security/mac_framework.h

   1 /*
   2  * Copyright (c) 2007 Apple Inc. All rights reserved.
   3  *
   4  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. The rights granted to you under the License
  10  * may not be used to create, or enable the creation or redistribution of,
  11  * unlawful or unlicensed copies of an Apple operating system, or to
  12  * circumvent, violate, or enable the circumvention or violation of, any
  13  * terms of an Apple operating system software license agreement.
  14  *
  15  * Please obtain a copy of the License at
  16  * http://www.opensource.apple.com/apsl/ and read it before using this file.
  17  *
  18  * The Original Code and all software distributed under the License are
  19  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  20  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  21  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  22  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  23  * Please see the License for the specific language governing rights and
  24  * limitations under the License.
  25  *
  26  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
  27  */
  28 /*-
  29  * Copyright (c) 1999-2002 Robert N. M. Watson
  30  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  31  * Copyright (c) 2005-2007 SPARTA, Inc.
  32  * All rights reserved.
  33  *
  34  * This software was developed by Robert Watson for the TrustedBSD Project.
  35  *
  36  * This software was developed for the FreeBSD Project in part by Network
  37  * Associates Laboratories, the Security Research Division of Network
  38  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  39  * as part of the DARPA CHATS research program.
  40  *
  41  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  42  * N66001-04-C-6019 ("SEFOS").
  43  *
  44  * Redistribution and use in source and binary forms, with or without
  45  * modification, are permitted provided that the following conditions
  46  * are met:
  47  * 1. Redistributions of source code must retain the above copyright
  48  *    notice, this list of conditions and the following disclaimer.
  49  * 2. Redistributions in binary form must reproduce the above copyright
  50  *    notice, this list of conditions and the following disclaimer in the
  51  *    documentation and/or other materials provided with the distribution.
  52  *
  53  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  54  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  55  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  56  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  57  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  58  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  59  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  60  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  61  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  62  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  63  * SUCH DAMAGE.
  64  *
  65  * $FreeBSD: src/sys/sys/mac.h,v 1.40 2003/04/18 19:57:37 rwatson Exp $
  66  *
  67  */
  68 /*
  69  * Kernel interface for Mandatory Access Control -- how kernel services
  70  * interact with the TrustedBSD MAC Framework.
  71  */
  72
  73 #ifndef _SECURITY_MAC_FRAMEWORK_H_
  74 #define _SECURITY_MAC_FRAMEWORK_H_
  75
  76 #ifndef KERNEL
  77 #error "no user-serviceable parts inside"
  78 #endif
  79
  80 #ifndef PRIVATE
  81 #warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
  82 #endif
  83
  84 struct attrlist;
  85 struct auditinfo;
  86 struct bpf_d;
  87 struct componentname;
  88 struct cs_blob;
  89 struct devnode;
  90 struct exception_action;
  91 struct flock;
  92 struct fdescnode;
  93 struct fileglob;
  94 struct fileproc;
  95 struct ifnet;
  96 struct ifreq;
  97 struct image_params;
  98 struct inpcb;
  99 struct ipc_port;
 100 struct ipq;
 101 struct knote;
 102 struct m_tag;
 103 struct mac;
 104 struct mac_module_data;
 105 struct mbuf;
 106 struct msg;
 107 struct msqid_kernel;
 108 struct mount;
 109 struct pipe;
 110 struct proc;
 111 struct pseminfo;
 112 struct pshminfo;
 113 struct semid_kernel;
 114 struct shmid_kernel;
 115 struct sockaddr;
