,RAW} | |
1001 | ||
1002 | Determine whether the mbuf with label mbuflabel may be transmitted | |
1003 | through the network interface represented by ifp that has the | |
1004 | label ifnetlabel. | |
1005 | ||
1006 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1007 | errno should be returned. | |
1008 | */ | |
1009 | typedef int mpo_ifnet_check_transmit_t( | |
1010 | struct ifnet *ifp, | |
1011 | struct label *ifnetlabel, | |
1012 | struct mbuf *m, | |
1013 | struct label *mbuflabel, | |
1014 | int family, | |
1015 | int type | |
1016 | ); | |
1017 | /** | |
1018 | @brief Create a network interface label | |
1019 | @param ifp Network interface labeled | |
1020 | @param ifnetlabel Label for the network interface | |
1021 | ||
1022 | Set the label of a newly created network interface, most likely | |
1023 | using the information in the supplied network interface struct. | |
1024 | */ | |
1025 | typedef void mpo_ifnet_label_associate_t( | |
1026 | struct ifnet *ifp, | |
1027 | struct label *ifnetlabel | |
1028 | ); | |
1029 | /** | |
1030 | @brief Copy an ifnet label | |
1031 | @param src Source ifnet label | |
1032 | @param dest Destination ifnet label | |
1033 | ||
1034 | Copy the label information from src to dest. | |
1035 | */ | |
1036 | typedef void mpo_ifnet_label_copy_t( | |
1037 | struct label *src, | |
1038 | struct label *dest | |
1039 | ); | |
1040 | /** | |
1041 | @brief Destroy ifnet label | |
1042 | @param label The label to be destroyed | |
1043 | ||
1044 | Destroy the label on an ifnet label. In this entry point, a | |
1045 | policy module should free any internal storage associated with | |
1046 | label so that it may be destroyed. | |
1047 | */ | |
1048 | typedef void mpo_ifnet_label_destroy_t( | |
1049 | struct label *label | |
1050 | ); | |
1051 | /** | |
1052 | @brief Externalize an ifnet label | |
1053 | @param label Label to be externalized | |
1054 | @param element_name Name of the label namespace for which labels should be | |
1055 | externalized | |
1056 | @param sb String buffer to be filled with a text representation of the label | |
1057 | ||
1058 | Produce an external representation of the label on an interface. | |
1059 | An externalized label consists of a text representation of the | |
1060 | label contents that can be used with user applications. | |
1061 | Policy-agnostic user space tools will display this externalized | |
1062 | version. | |
1063 | ||
1064 | @return 0 on success, return non-zero if an error occurs while | |
1065 | externalizing the label data. | |
1066 | ||
1067 | */ | |
1068 | typedef int mpo_ifnet_label_externalize_t( | |
1069 | struct label *label, | |
1070 | char *element_name, | |
1071 | struct sbuf *sb | |
1072 | ); | |
1073 | /** | |
1074 | @brief Initialize ifnet label | |
1075 | @param label New label to initialize | |
1076 | */ | |
1077 | typedef void mpo_ifnet_label_init_t( | |
1078 | struct label *label | |
1079 | ); | |
1080 | /** | |
1081 | @brief Internalize an interface label | |
1082 | @param label Label to be internalized | |
1083 | @param element_name Name of the label namespace for which the label should | |
1084 | be internalized | |
1085 | @param element_data Text data to be internalized | |
1086 | ||
1087 | Produce an interface label from an external representation. An | |
1088 | externalized label consists of a text representation of the label | |
1089 | contents that can be used with user applications. Policy-agnostic | |
1090 | user space tools will forward text version to the kernel for | |
1091 | processing by individual policy modules. | |
1092 | ||
1093 | The policy's internalize entry points will be called only if the | |
1094 | policy has registered interest in the label namespace. | |
1095 | ||
1096 | @return 0 on success, Otherwise, return non-zero if an error occurs | |
1097 | while internalizing the label data. | |
1098 | ||
1099 | */ | |
1100 | typedef int mpo_ifnet_label_internalize_t( | |
1101 | struct label *label, | |
1102 | char *element_name, | |
1103 | char *element_data | |
1104 | ); | |
1105 | /** | |
1106 | @brief Recycle up a network interface label | |
1107 | @param label The label to be recycled | |
1108 | ||
1109 | Recycle a network interface label. Darwin caches the struct ifnet | |
1110 | of detached ifnets in a "free pool". Before ifnets are returned | |
1111 | to the "free pool", policies can cleanup or overwrite any information | |
1112 | present in the label. | |
1113 | */ | |
1114 | typedef void mpo_ifnet_label_recycle_t( | |
1115 | struct label *label | |
1116 | ); | |
1117 | /** | |
1118 | @brief Update a network interface label | |
1119 | @param cred Subject credential | |
1120 | @param ifp The network interface to be relabeled | |
1121 | @param ifnetlabel The current label of the network interface | |
1122 | @param newlabel A new label to apply to the network interface | |
1123 | @see mpo_ifnet_check_label_update_t | |
1124 | ||
1125 | Update the label on a network interface, using the supplied new label. | |
1126 | */ | |
1127 | typedef void mpo_ifnet_label_update_t( | |
1128 | kauth_cred_t cred, | |
1129 | struct ifnet *ifp, | |
1130 | struct label *ifnetlabel, | |
1131 | struct label *newlabel | |
1132 | ); | |
1133 | /** | |
1134 | @brief Access control check for delivering a packet to a socket | |
1135 | @param inp inpcb the socket is associated with | |
1136 | @param inplabel Label of the inpcb | |
1137 | @param m The mbuf being received | |
1138 | @param mbuflabel Label of the mbuf being received | |
1139 | @param family Address family, AF_* | |
1140 | @param type Type of socket, SOCK_{STREAM,DGRAM,RAW} | |
1141 | ||
1142 | Determine whether the mbuf with label mbuflabel may be received | |
1143 | by the socket associated with inpcb that has the label inplabel. | |
1144 | ||
1145 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1146 | errno should be returned. | |
1147 | */ | |
1148 | typedef int mpo_inpcb_check_deliver_t( | |
1149 | struct inpcb *inp, | |
1150 | struct label *inplabel, | |
1151 | struct mbuf *m, | |
1152 | struct label *mbuflabel, | |
1153 | int family, | |
1154 | int type | |
1155 | ); | |
1156 | /** | |
1157 | @brief Create an inpcb label | |
1158 | @param so Socket containing the inpcb to be labeled | |
1159 | @param solabel Label of the socket | |
1160 | @param inp inpcb to be labeled | |
1161 | @param inplabel Label for the inpcb | |
1162 | ||
1163 | Set the label of a newly created inpcb, most likely | |
1164 | using the information in the socket and/or socket label. | |
1165 | */ | |
1166 | typedef void mpo_inpcb_label_associate_t( | |
1167 | struct socket *so, | |
1168 | struct label *solabel, | |
1169 | struct inpcb *inp, | |
1170 | struct label *inplabel | |
1171 | ); | |
1172 | /** | |
1173 | @brief Destroy inpcb label | |
1174 | @param label The label to be destroyed | |
1175 | ||
1176 | Destroy the label on an inpcb label. In this entry point, a | |
1177 | policy module should free any internal storage associated with | |
1178 | label so that it may be destroyed. | |
1179 | */ | |
1180 | typedef void mpo_inpcb_label_destroy_t( | |
1181 | struct label *label | |
1182 | ); | |
1183 | /** | |
1184 | @brief Initialize inpcb label | |
1185 | @param label New label to initialize | |
1186 | @param flag M_WAITOK or M_NOWAIT | |
1187 | */ | |
1188 | typedef int mpo_inpcb_label_init_t( | |
1189 | struct label *label, | |
1190 | int flag | |
1191 | ); | |
1192 | /** | |
1193 | @brief Recycle up an inpcb label | |
1194 | @param label The label to be recycled | |
1195 | ||
1196 | Recycle an inpcb label. Darwin allocates the inpcb as part of | |
1197 | the socket structure in some cases. For this case we must recycle | |
1198 | rather than destroy the inpcb as it will be reused later. | |
1199 | */ | |
1200 | typedef void mpo_inpcb_label_recycle_t( | |
1201 | struct label *label | |
1202 | ); | |
1203 | /** | |
1204 | @brief Update an inpcb label from a socket label | |
1205 | @param so Socket containing the inpcb to be relabeled | |
1206 | @param solabel New label of the socket | |
1207 | @param inp inpcb to be labeled | |
1208 | @param inplabel Label for the inpcb | |
1209 | ||
1210 | Set the label of a newly created inpcb due to a change in the | |
1211 | underlying socket label. | |
1212 | */ | |
1213 | typedef void mpo_inpcb_label_update_t( | |
1214 | struct socket *so, | |
1215 | struct label *solabel, | |
1216 | struct inpcb *inp, | |
1217 | struct label *inplabel | |
1218 | ); | |
1219 | /** | |
1220 | @brief Device hardware access control | |
1221 | @param devtype Type of device connected | |
1222 | @param properties XML-formatted property list | |
1223 | @param proplen Length of the property list | |
1224 | ||
1225 | This is the MAC Framework device access control, which is called by the I/O | |
1226 | Kit when a new device is connected to the system to determine whether that | |
1227 | device should be trusted. A list of properties associated with the device | |
1228 | is passed as an XML-formatted string. The routine should examine these | |
1229 | properties to determine the trustworthiness of the device. A return value | |
1230 | of EPERM forces the device to be claimed by a special device driver that | |
1231 | will prevent its operation. | |
1232 | ||
1233 | @warning This is an experimental interface and may change in the future. | |
1234 | ||
1235 | @return Return EPERM to indicate that the device is untrusted and should | |
1236 | not be allowed to operate. Return zero to indicate that the device is | |
1237 | trusted and should be allowed to operate normally. | |
1238 | ||
1239 | */ | |
1240 | typedef int mpo_iokit_check_device_t( | |
1241 | char *devtype, | |
1242 | struct mac_module_data *mdata | |
1243 | ); | |
1244 | /** | |
1245 | @brief Access control check for opening an I/O Kit device | |
1246 | @param cred Subject credential | |
1247 | @param device_path Device path | |
1248 | @param user_client User client instance | |
1249 | @param user_client_type User client type | |
1250 | ||
1251 | Determine whether the subject identified by the credential can open an | |
1252 | I/O Kit device at the passed path of the passed user client class and | |
1253 | type. | |
1254 | ||
1255 | @return Return 0 if access is granted, or an appropriate value for | |
1256 | errno should be returned. | |
1257 | */ | |
1258 | typedef int mpo_iokit_check_open_t( | |
1259 | kauth_cred_t cred, | |
1260 | io_object_t user_client, | |
1261 | unsigned int user_client_type | |
1262 | ); | |
1263 | /** | |
1264 | @brief Access control check for setting I/O Kit device properties | |
1265 | @param cred Subject credential | |
1266 | @param entry Target device | |
1267 | @param properties Property list | |
1268 | ||
1269 | Determine whether the subject identified by the credential can set | |
1270 | properties on an I/O Kit device. | |
1271 | ||
1272 | @return Return 0 if access is granted, or an appropriate value for | |
1273 | errno should be returned. | |
1274 | */ | |
1275 | typedef int mpo_iokit_check_set_properties_t( | |
1276 | kauth_cred_t cred, | |
1277 | io_object_t entry, | |
1278 | io_object_t properties | |
1279 | ); | |
1280 | /** | |
1281 | @brief Indicate desire to filter I/O Kit devices properties | |
1282 | @param cred Subject credential | |
1283 | @param entry Target device | |
1284 | @see mpo_iokit_check_get_property_t | |
1285 | ||
1286 | Indicate whether this policy may restrict the subject credential | |
1287 | from reading properties of the target device. | |
1288 | If a policy returns success from this entry point, the | |
1289 | mpo_iokit_check_get_property entry point will later be called | |
1290 | for each property that the subject credential tries to read from | |
1291 | the target device. | |
1292 | ||
1293 | This entry point is primarilly to optimize bulk property reads | |
1294 | by skipping calls to the mpo_iokit_check_get_property entry point | |
1295 | for credentials / devices no MAC policy is interested in. | |
1296 | ||
1297 | @warning Even if a policy returns 0, it should behave correctly in | |
1298 | the presence of an invocation of mpo_iokit_check_get_property, as that | |
1299 | call may happen as a result of another policy requesting a transition. | |
1300 | ||
1301 | @return Non-zero if a transition is required, 0 otherwise. | |
1302 | */ | |
1303 | typedef int mpo_iokit_check_filter_properties_t( | |
1304 | kauth_cred_t cred, | |
1305 | io_object_t entry | |
1306 | ); | |
1307 | /** | |
1308 | @brief Access control check for getting I/O Kit device properties | |
1309 | @param cred Subject credential | |
1310 | @param entry Target device | |
1311 | @param name Property name | |
1312 | ||
1313 | Determine whether the subject identified by the credential can get | |
1314 | properties on an I/O Kit device. | |
1315 | ||
1316 | @return Return 0 if access is granted, or an appropriate value for | |
1317 | errno. | |
1318 | */ | |
1319 | typedef int mpo_iokit_check_get_property_t( | |
1320 | kauth_cred_t cred, | |
1321 | io_object_t entry, | |
1322 | const char *name | |
1323 | ); | |
1324 | /** | |
1325 | @brief Access control check for software HID control | |
1326 | @param cred Subject credential | |
1327 | ||
1328 | Determine whether the subject identified by the credential can | |
1329 | control the HID (Human Interface Device) subsystem, such as to | |
1330 | post synthetic keypresses, pointer movement and clicks. | |
1331 | ||
1332 | @return Return 0 if access is granted, or an appropriate value for | |
1333 | errno. | |
1334 | */ | |
1335 | typedef int mpo_iokit_check_hid_control_t( | |
1336 | kauth_cred_t cred | |
1337 | ); | |
1338 | /** | |
1339 | @brief Create an IP reassembly queue label | |
1340 | @param fragment First received IP fragment | |
1341 | @param fragmentlabel Policy label for fragment | |
1342 | @param ipq IP reassembly queue to be labeled | |
1343 | @param ipqlabel Policy label to be filled in for ipq | |
1344 | ||
1345 | Set the label on a newly created IP reassembly queue from | |
1346 | the mbuf header of the first received fragment. | |
1347 | */ | |
1348 | typedef void mpo_ipq_label_associate_t( | |
1349 | struct mbuf *fragment, | |
1350 | struct label *fragmentlabel, | |
1351 | struct ipq *ipq, | |
1352 | struct label *ipqlabel | |
1353 | ); | |
1354 | /** | |
1355 | @brief Compare an mbuf header label to an ipq label | |
1356 | @param fragment IP datagram fragment | |
1357 | @param fragmentlabel Policy label for fragment | |
1358 | @param ipq IP fragment reassembly queue | |
1359 | @param ipqlabel Policy label for ipq | |
1360 | ||
1361 | Compare the label of the mbuf header containing an IP datagram | |
1362 | (fragment) fragment with the label of the passed IP fragment | |
1363 | reassembly queue (ipq). Return (1) for a successful match, or (0) | |
1364 | for no match. This call is made when the IP stack attempts to | |
1365 | find an existing fragment reassembly queue for a newly received | |
1366 | fragment; if this fails, a new fragment reassembly queue may be | |
1367 | instantiated for the fragment. Policies may use this entry point | |
1368 | to prevent the reassembly of otherwise matching IP fragments if | |
1369 | policy does not permit them to be reassembled based on the label | |
1370 | or other information. | |
1371 | */ | |
1372 | typedef int mpo_ipq_label_compare_t( | |
1373 | struct mbuf *fragment, | |
1374 | struct label *fragmentlabel, | |
1375 | struct ipq *ipq, | |
1376 | struct label *ipqlabel | |
1377 | ); | |
1378 | /** | |
1379 | @brief Destroy IP reassembly queue label | |
1380 | @param label The label to be destroyed | |
1381 | ||
1382 | Destroy the label on an IP fragment queue. In this entry point, a | |
1383 | policy module should free any internal storage associated with | |
1384 | label so that it may be destroyed. | |
1385 | */ | |
1386 | typedef void mpo_ipq_label_destroy_t( | |
1387 | struct label *label | |
1388 | ); | |
1389 | /** | |
1390 | @brief Initialize IP reassembly queue label | |
1391 | @param label New label to initialize | |
1392 | @param flag M_WAITOK or M_NOWAIT | |
1393 | ||
1394 | Initialize the label on a newly instantiated IP fragment reassembly | |
1395 | queue. The flag field may be one of M_WAITOK and M_NOWAIT, and | |
1396 | should be employed to avoid performing a sleeping malloc(9) during | |
1397 | this initialization call. IP fragment reassembly queue allocation | |
1398 | frequently occurs in performance sensitive environments, and the | |
1399 | implementation should be careful to avoid sleeping or long-lived | |
1400 | operations. This entry point is permitted to fail resulting in | |
1401 | the failure to allocate the IP fragment reassembly queue. | |
1402 | */ | |
1403 | typedef int mpo_ipq_label_init_t( | |
1404 | struct label *label, | |
1405 | int flag | |
1406 | ); | |
1407 | /** | |
1408 | @brief Update the label on an IP fragment reassembly queue | |
1409 | @param fragment IP fragment | |
1410 | @param fragmentlabel Policy label for fragment | |
1411 | @param ipq IP fragment reassembly queue | |
1412 | @param ipqlabel Policy label to be updated for ipq | |
1413 | ||
1414 | Update the label on an IP fragment reassembly queue (ipq) based | |
1415 | on the acceptance of the passed IP fragment mbuf header (fragment). | |
1416 | */ | |
1417 | typedef void mpo_ipq_label_update_t( | |
1418 | struct mbuf *fragment, | |
1419 | struct label *fragmentlabel, | |
1420 | struct ipq *ipq, | |
1421 | struct label *ipqlabel | |
1422 | ); | |
1423 | /** | |
1424 | @brief Access control check for relabelling Login Context | |
1425 | @param l Subject credential | |
1426 | @param newlabel New label to apply to the Login Context | |
1427 | @see mpo_lctx_label_update_t | |
1428 | @see mac_set_lcid | |
1429 | @see mac_set_lctx | |
1430 | ||
1431 | Determine whether the subject identified by the credential can relabel | |
1432 | itself to the supplied new label (newlabel). This access control check | |
1433 | is called when the mac_set_lctx/lcid system call is invoked. A user space | |
1434 | application will supply a new value, the value will be internalized | |
1435 | and provided in newlabel. | |
1436 | ||
1437 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1438 | errno should be returned. | |
1439 | */ | |
1440 | typedef int mpo_lctx_check_label_update_t( | |
1441 | struct lctx *l, | |
1442 | struct label *newlabel | |
1443 | ); | |
1444 | /** | |
1445 | @brief Destroy Login Context label | |
1446 | @param label The label to be destroyed | |
1447 | */ | |
1448 | typedef void mpo_lctx_label_destroy_t( | |
1449 | struct label *label | |
1450 | ); | |
1451 | /** | |
1452 | @brief Externalize a Login Context label | |
1453 | @param label Label to be externalized | |
1454 | @param element_name Name of the label namespace for which labels should be | |
1455 | externalized | |
1456 | @param sb String buffer to be filled with a text representation of the label | |
1457 | ||
1458 | Produce an external representation of the label on a Login Context. | |
1459 | An externalized label consists of a text representation | |
1460 | of the label contents that can be used with user applications. | |
1461 | Policy-agnostic user space tools will display this externalized | |
1462 | version. | |
1463 | ||
1464 | @return 0 on success, return non-zero if an error occurs while | |
1465 | externalizing the label data. | |
1466 | ||
1467 | */ | |
1468 | typedef int mpo_lctx_label_externalize_t( | |
1469 | struct label *label, | |
1470 | char *element_name, | |
1471 | struct sbuf *sb | |
1472 | ); | |
1473 | /** | |
1474 | @brief Initialize Login Context label | |
1475 | @param label New label to initialize | |
1476 | */ | |
1477 | typedef void mpo_lctx_label_init_t( | |
1478 | struct label *label | |
1479 | ); | |
1480 | /** | |
1481 | @brief Internalize a Login Context label | |
1482 | @param label Label to be internalized | |
1483 | @param element_name Name of the label namespace for which the label should | |
1484 | be internalized | |
1485 | @param element_data Text data to be internalized | |
1486 | ||
1487 | Produce a Login Context label from an external representation. An | |
1488 | externalized label consists of a text representation of the label | |
1489 | contents that can be used with user applications. Policy-agnostic | |
1490 | user space tools will forward text version to the kernel for | |
1491 | processing by individual policy modules. | |
1492 | ||
1493 | The policy's internalize entry points will be called only if the | |
1494 | policy has registered interest in the label namespace. | |
1495 | ||
1496 | @return 0 on success, Otherwise, return non-zero if an error occurs | |
1497 | while internalizing the label data. | |
1498 | ||
1499 | */ | |
1500 | typedef int mpo_lctx_label_internalize_t( | |
1501 | struct label *label, | |
1502 | char *element_name, | |
1503 | char *element_data | |
1504 | ); | |
1505 | /** | |
1506 | @brief Update a Login Context label | |
1507 | @param l | |
1508 | @param newlabel A new label to apply to the Login Context | |
1509 | @see mpo_lctx_check_label_update_t | |
1510 | @see mac_set_lcid | |
1511 | @see mac_set_lctx | |
1512 | ||
1513 | Update the label on a login context, using the supplied new label. | |
1514 | This is called as a result of a login context relabel operation. Access | |
1515 | control was already confirmed by mpo_lctx_check_label_update. | |
1516 | */ | |
1517 | typedef void mpo_lctx_label_update_t( | |
1518 | struct lctx *l, | |
1519 | struct label *newlabel | |
1520 | ); | |
1521 | /** | |
1522 | @brief A process has created a login context | |
1523 | @param p Subject | |
1524 | @param l Login Context | |
1525 | ||
1526 | When a process creates a login context (via setlcid()) this entrypoint | |
1527 | is called to notify the policy that the process 'p' has created login | |
1528 | context 'l'. | |
1529 | */ | |
1530 | typedef void mpo_lctx_notify_create_t( | |
1531 | struct proc *p, | |
1532 | struct lctx *l | |
1533 | ); | |
1534 | /** | |
1535 | @brief A process has joined a login context | |
1536 | @param p Subject | |
1537 | @param l Login Context | |
1538 | ||
1539 | When a process joins a login context, either via setlcid() or via | |
1540 | fork() this entrypoint is called to notify the policy that process | |
1541 | 'p' is now a member of login context 'l'. | |
1542 | */ | |
1543 | typedef void mpo_lctx_notify_join_t( | |
1544 | struct proc *p, | |
1545 | struct lctx *l | |
1546 | ); | |
1547 | /** | |
1548 | @brief A process has left a login context | |
1549 | @param p Subject | |
1550 | @param l Login Context | |
1551 | ||
1552 | When a process leaves a login context either via setlcid() or as a | |
1553 | result of the process exiting this entrypoint is called to notify | |
1554 | the policy that the process 'p' is no longer a member of login context 'l'. | |
1555 | */ | |
1556 | typedef void mpo_lctx_notify_leave_t( | |
1557 | struct proc *p, | |
1558 | struct lctx *l | |
1559 | ); | |
1560 | /** | |
1561 | @brief Assign a label to a new mbuf | |
1562 | @param bpf_d BPF descriptor | |
1563 | @param b_label Policy label for bpf_d | |
1564 | @param m Object; mbuf | |
1565 | @param m_label Policy label to fill in for m | |
1566 | ||
1567 | Set the label on the mbuf header of a newly created datagram | |
1568 | generated using the passed BPF descriptor. This call is made when | |
1569 | a write is performed to the BPF device associated with the passed | |
1570 | BPF descriptor. | |
1571 | */ | |
1572 | typedef void mpo_mbuf_label_associate_bpfdesc_t( | |
1573 | struct bpf_d *bpf_d, | |
1574 | struct label *b_label, | |
1575 | struct mbuf *m, | |
1576 | struct label *m_label | |
1577 | ); | |
1578 | /** | |
1579 | @brief Assign a label to a new mbuf | |
1580 | @param ifp Interface descriptor | |
1581 | @param i_label Existing label of ifp | |
1582 | @param m Object; mbuf | |
1583 | @param m_label Policy label to fill in for m | |
1584 | ||
1585 | Label an mbuf based on the interface from which it was received. | |
1586 | */ | |
1587 | typedef void mpo_mbuf_label_associate_ifnet_t( | |
1588 | struct ifnet *ifp, | |
1589 | struct label *i_label, | |
1590 | struct mbuf *m, | |
1591 | struct label *m_label | |
1592 | ); | |
1593 | /** | |
1594 | @brief Assign a label to a new mbuf | |
1595 | @param inp inpcb structure | |
1596 | @param i_label Existing label of inp | |
1597 | @param m Object; mbuf | |
1598 | @param m_label Policy label to fill in for m | |
1599 | ||
1600 | Label an mbuf based on the inpcb from which it was derived. | |
1601 | */ | |
1602 | typedef void mpo_mbuf_label_associate_inpcb_t( | |
1603 | struct inpcb *inp, | |
1604 | struct label *i_label, | |
1605 | struct mbuf *m, | |
1606 | struct label *m_label | |
1607 | ); | |
1608 | /** | |
1609 | @brief Set the label on a newly reassembled IP datagram | |
1610 | @param ipq IP fragment reassembly queue | |
1611 | @param ipqlabel Policy label for ipq | |
1612 | @param mbuf IP datagram to be labeled | |
1613 | @param mbuflabel Policy label to be filled in for mbuf | |
1614 | ||
1615 | Set the label on a newly reassembled IP datagram (mbuf) from the IP | |
1616 | fragment reassembly queue (ipq) from which it was generated. | |
1617 | */ | |
1618 | typedef void mpo_mbuf_label_associate_ipq_t( | |
1619 | struct ipq *ipq, | |
1620 | struct label *ipqlabel, | |
1621 | struct mbuf *mbuf, | |
1622 | struct label *mbuflabel | |
1623 | ); | |
1624 | /** | |
1625 | @brief Assign a label to a new mbuf | |
1626 | @param ifp Subject; network interface | |
1627 | @param i_label Existing label of ifp | |
1628 | @param m Object; mbuf | |
1629 | @param m_label Policy label to fill in for m | |
1630 | ||
1631 | Set the label on the mbuf header of a newly created datagram | |
1632 | generated for the purposes of a link layer response for the passed | |
1633 | interface. This call may be made in a number of situations, including | |
1634 | for ARP or ND6 responses in the IPv4 and IPv6 stacks. | |
1635 | */ | |
1636 | typedef void mpo_mbuf_label_associate_linklayer_t( | |
1637 | struct ifnet *ifp, | |
1638 | struct label *i_label, | |
1639 | struct mbuf *m, | |
1640 | struct label *m_label | |
1641 | ); | |
1642 | /** | |
1643 | @brief Assign a label to a new mbuf | |
1644 | @param oldmbuf mbuf headerder for existing datagram for existing datagram | |
1645 | @param oldmbuflabel Policy label for oldmbuf | |
1646 | @param ifp Network interface | |
1647 | @param ifplabel Policy label for ifp | |
1648 | @param newmbuf mbuf header to be labeled for new datagram | |
1649 | @param newmbuflabel Policy label for newmbuf | |
1650 | ||
1651 | Set the label on the mbuf header of a newly created datagram | |
1652 | generated from the existing passed datagram when it is processed | |
1653 | by the passed multicast encapsulation interface. This call is made | |
1654 | when an mbuf is to be delivered using the virtual interface. | |
1655 | */ | |
1656 | typedef void mpo_mbuf_label_associate_multicast_encap_t( | |
1657 | struct mbuf *oldmbuf, | |
1658 | struct label *oldmbuflabel, | |
1659 | struct ifnet *ifp, | |
1660 | struct label *ifplabel, | |
1661 | struct mbuf *newmbuf, | |
1662 | struct label *newmbuflabel | |
1663 | ); | |
1664 | /** | |
1665 | @brief Assign a label to a new mbuf | |
1666 | @param oldmbuf Received datagram | |
1667 | @param oldmbuflabel Policy label for oldmbuf | |
1668 | @param newmbuf Newly created datagram | |
1669 | @param newmbuflabel Policy label for newmbuf | |
1670 | ||
1671 | Set the label on the mbuf header of a newly created datagram generated | |
1672 | by the IP stack in response to an existing received datagram (oldmbuf). | |
1673 | This call may be made in a number of situations, including when responding | |
1674 | to ICMP request datagrams. | |
1675 | */ | |
1676 | typedef void mpo_mbuf_label_associate_netlayer_t( | |
1677 | struct mbuf *oldmbuf, | |
1678 | struct label *oldmbuflabel, | |
1679 | struct mbuf *newmbuf, | |
1680 | struct label *newmbuflabel | |
1681 | ); | |
1682 | /** | |
1683 | @brief Assign a label to a new mbuf | |
1684 | @param so Socket to label | |
1685 | @param so_label Policy label for socket | |
1686 | @param m Object; mbuf | |
1687 | @param m_label Policy label to fill in for m | |
1688 | ||
1689 | An mbuf structure is used to store network traffic in transit. | |
1690 | When an application sends data to a socket or a pipe, it is wrapped | |
1691 | in an mbuf first. This function sets the label on a newly created mbuf header | |
1692 | based on the socket sending the data. The contents of the label should be | |
1693 | suitable for performing an access check on the receiving side of the | |
