#ifndef _SECURITY_MAC_INTERNAL_H_
#define _SECURITY_MAC_INTERNAL_H_
+#ifndef PRIVATE
+#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
+#endif
+
#include <string.h>
#include <sys/param.h>
#include <sys/queue.h>
#include <security/mac_policy.h>
#include <security/mac_data.h>
#include <sys/sysctl.h>
-#include <kern/wait_queue.h>
#include <kern/locks.h>
#include <sys/kernel.h>
#include <sys/lock.h>
typedef struct mac_policy_list mac_policy_list_t;
-/*
- * Darwin functions not properly exported
- */
-extern void kmod_load_early(void); /* defined in libsa/kext.cpp */
-
/*
* Policy that has registered with the framework for a specific
* label namespace name.
LIST_HEAD(mac_label_element_list_t, mac_label_element);
-/*
- * Journal operations
- */
-
-#define MLJ_TYPE_PORT 1
-#define MLJ_TYPE_TASK 2
-
-#define MLJ_PORT_OP_INIT 0x0001
-#define MLJ_PORT_OP_CREATE_K 0x0002
-#define MLJ_PORT_OP_CREATE 0x0004
-#define MLJ_PORT_OP_UPDATE 0x0008
-
-#define MLJ_TASK_OP_INIT 0x0001
-#define MLJ_TASK_OP_CREATE_K 0x0002
-
-struct mac_label_journal {
- struct label *l;
- int type;
- int ops;
-
- int kotype; /* Kernel Port */
-
- TAILQ_ENTRY(mac_label_journal) link;
-};
-TAILQ_HEAD(mac_label_journal_list_t, mac_label_journal);
-
-int mac_label_journal_add (struct label *, int);
-int mac_label_journal_remove(struct label *);
-struct mac_label_journal *
- mac_label_journal_find (struct label *);
-int mac_label_journal (struct label *, int, ...);
-void mac_label_journal_replay(void);
-
-
/*
* MAC Framework global variables.
*/
extern struct mac_label_element_list_t mac_label_element_list;
extern struct mac_label_element_list_t mac_static_label_element_list;
-extern struct mac_label_journal_list_t mac_label_journal_list;
extern struct mac_policy_list mac_policy_list;
* at all in the system.
*/
extern unsigned int mac_device_enforce;
-extern unsigned int mac_file_enforce;
-extern unsigned int mac_iokit_enforce;
extern unsigned int mac_pipe_enforce;
extern unsigned int mac_posixsem_enforce;
extern unsigned int mac_posixshm_enforce;
extern unsigned int mac_vm_enforce;
extern unsigned int mac_vnode_enforce;
-#if CONFIG_MACF_MACH
-extern unsigned int mac_port_enforce;
-extern unsigned int mac_task_enforce;
-#endif
-
#if CONFIG_MACF_NET
extern unsigned int mac_label_mbufs;
#endif
-static int mac_proc_check_enforce(proc_t p, int enforce_flag);
+extern unsigned int mac_label_vnodes;
+
+static int mac_proc_check_enforce(proc_t p, int enforce_flags);
static __inline__ int mac_proc_check_enforce(proc_t p, int enforce_flags)
{
#if CONFIG_MACF
- return ((p->p_mac_enforce & enforce_flags) != 0);
+#if SECURITY_MAC_CHECK_ENFORCE // 21167099 - only check if we allow write
+ return ((p->p_mac_enforce & enforce_flags) != 0);
+#else
+#pragma unused(p,enforce_flags)
+ return 1;
+#endif // SECURITY_MAC_CHECK_ENFORCE
#else
+#pragma unused(p,enforce_flags)
return 0;
-#endif
+#endif // CONFIG_MACF
}
static int mac_context_check_enforce(vfs_context_t ctx, int enforce_flags);
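Review bot: The `#else` branch added under `SECURITY_MAC_CHECK_ENFORCE` makes `mac_proc_check_enforce` return 1 without looking at `p->p_mac_enforce`, so whenever that option is compiled out every caller sees enforcement as unconditionally on, which the function's name no longer conveys. The `21167099 - only check if we allow write` remark explains the ticket but not the resulting contract, so a reader has to infer that the per-process flags are deliberately ignored rather than checked. A one-line comment above the `return 1;` would make that explicit, e.g. `/* per-process enforce flags are ignored here: always enforce */`. The prototype on the `+static int mac_proc_check_enforce(proc_t p, int enforce_flags);` line now matches the definition's parameter name, which resolves the earlier `enforce_flag`/`enforce_flags` mismatch.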
static __inline__ void mac_context_set_enforce(vfs_context_t ctx, int enforce_flags)
{
+#if CONFIG_MACF
proc_t proc = vfs_context_proc(ctx);
if (proc == NULL)
return;
mac_proc_set_enforce(proc, enforce_flags);
+#else
+#pragma unused(ctx,enforce_flags)
+#endif
}
#endif
int mac_cred_label_externalize(struct label *, char *e, char *out, size_t olen, int flags);
-int mac_lctx_label_externalize(struct label *, char *e, char *out, size_t olen);
#if CONFIG_MACF_SOCKET
int mac_socket_label_externalize(struct label *, char *e, char *out, size_t olen);
#endif /* CONFIG_MACF_SOCKET */
char *outbuf, size_t outbuflen);
int mac_cred_label_internalize(struct label *label, char *string);
-int mac_lctx_label_internalize(struct label *label, char *string);
#if CONFIG_MACF_SOCKET
int mac_socket_label_internalize(struct label *label, char *string);
#endif /* CONFIG_MACF_SOCKET */
} \
} while (0)
+/*
+ * MAC_GRANT performs the designated check by walking the policy
+ * module list and checking with each as to how it feels about the
+ * request. Unlike MAC_CHECK, it grants if any policies return '0',
+ * and otherwise returns EPERM. Note that it returns its value via
+ * 'error' in the scope of the caller.
+ */
+#define MAC_GRANT(check, args...) do { \
+ struct mac_policy_conf *mpc; \
+ u_int i; \
+ \
+ error = EPERM; \
+ for (i = 0; i < mac_policy_list.staticmax; i++) { \
+ mpc = mac_policy_list.entries[i].mpc; \
+ if (mpc == NULL) \
+ continue; \
+ \
+ if (mpc->mpc_ops->mpo_ ## check != NULL) { \
+ if (mpc->mpc_ops->mpo_ ## check (args) == 0) \
+ error = 0; \
+ } \
+ } \
+ if (mac_policy_list_conditional_busy() != 0) { \
+ for (; i <= mac_policy_list.maxindex; i++) { \
+ mpc = mac_policy_list.entries[i].mpc; \
+ if (mpc == NULL) \
+ continue; \
+ \
+ if (mpc->mpc_ops->mpo_ ## check != NULL) { \
+ if (mpc->mpc_ops->mpo_ ## check (args) \
+ == 0) \
+ error = 0; \
+ } \
+ } \
+ mac_policy_list_unbusy(); \
+ } \
+} while (0)
+
/*
* MAC_BOOLEAN performs the designated boolean composition by walking
* the module list, invoking each instance of the operation, and
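Review bot: The comment on the new `MAC_GRANT` macro does not state what happens when no loaded policy implements `mpo_<check>`: because `error` is preset to `EPERM` and only cleared when a hook returns 0, the result in that case is a denial, and once any policy has returned 0 no later policy can revoke the grant. Both properties follow from the loop bodies but are the parts a caller most needs to know, so I would extend the header comment with `* If no policy implements the hook, 'error' stays EPERM (deny by default); a grant from any policy is final.` The macro also relies on `error` being declared in the caller's scope, as the existing comment notes, while `mpc` and `i` are scoped inside the `do { } while (0)` block and will shadow any same-named locals of the caller; that mirrors the existing `MAC_CHECK` pattern as far as the visible context shows, but it is worth a word in the comment since the macro name suggests a function call. The second loop resumes from the `i` left by the static-policy loop, so it only consults dynamically loaded entries while `mac_policy_list_conditional_busy()` holds them, which looks intentional but is undocumented here.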
struct __mac_get_proc_args;
struct __mac_set_proc_args;
struct __mac_get_lcid_args;
-struct __mac_get_lctx_args;
-struct __mac_set_lctx_args;
struct __mac_get_fd_args;
struct __mac_get_file_args;
struct __mac_get_link_args;