 116 struct sockopt;
 117 struct socket;
 118 struct task;
 119 struct thread;
 120 struct timespec;
 121 struct tty;
 122 struct ucred;
 123 struct uio;
 124 struct uthread;
 125 struct vfs_attr;
 126 struct vfs_context;
 127 struct vnode;
 128 struct vnode_attr;
 129 struct vop_setlabel_args;
 130
 131 #include <sys/kauth.h>
 132 #include <sys/kernel_types.h>
 133
 134 #if CONFIG_MACF
 135
 136 #ifndef __IOKIT_PORTS_DEFINED__
 137 #define __IOKIT_PORTS_DEFINED__
 138 #ifdef __cplusplus
 139 class OSObject;
 140 typedef OSObject *io_object_t;
 141 #else
 142 struct OSObject;
 143 typedef struct OSObject *io_object_t;
 144 #endif
 145 #endif /* __IOKIT_PORTS_DEFINED__ */
 146
 147 /*@ macros */
 148 #define VNODE_LABEL_CREATE      1
 149
 150 /*@ === */
 151 int     mac_audit_check_postselect(kauth_cred_t cred, unsigned short syscode,
 152     void *args, int error, int retval, int mac_forced);
 153 int     mac_audit_check_preselect(kauth_cred_t cred, unsigned short syscode,
 154     void *args);
 155 int     mac_bpfdesc_check_receive(struct bpf_d *bpf_d, struct ifnet *ifp);
 156 void    mac_bpfdesc_label_destroy(struct bpf_d *bpf_d);
 157 void    mac_bpfdesc_label_init(struct bpf_d *bpf_d);
 158 void    mac_bpfdesc_label_associate(kauth_cred_t cred, struct bpf_d *bpf_d);
 159 int     mac_cred_check_label_update(kauth_cred_t cred,
 160     struct label *newlabel);
 161 int     mac_cred_check_label_update_execve(vfs_context_t ctx,
 162     struct vnode *vp, off_t offset, struct vnode *scriptvp,
 163     struct label *scriptvnodelabel, struct label *execlabel,
 164     proc_t proc, void *macextensions);
 165 int     mac_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2);
 166 struct label    *mac_cred_label_alloc(void);
 167 void    mac_cred_label_associate(kauth_cred_t cred_parent,
 168     kauth_cred_t cred_child);
 169 void    mac_cred_label_associate_fork(kauth_cred_t cred, proc_t child);
 170 void    mac_cred_label_associate_kernel(kauth_cred_t cred);
 171 void    mac_cred_label_associate_user(kauth_cred_t cred);
 172 void    mac_cred_label_destroy(kauth_cred_t cred);
 173 int     mac_cred_label_externalize_audit(proc_t p, struct mac *mac);
 174 void    mac_cred_label_free(struct label *label);
 175 void    mac_cred_label_init(kauth_cred_t cred);
 176 int     mac_cred_label_compare(struct label *a, struct label *b);
 177 void    mac_cred_label_update(kauth_cred_t cred, struct label *newlabel);
 178 void    mac_cred_label_update_execve(vfs_context_t ctx, kauth_cred_t newcred,
 179     struct vnode *vp, off_t offset, struct vnode *scriptvp,
 180     struct label *scriptvnodelabel, struct label *execlabel, u_int *csflags,
 181     void *macextensions, int *disjoint, int *labelupdateerror);
 182 void    mac_devfs_label_associate_device(dev_t dev, struct devnode *de,
 183     const char *fullpath);
 184 void    mac_devfs_label_associate_directory(const char *dirname, int dirnamelen,
 185     struct devnode *de, const char *fullpath);
 186 void    mac_devfs_label_copy(struct label *, struct label *label);
 187 void    mac_devfs_label_destroy(struct devnode *de);
 188 void    mac_devfs_label_init(struct devnode *de);
 189 void    mac_devfs_label_update(struct mount *mp, struct devnode *de,
 190     struct vnode *vp);
 191 int     mac_execve_enter(user_addr_t mac_p, struct image_params *imgp);
 192 int     mac_file_check_change_offset(kauth_cred_t cred, struct fileglob *fg);
 193 int     mac_file_check_create(kauth_cred_t cred);
 194 int     mac_file_check_dup(kauth_cred_t cred, struct fileglob *fg, int newfd);
 195 int     mac_file_check_fcntl(kauth_cred_t cred, struct fileglob *fg, int cmd,
 196     user_long_t arg);
 197 int     mac_file_check_get(kauth_cred_t cred, struct fileglob *fg,
 198     char *elements, int len);
 199 int     mac_file_check_get_offset(kauth_cred_t cred, struct fileglob *fg);
 200 int     mac_file_check_inherit(kauth_cred_t cred, struct fileglob *fg);
 201 int     mac_file_check_ioctl(kauth_cred_t cred, struct fileglob *fg,
 202     unsigned int cmd);
 203 int     mac_file_check_lock(kauth_cred_t cred, struct fileglob *fg, int op,
 204     struct flock *fl);
 205 int     mac_file_check_library_validation(struct proc *proc,