1694 | communication. | |
1695 | ||
1696 | Only labeled MBUFs will be presented to the policy via this entrypoint. | |
1697 | */ | |
1698 | typedef void mpo_mbuf_label_associate_socket_t( | |
1699 | socket_t so, | |
1700 | struct label *so_label, | |
1701 | struct mbuf *m, | |
1702 | struct label *m_label | |
1703 | ); | |
1704 | /** | |
1705 | @brief Copy a mbuf label | |
1706 | @param src Source label | |
1707 | @param dest Destination label | |
1708 | ||
1709 | Copy the mbuf label information in src into dest. | |
1710 | ||
1711 | Only called when both source and destination mbufs have labels. | |
1712 | */ | |
1713 | typedef void mpo_mbuf_label_copy_t( | |
1714 | struct label *src, | |
1715 | struct label *dest | |
1716 | ); | |
1717 | /** | |
1718 | @brief Destroy mbuf label | |
1719 | @param label The label to be destroyed | |
1720 | ||
1721 | Destroy a mbuf label. Since the | |
1722 | object is going out of scope, policy modules should free any | |
1723 | internal storage associated with the label so that it may be | |
1724 | destroyed. | |
1725 | */ | |
1726 | typedef void mpo_mbuf_label_destroy_t( | |
1727 | struct label *label | |
1728 | ); | |
1729 | /** | |
1730 | @brief Initialize mbuf label | |
1731 | @param label New label to initialize | |
1732 | @param flag Malloc flags | |
1733 | ||
1734 | Initialize the label for a newly instantiated mbuf. | |
1735 | ||
1736 | @warning Since it is possible for the flags to be set to | |
1737 | M_NOWAIT, the malloc operation may fail. | |
1738 | ||
1739 | @return On success, 0, otherwise, an appropriate errno return value. | |
1740 | */ | |
1741 | typedef int mpo_mbuf_label_init_t( | |
1742 | struct label *label, | |
1743 | int flag | |
1744 | ); | |
1745 | /** | |
1746 | @brief Access control check for fsctl | |
1747 | @param cred Subject credential | |
1748 | @param mp The mount point | |
1749 | @param label Label associated with the mount point | |
1750 | @param com Filesystem-dependent request code; see fsctl(2) | |
1751 | ||
1752 | Determine whether the subject identified by the credential can perform | |
1753 | the volume operation indicated by com. | |
1754 | ||
1755 | @warning The fsctl() system call is directly analogous to ioctl(); since | |
1756 | the associated data is opaque from the standpoint of the MAC framework | |
1757 | and since these operations can affect many aspects of system operation, | |
1758 | policies must exercise extreme care when implementing access control checks. | |
1759 | ||
1760 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1761 | errno should be returned. | |
1762 | */ | |
1763 | typedef int mpo_mount_check_fsctl_t( | |
1764 | kauth_cred_t cred, | |
1765 | struct mount *mp, | |
1766 | struct label *label, | |
1767 | unsigned int cmd | |
1768 | ); | |
1769 | /** | |
1770 | @brief Access control check for the retrieval of file system attributes | |
1771 | @param cred Subject credential | |
1772 | @param mp The mount structure of the file system | |
1773 | @param vfa The attributes requested | |
1774 | ||
1775 | This entry point determines whether given subject can get information | |
1776 | about the given file system. This check happens during statfs() syscalls, | |
1777 | but is also used by other parts within the kernel such as the audit system. | |
1778 | ||
1779 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1780 | errno should be returned. | |
1781 | */ | |
1782 | ||
1783 | typedef int mpo_mount_check_getattr_t( | |
1784 | kauth_cred_t cred, | |
1785 | struct mount *mp, | |
1786 | struct label *mp_label, | |
1787 | struct vfs_attr *vfa | |
1788 | ); | |
1789 | /** | |
1790 | @brief Access control check for mount point relabeling | |
1791 | @param cred Subject credential | |
1792 | @param mp Object file system mount point | |
1793 | @param mntlabel Policy label for fle system mount point | |
1794 | ||
1795 | Determine whether the subject identified by the credential can relabel | |
1796 | the mount point. This call is made when a file system mount is updated. | |
1797 | ||
1798 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1799 | errno should be returned. Suggested failure: EACCES for label mismatch | |
1800 | or EPERM for lack of privilege. | |
1801 | */ | |
1802 | typedef int mpo_mount_check_label_update_t( | |
1803 | kauth_cred_t cred, | |
1804 | struct mount *mp, | |
1805 | struct label *mntlabel | |
1806 | ); | |
1807 | /** | |
1808 | @brief Access control check for mounting a file system | |
1809 | @param cred Subject credential | |
1810 | @param vp Vnode that is to be the mount point | |
1811 | @param vlabel Label associated with the vnode | |
1812 | @param cnp Component name for vp | |
1813 | @param vfc_name Filesystem type name | |
1814 | ||
1815 | Determine whether the subject identified by the credential can perform | |
1816 | the mount operation on the target vnode. | |
1817 | ||
1818 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1819 | errno should be returned. | |
1820 | */ | |
1821 | typedef int mpo_mount_check_mount_t( | |
1822 | kauth_cred_t cred, | |
1823 | struct vnode *vp, | |
1824 | struct label *vlabel, | |
1825 | struct componentname *cnp, | |
1826 | const char *vfc_name | |
1827 | ); | |
1828 | /** | |
1829 | @brief Access control check remounting a filesystem | |
1830 | @param cred Subject credential | |
1831 | @param mp The mount point | |
1832 | @param mlabel Label currently associated with the mount point | |
1833 | ||
1834 | Determine whether the subject identified by the credential can perform | |
1835 | the remount operation on the target vnode. | |
1836 | ||
1837 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1838 | errno should be returned. | |
1839 | */ | |
1840 | typedef int mpo_mount_check_remount_t( | |
1841 | kauth_cred_t cred, | |
1842 | struct mount *mp, | |
1843 | struct label *mlabel | |
1844 | ); | |
1845 | /** | |
1846 | @brief Access control check for the settting of file system attributes | |
1847 | @param cred Subject credential | |
1848 | @param mp The mount structure of the file system | |
1849 | @param vfa The attributes requested | |
1850 | ||
1851 | This entry point determines whether given subject can set information | |
1852 | about the given file system, for example the volume name. | |
1853 | ||
1854 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1855 | errno should be returned. | |
1856 | */ | |
1857 | ||
1858 | typedef int mpo_mount_check_setattr_t( | |
1859 | kauth_cred_t cred, | |
1860 | struct mount *mp, | |
1861 | struct label *mp_label, | |
1862 | struct vfs_attr *vfa | |
1863 | ); | |
1864 | /** | |
1865 | @brief Access control check for file system statistics | |
1866 | @param cred Subject credential | |
1867 | @param mp Object file system mount | |
1868 | @param mntlabel Policy label for mp | |
1869 | ||
1870 | Determine whether the subject identified by the credential can see | |
1871 | the results of a statfs performed on the file system. This call may | |
1872 | be made in a number of situations, including during invocations of | |
1873 | statfs(2) and related calls, as well as to determine what file systems | |
1874 | to exclude from listings of file systems, such as when getfsstat(2) | |
1875 | is invoked. | |
1876 | ||
1877 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1878 | errno should be returned. Suggested failure: EACCES for label mismatch | |
1879 | or EPERM for lack of privilege. | |
1880 | */ | |
1881 | typedef int mpo_mount_check_stat_t( | |
1882 | kauth_cred_t cred, | |
1883 | struct mount *mp, | |
1884 | struct label *mntlabel | |
1885 | ); | |
1886 | /** | |
1887 | @brief Access control check for unmounting a filesystem | |
1888 | @param cred Subject credential | |
1889 | @param mp The mount point | |
1890 | @param mlabel Label associated with the mount point | |
1891 | ||
1892 | Determine whether the subject identified by the credential can perform | |
1893 | the unmount operation on the target vnode. | |
1894 | ||
1895 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1896 | errno should be returned. | |
1897 | */ | |
1898 | typedef int mpo_mount_check_umount_t( | |
1899 | kauth_cred_t cred, | |
1900 | struct mount *mp, | |
1901 | struct label *mlabel | |
1902 | ); | |
1903 | /** | |
1904 | @brief Create mount labels | |
1905 | @param cred Subject credential | |
1906 | @param mp Mount point of file system being mounted | |
1907 | @param mntlabel Label to associate with the new mount point | |
1908 | @see mpo_mount_label_init_t | |
1909 | ||
1910 | Fill out the labels on the mount point being created by the supplied | |
1911 | user credential. This call is made when file systems are first mounted. | |
1912 | */ | |
1913 | typedef void mpo_mount_label_associate_t( | |
1914 | kauth_cred_t cred, | |
1915 | struct mount *mp, | |
1916 | struct label *mntlabel | |
1917 | ); | |
1918 | /** | |
1919 | @brief Destroy mount label | |
1920 | @param label The label to be destroyed | |
1921 | ||
1922 | Destroy a file system mount label. Since the | |
1923 | object is going out of scope, policy modules should free any | |
1924 | internal storage associated with the label so that it may be | |
1925 | destroyed. | |
1926 | */ | |
1927 | typedef void mpo_mount_label_destroy_t( | |
1928 | struct label *label | |
1929 | ); | |
1930 | /** | |
1931 | @brief Externalize a mount point label | |
1932 | @param label Label to be externalized | |
1933 | @param element_name Name of the label namespace for which labels should be | |
1934 | externalized | |
1935 | @param sb String buffer to be filled with a text representation of the label | |
1936 | ||
1937 | Produce an external representation of the mount point label. An | |
1938 | externalized label consists of a text representation of the label | |
1939 | contents that can be used with user applications. Policy-agnostic | |
1940 | user space tools will display this externalized version. | |
1941 | ||
1942 | The policy's externalize entry points will be called only if the | |
1943 | policy has registered interest in the label namespace. | |
1944 | ||
1945 | @return 0 on success, return non-zero if an error occurs while | |
1946 | externalizing the label data. | |
1947 | ||
1948 | */ | |
1949 | typedef int mpo_mount_label_externalize_t( | |
1950 | struct label *label, | |
1951 | char *element_name, | |
1952 | struct sbuf *sb | |
1953 | ); | |
1954 | /** | |
1955 | @brief Initialize mount point label | |
1956 | @param label New label to initialize | |
1957 | ||
1958 | Initialize the label for a newly instantiated mount structure. | |
1959 | This label is typically used to store a default label in the case | |
1960 | that the file system has been mounted singlelabel. Since some | |
1961 | file systems do not support persistent labels (extended attributes) | |
1962 | or are read-only (such as CD-ROMs), it is often necessary to store | |
1963 | a default label separately from the label of the mount point | |
1964 | itself. Sleeping is permitted. | |
1965 | */ | |
1966 | typedef void mpo_mount_label_init_t( | |
1967 | struct label *label | |
1968 | ); | |
1969 | /** | |
1970 | @brief Internalize a mount point label | |
1971 | @param label Label to be internalized | |
1972 | @param element_name Name of the label namespace for which the label should | |
1973 | be internalized | |
1974 | @param element_data Text data to be internalized | |
1975 | ||
1976 | Produce a mount point file system label from an external representation. | |
1977 | An externalized label consists of a text representation of the label | |
1978 | contents that can be used with user applications. Policy-agnostic | |
1979 | user space tools will forward text version to the kernel for | |
1980 | processing by individual policy modules. | |
1981 | ||
1982 | The policy's internalize entry points will be called only if the | |
1983 | policy has registered interest in the label namespace. | |
1984 | ||
1985 | @return 0 on success, Otherwise, return non-zero if an error occurs | |
1986 | while internalizing the label data. | |
1987 | ||
1988 | */ | |
1989 | typedef int mpo_mount_label_internalize_t( | |
1990 | struct label *label, | |
1991 | char *element_name, | |
1992 | char *element_data | |
1993 | ); | |
1994 | /** | |
1995 | @brief Set the label on an IPv4 datagram fragment | |
1996 | @param datagram Datagram being fragmented | |
1997 | @param datagramlabel Policy label for datagram | |
1998 | @param fragment New fragment | |
1999 | @param fragmentlabel Policy label for fragment | |
2000 | ||
2001 | Called when an IPv4 datagram is fragmented into several smaller datagrams. | |
2002 | Policies implementing mbuf labels will typically copy the label from the | |
2003 | source datagram to the new fragment. | |
2004 | */ | |
2005 | typedef void mpo_netinet_fragment_t( | |
2006 | struct mbuf *datagram, | |
2007 | struct label *datagramlabel, | |
2008 | struct mbuf *fragment, | |
2009 | struct label *fragmentlabel | |
2010 | ); | |
2011 | /** | |
2012 | @brief Set the label on an ICMP reply | |
2013 | @param m mbuf containing the ICMP reply | |
2014 | @param mlabel Policy label for m | |
2015 | ||
2016 | A policy may wish to update the label of an mbuf that refers to | |
2017 | an ICMP packet being sent in response to an IP packet. This may | |
2018 | be called in response to a bad packet or an ICMP request. | |
2019 | */ | |
2020 | typedef void mpo_netinet_icmp_reply_t( | |
2021 | struct mbuf *m, | |
2022 | struct label *mlabel | |
2023 | ); | |
2024 | /** | |
2025 | @brief Set the label on a TCP reply | |
2026 | @param m mbuf containing the TCP reply | |
2027 | @param mlabel Policy label for m | |
2028 | ||
2029 | Called for outgoing TCP packets not associated with an actual socket. | |
2030 | */ | |
2031 | typedef void mpo_netinet_tcp_reply_t( | |
2032 | struct mbuf *m, | |
2033 | struct label *mlabel | |
2034 | ); | |
2035 | /** | |
2036 | @brief Access control check for pipe ioctl | |
2037 | @param cred Subject credential | |
2038 | @param cpipe Object to be accessed | |
2039 | @param pipelabel The label on the pipe | |
2040 | @param cmd The ioctl command; see ioctl(2) | |
2041 | ||
2042 | Determine whether the subject identified by the credential can perform | |
2043 | the ioctl operation indicated by cmd. | |
2044 | ||
2045 | @warning Since ioctl data is opaque from the standpoint of the MAC | |
2046 | framework, policies must exercise extreme care when implementing | |
2047 | access control checks. | |
2048 | ||
2049 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2050 | errno should be returned. | |
2051 | ||
2052 | */ | |
2053 | typedef int mpo_pipe_check_ioctl_t( | |
2054 | kauth_cred_t cred, | |
2055 | struct pipe *cpipe, | |
2056 | struct label *pipelabel, | |
2057 | unsigned int cmd | |
2058 | ); | |
2059 | /** | |
2060 | @brief Access control check for pipe kqfilter | |
2061 | @param cred Subject credential | |
2062 | @param kn Object knote | |
2063 | @param cpipe Object to be accessed | |
2064 | @param pipelabel Policy label for the pipe | |
2065 | ||
2066 | Determine whether the subject identified by the credential can | |
2067 | receive the knote on the passed pipe. | |
2068 | ||
2069 | @return Return 0 if access if granted, otherwise an appropriate | |
2070 | value for errno should be returned. | |
2071 | */ | |
2072 | typedef int mpo_pipe_check_kqfilter_t( | |
2073 | kauth_cred_t cred, | |
2074 | struct knote *kn, | |
2075 | struct pipe *cpipe, | |
2076 | struct label *pipelabel | |
2077 | ); | |
2078 | /** | |
2079 | @brief Access control check for pipe relabel | |
2080 | @param cred Subject credential | |
2081 | @param cpipe Object to be accessed | |
2082 | @param pipelabel The current label on the pipe | |
2083 | @param newlabel The new label to be used | |
2084 | ||
2085 | Determine whether the subject identified by the credential can | |
2086 | perform a relabel operation on the passed pipe. The cred object holds | |
2087 | the credentials of the subject performing the operation. | |
2088 | ||
2089 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2090 | errno should be returned. | |
2091 | ||
2092 | */ | |
2093 | typedef int mpo_pipe_check_label_update_t( | |
2094 | kauth_cred_t cred, | |
2095 | struct pipe *cpipe, | |
2096 | struct label *pipelabel, | |
2097 | struct label *newlabel | |
2098 | ); | |
2099 | /** | |
2100 | @brief Access control check for pipe read | |
2101 | @param cred Subject credential | |
2102 | @param cpipe Object to be accessed | |
2103 | @param pipelabel The label on the pipe | |
2104 | ||
2105 | Determine whether the subject identified by the credential can | |
2106 | perform a read operation on the passed pipe. The cred object holds | |
2107 | the credentials of the subject performing the operation. | |
2108 | ||
2109 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2110 | errno should be returned. | |
2111 | ||
2112 | */ | |
2113 | typedef int mpo_pipe_check_read_t( | |
2114 | kauth_cred_t cred, | |
2115 | struct pipe *cpipe, | |
2116 | struct label *pipelabel | |
2117 | ); | |
2118 | /** | |
2119 | @brief Access control check for pipe select | |
2120 | @param cred Subject credential | |
2121 | @param cpipe Object to be accessed | |
2122 | @param pipelabel The label on the pipe | |
2123 | @param which The operation selected on: FREAD or FWRITE | |
2124 | ||
2125 | Determine whether the subject identified by the credential can | |
2126 | perform a select operation on the passed pipe. The cred object holds | |
2127 | the credentials of the subject performing the operation. | |
2128 | ||
2129 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2130 | errno should be returned. | |
2131 | ||
2132 | */ | |
2133 | typedef int mpo_pipe_check_select_t( | |
2134 | kauth_cred_t cred, | |
2135 | struct pipe *cpipe, | |
2136 | struct label *pipelabel, | |
2137 | int which | |
2138 | ); | |
2139 | /** | |
2140 | @brief Access control check for pipe stat | |
2141 | @param cred Subject credential | |
2142 | @param cpipe Object to be accessed | |
2143 | @param pipelabel The label on the pipe | |
2144 | ||
2145 | Determine whether the subject identified by the credential can | |
2146 | perform a stat operation on the passed pipe. The cred object holds | |
2147 | the credentials of the subject performing the operation. | |
2148 | ||
2149 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2150 | errno should be returned. | |
2151 | ||
2152 | */ | |
2153 | typedef int mpo_pipe_check_stat_t( | |
2154 | kauth_cred_t cred, | |
2155 | struct pipe *cpipe, | |
2156 | struct label *pipelabel | |
2157 | ); | |
2158 | /** | |
2159 | @brief Access control check for pipe write | |
2160 | @param cred Subject credential | |
2161 | @param cpipe Object to be accessed | |
2162 | @param pipelabel The label on the pipe | |
2163 | ||
2164 | Determine whether the subject identified by the credential can | |
2165 | perform a write operation on the passed pipe. The cred object holds | |
2166 | the credentials of the subject performing the operation. | |
2167 | ||
2168 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2169 | errno should be returned. | |
2170 | ||
2171 | */ | |
2172 | typedef int mpo_pipe_check_write_t( | |
2173 | kauth_cred_t cred, | |
2174 | struct pipe *cpipe, | |
2175 | struct label *pipelabel | |
2176 | ); | |
2177 | /** | |
2178 | @brief Create a pipe label | |
2179 | @param cred Subject credential | |
2180 | @param cpipe object to be labeled | |
2181 | @param label Label for the pipe object | |
2182 | ||
2183 | Create a label for the pipe object being created by the supplied | |
2184 | user credential. This call is made when the pipe is being created | |
2185 | XXXPIPE(for one or both sides of the pipe?). | |
2186 | ||
2187 | */ | |
2188 | typedef void mpo_pipe_label_associate_t( | |
2189 | kauth_cred_t cred, | |
2190 | struct pipe *cpipe, | |
2191 | struct label *pipelabel | |
2192 | ); | |
2193 | /** | |
2194 | @brief Copy a pipe label | |
2195 | @param src Source pipe label | |
2196 | @param dest Destination pipe label | |
2197 | ||
2198 | Copy the pipe label associated with src to dest. | |
2199 | XXXPIPE Describe when this is used: most likely during pipe creation to | |
2200 | copy from rpipe to wpipe. | |
2201 | */ | |
2202 | typedef void mpo_pipe_label_copy_t( | |
2203 | struct label *src, | |
2204 | struct label *dest | |
2205 | ); | |
2206 | /** | |
2207 | @brief Destroy pipe label | |
2208 | @param label The label to be destroyed | |
2209 | ||
2210 | Destroy a pipe label. Since the object is going out of scope, | |
2211 | policy modules should free any internal storage associated with the | |
2212 | label so that it may be destroyed. | |
2213 | */ | |
2214 | typedef void mpo_pipe_label_destroy_t( | |
2215 | struct label *label | |
2216 | ); | |
2217 | /** | |
2218 | @brief Externalize a pipe label | |
2219 | @param label Label to be externalized | |
2220 | @param element_name Name of the label namespace for which labels should be | |
2221 | externalized | |
2222 | @param sb String buffer to be filled with a text representation of the label | |
2223 | ||
2224 | Produce an external representation of the label on a pipe. | |
2225 | An externalized label consists of a text representation | |
2226 | of the label contents that can be used with user applications. | |
2227 | Policy-agnostic user space tools will display this externalized | |
2228 | version. | |
2229 | ||
2230 | The policy's externalize entry points will be called only if the | |
2231 | policy has registered interest in the label namespace. | |
2232 | ||
2233 | @return 0 on success, return non-zero if an error occurs while | |
2234 | externalizing the label data. | |
2235 | ||
2236 | */ | |
2237 | typedef int mpo_pipe_label_externalize_t( | |
2238 | struct label *label, | |
2239 | char *element_name, | |
2240 | struct sbuf *sb | |
2241 | ); | |
2242 | /** | |
2243 | @brief Initialize pipe label | |
2244 | @param label New label to initialize | |
2245 | ||
2246 | Initialize label storage for use with a newly instantiated pipe object. | |
2247 | Sleeping is permitted. | |
2248 | */ | |
2249 | typedef void mpo_pipe_label_init_t( | |
2250 | struct label *label | |
2251 | ); | |
2252 | /** | |
2253 | @brief Internalize a pipe label | |
2254 | @param label Label to be internalized | |
2255 | @param element_name Name of the label namespace for which the label should | |
2256 | be internalized | |
2257 | @param element_data Text data to be internalized | |
2258 | ||
2259 | Produce a pipe label from an external representation. An | |
2260 | externalized label consists of a text representation of the label | |
2261 | contents that can be used with user applications. Policy-agnostic | |
2262 | user space tools will forward text version to the kernel for | |
2263 | processing by individual policy modules. | |
2264 | ||
2265 | The policy's internalize entry points will be called only if the | |
2266 | policy has registered interest in the label namespace. | |
2267 | ||
2268 | @return 0 on success, Otherwise, return non-zero if an error occurs | |
2269 | while internalizing the label data. | |
2270 | ||
2271 | */ | |
2272 | typedef int mpo_pipe_label_internalize_t( | |
2273 | struct label *label, | |
2274 | char *element_name, | |
2275 | char *element_data | |
2276 | ); | |
2277 | /** | |
2278 | @brief Update a pipe label | |
2279 | @param cred Subject credential | |
2280 | @param cpipe Object to be labeled | |
2281 | @param oldlabel Existing pipe label | |
2282 | @param newlabel New label to replace existing label | |
2283 | @see mpo_pipe_check_label_update_t | |
2284 | ||
2285 | The subject identified by the credential has previously requested | |
2286 | and was authorized to relabel the pipe; this entry point allows | |
2287 | policies to perform the actual relabel operation. Policies should | |
2288 | update oldlabel using the label stored in the newlabel parameter. | |
2289 | ||
2290 | */ | |
2291 | typedef void mpo_pipe_label_update_t( | |
2292 | kauth_cred_t cred, | |
2293 | struct pipe *cpipe, | |
2294 | struct label *oldlabel, | |
2295 | struct label *newlabel | |
2296 | ); | |
2297 | /** | |
2298 | @brief Policy unload event | |
2299 | @param mpc MAC policy configuration | |
2300 | ||
2301 | This is the MAC Framework policy unload event. This entry point will | |
2302 | only be called if the module's policy configuration allows unload (if | |
2303 | the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't | |
2304 | want to be unloaded; they should set their flags to prevent this | |
2305 | entry point from being called. | |
2306 | ||
2307 | @warning During this call, the mac policy list mutex is held, so | |
2308 | sleep operations cannot be performed, and calls out to other kernel | |
2309 | subsystems must be made with caution. | |
2310 | ||
2311 | @see MPC_LOADTIME_FLAG_UNLOADOK | |
2312 | */ | |
2313 | typedef void mpo_policy_destroy_t( | |
2314 | struct mac_policy_conf *mpc | |
2315 | ); | |
2316 | /** | |
2317 | @brief Policy initialization event | |
2318 | @param mpc MAC policy configuration | |
2319 | @see mac_policy_register | |
2320 | @see mpo_policy_initbsd_t | |
2321 | ||
2322 | This is the MAC Framework policy initialization event. This entry | |
2323 | point is called during mac_policy_register, when the policy module | |
2324 | is first registered with the MAC Framework. This is often done very | |
2325 | early in the boot process, after the kernel Mach subsystem has been | |
2326 | initialized, but prior to the BSD subsystem being initialized. | |
2327 | Since the kernel BSD services are not yet available, it is possible | |
2328 | that some initialization must occur later, possibly in the | |
2329 | mpo_policy_initbsd_t policy entry point, such as registering BSD system | |
2330 | controls (sysctls). Policy modules loaded at boot time will be | |
2331 | registered and initialized before labeled Mach objects are created. | |
2332 | ||
2333 | @warning During this call, the mac policy list mutex is held, so | |
2334 | sleep operations cannot be performed, and calls out to other kernel | |
2335 | subsystems must be made with caution. | |
2336 | */ | |
2337 | typedef void mpo_policy_init_t( | |
2338 | struct mac_policy_conf *mpc | |
2339 | ); | |
2340 | /** | |
2341 | @brief Policy BSD initialization event | |
2342 | @param mpc MAC policy configuration | |
2343 | @see mpo_policy_init_t | |
2344 | ||
2345 | This entry point is called after the kernel BSD subsystem has been | |
2346 | initialized. By this point, the module should already be loaded, | |
2347 | registered, and initialized. Since policy modules are initialized | |
2348 | before kernel BSD services are available, this second initialization | |
2349 | phase is necessary. At this point, BSD services (memory management, | |
2350 | synchronization primitives, vfs, etc.) are available, but the first | |
2351 | process has not yet been created. Mach-related objects and tasks | |
2352 | will already be fully initialized and may be in use--policies requiring | |
2353 | ubiquitous labeling may also want to implement mpo_policy_init_t. | |
2354 | ||
2355 | @warning During this call, the mac policy list mutex is held, so | |
2356 | sleep operations cannot be performed, and calls out to other kernel | |
2357 | subsystems must be made with caution. | |
2358 | */ | |
2359 | typedef void mpo_policy_initbsd_t( | |
2360 | struct mac_policy_conf *mpc | |
2361 | ); | |
2362 | /** | |
2363 | @brief Policy extension service | |
2364 | @param p Calling process | |
2365 | @param call Policy-specific syscall number | |
2366 | @param arg Pointer to syscall arguments | |
2367 | ||
2368 | This entry point provides a policy-multiplexed system call so that | |
2369 | policies may provide additional services to user processes without | |
2370 | registering specific system calls. The policy name provided during | |
2371 | registration is used to demux calls from userland, and the arguments | |
2372 | will be forwarded to this entry point. When implementing new | |
2373 | services, security modules should be sure to invoke appropriate | |
2374 | access control checks from the MAC framework as needed. For | |
2375 | example, if a policy implements an augmented signal functionality, | |
2376 | it should call the necessary signal access control checks to invoke | |
2377 | the MAC framework and other registered policies. | |
2378 | ||
2379 | @warning Since the format and contents of the policy-specific | |
2380 | arguments are unknown to the MAC Framework, modules must perform the | |
2381 | required copyin() of the syscall data on their own. No policy | |
2382 | mediation is performed, so policies must perform any necessary | |
