xnu-7195.101.1.tar.gz

[apple/xnu.git] / osfmk / kern / cs_blobs.h

diff --git a/osfmk/kern/cs_blobs.h b/osfmk/kern/cs_blobs.h
index cf83fb96e964b4958fd8fd70e27d167c3bf2d54e..899a6a27f5e6d6e15f7cf704742a1943b21e5250 100644 (file)
--- a/osfmk/kern/cs_blobs.h
+++ b/osfmk/kern/cs_blobs.h
@@ -29,6 +29,8 @@
 #ifndef _KERN_CODESIGN_H_
 #define _KERN_CODESIGN_H_
 
 #ifndef _KERN_CODESIGN_H_
 #define _KERN_CODESIGN_H_
 

+#include <stdint.h>
+

 /* code signing attributes of a process */
 #define CS_VALID                    0x00000001  /* dynamically valid */
 #define CS_ADHOC                    0x00000002  /* ad hoc signed */
 /* code signing attributes of a process */
 #define CS_VALID                    0x00000001  /* dynamically valid */
 #define CS_ADHOC                    0x00000002  /* ad hoc signed */


@@ -48,10 +50,11 @@
 #define CS_ENTITLEMENTS_VALIDATED   0x00004000  /* code signature permits restricted entitlements */
 #define CS_NVRAM_UNRESTRICTED       0x00008000  /* has com.apple.rootless.restricted-nvram-variables.heritable entitlement */
 
 #define CS_ENTITLEMENTS_VALIDATED   0x00004000  /* code signature permits restricted entitlements */
 #define CS_NVRAM_UNRESTRICTED       0x00008000  /* has com.apple.rootless.restricted-nvram-variables.heritable entitlement */
 

-#define CS_RUNTIME                                      0x00010000  /* Apply hardened runtime policies */
+#define CS_RUNTIME                  0x00010000  /* Apply hardened runtime policies */
+#define CS_LINKER_SIGNED            0x00020000  /* Automatically signed by the linker */

 
 #define CS_ALLOWED_MACHO            (CS_ADHOC | CS_HARD | CS_KILL | CS_CHECK_EXPIRATION | \
 
 #define CS_ALLOWED_MACHO            (CS_ADHOC | CS_HARD | CS_KILL | CS_CHECK_EXPIRATION | \

-                                    CS_RESTRICT | CS_ENFORCEMENT | CS_REQUIRE_LV | CS_RUNTIME)
+                                    CS_RESTRICT | CS_ENFORCEMENT | CS_REQUIRE_LV | CS_RUNTIME | CS_LINKER_SIGNED)

 
 #define CS_EXEC_SET_HARD            0x00100000  /* set CS_HARD on any exec'ed process */
 #define CS_EXEC_SET_KILL            0x00200000  /* set CS_KILL on any exec'ed process */
 
 #define CS_EXEC_SET_HARD            0x00100000  /* set CS_HARD on any exec'ed process */
 #define CS_EXEC_SET_KILL            0x00200000  /* set CS_KILL on any exec'ed process */


@@ -72,11 +75,11 @@
 
 /* executable segment flags */
 
 
 /* executable segment flags */
 

-#define CS_EXECSEG_MAIN_BINARY          0x1                     /* executable segment denotes main binary */
+#define CS_EXECSEG_MAIN_BINARY          0x1             /* executable segment denotes main binary */

 #define CS_EXECSEG_ALLOW_UNSIGNED       0x10            /* allow unsigned pages (for debugging) */
 #define CS_EXECSEG_ALLOW_UNSIGNED       0x10            /* allow unsigned pages (for debugging) */

-#define CS_EXECSEG_DEBUGGER                     0x20            /* main binary is debugger */
-#define CS_EXECSEG_JIT                          0x40            /* JIT enabled */
-#define CS_EXECSEG_SKIP_LV                      0x80            /* OBSOLETE: skip library validation */
+#define CS_EXECSEG_DEBUGGER             0x20            /* main binary is debugger */
+#define CS_EXECSEG_JIT                  0x40            /* JIT enabled */
+#define CS_EXECSEG_SKIP_LV              0x80            /* OBSOLETE: skip library validation */