 206     struct fileglob *fg, off_t slice_offset,
 207     user_long_t error_message, size_t error_message_size);
 208 int     mac_file_check_mmap(kauth_cred_t cred, struct fileglob *fg,
 209     int prot, int flags, uint64_t file_pos, int *maxprot);
 210 void    mac_file_check_mmap_downgrade(kauth_cred_t cred, struct fileglob *fg,
 211     int *prot);
 212 int     mac_file_check_receive(kauth_cred_t cred, struct fileglob *fg);
 213 int     mac_file_check_set(kauth_cred_t cred, struct fileglob *fg,
 214     char *bufp, int buflen);
 215 void    mac_file_label_associate(kauth_cred_t cred, struct fileglob *fg);
 216 void    mac_file_label_destroy(struct fileglob *fg);
 217 void    mac_file_label_init(struct fileglob *fg);
 218 int     mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *mbuf,
 219     int family, int type);
 220 void    mac_ifnet_label_associate(struct ifnet *ifp);
 221 void    mac_ifnet_label_destroy(struct ifnet *ifp);
 222 int     mac_ifnet_label_get(kauth_cred_t cred, struct ifreq *ifr,
 223     struct ifnet *ifp);
 224 void    mac_ifnet_label_init(struct ifnet *ifp);
 225 void    mac_ifnet_label_recycle(struct ifnet *ifp);
 226 int     mac_ifnet_label_set(kauth_cred_t cred, struct ifreq *ifr,
 227     struct ifnet *ifp);
 228 int     mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *mbuf,
 229     int family, int type);
 230 void    mac_inpcb_label_associate(struct socket *so, struct inpcb *inp);
 231 void    mac_inpcb_label_destroy(struct inpcb *inp);
 232 int     mac_inpcb_label_init(struct inpcb *inp, int flag);
 233 void    mac_inpcb_label_recycle(struct inpcb *inp);
 234 void    mac_inpcb_label_update(struct socket *so);
 235 int     mac_iokit_check_device(char *devtype, struct mac_module_data *mdata);
 236 int     mac_iokit_check_open(kauth_cred_t cred, io_object_t user_client, unsigned int user_client_type);
 237 int     mac_iokit_check_set_properties(kauth_cred_t cred, io_object_t registry_entry, io_object_t properties);
 238 int     mac_iokit_check_filter_properties(kauth_cred_t cred, io_object_t registry_entry);
 239 int     mac_iokit_check_get_property(kauth_cred_t cred, io_object_t registry_entry, const char *name);
 240 int     mac_iokit_check_hid_control(kauth_cred_t cred);
 241 void    mac_ipq_label_associate(struct mbuf *fragment, struct ipq *ipq);
 242 int     mac_ipq_label_compare(struct mbuf *fragment, struct ipq *ipq);
 243 void    mac_ipq_label_destroy(struct ipq *ipq);
 244 int     mac_ipq_label_init(struct ipq *ipq, int flag);
 245 void    mac_ipq_label_update(struct mbuf *fragment, struct ipq *ipq);
 246 void    mac_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
 247 void    mac_mbuf_label_associate_ifnet(struct ifnet *ifp, struct mbuf *m);
 248 void    mac_mbuf_label_associate_inpcb(struct inpcb *inp, struct mbuf *m);
 249 void    mac_mbuf_label_associate_ipq(struct ipq *ipq, struct mbuf *mbuf);
 250 void    mac_mbuf_label_associate_linklayer(struct ifnet *ifp, struct mbuf *m);
 251 void    mac_mbuf_label_associate_multicast_encap(struct mbuf *oldmbuf,
 252     struct ifnet *ifp, struct mbuf *newmbuf);
 253 void    mac_mbuf_label_associate_netlayer(struct mbuf *oldmbuf,
 254     struct mbuf *newmbuf);
 255 void    mac_mbuf_label_associate_socket(struct socket *so, struct mbuf *m);
 256 void    mac_mbuf_label_copy(struct mbuf *m_from, struct mbuf *m_to);
 257 void    mac_mbuf_label_destroy(struct mbuf *m);
 258 int     mac_mbuf_label_init(struct mbuf *m, int flag);
 259 void    mac_mbuf_tag_copy(struct m_tag *m, struct m_tag *mtag);
 260 void    mac_mbuf_tag_destroy(struct m_tag *mtag);
 261 int     mac_mbuf_tag_init(struct m_tag *, int how);
 262 int     mac_mount_check_fsctl(vfs_context_t ctx, struct mount *mp,
 263     unsigned int cmd);
 264 int     mac_mount_check_getattr(vfs_context_t ctx, struct mount *mp,
 265     struct vfs_attr *vfa);
 266 int     mac_mount_check_label_update(vfs_context_t ctx, struct mount *mp);
 267 int     mac_mount_check_mount(vfs_context_t ctx, struct vnode *vp,
 268     struct componentname *cnp, const char *vfc_name);
 269 int     mac_mount_check_mount_late(vfs_context_t ctx, struct mount *mp);
 270 int     mac_mount_check_snapshot_create(vfs_context_t ctx, struct mount *mp,