2383 | access control checks themselves. If multiple policies are loaded, | |
2384 | they will currently be unable to mediate calls to other policies. | |
2385 | ||
2386 | @return In the event of an error, an appropriate value for errno | |
2387 | should be returned, otherwise return 0 upon success. | |
2388 | */ | |
2389 | typedef int mpo_policy_syscall_t( | |
2390 | struct proc *p, | |
2391 | int call, | |
2392 | user_addr_t arg | |
2393 | ); | |
2394 | /** | |
2395 | @brief Access control check for POSIX semaphore create | |
2396 | @param cred Subject credential | |
2397 | @param name String name of the semaphore | |
2398 | ||
2399 | Determine whether the subject identified by the credential can create | |
2400 | a POSIX semaphore specified by name. | |
2401 | ||
2402 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2403 | errno should be returned. | |
2404 | */ | |
2405 | typedef int mpo_posixsem_check_create_t( | |
2406 | kauth_cred_t cred, | |
2407 | const char *name | |
2408 | ); | |
2409 | /** | |
2410 | @brief Access control check for POSIX semaphore open | |
2411 | @param cred Subject credential | |
2412 | @param ps Pointer to semaphore information structure | |
2413 | @param semlabel Label associated with the semaphore | |
2414 | ||
2415 | Determine whether the subject identified by the credential can open | |
2416 | the named POSIX semaphore with label semlabel. | |
2417 | ||
2418 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2419 | errno should be returned. | |
2420 | */ | |
2421 | typedef int mpo_posixsem_check_open_t( | |
2422 | kauth_cred_t cred, | |
2423 | struct pseminfo *ps, | |
2424 | struct label *semlabel | |
2425 | ); | |
2426 | /** | |
2427 | @brief Access control check for POSIX semaphore post | |
2428 | @param cred Subject credential | |
2429 | @param ps Pointer to semaphore information structure | |
2430 | @param semlabel Label associated with the semaphore | |
2431 | ||
2432 | Determine whether the subject identified by the credential can unlock | |
2433 | the named POSIX semaphore with label semlabel. | |
2434 | ||
2435 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2436 | errno should be returned. | |
2437 | */ | |
2438 | typedef int mpo_posixsem_check_post_t( | |
2439 | kauth_cred_t cred, | |
2440 | struct pseminfo *ps, | |
2441 | struct label *semlabel | |
2442 | ); | |
2443 | /** | |
2444 | @brief Access control check for POSIX semaphore unlink | |
2445 | @param cred Subject credential | |
2446 | @param ps Pointer to semaphore information structure | |
2447 | @param semlabel Label associated with the semaphore | |
2448 | @param name String name of the semaphore | |
2449 | ||
2450 | Determine whether the subject identified by the credential can remove | |
2451 | the named POSIX semaphore with label semlabel. | |
2452 | ||
2453 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2454 | errno should be returned. | |
2455 | */ | |
2456 | typedef int mpo_posixsem_check_unlink_t( | |
2457 | kauth_cred_t cred, | |
2458 | struct pseminfo *ps, | |
2459 | struct label *semlabel, | |
2460 | const char *name | |
2461 | ); | |
2462 | /** | |
2463 | @brief Access control check for POSIX semaphore wait | |
2464 | @param cred Subject credential | |
2465 | @param ps Pointer to semaphore information structure | |
2466 | @param semlabel Label associated with the semaphore | |
2467 | ||
2468 | Determine whether the subject identified by the credential can lock | |
2469 | the named POSIX semaphore with label semlabel. | |
2470 | ||
2471 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2472 | errno should be returned. | |
2473 | */ | |
2474 | typedef int mpo_posixsem_check_wait_t( | |
2475 | kauth_cred_t cred, | |
2476 | struct pseminfo *ps, | |
2477 | struct label *semlabel | |
2478 | ); | |
2479 | /** | |
2480 | @brief Create a POSIX semaphore label | |
2481 | @param cred Subject credential | |
2482 | @param ps Pointer to semaphore information structure | |
2483 | @param semlabel Label to associate with the new semaphore | |
2484 | @param name String name of the semaphore | |
2485 | ||
2486 | Label a new POSIX semaphore. The label was previously | |
2487 | initialized and associated with the semaphore. At this time, an | |
2488 | appropriate initial label value should be assigned to the object and | |
2489 | stored in semalabel. | |
2490 | */ | |
2491 | typedef void mpo_posixsem_label_associate_t( | |
2492 | kauth_cred_t cred, | |
2493 | struct pseminfo *ps, | |
2494 | struct label *semlabel, | |
2495 | const char *name | |
2496 | ); | |
2497 | /** | |
2498 | @brief Destroy POSIX semaphore label | |
2499 | @param label The label to be destroyed | |
2500 | ||
2501 | Destroy a POSIX semaphore label. Since the object is | |
2502 | going out of scope, policy modules should free any internal storage | |
2503 | associated with the label so that it may be destroyed. | |
2504 | */ | |
2505 | typedef void mpo_posixsem_label_destroy_t( | |
2506 | struct label *label | |
2507 | ); | |
2508 | /** | |
2509 | @brief Initialize POSIX semaphore label | |
2510 | @param label New label to initialize | |
2511 | ||
2512 | Initialize the label for a newly instantiated POSIX semaphore. Sleeping | |
2513 | is permitted. | |
2514 | */ | |
2515 | typedef void mpo_posixsem_label_init_t( | |
2516 | struct label *label | |
2517 | ); | |
2518 | /** | |
2519 | @brief Access control check for POSIX shared memory region create | |
2520 | @param cred Subject credential | |
2521 | @param name String name of the shared memory region | |
2522 | ||
2523 | Determine whether the subject identified by the credential can create | |
2524 | the POSIX shared memory region referenced by name. | |
2525 | ||
2526 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2527 | errno should be returned. | |
2528 | */ | |
2529 | typedef int mpo_posixshm_check_create_t( | |
2530 | kauth_cred_t cred, | |
2531 | const char *name | |
2532 | ); | |
2533 | /** | |
2534 | @brief Access control check for mapping POSIX shared memory | |
2535 | @param cred Subject credential | |
2536 | @param ps Pointer to shared memory information structure | |
2537 | @param shmlabel Label associated with the shared memory region | |
2538 | @param prot mmap protections; see mmap(2) | |
2539 | @param flags shmat flags; see shmat(2) | |
2540 | ||
2541 | Determine whether the subject identified by the credential can map | |
2542 | the POSIX shared memory segment associated with shmlabel. | |
2543 | ||
2544 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2545 | errno should be returned. | |
2546 | */ | |
2547 | typedef int mpo_posixshm_check_mmap_t( | |
2548 | kauth_cred_t cred, | |
2549 | struct pshminfo *ps, | |
2550 | struct label *shmlabel, | |
2551 | int prot, | |
2552 | int flags | |
2553 | ); | |
2554 | /** | |
2555 | @brief Access control check for POSIX shared memory region open | |
2556 | @param cred Subject credential | |
2557 | @param ps Pointer to shared memory information structure | |
2558 | @param shmlabel Label associated with the shared memory region | |
2559 | @param fflags shm_open(2) open flags ('fflags' encoded) | |
2560 | ||
2561 | Determine whether the subject identified by the credential can open | |
2562 | the POSIX shared memory region. | |
2563 | ||
2564 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2565 | errno should be returned. | |
2566 | */ | |
2567 | typedef int mpo_posixshm_check_open_t( | |
2568 | kauth_cred_t cred, | |
2569 | struct pshminfo *ps, | |
2570 | struct label *shmlabel, | |
2571 | int fflags | |
2572 | ); | |
2573 | /** | |
2574 | @brief Access control check for POSIX shared memory stat | |
2575 | @param cred Subject credential | |
2576 | @param ps Pointer to shared memory information structure | |
2577 | @param shmlabel Label associated with the shared memory region | |
2578 | ||
2579 | Determine whether the subject identified by the credential can obtain | |
2580 | status for the POSIX shared memory segment associated with shmlabel. | |
2581 | ||
2582 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2583 | errno should be returned. | |
2584 | */ | |
2585 | typedef int mpo_posixshm_check_stat_t( | |
2586 | kauth_cred_t cred, | |
2587 | struct pshminfo *ps, | |
2588 | struct label *shmlabel | |
2589 | ); | |
2590 | /** | |
2591 | @brief Access control check for POSIX shared memory truncate | |
2592 | @param cred Subject credential | |
2593 | @param ps Pointer to shared memory information structure | |
2594 | @param shmlabel Label associated with the shared memory region | |
2595 | @param len Length to truncate or extend shared memory segment | |
2596 | ||
2597 | Determine whether the subject identified by the credential can truncate | |
2598 | or extend (to len) the POSIX shared memory segment associated with shmlabel. | |
2599 | ||
2600 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2601 | errno should be returned. | |
2602 | */ | |
2603 | typedef int mpo_posixshm_check_truncate_t( | |
2604 | kauth_cred_t cred, | |
2605 | struct pshminfo *ps, | |
2606 | struct label *shmlabel, | |
2607 | off_t len | |
2608 | ); | |
2609 | /** | |
2610 | @brief Access control check for POSIX shared memory unlink | |
2611 | @param cred Subject credential | |
2612 | @param ps Pointer to shared memory information structure | |
2613 | @param shmlabel Label associated with the shared memory region | |
2614 | @param name String name of the shared memory region | |
2615 | ||
2616 | Determine whether the subject identified by the credential can delete | |
2617 | the POSIX shared memory segment associated with shmlabel. | |
2618 | ||
2619 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2620 | errno should be returned. | |
2621 | */ | |
2622 | typedef int mpo_posixshm_check_unlink_t( | |
2623 | kauth_cred_t cred, | |
2624 | struct pshminfo *ps, | |
2625 | struct label *shmlabel, | |
2626 | const char *name | |
2627 | ); | |
2628 | /** | |
2629 | @brief Create a POSIX shared memory region label | |
2630 | @param cred Subject credential | |
2631 | @param ps Pointer to shared memory information structure | |
2632 | @param shmlabel Label to associate with the new shared memory region | |
2633 | @param name String name of the shared memory region | |
2634 | ||
2635 | Label a new POSIX shared memory region. The label was previously | |
2636 | initialized and associated with the shared memory region. At this | |
2637 | time, an appropriate initial label value should be assigned to the | |
2638 | object and stored in shmlabel. | |
2639 | */ | |
2640 | typedef void mpo_posixshm_label_associate_t( | |
2641 | kauth_cred_t cred, | |
2642 | struct pshminfo *ps, | |
2643 | struct label *shmlabel, | |
2644 | const char *name | |
2645 | ); | |
2646 | /** | |
2647 | @brief Destroy POSIX shared memory label | |
2648 | @param label The label to be destroyed | |
2649 | ||
2650 | Destroy a POSIX shared memory region label. Since the | |
2651 | object is going out of scope, policy modules should free any | |
2652 | internal storage associated with the label so that it may be | |
2653 | destroyed. | |
2654 | */ | |
2655 | typedef void mpo_posixshm_label_destroy_t( | |
2656 | struct label *label | |
2657 | ); | |
2658 | /** | |
2659 | @brief Initialize POSIX Shared Memory region label | |
2660 | @param label New label to initialize | |
2661 | ||
2662 | Initialize the label for newly a instantiated POSIX Shared Memory | |
2663 | region. Sleeping is permitted. | |
2664 | */ | |
2665 | typedef void mpo_posixshm_label_init_t( | |
2666 | struct label *label | |
2667 | ); | |
2668 | /** | |
2669 | @brief Access control check for privileged operations | |
2670 | @param cred Subject credential | |
2671 | @param priv Requested privilege (see sys/priv.h) | |
2672 | ||
2673 | Determine whether the subject identified by the credential can perform | |
2674 | a privileged operation. Privileged operations are allowed if the cred | |
2675 | is the superuser or any policy returns zero for mpo_priv_grant, unless | |
2676 | any policy returns nonzero for mpo_priv_check. | |
2677 | ||
2678 | @return Return 0 if access is granted, otherwise EPERM should be returned. | |
2679 | */ | |
2680 | typedef int mpo_priv_check_t( | |
2681 | kauth_cred_t cred, | |
2682 | int priv | |
2683 | ); | |
2684 | /** | |
2685 | @brief Grant regular users the ability to perform privileged operations | |
2686 | @param cred Subject credential | |
2687 | @param priv Requested privilege (see sys/priv.h) | |
2688 | ||
2689 | Determine whether the subject identified by the credential should be | |
2690 | allowed to perform a privileged operation that in the absense of any | |
2691 | MAC policy it would not be able to perform. Privileged operations are | |
2692 | allowed if the cred is the superuser or any policy returns zero for | |
2693 | mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check. | |
2694 | ||
2695 | Unlike other MAC hooks which can only reduce the privilege of a | |
2696 | credential, this hook raises the privilege of a credential when it | |
2697 | returns 0. Extreme care must be taken when implementing this hook to | |
2698 | avoid undermining the security of the system. | |
2699 | ||
2700 | @return Return 0 if additional privilege is granted, otherwise EPERM | |
2701 | should be returned. | |
2702 | */ | |
2703 | typedef int mpo_priv_grant_t( | |
2704 | kauth_cred_t cred, | |
2705 | int priv | |
2706 | ); | |
2707 | /** | |
2708 | @brief Access control check for debugging process | |
2709 | @param cred Subject credential | |
2710 | @param proc Object process | |
2711 | ||
2712 | Determine whether the subject identified by the credential can debug | |
2713 | the passed process. This call may be made in a number of situations, | |
2714 | including use of the ptrace(2) and ktrace(2) APIs, as well as for some | |
2715 | types of procfs operations. | |
2716 | ||
2717 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2718 | errno should be returned. Suggested failure: EACCES for label mismatch, | |
2719 | EPERM for lack of privilege, or ESRCH to hide visibility of the target. | |
2720 | */ | |
2721 | typedef int mpo_proc_check_debug_t( | |
2722 | kauth_cred_t cred, | |
2723 | struct proc *proc | |
2724 | ); | |
2725 | /** | |
2726 | @brief Access control over fork | |
2727 | @param cred Subject credential | |
2728 | @param proc Subject process trying to fork | |
2729 | ||
2730 | Determine whether the subject identified is allowed to fork. | |
2731 | ||
2732 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2733 | errno should be returned. | |
2734 | */ | |
2735 | typedef int mpo_proc_check_fork_t( | |
2736 | kauth_cred_t cred, | |
2737 | struct proc *proc | |
2738 | ); | |
2739 | /** | |
2740 | @brief Access control over pid_suspend and pid_resume | |
2741 | @param cred Subject credential | |
2742 | @param proc Subject process trying to run pid_suspend or pid_resume | |
2743 | @param sr Call is suspend (0) or resume (1) | |
2744 | ||
2745 | Determine whether the subject identified is allowed to suspend or resume | |
2746 | other processes. | |
2747 | ||
2748 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2749 | errno should be returned. | |
2750 | */ | |
2751 | typedef int mpo_proc_check_suspend_resume_t( | |
2752 | kauth_cred_t cred, | |
2753 | struct proc *proc, | |
2754 | int sr | |
2755 | ); | |
2756 | /** | |
2757 | @brief Access control check for retrieving audit information | |
2758 | @param cred Subject credential | |
2759 | ||
2760 | Determine whether the subject identified by the credential can get | |
2761 | audit information such as the audit user ID, the preselection mask, | |
2762 | the terminal ID and the audit session ID, using the getaudit() system call. | |
2763 | ||
2764 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2765 | errno should be returned. | |
2766 | */ | |
2767 | typedef int mpo_proc_check_getaudit_t( | |
2768 | kauth_cred_t cred | |
2769 | ); | |
2770 | /** | |
2771 | @brief Access control check for retrieving audit user ID | |
2772 | @param cred Subject credential | |
2773 | ||
2774 | Determine whether the subject identified by the credential can get | |
2775 | the user identity being used by the auditing system, using the getauid() | |
2776 | system call. | |
2777 | ||
2778 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2779 | errno should be returned. | |
2780 | */ | |
2781 | typedef int mpo_proc_check_getauid_t( | |
2782 | kauth_cred_t cred | |
2783 | ); | |
2784 | /** | |
2785 | @brief Access control check for retrieving Login Context ID | |
2786 | @param p0 Calling process | |
2787 | @param p Effected process | |
2788 | @param pid syscall PID argument | |
2789 | ||
2790 | Determine if getlcid(2) system call is permitted. | |
2791 | ||
2792 | Information returned by this system call is similar to that returned via | |
2793 | process listings etc. | |
2794 | ||
2795 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2796 | errno should be returned. | |
2797 | */ | |
2798 | typedef int mpo_proc_check_getlcid_t( | |
2799 | struct proc *p0, | |
2800 | struct proc *p, | |
2801 | pid_t pid | |
2802 | ); | |
2803 | /** | |
2804 | @brief Access control check for retrieving ledger information | |
2805 | @param cred Subject credential | |
2806 | @param target Object process | |
2807 | @param op ledger operation | |
2808 | ||
2809 | Determine if ledger(2) system call is permitted. | |
2810 | ||
2811 | Information returned by this system call is similar to that returned via | |
2812 | process listings etc. | |
2813 | ||
2814 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2815 | errno should be returned. | |
2816 | */ | |
2817 | typedef int mpo_proc_check_ledger_t( | |
2818 | kauth_cred_t cred, | |
2819 | struct proc *target, | |
2820 | int op | |
2821 | ); | |
2822 | /** | |
2823 | @brief Access control check for escaping default CPU usage monitor parameters. | |
2824 | @param cred Subject credential | |
2825 | ||
2826 | Determine if a credential has permission to program CPU usage monitor parameters | |
2827 | that are less restrictive than the global system-wide defaults. | |
2828 | ||
2829 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2830 | errno should be returned. | |
2831 | */ | |
2832 | typedef int mpo_proc_check_cpumon_t( | |
2833 | kauth_cred_t cred | |
2834 | ); | |
2835 | /** | |
2836 | @brief Access control check for retrieving process information. | |
2837 | @param cred Subject credential | |
2838 | @param target Target process (may be null, may be zombie) | |
2839 | ||
2840 | Determine if a credential has permission to access process information as defined | |
2841 | by call number and flavor on target process | |
2842 | ||
2843 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2844 | errno should be returned. | |
2845 | */ | |
2846 | typedef int mpo_proc_check_proc_info_t( | |
2847 | kauth_cred_t cred, | |
2848 | struct proc *target, | |
2849 | int callnum, | |
2850 | int flavor | |
2851 | ); | |
2852 | /** | |
2853 | @brief Access control check for mmap MAP_ANON | |
2854 | @param proc User process requesting the memory | |
2855 | @param cred Subject credential | |
2856 | @param u_addr Start address of the memory range | |
2857 | @param u_size Length address of the memory range | |
2858 | @param prot mmap protections; see mmap(2) | |
2859 | @param flags Type of mapped object; see mmap(2) | |
2860 | @param maxprot Maximum rights | |
2861 | ||
2862 | Determine whether the subject identified by the credential should be | |
2863 | allowed to obtain anonymous memory using the specified flags and | |
2864 | protections on the new mapping. MAP_ANON will always be present in the | |
2865 | flags. Certain combinations of flags with a non-NULL addr may | |
2866 | cause a mapping to be rejected before this hook is called. The maxprot field | |
2867 | holds the maximum permissions on the new mapping, a combination of | |
2868 | VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior | |
2869 | access control checks, a policy should only remove flags from maxprot. | |
2870 | ||
2871 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2872 | errno should be returned. Suggested failure: EPERM for lack of privilege. | |
2873 | */ | |
2874 | typedef int mpo_proc_check_map_anon_t( | |
2875 | struct proc *proc, | |
2876 | kauth_cred_t cred, | |
2877 | user_addr_t u_addr, | |
2878 | user_size_t u_size, | |
2879 | int prot, | |
2880 | int flags, | |
2881 | int *maxprot | |
2882 | ); | |
2883 | /** | |
2884 | @brief Access control check for setting memory protections | |
2885 | @param cred Subject credential | |
2886 | @param proc User process requesting the change | |
2887 | @param addr Start address of the memory range | |
2888 | @param size Length address of the memory range | |
2889 | @param prot Memory protections, see mmap(2) | |
2890 | ||
2891 | Determine whether the subject identified by the credential should | |
2892 | be allowed to set the specified memory protections on memory mapped | |
2893 | in the process proc. | |
2894 | ||
2895 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2896 | errno should be returned. | |
2897 | */ | |
2898 | typedef int mpo_proc_check_mprotect_t( | |
2899 | kauth_cred_t cred, | |
2900 | struct proc *proc, | |
2901 | user_addr_t addr, | |
2902 | user_size_t size, | |
2903 | int prot | |
2904 | ); | |
2905 | /** | |
2906 | @brief Access control check for changing scheduling parameters | |
2907 | @param cred Subject credential | |
2908 | @param proc Object process | |
2909 | ||
2910 | Determine whether the subject identified by the credential can change | |
2911 | the scheduling parameters of the passed process. | |
2912 | ||
2913 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2914 | errno should be returned. Suggested failure: EACCES for label mismatch, | |
2915 | EPERM for lack of privilege, or ESRCH to limit visibility. | |
2916 | */ | |
2917 | typedef int mpo_proc_check_sched_t( | |
2918 | kauth_cred_t cred, | |
2919 | struct proc *proc | |
2920 | ); | |
2921 | /** | |
2922 | @brief Access control check for setting audit information | |
2923 | @param cred Subject credential | |
2924 | @param ai Audit information | |
2925 | ||
2926 | Determine whether the subject identified by the credential can set | |
2927 | audit information such as the the preselection mask, the terminal ID | |
2928 | and the audit session ID, using the setaudit() system call. | |
2929 | ||
2930 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2931 | errno should be returned. | |
2932 | */ | |
2933 | typedef int mpo_proc_check_setaudit_t( | |
2934 | kauth_cred_t cred, | |
2935 | struct auditinfo_addr *ai | |
2936 | ); | |
2937 | /** | |
2938 | @brief Access control check for setting audit user ID | |
2939 | @param cred Subject credential | |
2940 | @param auid Audit user ID | |
2941 | ||
2942 | Determine whether the subject identified by the credential can set | |
2943 | the user identity used by the auditing system, using the setauid() | |
2944 | system call. | |
2945 | ||
2946 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2947 | errno should be returned. | |
2948 | */ | |
2949 | typedef int mpo_proc_check_setauid_t( | |
2950 | kauth_cred_t cred, | |
2951 | uid_t auid | |
2952 | ); | |
2953 | /** | |
2954 | @brief Access control check for setting the Login Context | |
2955 | @param p0 Calling process | |
2956 | @param p Effected process | |
2957 | @param pid syscall PID argument | |
2958 | @param lcid syscall LCID argument | |
2959 | ||
2960 | Determine if setlcid(2) system call is permitted. | |
2961 | ||
2962 | See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of | |
2963 | decoding syscall arguments to determine action desired by caller. | |
2964 | ||
2965 | Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN | |
2966 | ||
2967 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2968 | errno should be returned. | |
2969 | */ | |
2970 | typedef int mpo_proc_check_setlcid_t( | |
2971 | struct proc *p0, | |
2972 | struct proc *p, | |
2973 | pid_t pid, | |
2974 | pid_t lcid | |
2975 | ); | |
2976 | /** | |
2977 | @brief Access control check for delivering signal | |
2978 | @param cred Subject credential | |
2979 | @param proc Object process | |
2980 | @param signum Signal number; see kill(2) | |
2981 | ||
2982 | Determine whether the subject identified by the credential can deliver | |
2983 | the passed signal to the passed process. | |
2984 | ||
2985 | @warning Programs typically expect to be able to send and receive | |
2986 | signals as part or their normal process lifecycle; caution should be | |
2987 | exercised when implementing access controls over signal events. | |
2988 | ||
2989 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2990 | errno should be returned. Suggested failure: EACCES for label mismatch, | |
2991 | EPERM for lack of privilege, or ESRCH to limit visibility. | |
2992 | */ | |
2993 | typedef int mpo_proc_check_signal_t( | |
2994 | kauth_cred_t cred, | |
2995 | struct proc *proc, | |
2996 | int signum | |
2997 | ); | |
2998 | /** | |
2999 | @brief Access control check for wait | |
3000 | @param cred Subject credential | |
3001 | @param proc Object process | |
3002 | ||
3003 | Determine whether the subject identified by the credential can wait | |
3004 | for process termination. | |
3005 | ||
3006 | @warning Caution should be exercised when implementing access | |
3007 | controls for wait, since programs often wait for child processes to | |
3008 | exit. Failure to be notified of a child process terminating may | |
3009 | cause the parent process to hang, or may produce zombie processes. | |
3010 | ||
3011 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3012 | errno should be returned. | |
3013 | */ | |
3014 | typedef int mpo_proc_check_wait_t( | |
3015 | kauth_cred_t cred, | |
3016 | struct proc *proc | |
3017 | ); | |
3018 | /** | |
3019 | @brief Destroy process label | |
3020 | @param label The label to be destroyed | |
3021 | ||
3022 | Destroy a process label. Since the object is going | |
3023 | out of scope, policy modules should free any internal storage | |
3024 | associated with the label so that it may be destroyed. | |
3025 | */ | |
3026 | typedef void mpo_proc_label_destroy_t( | |
3027 | struct label *label | |
3028 | ); | |
3029 | /** | |
3030 | @brief Initialize process label | |
3031 | @param label New label to initialize | |
3032 | @see mpo_cred_label_init_t | |
3033 | ||
3034 | Initialize the label for a newly instantiated BSD process structure. | |
3035 | Normally, security policies will store the process label in the user | |
3036 | credential rather than here in the process structure. However, | |
3037 | there are some floating label policies that may need to temporarily | |
3038 | store a label in the process structure until it is safe to update | |
3039 | the user credential label. Sleeping is permitted. | |
3040 | */ | |
3041 | typedef void mpo_proc_label_init_t( | |
3042 | struct label *label | |
3043 | ); | |
3044 | /** | |
3045 | @brief Access control check for socket accept | |
3046 | @param cred Subject credential | |
3047 | @param socket Object socket | |
3048 | @param socklabel Policy label for socket | |
3049 | ||
3050 | Determine whether the subject identified by the credential can accept() | |
3051 | a new connection on the socket from the host specified by addr. | |
3052 | ||
3053 | @return Return 0 if access if granted, otherwise an appropriate | |
3054 | value for errno should be returned. | |
3055 | */ | |
3056 | typedef int mpo_socket_check_accept_t( | |
3057 | kauth_cred_t cred, | |
3058 | socket_t so, | |
3059 | struct label *socklabel | |
3060 | ); | |
3061 | /** | |
3062 | @brief Access control check for a pending socket accept | |
3063 | @param cred Subject credential | |
3064 | @param so Object socket | |
3065 | @param socklabel Policy label for socket | |
3066 | @param addr Address of the listening socket (coming soon) | |
3067 | ||
3068 | Determine whether the subject identified by the credential can accept() | |
3069 | a pending connection on the socket from the host specified by addr. | |
3070 | ||
3071 | @return Return 0 if access if granted, otherwise an appropriate | |
3072 | value for errno should be returned. | |
3073 | */ | |
3074 | typedef int mpo_socket_check_accepted_t( | |
3075 | kauth_cred_t cred, | |
3076 | socket_t so, | |
3077 | struct label *socklabel, | |
3078 | struct sockaddr *addr | |
3079 | ); | |
3080 | /** | |
3081 | @brief Access control check for socket bind | |
3082 | @param cred Subject credential | |
3083 | @param so Object socket | |
3084 | @param socklabel Policy label for socket | |
3085 | @param addr Name to assign to the socket | |
3086 | ||
