/*
- * Copyright (c) 2007 Apple Inc. All rights reserved.
+ * Copyright (c) 2007-2012 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
#include <sys/kauth.h>
#include <sys/sysproto.h>
+#include <mach/exception_types.h>
#include <mach/vm_types.h>
#include <mach/vm_prot.h>
SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW|CTLFLAG_LOCKED, 0,
"TrustedBSD MAC policy controls");
-
+#if DEBUG
+#define SECURITY_MAC_CTLFLAGS CTLFLAG_RW | CTLFLAG_LOCKED
+#else
+#define SECURITY_MAC_CTLFLAGS CTLFLAG_RD | CTLFLAG_LOCKED
+#endif
/*
* Declare that the kernel provides MAC support, version 1. This permits
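Review bot: Both definitions of `SECURITY_MAC_CTLFLAGS` expand to an unparenthesized `|` expression, which only stays correct while the macro is used as a whole macro argument. Write them as `#define SECURITY_MAC_CTLFLAGS (CTLFLAG_RW | CTLFLAG_LOCKED)` and `#define SECURITY_MAC_CTLFLAGS (CTLFLAG_RD | CTLFLAG_LOCKED)`. A one-line comment above the `#if DEBUG` would also help, for example `/* MAC enforcement knobs are writable only on DEBUG kernels; release kernels expose them read-only. */`, since a DEBUG build still lets enforcement be switched off at runtime.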
static unsigned int mac_max_slots = MAC_MAX_SLOTS;
static unsigned int mac_slot_offsets_free = (1 << MAC_MAX_SLOTS) - 1;
-SYSCTL_UINT(_security_mac, OID_AUTO, max_slots, CTLFLAG_RD,
+SYSCTL_UINT(_security_mac, OID_AUTO, max_slots, CTLFLAG_RD | CTLFLAG_LOCKED,
&mac_max_slots, 0, "");
/*
*/
#if CONFIG_MACF_NET
unsigned int mac_label_mbufs = 1;
-SYSCTL_UINT(_security_mac, OID_AUTO, label_mbufs, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, label_mbufs, SECURITY_MAC_CTLFLAGS,
&mac_label_mbufs, 0, "Label all MBUFs");
#endif
-#if !defined(CONFIG_MACF_ALWAYS_LABEL_MBUF) && 0
-static int mac_labelmbufs = 0;
-#endif
/*
* Flag to indicate whether or not we should allocate label storage for
* be a problem.
*/
unsigned int mac_label_vnodes = 0;
-SYSCTL_UINT(_security_mac, OID_AUTO, labelvnodes, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, labelvnodes, SECURITY_MAC_CTLFLAGS,
&mac_label_vnodes, 0, "Label all vnodes");
unsigned int mac_mmap_revocation = 0;
-SYSCTL_UINT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, mmap_revocation, SECURITY_MAC_CTLFLAGS,
&mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
"relabel");
unsigned int mac_mmap_revocation_via_cow = 0;
-SYSCTL_UINT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, mmap_revocation_via_cow, SECURITY_MAC_CTLFLAGS,
&mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
"copy-on-write semantics, or by removing all write access");
unsigned int mac_device_enforce = 1;
-SYSCTL_UINT(_security_mac, OID_AUTO, device_enforce, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, device_enforce, SECURITY_MAC_CTLFLAGS,
&mac_device_enforce, 0, "Enforce MAC policy on device operations");
-unsigned int mac_file_enforce = 0;
-SYSCTL_UINT(_security_mac, OID_AUTO, file_enforce, CTLFLAG_RW,
- &mac_file_enforce, 0, "Enforce MAC policy on file operations");
-
-unsigned int mac_iokit_enforce = 0;
-SYSCTL_UINT(_security_mac, OID_AUTO, iokit_enforce, CTLFLAG_RW,
- &mac_file_enforce, 0, "Enforce MAC policy on IOKit operations");
-
unsigned int mac_pipe_enforce = 1;
-SYSCTL_UINT(_security_mac, OID_AUTO, pipe_enforce, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, pipe_enforce, SECURITY_MAC_CTLFLAGS,
&mac_pipe_enforce, 0, "Enforce MAC policy on pipe operations");
unsigned int mac_posixsem_enforce = 1;
-SYSCTL_UINT(_security_mac, OID_AUTO, posixsem_enforce, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, posixsem_enforce, SECURITY_MAC_CTLFLAGS,
&mac_posixsem_enforce, 0, "Enforce MAC policy on POSIX semaphores");
unsigned int mac_posixshm_enforce = 1;
-SYSCTL_UINT(_security_mac, OID_AUTO, posixshm_enforce, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, posixshm_enforce, SECURITY_MAC_CTLFLAGS,
&mac_posixshm_enforce, 0, "Enforce MAC policy on Posix Shared Memory");
unsigned int mac_proc_enforce = 1;
-SYSCTL_UINT(_security_mac, OID_AUTO, proc_enforce, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, proc_enforce, SECURITY_MAC_CTLFLAGS,
&mac_proc_enforce, 0, "Enforce MAC policy on process operations");
unsigned int mac_socket_enforce = 1;
-SYSCTL_UINT(_security_mac, OID_AUTO, socket_enforce, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, socket_enforce, SECURITY_MAC_CTLFLAGS,
&mac_socket_enforce, 0, "Enforce MAC policy on socket operations");
unsigned int mac_system_enforce = 1;
-SYSCTL_UINT(_security_mac, OID_AUTO, system_enforce, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, system_enforce, SECURITY_MAC_CTLFLAGS,
&mac_system_enforce, 0, "Enforce MAC policy on system-wide interfaces");
unsigned int mac_sysvmsg_enforce = 1;
-SYSCTL_UINT(_security_mac, OID_AUTO, sysvmsg_enforce, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, sysvmsg_enforce, SECURITY_MAC_CTLFLAGS,
&mac_sysvmsg_enforce, 0, "Enforce MAC policy on System V IPC message queues");
unsigned int mac_sysvsem_enforce = 1;
-SYSCTL_UINT(_security_mac, OID_AUTO, sysvsem_enforce, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, sysvsem_enforce, SECURITY_MAC_CTLFLAGS,
&mac_sysvsem_enforce, 0, "Enforce MAC policy on System V IPC semaphores");
unsigned int mac_sysvshm_enforce = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, sysvshm_enforce, CTLFLAG_RW,
+SYSCTL_INT(_security_mac, OID_AUTO, sysvshm_enforce, SECURITY_MAC_CTLFLAGS,
&mac_sysvshm_enforce, 0, "Enforce MAC policy on System V Shared Memory");
unsigned int mac_vm_enforce = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, vm_enforce, CTLFLAG_RW,
+SYSCTL_INT(_security_mac, OID_AUTO, vm_enforce, SECURITY_MAC_CTLFLAGS,
&mac_vm_enforce, 0, "Enforce MAC policy on VM operations");
unsigned int mac_vnode_enforce = 1;
-SYSCTL_UINT(_security_mac, OID_AUTO, vnode_enforce, CTLFLAG_RW,
+SYSCTL_UINT(_security_mac, OID_AUTO, vnode_enforce, SECURITY_MAC_CTLFLAGS,
&mac_vnode_enforce, 0, "Enforce MAC policy on vnode operations");
-
-#if CONFIG_MACF_MACH
-unsigned int mac_port_enforce = 0;
-SYSCTL_UINT(_security_mac, OID_AUTO, port_enforce, CTLFLAG_RW,
- &mac_port_enforce, 0, "Enforce MAC policy on Mach port operations");
-
-unsigned int mac_task_enforce = 0;
-SYSCTL_UINT(_security_mac, OID_AUTO, task_enforce, CTLFLAG_RW,
- &mac_task_enforce, 0, "Enforce MAC policy on Mach task operations");
-#endif
-
#if CONFIG_AUDIT
/*
* mac_audit_data_zone is the zone used for data pushed into the audit
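Review bot: `sysvshm_enforce` and `vm_enforce` are still registered with `SYSCTL_INT` although `mac_sysvshm_enforce` and `mac_vm_enforce` are declared `unsigned int`; every other knob in this hunk uses `SYSCTL_UINT`. Both lines are already being rewritten for the flags change, so they can be made consistent: `SYSCTL_UINT(_security_mac, OID_AUTO, sysvshm_enforce, SECURITY_MAC_CTLFLAGS,` and `SYSCTL_UINT(_security_mac, OID_AUTO, vm_enforce, SECURITY_MAC_CTLFLAGS,`. The mismatch is harmless for the 0/1 values used here, but it hides the real type from anyone auditing the sysctl table.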
static void
mac_policy_updateflags(void)
{
-#if !defined(CONFIG_MACF_ALWAYS_LABEL_MBUF) && 0 /* port to new list style */
-
- struct mac_policy_conf *tmpc;
- int labelmbufs;
-
- mac_policy_assert_exclusive();
-
- labelmbufs = 0;
-
- /* XXX - convert to new list structure */
- LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) {
- if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS)
- labelmbufs++;
- }
- LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
- if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS)
- labelmbufs++;
- }
- mac_labelmbufs = (labelmbufs != 0);
-#endif
}
static __inline void
AUDIT_ARG(pid, uap->pid);
if (IS_64BIT_PROCESS(p)) {
- error = copyin(uap->mac_p, &mac, sizeof(mac));
+ struct user64_mac mac64;
+ error = copyin(uap->mac_p, &mac64, sizeof(mac64));
+ mac.m_buflen = mac64.m_buflen;
+ mac.m_string = mac64.m_string;
} else {
- struct mac mac32;
+ struct user32_mac mac32;
error = copyin(uap->mac_p, &mac32, sizeof(mac32));
mac.m_buflen = mac32.m_buflen;
- mac.m_string = CAST_USER_ADDR_T(mac32.m_string);
+ mac.m_string = mac32.m_string;
}
if (error)
return (error);
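Review bot: In the new 64-bit branch `mac.m_buflen` and `mac.m_string` are assigned from `mac64` before `error` is tested, so a failed copyin() leads to a read of an uninitialized stack struct; the 32-bit branch kept as context has the same order. The values are dropped by the `if (error) return (error);` that follows, but guarding the copy with `if (error == 0) { mac.m_buflen = mac64.m_buflen; mac.m_string = mac64.m_string; }` keeps indeterminate kernel stack out of `mac` and avoids analyzer warnings. The identical block recurs at every `copyin(uap->mac_p, …)` and `copyin(mac_p, …)` site in the hunks that follow, so one static helper that does the width-dependent copyin and returns the error would fix them all. Validation of the user-supplied `m_buflen` is not visible here and presumably happens after this hunk; the enclosing function starts and ends outside it.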
size_t ulen;
if (IS_64BIT_PROCESS(p)) {
- error = copyin(uap->mac_p, &mac, sizeof(mac));
+ struct user64_mac mac64;
+ error = copyin(uap->mac_p, &mac64, sizeof(mac64));
+ mac.m_buflen = mac64.m_buflen;
+ mac.m_string = mac64.m_string;
} else {
- struct mac mac32;
+ struct user32_mac mac32;
error = copyin(uap->mac_p, &mac32, sizeof(mac32));
mac.m_buflen = mac32.m_buflen;
- mac.m_string = CAST_USER_ADDR_T(mac32.m_string);
+ mac.m_string = mac32.m_string;
}
if (error)
return (error);
size_t ulen;
if (IS_64BIT_PROCESS(p)) {
- error = copyin(uap->mac_p, &mac, sizeof(mac));
+ struct user64_mac mac64;
+ error = copyin(uap->mac_p, &mac64, sizeof(mac64));
+ mac.m_buflen = mac64.m_buflen;
+ mac.m_string = mac64.m_string;
} else {
- struct mac mac32;
+ struct user32_mac mac32;
error = copyin(uap->mac_p, &mac32, sizeof(mac32));
mac.m_buflen = mac32.m_buflen;
- mac.m_string = CAST_USER_ADDR_T(mac32.m_string);
+ mac.m_string = mac32.m_string;
}
if (error)
return (error);
AUDIT_ARG(value32, uap->lcid);
if (IS_64BIT_PROCESS(p)) {
- error = copyin(uap->mac_p, &mac, sizeof(mac));
+ struct user64_mac mac64;
+ error = copyin(uap->mac_p, &mac64, sizeof(mac64));
+ mac.m_buflen = mac64.m_buflen;
+ mac.m_string = mac64.m_string;
} else {
- struct mac mac32;
+ struct user32_mac mac32;
error = copyin(uap->mac_p, &mac32, sizeof(mac32));
mac.m_buflen = mac32.m_buflen;
- mac.m_string = CAST_USER_ADDR_T(mac32.m_string);
+ mac.m_string = mac32.m_string;
}
if (error)
size_t ulen;
if (IS_64BIT_PROCESS(p)) {
- error = copyin(uap->mac_p, &mac, sizeof(mac));
+ struct user64_mac mac64;
+ error = copyin(uap->mac_p, &mac64, sizeof(mac64));
+ mac.m_buflen = mac64.m_buflen;
+ mac.m_string = mac64.m_string;
} else {
- struct mac mac32;
+ struct user32_mac mac32;
error = copyin(uap->mac_p, &mac32, sizeof(mac32));
mac.m_buflen = mac32.m_buflen;
- mac.m_string = CAST_USER_ADDR_T(mac32.m_string);
+ mac.m_string = mac32.m_string;
}
if (error)
size_t ulen;
if (IS_64BIT_PROCESS(p)) {
- error = copyin(uap->mac_p, &mac, sizeof(mac));
+ struct user64_mac mac64;
+ error = copyin(uap->mac_p, &mac64, sizeof(mac64));
+ mac.m_buflen = mac64.m_buflen;
+ mac.m_string = mac64.m_string;
} else {
- struct mac mac32;
+ struct user32_mac mac32;
error = copyin(uap->mac_p, &mac32, sizeof(mac32));
mac.m_buflen = mac32.m_buflen;
- mac.m_string = CAST_USER_ADDR_T(mac32.m_string);
+ mac.m_string = mac32.m_string;
}
if (error)
return (error);
AUDIT_ARG(fd, uap->fd);
if (IS_64BIT_PROCESS(p)) {
- error = copyin(uap->mac_p, &mac, sizeof(mac));
+ struct user64_mac mac64;
+ error = copyin(uap->mac_p, &mac64, sizeof(mac64));
+ mac.m_buflen = mac64.m_buflen;
+ mac.m_string = mac64.m_string;
} else {
- struct mac mac32;
+ struct user32_mac mac32;
error = copyin(uap->mac_p, &mac32, sizeof(mac32));
mac.m_buflen = mac32.m_buflen;
- mac.m_string = CAST_USER_ADDR_T(mac32.m_string);
+ mac.m_string = mac32.m_string;
}
if (error)
return (error);
}
- switch (fp->f_fglob->fg_type) {
+ switch (FILEGLOB_DTYPE(fp->f_fglob)) {
case DTYPE_VNODE:
intlabel = mac_vnode_label_alloc();
if (intlabel == NULL) {
size_t ulen;
if (IS_64BIT_PROCESS(p)) {
- error = copyin(mac_p, &mac, sizeof(mac));
+ struct user64_mac mac64;
+ error = copyin(mac_p, &mac64, sizeof(mac64));
+ mac.m_buflen = mac64.m_buflen;
+ mac.m_string = mac64.m_string;
} else {
- struct mac mac32;
+ struct user32_mac mac32;
error = copyin(mac_p, &mac32, sizeof(mac32));
mac.m_buflen = mac32.m_buflen;
- mac.m_string = CAST_USER_ADDR_T(mac32.m_string);
+ mac.m_string = mac32.m_string;
}
if (error)
ctx = vfs_context_current();
- NDINIT(&nd, LOOKUP,
+ NDINIT(&nd, LOOKUP, OP_LOOKUP,
LOCKLEAF | (follow ? FOLLOW : NOFOLLOW) | AUDITVNPATH1,
UIO_USERSPACE, path_p, ctx);
error = namei(&nd);
AUDIT_ARG(fd, uap->fd);
if (IS_64BIT_PROCESS(p)) {
- error = copyin(uap->mac_p, &mac, sizeof(mac));
+ struct user64_mac mac64;
+ error = copyin(uap->mac_p, &mac64, sizeof(mac64));
+ mac.m_buflen = mac64.m_buflen;
+ mac.m_string = mac64.m_string;
} else {
- struct mac mac32;
+ struct user32_mac mac32;
error = copyin(uap->mac_p, &mac32, sizeof(mac32));
mac.m_buflen = mac32.m_buflen;
- mac.m_string = CAST_USER_ADDR_T(mac32.m_string);
+ mac.m_string = mac32.m_string;
}
if (error)
return (error);
return (error);
}
- switch (fp->f_fglob->fg_type) {
+ switch (FILEGLOB_DTYPE(fp->f_fglob)) {
case DTYPE_VNODE:
if (mac_label_vnodes == 0) {
return ENOSYS;
if (IS_64BIT_PROCESS(p)) {
- error = copyin(mac_p, &mac, sizeof(mac));
+ struct user64_mac mac64;
+ error = copyin(mac_p, &mac64, sizeof(mac64));
+ mac.m_buflen = mac64.m_buflen;
+ mac.m_string = mac64.m_string;
} else {
- struct mac mac32;
+ struct user32_mac mac32;
error = copyin(mac_p, &mac32, sizeof(mac32));
mac.m_buflen = mac32.m_buflen;
- mac.m_string = CAST_USER_ADDR_T(mac32.m_string);
+ mac.m_string = mac32.m_string;
}
if (error)
return (error);
return (error);
}
- NDINIT(&nd, LOOKUP,
+ NDINIT(&nd, LOOKUP, OP_LOOKUP,
LOCKLEAF | (follow ? FOLLOW : NOFOLLOW) | AUDITVNPATH1,
UIO_USERSPACE, path_p, ctx);
error = namei(&nd);
size_t ulen;
if (IS_64BIT_PROCESS(current_proc())) {
- error = copyin(mac_p, &mac, sizeof(mac));
+ struct user64_mac mac64;
+ error = copyin(mac_p, &mac64, sizeof(mac64));
+ mac.m_buflen = mac64.m_buflen;
+ mac.m_string = mac64.m_string;
} else {
- struct mac mac32;
+ struct user32_mac mac32;
error = copyin(mac_p, &mac32, sizeof(mac32));
mac.m_buflen = mac32.m_buflen;
- mac.m_string = CAST_USER_ADDR_T(mac32.m_string);
+ mac.m_string = mac32.m_string;
}
if (error)
return (error);
struct mount *mp;
int error;
- NDINIT(&nd, LOOKUP, FOLLOW | AUDITVNPATH1,
+ NDINIT(&nd, LOOKUP, OP_LOOKUP, FOLLOW | AUDITVNPATH1,
UIO_USERSPACE, uap->path, ctx);
error = namei(&nd);
if (error) {
return mac_mount_label_get(mp, uap->mac_p);
}
-#else /* MAC */
-
-int
-mac_policy_register(struct mac_policy_conf *mpc __unused,
- mac_policy_handle_t *handlep __unused, void *xd __unused)
-{
-
- return (0);
-}
-
+/*
+ * mac_schedule_userret()
+ *
+ * Schedule a callback to the mpo_thread_userret hook. The mpo_thread_userret
+ * hook is called just before the thread exit from the kernel in ast_taken().
+ *
+ * Returns: 0 Success
+ * !0 Not successful
+ */
int
-mac_policy_unregister(mac_policy_handle_t handle __unused)
+mac_schedule_userret(void)
{
+ act_set_astmacf(current_thread());
return (0);
}
+/*
+ * mac_do_machexc()
+ *
+ * Do a Mach exception. This should only be done in the mpo_thread_userret
+ * callback.
+ *
+ * params: code exception code
+ * subcode exception subcode
+ * flags flags:
+ * MAC_DOEXCF_TRACED Only do exception if being
+ * ptrace()'ed.
+ *
+ *
+ * Returns: 0 Success
+ * !0 Not successful
+ */
int
-mac_audit_text(char *text __unused, mac_policy_handle_t handle __unused)
+mac_do_machexc(int64_t code, int64_t subcode, uint32_t flags)
{
+ mach_exception_data_type_t codes[EXCEPTION_CODE_MAX];
+ proc_t p = current_proc();
- return (0);
-}
+ /* Only allow execption codes in MACF's reserved range. */
+ if ((code < EXC_MACF_MIN) || (code > EXC_MACF_MAX))
+ return (1);
-int
-mac_mount_label_get(struct mount *mp __unused, user_addr_t mac_p __unused)
-{
- return (ENOSYS);
-}
-
-int
-mac_vnop_setxattr(struct vnode *vp __unused, const char *name __unused, char *buf __unused, size_t len __unused)
-{
+ if (flags & MAC_DOEXCF_TRACED &&
+ !(p->p_lflag & P_LTRACED && (p->p_lflag & P_LPPWAIT) == 0))
+ return (0);
- return (ENOENT);
-}
-int
-mac_vnop_getxattr(struct vnode *vp __unused, const char *name __unused,
- char *buf __unused, size_t len __unused, size_t *attrlen __unused)
-{
+ /* Send the Mach exception */
+ codes[0] = (mach_exception_data_type_t)code;
+ codes[1] = (mach_exception_data_type_t)subcode;
- return (ENOENT);
+ return (bsd_exception(EXC_SOFTWARE, codes, 2) != KERN_SUCCESS);
}
-int
-mac_vnop_removexattr(struct vnode *vp __unused, const char *name __unused)
-{
-
- return (ENOENT);
-}
+#else /* MAC */
-int
-__mac_get_pid(proc_t p __unused, struct __mac_get_pid_args *uap __unused, int *ret __unused)
-{
+void (*load_security_extensions_function)(void) = 0;
- return (ENOSYS);
-}
+struct sysctl_oid_list sysctl__security_mac_children;
int
-__mac_get_proc(proc_t p __unused, struct __mac_get_proc_args *uap __unused, int *ret __unused)
+mac_policy_register(struct mac_policy_conf *mpc __unused,
+ mac_policy_handle_t *handlep __unused, void *xd __unused)
{
- return (ENOSYS);
+ return (0);
}
int
-__mac_set_proc(proc_t p __unused, struct __mac_set_proc_args *uap __unused, int *ret __unused)
+mac_policy_unregister(mac_policy_handle_t handle __unused)
{
- return (ENOSYS);
+ return (0);
}
int
-__mac_get_file(proc_t p __unused, struct __mac_get_file_args *uap __unused, int *ret __unused)
+mac_audit_text(char *text __unused, mac_policy_handle_t handle __unused)
{
- return (ENOSYS);
+ return (0);
}
int
-__mac_get_link(proc_t p __unused, struct __mac_get_link_args *uap __unused, int *ret __unused)
+mac_vnop_setxattr(struct vnode *vp __unused, const char *name __unused, char *buf __unused, size_t len __unused)
{
- return (ENOSYS);
+ return (ENOENT);
}
int
-__mac_set_file(proc_t p __unused, struct __mac_set_file_args *uap __unused, int *ret __unused)
+mac_vnop_getxattr(struct vnode *vp __unused, const char *name __unused,
+ char *buf __unused, size_t len __unused, size_t *attrlen __unused)
{
- return (ENOSYS);
+ return (ENOENT);
}
int
-__mac_set_link(proc_t p __unused, struct __mac_set_link_args *uap __unused, int *ret __unused)
+mac_vnop_removexattr(struct vnode *vp __unused, const char *name __unused)
{
- return (ENOSYS);
+ return (ENOENT);
}
-int
-__mac_get_fd(proc_t p __unused, struct __mac_get_fd_args *uap __unused, int *ret __unused)
+intptr_t mac_label_get(struct label *l __unused, int slot __unused)
{
-
- return (ENOSYS);
+ return 0;
}
-int
-__mac_set_fd(proc_t p __unused, struct __mac_set_fd_args *uap __unused, int *ret __unused)
+void mac_label_set(struct label *l __unused, int slot __unused, intptr_t v __unused)
{
-
- return (ENOSYS);
+ return;
}
-int
-__mac_syscall(proc_t p __unused, struct __mac_syscall_args *uap __unused, int *ret __unused)
+struct label *mac_thread_get_threadlabel(struct thread *thread __unused)
{
-
- return (ENOSYS);
+ return NULL;
}
-int
-__mac_get_lcid(proc_t p __unused, struct __mac_get_lcid_args *uap __unused, int *ret __unused)
+struct label *mac_thread_get_uthreadlabel(struct uthread *uthread __unused)
{
-
- return (ENOSYS);
+ return NULL;
}
-int
-__mac_get_lctx(proc_t p __unused, struct __mac_get_lctx_args *uap __unused, int *ret __unused)
+void mac_proc_set_enforce(proc_t p, int enforce_flags);
+void mac_proc_set_enforce(proc_t p __unused, int enforce_flags __unused)
{
-
- return (ENOSYS);
+ return;
}
-int
-__mac_set_lctx(proc_t p __unused, struct __mac_set_lctx_args *uap __unused, int *ret __unused)
+int mac_iokit_check_hid_control(kauth_cred_t cred __unused);
+int mac_iokit_check_hid_control(kauth_cred_t cred __unused)
{
-
- return (ENOSYS);
+ return 0;
}
-int
-__mac_get_mount(proc_t p __unused,
- struct __mac_get_mount_args *uap __unused, int *ret __unused)
-{
-
- return (ENOSYS);
-}
#endif /* !MAC */
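Review bot: mac_do_machexc() returns a bare `1` when `code` falls outside EXC_MACF_MIN..EXC_MACF_MAX and also collapses the bsd_exception() result to 0/1, so a calling policy cannot tell a rejected code from a delivery failure. Unless a caller depends on the literal value, `return (EINVAL);` for the range check would still satisfy the documented "!0 Not successful" contract. The traced-only test mixes `&` and `&&` without grouping; precedence gives the intended result, but `if ((flags & MAC_DOEXCF_TRACED) && !((p->p_lflag & P_LTRACED) && (p->p_lflag & P_LPPWAIT) == 0))` is easier to audit. The comment above the range check misspells "exception" as "execption".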