 271     const char *name);
 272 int     mac_mount_check_snapshot_delete(vfs_context_t ctx, struct mount *mp,
 273     const char *name);
 274 int     mac_mount_check_snapshot_mount(vfs_context_t ctx, struct vnode *rvp,
 275     struct vnode *vp, struct componentname *cnp, const char *name,
 276     const char *vfc_name);
 277 int     mac_mount_check_snapshot_revert(vfs_context_t ctx, struct mount *mp,
 278     const char *name);
 279 int     mac_mount_check_remount(vfs_context_t ctx, struct mount *mp);
 280 int     mac_mount_check_setattr(vfs_context_t ctx, struct mount *mp,
 281     struct vfs_attr *vfa);
 282 int     mac_mount_check_stat(vfs_context_t ctx, struct mount *mp);
 283 int     mac_mount_check_umount(vfs_context_t ctx, struct mount *mp);
 284 void    mac_mount_label_associate(vfs_context_t ctx, struct mount *mp);
 285 void    mac_mount_label_destroy(struct mount *mp);
 286 int     mac_mount_label_externalize(struct label *label, char *elements,
 287     char *outbuf, size_t outbuflen);
 288 int     mac_mount_label_get(struct mount *mp, user_addr_t mac_p);
 289 void    mac_mount_label_init(struct mount *);
 290 int     mac_mount_label_internalize(struct label *, char *string);
 291 void    mac_netinet_fragment(struct mbuf *datagram, struct mbuf *fragment);
 292 void    mac_netinet_icmp_reply(struct mbuf *m);
 293 void    mac_netinet_tcp_reply(struct mbuf *m);
 294 int     mac_pipe_check_ioctl(kauth_cred_t cred, struct pipe *cpipe,
 295     unsigned int cmd);
 296 int     mac_pipe_check_kqfilter(kauth_cred_t cred, struct knote *kn,
 297     struct pipe *cpipe);
 298 int     mac_pipe_check_read(kauth_cred_t cred, struct pipe *cpipe);
 299 int     mac_pipe_check_select(kauth_cred_t cred, struct pipe *cpipe,
 300     int which);
 301 int     mac_pipe_check_stat(kauth_cred_t cred, struct pipe *cpipe);
 302 int     mac_pipe_check_write(kauth_cred_t cred, struct pipe *cpipe);
 303 struct label    *mac_pipe_label_alloc(void);
 304 void    mac_pipe_label_associate(kauth_cred_t cred, struct pipe *cpipe);
 305 void    mac_pipe_label_copy(struct label *src, struct label *dest);
 306 void    mac_pipe_label_destroy(struct pipe *cpipe);
 307 void    mac_pipe_label_free(struct label *label);
 308 void    mac_pipe_label_init(struct pipe *cpipe);
 309 int     mac_pipe_label_update(kauth_cred_t cred, struct pipe *cpipe,
 310     struct label *label);
 311 void    mac_policy_initbsd(void);
 312 int     mac_posixsem_check_create(kauth_cred_t cred, const char *name);
 313 int     mac_posixsem_check_open(kauth_cred_t cred, struct pseminfo *psem);
 314 int     mac_posixsem_check_post(kauth_cred_t cred, struct pseminfo *psem);
 315 int     mac_posixsem_check_unlink(kauth_cred_t cred, struct pseminfo *psem,
 316     const char *name);
 317 int     mac_posixsem_check_wait(kauth_cred_t cred, struct pseminfo *psem);
 318 void    mac_posixsem_vnode_label_associate(kauth_cred_t cred,
 319     struct pseminfo *psem, struct label *plabel,
 320     vnode_t vp, struct label *vlabel);
 321 void    mac_posixsem_label_associate(kauth_cred_t cred,
 322     struct pseminfo *psem, const char *name);
 323 void    mac_posixsem_label_destroy(struct pseminfo *psem);
 324 void    mac_posixsem_label_init(struct pseminfo *psem);
 325 int     mac_posixshm_check_create(kauth_cred_t cred, const char *name);
 326 int     mac_posixshm_check_mmap(kauth_cred_t cred, struct pshminfo *pshm,
 327     int prot, int flags);
 328 int     mac_posixshm_check_open(kauth_cred_t cred, struct pshminfo *pshm,
 329     int fflags);
 330 int     mac_posixshm_check_stat(kauth_cred_t cred, struct pshminfo *pshm);
 331 int     mac_posixshm_check_truncate(kauth_cred_t cred, struct pshminfo *pshm,
 332     off_t s);
 333 int     mac_posixshm_check_unlink(kauth_cred_t cred, struct pshminfo *pshm,
 334     const char *name);
 335 void    mac_posixshm_vnode_label_associate(kauth_cred_t cred,
 336     struct pshminfo *pshm, struct label *plabel,
 337     vnode_t vp, struct label *vlabel);
 338 void    mac_posixshm_label_associate(kauth_cred_t cred,
 339     struct pshminfo *pshm, const char *name);
 340 void    mac_posixshm_label_destroy(struct pshminfo *pshm);