3087 | Determine whether the subject identified by the credential can bind() | |
3088 | the name (addr) to the socket. | |
3089 | ||
3090 | @return Return 0 if access if granted, otherwise an appropriate | |
3091 | value for errno should be returned. | |
3092 | */ | |
3093 | typedef int mpo_socket_check_bind_t( | |
3094 | kauth_cred_t cred, | |
3095 | socket_t so, | |
3096 | struct label *socklabel, | |
3097 | struct sockaddr *addr | |
3098 | ); | |
3099 | /** | |
3100 | @brief Access control check for socket connect | |
3101 | @param cred Subject credential | |
3102 | @param so Object socket | |
3103 | @param socklabel Policy label for socket | |
3104 | @param addr Name to assign to the socket | |
3105 | ||
3106 | Determine whether the subject identified by the credential can | |
3107 | connect() the passed socket to the remote host specified by addr. | |
3108 | ||
3109 | @return Return 0 if access if granted, otherwise an appropriate | |
3110 | value for errno should be returned. | |
3111 | */ | |
3112 | typedef int mpo_socket_check_connect_t( | |
3113 | kauth_cred_t cred, | |
3114 | socket_t so, | |
3115 | struct label *socklabel, | |
3116 | struct sockaddr *addr | |
3117 | ); | |
3118 | /** | |
3119 | @brief Access control check for socket() system call. | |
3120 | @param cred Subject credential | |
3121 | @param domain communication domain | |
3122 | @param type socket type | |
3123 | @param protocol socket protocol | |
3124 | ||
3125 | Determine whether the subject identified by the credential can | |
3126 | make the socket() call. | |
3127 | ||
3128 | @return Return 0 if access if granted, otherwise an appropriate | |
3129 | value for errno should be returned. | |
3130 | */ | |
3131 | typedef int mpo_socket_check_create_t( | |
3132 | kauth_cred_t cred, | |
3133 | int domain, | |
3134 | int type, | |
3135 | int protocol | |
3136 | ); | |
3137 | /** | |
3138 | @brief Access control check for delivering data to a user's receieve queue | |
3139 | @param so The socket data is being delivered to | |
3140 | @param so_label The label of so | |
3141 | @param m The mbuf whose data will be deposited into the receive queue | |
3142 | @param m_label The label of the sender of the data. | |
3143 | ||
3144 | A socket has a queue for receiving incoming data. When a packet arrives | |
3145 | on the wire, it eventually gets deposited into this queue, which the | |
3146 | owner of the socket drains when they read from the socket's file descriptor. | |
3147 | ||
3148 | This function determines whether the socket can receive data from | |
3149 | the sender specified by m_label. | |
3150 | ||
3151 | @warning There is an outstanding design issue surrounding the placement | |
3152 | of this function. The check must be placed either before or after the | |
3153 | TCP sequence and ACK counters are updated. Placing the check before | |
3154 | the counters are updated causes the incoming packet to be resent by | |
3155 | the remote if the check rejects it. Placing the check after the counters | |
3156 | are updated results in a completely silent drop. As far as each TCP stack | |
3157 | is concerned the packet was received, however, the data will not be in the | |
3158 | socket's receive queue. Another consideration is that the current design | |
3159 | requires using the "failed label" occasionally. In that case, on rejection, | |
3160 | we want the remote TCP to resend the data. Because of this, we chose to | |
3161 | place this check before the counters are updated, so rejected packets will be | |
3162 | resent by the remote host. | |
3163 | ||
3164 | If a policy keeps rejecting the same packet, eventually the connection will | |
3165 | be dropped. Policies have several options if this design causes problems. | |
3166 | For example, one options is to sanitize the mbuf such that it is acceptable, | |
3167 | then accept it. That may require negotiation between policies as the | |
3168 | Framework will not know to re-check the packet. | |
3169 | ||
3170 | The policy must handle NULL MBUF labels. This will likely be the case | |
3171 | for non-local TCP sockets for example. | |
3172 | ||
3173 | @return Return 0 if access if granted, otherwise an appropriate | |
3174 | value for errno should be returned. | |
3175 | */ | |
3176 | typedef int mpo_socket_check_deliver_t( | |
3177 | socket_t so, | |
3178 | struct label *so_label, | |
3179 | struct mbuf *m, | |
3180 | struct label *m_label | |
3181 | ); | |
3182 | /** | |
3183 | @brief Access control check for socket kqfilter | |
3184 | @param cred Subject credential | |
3185 | @param kn Object knote | |
3186 | @param so Object socket | |
3187 | @param socklabel Policy label for socket | |
3188 | ||
3189 | Determine whether the subject identified by the credential can | |
3190 | receive the knote on the passed socket. | |
3191 | ||
3192 | @return Return 0 if access if granted, otherwise an appropriate | |
3193 | value for errno should be returned. | |
3194 | */ | |
3195 | typedef int mpo_socket_check_kqfilter_t( | |
3196 | kauth_cred_t cred, | |
3197 | struct knote *kn, | |
3198 | socket_t so, | |
3199 | struct label *socklabel | |
3200 | ); | |
3201 | /** | |
3202 | @brief Access control check for socket relabel | |
3203 | @param cred Subject credential | |
3204 | @param so Object socket | |
3205 | @param so_label The current label of so | |
3206 | @param newlabel The label to be assigned to so | |
3207 | ||
3208 | Determine whether the subject identified by the credential can | |
3209 | change the label on the socket. | |
3210 | ||
3211 | @return Return 0 if access if granted, otherwise an appropriate | |
3212 | value for errno should be returned. | |
3213 | */ | |
3214 | typedef int mpo_socket_check_label_update_t( | |
3215 | kauth_cred_t cred, | |
3216 | socket_t so, | |
3217 | struct label *so_label, | |
3218 | struct label *newlabel | |
3219 | ); | |
3220 | /** | |
3221 | @brief Access control check for socket listen | |
3222 | @param cred Subject credential | |
3223 | @param so Object socket | |
3224 | @param socklabel Policy label for socket | |
3225 | ||
3226 | Determine whether the subject identified by the credential can | |
3227 | listen() on the passed socket. | |
3228 | ||
3229 | @return Return 0 if access if granted, otherwise an appropriate | |
3230 | value for errno should be returned. | |
3231 | */ | |
3232 | typedef int mpo_socket_check_listen_t( | |
3233 | kauth_cred_t cred, | |
3234 | socket_t so, | |
3235 | struct label *socklabel | |
3236 | ); | |
3237 | /** | |
3238 | @brief Access control check for socket receive | |
3239 | @param cred Subject credential | |
3240 | @param so Object socket | |
3241 | @param socklabel Policy label for socket | |
3242 | ||
3243 | Determine whether the subject identified by the credential can | |
3244 | receive data from the socket. | |
3245 | ||
3246 | @return Return 0 if access if granted, otherwise an appropriate | |
3247 | value for errno should be returned. | |
3248 | */ | |
3249 | typedef int mpo_socket_check_receive_t( | |
3250 | kauth_cred_t cred, | |
3251 | socket_t so, | |
3252 | struct label *socklabel | |
3253 | ); | |
3254 | ||
3255 | /** | |
3256 | @brief Access control check for socket receive | |
3257 | @param cred Subject credential | |
3258 | @param socket Object socket | |
3259 | @param socklabel Policy label for socket | |
3260 | @param addr Name of the remote socket | |
3261 | ||
3262 | Determine whether the subject identified by the credential can | |
3263 | receive data from the remote host specified by addr. | |
3264 | ||
3265 | @return Return 0 if access if granted, otherwise an appropriate | |
3266 | value for errno should be returned. | |
3267 | */ | |
3268 | typedef int mpo_socket_check_received_t( | |
3269 | kauth_cred_t cred, | |
3270 | struct socket *sock, | |
3271 | struct label *socklabel, | |
3272 | struct sockaddr *saddr | |
3273 | ); | |
3274 | ||
3275 | ||
3276 | /** | |
3277 | @brief Access control check for socket select | |
3278 | @param cred Subject credential | |
3279 | @param so Object socket | |
3280 | @param socklabel Policy label for socket | |
3281 | @param which The operation selected on: FREAD or FWRITE | |
3282 | ||
3283 | Determine whether the subject identified by the credential can use the | |
3284 | socket in a call to select(). | |
3285 | ||
3286 | @return Return 0 if access if granted, otherwise an appropriate | |
3287 | value for errno should be returned. | |
3288 | */ | |
3289 | typedef int mpo_socket_check_select_t( | |
3290 | kauth_cred_t cred, | |
3291 | socket_t so, | |
3292 | struct label *socklabel, | |
3293 | int which | |
3294 | ); | |
3295 | /** | |
3296 | @brief Access control check for socket send | |
3297 | @param cred Subject credential | |
3298 | @param so Object socket | |
3299 | @param socklabel Policy label for socket | |
3300 | @param addr Address being sent to | |
3301 | ||
3302 | Determine whether the subject identified by the credential can send | |
3303 | data to the socket. | |
3304 | ||
3305 | @return Return 0 if access if granted, otherwise an appropriate | |
3306 | value for errno should be returned. | |
3307 | */ | |
3308 | typedef int mpo_socket_check_send_t( | |
3309 | kauth_cred_t cred, | |
3310 | socket_t so, | |
3311 | struct label *socklabel, | |
3312 | struct sockaddr *addr | |
3313 | ); | |
3314 | /** | |
3315 | @brief Access control check for retrieving socket status | |
3316 | @param cred Subject credential | |
3317 | @param so Object socket | |
3318 | @param socklabel Policy label for so | |
3319 | ||
3320 | Determine whether the subject identified by the credential can | |
3321 | execute the stat() system call on the given socket. | |
3322 | ||
3323 | @return Return 0 if access if granted, otherwise an appropriate | |
3324 | value for errno should be returned. | |
3325 | */ | |
3326 | typedef int mpo_socket_check_stat_t( | |
3327 | kauth_cred_t cred, | |
3328 | socket_t so, | |
3329 | struct label *socklabel | |
3330 | ); | |
3331 | /** | |
3332 | @brief Access control check for setting socket options | |
3333 | @param cred Subject credential | |
3334 | @param so Object socket | |
3335 | @param socklabel Policy label for so | |
3336 | @param sopt The options being set | |
3337 | ||
3338 | Determine whether the subject identified by the credential can | |
3339 | execute the setsockopt system call on the given socket. | |
3340 | ||
3341 | @return Return 0 if access if granted, otherwise an appropriate | |
3342 | value for errno should be returned. | |
3343 | */ | |
3344 | typedef int mpo_socket_check_setsockopt_t( | |
3345 | kauth_cred_t cred, | |
3346 | socket_t so, | |
3347 | struct label *socklabel, | |
3348 | struct sockopt *sopt | |
3349 | ); | |
3350 | /** | |
3351 | @brief Access control check for getting socket options | |
3352 | @param cred Subject credential | |
3353 | @param so Object socket | |
3354 | @param socklabel Policy label for so | |
3355 | @param sopt The options to get | |
3356 | ||
3357 | Determine whether the subject identified by the credential can | |
3358 | execute the getsockopt system call on the given socket. | |
3359 | ||
3360 | @return Return 0 if access if granted, otherwise an appropriate | |
3361 | value for errno should be returned. | |
3362 | */ | |
3363 | typedef int mpo_socket_check_getsockopt_t( | |
3364 | kauth_cred_t cred, | |
3365 | socket_t so, | |
3366 | struct label *socklabel, | |
3367 | struct sockopt *sopt | |
3368 | ); | |
3369 | /** | |
3370 | @brief Label a socket | |
3371 | @param oldsock Listening socket | |
3372 | @param oldlabel Policy label associated with oldsock | |
3373 | @param newsock New socket | |
3374 | @param newlabel Policy label associated with newsock | |
3375 | ||
3376 | A new socket is created when a connection is accept(2)ed. This | |
3377 | function labels the new socket based on the existing listen(2)ing | |
3378 | socket. | |
3379 | */ | |
3380 | typedef void mpo_socket_label_associate_accept_t( | |
3381 | socket_t oldsock, | |
3382 | struct label *oldlabel, | |
3383 | socket_t newsock, | |
3384 | struct label *newlabel | |
3385 | ); | |
3386 | /** | |
3387 | @brief Assign a label to a new socket | |
3388 | @param cred Credential of the owning process | |
3389 | @param so The socket being labeled | |
3390 | @param solabel The label | |
3391 | @warning cred can be NULL | |
3392 | ||
3393 | Set the label on a newly created socket from the passed subject | |
3394 | credential. This call is made when a socket is created. The | |
3395 | credentials may be null if the socket is being created by the | |
3396 | kernel. | |
3397 | */ | |
3398 | typedef void mpo_socket_label_associate_t( | |
3399 | kauth_cred_t cred, | |
3400 | socket_t so, | |
3401 | struct label *solabel | |
3402 | ); | |
3403 | /** | |
3404 | @brief Copy a socket label | |
3405 | @param src Source label | |
3406 | @param dest Destination label | |
3407 | ||
3408 | Copy the socket label information in src into dest. | |
3409 | */ | |
3410 | typedef void mpo_socket_label_copy_t( | |
3411 | struct label *src, | |
3412 | struct label *dest | |
3413 | ); | |
3414 | /** | |
3415 | @brief Destroy socket label | |
3416 | @param label The label to be destroyed | |
3417 | ||
3418 | Destroy a socket label. Since the object is going out of | |
3419 | scope, policy modules should free any internal storage associated | |
3420 | with the label so that it may be destroyed. | |
3421 | */ | |
3422 | typedef void mpo_socket_label_destroy_t( | |
3423 | struct label *label | |
3424 | ); | |
3425 | /** | |
3426 | @brief Externalize a socket label | |
3427 | @param label Label to be externalized | |
3428 | @param element_name Name of the label namespace for which labels should be | |
3429 | externalized | |
3430 | @param sb String buffer to be filled with a text representation of label | |
3431 | ||
3432 | Produce an externalized socket label based on the label structure passed. | |
3433 | An externalized label consists of a text representation of the label | |
3434 | contents that can be used with userland applications and read by the | |
3435 | user. If element_name does not match a namespace managed by the policy, | |
3436 | simply return 0. Only return nonzero if an error occurs while externalizing | |
3437 | the label data. | |
3438 | ||
3439 | @return In the event of an error, an appropriate value for errno | |
3440 | should be returned, otherwise return 0 upon success. | |
3441 | */ | |
3442 | typedef int mpo_socket_label_externalize_t( | |
3443 | struct label *label, | |
3444 | char *element_name, | |
3445 | struct sbuf *sb | |
3446 | ); | |
3447 | /** | |
3448 | @brief Initialize socket label | |
3449 | @param label New label to initialize | |
3450 | @param waitok Malloc flags | |
3451 | ||
3452 | Initialize the label of a newly instantiated socket. The waitok | |
3453 | field may be one of M_WAITOK and M_NOWAIT, and should be employed to | |
3454 | avoid performing a sleeping malloc(9) during this initialization | |
3455 | call. It it not always safe to sleep during this entry point. | |
3456 | ||
3457 | @warning Since it is possible for the waitok flags to be set to | |
3458 | M_NOWAIT, the malloc operation may fail. | |
3459 | ||
3460 | @return In the event of an error, an appropriate value for errno | |
3461 | should be returned, otherwise return 0 upon success. | |
3462 | */ | |
3463 | typedef int mpo_socket_label_init_t( | |
3464 | struct label *label, | |
3465 | int waitok | |
3466 | ); | |
3467 | /** | |
3468 | @brief Internalize a socket label | |
3469 | @param label Label to be filled in | |
3470 | @param element_name Name of the label namespace for which the label should | |
3471 | be internalized | |
3472 | @param element_data Text data to be internalized | |
3473 | ||
3474 | Produce an internal socket label structure based on externalized label | |
3475 | data in text format. | |
3476 | ||
3477 | The policy's internalize entry points will be called only if the | |
3478 | policy has registered interest in the label namespace. | |
3479 | ||
3480 | @return In the event of an error, an appropriate value for errno | |
3481 | should be returned, otherwise return 0 upon success. | |
3482 | */ | |
3483 | typedef int mpo_socket_label_internalize_t( | |
3484 | struct label *label, | |
3485 | char *element_name, | |
3486 | char *element_data | |
3487 | ); | |
3488 | /** | |
3489 | @brief Relabel socket | |
3490 | @param cred Subject credential | |
3491 | @param so Object; socket | |
3492 | @param so_label Current label of the socket | |
3493 | @param newlabel The label to be assigned to so | |
3494 | ||
3495 | The subject identified by the credential has previously requested | |
3496 | and was authorized to relabel the socket; this entry point allows | |
3497 | policies to perform the actual label update operation. | |
3498 | ||
3499 | @warning XXX This entry point will likely change in future versions. | |
3500 | */ | |
3501 | typedef void mpo_socket_label_update_t( | |
3502 | kauth_cred_t cred, | |
3503 | socket_t so, | |
3504 | struct label *so_label, | |
3505 | struct label *newlabel | |
3506 | ); | |
3507 | /** | |
3508 | @brief Set the peer label on a socket from mbuf | |
3509 | @param m Mbuf chain received on socket so | |
3510 | @param m_label Label for m | |
3511 | @param so Current label for the socket | |
3512 | @param so_label Policy label to be filled out for the socket | |
3513 | ||
3514 | Set the peer label of a socket based on the label of the sender of the | |
3515 | mbuf. | |
3516 | ||
3517 | This is called for every TCP/IP packet received. The first call for a given | |
3518 | socket operates on a newly initialized label, and subsequent calls operate | |
3519 | on existing label data. | |
3520 | ||
3521 | @warning Because this can affect performance significantly, it has | |
3522 | different sematics than other 'set' operations. Typically, 'set' operations | |
3523 | operate on newly initialzed labels and policies do not need to worry about | |
3524 | clobbering existing values. In this case, it is too inefficient to | |
3525 | initialize and destroy a label every time data is received for the socket. | |
3526 | Instead, it is up to the policies to determine how to replace the label data. | |
3527 | Most policies should be able to replace the data inline. | |
3528 | */ | |
3529 | typedef void mpo_socketpeer_label_associate_mbuf_t( | |
3530 | struct mbuf *m, | |
3531 | struct label *m_label, | |
3532 | socket_t so, | |
3533 | struct label *so_label | |
3534 | ); | |
3535 | /** | |
3536 | @brief Set the peer label on a socket from socket | |
3537 | @param source Local socket | |
3538 | @param sourcelabel Policy label for source | |
3539 | @param target Peer socket | |
3540 | @param targetlabel Policy label to fill in for target | |
3541 | ||
3542 | Set the peer label on a stream UNIX domain socket from the passed | |
3543 | remote socket endpoint. This call will be made when the socket pair | |
3544 | is connected, and will be made for both endpoints. | |
3545 | ||
3546 | Note that this call is only made on connection; it is currently not updated | |
3547 | during communication. | |
3548 | */ | |
3549 | typedef void mpo_socketpeer_label_associate_socket_t( | |
3550 | socket_t source, | |
3551 | struct label *sourcelabel, | |
3552 | socket_t target, | |
3553 | struct label *targetlabel | |
3554 | ); | |
3555 | /** | |
3556 | @brief Destroy socket peer label | |
3557 | @param label The peer label to be destroyed | |
3558 | ||
3559 | Destroy a socket peer label. Since the object is going out of | |
3560 | scope, policy modules should free any internal storage associated | |
3561 | with the label so that it may be destroyed. | |
3562 | */ | |
3563 | typedef void mpo_socketpeer_label_destroy_t( | |
3564 | struct label *label | |
3565 | ); | |
3566 | /** | |
3567 | @brief Externalize a socket peer label | |
3568 | @param label Label to be externalized | |
3569 | @param element_name Name of the label namespace for which labels should be | |
3570 | externalized | |
3571 | @param sb String buffer to be filled with a text representation of label | |
3572 | ||
3573 | Produce an externalized socket peer label based on the label structure | |
3574 | passed. An externalized label consists of a text representation of the | |
3575 | label contents that can be used with userland applications and read by the | |
3576 | user. If element_name does not match a namespace managed by the policy, | |
3577 | simply return 0. Only return nonzero if an error occurs while externalizing | |
3578 | the label data. | |
3579 | ||
3580 | @return In the event of an error, an appropriate value for errno | |
3581 | should be returned, otherwise return 0 upon success. | |
3582 | */ | |
3583 | typedef int mpo_socketpeer_label_externalize_t( | |
3584 | struct label *label, | |
3585 | char *element_name, | |
3586 | struct sbuf *sb | |
3587 | ); | |
3588 | /** | |
3589 | @brief Initialize socket peer label | |
3590 | @param label New label to initialize | |
3591 | @param waitok Malloc flags | |
3592 | ||
3593 | Initialize the peer label of a newly instantiated socket. The | |
3594 | waitok field may be one of M_WAITOK and M_NOWAIT, and should be | |
3595 | employed to avoid performing a sleeping malloc(9) during this | |
3596 | initialization call. It it not always safe to sleep during this | |
3597 | entry point. | |
3598 | ||
3599 | @warning Since it is possible for the waitok flags to be set to | |
3600 | M_NOWAIT, the malloc operation may fail. | |
3601 | ||
3602 | @return In the event of an error, an appropriate value for errno | |
3603 | should be returned, otherwise return 0 upon success. | |
3604 | */ | |
3605 | typedef int mpo_socketpeer_label_init_t( | |
3606 | struct label *label, | |
3607 | int waitok | |
3608 | ); | |
3609 | /** | |
3610 | @brief Access control check for enabling accounting | |
3611 | @param cred Subject credential | |
3612 | @param vp Accounting file | |
3613 | @param vlabel Label associated with vp | |
3614 | ||
3615 | Determine whether the subject should be allowed to enable accounting, | |
3616 | based on its label and the label of the accounting log file. See | |
3617 | acct(5) for more information. | |
3618 | ||
3619 | As accounting is disabled by passing NULL to the acct(2) system call, | |
3620 | the policy should be prepared for both 'vp' and 'vlabel' to be NULL. | |
3621 | ||
3622 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3623 | errno should be returned. | |
3624 | */ | |
3625 | typedef int mpo_system_check_acct_t( | |
3626 | kauth_cred_t cred, | |
3627 | struct vnode *vp, | |
3628 | struct label *vlabel | |
3629 | ); | |
3630 | /** | |
3631 | @brief Access control check for audit | |
3632 | @param cred Subject credential | |
3633 | @param record Audit record | |
3634 | @param length Audit record length | |
3635 | ||
3636 | Determine whether the subject identified by the credential can submit | |
3637 | an audit record for inclusion in the audit log via the audit() system call. | |
3638 | ||
3639 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3640 | errno should be returned. | |
3641 | */ | |
3642 | typedef int mpo_system_check_audit_t( | |
3643 | kauth_cred_t cred, | |
3644 | void *record, | |
3645 | int length | |
3646 | ); | |
3647 | /** | |
3648 | @brief Access control check for controlling audit | |
3649 | @param cred Subject credential | |
3650 | @param vp Audit file | |
3651 | @param vl Label associated with vp | |
3652 | ||
3653 | Determine whether the subject should be allowed to enable auditing using | |
3654 | the auditctl() system call, based on its label and the label of the proposed | |
3655 | audit file. | |
3656 | ||
3657 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3658 | errno should be returned. | |
3659 | */ | |
3660 | typedef int mpo_system_check_auditctl_t( | |
3661 | kauth_cred_t cred, | |
3662 | struct vnode *vp, | |
3663 | struct label *vl | |
3664 | ); | |
3665 | /** | |
3666 | @brief Access control check for manipulating auditing | |
3667 | @param cred Subject credential | |
3668 | @param cmd Audit control command | |
3669 | ||
3670 | Determine whether the subject identified by the credential can perform | |
3671 | the audit subsystem control operation cmd via the auditon() system call. | |
3672 | ||
3673 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3674 | errno should be returned. | |
3675 | */ | |
3676 | typedef int mpo_system_check_auditon_t( | |
3677 | kauth_cred_t cred, | |
3678 | int cmd | |
3679 | ); | |
3680 | /** | |
3681 | @brief Access control check for using CHUD facilities | |
3682 | @param cred Subject credential | |
3683 | ||
3684 | Determine whether the subject identified by the credential can perform | |
3685 | performance-related tasks using the CHUD system call. | |
3686 | ||
3687 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3688 | errno should be returned. | |
3689 | */ | |
3690 | typedef int mpo_system_check_chud_t( | |
3691 | kauth_cred_t cred | |
3692 | ); | |
3693 | /** | |
3694 | @brief Access control check for obtaining the host control port | |
3695 | @param cred Subject credential | |
3696 | ||
3697 | Determine whether the subject identified by the credential can | |
3698 | obtain the host control port. | |
3699 | ||
3700 | @return Return 0 if access is granted, or non-zero otherwise. | |
3701 | */ | |
3702 | typedef int mpo_system_check_host_priv_t( | |
3703 | kauth_cred_t cred | |
3704 | ); | |
3705 | /** | |
3706 | @brief Access control check for obtaining system information | |
3707 | @param cred Subject credential | |
3708 | @param info_type A description of the information requested | |
3709 | ||
3710 | Determine whether the subject identified by the credential should be | |
3711 | allowed to obtain information about the system. | |
3712 | ||
3713 | This is a generic hook that can be used in a variety of situations where | |
3714 | information is being returned that might be considered sensitive. | |
3715 | Rather than adding a new MAC hook for every such interface, this hook can | |
3716 | be called with a string identifying the type of information requested. | |
3717 | ||
3718 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3719 | errno should be returned. | |
3720 | */ | |
3721 | typedef int mpo_system_check_info_t( | |
3722 | kauth_cred_t cred, | |
3723 | const char *info_type | |
3724 | ); | |
3725 | /** | |
3726 | @brief Access control check for calling NFS services | |
3727 | @param cred Subject credential | |
3728 | ||
3729 | Determine whether the subject identified by the credential should be | |
3730 | allowed to call nfssrv(2). | |
3731 | ||
3732 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3733 | errno should be returned. | |
3734 | */ | |
3735 | typedef int mpo_system_check_nfsd_t( | |
3736 | kauth_cred_t cred | |
3737 | ); | |
3738 | /** | |
3739 | @brief Access control check for reboot | |
3740 | @param cred Subject credential | |
3741 | @param howto howto parameter from reboot(2) | |
3742 | ||
3743 | Determine whether the subject identified by the credential should be | |
3744 | allowed to reboot the system in the specified manner. | |
3745 | ||
3746 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3747 | errno should be returned. | |
3748 | */ | |
3749 | typedef int mpo_system_check_reboot_t( | |
3750 | kauth_cred_t cred, | |
3751 | int howto | |
3752 | ); | |
3753 | /** | |
3754 | @brief Access control check for setting system clock | |
3755 | @param cred Subject credential | |
3756 | ||
3757 | Determine whether the subject identified by the credential should be | |
3758 | allowed to set the system clock. | |
3759 | ||
3760 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3761 | errno should be returned. | |
3762 | */ | |
3763 | typedef int mpo_system_check_settime_t( | |
3764 | kauth_cred_t cred | |
3765 | ); | |
3766 | /** | |
3767 | @brief Access control check for removing swap devices | |
3768 | @param cred Subject credential | |
3769 | @param vp Swap device | |
3770 | @param label Label associated with vp | |
3771 | ||
3772 | Determine whether the subject identified by the credential should be | |
3773 | allowed to remove vp as a swap device. | |
3774 | ||
3775 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3776 | errno should be returned. | |
3777 | */ | |
3778 | typedef int mpo_system_check_swapoff_t( | |
3779 | kauth_cred_t cred, | |
3780 | struct vnode *vp, | |
3781 | struct label *label | |
3782 | ); | |
3783 | /** | |
3784 | @brief Access control check for adding swap devices | |
3785 | @param cred Subject credential | |
3786 | @param vp Swap device | |
3787 | @param label Label associated with vp | |
3788 | ||
3789 | Determine whether the subject identified by the credential should be | |
