/*
- * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
+ * Copyright (c) 2007-2016 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
struct attrlist;
struct auditinfo;
struct bpf_d;
+struct cs_blob;
struct devnode;
+struct exception_action;
struct fileglob;
struct ifnet;
struct inpcb;
struct ipq;
struct label;
-struct lctx;
struct mac_module_data;
struct mac_policy_conf;
struct mbuf;
@param vnodelabel Label corresponding to vp
@param scriptvnodelabel Script vnode label
@param execlabel Userspace provided execution label
- @param proc Object process
+ @param p Object process
@param macpolicyattr MAC policy-specific spawn attribute data
@param macpolicyattrlen Length of policy-specific spawn attribute data
@see mac_execve
struct vnode *vp,
struct label *vnodelabel
);
+/**
+ @brief Access control for sending an exception to an exception action
+ @param crashlabel The crashing process's label
+ @param action Exception action
+ @param exclabel Policy label for exception action
+
+ Determine whether the the exception message caused by the victim
+ process can be sent to the exception action. The policy may compare
+ credentials in the crashlabel, which are derived from the process at
+ the time the exception occurs, with the credentials in the exclabel,
+ which was set at the time the exception port was set, to determine
+ its decision. Note that any process from which the policy derived
+ any credentials may not exist anymore at the time of this policy
+ operation. Sleeping is permitted.
+
+ @return Return 0 if the message can be sent, otherwise an
+ appropriate value for errno should be returned.
+*/
+typedef int mpo_exc_action_check_exception_send_t(
+ struct label *crashlabel,
+ struct exception_action *action,
+ struct label *exclabel
+);
+/**
+ @brief Associate an exception action label
+ @param action Exception action to label
+ @param exclabel Policy label to be filled in for exception action
+
+ Set the label on an exception action.
+*/
+typedef void mpo_exc_action_label_associate_t(
+ struct exception_action *action,
+ struct label *exclabel
+);
+/**
+ @brief Destroy exception action label
+ @param label The label to be destroyed
+
+ Destroy the label on an exception action. Since the object is going
+ out of scope, policy modules should free any internal storage
+ associated with the label so that it may be destroyed. Sleeping is
+ permitted.
+*/
+typedef void mpo_exc_action_label_destroy_t(
+ struct label *label
+);
+/**
+ @brief Populate an exception action label with process credentials
+ @param label The label to be populated
+ @param proc Process to derive credentials from
+
+ Populate a label with credentials derived from a process. At
+ exception delivery time, the policy should compare credentials of the
+ process that set an exception ports with the credentials of the
+ process or corpse that experienced the exception. Note that the
+ process that set the port may not exist at that time anymore, so
+ labels should carry copies of live credentials if necessary.
+*/
+typedef void mpo_exc_action_label_populate_t(
+ struct label *label,
+ struct proc *proc
+);
+/**
+ @brief Initialize exception action label
+ @param label New label to initialize
+
+ Initialize a label for an exception action. Usually performs
+ policy specific allocations. Sleeping is permitted.
+*/
+typedef int mpo_exc_action_label_init_t(
+ struct label *label
+);
+/**
+ @brief Update the label on an exception action
+ @param action Exception action that the label belongs to (may be
+ NULL if none)
+ @param label Policy label to update
+ @param newlabel New label for update
+
+ Update the credentials of an exception action from the given
+ label. The policy should copy over any credentials (process and
+ otherwise) from the new label into the label to update. Must not
+ sleep, must be quick and can be called with locks held.
+*/
+typedef int mpo_exc_action_label_update_t(
+ struct exception_action *action,
+ struct label *label,
+ struct label *newlabel
+);
/**
@brief Access control for changing the offset of a file descriptor
@param cred Subject credential
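Review bot: `mpo_exc_action_label_init_t` and `mpo_exc_action_label_update_t` are declared to return `int`, yet neither doc block carries a `@return` line, so a policy author cannot tell what a non-zero result means or whether the framework acts on it. Add to both, in the header's usual form, `@return Return 0 on success, otherwise an appropriate value for errno should be returned.`, and since the update hook is documented as non-sleeping and callable with locks held, say there whether a failure is observed by the caller at all. The send-check brief also has a doubled word, `the the exception message`.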
int op,
struct flock *fl
);
+/**
+ @brief Check with library validation if a macho slice is allowed to be combined into a proc.
+ @param p Subject process
+ @param fg Fileglob structure
+ @param slice_offset offset of the code slice
+ @param error_message error message returned to user-space in case of error (userspace pointer)
+ @param error_message_size error message size
+
+ Its a little odd that the MAC/kext writes into userspace since this
+ implies there is only one MAC module that implements this, however
+ the alterantive is to allocate memory in xnu, on the hope that
+ the MAC module will use it, or allocated in the MAC module and then
+ free it in xnu. Either of these are very appeling, so lets go with
+ the slightly more hacky way.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
+*/
+typedef int mpo_file_check_library_validation_t(
+ struct proc *p,
+ struct fileglob *fg,
+ off_t slice_offset,
+ user_long_t error_message,
+ size_t error_message_size
+);
/**
@brief Access control check for mapping a file
@param cred Subject credential
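Review bot: The doc for `mpo_file_check_library_validation_t` calls `error_message` a userspace pointer but never states how a policy may write through it; the buffer belongs to the calling process, so the only safe contract is that the policy reaches it via copyout(), never writes more than `error_message_size` bytes, and does not let a copyout failure change the access decision. I would add `@note error_message is a user address: write it only with copyout(), bounded by error_message_size; a copyout failure must not alter the returned verdict.` The rationale paragraph also needs proofreading: `Its` → `It's`, `alterantive` → `alternative`, `appeling` → `appealing`, `lets` → `let's`, and `Either of these are very appeling` says the opposite of what the argument needs (presumably `Neither of these is very appealing`).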
struct label *label,
int prot,
int flags,
+ uint64_t file_pos,
int *maxprot
);
/**
/**
@brief Device hardware access control
@param devtype Type of device connected
- @param properties XML-formatted property list
- @param proplen Length of the property list
This is the MAC Framework device access control, which is called by the I/O
Kit when a new device is connected to the system to determine whether that
/**
@brief Access control check for opening an I/O Kit device
@param cred Subject credential
- @param device_path Device path
@param user_client User client instance
@param user_client_type User client type
struct ipq *ipq,
struct label *ipqlabel
);
-/**
- @brief Access control check for relabelling Login Context
- @param l Subject credential
- @param newlabel New label to apply to the Login Context
- @see mpo_lctx_label_update_t
- @see mac_set_lcid
- @see mac_set_lctx
-
- Determine whether the subject identified by the credential can relabel
- itself to the supplied new label (newlabel). This access control check
- is called when the mac_set_lctx/lcid system call is invoked. A user space
- application will supply a new value, the value will be internalized
- and provided in newlabel.
-
- @return Return 0 if access is granted, otherwise an appropriate value for
- errno should be returned.
-*/
-typedef int mpo_lctx_check_label_update_t(
- struct lctx *l,
- struct label *newlabel
-);
-/**
- @brief Destroy Login Context label
- @param label The label to be destroyed
-*/
-typedef void mpo_lctx_label_destroy_t(
- struct label *label
-);
-/**
- @brief Externalize a Login Context label
- @param label Label to be externalized
- @param element_name Name of the label namespace for which labels should be
- externalized
- @param sb String buffer to be filled with a text representation of the label
-
- Produce an external representation of the label on a Login Context.
- An externalized label consists of a text representation
- of the label contents that can be used with user applications.
- Policy-agnostic user space tools will display this externalized
- version.
-
- @return 0 on success, return non-zero if an error occurs while
- externalizing the label data.
-
-*/
-typedef int mpo_lctx_label_externalize_t(
- struct label *label,
- char *element_name,
- struct sbuf *sb
-);
-/**
- @brief Initialize Login Context label
- @param label New label to initialize
-*/
-typedef void mpo_lctx_label_init_t(
- struct label *label
-);
-/**
- @brief Internalize a Login Context label
- @param label Label to be internalized
- @param element_name Name of the label namespace for which the label should
- be internalized
- @param element_data Text data to be internalized
-
- Produce a Login Context label from an external representation. An
- externalized label consists of a text representation of the label
- contents that can be used with user applications. Policy-agnostic
- user space tools will forward text version to the kernel for
- processing by individual policy modules.
-
- The policy's internalize entry points will be called only if the
- policy has registered interest in the label namespace.
-
- @return 0 on success, Otherwise, return non-zero if an error occurs
- while internalizing the label data.
-
-*/
-typedef int mpo_lctx_label_internalize_t(
- struct label *label,
- char *element_name,
- char *element_data
-);
-/**
- @brief Update a Login Context label
- @param l
- @param newlabel A new label to apply to the Login Context
- @see mpo_lctx_check_label_update_t
- @see mac_set_lcid
- @see mac_set_lctx
-
- Update the label on a login context, using the supplied new label.
- This is called as a result of a login context relabel operation. Access
- control was already confirmed by mpo_lctx_check_label_update.
-*/
-typedef void mpo_lctx_label_update_t(
- struct lctx *l,
- struct label *newlabel
-);
-/**
- @brief A process has created a login context
- @param p Subject
- @param l Login Context
-
- When a process creates a login context (via setlcid()) this entrypoint
- is called to notify the policy that the process 'p' has created login
- context 'l'.
-*/
-typedef void mpo_lctx_notify_create_t(
- struct proc *p,
- struct lctx *l
-);
-/**
- @brief A process has joined a login context
- @param p Subject
- @param l Login Context
-
- When a process joins a login context, either via setlcid() or via
- fork() this entrypoint is called to notify the policy that process
- 'p' is now a member of login context 'l'.
-*/
-typedef void mpo_lctx_notify_join_t(
- struct proc *p,
- struct lctx *l
-);
-/**
- @brief A process has left a login context
- @param p Subject
- @param l Login Context
-
- When a process leaves a login context either via setlcid() or as a
- result of the process exiting this entrypoint is called to notify
- the policy that the process 'p' is no longer a member of login context 'l'.
-*/
-typedef void mpo_lctx_notify_leave_t(
- struct proc *p,
- struct lctx *l
-);
/**
@brief Assign a label to a new mbuf
@param bpf_d BPF descriptor
@param cred Subject credential
@param mp The mount point
@param label Label associated with the mount point
- @param com Filesystem-dependent request code; see fsctl(2)
+ @param cmd Filesystem-dependent request code; see fsctl(2)
Determine whether the subject identified by the credential can perform
the volume operation indicated by com.
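Review bot: The `@param` tag is renamed from `com` to `cmd`, but the sentence that follows still reads `the volume operation indicated by com.`, so the prose names a parameter that no longer exists in the tag list; change it to `indicated by cmd.` The same half-finished rename appears in the vnode ioctl hunk (`@param cmd` followed by `the ioctl operation indicated by com.`) and in the socket receive hunk, where `@param addr` becomes `@param saddr` while the description still says `specified by addr`.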
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
+
+ @note Policies may change the contents of vfa to alter the list of
+ file system attributes returned.
*/
typedef int mpo_mount_check_getattr_t(
struct componentname *cnp,
const char *vfc_name
);
+/**
+ @brief Access control check for fs_snapshot_create
+ @param cred Subject credential
+ @mp Filesystem mount point to create snapshot of
+ @name Name of snapshot to create
+
+ Determine whether the subject identified by the credential can
+ create a snapshot of the filesystem at the given mount point.
+
+ @return Return 0 if access is granted, otherwise an appropriate value
+ for errno should be returned.
+*/
+typedef int mpo_mount_check_snapshot_create_t(
+ kauth_cred_t cred,
+ struct mount *mp,
+ const char *name
+);
+/**
+ @brief Access control check for fs_snapshot_delete
+ @param cred Subject credential
+ @mp Filesystem mount point to delete snapshot of
+ @name Name of snapshot to delete
+
+ Determine whether the subject identified by the credential can
+ delete the named snapshot from the filesystem at the given
+ mount point.
+
+ @return Return 0 if access is granted, otherwise an appropriate value
+ for errno should be returned.
+*/
+typedef int mpo_mount_check_snapshot_delete_t(
+ kauth_cred_t cred,
+ struct mount *mp,
+ const char *name
+);
+/**
+ @brief Access control check for fs_snapshot_revert
+ @param cred Subject credential
+ @mp Filesystem mount point to revert to snapshot
+ @name Name of snapshot to revert to
+
+ Determine whether the subject identified by the credential can
+ revert the filesystem at the given mount point to the named snapshot.
+
+ @return Return 0 if access is granted, otherwise an appropriate value
+ for errno should be returned.
+*/
+typedef int mpo_mount_check_snapshot_revert_t(
+ kauth_cred_t cred,
+ struct mount *mp,
+ const char *name
+);
/**
@brief Access control check remounting a filesystem
@param cred Subject credential
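Review bot: All three snapshot hooks document their parameters as `@mp ...` and `@name ...` instead of `@param mp ...` and `@param name ...`, so the generated documentation will not list the mount point or snapshot name, and `@name` is itself a Doxygen command with an unrelated meaning. Change each of the six lines to the `@param` form used everywhere else in this header. The typedefs themselves are consistent with the existing `mount_check_*` family.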
@brief Create a pipe label
@param cred Subject credential
@param cpipe object to be labeled
- @param label Label for the pipe object
+ @param pipelabel Label for the pipe object
Create a label for the pipe object being created by the supplied
user credential. This call is made when the pipe is being created
kauth_cred_t cred,
struct proc *proc
);
+/**
+ @brief Access control check for setting host special ports.
+ @param cred Subject credential
+ @param id The host special port to set
+ @param port The new value to set for the special port
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
+*/
+typedef int mpo_proc_check_set_host_special_port_t(
+ kauth_cred_t cred,
+ int id,
+ struct ipc_port *port
+);
+/**
+ @brief Access control check for setting host exception ports.
+ @param cred Subject credential
+ @param exception Exception port to set
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
+*/
+typedef int mpo_proc_check_set_host_exception_port_t(
+ kauth_cred_t cred,
+ unsigned int exception
+);
/**
@brief Access control over pid_suspend and pid_resume
@param cred Subject credential
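Review bot: In `mpo_proc_check_set_host_exception_port_t` the parameter `exception` is an `unsigned int` but is documented as `Exception port to set`; a port would be a `struct ipc_port *` as in the sibling special-port hook, so the value is presumably the exception type or mask being registered (the caller is not in this hunk, so please confirm). Document it as what it is, e.g. `@param exception Exception type (or mask) whose host-level port is being set`. Both new blocks also lack the one-sentence `Determine whether the subject identified by the credential can ...` description that every other check hook in this header carries.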
struct proc *target,
int op
);
-/**
- @brief Access control check for escaping default CPU usage monitor parameters.
- @param cred Subject credential
-
- Determine if a credential has permission to program CPU usage monitor parameters
- that are less restrictive than the global system-wide defaults.
-
- @return Return 0 if access is granted, otherwise an appropriate value for
- errno should be returned.
-*/
-typedef int mpo_proc_check_cpumon_t(
- kauth_cred_t cred
-);
/**
@brief Access control check for retrieving process information.
@param cred Subject credential
int callnum,
int flavor
);
+/**
+ @brief Access control check for retrieving code signing information.
+ @param cred Subject credential
+ @param target Target process
+ @param op Code signing operation being performed
+
+ Determine whether the subject identified by the credential should be
+ allowed to get code signing information about the target process.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
+*/
+typedef int mpo_proc_check_get_cs_info_t(
+ kauth_cred_t cred,
+ struct proc *target,
+ unsigned int op
+);
+/**
+ @brief Access control check for setting code signing information.
+ @param cred Subject credential
+ @param target Target process
+ @param op Code signing operation being performed.
+
+ Determine whether the subject identified by the credential should be
+ allowed to set code signing information about the target process.
+
+ @return Return 0 if permission is granted, otherwise an appropriate
+ value of errno should be returned.
+*/
+typedef int mpo_proc_check_set_cs_info_t(
+ kauth_cred_t cred,
+ struct proc *target,
+ unsigned int op
+);
/**
@brief Access control check for mmap MAP_ANON
@param proc User process requesting the memory
kauth_cred_t cred,
struct proc *proc
);
+/**
+ @brief Inform MAC policies that a process has exited.
+ @param proc Object process
+
+ Called after all of the process's threads have terminated and
+ it has been removed from the process list. KPI that identifies
+ the process by pid will fail to find the process; KPI that
+ identifies the process by the object process pointer functions
+ normally. proc_exiting() returns true for the object process.
+*/
+typedef void mpo_proc_notify_exit_t(
+ struct proc *proc
+);
/**
@brief Destroy process label
@param label The label to be destroyed
typedef void mpo_proc_label_init_t(
struct label *label
);
+/**
+ @brief Access control check for skywalk flow connect
+ @param cred Subject credential
+ @param flow Flow object
+ @param addr Remote address for flow to send data to
+ @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM)
+ @param protocol Network protocol (e.g. IPPROTO_TCP)
+
+ Determine whether the subject identified by the credential can
+ create a flow for sending data to the remote host specified by
+ addr.
+
+ @return Return 0 if access if granted, otherwise an appropriate
+ value for errno should be returned.
+*/
+typedef int mpo_skywalk_flow_check_connect_t(
+ kauth_cred_t cred,
+ void *flow,
+ const struct sockaddr *addr,
+ int type,
+ int protocol
+);
+/**
+ @brief Access control check for skywalk flow listen
+ @param cred Subject credential
+ @param flow Flow object
+ @param addr Local address for flow to listen on
+ @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM)
+ @param protocol Network protocol (e.g. IPPROTO_TCP)
+
+ Determine whether the subject identified by the credential can
+ create a flow for receiving data on the local address specified
+ by addr.
+
+ @return Return 0 if access if granted, otherwise an appropriate
+ value for errno should be returned.
+*/
+typedef int mpo_skywalk_flow_check_listen_t(
+ kauth_cred_t cred,
+ void *flow,
+ const struct sockaddr *addr,
+ int type,
+ int protocol
+);
/**
@brief Access control check for socket accept
@param cred Subject credential
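Review bot: Both skywalk flow hooks have `Return 0 if access if granted` in their `@return` line; it should read `if access is granted`, as elsewhere in the header. Since `flow` is passed as `void *`, it would also help policy authors to state which object the pointer actually refers to, or to forward-declare that type at the top of the header the way the other objects are.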
- @param socket Object socket
+ @param so Object socket
@param socklabel Policy label for socket
Determine whether the subject identified by the credential can accept()
struct mbuf *m,
struct label *m_label
);
+/**
+ @brief Access control check for socket ioctl.
+ @param cred Subject credential
+ @param so Object socket
+ @param cmd The ioctl command; see ioctl(2)
+ @param socklabel Policy label for socket
+
+ Determine whether the subject identified by the credential can perform
+ the ioctl operation indicated by cmd on the given socket.
+
+ @warning Since ioctl data is opaque from the standpoint of the MAC
+ framework, and since ioctls can affect many aspects of system
+ operation, policies must exercise extreme care when implementing
+ access control checks.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
+*/
+typedef int mpo_socket_check_ioctl_t(
+ kauth_cred_t cred,
+ socket_t so,
+ unsigned int cmd,
+ struct label *socklabel
+);
/**
@brief Access control check for socket kqfilter
@param cred Subject credential
/**
@brief Access control check for socket receive
@param cred Subject credential
- @param socket Object socket
+ @param sock Object socket
@param socklabel Policy label for socket
- @param addr Name of the remote socket
+ @param saddr Name of the remote socket
Determine whether the subject identified by the credential can
receive data from the remote host specified by addr.
@param cred Subject credential
Determine whether the subject identified by the credential can perform
- performance-related tasks using the CHUD system call.
+ performance-related tasks using the CHUD system call. This interface is
+ deprecated.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_chud_t(
- kauth_cred_t cred
+ kauth_cred_t cred
);
/**
@brief Access control check for obtaining the host control port
/**
@brief Create a System V message label
@param cred Subject credential
- @param msqkptr The message queue the message will be placed in
+ @param msqptr The message queue the message will be placed in
@param msqlabel The label of the message queue
@param msgptr The message
@param msglabel The label of the message
@param cred Subject credential
@param msgptr The message
@param msglabel The message's label
- @param msqkptr The message queue
+ @param msqptr The message queue
@param msqlabel The message queue's label
Determine whether the subject identified by the credential can add the
/**
@brief Create a System V message queue label
@param cred Subject credential
- @param msqkptr The message queue
+ @param msqptr The message queue
@param msqlabel The label of the message queue
*/
/**
@brief Access control check for getting a process's task name
@param cred Subject credential
- @param proc Object process
+ @param p Object process
Determine whether the subject identified by the credential can get
the passed process's task name port.
/**
@brief Access control check for getting a process's task port
@param cred Subject credential
- @param proc Object process
+ @param p Object process
Determine whether the subject identified by the credential can get
the passed process's task control port.
struct proc *p
);
+/**
+ @brief Access control check for exposing a process's task port
+ @param cred Subject credential
+ @param p Object process
+
+ Determine whether the subject identified by the credential can expose
+ the passed process's task control port.
+ This call is used by the accessor APIs like processor_set_tasks() and
+ processor_set_threads().
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned. Suggested failure: EACCES for label mismatch,
+ EPERM for lack of privilege, or ESRCH to hide visibility of the target.
+*/
+typedef int mpo_proc_check_expose_task_t(
+ kauth_cred_t cred,
+ struct proc *p
+);
+
/**
@brief Check whether task's IPC may inherit across process exec
- @param proc current process instance
+ @param p current process instance
@param cur_vp vnode pointer to current instance
@param cur_offset offset of binary of currently executing image
@param img_vp vnode pointer to to be exec'ed image
*/
typedef int mpo_proc_check_inherit_ipc_ports_t(
struct proc *p,
- struct vnode *cur_vp,
- off_t cur_offset,
- struct vnode *img_vp,
- off_t img_offset,
- struct vnode *scriptvp
+ struct vnode *cur_vp,
+ off_t cur_offset,
+ struct vnode *img_vp,
+ off_t img_offset,
+ struct vnode *scriptvp
);
/**
@brief Privilege check for a process to run invalid
- @param proc Object process
+ @param p Object process
Determine whether the process may execute even though the system determined
that it is untrusted (eg unidentified / modified code).
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
-typedef int mac_proc_check_run_cs_invalid_t(
+typedef int mpo_proc_check_run_cs_invalid_t(
+ struct proc *p
+);
+
+/**
+ @brief Notification a process is finished with exec and will jump to userspace
+ @param p Object process
+
+ Notifies all MAC policies that a process has completed an exec and is about to
+ jump to userspace to continue execution. This may result in process termination
+ via signals. Hook is designed to hold no/minimal locks so it can be used for any
+ necessary upcalls.
+ */
+typedef void mpo_proc_notify_exec_complete_t(
struct proc *p
);
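Review bot: The typedef `mac_proc_check_run_cs_invalid_t` is renamed to `mpo_proc_check_run_cs_invalid_t` with no compatibility alias, so any policy module spelling the old name stops compiling; if that is not the intent, keep `typedef mpo_proc_check_run_cs_invalid_t mac_proc_check_run_cs_invalid_t;` next to the new declaration. The new `mpo_proc_notify_exec_complete_t` block closes its comment with ` */` while the rest of the header uses `*/` at column 0, and its remark that the hook `may result in process termination via signals` would be clearer if it said whether it is the policy itself that is expected to deliver them.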
typedef void mpo_thread_userret_t(
struct thread *thread
);
-/**
- @brief Initialize per thread label
- @param label New label to initialize
- Initialize the label for a newly instantiated thread.
- Sleeping is permitted.
-*/
-typedef void mpo_thread_label_init_t(
- struct label *label
-);
-/**
- @brief Destroy thread label
- @param label The label to be destroyed
-
- Destroy a user thread label. Since the user thread
- is going out of scope, policy modules should free any internal
- storage associated with the label so that it may be destroyed.
-*/
-typedef void mpo_thread_label_destroy_t(
- struct label *label
-);
/**
@brief Check vnode access
@param cred Subject credential
struct label *dlabel,
struct componentname *cnp
);
+/**
+ @brief Access control check for creating clone
+ @param cred Subject credential
+ @param dvp Vnode of directory to create the clone in
+ @param dlabel Policy label associated with dvp
+ @param vp Vnode of the file to clone from
+ @param label Policy label associated with vp
+ @param cnp Component name for the clone being created
+
+ Determine whether the subject identified by the credential should be
+ allowed to create a clone of the vnode vp with the name specified by cnp.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
+*/
+typedef int mpo_vnode_check_clone_t(
+ kauth_cred_t cred,
+ struct vnode *dvp,
+ struct label *dlabel,
+ struct vnode *vp,
+ struct label *label,
+ struct componentname *cnp
+);
/**
@brief Access control check for creating vnode
@param cred Subject credential
@param vp Object vnode to execute
@param scriptvp Script being executed by interpreter, if any.
@param vnodelabel Label corresponding to vp
- @param scriptvnodelabel Script vnode label
+ @param scriptlabel Script vnode label
@param execlabel Userspace provided execution label
@param cnp Component name for file being executed
@param macpolicyattr MAC policy-specific spawn attribute data.
struct label *label
);
/**
- @brief Access control check after determining the code directory hash
- */
-typedef int mpo_vnode_check_signature_t(struct vnode *vp, struct label *label,
- off_t macho_offset, unsigned char *sha1,
- const void *signature, int size,
- int flags, int *is_platform_binary);
+ @brief Access control check for retrieving file attributes
+ @param active_cred Subject credential
+ @param file_cred Credential associated with the struct fileproc
+ @param vp Object vnode
+ @param vlabel Policy label for vp
+ @param va Vnode attributes to retrieve
+ Determine whether the subject identified by the credential can
+ get information about the passed vnode. The active_cred hold
+ the credentials of the subject performing the operation, and
+ file_cred holds the credentials of the subject that originally
+ opened the file. This check happens during stat(), lstat(),
+ fstat(), and getattrlist() syscalls. See <sys/vnode.h> for
+ definitions of the attributes.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
+
+ @note Policies may change the contents of va to alter the list of
+ file attributes returned.
+*/
+typedef int mpo_vnode_check_getattr_t(
+ kauth_cred_t active_cred,
+ kauth_cred_t file_cred, /* NULLOK */
+ struct vnode *vp,
+ struct label *vlabel,
+ struct vnode_attr *va
+);
/**
@brief Access control check for retrieving file attributes
@param cred Subject credential
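Review bot: The new `mpo_vnode_check_getattr_t` reuses the `@brief Access control check for retrieving file attributes` wording of the block that immediately follows it, so the two hooks are indistinguishable in the generated index; make this one something like `@brief Access control check for retrieving vnode attributes (stat/getattrlist)`. In the description `The active_cred hold` should be `holds`, and the fact that `file_cred` may be NULL, currently only visible as the inline `/* NULLOK */`, belongs in the `@param file_cred` text so that policies know to check it before dereferencing.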
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
- @param com Device-dependent request code; see ioctl(2)
+ @param cmd Device-dependent request code; see ioctl(2)
Determine whether the subject identified by the credential can perform
the ioctl operation indicated by com.
);
/**
@brief Access control check for vnode kqfilter
- @param cred Subject credential
+ @param active_cred Subject credential
@param kn Object knote
@param vp Object vnode
@param label Policy label for vp
struct vnode *vp,
struct label *vlabel
);
+/**
+ @brief Access control check for lookup
+ @param cred Subject credential
+ @param dvp Directory vnode
+ @param dlabel Policy label for dvp
+ @param path Path being looked up
+ @param pathlen Length of path in bytes
+
+ Determine whether the subject identified by the credential can perform
+ a lookup of the passed path relative to the passed directory vnode.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned. Suggested failure: EACCES for label mismatch or
+ EPERM for lack of privilege.
+
+ @note The path may contain untrusted input. If approved, lookup proceeds
+ on the path; if a component is found to be a symlink then this hook is
+ called again with the updated path.
+*/
+typedef int mpo_vnode_check_lookup_preflight_t(
+ kauth_cred_t cred,
+ struct vnode *dvp,
+ struct label *dlabel,
+ const char *path,
+ size_t pathlen
+);
/**
@brief Access control check for lookup
@param cred Subject credential
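Review bot: `mpo_vnode_check_lookup_preflight_t` documents `pathlen` as `Length of path in bytes` but not whether `path` is NUL-terminated or whether `pathlen` counts the terminator, and a policy that walks the path needs both to stay in bounds. State whichever the caller guarantees, e.g. `@param pathlen Length of path in bytes, excluding the terminating NUL` (the caller is outside this hunk, so please confirm). The @note that the path is untrusted and that the hook is re-invoked after each symlink is valuable; adding whether `dvp` can also change on that re-invocation would complete the contract.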
struct label *label,
int which
);
+/**
+ @brief Access control check for setting ACL
+ @param cred Subject credential
+ @param vp Object node
+ @param label Policy label for vp
+ @param acl ACL structure pointer
+
+ Determine whether the subject identified by the credential can set an ACL
+ on the specified vnode. The ACL pointer will be NULL when removing an ACL.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned. Suggested failure: EACCES for label mismatch or
+ EPERM for lack of privilege.
+*/
+typedef int mpo_vnode_check_setacl_t(
+ kauth_cred_t cred,
+ struct vnode *vp,
+ struct label *label,
+ struct kauth_acl *acl
+);
/**
@brief Access control check for setting file attributes
@param cred Subject credential
struct timespec atime,
struct timespec mtime
);
+/**
+ @brief Access control check after determining the code directory hash
+ @param vp vnode vnode to combine into proc
+ @param label label associated with the vnode
+ @param cpu_type cpu type of the signature being checked
+ @param cs_blob the code signature to check
+ @param cs_flags update code signing flags if needed
+ @param signer_type output parameter for the code signature's signer type
+ @param flags operational flag to mpo_vnode_check_signature
+ @param fatal_failure_desc description of fatal failure
+ @param fatal_failure_desc_len failure description len, failure is fatal if non-0
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
+ */
+typedef int mpo_vnode_check_signature_t(
+ struct vnode *vp,
+ struct label *label,
+ cpu_type_t cpu_type,
+ struct cs_blob *cs_blob,
+ unsigned int *cs_flags,
+ unsigned int *signer_type,
+ int flags,
+ char **fatal_failure_desc, size_t *fatal_failure_desc_len
+);
/**
@brief Access control check for stat
@param active_cred Subject credential
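Review bot: `mpo_vnode_check_signature_t` hands back `fatal_failure_desc` as a `char **`, but the doc does not say who allocates the string, how it is released, or whether `*fatal_failure_desc_len` is an input capacity or an output length; without that a policy cannot fill the out-parameters without risking a leak or a double free. Document the ownership explicitly, e.g. `@param fatal_failure_desc On fatal failure, description allocated by the policy; the caller releases it with <allocator>` with the allocator named, and describe `cs_flags` as an in/out parameter since the text says it is updated. The final parameter pair is declared on one line, `char **fatal_failure_desc, size_t *fatal_failure_desc_len`, unlike every other typedef in this header which puts one parameter per line.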
struct vnode *vp,
struct label *label
);
+/**
+ @brief Access control check for vnode trigger resolution
+ @param cred Subject credential
+ @param dvp Object vnode
+ @param dlabel Policy label for dvp
+ @param cnp Component name that triggered resolution
+
+ Determine whether the subject identified by the credential can trigger
+ resolution of the passed name (cnp) in the passed directory vnode
+ via an external trigger resolver.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned. Suggested failure: EACCES for label mismatch or
+ EPERM for lack of privilege.
+*/
+typedef int mpo_vnode_check_trigger_resolve_t(
+ kauth_cred_t cred,
+ struct vnode *dvp,
+ struct label *dlabel,
+ struct componentname *cnp
+);
/**
@brief Access control check for truncate/ftruncate
@param active_cred Subject credential
@param cred Subject credential
@param vp Object vnode
@param label Policy label associated with vp
+ @param so Socket
Determine whether the subject identified by the credential can perform a
connect operation on the passed UNIX domain socket vnode.
typedef int mpo_vnode_check_uipc_connect_t(
kauth_cred_t cred,
struct vnode *vp,
- struct label *label
+ struct label *label,
+ socket_t so
);
/**
@brief Access control check for deleting vnode
struct componentname *cnp
);
+/**
+ @brief Inform MAC policies that an extended attribute has been removed from a vnode
+ @param cred Subject credential
+ @param vp Object node
+ @param label Policy label for vp
+ @param name Extended attribute name
+
+ Inform MAC policies that an extended attribute has been removed from a vnode.
+*/
+typedef void mpo_vnode_notify_deleteextattr_t(
+ kauth_cred_t cred,
+ struct vnode *vp,
+ struct label *label,
+ const char *name
+);
+
+
+/**
+ @brief Inform MAC policies that an ACL has been set on a vnode
+ @param cred Subject credential
+ @param vp Object node
+ @param label Policy label for vp
+ @param acl ACL structure pointer
+
+ Inform MAC policies that an ACL has been set on a vnode.
+*/
+typedef void mpo_vnode_notify_setacl_t(
+ kauth_cred_t cred,
+ struct vnode *vp,
+ struct label *label,
+ struct kauth_acl *acl
+);
+
+/**
+ @brief Inform MAC policies that an attributes have been set on a vnode
+ @param cred Subject credential
+ @param vp Object vnode
+ @param label Policy label for vp
+ @param alist List of attributes to set
+
+ Inform MAC policies that an attributes have been set on a vnode.
+*/
+typedef void mpo_vnode_notify_setattrlist_t(
+ kauth_cred_t cred,
+ struct vnode *vp,
+ struct label *label,
+ struct attrlist *alist
+);
+
+/**
+ @brief Inform MAC policies that an extended attribute has been set on a vnode
+ @param cred Subject credential
+ @param vp Object vnode
+ @param label Policy label for vp
+ @param name Extended attribute name
+ @param uio I/O structure pointer
+
+ Inform MAC policies that an extended attribute has been set on a vnode.
+*/
+typedef void mpo_vnode_notify_setextattr_t(
+ kauth_cred_t cred,
+ struct vnode *vp,
+ struct label *label,
+ const char *name,
+ struct uio *uio
+);
+
+/**
+ @brief Inform MAC policies that flags have been set on a vnode
+ @param cred Subject credential
+ @param vp Object vnode
+ @param label Policy label for vp
+ @param flags File flags; see chflags(2)
+
+ Inform MAC policies that flags have been set on a vnode.
+*/
+typedef void mpo_vnode_notify_setflags_t(
+ kauth_cred_t cred,
+ struct vnode *vp,
+ struct label *label,
+ u_long flags
+);
+
+/**
+ @brief Inform MAC policies that a new mode has been set on a vnode
+ @param cred Subject credential
+ @param vp Object vnode
+ @param label Policy label for vp
+ @param mode File mode; see chmod(2)
+
+ Inform MAC policies that a new mode has been set on a vnode.
+*/
+typedef void mpo_vnode_notify_setmode_t(
+ kauth_cred_t cred,
+ struct vnode *vp,
+ struct label *label,
+ mode_t mode
+);
+
+/**
+ @brief Inform MAC policies that new uid/gid have been set on a vnode
+ @param cred Subject credential
+ @param vp Object vnode
+ @param label Policy label for vp
+ @param uid User ID
+ @param gid Group ID
+
+ Inform MAC policies that new uid/gid have been set on a vnode.
+*/
+typedef void mpo_vnode_notify_setowner_t(
+ kauth_cred_t cred,
+ struct vnode *vp,
+ struct label *label,
+ uid_t uid,
+ gid_t gid
+);
+
+/**
+ @brief Inform MAC policies that new timestamps have been set on a vnode
+ @param cred Subject credential
+ @param vp Object vnode
+ @param label Policy label for vp
+ @param atime Access time; see utimes(2)
+ @param mtime Modification time; see utimes(2)
+
+ Inform MAC policies that new timestamps have been set on a vnode.
+*/
+typedef void mpo_vnode_notify_setutimes_t(
+ kauth_cred_t cred,
+ struct vnode *vp,
+ struct label *label,
+ struct timespec atime,
+ struct timespec mtime
+);
+
+/**
+ @brief Inform MAC policies that a vnode has been truncated
+ @param cred Subject credential
+ @param file_cred Credential associated with the struct fileproc
+ @param vp Object vnode
+ @param label Policy label for vp
+
+ Inform MAC policies that a vnode has been truncated.
+*/
+typedef void mpo_vnode_notify_truncate_t(
+ kauth_cred_t cred,
+ kauth_cred_t file_cred,
+ struct vnode *vp,
+ struct label *label
+);
+
+
/**
@brief Inform MAC policies that a pty slave has been granted
@param p Responsible process
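Review bot: `mpo_vnode_notify_setextattr_t` hands the policy a `struct uio *uio` without saying what state it is in at notification time; since this is a post-operation notify hook the iovec has presumably already been consumed by the setxattr, so a policy must not expect to read the value from it or advance it, and the doc should say so, e.g. `@param uio I/O structure describing the value written; already consumed by the time the policy is notified — do not read or advance it`. `@param acl ACL structure pointer` in `mpo_vnode_notify_setacl_t` should state whether it can be NULL (an ACL removal), and `file_cred` in `mpo_vnode_notify_truncate_t` likewise whether it is NULL on the truncate(2) path, since a policy dereferencing either unconditionally would fault in the kernel. `an attributes have been set` in the setattrlist brief and description should read `attributes have been set`.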
const char *identifier
);
+/**
+ @brief Access control check for querying information about loaded kexts
+ @param cred Subject credential
+
+ Determine whether the subject identified by the credential can query
+ information about loaded kexts.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned. Suggested failure: EPERM for lack of privilege.
+*/
+typedef int mpo_kext_check_query_t(
+ kauth_cred_t cred
+);
+
/*
* Placeholder for future events that may need mac hooks.
*/
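Review bot: `mpo_kext_check_query_t` takes only the subject credential, so unlike the other check hooks in this file a policy cannot distinguish which kext or which piece of information is being queried — it is an all-or-nothing gate, and the description should say so: `This check is coarse-grained: it covers every kext information query by the subject, regardless of the kext or attribute requested.` If the query interface can disclose kext load addresses, that is worth naming here since it is the reason a policy would deny unprivileged callers; what the query returns is not visible in this header.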
* Please note that this should be kept in sync with the check assumptions
* policy in bsd/kern/policy_check.c (policy_ops struct).
*/
-#define MAC_POLICY_OPS_VERSION 32 /* inc when new reserved slots are taken */
+#define MAC_POLICY_OPS_VERSION 55 /* inc when new reserved slots are taken */
struct mac_policy_ops {
mpo_audit_check_postselect_t *mpo_audit_check_postselect;
mpo_audit_check_preselect_t *mpo_audit_check_preselect;
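Review bot: the slot comment `inc when new reserved slots are taken` no longer describes what this version jump covers — the same series removes the lctx and thread-label hooks and repurposes existing slots, each of which makes a policy built against the old header misinterpret function-pointer slots; the comment should say so, e.g. `/* inc when reserved slots are taken or existing slots are removed/repurposed */`. It would also help to state next to the define whether the loader rejects a policy whose ops were built for a different version or merely warns, since that is the only thing standing between a stale policy and a hook being called with the wrong argument list; that behaviour is not visible in this header.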
mpo_ipq_label_init_t *mpo_ipq_label_init;
mpo_ipq_label_update_t *mpo_ipq_label_update;
- mpo_lctx_check_label_update_t *mpo_lctx_check_label_update;
- mpo_lctx_label_destroy_t *mpo_lctx_label_destroy;
- mpo_lctx_label_externalize_t *mpo_lctx_label_externalize;
- mpo_lctx_label_init_t *mpo_lctx_label_init;
- mpo_lctx_label_internalize_t *mpo_lctx_label_internalize;
- mpo_lctx_label_update_t *mpo_lctx_label_update;
- mpo_lctx_notify_create_t *mpo_lctx_notify_create;
- mpo_lctx_notify_join_t *mpo_lctx_notify_join;
- mpo_lctx_notify_leave_t *mpo_lctx_notify_leave;
+ mpo_file_check_library_validation_t *mpo_file_check_library_validation;
+ mpo_vnode_notify_setacl_t *mpo_vnode_notify_setacl;
+ mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist;
+ mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr;
+ mpo_vnode_notify_setflags_t *mpo_vnode_notify_setflags;
+ mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode;
+ mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner;
+ mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes;
+ mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate;
mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname;
mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports;
mpo_vnode_check_rename_t *mpo_vnode_check_rename;
- mpo_reserved_hook_t *mpo_reserved4;
+ mpo_kext_check_query_t *mpo_kext_check_query;
+ mpo_proc_notify_exec_complete_t *mpo_proc_notify_exec_complete;
mpo_reserved_hook_t *mpo_reserved5;
mpo_reserved_hook_t *mpo_reserved6;
- mpo_reserved_hook_t *mpo_reserved7;
- mpo_reserved_hook_t *mpo_reserved8;
- mpo_reserved_hook_t *mpo_reserved9;
- mpo_reserved_hook_t *mpo_reserved10;
- mpo_reserved_hook_t *mpo_reserved11;
- mpo_reserved_hook_t *mpo_reserved12;
- mpo_reserved_hook_t *mpo_reserved13;
- mpo_reserved_hook_t *mpo_reserved14;
- mpo_reserved_hook_t *mpo_reserved15;
- mpo_reserved_hook_t *mpo_reserved16;
- mpo_reserved_hook_t *mpo_reserved17;
- mpo_reserved_hook_t *mpo_reserved18;
- mpo_reserved_hook_t *mpo_reserved19;
- mpo_reserved_hook_t *mpo_reserved20;
- mpo_reserved_hook_t *mpo_reserved21;
- mpo_reserved_hook_t *mpo_reserved22;
+ mpo_proc_check_expose_task_t *mpo_proc_check_expose_task;
+ mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port;
+ mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port;
+ mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send;
+ mpo_exc_action_label_associate_t *mpo_exc_action_label_associate;
+ mpo_exc_action_label_populate_t *mpo_exc_action_label_populate;
+ mpo_exc_action_label_destroy_t *mpo_exc_action_label_destroy;
+ mpo_exc_action_label_init_t *mpo_exc_action_label_init;
+ mpo_exc_action_label_update_t *mpo_exc_action_label_update;
+
+ mpo_vnode_check_trigger_resolve_t *mpo_vnode_check_trigger_resolve;
+ mpo_reserved_hook_t *mpo_reserved1;
+ mpo_reserved_hook_t *mpo_reserved2;
+ mpo_reserved_hook_t *mpo_reserved3;
+ mpo_skywalk_flow_check_connect_t *mpo_skywalk_flow_check_connect;
+ mpo_skywalk_flow_check_listen_t *mpo_skywalk_flow_check_listen;
mpo_posixsem_check_create_t *mpo_posixsem_check_create;
mpo_posixsem_check_open_t *mpo_posixsem_check_open;
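Review bot: the three new reserved slots are numbered `mpo_reserved1`..`mpo_reserved3` while the surviving `mpo_reserved5`/`mpo_reserved6` sit above them, so the reserved numbering no longer runs in slot order and a reader cannot tell from the names which slots were taken when; picking the next unused numbers, or a one-line comment noting the renumbering, would keep the table self-describing. By my count the hunk removes 17 slots (reserved4 and reserved7–22) and adds 17, so the struct size is unchanged, but that count is exactly what `bsd/kern/policy_check.c` is supposed to cross-check and it deserves a sentence in the commit message. The stray blank line after `mpo_exc_action_label_update` inside the struct is out of style with the rest of the table.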
mpo_system_check_settime_t *mpo_system_check_settime;
mpo_system_check_swapoff_t *mpo_system_check_swapoff;
mpo_system_check_swapon_t *mpo_system_check_swapon;
- mpo_reserved_hook_t *mpo_reserved31;
+ mpo_socket_check_ioctl_t *mpo_socket_check_ioctl;
mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate;
mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy;
mpo_sysvshm_label_init_t *mpo_sysvshm_label_init;
mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle;
- mpo_reserved_hook_t *mpo_reserved23;
- mpo_reserved_hook_t *mpo_reserved24;
- mpo_reserved_hook_t *mpo_reserved25;
- mpo_reserved_hook_t *mpo_reserved26;
- mpo_reserved_hook_t *mpo_reserved27;
- mpo_reserved_hook_t *mpo_reserved28;
- mpo_reserved_hook_t *mpo_reserved29;
- mpo_reserved_hook_t *mpo_reserved30;
+ mpo_proc_notify_exit_t *mpo_proc_notify_exit;
+ mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert;
+ mpo_vnode_check_getattr_t *mpo_vnode_check_getattr;
+ mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create;
+ mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete;
+ mpo_vnode_check_clone_t *mpo_vnode_check_clone;
+ mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info;
+ mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info;
mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control;
mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind;
mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect;
- mac_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid;
+ mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid;
mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume;
mpo_thread_userret_t *mpo_thread_userret;
mpo_vnode_notify_rename_t *mpo_vnode_notify_rename;
- mpo_thread_label_init_t *mpo_thread_label_init;
- mpo_thread_label_destroy_t *mpo_thread_label_destroy;
+ mpo_vnode_check_setacl_t *mpo_vnode_check_setacl;
+
+ mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr;
mpo_system_check_kas_info_t *mpo_system_check_kas_info;
- mpo_proc_check_cpumon_t *mpo_proc_check_cpumon;
+ mpo_vnode_check_lookup_preflight_t *mpo_vnode_check_lookup_preflight;
mpo_vnode_notify_open_t *mpo_vnode_notify_open;
struct mac_policy_conf {
const char *mpc_name; /** policy name */
const char *mpc_fullname; /** full name */
- const char **mpc_labelnames; /** managed label namespaces */
+ char const * const *mpc_labelnames; /** managed label namespaces */
unsigned int mpc_labelname_count; /** number of managed label namespaces */
- struct mac_policy_ops *mpc_ops; /** operation vector */
+ const struct mac_policy_ops *mpc_ops; /** operation vector */
int mpc_loadtime_flags; /** load time flags */
int *mpc_field_off; /** label slot */
int mpc_runtime_flags; /** run time flags */
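Review bot: making `mpc_ops` a `const struct mac_policy_ops *` is the right hardening — it lets a policy define its ops vector `static const` so the function-pointer table lands in read-only memory instead of being a writable target — but nothing in the header tells policy authors that this is now expected; suggest `/** operation vector; define it const so the hook table is not writable */` in place of `/** operation vector */`. Whether the kernel itself still writes into the ops vector after registration, which the const qualifier only catches at compile time on the policy side, is not visible here.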
size_t *);
int mac_vnop_removexattr(struct vnode *, const char *);
+/**
+ @brief Set an extended attribute on a vnode-based fileglob.
+ @param fg fileglob representing file to attach the extended attribute
+ @param name extended attribute name
+ @param buf buffer of data to use as the extended attribute value
+ @param len size of buffer
+
+ Sets the value of an extended attribute on a file.
+
+ Caller must hold an iocount on the vnode represented by the fileglob.
+*/
+int mac_file_setxattr(struct fileglob *fg, const char *name, char *buf, size_t len);
+
+/**
+ @brief Get an extended attribute from a vnode-based fileglob.
+ @param fg fileglob representing file to read the extended attribute
+ @param name extended attribute name
+ @param buf buffer of data to hold the extended attribute value
+ @param len size of buffer
+ @param attrlen size of full extended attribute value
+
+ Gets the value of an extended attribute on a file.
+
+ Caller must hold an iocount on the vnode represented by the fileglob.
+*/
+int mac_file_getxattr(struct fileglob *fg, const char *name, char *buf, size_t len,
+ size_t *attrlen);
+
+/**
+ @brief Remove an extended attribute from a vnode-based fileglob.
+ @param fg fileglob representing file to remove the extended attribute
+ @param name extended attribute name
+
+ Removes the named extended attribute from the file.
+
+ Caller must hold an iocount on the vnode represented by the fileglob.
+*/
+int mac_file_removexattr(struct fileglob *fg, const char *name);
+
+
/*
* Arbitrary limit on how much data will be logged by the audit
* entry points above.
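Review bot: `mac_file_setxattr` takes its value as `char *buf` although the doc describes it as input data; it should be `const char *buf` like the `name` argument, i.e. `int mac_file_setxattr(struct fileglob *fg, const char *name, const char *buf, size_t len);`, otherwise callers holding const data are pushed into casts. None of the three functions documents its return value — in particular what `mac_file_getxattr` returns when the attribute value is larger than `len` (truncation vs. an error, with `attrlen` holding the full size either way) and what all three return for a fileglob that is not vnode-backed; a `@return` line per function in the style of the rest of this header would settle both. The `Caller must hold an iocount` prerequisite is good and should stay.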