 341 void    mac_posixshm_label_init(struct pshminfo *pshm);
 342 int     mac_priv_check(kauth_cred_t cred, int priv);
 343 int     mac_priv_grant(kauth_cred_t cred, int priv);
 344 int     mac_proc_check_debug(proc_t proc1, proc_t proc2);
 345 int     mac_proc_check_dump_core(proc_t proc);
 346 int     mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor);
 347 int     mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op);
 348 int     mac_proc_check_set_cs_info(proc_t curp, proc_t target, unsigned int op);
 349 int     mac_proc_check_fork(proc_t proc);
 350 int     mac_proc_check_suspend_resume(proc_t proc, int sr);
 351 int     mac_proc_check_get_task_name(kauth_cred_t cred, struct proc *p);
 352 int     mac_proc_check_get_task(kauth_cred_t cred, struct proc *p);
 353 int     mac_proc_check_expose_task(kauth_cred_t cred, struct proc *p);
 354 int     mac_proc_check_inherit_ipc_ports(struct proc *p, struct vnode *cur_vp, off_t cur_offset, struct vnode *img_vp, off_t img_offset, struct vnode *scriptvp);
 355 int     mac_proc_check_getaudit(proc_t proc);
 356 int     mac_proc_check_getauid(proc_t proc);
 357 int     mac_proc_check_getlcid(proc_t proc1, proc_t proc2,
 358     pid_t pid);
 359 int     mac_proc_check_ledger(proc_t curp, proc_t target, int op);
 360 int     mac_proc_check_map_anon(proc_t proc, user_addr_t u_addr,
 361     user_size_t u_size, int prot, int flags, int *maxprot);
 362 int     mac_proc_check_mprotect(proc_t proc,
 363     user_addr_t addr, user_size_t size, int prot);
 364 int     mac_proc_check_run_cs_invalid(proc_t proc);
 365 int     mac_proc_check_sched(proc_t proc, proc_t proc2);
 366 int     mac_proc_check_setaudit(proc_t proc, struct auditinfo_addr *ai);
 367 int     mac_proc_check_setauid(proc_t proc, uid_t auid);
 368 int     mac_proc_check_setlcid(proc_t proc1, proc_t proc2,
 369     pid_t pid1, pid_t pid2);
 370 int     mac_proc_check_signal(proc_t proc1, proc_t proc2,
 371     int signum);
 372 int     mac_proc_check_syscall_unix(proc_t proc, int scnum);
 373 int     mac_proc_check_wait(proc_t proc1, proc_t proc2);
 374 void    mac_proc_notify_exit(proc_t proc);
 375 int     mac_setsockopt_label(kauth_cred_t cred, struct socket *so,
 376     struct mac *extmac);
 377 int     mac_socket_check_accept(kauth_cred_t cred, struct socket *so);
 378 int     mac_socket_check_accepted(kauth_cred_t cred, struct socket *so);
 379 int     mac_socket_check_bind(kauth_cred_t cred, struct socket *so,
 380     struct sockaddr *addr);
 381 int     mac_socket_check_connect(kauth_cred_t cred, struct socket *so,
 382     struct sockaddr *addr);
 383 int     mac_socket_check_create(kauth_cred_t cred, int domain,
 384     int type, int protocol);
 385 int     mac_socket_check_deliver(struct socket *so, struct mbuf *m);
 386 int     mac_socket_check_ioctl(kauth_cred_t cred, struct socket *so,
 387     unsigned int cmd);
 388 int     mac_socket_check_kqfilter(kauth_cred_t cred, struct knote *kn,
 389     struct socket *so);
 390 int     mac_socket_check_listen(kauth_cred_t cred, struct socket *so);
 391 int     mac_socket_check_receive(kauth_cred_t cred, struct socket *so);
 392 int     mac_socket_check_received(kauth_cred_t cred, struct socket *so,
 393     struct sockaddr *saddr);
 394 int     mac_socket_check_select(kauth_cred_t cred, struct socket *so,
 395     int which);
 396 int     mac_socket_check_send(kauth_cred_t cred, struct socket *so,
 397     struct sockaddr *addr);
 398 int     mac_socket_check_getsockopt(kauth_cred_t cred, struct socket *so,
 399     struct sockopt *sopt);
 400 int     mac_socket_check_setsockopt(kauth_cred_t cred, struct socket *so,
 401     struct sockopt *sopt);
 402 int     mac_socket_check_stat(kauth_cred_t cred, struct socket *so);
 403 void    mac_socket_label_associate(kauth_cred_t cred, struct socket *so);
 404 void    mac_socket_label_associate_accept(struct socket *oldsocket,
 405     struct socket *newsocket);
 406 void    mac_socket_label_copy(struct label *from, struct label *to);
 407 void    mac_socket_label_destroy(struct socket *);
 408 int     mac_socket_label_get(kauth_cred_t cred, struct socket *so,
 409     struct mac *extmac);
 410 int     mac_socket_label_init(struct socket *, int waitok);