3790 | allowed to add vp as a swap device. | |
3791 | ||
3792 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3793 | errno should be returned. | |
3794 | */ | |
3795 | typedef int mpo_system_check_swapon_t( | |
3796 | kauth_cred_t cred, | |
3797 | struct vnode *vp, | |
3798 | struct label *label | |
3799 | ); | |
3800 | /** | |
3801 | @brief Access control check for sysctl | |
3802 | @param cred Subject credential | |
3803 | @param namestring String representation of sysctl name. | |
3804 | @param name Integer name; see sysctl(3) | |
3805 | @param namelen Length of name array of integers; see sysctl(3) | |
3806 | @param old 0 or address where to store old value; see sysctl(3) | |
3807 | @param oldlen Length of old buffer; see sysctl(3) | |
3808 | @param newvalue 0 or address of new value; see sysctl(3) | |
3809 | @param newlen Length of new buffer; see sysctl(3) | |
3810 | ||
3811 | Determine whether the subject identified by the credential should be | |
3812 | allowed to make the specified sysctl(3) transaction. | |
3813 | ||
3814 | The sysctl(3) call specifies that if the old value is not desired, | |
3815 | oldp and oldlenp should be set to NULL. Likewise, if a new value is | |
3816 | not to be set, newp should be set to NULL and newlen set to 0. | |
3817 | ||
3818 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3819 | errno should be returned. | |
3820 | */ | |
3821 | typedef int mpo_system_check_sysctlbyname_t( | |
3822 | kauth_cred_t cred, | |
3823 | const char *namestring, | |
3824 | int *name, | |
3825 | u_int namelen, | |
3826 | user_addr_t old, /* NULLOK */ | |
3827 | size_t oldlen, | |
3828 | user_addr_t newvalue, /* NULLOK */ | |
3829 | size_t newlen | |
3830 | ); | |
3831 | /** | |
3832 | @brief Access control check for kas_info | |
3833 | @param cred Subject credential | |
3834 | @param selector Category of information to return. See kas_info.h | |
3835 | ||
3836 | Determine whether the subject identified by the credential can perform | |
3837 | introspection of the kernel address space layout for | |
3838 | debugging/performance analysis. | |
3839 | ||
3840 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3841 | errno should be returned. | |
3842 | */ | |
3843 | typedef int mpo_system_check_kas_info_t( | |
3844 | kauth_cred_t cred, | |
3845 | int selector | |
3846 | ); | |
3847 | /** | |
3848 | @brief Create a System V message label | |
3849 | @param cred Subject credential | |
3850 | @param msqkptr The message queue the message will be placed in | |
3851 | @param msqlabel The label of the message queue | |
3852 | @param msgptr The message | |
3853 | @param msglabel The label of the message | |
3854 | ||
3855 | Label the message as its placed in the message queue. | |
3856 | */ | |
3857 | typedef void mpo_sysvmsg_label_associate_t( | |
3858 | kauth_cred_t cred, | |
3859 | struct msqid_kernel *msqptr, | |
3860 | struct label *msqlabel, | |
3861 | struct msg *msgptr, | |
3862 | struct label *msglabel | |
3863 | ); | |
3864 | /** | |
3865 | @brief Destroy System V message label | |
3866 | @param label The label to be destroyed | |
3867 | ||
3868 | Destroy a System V message label. Since the object is | |
3869 | going out of scope, policy modules should free any internal storage | |
3870 | associated with the label so that it may be destroyed. | |
3871 | */ | |
3872 | typedef void mpo_sysvmsg_label_destroy_t( | |
3873 | struct label *label | |
3874 | ); | |
3875 | /** | |
3876 | @brief Initialize System V message label | |
3877 | @param label New label to initialize | |
3878 | ||
3879 | Initialize the label for a newly instantiated System V message. | |
3880 | */ | |
3881 | typedef void mpo_sysvmsg_label_init_t( | |
3882 | struct label *label | |
3883 | ); | |
3884 | /** | |
3885 | @brief Clean up a System V message label | |
3886 | @param label The label to be destroyed | |
3887 | ||
3888 | Clean up a System V message label. Darwin pre-allocates | |
3889 | messages at system boot time and re-uses them rather than | |
3890 | allocating new ones. Before messages are returned to the "free | |
3891 | pool", policies can cleanup or overwrite any information present in | |
3892 | the label. | |
3893 | */ | |
3894 | typedef void mpo_sysvmsg_label_recycle_t( | |
3895 | struct label *label | |
3896 | ); | |
3897 | /** | |
3898 | @brief Access control check for System V message enqueuing | |
3899 | @param cred Subject credential | |
3900 | @param msgptr The message | |
3901 | @param msglabel The message's label | |
3902 | @param msqkptr The message queue | |
3903 | @param msqlabel The message queue's label | |
3904 | ||
3905 | Determine whether the subject identified by the credential can add the | |
3906 | given message to the given message queue. | |
3907 | ||
3908 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3909 | errno should be returned. | |
3910 | */ | |
3911 | typedef int mpo_sysvmsq_check_enqueue_t( | |
3912 | kauth_cred_t cred, | |
3913 | struct msg *msgptr, | |
3914 | struct label *msglabel, | |
3915 | struct msqid_kernel *msqptr, | |
3916 | struct label *msqlabel | |
3917 | ); | |
3918 | /** | |
3919 | @brief Access control check for System V message reception | |
3920 | @param cred The credential of the intended recipient | |
3921 | @param msgptr The message | |
3922 | @param msglabel The message's label | |
3923 | ||
3924 | Determine whether the subject identified by the credential can receive | |
3925 | the given message. | |
3926 | ||
3927 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3928 | errno should be returned. | |
3929 | */ | |
3930 | typedef int mpo_sysvmsq_check_msgrcv_t( | |
3931 | kauth_cred_t cred, | |
3932 | struct msg *msgptr, | |
3933 | struct label *msglabel | |
3934 | ); | |
3935 | /** | |
3936 | @brief Access control check for System V message queue removal | |
3937 | @param cred The credential of the caller | |
3938 | @param msgptr The message | |
3939 | @param msglabel The message's label | |
3940 | ||
3941 | System V message queues are removed using the msgctl() system call. | |
3942 | The system will iterate over each messsage in the queue, calling this | |
3943 | function for each, to determine whether the caller has the appropriate | |
3944 | credentials. | |
3945 | ||
3946 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3947 | errno should be returned. | |
3948 | */ | |
3949 | typedef int mpo_sysvmsq_check_msgrmid_t( | |
3950 | kauth_cred_t cred, | |
3951 | struct msg *msgptr, | |
3952 | struct label *msglabel | |
3953 | ); | |
3954 | /** | |
3955 | @brief Access control check for msgctl() | |
3956 | @param cred The credential of the caller | |
3957 | @param msqptr The message queue | |
3958 | @param msqlabel The message queue's label | |
3959 | ||
3960 | This access check is performed to validate calls to msgctl(). | |
3961 | ||
3962 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3963 | errno should be returned. | |
3964 | */ | |
3965 | typedef int mpo_sysvmsq_check_msqctl_t( | |
3966 | kauth_cred_t cred, | |
3967 | struct msqid_kernel *msqptr, | |
3968 | struct label *msqlabel, | |
3969 | int cmd | |
3970 | ); | |
3971 | /** | |
3972 | @brief Access control check to get a System V message queue | |
3973 | @param cred The credential of the caller | |
3974 | @param msqptr The message queue requested | |
3975 | @param msqlabel The message queue's label | |
3976 | ||
3977 | On a call to msgget(), if the queue requested already exists, | |
3978 | and it is a public queue, this check will be performed before the | |
3979 | queue's ID is returned to the user. | |
3980 | ||
3981 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3982 | errno should be returned. | |
3983 | */ | |
3984 | typedef int mpo_sysvmsq_check_msqget_t( | |
3985 | kauth_cred_t cred, | |
3986 | struct msqid_kernel *msqptr, | |
3987 | struct label *msqlabel | |
3988 | ); | |
3989 | /** | |
3990 | @brief Access control check to receive a System V message from the given queue | |
3991 | @param cred The credential of the caller | |
3992 | @param msqptr The message queue to receive from | |
3993 | @param msqlabel The message queue's label | |
3994 | ||
3995 | On a call to msgrcv(), this check is performed to determine whether the | |
3996 | caller has receive rights on the given queue. | |
3997 | ||
3998 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3999 | errno should be returned. | |
4000 | */ | |
4001 | typedef int mpo_sysvmsq_check_msqrcv_t( | |
4002 | kauth_cred_t cred, | |
4003 | struct msqid_kernel *msqptr, | |
4004 | struct label *msqlabel | |
4005 | ); | |
4006 | /** | |
4007 | @brief Access control check to send a System V message to the given queue | |
4008 | @param cred The credential of the caller | |
4009 | @param msqptr The message queue to send to | |
4010 | @param msqlabel The message queue's label | |
4011 | ||
4012 | On a call to msgsnd(), this check is performed to determine whether the | |
4013 | caller has send rights on the given queue. | |
4014 | ||
4015 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4016 | errno should be returned. | |
4017 | */ | |
4018 | typedef int mpo_sysvmsq_check_msqsnd_t( | |
4019 | kauth_cred_t cred, | |
4020 | struct msqid_kernel *msqptr, | |
4021 | struct label *msqlabel | |
4022 | ); | |
4023 | /** | |
4024 | @brief Create a System V message queue label | |
4025 | @param cred Subject credential | |
4026 | @param msqkptr The message queue | |
4027 | @param msqlabel The label of the message queue | |
4028 | ||
4029 | */ | |
4030 | typedef void mpo_sysvmsq_label_associate_t( | |
4031 | kauth_cred_t cred, | |
4032 | struct msqid_kernel *msqptr, | |
4033 | struct label *msqlabel | |
4034 | ); | |
4035 | /** | |
4036 | @brief Destroy System V message queue label | |
4037 | @param label The label to be destroyed | |
4038 | ||
4039 | Destroy a System V message queue label. Since the object is | |
4040 | going out of scope, policy modules should free any internal storage | |
4041 | associated with the label so that it may be destroyed. | |
4042 | */ | |
4043 | typedef void mpo_sysvmsq_label_destroy_t( | |
4044 | struct label *label | |
4045 | ); | |
4046 | /** | |
4047 | @brief Initialize System V message queue label | |
4048 | @param label New label to initialize | |
4049 | ||
4050 | Initialize the label for a newly instantiated System V message queue. | |
4051 | */ | |
4052 | typedef void mpo_sysvmsq_label_init_t( | |
4053 | struct label *label | |
4054 | ); | |
4055 | /** | |
4056 | @brief Clean up a System V message queue label | |
4057 | @param label The label to be destroyed | |
4058 | ||
4059 | Clean up a System V message queue label. Darwin pre-allocates | |
4060 | message queues at system boot time and re-uses them rather than | |
4061 | allocating new ones. Before message queues are returned to the "free | |
4062 | pool", policies can cleanup or overwrite any information present in | |
4063 | the label. | |
4064 | */ | |
4065 | typedef void mpo_sysvmsq_label_recycle_t( | |
4066 | struct label *label | |
4067 | ); | |
4068 | /** | |
4069 | @brief Access control check for System V semaphore control operation | |
4070 | @param cred Subject credential | |
4071 | @param semakptr Pointer to semaphore identifier | |
4072 | @param semaklabel Label associated with semaphore | |
4073 | @param cmd Control operation to be performed; see semctl(2) | |
4074 | ||
4075 | Determine whether the subject identified by the credential can perform | |
4076 | the operation indicated by cmd on the System V semaphore semakptr. | |
4077 | ||
4078 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4079 | errno should be returned. | |
4080 | */ | |
4081 | typedef int mpo_sysvsem_check_semctl_t( | |
4082 | kauth_cred_t cred, | |
4083 | struct semid_kernel *semakptr, | |
4084 | struct label *semaklabel, | |
4085 | int cmd | |
4086 | ); | |
4087 | /** | |
4088 | @brief Access control check for obtaining a System V semaphore | |
4089 | @param cred Subject credential | |
4090 | @param semakptr Pointer to semaphore identifier | |
4091 | @param semaklabel Label to associate with the semaphore | |
4092 | ||
4093 | Determine whether the subject identified by the credential can | |
4094 | obtain a System V semaphore. | |
4095 | ||
4096 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4097 | errno should be returned. | |
4098 | */ | |
4099 | typedef int mpo_sysvsem_check_semget_t( | |
4100 | kauth_cred_t cred, | |
4101 | struct semid_kernel *semakptr, | |
4102 | struct label *semaklabel | |
4103 | ); | |
4104 | /** | |
4105 | @brief Access control check for System V semaphore operations | |
4106 | @param cred Subject credential | |
4107 | @param semakptr Pointer to semaphore identifier | |
4108 | @param semaklabel Label associated with the semaphore | |
4109 | @param accesstype Flags to indicate access (read and/or write) | |
4110 | ||
4111 | Determine whether the subject identified by the credential can | |
4112 | perform the operations on the System V semaphore indicated by | |
4113 | semakptr. The accesstype flags hold the maximum set of permissions | |
4114 | from the sem_op array passed to the semop system call. It may | |
4115 | contain SEM_R for read-only operations or SEM_A for read/write | |
4116 | operations. | |
4117 | ||
4118 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4119 | errno should be returned. | |
4120 | */ | |
4121 | typedef int mpo_sysvsem_check_semop_t( | |
4122 | kauth_cred_t cred, | |
4123 | struct semid_kernel *semakptr, | |
4124 | struct label *semaklabel, | |
4125 | size_t accesstype | |
4126 | ); | |
4127 | /** | |
4128 | @brief Create a System V semaphore label | |
4129 | @param cred Subject credential | |
4130 | @param semakptr The semaphore being created | |
4131 | @param semalabel Label to associate with the new semaphore | |
4132 | ||
4133 | Label a new System V semaphore. The label was previously | |
4134 | initialized and associated with the semaphore. At this time, an | |
4135 | appropriate initial label value should be assigned to the object and | |
4136 | stored in semalabel. | |
4137 | */ | |
4138 | typedef void mpo_sysvsem_label_associate_t( | |
4139 | kauth_cred_t cred, | |
4140 | struct semid_kernel *semakptr, | |
4141 | struct label *semalabel | |
4142 | ); | |
4143 | /** | |
4144 | @brief Destroy System V semaphore label | |
4145 | @param label The label to be destroyed | |
4146 | ||
4147 | Destroy a System V semaphore label. Since the object is | |
4148 | going out of scope, policy modules should free any internal storage | |
4149 | associated with the label so that it may be destroyed. | |
4150 | */ | |
4151 | typedef void mpo_sysvsem_label_destroy_t( | |
4152 | struct label *label | |
4153 | ); | |
4154 | /** | |
4155 | @brief Initialize System V semaphore label | |
4156 | @param label New label to initialize | |
4157 | ||
4158 | Initialize the label for a newly instantiated System V semaphore. Sleeping | |
4159 | is permitted. | |
4160 | */ | |
4161 | typedef void mpo_sysvsem_label_init_t( | |
4162 | struct label *label | |
4163 | ); | |
4164 | /** | |
4165 | @brief Clean up a System V semaphore label | |
4166 | @param label The label to be cleaned | |
4167 | ||
4168 | Clean up a System V semaphore label. Darwin pre-allocates | |
4169 | semaphores at system boot time and re-uses them rather than | |
4170 | allocating new ones. Before semaphores are returned to the "free | |
4171 | pool", policies can cleanup or overwrite any information present in | |
4172 | the label. | |
4173 | */ | |
4174 | typedef void mpo_sysvsem_label_recycle_t( | |
4175 | struct label *label | |
4176 | ); | |
4177 | /** | |
4178 | @brief Access control check for mapping System V shared memory | |
4179 | @param cred Subject credential | |
4180 | @param shmsegptr Pointer to shared memory segment identifier | |
4181 | @param shmseglabel Label associated with the shared memory segment | |
4182 | @param shmflg shmat flags; see shmat(2) | |
4183 | ||
4184 | Determine whether the subject identified by the credential can map | |
4185 | the System V shared memory segment associated with shmsegptr. | |
4186 | ||
4187 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4188 | errno should be returned. | |
4189 | */ | |
4190 | typedef int mpo_sysvshm_check_shmat_t( | |
4191 | kauth_cred_t cred, | |
4192 | struct shmid_kernel *shmsegptr, | |
4193 | struct label *shmseglabel, | |
4194 | int shmflg | |
4195 | ); | |
4196 | /** | |
4197 | @brief Access control check for System V shared memory control operation | |
4198 | @param cred Subject credential | |
4199 | @param shmsegptr Pointer to shared memory segment identifier | |
4200 | @param shmseglabel Label associated with the shared memory segment | |
4201 | @param cmd Control operation to be performed; see shmctl(2) | |
4202 | ||
4203 | Determine whether the subject identified by the credential can perform | |
4204 | the operation indicated by cmd on the System V shared memory segment | |
4205 | shmsegptr. | |
4206 | ||
4207 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4208 | errno should be returned. | |
4209 | */ | |
4210 | typedef int mpo_sysvshm_check_shmctl_t( | |
4211 | kauth_cred_t cred, | |
4212 | struct shmid_kernel *shmsegptr, | |
4213 | struct label *shmseglabel, | |
4214 | int cmd | |
4215 | ); | |
4216 | /** | |
4217 | @brief Access control check for unmapping System V shared memory | |
4218 | @param cred Subject credential | |
4219 | @param shmsegptr Pointer to shared memory segment identifier | |
4220 | @param shmseglabel Label associated with the shared memory segment | |
4221 | ||
4222 | Determine whether the subject identified by the credential can unmap | |
4223 | the System V shared memory segment associated with shmsegptr. | |
4224 | ||
4225 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4226 | errno should be returned. | |
4227 | */ | |
4228 | typedef int mpo_sysvshm_check_shmdt_t( | |
4229 | kauth_cred_t cred, | |
4230 | struct shmid_kernel *shmsegptr, | |
4231 | struct label *shmseglabel | |
4232 | ); | |
4233 | /** | |
4234 | @brief Access control check obtaining System V shared memory identifier | |
4235 | @param cred Subject credential | |
4236 | @param shmsegptr Pointer to shared memory segment identifier | |
4237 | @param shmseglabel Label associated with the shared memory segment | |
4238 | @param shmflg shmget flags; see shmget(2) | |
4239 | ||
4240 | Determine whether the subject identified by the credential can get | |
4241 | the System V shared memory segment address. | |
4242 | ||
4243 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4244 | errno should be returned. | |
4245 | */ | |
4246 | typedef int mpo_sysvshm_check_shmget_t( | |
4247 | kauth_cred_t cred, | |
4248 | struct shmid_kernel *shmsegptr, | |
4249 | struct label *shmseglabel, | |
4250 | int shmflg | |
4251 | ); | |
4252 | /** | |
4253 | @brief Create a System V shared memory region label | |
4254 | @param cred Subject credential | |
4255 | @param shmsegptr The shared memory region being created | |
4256 | @param shmlabel Label to associate with the new shared memory region | |
4257 | ||
4258 | Label a new System V shared memory region. The label was previously | |
4259 | initialized and associated with the shared memory region. At this | |
4260 | time, an appropriate initial label value should be assigned to the | |
4261 | object and stored in shmlabel. | |
4262 | */ | |
4263 | typedef void mpo_sysvshm_label_associate_t( | |
4264 | kauth_cred_t cred, | |
4265 | struct shmid_kernel *shmsegptr, | |
4266 | struct label *shmlabel | |
4267 | ); | |
4268 | /** | |
4269 | @brief Destroy System V shared memory label | |
4270 | @param label The label to be destroyed | |
4271 | ||
4272 | Destroy a System V shared memory region label. Since the | |
4273 | object is going out of scope, policy modules should free any | |
4274 | internal storage associated with the label so that it may be | |
4275 | destroyed. | |
4276 | */ | |
4277 | typedef void mpo_sysvshm_label_destroy_t( | |
4278 | struct label *label | |
4279 | ); | |
4280 | /** | |
4281 | @brief Initialize System V Shared Memory region label | |
4282 | @param label New label to initialize | |
4283 | ||
4284 | Initialize the label for a newly instantiated System V Shared Memory | |
4285 | region. Sleeping is permitted. | |
4286 | */ | |
4287 | typedef void mpo_sysvshm_label_init_t( | |
4288 | struct label *label | |
4289 | ); | |
4290 | /** | |
4291 | @brief Clean up a System V Share Memory Region label | |
4292 | @param shmlabel The label to be cleaned | |
4293 | ||
4294 | Clean up a System V Shared Memory Region label. Darwin | |
4295 | pre-allocates these objects at system boot time and re-uses them | |
4296 | rather than allocating new ones. Before the memory regions are | |
4297 | returned to the "free pool", policies can cleanup or overwrite any | |
4298 | information present in the label. | |
4299 | */ | |
4300 | typedef void mpo_sysvshm_label_recycle_t( | |
4301 | struct label *shmlabel | |
4302 | ); | |
4303 | /** | |
4304 | @brief Access control check for getting a process's task name | |
4305 | @param cred Subject credential | |
4306 | @param proc Object process | |
4307 | ||
4308 | Determine whether the subject identified by the credential can get | |
4309 | the passed process's task name port. | |
4310 | This call is used by the task_name_for_pid(2) API. | |
4311 | ||
4312 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4313 | errno should be returned. Suggested failure: EACCES for label mismatch, | |
4314 | EPERM for lack of privilege, or ESRCH to hide visibility of the target. | |
4315 | */ | |
4316 | typedef int mpo_proc_check_get_task_name_t( | |
4317 | kauth_cred_t cred, | |
4318 | struct proc *p | |
4319 | ); | |
4320 | /** | |
4321 | @brief Access control check for getting a process's task port | |
4322 | @param cred Subject credential | |
4323 | @param proc Object process | |
4324 | ||
4325 | Determine whether the subject identified by the credential can get | |
4326 | the passed process's task control port. | |
4327 | This call is used by the task_for_pid(2) API. | |
4328 | ||
4329 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4330 | errno should be returned. Suggested failure: EACCES for label mismatch, | |
4331 | EPERM for lack of privilege, or ESRCH to hide visibility of the target. | |
4332 | */ | |
4333 | typedef int mpo_proc_check_get_task_t( | |
4334 | kauth_cred_t cred, | |
4335 | struct proc *p | |
4336 | ); | |
4337 | ||
4338 | /** | |
4339 | @brief Check whether task's IPC may inherit across process exec | |
4340 | @param proc current process instance | |
4341 | @param cur_vp vnode pointer to current instance | |
4342 | @param cur_offset offset of binary of currently executing image | |
4343 | @param img_vp vnode pointer to to be exec'ed image | |
4344 | @param img_offset offset into file which is selected for execution | |
4345 | @param scriptvp vnode pointer of script file if any. | |
4346 | @return Return 0 if access is granted. | |
4347 | EPERM if parent does not have any entitlements. | |
4348 | EACCESS if mismatch in entitlements | |
4349 | */ | |
4350 | typedef int mpo_proc_check_inherit_ipc_ports_t( | |
4351 | struct proc *p, | |
4352 | struct vnode *cur_vp, | |
4353 | off_t cur_offset, | |
4354 | struct vnode *img_vp, | |
4355 | off_t img_offset, | |
4356 | struct vnode *scriptvp | |
4357 | ); | |
4358 | ||
4359 | /** | |
4360 | @brief Privilege check for a process to run invalid | |
4361 | @param proc Object process | |
4362 | ||
4363 | Determine whether the process may execute even though the system determined | |
4364 | that it is untrusted (eg unidentified / modified code). | |
4365 | ||
4366 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4367 | errno should be returned. | |
4368 | */ | |
4369 | typedef int mac_proc_check_run_cs_invalid_t( | |
4370 | struct proc *p | |
4371 | ); | |
4372 | ||
4373 | /** | |
4374 | @brief Perform MAC-related events when a thread returns to user space | |
4375 | @param thread Mach (not BSD) thread that is returning | |
4376 | ||
4377 | This entry point permits policy modules to perform MAC-related | |
4378 | events when a thread returns to user space, via a system call | |
4379 | return or trap return. | |
4380 | */ | |
4381 | typedef void mpo_thread_userret_t( | |
4382 | struct thread *thread | |
4383 | ); | |
4384 | /** | |
4385 | @brief Initialize per thread label | |
4386 | @param label New label to initialize | |
4387 | ||
4388 | Initialize the label for a newly instantiated thread. | |
4389 | Sleeping is permitted. | |
4390 | */ | |
4391 | typedef void mpo_thread_label_init_t( | |
4392 | struct label *label | |
4393 | ); | |
4394 | /** | |
4395 | @brief Destroy thread label | |
4396 | @param label The label to be destroyed | |
4397 | ||
4398 | Destroy a user thread label. Since the user thread | |
4399 | is going out of scope, policy modules should free any internal | |
4400 | storage associated with the label so that it may be destroyed. | |
4401 | */ | |
4402 | typedef void mpo_thread_label_destroy_t( | |
4403 | struct label *label | |
4404 | ); | |
4405 | /** | |
4406 | @brief Check vnode access | |
4407 | @param cred Subject credential | |
4408 | @param vp Object vnode | |
4409 | @param label Label for vp | |
4410 | @param acc_mode access(2) flags | |
4411 | ||
4412 | Determine how invocations of access(2) and related calls by the | |
4413 | subject identified by the credential should return when performed | |
4414 | on the passed vnode using the passed access flags. This should | |
4415 | generally be implemented using the same semantics used in | |
4416 | mpo_vnode_check_open. | |
4417 | ||
4418 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4419 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4420 | EPERM for lack of privilege. | |
4421 | */ | |
4422 | typedef int mpo_vnode_check_access_t( | |
4423 | kauth_cred_t cred, | |
4424 | struct vnode *vp, | |
4425 | struct label *label, | |
4426 | int acc_mode | |
4427 | ); | |
4428 | /** | |
4429 | @brief Access control check for changing working directory | |
4430 | @param cred Subject credential | |
4431 | @param dvp Object; vnode to chdir(2) into | |
4432 | @param dlabel Policy label for dvp | |
4433 | ||
4434 | Determine whether the subject identified by the credential can change | |
4435 | the process working directory to the passed vnode. | |
4436 | ||
4437 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4438 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4439 | EPERM for lack of privilege. | |
4440 | */ | |
4441 | typedef int mpo_vnode_check_chdir_t( | |
4442 | kauth_cred_t cred, | |
4443 | struct vnode *dvp, | |
4444 | struct label *dlabel | |
4445 | ); | |
4446 | /** | |
4447 | @brief Access control check for changing root directory | |
4448 | @param cred Subject credential | |
4449 | @param dvp Directory vnode | |
4450 | @param dlabel Policy label associated with dvp | |
4451 | @param cnp Component name for dvp | |
4452 | ||
4453 | Determine whether the subject identified by the credential should be | |
4454 | allowed to chroot(2) into the specified directory (dvp). | |
4455 | ||
4456 | @return In the event of an error, an appropriate value for errno | |
4457 | should be returned, otherwise return 0 upon success. | |
4458 | */ | |
4459 | typedef int mpo_vnode_check_chroot_t( | |
4460 | kauth_cred_t cred, | |
4461 | struct vnode *dvp, | |
4462 | struct label *dlabel, | |
4463 | struct componentname *cnp | |
4464 | ); | |
4465 | /** | |
4466 | @brief Access control check for creating vnode | |
4467 | @param cred Subject credential | |
4468 | @param dvp Directory vnode | |
4469 | @param dlabel Policy label for dvp | |
4470 | @param cnp Component name for dvp | |
4471 | @param vap vnode attributes for vap | |
4472 | ||
4473 | Determine whether the subject identified by the credential can create | |
4474 | a vnode with the passed parent directory, passed name information, | |
4475 | and passed attribute information. This call may be made in a number of | |
4476 | situations, including as a result of calls to open(2) with O_CREAT, | |
4477 | mknod(2), mkfifo(2), and others. | |
4478 | ||
4479 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4480 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4481 | EPERM for lack of privilege. | |
4482 | */ | |
4483 | typedef int mpo_vnode_check_create_t( | |
4484 | kauth_cred_t cred, | |
4485 | struct vnode *dvp, | |
4486 | struct label *dlabel, | |
4487 | struct componentname *cnp, | |
4488 | struct vnode_attr *vap | |
4489 | ); | |
4490 | /** | |
4491 | @brief Access control check for deleting extended attribute | |
4492 | @param cred Subject credential | |