 #define CS_EXECSEG_CAN_LOAD_CDHASH      0x100           /* can bless cdhash for execution */
 #define CS_EXECSEG_CAN_EXEC_CDHASH      0x200           /* can execute blessed cdhash */
 
 #define CS_EXECSEG_CAN_LOAD_CDHASH      0x100           /* can bless cdhash for execution */
 #define CS_EXECSEG_CAN_EXEC_CDHASH      0x200           /* can execute blessed cdhash */
 


@@ -97,6 +100,8 @@ enum {
        CS_SUPPORTSTEAMID = 0x20200,
        CS_SUPPORTSCODELIMIT64 = 0x20300,
        CS_SUPPORTSEXECSEG = 0x20400,
        CS_SUPPORTSTEAMID = 0x20200,
        CS_SUPPORTSCODELIMIT64 = 0x20300,
        CS_SUPPORTSEXECSEG = 0x20400,

+       CS_SUPPORTSRUNTIME = 0x20500,
+       CS_SUPPORTSLINKAGE = 0x20600,

 
        CSSLOT_CODEDIRECTORY = 0,                               /* slot index for CodeDirectory */
        CSSLOT_INFOSLOT = 1,
 
        CSSLOT_CODEDIRECTORY = 0,                               /* slot index for CodeDirectory */
        CSSLOT_INFOSLOT = 1,


@@ -129,11 +134,16 @@ enum {
        CS_HASH_MAX_SIZE = 48, /* max size of the hash we'll support */
 
 /*
        CS_HASH_MAX_SIZE = 48, /* max size of the hash we'll support */
 
 /*

- * Currently only to support Legacy VPN plugins,
+ * Currently only to support Legacy VPN plugins, and Mac App Store

  * but intended to replace all the various platform code, dev code etc. bits.
  */
        CS_SIGNER_TYPE_UNKNOWN = 0,
        CS_SIGNER_TYPE_LEGACYVPN = 5,
  * but intended to replace all the various platform code, dev code etc. bits.
  */
        CS_SIGNER_TYPE_UNKNOWN = 0,
        CS_SIGNER_TYPE_LEGACYVPN = 5,

+       CS_SIGNER_TYPE_MAC_APP_STORE = 6,
+
+       CS_SUPPL_SIGNER_TYPE_UNKNOWN = 0,
+       CS_SUPPL_SIGNER_TYPE_TRUSTCACHE = 7,
+       CS_SUPPL_SIGNER_TYPE_LOCAL = 8,

 };
 
 #define KERNEL_HAVE_CS_CODEDIRECTORY 1
 };
 
 #define KERNEL_HAVE_CS_CODEDIRECTORY 1


@@ -178,6 +188,19 @@ typedef struct __CodeDirectory {
        uint64_t execSegLimit;                  /* limit of executable segment */
        uint64_t execSegFlags;                  /* executable segment flags */
        char end_withExecSeg[0];
        uint64_t execSegLimit;                  /* limit of executable segment */
        uint64_t execSegFlags;                  /* executable segment flags */
        char end_withExecSeg[0];

+       /* Version 0x20500 */
+       uint32_t runtime;
+       uint32_t preEncryptOffset;
+       char end_withPreEncryptOffset[0];
+
+       /* Version 0x20600 */
+       uint8_t linkageHashType;
+       uint8_t linkageTruncated;
+       uint16_t spare4;
+       uint32_t linkageOffset;
+       uint32_t linkageSize;
+       char end_withLinkage[0];
+

 
        /* followed by dynamic content as located by offset fields above */
 } CS_CodeDirectory
 
        /* followed by dynamic content as located by offset fields above */
 } CS_CodeDirectory