 411 void    mac_socketpeer_label_associate_mbuf(struct mbuf *m, struct socket *so);
 412 void    mac_socketpeer_label_associate_socket(struct socket *peersocket,
 413     struct socket *socket_to_modify);
 414 int     mac_socketpeer_label_get(kauth_cred_t cred, struct socket *so,
 415     struct mac *extmac);
 416 int     mac_system_check_acct(kauth_cred_t cred, struct vnode *vp);
 417 int     mac_system_check_audit(kauth_cred_t cred, void *record, int length);
 418 int     mac_system_check_auditctl(kauth_cred_t cred, struct vnode *vp);
 419 int     mac_system_check_auditon(kauth_cred_t cred, int cmd);
 420 int     mac_system_check_host_priv(kauth_cred_t cred);
 421 int     mac_system_check_info(kauth_cred_t, const char *info_type);
 422 int     mac_system_check_nfsd(kauth_cred_t cred);
 423 int     mac_system_check_reboot(kauth_cred_t cred, int howto);
 424 int     mac_system_check_settime(kauth_cred_t cred);
 425 int     mac_system_check_swapoff(kauth_cred_t cred, struct vnode *vp);
 426 int     mac_system_check_swapon(kauth_cred_t cred, struct vnode *vp);
 427 int     mac_system_check_sysctlbyname(kauth_cred_t cred, const char *namestring, int *name,
 428     u_int namelen, user_addr_t oldctl, size_t oldlen,
 429     user_addr_t newctl, size_t newlen);
 430 int     mac_system_check_kas_info(kauth_cred_t cred, int selector);
 431 void    mac_sysvmsg_label_associate(kauth_cred_t cred,
 432     struct msqid_kernel *msqptr, struct msg *msgptr);
 433 void    mac_sysvmsg_label_init(struct msg *msgptr);
 434 void    mac_sysvmsg_label_recycle(struct msg *msgptr);
 435 int     mac_sysvmsq_check_enqueue(kauth_cred_t cred, struct msg *msgptr,
 436     struct msqid_kernel *msqptr);
 437 int     mac_sysvmsq_check_msgrcv(kauth_cred_t cred, struct msg *msgptr);
 438 int     mac_sysvmsq_check_msgrmid(kauth_cred_t cred, struct msg *msgptr);
 439 int     mac_sysvmsq_check_msqctl(kauth_cred_t cred,
 440     struct msqid_kernel *msqptr, int cmd);
 441 int     mac_sysvmsq_check_msqget(kauth_cred_t cred,
 442     struct msqid_kernel *msqptr);
 443 int     mac_sysvmsq_check_msqrcv(kauth_cred_t cred,
 444     struct msqid_kernel *msqptr);
 445 int     mac_sysvmsq_check_msqsnd(kauth_cred_t cred,
 446     struct msqid_kernel *msqptr);
 447 void    mac_sysvmsq_label_associate(kauth_cred_t cred,
 448     struct msqid_kernel *msqptr);
 449 void    mac_sysvmsq_label_init(struct msqid_kernel *msqptr);
 450 void    mac_sysvmsq_label_recycle(struct msqid_kernel *msqptr);
 451 int     mac_sysvsem_check_semctl(kauth_cred_t cred,
 452     struct semid_kernel *semakptr, int cmd);
 453 int     mac_sysvsem_check_semget(kauth_cred_t cred,
 454     struct semid_kernel *semakptr);
 455 int     mac_sysvsem_check_semop(kauth_cred_t cred,
 456     struct semid_kernel *semakptr, size_t accesstype);
 457 void    mac_sysvsem_label_associate(kauth_cred_t cred,
 458     struct semid_kernel *semakptr);
 459 void    mac_sysvsem_label_destroy(struct semid_kernel *semakptr);
 460 void    mac_sysvsem_label_init(struct semid_kernel *semakptr);
 461 void    mac_sysvsem_label_recycle(struct semid_kernel *semakptr);
 462 int     mac_sysvshm_check_shmat(kauth_cred_t cred,
 463     struct shmid_kernel *shmsegptr, int shmflg);
 464 int     mac_sysvshm_check_shmctl(kauth_cred_t cred,
 465     struct shmid_kernel *shmsegptr, int cmd);
 466 int     mac_sysvshm_check_shmdt(kauth_cred_t cred,
 467     struct shmid_kernel *shmsegptr);
 468 int     mac_sysvshm_check_shmget(kauth_cred_t cred,
 469     struct shmid_kernel *shmsegptr, int shmflg);
 470 void    mac_sysvshm_label_associate(kauth_cred_t cred,
 471     struct shmid_kernel *shmsegptr);
 472 void    mac_sysvshm_label_destroy(struct shmid_kernel *shmsegptr);
 473 void    mac_sysvshm_label_init(struct shmid_kernel* shmsegptr);
 474 void    mac_sysvshm_label_recycle(struct shmid_kernel *shmsegptr);
 475 int     mac_vnode_check_access(vfs_context_t ctx, struct vnode *vp,
 476     int acc_mode);
 477 int     mac_vnode_check_chdir(vfs_context_t ctx, struct vnode *dvp);
 478 int     mac_vnode_check_chroot(vfs_context_t ctx, struct vnode *dvp,
 479     struct componentname *cnp);
 480 int     mac_vnode_check_clone(vfs_context_t ctx, struct vnode *dvp,