4493 | @param vp Object vnode | |
4494 | @param vlabel Label associated with vp | |
4495 | @param name Extended attribute name | |
4496 | ||
4497 | Determine whether the subject identified by the credential can delete | |
4498 | the extended attribute from the passed vnode. | |
4499 | ||
4500 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4501 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4502 | EPERM for lack of privilege. | |
4503 | */ | |
4504 | typedef int mpo_vnode_check_deleteextattr_t( | |
4505 | kauth_cred_t cred, | |
4506 | struct vnode *vp, | |
4507 | struct label *vlabel, | |
4508 | const char *name | |
4509 | ); | |
4510 | /** | |
4511 | @brief Access control check for exchanging file data | |
4512 | @param cred Subject credential | |
4513 | @param v1 vnode 1 to swap | |
4514 | @param vl1 Policy label for v1 | |
4515 | @param v2 vnode 2 to swap | |
4516 | @param vl2 Policy label for v2 | |
4517 | ||
4518 | Determine whether the subject identified by the credential can swap the data | |
4519 | in the two supplied vnodes. | |
4520 | ||
4521 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4522 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4523 | EPERM for lack of privilege. | |
4524 | */ | |
4525 | typedef int mpo_vnode_check_exchangedata_t( | |
4526 | kauth_cred_t cred, | |
4527 | struct vnode *v1, | |
4528 | struct label *vl1, | |
4529 | struct vnode *v2, | |
4530 | struct label *vl2 | |
4531 | ); | |
4532 | /** | |
4533 | @brief Access control check for executing the vnode | |
4534 | @param cred Subject credential | |
4535 | @param vp Object vnode to execute | |
4536 | @param scriptvp Script being executed by interpreter, if any. | |
4537 | @param vnodelabel Label corresponding to vp | |
4538 | @param scriptvnodelabel Script vnode label | |
4539 | @param execlabel Userspace provided execution label | |
4540 | @param cnp Component name for file being executed | |
4541 | @param macpolicyattr MAC policy-specific spawn attribute data. | |
4542 | @param macpolicyattrlen Length of policy-specific spawn attribute data. | |
4543 | ||
4544 | Determine whether the subject identified by the credential can execute | |
4545 | the passed vnode. Determination of execute privilege is made separately | |
4546 | from decisions about any process label transitioning event. | |
4547 | ||
4548 | The final label, execlabel, corresponds to a label supplied by a | |
4549 | user space application through the use of the mac_execve system call. | |
4550 | This label will be NULL if the user application uses the the vendor | |
4551 | execve(2) call instead of the MAC Framework mac_execve() call. | |
4552 | ||
4553 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4554 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4555 | EPERM for lack of privilege. | |
4556 | */ | |
4557 | typedef int mpo_vnode_check_exec_t( | |
4558 | kauth_cred_t cred, | |
4559 | struct vnode *vp, | |
4560 | struct vnode *scriptvp, | |
4561 | struct label *vnodelabel, | |
4562 | struct label *scriptlabel, | |
4563 | struct label *execlabel, /* NULLOK */ | |
4564 | struct componentname *cnp, | |
4565 | u_int *csflags, | |
4566 | void *macpolicyattr, | |
4567 | size_t macpolicyattrlen | |
4568 | ); | |
4569 | /** | |
4570 | @brief Access control check for fsgetpath | |
4571 | @param cred Subject credential | |
4572 | @param vp Vnode for which a path will be returned | |
4573 | @param label Label associated with the vnode | |
4574 | ||
4575 | Determine whether the subject identified by the credential can get the path | |
4576 | of the given vnode with fsgetpath. | |
4577 | ||
4578 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4579 | errno should be returned. | |
4580 | */ | |
4581 | typedef int mpo_vnode_check_fsgetpath_t( | |
4582 | kauth_cred_t cred, | |
4583 | struct vnode *vp, | |
4584 | struct label *label | |
4585 | ); | |
4586 | /** | |
4587 | @brief Access control check after determining the code directory hash | |
4588 | */ | |
4589 | typedef int mpo_vnode_check_signature_t(struct vnode *vp, struct label *label, | |
4590 | off_t macho_offset, unsigned char *sha1, | |
4591 | const void *signature, int size, | |
4592 | int *is_platform_binary); | |
4593 | ||
4594 | /** | |
4595 | @brief Access control check for retrieving file attributes | |
4596 | @param cred Subject credential | |
4597 | @param vp Object vnode | |
4598 | @param vlabel Policy label for vp | |
4599 | @param alist List of attributes to retrieve | |
4600 | ||
4601 | Determine whether the subject identified by the credential can read | |
4602 | various attributes of the specified vnode, or the filesystem or volume on | |
4603 | which that vnode resides. See <sys/attr.h> for definitions of the | |
4604 | attributes. | |
4605 | ||
4606 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4607 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4608 | EPERM for lack of privilege. Access control covers all attributes requested | |
4609 | with this call; the security policy is not permitted to change the set of | |
4610 | attributes requested. | |
4611 | */ | |
4612 | typedef int mpo_vnode_check_getattrlist_t( | |
4613 | kauth_cred_t cred, | |
4614 | struct vnode *vp, | |
4615 | struct label *vlabel, | |
4616 | struct attrlist *alist | |
4617 | ); | |
4618 | /** | |
4619 | @brief Access control check for retrieving an extended attribute | |
4620 | @param cred Subject credential | |
4621 | @param vp Object vnode | |
4622 | @param label Policy label for vp | |
4623 | @param name Extended attribute name | |
4624 | @param uio I/O structure pointer | |
4625 | ||
4626 | Determine whether the subject identified by the credential can retrieve | |
4627 | the extended attribute from the passed vnode. The uio parameter | |
4628 | will be NULL when the getxattr(2) call has been made with a NULL data | |
4629 | value; this is done to request the size of the data only. | |
4630 | ||
4631 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4632 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4633 | EPERM for lack of privilege. | |
4634 | */ | |
4635 | typedef int mpo_vnode_check_getextattr_t( | |
4636 | kauth_cred_t cred, | |
4637 | struct vnode *vp, | |
4638 | struct label *label, /* NULLOK */ | |
4639 | const char *name, | |
4640 | struct uio *uio /* NULLOK */ | |
4641 | ); | |
4642 | /** | |
4643 | @brief Access control check for ioctl | |
4644 | @param cred Subject credential | |
4645 | @param vp Object vnode | |
4646 | @param label Policy label for vp | |
4647 | @param com Device-dependent request code; see ioctl(2) | |
4648 | ||
4649 | Determine whether the subject identified by the credential can perform | |
4650 | the ioctl operation indicated by com. | |
4651 | ||
4652 | @warning Since ioctl data is opaque from the standpoint of the MAC | |
4653 | framework, and since ioctls can affect many aspects of system | |
4654 | operation, policies must exercise extreme care when implementing | |
4655 | access control checks. | |
4656 | ||
4657 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4658 | errno should be returned. | |
4659 | */ | |
4660 | typedef int mpo_vnode_check_ioctl_t( | |
4661 | kauth_cred_t cred, | |
4662 | struct vnode *vp, | |
4663 | struct label *label, | |
4664 | unsigned int cmd | |
4665 | ); | |
4666 | /** | |
4667 | @brief Access control check for vnode kqfilter | |
4668 | @param cred Subject credential | |
4669 | @param kn Object knote | |
4670 | @param vp Object vnode | |
4671 | @param label Policy label for vp | |
4672 | ||
4673 | Determine whether the subject identified by the credential can | |
4674 | receive the knote on the passed vnode. | |
4675 | ||
4676 | @return Return 0 if access if granted, otherwise an appropriate | |
4677 | value for errno should be returned. | |
4678 | */ | |
4679 | typedef int mpo_vnode_check_kqfilter_t( | |
4680 | kauth_cred_t active_cred, | |
4681 | kauth_cred_t file_cred, /* NULLOK */ | |
4682 | struct knote *kn, | |
4683 | struct vnode *vp, | |
4684 | struct label *label | |
4685 | ); | |
4686 | /** | |
4687 | @brief Access control check for relabel | |
4688 | @param cred Subject credential | |
4689 | @param vp Object vnode | |
4690 | @param vnodelabel Existing policy label for vp | |
4691 | @param newlabel Policy label update to later be applied to vp | |
4692 | @see mpo_relable_vnode_t | |
4693 | ||
4694 | Determine whether the subject identified by the credential can relabel | |
4695 | the passed vnode to the passed label update. If all policies permit | |
4696 | the label change, the actual relabel entry point (mpo_vnode_label_update) | |
4697 | will follow. | |
4698 | ||
4699 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4700 | errno should be returned. | |
4701 | */ | |
4702 | typedef int mpo_vnode_check_label_update_t( | |
4703 | struct ucred *cred, | |
4704 | struct vnode *vp, | |
4705 | struct label *vnodelabel, | |
4706 | struct label *newlabel | |
4707 | ); | |
4708 | /** | |
4709 | @brief Access control check for creating link | |
4710 | @param cred Subject credential | |
4711 | @param dvp Directory vnode | |
4712 | @param dlabel Policy label associated with dvp | |
4713 | @param vp Link destination vnode | |
4714 | @param label Policy label associated with vp | |
4715 | @param cnp Component name for the link being created | |
4716 | ||
4717 | Determine whether the subject identified by the credential should be | |
4718 | allowed to create a link to the vnode vp with the name specified by cnp. | |
4719 | ||
4720 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4721 | errno should be returned. | |
4722 | */ | |
4723 | typedef int mpo_vnode_check_link_t( | |
4724 | kauth_cred_t cred, | |
4725 | struct vnode *dvp, | |
4726 | struct label *dlabel, | |
4727 | struct vnode *vp, | |
4728 | struct label *label, | |
4729 | struct componentname *cnp | |
4730 | ); | |
4731 | /** | |
4732 | @brief Access control check for listing extended attributes | |
4733 | @param cred Subject credential | |
4734 | @param vp Object vnode | |
4735 | @param vlabel Policy label associated with vp | |
4736 | ||
4737 | Determine whether the subject identified by the credential can retrieve | |
4738 | a list of named extended attributes from a vnode. | |
4739 | ||
4740 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4741 | errno should be returned. | |
4742 | */ | |
4743 | typedef int mpo_vnode_check_listextattr_t( | |
4744 | kauth_cred_t cred, | |
4745 | struct vnode *vp, | |
4746 | struct label *vlabel | |
4747 | ); | |
4748 | /** | |
4749 | @brief Access control check for lookup | |
4750 | @param cred Subject credential | |
4751 | @param dvp Object vnode | |
4752 | @param dlabel Policy label for dvp | |
4753 | @param cnp Component name being looked up | |
4754 | ||
4755 | Determine whether the subject identified by the credential can perform | |
4756 | a lookup in the passed directory vnode for the passed name (cnp). | |
4757 | ||
4758 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4759 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4760 | EPERM for lack of privilege. | |
4761 | */ | |
4762 | typedef int mpo_vnode_check_lookup_t( | |
4763 | kauth_cred_t cred, | |
4764 | struct vnode *dvp, | |
4765 | struct label *dlabel, | |
4766 | struct componentname *cnp | |
4767 | ); | |
4768 | /** | |
4769 | @brief Access control check for open | |
4770 | @param cred Subject credential | |
4771 | @param vp Object vnode | |
4772 | @param label Policy label associated with vp | |
4773 | @param acc_mode open(2) access mode | |
4774 | ||
4775 | Determine whether the subject identified by the credential can perform | |
4776 | an open operation on the passed vnode with the passed access mode. | |
4777 | ||
4778 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4779 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4780 | EPERM for lack of privilege. | |
4781 | */ | |
4782 | typedef int mpo_vnode_check_open_t( | |
4783 | kauth_cred_t cred, | |
4784 | struct vnode *vp, | |
4785 | struct label *label, | |
4786 | int acc_mode | |
4787 | ); | |
4788 | /** | |
4789 | @brief Access control check for read | |
4790 | @param active_cred Subject credential | |
4791 | @param file_cred Credential associated with the struct fileproc | |
4792 | @param vp Object vnode | |
4793 | @param label Policy label for vp | |
4794 | ||
4795 | Determine whether the subject identified by the credential can perform | |
4796 | a read operation on the passed vnode. The active_cred hold the credentials | |
4797 | of the subject performing the operation, and file_cred holds the | |
4798 | credentials of the subject that originally opened the file. | |
4799 | ||
4800 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4801 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4802 | EPERM for lack of privilege. | |
4803 | */ | |
4804 | typedef int mpo_vnode_check_read_t( | |
4805 | kauth_cred_t active_cred, /* SUBJECT */ | |
4806 | kauth_cred_t file_cred, /* NULLOK */ | |
4807 | struct vnode *vp, /* OBJECT */ | |
4808 | struct label *label /* LABEL */ | |
4809 | ); | |
4810 | /** | |
4811 | @brief Access control check for read directory | |
4812 | @param cred Subject credential | |
4813 | @param dvp Object directory vnode | |
4814 | @param dlabel Policy label for dvp | |
4815 | ||
4816 | Determine whether the subject identified by the credential can | |
4817 | perform a readdir operation on the passed directory vnode. | |
4818 | ||
4819 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4820 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4821 | EPERM for lack of privilege. | |
4822 | */ | |
4823 | typedef int mpo_vnode_check_readdir_t( | |
4824 | kauth_cred_t cred, /* SUBJECT */ | |
4825 | struct vnode *dvp, /* OBJECT */ | |
4826 | struct label *dlabel /* LABEL */ | |
4827 | ); | |
4828 | /** | |
4829 | @brief Access control check for read link | |
4830 | @param cred Subject credential | |
4831 | @param vp Object vnode | |
4832 | @param label Policy label for vp | |
4833 | ||
4834 | Determine whether the subject identified by the credential can perform | |
4835 | a readlink operation on the passed symlink vnode. This call can be made | |
4836 | in a number of situations, including an explicit readlink call by the | |
4837 | user process, or as a result of an implicit readlink during a name | |
4838 | lookup by the process. | |
4839 | ||
4840 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4841 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4842 | EPERM for lack of privilege. | |
4843 | */ | |
4844 | typedef int mpo_vnode_check_readlink_t( | |
4845 | kauth_cred_t cred, | |
4846 | struct vnode *vp, | |
4847 | struct label *label | |
4848 | ); | |
4849 | /** | |
4850 | @brief Access control check for rename | |
4851 | @param cred Subject credential | |
4852 | @param dvp Directory vnode | |
4853 | @param dlabel Policy label associated with dvp | |
4854 | @param vp vnode to be renamed | |
4855 | @param label Policy label associated with vp | |
4856 | @param cnp Component name for vp | |
4857 | @param tdvp Destination directory vnode | |
4858 | @param tdlabel Policy label associated with tdvp | |
4859 | @param tvp Overwritten vnode | |
4860 | @param tlabel Policy label associated with tvp | |
4861 | @param tcnp Destination component name | |
4862 | ||
4863 | Determine whether the subject identified by the credential should be allowed | |
4864 | to rename the vnode vp to something else. | |
4865 | ||
4866 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4867 | errno should be returned. | |
4868 | */ | |
4869 | typedef int mpo_vnode_check_rename_t( | |
4870 | kauth_cred_t cred, | |
4871 | struct vnode *dvp, | |
4872 | struct label *dlabel, | |
4873 | struct vnode *vp, | |
4874 | struct label *label, | |
4875 | struct componentname *cnp, | |
4876 | struct vnode *tdvp, | |
4877 | struct label *tdlabel, | |
4878 | struct vnode *tvp, | |
4879 | struct label *tlabel, | |
4880 | struct componentname *tcnp | |
4881 | ); | |
4882 | /** | |
4883 | @brief Access control check for rename from | |
4884 | @param cred Subject credential | |
4885 | @param dvp Directory vnode | |
4886 | @param dlabel Policy label associated with dvp | |
4887 | @param vp vnode to be renamed | |
4888 | @param label Policy label associated with vp | |
4889 | @param cnp Component name for vp | |
4890 | @see mpo_vnode_check_rename_t | |
4891 | @see mpo_vnode_check_rename_to_t | |
4892 | ||
4893 | Determine whether the subject identified by the credential should be | |
4894 | allowed to rename the vnode vp to something else. | |
4895 | ||
4896 | Due to VFS locking constraints (to make sure proper vnode locks are | |
4897 | held during this entry point), the vnode relabel checks had to be | |
4898 | split into two parts: relabel_from and relabel to. | |
4899 | ||
4900 | This hook is deprecated, mpo_vnode_check_rename_t should be used instead. | |
4901 | ||
4902 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4903 | errno should be returned. | |
4904 | */ | |
4905 | typedef int mpo_vnode_check_rename_from_t( | |
4906 | kauth_cred_t cred, | |
4907 | struct vnode *dvp, | |
4908 | struct label *dlabel, | |
4909 | struct vnode *vp, | |
4910 | struct label *label, | |
4911 | struct componentname *cnp | |
4912 | ); | |
4913 | /** | |
4914 | @brief Access control check for rename to | |
4915 | @param cred Subject credential | |
4916 | @param dvp Directory vnode | |
4917 | @param dlabel Policy label associated with dvp | |
4918 | @param vp Overwritten vnode | |
4919 | @param label Policy label associated with vp | |
4920 | @param samedir Boolean; 1 if the source and destination directories are the same | |
4921 | @param cnp Destination component name | |
4922 | @see mpo_vnode_check_rename_t | |
4923 | @see mpo_vnode_check_rename_from_t | |
4924 | ||
4925 | Determine whether the subject identified by the credential should be | |
4926 | allowed to rename to the vnode vp, into the directory dvp, or to the | |
4927 | name represented by cnp. If there is no existing file to overwrite, | |
4928 | vp and label will be NULL. | |
4929 | ||
4930 | Due to VFS locking constraints (to make sure proper vnode locks are | |
4931 | held during this entry point), the vnode relabel checks had to be | |
4932 | split into two parts: relabel_from and relabel to. | |
4933 | ||
4934 | This hook is deprecated, mpo_vnode_check_rename_t should be used instead. | |
4935 | ||
4936 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4937 | errno should be returned. | |
4938 | */ | |
4939 | typedef int mpo_vnode_check_rename_to_t( | |
4940 | kauth_cred_t cred, | |
4941 | struct vnode *dvp, | |
4942 | struct label *dlabel, | |
4943 | struct vnode *vp, /* NULLOK */ | |
4944 | struct label *label, /* NULLOK */ | |
4945 | int samedir, | |
4946 | struct componentname *cnp | |
4947 | ); | |
4948 | /** | |
4949 | @brief Access control check for revoke | |
4950 | @param cred Subject credential | |
4951 | @param vp Object vnode | |
4952 | @param label Policy label for vp | |
4953 | ||
4954 | Determine whether the subject identified by the credential can revoke | |
4955 | access to the passed vnode. | |
4956 | ||
4957 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4958 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4959 | EPERM for lack of privilege. | |
4960 | */ | |
4961 | typedef int mpo_vnode_check_revoke_t( | |
4962 | kauth_cred_t cred, | |
4963 | struct vnode *vp, | |
4964 | struct label *label | |
4965 | ); | |
4966 | /** | |
4967 | @brief Access control check for searchfs | |
4968 | @param cred Subject credential | |
4969 | @param vp Object vnode | |
4970 | @param vlabel Policy label for vp | |
4971 | @param alist List of attributes used as search criteria | |
4972 | ||
4973 | Determine whether the subject identified by the credential can search the | |
4974 | vnode using the searchfs system call. | |
4975 | ||
4976 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4977 | errno should be returned. | |
4978 | */ | |
4979 | typedef int mpo_vnode_check_searchfs_t( | |
4980 | kauth_cred_t cred, | |
4981 | struct vnode *vp, | |
4982 | struct label *vlabel, | |
4983 | struct attrlist *alist | |
4984 | ); | |
4985 | /** | |
4986 | @brief Access control check for select | |
4987 | @param cred Subject credential | |
4988 | @param vp Object vnode | |
4989 | @param label Policy label for vp | |
4990 | @param which The operation selected on: FREAD or FWRITE | |
4991 | ||
4992 | Determine whether the subject identified by the credential can select | |
4993 | the vnode. | |
4994 | ||
4995 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4996 | errno should be returned. | |
4997 | */ | |
4998 | typedef int mpo_vnode_check_select_t( | |
4999 | kauth_cred_t cred, | |
5000 | struct vnode *vp, | |
5001 | struct label *label, | |
5002 | int which | |
5003 | ); | |
5004 | /** | |
5005 | @brief Access control check for setting file attributes | |
5006 | @param cred Subject credential | |
5007 | @param vp Object vnode | |
5008 | @param vlabel Policy label for vp | |
5009 | @param alist List of attributes to set | |
5010 | ||
5011 | Determine whether the subject identified by the credential can set | |
5012 | various attributes of the specified vnode, or the filesystem or volume on | |
5013 | which that vnode resides. See <sys/attr.h> for definitions of the | |
5014 | attributes. | |
5015 | ||
5016 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5017 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5018 | EPERM for lack of privilege. Access control covers all attributes requested | |
5019 | with this call. | |
5020 | */ | |
5021 | typedef int mpo_vnode_check_setattrlist_t( | |
5022 | kauth_cred_t cred, | |
5023 | struct vnode *vp, | |
5024 | struct label *vlabel, | |
5025 | struct attrlist *alist | |
5026 | ); | |
5027 | /** | |
5028 | @brief Access control check for setting extended attribute | |
5029 | @param cred Subject credential | |
5030 | @param vp Object vnode | |
5031 | @param label Policy label for vp | |
5032 | @param name Extended attribute name | |
5033 | @param uio I/O structure pointer | |
5034 | ||
5035 | Determine whether the subject identified by the credential can set the | |
5036 | extended attribute of passed name and passed namespace on the passed | |
5037 | vnode. Policies implementing security labels backed into extended | |
5038 | attributes may want to provide additional protections for those | |
5039 | attributes. Additionally, policies should avoid making decisions based | |
5040 | on the data referenced from uio, as there is a potential race condition | |
5041 | between this check and the actual operation. The uio may also be NULL | |
5042 | if a delete operation is being performed. | |
5043 | ||
5044 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5045 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5046 | EPERM for lack of privilege. | |
5047 | */ | |
5048 | typedef int mpo_vnode_check_setextattr_t( | |
5049 | kauth_cred_t cred, | |
5050 | struct vnode *vp, | |
5051 | struct label *label, | |
5052 | const char *name, | |
5053 | struct uio *uio | |
5054 | ); | |
5055 | /** | |
5056 | @brief Access control check for setting flags | |
5057 | @param cred Subject credential | |
5058 | @param vp Object vnode | |
5059 | @param label Policy label for vp | |
5060 | @param flags File flags; see chflags(2) | |
5061 | ||
5062 | Determine whether the subject identified by the credential can set | |
5063 | the passed flags on the passed vnode. | |
5064 | ||
5065 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5066 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5067 | EPERM for lack of privilege. | |
5068 | */ | |
5069 | typedef int mpo_vnode_check_setflags_t( | |
5070 | kauth_cred_t cred, | |
5071 | struct vnode *vp, | |
5072 | struct label *label, | |
5073 | u_long flags | |
5074 | ); | |
5075 | /** | |
5076 | @brief Access control check for setting mode | |
5077 | @param cred Subject credential | |
5078 | @param vp Object vnode | |
5079 | @param label Policy label for vp | |
5080 | @param mode File mode; see chmod(2) | |
5081 | ||
5082 | Determine whether the subject identified by the credential can set | |
5083 | the passed mode on the passed vnode. | |
5084 | ||
5085 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5086 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5087 | EPERM for lack of privilege. | |
5088 | */ | |
5089 | typedef int mpo_vnode_check_setmode_t( | |
5090 | kauth_cred_t cred, | |
5091 | struct vnode *vp, | |
5092 | struct label *label, | |
5093 | mode_t mode | |
5094 | ); | |
5095 | /** | |
5096 | @brief Access control check for setting uid and gid | |
5097 | @param cred Subject credential | |
5098 | @param vp Object vnode | |
5099 | @param label Policy label for vp | |
5100 | @param uid User ID | |
5101 | @param gid Group ID | |
5102 | ||
5103 | Determine whether the subject identified by the credential can set | |
5104 | the passed uid and passed gid as file uid and file gid on the passed | |
5105 | vnode. The IDs may be set to (-1) to request no update. | |
5106 | ||
5107 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5108 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5109 | EPERM for lack of privilege. | |
5110 | */ | |
5111 | typedef int mpo_vnode_check_setowner_t( | |
5112 | kauth_cred_t cred, | |
5113 | struct vnode *vp, | |
5114 | struct label *label, | |
5115 | uid_t uid, | |
5116 | gid_t gid | |
5117 | ); | |
5118 | /** | |
5119 | @brief Access control check for setting timestamps | |
5120 | @param cred Subject credential | |
5121 | @param vp Object vnode | |
5122 | @param label Policy label for vp | |
5123 | @param atime Access time; see utimes(2) | |
5124 | @param mtime Modification time; see utimes(2) | |
5125 | ||
5126 | Determine whether the subject identified by the credential can set | |
5127 | the passed access timestamps on the passed vnode. | |
5128 | ||
5129 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5130 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5131 | EPERM for lack of privilege. | |
5132 | */ | |
5133 | typedef int mpo_vnode_check_setutimes_t( | |
5134 | kauth_cred_t cred, | |
5135 | struct vnode *vp, | |
5136 | struct label *label, | |
5137 | struct timespec atime, | |
5138 | struct timespec mtime | |
5139 | ); | |
5140 | /** | |
5141 | @brief Access control check for stat | |
5142 | @param active_cred Subject credential | |
5143 | @param file_cred Credential associated with the struct fileproc | |
5144 | @param vp Object vnode | |
5145 | @param label Policy label for vp | |
5146 | ||
5147 | Determine whether the subject identified by the credential can stat | |
5148 | the passed vnode. See stat(2) for more information. The active_cred | |
5149 | hold the credentials of the subject performing the operation, and | |
5150 | file_cred holds the credentials of the subject that originally | |
5151 | opened the file. | |
5152 | ||
5153 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5154 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5155 | EPERM for lack of privilege. | |
5156 | */ | |
5157 | typedef int mpo_vnode_check_stat_t( | |
5158 | struct ucred *active_cred, | |
5159 | struct ucred *file_cred, /* NULLOK */ | |
5160 | struct vnode *vp, | |
5161 | struct label *label | |
5162 | ); | |
5163 | /** | |
5164 | @brief Access control check for truncate/ftruncate | |
5165 | @param active_cred Subject credential | |
5166 | @param file_cred Credential associated with the struct fileproc | |
5167 | @param vp Object vnode | |
5168 | @param label Policy label for vp | |
5169 | ||
5170 | Determine whether the subject identified by the credential can | |
5171 | perform a truncate operation on the passed vnode. The active_cred hold | |
5172 | the credentials of the subject performing the operation, and | |
5173 | file_cred holds the credentials of the subject that originally | |
5174 | opened the file. | |
5175 | ||
5176 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5177 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5178 | EPERM for lack of privilege. | |
5179 | */ | |
5180 | typedef int mpo_vnode_check_truncate_t( | |
5181 | kauth_cred_t active_cred, | |
5182 | kauth_cred_t file_cred, /* NULLOK */ | |
5183 | struct vnode *vp, | |
5184 | struct label *label | |
5185 | ); | |
5186 | /** | |
5187 | @brief Access control check for binding UNIX domain socket | |
5188 | @param cred Subject credential | |
5189 | @param dvp Directory vnode | |
5190 | @param dlabel Policy label for dvp | |
5191 | @param cnp Component name for dvp | |
5192 | @param vap vnode attributes for vap | |
5193 | ||
5194 | Determine whether the subject identified by the credential can perform a | |
