X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/2d21ac55c334faf3a56e5634905ed6987fc787d4..a1c7dba18ef36983396c282fe85292db066e39db:/security/mac_internal.h?ds=sidebyside
diff --git a/security/mac_internal.h b/security/mac_internal.h
index e41c429af..153e7d727 100644
--- a/security/mac_internal.h
+++ b/security/mac_internal.h
@@ -67,6 +67,10 @@
 #ifndef _SECURITY_MAC_INTERNAL_H_
 #define _SECURITY_MAC_INTERNAL_H_
+#ifndef PRIVATE
+#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
+#endif
+
 #include
 #include
 #include
@@ -113,11 +117,6 @@ struct mac_policy_list {
 typedef struct mac_policy_list mac_policy_list_t;
-/*
- * Darwin functions not properly exported
- */
-extern void kmod_load_early(void); /* defined in libsa/kext.cpp */
-
 /*
 * Policy that has registered with the framework for a specific
 * label namespace name.
@@ -140,47 +139,12 @@ struct mac_label_element {
 LIST_HEAD(mac_label_element_list_t, mac_label_element);
-/*
- * Journal operations
- */
-
-#define MLJ_TYPE_PORT 1
-#define MLJ_TYPE_TASK 2
-
-#define MLJ_PORT_OP_INIT 0x0001
-#define MLJ_PORT_OP_CREATE_K 0x0002
-#define MLJ_PORT_OP_CREATE 0x0004
-#define MLJ_PORT_OP_UPDATE 0x0008
-
-#define MLJ_TASK_OP_INIT 0x0001
-#define MLJ_TASK_OP_CREATE_K 0x0002
-
-struct mac_label_journal {
- struct label *l;
- int type;
- int ops;
-
- int kotype; /* Kernel Port */
-
- TAILQ_ENTRY(mac_label_journal) link;
-};
-TAILQ_HEAD(mac_label_journal_list_t, mac_label_journal);
-
-int mac_label_journal_add (struct label *, int);
-int mac_label_journal_remove(struct label *);
-struct mac_label_journal *
- mac_label_journal_find (struct label *);
-int mac_label_journal (struct label *, int, ...);
-void mac_label_journal_replay(void);
-
-
 /*
 * MAC Framework global variables.
 */
 extern struct mac_label_element_list_t mac_label_element_list;
 extern struct mac_label_element_list_t mac_static_label_element_list;
-extern struct mac_label_journal_list_t mac_label_journal_list;
 extern struct mac_policy_list mac_policy_list;
@@ -189,8 +153,6 @@ extern struct mac_policy_list mac_policy_list;
 * at all in the system.
 */
 extern unsigned int mac_device_enforce;
-extern unsigned int mac_file_enforce;
-extern unsigned int mac_iokit_enforce;
 extern unsigned int mac_pipe_enforce;
 extern unsigned int mac_posixsem_enforce;
 extern unsigned int mac_posixshm_enforce;
@@ -203,22 +165,20 @@ extern unsigned int mac_sysvshm_enforce;
 extern unsigned int mac_vm_enforce;
 extern unsigned int mac_vnode_enforce;
-#if CONFIG_MACF_MACH
-extern unsigned int mac_port_enforce;
-extern unsigned int mac_task_enforce;
-#endif
-
 #if CONFIG_MACF_NET
 extern unsigned int mac_label_mbufs;
 #endif
-static int mac_proc_check_enforce(proc_t p, int enforce_flag);
+extern unsigned int mac_label_vnodes;
+
+static int mac_proc_check_enforce(proc_t p, int enforce_flags);
 static __inline__ int mac_proc_check_enforce(proc_t p, int enforce_flags)
 {
 #if CONFIG_MACF
 return ((p->p_mac_enforce & enforce_flags) != 0);
 #else
+#pragma unused(p,enforce_flags)
 return 0;
 #endif
 }
@@ -238,12 +198,16 @@ static __inline__ int mac_context_check_enforce(vfs_context_t ctx, int enforce_f
 static __inline__ void mac_context_set_enforce(vfs_context_t ctx, int enforce_flags)
 {
+#if CONFIG_MACF
 proc_t proc = vfs_context_proc(ctx);
 if (proc == NULL) return;
 mac_proc_set_enforce(proc, enforce_flags);
+#else
+#pragma unused(ctx,enforce_flags)
+#endif
 }
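Review bot: The new `extern unsigned int mac_label_vnodes;` is added without any comment, unlike the neighbouring `mac_*_enforce` knobs that sit under the "at all in the system" comment block, so a reader of this header cannot tell whether it is an on/off switch or a count, nor where it is set; that is not visible in this hunk and should be confirmed against the definition. I would put a one-line comment above it, for example `/* TODO(review): state whether this is a flag or a count and which code sets it */`, replaced with the real semantics once confirmed. The renamed prototype `static int mac_proc_check_enforce(proc_t p, int enforce_flags);` now agrees with the definition's parameter name, and the `#pragma unused(p,enforce_flags)` in the `#else` branch is compiler-specific but consistent with the file's existing `__inline__` usage; that branch reports "not enforced" (`return 0;`) whenever MACF is compiled out, which is worth saying in the function comment as well.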
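Review bot: With the new `#else` branch, `mac_context_set_enforce` becomes a silent no-op when CONFIG_MACF is off, and on the CONFIG_MACF side the pre-existing `if (proc == NULL) return;` already drops the request silently for a context with no associated process, so a caller has no way to learn that its enforcement flags were never recorded. Neither case is documented; I would add a function comment such as `/* Best effort: does nothing when MACF is compiled out or when ctx carries no proc. */` so the two no-op paths are stated once. The NULL-proc early return is not introduced by this commit; it is only worth mentioning because the added branch makes the no-op behaviour the rule rather than the exception.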
@@ -335,6 +299,44 @@ struct label *mac_mbuf_to_label(struct mbuf *m);
 } \
 } while (0)
+/*
+ * MAC_GRANT performs the designated check by walking the policy
+ * module list and checking with each as to how it feels about the
+ * request. Unlike MAC_CHECK, it grants if any policies return '0',
+ * and otherwise returns EPERM. Note that it returns its value via
+ * 'error' in the scope of the caller.
+ */
+#define MAC_GRANT(check, args...) do { \
+ struct mac_policy_conf *mpc; \
+ u_int i; \
+ \
+ error = EPERM; \
+ for (i = 0; i < mac_policy_list.staticmax; i++) { \
+ mpc = mac_policy_list.entries[i].mpc; \
+ if (mpc == NULL) \
+ continue; \
+ \
+ if (mpc->mpc_ops->mpo_ ## check != NULL) { \
+ if (mpc->mpc_ops->mpo_ ## check (args) == 0) \
+ error = 0; \
+ } \
+ } \
+ if (mac_policy_list_conditional_busy() != 0) { \
+ for (; i <= mac_policy_list.maxindex; i++) { \
+ mpc = mac_policy_list.entries[i].mpc; \
+ if (mpc == NULL) \
+ continue; \
+ \
+ if (mpc->mpc_ops->mpo_ ## check != NULL) { \
+ if (mpc->mpc_ops->mpo_ ## check (args) \
+ == 0) \
+ error = 0; \
+ } \
+ } \
+ mac_policy_list_unbusy(); \
+ } \
+} while (0)
+
 /*
 * MAC_BOOLEAN performs the designated boolean composition by walking
 * the module list, invoking each instance of the operation, and
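Review bot: MAC_GRANT composes policies permissively: once any `mpo_<check>` hook returns 0, `error` stays 0 regardless of how many later policies deny, so a single policy that implements the hook with a default-permit return neutralises every other policy for that check. The macro's comment states the rule but not this consequence, and I would extend it with `* A policy should implement a MAC_GRANT hook only if it actually decides the request; a hook that returns 0 by default grants for everyone.` together with `* If no loaded policy implements the hook the result is EPERM (deny).`, since the fail-closed default set by `error = EPERM;` before the loops is the property a reader most needs to know. It is also worth noting in the comment that both loops keep invoking the remaining hooks after a grant has been recorded (there is no short-circuit), so any side effects in a hook run for every policy.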