/*
- * Copyright (c) 2007 Apple Inc. All rights reserved.
+ * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
typedef struct ucred *kauth_cred_t;
#endif /* !_KAUTH_CRED_T */
+#ifndef __IOKIT_PORTS_DEFINED__
+#define __IOKIT_PORTS_DEFINED__
+#ifdef __cplusplus
+class OSObject;
+typedef OSObject *io_object_t;
+#else
+struct OSObject;
+typedef struct OSObject *io_object_t;
+#endif
+#endif /* __IOKIT_PORTS_DEFINED__ */
/*-
* MAC entry points are generally named using the following template:
char *devtype,
struct mac_module_data *mdata
);
+/**
+ @brief Access control check for opening an I/O Kit device
+ @param cred Subject credential
+ @param device_path Device path
+ @param user_client User client instance
+ @param user_client_type User client type
+
+ Determine whether the subject identified by the credential can open an
+ I/O Kit device at the passed path of the passed user client class and
+ type.
+
+ @return Return 0 if access is granted, or an appropriate value for
+ errno should be returned.
+*/
+typedef int mpo_iokit_check_open_t(
+ kauth_cred_t cred,
+ io_object_t user_client,
+ unsigned int user_client_type
+);
+/**
+ @brief Access control check for setting I/O Kit device properties
+ @param cred Subject credential
+ @param registry_entry Target device
+ @param properties Property list
+
+ Determine whether the subject identified by the credential can set
+ properties on an I/O Kit device.
+
+ @return Return 0 if access is granted, or an appropriate value for
+ errno should be returned.
+*/
+typedef int mpo_iokit_check_set_properties_t(
+ kauth_cred_t cred,
+ io_object_t entry,
+ io_object_t properties
+);
+/**
+ @brief Access control check for software HID control
+ @param cred Subject credential
+
+ Determine whether the subject identified by the credential can
+ control the HID (Human Interface Device) subsystem, such as to
+ post synthetic keypresses, pointer movement and clicks.
+
+ @return Return 0 if access is granted, or an appropriate value for
+ errno.
+*/
+typedef int mpo_iokit_check_hid_control_t(
+ kauth_cred_t cred
+);
/**
@brief Create an IP reassembly queue label
@param fragment First received IP fragment
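Review bot: The Doxygen block for `mpo_iokit_check_open_t` documents `@param device_path Device path`, but the typedef that follows it takes only `cred`, `user_client` and `user_client_type`, so the comment describes a parameter that does not exist; likewise `mpo_iokit_check_set_properties_t` documents `@param registry_entry` while the declared parameter is named `entry`. Either the signature lost a parameter or the comment is stale — if the latter, drop the `device_path` line, change the @brief text "at the passed path of the passed user client class and type" to "of the passed user client class and type", and align the second hook with `@param entry Target device`. Keeping names in sync matters here because policy authors implement these hooks from the header comments alone.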
kauth_cred_t cred,
struct pshminfo *ps,
struct label *shmlabel,
- size_t len
+ off_t len
);
/**
@brief Access control check for POSIX shared memory unlink
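Review bot: Changing `len` from `size_t` to `off_t` makes the argument signed, so a policy written against the old signature that compared `len` against a limit can now see negative values. The hook's description lives above this hunk, so I cannot tell whether the caller rejects negative lengths before the check; the doc should state it one way or the other, e.g. `@param len Requested size; presumably validated non-negative by the caller — confirm`. Existing third-party policies compiled against the old type are also affected, which the MAC_POLICY_OPS_VERSION bump elsewhere in this change should cover.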
typedef void mpo_posixshm_label_init_t(
struct label *label
);
+/**
+ @brief Access control check for privileged operations
+ @param cred Subject credential
+ @param priv Requested privilege (see sys/priv.h)
+
+ Determine whether the subject identified by the credential can perform
+ a privileged operation. Privileged operations are allowed if the cred
+ is the superuser or any policy returns zero for mpo_priv_grant, unless
+ any policy returns nonzero for mpo_priv_check.
+
+ @return Return 0 if access is granted, otherwise EPERM should be returned.
+*/
+typedef int mpo_priv_check_t(
+ kauth_cred_t cred,
+ int priv
+);
+/**
+ @brief Grant regular users the ability to perform privileged operations
+ @param cred Subject credential
+ @param priv Requested privilege (see sys/priv.h)
+
+ Determine whether the subject identified by the credential should be
+ allowed to perform a privileged operation that in the absense of any
+ MAC policy it would not be able to perform. Privileged operations are
+ allowed if the cred is the superuser or any policy returns zero for
+ mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check.
+
+ Unlike other MAC hooks which can only reduce the privilege of a
+ credential, this hook raises the privilege of a credential when it
+ returns 0. Extreme care must be taken when implementing this hook to
+ avoid undermining the security of the system.
+
+ @return Return 0 if additional privilege is granted, otherwise EPERM
+ should be returned.
+*/
+typedef int mpo_priv_grant_t(
+ kauth_cred_t cred,
+ int priv
+);
/**
@brief Access control check for debugging process
@param cred Subject credential
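Review bot: Typo in the `mpo_priv_grant_t` description: "in the absense of any MAC policy" should read `in the absence of any MAC policy`. The warning that this hook raises rather than reduces privilege is the right thing to have in the header; it would be worth adding one sentence saying that a policy must return nonzero for every `priv` value it does not explicitly recognise, since the grant semantics mean an unhandled default of 0 elevates the caller.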
kauth_cred_t cred,
struct proc *proc
);
+/**
+ @brief Access control over pid_suspend and pid_resume
+ @param cred Subject credential
+ @param proc Subject process trying to run pid_suspend or pid_resume
+ @param sr Call is suspend (0) or resume (1)
+
+ Determine whether the subject identified is allowed to suspend or resume
+ other processes.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
+*/
+typedef int mpo_proc_check_suspend_resume_t(
+ kauth_cred_t cred,
+ struct proc *proc,
+ int sr
+);
/**
@brief Access control check for retrieving audit information
@param cred Subject credential
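Review bot: The parameter documentation for `mpo_proc_check_suspend_resume_t` appears inconsistent with its description: `@param proc` is described as the "Subject process trying to run pid_suspend or pid_resume", yet the body says the hook decides whether the subject may suspend or resume *other* processes, which suggests `proc` is the object (target) process. If that is the case, `@param proc Object process being suspended or resumed` is the accurate line; please confirm against the caller. The `sr` flag is also a bare `int` with magic values 0/1 explained only in the comment, so the @param text should at least name which call maps to which value as it does now, or the values should become named constants.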
struct proc *p,
pid_t pid
);
+/**
+ @brief Access control check for mmap MAP_ANON
+ @param proc User process requesting the memory
+ @param cred Subject credential
+ @param u_addr Start address of the memory range
+ @param u_size Length address of the memory range
+ @param prot mmap protections; see mmap(2)
+ @param flags Type of mapped object; see mmap(2)
+ @param maxprot Maximum rights
+
+ Determine whether the subject identified by the credential should be
+ allowed to obtain anonymous memory using the specified flags and
+ protections on the new mapping. MAP_ANON will always be present in the
+ flags. Certain combinations of flags with a non-NULL addr may
+ cause a mapping to be rejected before this hook is called. The maxprot field
+ holds the maximum permissions on the new mapping, a combination of
+ VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior
+ access control checks, a policy should only remove flags from maxprot.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned. Suggested failure: EPERM for lack of privilege.
+*/
+typedef int mpo_proc_check_map_anon_t(
+ struct proc *proc,
+ kauth_cred_t cred,
+ user_addr_t u_addr,
+ user_size_t u_size,
+ int prot,
+ int flags,
+ int *maxprot
+);
/**
@brief Access control check for setting memory protections
@param cred Subject credential
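Review bot: In the `mpo_proc_check_map_anon_t` block, "`@param u_size Length address of the memory range`" is garbled and should read `@param u_size Length of the memory range`; the description also refers to "a non-NULL addr" while the parameter is `u_addr`. Since `maxprot` is an `int *` that policies are expected to modify, its @param line should say so explicitly rather than just "Maximum rights", e.g. `@param maxprot Maximum protections on the new mapping (in/out; a policy may only clear bits)`, which mirrors the prose further down and makes the contract visible to someone reading only the parameter list.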
*/
typedef int mpo_proc_check_setaudit_t(
kauth_cred_t cred,
- struct auditinfo *ai
+ struct auditinfo_addr *ai
);
/**
@brief Access control check for setting audit user ID
kauth_cred_t cred,
int cmd
);
+/**
+ @brief Access control check for using CHUD facilities
+ @param cred Subject credential
+
+ Determine whether the subject identified by the credential can perform
+ performance-related tasks using the CHUD system call.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
+*/
+typedef int mpo_system_check_chud_t(
+ kauth_cred_t cred
+);
/**
@brief Access control check for obtaining the host control port
@param cred Subject credential
kauth_cred_t cred,
struct proc *p
);
-
-
/**
- @brief Access control check for manipulating a proc's vm_map
- @param cred Subject credential
+ @brief Privilege check for a process to run invalid
@param proc Object process
- Determine whether the vm_map map belonging to process proc with
- credential cred allows the VM_PROT_COPY operation.
+ Determine whether the process may execute even though the system determined
+ that it is untrusted (eg unidentified / modified code).
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
-typedef int mpo_proc_check_map_prot_copy_allow_t(
- kauth_cred_t cred,
+typedef int mac_proc_check_run_cs_invalid_t(
struct proc *p
);
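Review bot: The new hook type is named `mac_proc_check_run_cs_invalid_t`, breaking the `mpo_*_t` naming convention every other entry-point typedef in this file follows (and the struct member that uses it is still `mpo_proc_check_run_cs_invalid`), which makes it easy to miss when grepping for policy hooks; `typedef int mpo_proc_check_run_cs_invalid_t(` would be consistent. The comment also documents `@param proc` while the declared parameter is `p`, and the @brief "Privilege check for a process to run invalid" reads as truncated — `@brief Privilege check for a process to run with an invalid code signature` says what the description below it says. This hook is replacing `mpo_proc_check_map_prot_copy_allow` in the ops table rather than taking a reserved slot, which is covered by the version bump but worth stating in the commit description.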
struct label *cred,
struct label *task
);
-/**
- @brief Perform MAC-related events when a thread returns to user space
- @param code The number of the syscall/trap that has finished
- @param error The error code that will be returned to user space
- @param thread Mach (not BSD) thread that is returning
-
- This entry point permits policy modules to perform MAC-related
- events when a thread returns to user space, via a system call
- return, trap return, or otherwise.
-*/
-typedef void mpo_thread_userret_t(
- int code,
- int error,
- struct thread *thread
-);
/**
@brief Check vnode access
@param cred Subject credential
struct componentname *cnp,
u_int *csflags
);
+/**
+ @brief Access control check for fsgetpath
+ @param cred Subject credential
+ @param vp Vnode for which a path will be returned
+ @param label Label associated with the vnode
+
+ Determine whether the subject identified by the credential can get the path
+ of the given vnode with fsgetpath.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
+*/
+typedef int mpo_vnode_check_fsgetpath_t(
+ kauth_cred_t cred,
+ struct vnode *vp,
+ struct label *label
+);
/**
@brief Access control check after determining the code directory hash
*/
struct vnode *vp,
struct label *label
);
+/**
+ @brief Access control check for searchfs
+ @param cred Subject credential
+ @param vp Object vnode
+ @param vlabel Policy label for vp
+ @param alist List of attributes used as search criteria
+
+ Determine whether the subject identified by the credential can search the
+ vnode using the searchfs system call.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
+*/
+typedef int mpo_vnode_check_searchfs_t(
+ kauth_cred_t cred,
+ struct vnode *vp,
+ struct label *vlabel,
+ struct attrlist *alist
+);
/**
@brief Access control check for select
@param cred Subject credential
struct vnode *vp,
struct label *label
);
+/**
+ @brief Access control check for binding UNIX domain socket
+ @param cred Subject credential
+ @param dvp Directory vnode
+ @param dlabel Policy label for dvp
+ @param cnp Component name for dvp
+ @param vap vnode attributes for vap
+
+ Determine whether the subject identified by the credential can perform a
+ bind operation on a UNIX domain socket with the passed parent directory,
+ passed name information, and passed attribute information.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned. Suggested failure: EACCES for label mismatch or
+ EPERM for lack of privilege.
+*/
+typedef int mpo_vnode_check_uipc_bind_t(
+ kauth_cred_t cred,
+ struct vnode *dvp,
+ struct label *dlabel,
+ struct componentname *cnp,
+ struct vnode_attr *vap
+);
+/**
+ @brief Access control check for connecting UNIX domain socket
+ @param cred Subject credential
+ @param vp Object vnode
+ @param label Policy label associated with vp
+
+ Determine whether the subject identified by the credential can perform a
+ connect operation on the passed UNIX domain socket vnode.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned. Suggested failure: EACCES for label mismatch or
+ EPERM for lack of privilege.
+*/
+typedef int mpo_vnode_check_uipc_connect_t(
+ kauth_cred_t cred,
+ struct vnode *vp,
+ struct label *label
+);
/**
@brief Access control check for deleting vnode
@param cred Subject credential
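Review bot: Two @param lines in `mpo_vnode_check_uipc_bind_t` do not describe their arguments: `@param vap vnode attributes for vap` is self-referential, and `@param cnp Component name for dvp` attaches the name to the directory rather than to the socket node being created. From the description ("passed parent directory, passed name information, and passed attribute information") the intended lines appear to be `@param cnp Component name of the socket being bound` and `@param vap Requested attributes for the socket node`; please confirm against the caller. The connect variant's parameters are documented correctly.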
struct componentname *cnp
);
+/**
+ @brief Inform MAC policies that a vnode has been renamed
+ @param cred User credential for the renaming process
+ @param vp Vnode that's being renamed
+ @param label Policy label for vp
+ @param dvp Parent directory for the destination
+ @param dlabel Policy label for dvp
+ @param cnp Component name for the destination
+
+ Inform MAC policies that a vnode has been renamed.
+ */
+typedef void mpo_vnode_notify_rename_t(
+ kauth_cred_t cred,
+ struct vnode *vp,
+ struct label *label,
+ struct vnode *dvp,
+ struct label *dlabel,
+ struct componentname *cnp
+);
+
/*
* Placeholder for future events that may need mac hooks.
*/
/*!
\struct mac_policy_ops
*/
+#define MAC_POLICY_OPS_VERSION 11 /* inc when new reserved slots are taken */
struct mac_policy_ops {
mpo_audit_check_postselect_t *mpo_audit_check_postselect;
mpo_audit_check_preselect_t *mpo_audit_check_preselect;
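Review bot: The comment on `MAC_POLICY_OPS_VERSION` says to increment it only "when new reserved slots are taken", but this same change also alters the signature of existing slots (`mpo_posixshm_check_*` `len` to `off_t`, `mpo_proc_check_setaudit_t` to `struct auditinfo_addr *`) and swaps the type stored in an occupied slot (`mpo_thread_userret` to `mpo_iokit_check_hid_control`), all of which are ABI breaks that the version must also track. Suggest `#define MAC_POLICY_OPS_VERSION 11 /* inc when reserved slots are taken or an existing slot's signature changes */` so the next edit does not skip the bump for a type-only change.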
mpo_task_label_init_t *mpo_task_label_init;
mpo_task_label_internalize_t *mpo_task_label_internalize;
mpo_task_label_update_t *mpo_task_label_update;
- mpo_thread_userret_t *mpo_thread_userret;
+ mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control;
mpo_vnode_check_access_t *mpo_vnode_check_access;
mpo_vnode_check_chdir_t *mpo_vnode_check_chdir;
mpo_vnode_check_chroot_t *mpo_vnode_check_chroot;
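Review bot: `mpo_thread_userret` is replaced in place by `mpo_iokit_check_hid_control`, and the same pattern occurs in the later hunk where `mpo_proc_check_map_prot_copy_allow` becomes `mpo_vnode_check_uipc_bind`; a policy module built against version 10 that populated either slot would have its function invoked through a pointer of a different type (`void(int,int,struct thread*)` vs `int(kauth_cred_t)`), which is undefined behaviour and, for an access-control hook, a silent allow/deny decision made on garbage. This is only safe if the registration path refuses a `struct mac_policy_conf` whose version is not exactly `MAC_POLICY_OPS_VERSION`; I cannot see that check from the header, so the commit should confirm it exists, and a one-line comment beside the replaced member such as `/* slot reused from mpo_thread_userret in v11; incompatible type */` would warn future editors. Reusing freed slots rather than a reserved one is a deliberate choice here, but it is the kind of thing that should be called out in the description.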
mpo_vnode_label_update_t *mpo_vnode_label_update;
mpo_vnode_notify_create_t *mpo_vnode_notify_create;
mpo_vnode_check_signature_t *mpo_vnode_check_signature;
- mpo_proc_check_map_prot_copy_allow_t *mpo_proc_check_map_prot_copy_allow;
- mpo_reserved_hook_t *mpo_reserved2;
- mpo_reserved_hook_t *mpo_reserved3;
- mpo_reserved_hook_t *mpo_reserved4;
- mpo_reserved_hook_t *mpo_reserved5;
- mpo_reserved_hook_t *mpo_reserved6;
- mpo_reserved_hook_t *mpo_reserved7;
- mpo_reserved_hook_t *mpo_reserved8;
- mpo_reserved_hook_t *mpo_reserved9;
+ mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind;
+ mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect;
+ mac_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid;
+ mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume;
+ mpo_reserved_hook_t *mpo_reserved12;
+ mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties;
+ mpo_system_check_chud_t *mpo_system_check_chud;
+ mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs;
+ mpo_priv_check_t *mpo_priv_check;
+ mpo_priv_grant_t *mpo_priv_grant;
+ mpo_proc_check_map_anon_t *mpo_proc_check_map_anon;
+ mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath;
+ mpo_iokit_check_open_t *mpo_iokit_check_open;
+ mpo_vnode_notify_rename_t *mpo_vnode_notify_rename;
+ mpo_reserved_hook_t *mpo_reserved14;
+ mpo_reserved_hook_t *mpo_reserved15;
+ mpo_reserved_hook_t *mpo_reserved16;
+ mpo_reserved_hook_t *mpo_reserved17;
+ mpo_reserved_hook_t *mpo_reserved18;
+ mpo_reserved_hook_t *mpo_reserved19;
+ mpo_reserved_hook_t *mpo_reserved20;
+ mpo_reserved_hook_t *mpo_reserved21;
+ mpo_reserved_hook_t *mpo_reserved22;
+ mpo_reserved_hook_t *mpo_reserved23;
+ mpo_reserved_hook_t *mpo_reserved24;
+ mpo_reserved_hook_t *mpo_reserved25;
+ mpo_reserved_hook_t *mpo_reserved26;
+ mpo_reserved_hook_t *mpo_reserved27;
+ mpo_reserved_hook_t *mpo_reserved28;
+ mpo_reserved_hook_t *mpo_reserved29;
};
/**
#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]
+/*
+ * Policy interface to map a struct label pointer to per-policy data.
+ * Typically, policies wrap this in their own accessor macro that casts an
+ * intptr_t to a policy-specific data type.
+ */
+intptr_t mac_label_get(struct label *l, int slot);
+void mac_label_set(struct label *l, int slot, intptr_t v);
+
#define mac_get_mpc(h) (mac_policy_list.entries[h].mpc)
/**
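Review bot: `mac_label_get` and `mac_label_set` are new public entry points with no per-parameter documentation: the comment does not say what range of `slot` is valid, whether `l` may be NULL, or what the functions do on an out-of-range slot, even though the neighbouring `LABEL_TO_SLOT` macro indexes `l_perpolicy[s]` with no bounds check. Please add a Doxygen block stating that `slot` must be the slot handed to the policy at registration, what the behaviour is for an invalid slot (return 0, panic, or unchecked — whichever the implementation does), and that `v` is an opaque `intptr_t` owned by the policy; a prototype that only reads could also take `const struct label *l` if the implementation permits.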