5195 | bind operation on a UNIX domain socket with the passed parent directory, | |
5196 | passed name information, and passed attribute information. | |
5197 | ||
5198 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5199 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5200 | EPERM for lack of privilege. | |
5201 | */ | |
5202 | typedef int mpo_vnode_check_uipc_bind_t( | |
5203 | kauth_cred_t cred, | |
5204 | struct vnode *dvp, | |
5205 | struct label *dlabel, | |
5206 | struct componentname *cnp, | |
5207 | struct vnode_attr *vap | |
5208 | ); | |
5209 | /** | |
5210 | @brief Access control check for connecting UNIX domain socket | |
5211 | @param cred Subject credential | |
5212 | @param vp Object vnode | |
5213 | @param label Policy label associated with vp | |
5214 | ||
5215 | Determine whether the subject identified by the credential can perform a | |
5216 | connect operation on the passed UNIX domain socket vnode. | |
5217 | ||
5218 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5219 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5220 | EPERM for lack of privilege. | |
5221 | */ | |
5222 | typedef int mpo_vnode_check_uipc_connect_t( | |
5223 | kauth_cred_t cred, | |
5224 | struct vnode *vp, | |
5225 | struct label *label | |
5226 | ); | |
5227 | /** | |
5228 | @brief Access control check for deleting vnode | |
5229 | @param cred Subject credential | |
5230 | @param dvp Parent directory vnode | |
5231 | @param dlabel Policy label for dvp | |
5232 | @param vp Object vnode to delete | |
5233 | @param label Policy label for vp | |
5234 | @param cnp Component name for vp | |
5235 | @see mpo_check_rename_to_t | |
5236 | ||
5237 | Determine whether the subject identified by the credential can delete | |
5238 | a vnode from the passed parent directory and passed name information. | |
5239 | This call may be made in a number of situations, including as a | |
5240 | results of calls to unlink(2) and rmdir(2). Policies implementing | |
5241 | this entry point should also implement mpo_check_rename_to to | |
5242 | authorize deletion of objects as a result of being the target of a rename. | |
5243 | ||
5244 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5245 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5246 | EPERM for lack of privilege. | |
5247 | */ | |
5248 | typedef int mpo_vnode_check_unlink_t( | |
5249 | kauth_cred_t cred, | |
5250 | struct vnode *dvp, | |
5251 | struct label *dlabel, | |
5252 | struct vnode *vp, | |
5253 | struct label *label, | |
5254 | struct componentname *cnp | |
5255 | ); | |
5256 | /** | |
5257 | @brief Access control check for write | |
5258 | @param active_cred Subject credential | |
5259 | @param file_cred Credential associated with the struct fileproc | |
5260 | @param vp Object vnode | |
5261 | @param label Policy label for vp | |
5262 | ||
5263 | Determine whether the subject identified by the credential can | |
5264 | perform a write operation on the passed vnode. The active_cred hold | |
5265 | the credentials of the subject performing the operation, and | |
5266 | file_cred holds the credentials of the subject that originally | |
5267 | opened the file. | |
5268 | ||
5269 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5270 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5271 | EPERM for lack of privilege. | |
5272 | */ | |
5273 | typedef int mpo_vnode_check_write_t( | |
5274 | kauth_cred_t active_cred, | |
5275 | kauth_cred_t file_cred, /* NULLOK */ | |
5276 | struct vnode *vp, | |
5277 | struct label *label | |
5278 | ); | |
5279 | /** | |
5280 | @brief Associate a vnode with a devfs entry | |
5281 | @param mp Devfs mount point | |
5282 | @param mntlabel Devfs mount point label | |
5283 | @param de Devfs directory entry | |
5284 | @param delabel Label associated with de | |
5285 | @param vp vnode associated with de | |
5286 | @param vlabel Label associated with vp | |
5287 | ||
5288 | Fill in the label (vlabel) for a newly created devfs vnode. The | |
5289 | label is typically derived from the label on the devfs directory | |
5290 | entry or the label on the filesystem, supplied as parameters. | |
5291 | */ | |
5292 | typedef void mpo_vnode_label_associate_devfs_t( | |
5293 | struct mount *mp, | |
5294 | struct label *mntlabel, | |
5295 | struct devnode *de, | |
5296 | struct label *delabel, | |
5297 | struct vnode *vp, | |
5298 | struct label *vlabel | |
5299 | ); | |
5300 | /** | |
5301 | @brief Associate a label with a vnode | |
5302 | @param mp File system mount point | |
5303 | @param mntlabel File system mount point label | |
5304 | @param vp Vnode to label | |
5305 | @param vlabel Label associated with vp | |
5306 | ||
5307 | Attempt to retrieve label information for the vnode, vp, from the | |
5308 | file system extended attribute store. The label should be stored in | |
5309 | the supplied vlabel parameter. If a policy cannot retrieve an | |
5310 | extended attribute, sometimes it is acceptible to fallback to using | |
5311 | the mntlabel. | |
5312 | ||
5313 | If the policy requires vnodes to have a valid label elsewhere it | |
5314 | MUST NOT return other than temporary errors, and must always provide | |
5315 | a valid label of some sort. Returning an error will cause vnode | |
5316 | labeling to be retried at a later access. Failure to handle policy | |
5317 | centric errors internally (corrupt labels etc.) will result in | |
5318 | inaccessible files. | |
5319 | ||
5320 | @return In the event of an error, an appropriate value for errno | |
5321 | should be returned, otherwise return 0 upon success. | |
5322 | */ | |
5323 | typedef int mpo_vnode_label_associate_extattr_t( | |
5324 | struct mount *mp, | |
5325 | struct label *mntlabel, | |
5326 | struct vnode *vp, | |
5327 | struct label *vlabel | |
5328 | ); | |
5329 | /** | |
5330 | @brief Associate a file label with a vnode | |
5331 | @param cred User credential | |
5332 | @param mp Fdesc mount point | |
5333 | @param mntlabel Fdesc mount point label | |
5334 | @param fg Fileglob structure | |
5335 | @param label Policy label for fg | |
5336 | @param vp Vnode to label | |
5337 | @param vlabel Label associated with vp | |
5338 | ||
5339 | Associate label information for the vnode, vp, with the label of | |
5340 | the open file descriptor described by fg. | |
5341 | The label should be stored in the supplied vlabel parameter. | |
5342 | */ | |
5343 | typedef void mpo_vnode_label_associate_file_t( | |
5344 | struct ucred *cred, | |
5345 | struct mount *mp, | |
5346 | struct label *mntlabel, | |
5347 | struct fileglob *fg, | |
5348 | struct label *label, | |
5349 | struct vnode *vp, | |
5350 | struct label *vlabel | |
5351 | ); | |
5352 | /** | |
5353 | @brief Associate a pipe label with a vnode | |
5354 | @param cred User credential for the process that opened the pipe | |
5355 | @param cpipe Pipe structure | |
5356 | @param pipelabel Label associated with pipe | |
5357 | @param vp Vnode to label | |
5358 | @param vlabel Label associated with vp | |
5359 | ||
5360 | Associate label information for the vnode, vp, with the label of | |
5361 | the pipe described by the pipe structure cpipe. | |
5362 | The label should be stored in the supplied vlabel parameter. | |
5363 | */ | |
5364 | typedef void mpo_vnode_label_associate_pipe_t( | |
5365 | struct ucred *cred, | |
5366 | struct pipe *cpipe, | |
5367 | struct label *pipelabel, | |
5368 | struct vnode *vp, | |
5369 | struct label *vlabel | |
5370 | ); | |
5371 | /** | |
5372 | @brief Associate a POSIX semaphore label with a vnode | |
5373 | @param cred User credential for the process that create psem | |
5374 | @param psem POSIX semaphore structure | |
5375 | @param psemlabel Label associated with psem | |
5376 | @param vp Vnode to label | |
5377 | @param vlabel Label associated with vp | |
5378 | ||
5379 | Associate label information for the vnode, vp, with the label of | |
5380 | the POSIX semaphore described by psem. | |
5381 | The label should be stored in the supplied vlabel parameter. | |
5382 | */ | |
5383 | typedef void mpo_vnode_label_associate_posixsem_t( | |
5384 | struct ucred *cred, | |
5385 | struct pseminfo *psem, | |
5386 | struct label *psemlabel, | |
5387 | struct vnode *vp, | |
5388 | struct label *vlabel | |
5389 | ); | |
5390 | /** | |
5391 | @brief Associate a POSIX shared memory label with a vnode | |
5392 | @param cred User credential for the process that created pshm | |
5393 | @param pshm POSIX shared memory structure | |
5394 | @param pshmlabel Label associated with pshm | |
5395 | @param vp Vnode to label | |
5396 | @param vlabel Label associated with vp | |
5397 | ||
5398 | Associate label information for the vnode, vp, with the label of | |
5399 | the POSIX shared memory region described by pshm. | |
5400 | The label should be stored in the supplied vlabel parameter. | |
5401 | */ | |
5402 | typedef void mpo_vnode_label_associate_posixshm_t( | |
5403 | struct ucred *cred, | |
5404 | struct pshminfo *pshm, | |
5405 | struct label *pshmlabel, | |
5406 | struct vnode *vp, | |
5407 | struct label *vlabel | |
5408 | ); | |
5409 | /** | |
5410 | @brief Associate a label with a vnode | |
5411 | @param mp File system mount point | |
5412 | @param mntlabel File system mount point label | |
5413 | @param vp Vnode to label | |
5414 | @param vlabel Label associated with vp | |
5415 | ||
5416 | On non-multilabel file systems, set the label for a vnode. The | |
5417 | label will most likely be based on the file system label. | |
5418 | */ | |
5419 | typedef void mpo_vnode_label_associate_singlelabel_t( | |
5420 | struct mount *mp, | |
5421 | struct label *mntlabel, | |
5422 | struct vnode *vp, | |
5423 | struct label *vlabel | |
5424 | ); | |
5425 | /** | |
5426 | @brief Associate a socket label with a vnode | |
5427 | @param cred User credential for the process that opened the socket | |
5428 | @param so Socket structure | |
5429 | @param solabel Label associated with so | |
5430 | @param vp Vnode to label | |
5431 | @param vlabel Label associated with vp | |
5432 | ||
5433 | Associate label information for the vnode, vp, with the label of | |
5434 | the open socket described by the socket structure so. | |
5435 | The label should be stored in the supplied vlabel parameter. | |
5436 | */ | |
5437 | typedef void mpo_vnode_label_associate_socket_t( | |
5438 | kauth_cred_t cred, | |
5439 | socket_t so, | |
5440 | struct label *solabel, | |
5441 | struct vnode *vp, | |
5442 | struct label *vlabel | |
5443 | ); | |
5444 | /** | |
5445 | @brief Copy a vnode label | |
5446 | @param src Source vnode label | |
5447 | @param dest Destination vnode label | |
5448 | ||
5449 | Copy the vnode label information from src to dest. On Darwin, this | |
5450 | is currently only necessary when executing interpreted scripts, but | |
5451 | will later be used if vnode label externalization cannot be an | |
5452 | atomic operation. | |
5453 | */ | |
5454 | typedef void mpo_vnode_label_copy_t( | |
5455 | struct label *src, | |
5456 | struct label *dest | |
5457 | ); | |
5458 | /** | |
5459 | @brief Destroy vnode label | |
5460 | @param label The label to be destroyed | |
5461 | ||
5462 | Destroy a vnode label. Since the object is going out of scope, | |
5463 | policy modules should free any internal storage associated with the | |
5464 | label so that it may be destroyed. | |
5465 | */ | |
5466 | typedef void mpo_vnode_label_destroy_t( | |
5467 | struct label *label | |
5468 | ); | |
5469 | /** | |
5470 | @brief Externalize a vnode label for auditing | |
5471 | @param label Label to be externalized | |
5472 | @param element_name Name of the label namespace for which labels should be | |
5473 | externalized | |
5474 | @param sb String buffer to be filled with a text representation of the label | |
5475 | ||
5476 | Produce an external representation of the label on a vnode suitable for | |
5477 | inclusion in an audit record. An externalized label consists of a text | |
5478 | representation of the label contents that will be added to the audit record | |
5479 | as part of a text token. Policy-agnostic user space tools will display | |
5480 | this externalized version. | |
5481 | ||
5482 | @return 0 on success, return non-zero if an error occurs while | |
5483 | externalizing the label data. | |
5484 | ||
5485 | */ | |
5486 | typedef int mpo_vnode_label_externalize_audit_t( | |
5487 | struct label *label, | |
5488 | char *element_name, | |
5489 | struct sbuf *sb | |
5490 | ); | |
5491 | /** | |
5492 | @brief Externalize a vnode label | |
5493 | @param label Label to be externalized | |
5494 | @param element_name Name of the label namespace for which labels should be | |
5495 | externalized | |
5496 | @param sb String buffer to be filled with a text representation of the label | |
5497 | ||
5498 | Produce an external representation of the label on a vnode. An | |
5499 | externalized label consists of a text representation of the label | |
5500 | contents that can be used with user applications. Policy-agnostic | |
5501 | user space tools will display this externalized version. | |
5502 | ||
5503 | @return 0 on success, return non-zero if an error occurs while | |
5504 | externalizing the label data. | |
5505 | ||
5506 | */ | |
5507 | typedef int mpo_vnode_label_externalize_t( | |
5508 | struct label *label, | |
5509 | char *element_name, | |
5510 | struct sbuf *sb | |
5511 | ); | |
5512 | /** | |
5513 | @brief Initialize vnode label | |
5514 | @param label New label to initialize | |
5515 | ||
5516 | Initialize label storage for use with a newly instantiated vnode, or | |
5517 | for temporary storage associated with the copying in or out of a | |
5518 | vnode label. While it is necessary to allocate space for a | |
5519 | kernel-resident vnode label, it is not yet necessary to link this vnode | |
5520 | with persistent label storage facilities, such as extended attributes. | |
5521 | Sleeping is permitted. | |
5522 | */ | |
5523 | typedef void mpo_vnode_label_init_t( | |
5524 | struct label *label | |
5525 | ); | |
5526 | /** | |
5527 | @brief Internalize a vnode label | |
5528 | @param label Label to be internalized | |
5529 | @param element_name Name of the label namespace for which the label should | |
5530 | be internalized | |
5531 | @param element_data Text data to be internalized | |
5532 | ||
5533 | Produce a vnode label from an external representation. An | |
5534 | externalized label consists of a text representation of the label | |
5535 | contents that can be used with user applications. Policy-agnostic | |
5536 | user space tools will forward text version to the kernel for | |
5537 | processing by individual policy modules. | |
5538 | ||
5539 | The policy's internalize entry points will be called only if the | |
5540 | policy has registered interest in the label namespace. | |
5541 | ||
5542 | @return 0 on success, Otherwise, return non-zero if an error occurs | |
5543 | while internalizing the label data. | |
5544 | */ | |
5545 | typedef int mpo_vnode_label_internalize_t( | |
5546 | struct label *label, | |
5547 | char *element_name, | |
5548 | char *element_data | |
5549 | ); | |
5550 | /** | |
5551 | @brief Clean up a vnode label | |
5552 | @param label The label to be cleaned for re-use | |
5553 | ||
5554 | Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but | |
5555 | typically never frees them. Before vnodes are placed back on free lists for | |
5556 | re-use, policies can cleanup or overwrite any information present in the label. | |
5557 | */ | |
5558 | typedef void mpo_vnode_label_recycle_t( | |
5559 | struct label *label | |
5560 | ); | |
5561 | /** | |
5562 | @brief Write a label to a extended attribute | |
5563 | @param cred Subject credential | |
5564 | @param vp The vnode for which the label is being stored | |
5565 | @param vlabel Label associated with vp | |
5566 | @param intlabel The new label to store | |
5567 | ||
5568 | Store a new label in the extended attribute corresponding to the | |
5569 | supplied vnode. The policy has already authorized the operation; | |
5570 | this call must be implemented in order to perform the actual | |
5571 | operation. | |
5572 | ||
5573 | @return In the event of an error, an appropriate value for errno | |
5574 | should be returned, otherwise return 0 upon success. | |
5575 | ||
5576 | @warning XXX After examining the extended attribute implementation on | |
5577 | Apple's future release, this entry point may be changed. | |
5578 | */ | |
5579 | typedef int mpo_vnode_label_store_t( | |
5580 | kauth_cred_t cred, | |
5581 | struct vnode *vp, | |
5582 | struct label *vlabel, | |
5583 | struct label *intlabel | |
5584 | ); | |
5585 | /** | |
5586 | @brief Update vnode label from extended attributes | |
5587 | @param mp File system mount point | |
5588 | @param mntlabel Mount point label | |
5589 | @param vp Vnode to label | |
5590 | @param vlabel Label associated with vp | |
5591 | @param name Name of the xattr | |
5592 | @see mpo_vnode_check_setextattr_t | |
5593 | ||
5594 | When an extended attribute is updated via the Vendor attribute management | |
5595 | functions, the MAC vnode label might also require an update. | |
5596 | Policies should first determine if 'name' matches their xattr label | |
5597 | name. If it does, the kernel is has either replaced or removed the | |
5598 | named extended attribute that was previously associated with the | |
5599 | vnode. Normally labels should only be modified via MAC Framework label | |
5600 | management calls, but sometimes the user space components will directly | |
5601 | modify extended attributes. For example, 'cp', 'tar', etc. manage | |
5602 | extended attributes in userspace, not the kernel. | |
5603 | ||
5604 | This entry point is called after the label update has occurred, so | |
5605 | it cannot return a failure. However, the operation is preceded by | |
5606 | the mpo_vnode_check_setextattr() access control check. | |
5607 | ||
5608 | If the vnode label needs to be updated the policy should return | |
5609 | a non-zero value. The vnode label will be marked for re-association | |
5610 | by the framework. | |
5611 | */ | |
5612 | typedef int mpo_vnode_label_update_extattr_t( | |
5613 | struct mount *mp, | |
5614 | struct label *mntlabel, | |
5615 | struct vnode *vp, | |
5616 | struct label *vlabel, | |
5617 | const char *name | |
5618 | ); | |
5619 | /** | |
5620 | @brief Update a vnode label | |
5621 | @param cred Subject credential | |
5622 | @param vp The vnode to relabel | |
5623 | @param vnodelabel Existing vnode label | |
5624 | @param label New label to replace existing label | |
5625 | @see mpo_vnode_check_label_update_t | |
5626 | ||
5627 | The subject identified by the credential has previously requested | |
5628 | and was authorized to relabel the vnode; this entry point allows | |
5629 | policies to perform the actual relabel operation. Policies should | |
5630 | update vnodelabel using the label stored in the label parameter. | |
5631 | */ | |
5632 | typedef void mpo_vnode_label_update_t( | |
5633 | kauth_cred_t cred, | |
5634 | struct vnode *vp, | |
5635 | struct label *vnodelabel, | |
5636 | struct label *label | |
5637 | ); | |
5638 | /** | |
5639 | @brief Find deatched signatures for a shared library | |
5640 | @param p file trying to find the signature | |
5641 | @param vp The vnode to relabel | |
5642 | @param offset offset in the macho that the signature is requested for (for fat binaries) | |
5643 | @param label Existing vnode label | |
5644 | ||
5645 | */ | |
5646 | typedef int mpo_vnode_find_sigs_t( | |
5647 | struct proc *p, | |
5648 | struct vnode *vp, | |
5649 | off_t offset, | |
5650 | struct label *label | |
5651 | ); | |
5652 | /** | |
5653 | @brief Create a new vnode, backed by extended attributes | |
5654 | @param cred User credential for the creating process | |
5655 | @param mp File system mount point | |
5656 | @param mntlabel File system mount point label | |
5657 | @param dvp Parent directory vnode | |
5658 | @param dlabel Parent directory vnode label | |
5659 | @param vp Newly created vnode | |
5660 | @param vlabel Label to associate with the new vnode | |
5661 | @param cnp Component name for vp | |
5662 | ||
5663 | Write out the label for the newly created vnode, most likely storing | |
5664 | the results in a file system extended attribute. Most policies will | |
5665 | derive the new vnode label using information from a combination | |
5666 | of the subject (user) credential, the file system label, the parent | |
5667 | directory label, and potentially the path name component. | |
5668 | ||
5669 | @return If the operation succeeds, store the new label in vlabel and | |
5670 | return 0. Otherwise, return an appropriate errno value. | |
5671 | */ | |
5672 | typedef int mpo_vnode_notify_create_t( | |
5673 | kauth_cred_t cred, | |
5674 | struct mount *mp, | |
5675 | struct label *mntlabel, | |
5676 | struct vnode *dvp, | |
5677 | struct label *dlabel, | |
5678 | struct vnode *vp, | |
5679 | struct label *vlabel, | |
5680 | struct componentname *cnp | |
5681 | ); | |
5682 | ||
5683 | /** | |
5684 | @brief Inform MAC policies that a vnode has been opened | |
5685 | @param cred User credential for the creating process | |
5686 | @param vp vnode opened | |
5687 | @param label Policy label for the vp | |
5688 | @param acc_mode open(2) access mode used | |
5689 | ||
5690 | Inform Mac policies that a vnode have been successfully opened | |
5691 | (passing all MAC polices and DAC). | |
5692 | */ | |
5693 | typedef void mpo_vnode_notify_open_t( | |
5694 | kauth_cred_t cred, | |
5695 | struct vnode *vp, | |
5696 | struct label *label, | |
5697 | int acc_mode | |
5698 | ); | |
5699 | ||
5700 | /** | |
5701 | @brief Inform MAC policies that a vnode has been renamed | |
5702 | @param cred User credential for the renaming process | |
5703 | @param vp Vnode that's being renamed | |
5704 | @param label Policy label for vp | |
5705 | @param dvp Parent directory for the destination | |
5706 | @param dlabel Policy label for dvp | |
5707 | @param cnp Component name for the destination | |
5708 | ||
5709 | Inform MAC policies that a vnode has been renamed. | |
5710 | */ | |
5711 | typedef void mpo_vnode_notify_rename_t( | |
5712 | kauth_cred_t cred, | |
5713 | struct vnode *vp, | |
5714 | struct label *label, | |
5715 | struct vnode *dvp, | |
5716 | struct label *dlabel, | |
5717 | struct componentname *cnp | |
5718 | ); | |
5719 | ||
5720 | /** | |
5721 | @brief Inform MAC policies that a vnode has been linked | |
5722 | @param cred User credential for the renaming process | |
5723 | @param dvp Parent directory for the destination | |
5724 | @param dlabel Policy label for dvp | |
5725 | @param vp Vnode that's being linked | |
5726 | @param vlabel Policy label for vp | |
5727 | @param cnp Component name for the destination | |
5728 | ||
5729 | Inform MAC policies that a vnode has been linked. | |
5730 | */ | |
5731 | typedef void mpo_vnode_notify_link_t( | |
5732 | kauth_cred_t cred, | |
5733 | struct vnode *dvp, | |
5734 | struct label *dlabel, | |
5735 | struct vnode *vp, | |
5736 | struct label *vlabel, | |
5737 | struct componentname *cnp | |
5738 | ); | |
5739 | ||
5740 | /** | |
5741 | @brief Inform MAC policies that a pty slave has been granted | |
5742 | @param p Responsible process | |
5743 | @param tp tty data structure | |
5744 | @param dev Major and minor numbers of device | |
5745 | @param label Policy label for tp | |
5746 | ||
5747 | Inform MAC policies that a pty slave has been granted. | |
5748 | */ | |
5749 | typedef void mpo_pty_notify_grant_t( | |
5750 | proc_t p, | |
5751 | struct tty *tp, | |
5752 | dev_t dev, | |
5753 | struct label *label | |
5754 | ); | |
5755 | ||
5756 | /** | |
5757 | @brief Inform MAC policies that a pty master has been closed | |
5758 | @param p Responsible process | |
5759 | @param tp tty data structure | |
5760 | @param dev Major and minor numbers of device | |
5761 | @param label Policy label for tp | |
5762 | ||
5763 | Inform MAC policies that a pty master has been closed. | |
5764 | */ | |
5765 | typedef void mpo_pty_notify_close_t( | |
5766 | proc_t p, | |
5767 | struct tty *tp, | |
5768 | dev_t dev, | |
5769 | struct label *label | |
5770 | ); | |
5771 | ||
5772 | /** | |
5773 | @brief Access control check for kext loading | |
5774 | @param cred Subject credential | |
5775 | @param identifier Kext identifier | |
5776 | ||
5777 | Determine whether the subject identified by the credential can load the | |
5778 | specified kext. | |
5779 | ||
5780 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5781 | errno should be returned. Suggested failure: EPERM for lack of privilege. | |
5782 | */ | |
5783 | typedef int mpo_kext_check_load_t( | |
5784 | kauth_cred_t cred, | |
5785 | const char *identifier | |
5786 | ); | |
5787 | ||
5788 | /** | |
5789 | @brief Access control check for kext unloading | |
5790 | @param cred Subject credential | |
5791 | @param identifier Kext identifier | |
5792 | ||
5793 | Determine whether the subject identified by the credential can unload the | |
5794 | specified kext. | |
5795 | ||
5796 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5797 | errno should be returned. Suggested failure: EPERM for lack of privilege. | |
5798 | */ | |
5799 | typedef int mpo_kext_check_unload_t( | |
5800 | kauth_cred_t cred, | |
5801 | const char *identifier | |
5802 | ); | |
5803 | ||
5804 | /* | |
5805 | * Placeholder for future events that may need mac hooks. | |
5806 | */ | |
5807 | typedef void mpo_reserved_hook_t(void); | |
5808 | ||
5809 | /* | |
5810 | * Policy module operations. | |
5811 | * | |
5812 | * Please note that this should be kept in sync with the check assumptions | |
5813 | * policy in bsd/kern/policy_check.c (policy_ops struct). | |
5814 | */ | |
5815 | #define MAC_POLICY_OPS_VERSION 31 /* inc when new reserved slots are taken */ | |
5816 | struct mac_policy_ops { | |
5817 | mpo_audit_check_postselect_t *mpo_audit_check_postselect; | |
5818 | mpo_audit_check_preselect_t *mpo_audit_check_preselect; | |
5819 | ||
5820 | mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate; | |
5821 | mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy; | |
5822 | mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init; | |
5823 | mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive; | |
5824 | ||
5825 | mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; | |
5826 | mpo_cred_check_label_update_t *mpo_cred_check_label_update; | |
5827 | mpo_cred_check_visible_t *mpo_cred_check_visible; | |
5828 | mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork; | |
5829 | mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel; | |
5830 | mpo_cred_label_associate_t *mpo_cred_label_associate; | |
5831 | mpo_cred_label_associate_user_t *mpo_cred_label_associate_user; | |
5832 | mpo_cred_label_destroy_t *mpo_cred_label_destroy; | |
5833 | mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit; | |
5834 | mpo_cred_label_externalize_t *mpo_cred_label_externalize; | |
5835 | mpo_cred_label_init_t *mpo_cred_label_init; | |
5836 | mpo_cred_label_internalize_t *mpo_cred_label_internalize; | |
5837 | mpo_cred_label_update_execve_t *mpo_cred_label_update_execve; | |
5838 | mpo_cred_label_update_t *mpo_cred_label_update; | |
5839 | ||
5840 | mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device; | |
5841 | mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory; | |
5842 | mpo_devfs_label_copy_t *mpo_devfs_label_copy; | |
5843 | mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; | |
5844 | mpo_devfs_label_init_t *mpo_devfs_label_init; | |
5845 | mpo_devfs_label_update_t *mpo_devfs_label_update; | |
5846 | ||
5847 | mpo_file_check_change_offset_t *mpo_file_check_change_offset; | |
5848 | mpo_file_check_create_t *mpo_file_check_create; | |
5849 | mpo_file_check_dup_t *mpo_file_check_dup; | |
5850 | mpo_file_check_fcntl_t *mpo_file_check_fcntl; | |
5851 | mpo_file_check_get_offset_t *mpo_file_check_get_offset; | |
5852 | mpo_file_check_get_t *mpo_file_check_get; | |
5853 | mpo_file_check_inherit_t *mpo_file_check_inherit; | |
5854 | mpo_file_check_ioctl_t *mpo_file_check_ioctl; | |
5855 | mpo_file_check_lock_t *mpo_file_check_lock; | |
5856 | mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade; | |
5857 | mpo_file_check_mmap_t *mpo_file_check_mmap; | |
5858 | mpo_file_check_receive_t *mpo_file_check_receive; | |
5859 | mpo_file_check_set_t *mpo_file_check_set; | |
5860 | mpo_file_label_init_t *mpo_file_label_init; | |
5861 | mpo_file_label_destroy_t *mpo_file_label_destroy; | |
5862 | mpo_file_label_associate_t *mpo_file_label_associate; | |
5863 | ||