 481     struct vnode *vp, struct componentname *cnp);
 482 int     mac_vnode_check_create(vfs_context_t ctx, struct vnode *dvp,
 483     struct componentname *cnp, struct vnode_attr *vap);
 484 int     mac_vnode_check_deleteextattr(vfs_context_t ctx, struct vnode *vp,
 485     const char *name);
 486 int     mac_vnode_check_exchangedata(vfs_context_t ctx, struct vnode *v1,
 487     struct vnode *v2);
 488 int     mac_vnode_check_exec(vfs_context_t ctx, struct vnode *vp,
 489     struct image_params *imgp);
 490 int     mac_vnode_check_fsgetpath(vfs_context_t ctx, struct vnode *vp);
 491 int     mac_vnode_check_getattr(vfs_context_t ctx, struct ucred *file_cred,
 492     struct vnode *vp, struct vnode_attr *va);
 493 int     mac_vnode_check_getattrlist(vfs_context_t ctx, struct vnode *vp,
 494     struct attrlist *alist);
 495 int     mac_vnode_check_getextattr(vfs_context_t ctx, struct vnode *vp,
 496     const char *name, struct uio *uio);
 497 int     mac_vnode_check_ioctl(vfs_context_t ctx, struct vnode *vp,
 498     unsigned int cmd);
 499 int     mac_vnode_check_kqfilter(vfs_context_t ctx,
 500     kauth_cred_t file_cred, struct knote *kn, struct vnode *vp);
 501 int     mac_vnode_check_label_update(vfs_context_t ctx, struct vnode *vp,
 502     struct label *newlabel);
 503 int     mac_vnode_check_link(vfs_context_t ctx, struct vnode *dvp,
 504     struct vnode *vp, struct componentname *cnp);
 505 int     mac_vnode_check_listextattr(vfs_context_t ctx, struct vnode *vp);
 506 int     mac_vnode_check_lookup(vfs_context_t ctx, struct vnode *dvp,
 507     struct componentname *cnp);
 508 int     mac_vnode_check_lookup_preflight(vfs_context_t ctx, struct vnode *dvp,
 509     const char *path, size_t pathlen);
 510 int     mac_vnode_check_open(vfs_context_t ctx, struct vnode *vp,
 511     int acc_mode);
 512 int     mac_vnode_check_read(vfs_context_t ctx,
 513     kauth_cred_t file_cred, struct vnode *vp);
 514 int     mac_vnode_check_readdir(vfs_context_t ctx, struct vnode *vp);
 515 int     mac_vnode_check_readlink(vfs_context_t ctx, struct vnode *vp);
 516 int     mac_vnode_check_rename(vfs_context_t ctx, struct vnode *dvp,
 517     struct vnode *vp, struct componentname *cnp, struct vnode *tdvp,
 518     struct vnode *tvp, struct componentname *tcnp);
 519 int     mac_vnode_check_revoke(vfs_context_t ctx, struct vnode *vp);
 520 int     mac_vnode_check_searchfs(vfs_context_t ctx, struct vnode *vp,
 521     struct attrlist *alist);
 522 int     mac_vnode_check_select(vfs_context_t ctx, struct vnode *vp,
 523     int which);
 524 int     mac_vnode_check_setacl(vfs_context_t ctx, struct vnode *vp,
 525     struct kauth_acl *acl);
 526 int     mac_vnode_check_setattrlist(vfs_context_t ctxd, struct vnode *vp,
 527     struct attrlist *alist);
 528 int     mac_vnode_check_setextattr(vfs_context_t ctx, struct vnode *vp,
 529     const char *name, struct uio *uio);
 530 int     mac_vnode_check_setflags(vfs_context_t ctx, struct vnode *vp,
 531     u_long flags);
 532 int     mac_vnode_check_setmode(vfs_context_t ctx, struct vnode *vp,
 533     mode_t mode);
 534 int     mac_vnode_check_setowner(vfs_context_t ctx, struct vnode *vp,
 535     uid_t uid, gid_t gid);
 536 int     mac_vnode_check_setutimes(vfs_context_t ctx, struct vnode *vp,
 537     struct timespec atime, struct timespec mtime);
 538 int     mac_vnode_check_signature(struct vnode *vp,
 539     struct cs_blob *cs_blob, struct image_params *imgp,
 540     unsigned int *cs_flags, unsigned int *signer_type,
 541     int flags);
 542 int     mac_vnode_check_stat(vfs_context_t ctx,
 543     kauth_cred_t file_cred, struct vnode *vp);
 544 int     mac_vnode_check_trigger_resolve(vfs_context_t ctx, struct vnode *dvp,
 545     struct componentname *cnp);
 546 int     mac_vnode_check_truncate(vfs_context_t ctx,
 547     kauth_cred_t file_cred, struct vnode *vp);
 548 int     mac_vnode_check_uipc_bind(vfs_context_t ctx, struct vnode *dvp,
 549     struct componentname *cnp, struct vnode_attr *vap);
 550 int     mac_vnode_check_uipc_connect(vfs_context_t ctx, struct vnode *vp, struct socket *so);
 551 int     mac_vnode_check_unlink(vfs_context_t ctx, struct vnode *dvp,