5864 | mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update; | |
5865 | mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit; | |
5866 | mpo_ifnet_label_associate_t *mpo_ifnet_label_associate; | |
5867 | mpo_ifnet_label_copy_t *mpo_ifnet_label_copy; | |
5868 | mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy; | |
5869 | mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize; | |
5870 | mpo_ifnet_label_init_t *mpo_ifnet_label_init; | |
5871 | mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize; | |
5872 | mpo_ifnet_label_update_t *mpo_ifnet_label_update; | |
5873 | mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle; | |
5874 | ||
5875 | mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver; | |
5876 | mpo_inpcb_label_associate_t *mpo_inpcb_label_associate; | |
5877 | mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy; | |
5878 | mpo_inpcb_label_init_t *mpo_inpcb_label_init; | |
5879 | mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle; | |
5880 | mpo_inpcb_label_update_t *mpo_inpcb_label_update; | |
5881 | ||
5882 | mpo_iokit_check_device_t *mpo_iokit_check_device; | |
5883 | ||
5884 | mpo_ipq_label_associate_t *mpo_ipq_label_associate; | |
5885 | mpo_ipq_label_compare_t *mpo_ipq_label_compare; | |
5886 | mpo_ipq_label_destroy_t *mpo_ipq_label_destroy; | |
5887 | mpo_ipq_label_init_t *mpo_ipq_label_init; | |
5888 | mpo_ipq_label_update_t *mpo_ipq_label_update; | |
5889 | ||
5890 | mpo_lctx_check_label_update_t *mpo_lctx_check_label_update; | |
5891 | mpo_lctx_label_destroy_t *mpo_lctx_label_destroy; | |
5892 | mpo_lctx_label_externalize_t *mpo_lctx_label_externalize; | |
5893 | mpo_lctx_label_init_t *mpo_lctx_label_init; | |
5894 | mpo_lctx_label_internalize_t *mpo_lctx_label_internalize; | |
5895 | mpo_lctx_label_update_t *mpo_lctx_label_update; | |
5896 | mpo_lctx_notify_create_t *mpo_lctx_notify_create; | |
5897 | mpo_lctx_notify_join_t *mpo_lctx_notify_join; | |
5898 | mpo_lctx_notify_leave_t *mpo_lctx_notify_leave; | |
5899 | ||
5900 | mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc; | |
5901 | mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet; | |
5902 | mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb; | |
5903 | mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq; | |
5904 | mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer; | |
5905 | mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap; | |
5906 | mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer; | |
5907 | mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket; | |
5908 | mpo_mbuf_label_copy_t *mpo_mbuf_label_copy; | |
5909 | mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy; | |
5910 | mpo_mbuf_label_init_t *mpo_mbuf_label_init; | |
5911 | ||
5912 | mpo_mount_check_fsctl_t *mpo_mount_check_fsctl; | |
5913 | mpo_mount_check_getattr_t *mpo_mount_check_getattr; | |
5914 | mpo_mount_check_label_update_t *mpo_mount_check_label_update; | |
5915 | mpo_mount_check_mount_t *mpo_mount_check_mount; | |
5916 | mpo_mount_check_remount_t *mpo_mount_check_remount; | |
5917 | mpo_mount_check_setattr_t *mpo_mount_check_setattr; | |
5918 | mpo_mount_check_stat_t *mpo_mount_check_stat; | |
5919 | mpo_mount_check_umount_t *mpo_mount_check_umount; | |
5920 | mpo_mount_label_associate_t *mpo_mount_label_associate; | |
5921 | mpo_mount_label_destroy_t *mpo_mount_label_destroy; | |
5922 | mpo_mount_label_externalize_t *mpo_mount_label_externalize; | |
5923 | mpo_mount_label_init_t *mpo_mount_label_init; | |
5924 | mpo_mount_label_internalize_t *mpo_mount_label_internalize; | |
5925 | ||
5926 | mpo_netinet_fragment_t *mpo_netinet_fragment; | |
5927 | mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply; | |
5928 | mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply; | |
5929 | ||
5930 | mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; | |
5931 | mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; | |
5932 | mpo_pipe_check_label_update_t *mpo_pipe_check_label_update; | |
5933 | mpo_pipe_check_read_t *mpo_pipe_check_read; | |
5934 | mpo_pipe_check_select_t *mpo_pipe_check_select; | |
5935 | mpo_pipe_check_stat_t *mpo_pipe_check_stat; | |
5936 | mpo_pipe_check_write_t *mpo_pipe_check_write; | |
5937 | mpo_pipe_label_associate_t *mpo_pipe_label_associate; | |
5938 | mpo_pipe_label_copy_t *mpo_pipe_label_copy; | |
5939 | mpo_pipe_label_destroy_t *mpo_pipe_label_destroy; | |
5940 | mpo_pipe_label_externalize_t *mpo_pipe_label_externalize; | |
5941 | mpo_pipe_label_init_t *mpo_pipe_label_init; | |
5942 | mpo_pipe_label_internalize_t *mpo_pipe_label_internalize; | |
5943 | mpo_pipe_label_update_t *mpo_pipe_label_update; | |
5944 | ||
5945 | mpo_policy_destroy_t *mpo_policy_destroy; | |
5946 | mpo_policy_init_t *mpo_policy_init; | |
5947 | mpo_policy_initbsd_t *mpo_policy_initbsd; | |
5948 | mpo_policy_syscall_t *mpo_policy_syscall; | |
5949 | ||
5950 | mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname; | |
5951 | mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports; | |
5952 | mpo_vnode_check_rename_t *mpo_vnode_check_rename; | |
5953 | mpo_reserved_hook_t *mpo_reserved4; | |
5954 | mpo_reserved_hook_t *mpo_reserved5; | |
5955 | mpo_reserved_hook_t *mpo_reserved6; | |
5956 | mpo_reserved_hook_t *mpo_reserved7; | |
5957 | mpo_reserved_hook_t *mpo_reserved8; | |
5958 | mpo_reserved_hook_t *mpo_reserved9; | |
5959 | mpo_reserved_hook_t *mpo_reserved10; | |
5960 | mpo_reserved_hook_t *mpo_reserved11; | |
5961 | mpo_reserved_hook_t *mpo_reserved12; | |
5962 | mpo_reserved_hook_t *mpo_reserved13; | |
5963 | mpo_reserved_hook_t *mpo_reserved14; | |
5964 | mpo_reserved_hook_t *mpo_reserved15; | |
5965 | mpo_reserved_hook_t *mpo_reserved16; | |
5966 | mpo_reserved_hook_t *mpo_reserved17; | |
5967 | mpo_reserved_hook_t *mpo_reserved18; | |
5968 | mpo_reserved_hook_t *mpo_reserved19; | |
5969 | mpo_reserved_hook_t *mpo_reserved20; | |
5970 | mpo_reserved_hook_t *mpo_reserved21; | |
5971 | mpo_reserved_hook_t *mpo_reserved22; | |
5972 | ||
5973 | mpo_posixsem_check_create_t *mpo_posixsem_check_create; | |
5974 | mpo_posixsem_check_open_t *mpo_posixsem_check_open; | |
5975 | mpo_posixsem_check_post_t *mpo_posixsem_check_post; | |
5976 | mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink; | |
5977 | mpo_posixsem_check_wait_t *mpo_posixsem_check_wait; | |
5978 | mpo_posixsem_label_associate_t *mpo_posixsem_label_associate; | |
5979 | mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy; | |
5980 | mpo_posixsem_label_init_t *mpo_posixsem_label_init; | |
5981 | mpo_posixshm_check_create_t *mpo_posixshm_check_create; | |
5982 | mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap; | |
5983 | mpo_posixshm_check_open_t *mpo_posixshm_check_open; | |
5984 | mpo_posixshm_check_stat_t *mpo_posixshm_check_stat; | |
5985 | mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate; | |
5986 | mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink; | |
5987 | mpo_posixshm_label_associate_t *mpo_posixshm_label_associate; | |
5988 | mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy; | |
5989 | mpo_posixshm_label_init_t *mpo_posixshm_label_init; | |
5990 | ||
5991 | mpo_proc_check_debug_t *mpo_proc_check_debug; | |
5992 | mpo_proc_check_fork_t *mpo_proc_check_fork; | |
5993 | mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name; | |
5994 | mpo_proc_check_get_task_t *mpo_proc_check_get_task; | |
5995 | mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; | |
5996 | mpo_proc_check_getauid_t *mpo_proc_check_getauid; | |
5997 | mpo_proc_check_getlcid_t *mpo_proc_check_getlcid; | |
5998 | mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; | |
5999 | mpo_proc_check_sched_t *mpo_proc_check_sched; | |
6000 | mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; | |
6001 | mpo_proc_check_setauid_t *mpo_proc_check_setauid; | |
6002 | mpo_proc_check_setlcid_t *mpo_proc_check_setlcid; | |
6003 | mpo_proc_check_signal_t *mpo_proc_check_signal; | |
6004 | mpo_proc_check_wait_t *mpo_proc_check_wait; | |
6005 | mpo_proc_label_destroy_t *mpo_proc_label_destroy; | |
6006 | mpo_proc_label_init_t *mpo_proc_label_init; | |
6007 | ||
6008 | mpo_socket_check_accept_t *mpo_socket_check_accept; | |
6009 | mpo_socket_check_accepted_t *mpo_socket_check_accepted; | |
6010 | mpo_socket_check_bind_t *mpo_socket_check_bind; | |
6011 | mpo_socket_check_connect_t *mpo_socket_check_connect; | |
6012 | mpo_socket_check_create_t *mpo_socket_check_create; | |
6013 | mpo_socket_check_deliver_t *mpo_socket_check_deliver; | |
6014 | mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter; | |
6015 | mpo_socket_check_label_update_t *mpo_socket_check_label_update; | |
6016 | mpo_socket_check_listen_t *mpo_socket_check_listen; | |
6017 | mpo_socket_check_receive_t *mpo_socket_check_receive; | |
6018 | mpo_socket_check_received_t *mpo_socket_check_received; | |
6019 | mpo_socket_check_select_t *mpo_socket_check_select; | |
6020 | mpo_socket_check_send_t *mpo_socket_check_send; | |
6021 | mpo_socket_check_stat_t *mpo_socket_check_stat; | |
6022 | mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt; | |
6023 | mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt; | |
6024 | mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept; | |
6025 | mpo_socket_label_associate_t *mpo_socket_label_associate; | |
6026 | mpo_socket_label_copy_t *mpo_socket_label_copy; | |
6027 | mpo_socket_label_destroy_t *mpo_socket_label_destroy; | |
6028 | mpo_socket_label_externalize_t *mpo_socket_label_externalize; | |
6029 | mpo_socket_label_init_t *mpo_socket_label_init; | |
6030 | mpo_socket_label_internalize_t *mpo_socket_label_internalize; | |
6031 | mpo_socket_label_update_t *mpo_socket_label_update; | |
6032 | ||
6033 | mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf; | |
6034 | mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket; | |
6035 | mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy; | |
6036 | mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize; | |
6037 | mpo_socketpeer_label_init_t *mpo_socketpeer_label_init; | |
6038 | ||
6039 | mpo_system_check_acct_t *mpo_system_check_acct; | |
6040 | mpo_system_check_audit_t *mpo_system_check_audit; | |
6041 | mpo_system_check_auditctl_t *mpo_system_check_auditctl; | |
6042 | mpo_system_check_auditon_t *mpo_system_check_auditon; | |
6043 | mpo_system_check_host_priv_t *mpo_system_check_host_priv; | |
6044 | mpo_system_check_nfsd_t *mpo_system_check_nfsd; | |
6045 | mpo_system_check_reboot_t *mpo_system_check_reboot; | |
6046 | mpo_system_check_settime_t *mpo_system_check_settime; | |
6047 | mpo_system_check_swapoff_t *mpo_system_check_swapoff; | |
6048 | mpo_system_check_swapon_t *mpo_system_check_swapon; | |
6049 | mpo_reserved_hook_t *mpo_reserved31; | |
6050 | ||
6051 | mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate; | |
6052 | mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy; | |
6053 | mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init; | |
6054 | mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle; | |
6055 | mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue; | |
6056 | mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv; | |
6057 | mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid; | |
6058 | mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl; | |
6059 | mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget; | |
6060 | mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv; | |
6061 | mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd; | |
6062 | mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate; | |
6063 | mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy; | |
6064 | mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init; | |
6065 | mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle; | |
6066 | mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl; | |
6067 | mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget; | |
6068 | mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop; | |
6069 | mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate; | |
6070 | mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy; | |
6071 | mpo_sysvsem_label_init_t *mpo_sysvsem_label_init; | |
6072 | mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle; | |
6073 | mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat; | |
6074 | mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl; | |
6075 | mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt; | |
6076 | mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget; | |
6077 | mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate; | |
6078 | mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy; | |
6079 | mpo_sysvshm_label_init_t *mpo_sysvshm_label_init; | |
6080 | mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle; | |
6081 | ||
6082 | mpo_reserved_hook_t *mpo_reserved23; | |
6083 | mpo_reserved_hook_t *mpo_reserved24; | |
6084 | mpo_reserved_hook_t *mpo_reserved25; | |
6085 | mpo_reserved_hook_t *mpo_reserved26; | |
6086 | mpo_reserved_hook_t *mpo_reserved27; | |
6087 | mpo_reserved_hook_t *mpo_reserved28; | |
6088 | mpo_reserved_hook_t *mpo_reserved29; | |
6089 | mpo_reserved_hook_t *mpo_reserved30; | |
6090 | ||
6091 | mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control; | |
6092 | ||
6093 | mpo_vnode_check_access_t *mpo_vnode_check_access; | |
6094 | mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; | |
6095 | mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; | |
6096 | mpo_vnode_check_create_t *mpo_vnode_check_create; | |
6097 | mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr; | |
6098 | mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata; | |
6099 | mpo_vnode_check_exec_t *mpo_vnode_check_exec; | |
6100 | mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist; | |
6101 | mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr; | |
6102 | mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl; | |
6103 | mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter; | |
6104 | mpo_vnode_check_label_update_t *mpo_vnode_check_label_update; | |
6105 | mpo_vnode_check_link_t *mpo_vnode_check_link; | |
6106 | mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; | |
6107 | mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; | |
6108 | mpo_vnode_check_open_t *mpo_vnode_check_open; | |
6109 | mpo_vnode_check_read_t *mpo_vnode_check_read; | |
6110 | mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; | |
6111 | mpo_vnode_check_readlink_t *mpo_vnode_check_readlink; | |
6112 | mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from; | |
6113 | mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to; | |
6114 | mpo_vnode_check_revoke_t *mpo_vnode_check_revoke; | |
6115 | mpo_vnode_check_select_t *mpo_vnode_check_select; | |
6116 | mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist; | |
6117 | mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr; | |
6118 | mpo_vnode_check_setflags_t *mpo_vnode_check_setflags; | |
6119 | mpo_vnode_check_setmode_t *mpo_vnode_check_setmode; | |
6120 | mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; | |
6121 | mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; | |
6122 | mpo_vnode_check_stat_t *mpo_vnode_check_stat; | |
6123 | mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; | |
6124 | mpo_vnode_check_unlink_t *mpo_vnode_check_unlink; | |
6125 | mpo_vnode_check_write_t *mpo_vnode_check_write; | |
6126 | mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs; | |
6127 | mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr; | |
6128 | mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file; | |
6129 | mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe; | |
6130 | mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem; | |
6131 | mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm; | |
6132 | mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel; | |
6133 | mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket; | |
6134 | mpo_vnode_label_copy_t *mpo_vnode_label_copy; | |
6135 | mpo_vnode_label_destroy_t *mpo_vnode_label_destroy; | |
6136 | mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit; | |
6137 | mpo_vnode_label_externalize_t *mpo_vnode_label_externalize; | |
6138 | mpo_vnode_label_init_t *mpo_vnode_label_init; | |
6139 | mpo_vnode_label_internalize_t *mpo_vnode_label_internalize; | |
6140 | mpo_vnode_label_recycle_t *mpo_vnode_label_recycle; | |
6141 | mpo_vnode_label_store_t *mpo_vnode_label_store; | |
6142 | mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr; | |
6143 | mpo_vnode_label_update_t *mpo_vnode_label_update; | |
6144 | mpo_vnode_notify_create_t *mpo_vnode_notify_create; | |
6145 | mpo_vnode_check_signature_t *mpo_vnode_check_signature; | |
6146 | mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind; | |
6147 | mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect; | |
6148 | ||
6149 | mac_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid; | |
6150 | mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume; | |
6151 | ||
6152 | mpo_thread_userret_t *mpo_thread_userret; | |
6153 | ||
6154 | mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties; | |
6155 | ||
6156 | mpo_system_check_chud_t *mpo_system_check_chud; | |
6157 | ||
6158 | mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs; | |
6159 | ||
6160 | mpo_priv_check_t *mpo_priv_check; | |
6161 | mpo_priv_grant_t *mpo_priv_grant; | |
6162 | ||
6163 | mpo_proc_check_map_anon_t *mpo_proc_check_map_anon; | |
6164 | ||
6165 | mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath; | |
6166 | ||
6167 | mpo_iokit_check_open_t *mpo_iokit_check_open; | |
6168 | ||
6169 | mpo_proc_check_ledger_t *mpo_proc_check_ledger; | |
6170 | ||
6171 | mpo_vnode_notify_rename_t *mpo_vnode_notify_rename; | |
6172 | ||
6173 | mpo_thread_label_init_t *mpo_thread_label_init; | |
6174 | mpo_thread_label_destroy_t *mpo_thread_label_destroy; | |
6175 | ||
6176 | mpo_system_check_kas_info_t *mpo_system_check_kas_info; | |
6177 | ||
6178 | mpo_proc_check_cpumon_t *mpo_proc_check_cpumon; | |
6179 | ||
6180 | mpo_vnode_notify_open_t *mpo_vnode_notify_open; | |
6181 | ||
6182 | mpo_system_check_info_t *mpo_system_check_info; | |
6183 | ||
6184 | mpo_pty_notify_grant_t *mpo_pty_notify_grant; | |
6185 | mpo_pty_notify_close_t *mpo_pty_notify_close; | |
6186 | ||
6187 | mpo_vnode_find_sigs_t *mpo_vnode_find_sigs; | |
6188 | ||
6189 | mpo_kext_check_load_t *mpo_kext_check_load; | |
6190 | mpo_kext_check_unload_t *mpo_kext_check_unload; | |
6191 | ||
6192 | mpo_proc_check_proc_info_t *mpo_proc_check_proc_info; | |
6193 | mpo_vnode_notify_link_t *mpo_vnode_notify_link; | |
6194 | mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties; | |
6195 | mpo_iokit_check_get_property_t *mpo_iokit_check_get_property; | |
6196 | }; | |
6197 | ||
6198 | /** | |
6199 | @brief MAC policy handle type | |
6200 | ||
6201 | The MAC handle is used to uniquely identify a loaded policy within | |
6202 | the MAC Framework. | |
6203 | ||
6204 | A variable of this type is set by mac_policy_register(). | |
6205 | */ | |
6206 | typedef unsigned int mac_policy_handle_t; | |
6207 | ||
6208 | #define mpc_t struct mac_policy_conf * | |
6209 | ||
6210 | /** | |
6211 | @brief Mac policy configuration | |
6212 | ||
6213 | This structure specifies the configuration information for a | |
6214 | MAC policy module. A policy module developer must supply | |
6215 | a short unique policy name, a more descriptive full name, a list of label | |
6216 | namespaces and count, a pointer to the registered enty point operations, | |
6217 | any load time flags, and optionally, a pointer to a label slot identifier. | |
6218 | ||
6219 | The Framework will update the runtime flags (mpc_runtime_flags) to | |
6220 | indicate that the module has been registered. | |
6221 | ||
6222 | If the label slot identifier (mpc_field_off) is NULL, the Framework | |
6223 | will not provide label storage for the policy. Otherwise, the | |
6224 | Framework will store the label location (slot) in this field. | |
6225 | ||
6226 | The mpc_list field is used by the Framework and should not be | |
6227 | modified by policies. | |
6228 | */ | |
6229 | /* XXX - reorder these for better aligment on 64bit platforms */ | |
6230 | struct mac_policy_conf { | |
6231 | const char *mpc_name; /** policy name */ | |
6232 | const char *mpc_fullname; /** full name */ | |
6233 | const char **mpc_labelnames; /** managed label namespaces */ | |
6234 | unsigned int mpc_labelname_count; /** number of managed label namespaces */ | |
6235 | struct mac_policy_ops *mpc_ops; /** operation vector */ | |
6236 | int mpc_loadtime_flags; /** load time flags */ | |
6237 | int *mpc_field_off; /** label slot */ | |
6238 | int mpc_runtime_flags; /** run time flags */ | |
6239 | mpc_t mpc_list; /** List reference */ | |
6240 | void *mpc_data; /** module data */ | |
6241 | }; | |
6242 | ||
6243 | /** | |
6244 | @brief MAC policy module registration routine | |
6245 | ||
6246 | This function is called to register a policy with the | |
6247 | MAC framework. A policy module will typically call this from the | |
6248 | Darwin KEXT registration routine. | |
6249 | */ | |
6250 | int mac_policy_register(struct mac_policy_conf *mpc, | |
6251 | mac_policy_handle_t *handlep, void *xd); | |
6252 | ||
6253 | /** | |
6254 | @brief MAC policy module de-registration routine | |
6255 | ||
6256 | This function is called to de-register a policy with theD | |
6257 | MAC framework. A policy module will typically call this from the | |
6258 | Darwin KEXT de-registration routine. | |
6259 | */ | |
6260 | int mac_policy_unregister(mac_policy_handle_t handle); | |
6261 | ||
6262 | /* | |
6263 | * Framework entry points for the policies to add audit data. | |
6264 | */ | |
6265 | int mac_audit_text(char *text, mac_policy_handle_t handle); | |
6266 | ||
6267 | /* | |
6268 | * Calls to assist with use of Apple XATTRs within policy modules. | |
6269 | */ | |
6270 | int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t); | |
6271 | int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t, | |
6272 | size_t *); | |
6273 | int mac_vnop_removexattr(struct vnode *, const char *); | |
6274 | ||
6275 | /* | |
6276 | * Arbitrary limit on how much data will be logged by the audit | |
6277 | * entry points above. | |
6278 | */ | |
6279 | #define MAC_AUDIT_DATA_LIMIT 1024 | |
6280 | ||
6281 | /* | |
6282 | * Values returned by mac_audit_{pre,post}select. To combine the responses | |
6283 | * of the security policies into a single decision, | |
6284 | * mac_audit_{pre,post}select() choose the greatest value returned. | |
6285 | */ | |
6286 | #define MAC_AUDIT_DEFAULT 0 /* use system behavior */ | |
6287 | #define MAC_AUDIT_NO 1 /* force not auditing this event */ | |
6288 | #define MAC_AUDIT_YES 2 /* force auditing this event */ | |
6289 | ||
6290 | // \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field | |
6291 | ||
6292 | /** | |
6293 | @name Flags for the mpc_loadtime_flags field | |
6294 | @see mac_policy_conf | |
6295 | ||
6296 | This is the complete list of flags that are supported by the | |
6297 | mpc_loadtime_flags field of the mac_policy_conf structure. These | |
6298 | flags specify the load time behavior of MAC Framework policy | |
6299 | modules. | |
6300 | */ | |
6301 | ||
6302 | /*@{*/ | |
6303 | ||
6304 | /** | |
6305 | @brief Flag to indicate registration preference | |
6306 | ||
6307 | This flag indicates that the policy module must be loaded and | |
6308 | initialized early in the boot process. If the flag is specified, | |
6309 | attempts to register the module following boot will be rejected. The | |
6310 | flag may be used by policies that require pervasive labeling of all | |
6311 | system objects, and cannot handle objects that have not been | |
6312 | properly initialized by the policy. | |
6313 | */ | |
6314 | #define MPC_LOADTIME_FLAG_NOTLATE 0x00000001 | |
6315 | ||
6316 | /** | |
6317 | @brief Flag to indicate unload preference | |
6318 | ||
6319 | This flag indicates that the policy module may be unloaded. If this | |
6320 | flag is not set, then the policy framework will reject requests to | |
6321 | unload the module. This flag might be used by modules that allocate | |
6322 | label state and are unable to free that state at runtime, or for | |
6323 | modules that simply do not want to permit unload operations. | |
6324 | */ | |
6325 | #define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002 | |
6326 | ||
6327 | /** | |
6328 | @brief Unsupported | |
6329 | ||
6330 | XXX This flag is not yet supported. | |
6331 | */ | |
6332 | #define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004 | |
6333 | ||
6334 | /** | |
6335 | @brief Flag to indicate a base policy | |
6336 | ||
6337 | This flag indicates that the policy module is a base policy. Only | |
6338 | one module can declare itself as base, otherwise the boot process | |
6339 | will be halted. | |
6340 | */ | |
6341 | #define MPC_LOADTIME_BASE_POLICY 0x00000008 | |
6342 | ||
6343 | /*@}*/ | |
6344 | ||
6345 | /** | |
6346 | @brief Policy registration flag | |
6347 | @see mac_policy_conf | |
6348 | ||
6349 | This flag indicates that the policy module has been successfully | |
6350 | registered with the TrustedBSD MAC Framework. The Framework will | |
6351 | set this flag in the mpc_runtime_flags field of the policy's | |
6352 | mac_policy_conf structure after registering the policy. | |
6353 | */ | |
6354 | #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 | |
6355 | ||
6356 | /* | |
6357 | * Depends on POLICY_VER | |
6358 | */ | |
6359 | ||
6360 | #ifndef POLICY_VER | |
6361 | #define POLICY_VER 1.0 | |
6362 | #endif | |
6363 | ||
6364 | #define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \ | |
6365 | static struct mac_policy_conf mpname##_mac_policy_conf = { \ | |
6366 | .mpc_name = #mpname, \ | |
6367 | .mpc_fullname = mpfullname, \ | |
6368 | .mpc_labelnames = lnames, \ | |
6369 | .mpc_labelname_count = lcount, \ | |
6370 | .mpc_ops = mpops, \ | |
6371 | .mpc_loadtime_flags = lflags, \ | |
6372 | .mpc_field_off = slot, \ | |
6373 | .mpc_runtime_flags = rflags \ | |
6374 | }; \ | |
6375 | \ | |
6376 | static kern_return_t \ | |
6377 | kmod_start(kmod_info_t *ki, void *xd) \ | |
6378 | { \ | |
6379 | return mac_policy_register(&mpname##_mac_policy_conf, \ | |
6380 | &handle, xd); \ | |
6381 | } \ | |
6382 | \ | |
6383 | static kern_return_t \ | |
6384 | kmod_stop(kmod_info_t *ki, void *xd) \ | |
6385 | { \ | |
6386 | return mac_policy_unregister(handle); \ | |
6387 | } \ | |
6388 | \ | |
6389 | extern kern_return_t _start(kmod_info_t *ki, void *data); \ | |
6390 | extern kern_return_t _stop(kmod_info_t *ki, void *data); \ | |
6391 | \ | |
6392 | KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \ | |
6393 | kmod_start_func_t *_realmain = kmod_start; \ | |
6394 | kmod_stop_func_t *_antimain = kmod_stop; \ | |
6395 | int _kext_apple_cc = __APPLE_CC__ | |
6396 | ||
6397 | ||
6398 | #define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s] | |
6399 | ||
6400 | /* | |
6401 | * Policy interface to map a struct label pointer to per-policy data. | |
6402 | * Typically, policies wrap this in their own accessor macro that casts an | |
6403 | * intptr_t to a policy-specific data type. | |
6404 | */ | |
6405 | intptr_t mac_label_get(struct label *l, int slot); | |
6406 | void mac_label_set(struct label *l, int slot, intptr_t v); | |
6407 | ||
6408 | #define mac_get_mpc(h) (mac_policy_list.entries[h].mpc) | |
6409 | ||
6410 | /** | |
6411 | @name Flags for MAC allocator interfaces | |
6412 | ||
6413 | These flags are passed to the Darwin kernel allocator routines to | |
6414 | indicate whether the allocation is permitted to block or not. | |
6415 | Caution should be taken; some operations are not permitted to sleep, | |
6416 | and some types of locks cannot be held when sleeping. | |
6417 | */ | |
6418 | ||
6419 | /*@{*/ | |
6420 | ||
6421 | /** | |
6422 | @brief Allocation operations may block | |
6423 | ||
6424 | If memory is not immediately available, the allocation routine | |
6425 | will block (typically sleeping) until memory is available. | |
6426 | ||
6427 | @warning Inappropriate use of this flag may cause kernel panics. | |
6428 | */ | |
6429 | #define MAC_WAITOK 0 | |
6430 | ||
6431 | /** | |
6432 | @brief Allocation operations may not block | |
6433 | ||
6434 | Rather than blocking, the allocator may return an error if memory | |
6435 | is not immediately available. This type of allocation will not | |
6436 | sleep, preserving locking semantics. | |
6437 | */ | |
6438 | #define MAC_NOWAIT 1 | |
6439 | ||
6440 | /*@}*/ | |
6441 | ||
6442 | #endif /* !_SECURITY_MAC_POLICY_H_ */ |