 552     struct vnode *vp, struct componentname *cnp);
 553 int     mac_vnode_check_write(vfs_context_t ctx,
 554     kauth_cred_t file_cred, struct vnode *vp);
 555 struct label    *mac_vnode_label_alloc(void);
 556 int     mac_vnode_label_associate(struct mount *mp, struct vnode *vp,
 557     vfs_context_t ctx);
 558 void    mac_vnode_label_associate_devfs(struct mount *mp, struct devnode *de,
 559     struct vnode *vp);
 560 int     mac_vnode_label_associate_extattr(struct mount *mp, struct vnode *vp);
 561 int     mac_vnode_label_associate_fdesc(struct mount *mp, struct fdescnode *fnp,
 562     struct vnode *vp, vfs_context_t ctx);
 563 void    mac_vnode_label_associate_singlelabel(struct mount *mp,
 564     struct vnode *vp);
 565 void    mac_vnode_label_copy(struct label *l1, struct label *l2);
 566 void    mac_vnode_label_destroy(struct vnode *vp);
 567 int     mac_vnode_label_externalize_audit(struct vnode *vp, struct mac *mac);
 568 void    mac_vnode_label_free(struct label *label);
 569 void    mac_vnode_label_init(struct vnode *vp);
 570 int     mac_vnode_label_init_needed(struct vnode *vp);
 571 struct label *mac_vnode_label_allocate(vnode_t vp);
 572 void    mac_vnode_label_recycle(struct vnode *vp);
 573 void    mac_vnode_label_update(vfs_context_t ctx, struct vnode *vp,
 574     struct label *newlabel);
 575 void    mac_vnode_label_update_extattr(struct mount *mp, struct vnode *vp,
 576     const char *name);
 577 int     mac_vnode_notify_create(vfs_context_t ctx, struct mount *mp,
 578     struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
 579 void    mac_vnode_notify_deleteextattr(vfs_context_t ctx, struct vnode *vp, const char *name);
 580 void    mac_vnode_notify_link(vfs_context_t ctx, struct vnode *vp,
 581     struct vnode *dvp, struct componentname *cnp);
 582 void    mac_vnode_notify_open(vfs_context_t ctx, struct vnode *vp, int acc_flags);
 583 void    mac_vnode_notify_rename(vfs_context_t ctx, struct vnode *vp,
 584     struct vnode *dvp, struct componentname *cnp);
 585 void    mac_vnode_notify_setacl(vfs_context_t ctx, struct vnode *vp, struct kauth_acl *acl);
 586 void    mac_vnode_notify_setattrlist(vfs_context_t ctx, struct vnode *vp, struct attrlist *alist);
 587 void    mac_vnode_notify_setextattr(vfs_context_t ctx, struct vnode *vp, const char *name, struct uio *uio);
 588 void    mac_vnode_notify_setflags(vfs_context_t ctx, struct vnode *vp, u_long flags);
 589 void    mac_vnode_notify_setmode(vfs_context_t ctx, struct vnode *vp, mode_t mode);
 590 void    mac_vnode_notify_setowner(vfs_context_t ctx, struct vnode *vp, uid_t uid, gid_t gid);
 591 void    mac_vnode_notify_setutimes(vfs_context_t ctx, struct vnode *vp, struct timespec atime, struct timespec mtime);
 592 void    mac_vnode_notify_truncate(vfs_context_t ctx, kauth_cred_t file_cred, struct vnode *vp);
 593 int     mac_vnode_find_sigs(struct proc *p, struct vnode *vp, off_t offsetInMacho);
 594 int     vnode_label(struct mount *mp, struct vnode *dvp, struct vnode *vp,
 595     struct componentname *cnp, int flags, vfs_context_t ctx);
 596 void    vnode_relabel(struct vnode *vp);
 597 void    mac_pty_notify_grant(proc_t p, struct tty *tp, dev_t dev, struct label *label);
 598 void    mac_pty_notify_close(proc_t p, struct tty *tp, dev_t dev, struct label *label);
 599 int     mac_kext_check_load(kauth_cred_t cred, const char *identifier);
 600 int     mac_kext_check_unload(kauth_cred_t cred, const char *identifier);
 601 int     mac_kext_check_query(kauth_cred_t cred);
 602 int     mac_skywalk_flow_check_connect(proc_t p, void *flow, const struct sockaddr *addr, int type, int protocol);
 603 int     mac_skywalk_flow_check_listen(proc_t p, void *flow, const struct sockaddr *addr, int type, int protocol);
 604
 605 void psem_label_associate(struct fileproc *fp, struct vnode *vp, struct vfs_context *ctx);
 606 void pshm_label_associate(struct fileproc *fp, struct vnode *vp, struct vfs_context *ctx);
 607
 608 #if CONFIG_MACF_NET
 609 struct label *mac_bpfdesc_label_get(struct bpf_d *d);
 610 void mac_bpfdesc_label_set(struct bpf_d *d, struct label *label);
 611 #endif
 612
 613 #endif  /* CONFIG_MACF */
 614
 615 #endif /* !_SECURITY_MAC_FRAMEWORK_H_ */