X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/2d21ac55c334faf3a56e5634905ed6987fc787d4..eee3565979933af707c711411001ba11fe406a3c:/security/mac_internal.h
diff --git a/security/mac_internal.h b/security/mac_internal.h
index e41c429af..4ea01c77a 100644
--- a/security/mac_internal.h
+++ b/security/mac_internal.h
@@ -67,6 +67,10 @@
 #ifndef _SECURITY_MAC_INTERNAL_H_
 #define _SECURITY_MAC_INTERNAL_H_
+#ifndef PRIVATE
+#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
+#endif
+
 #include
 #include
 #include
@@ -75,7 +79,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -113,11 +116,6 @@ struct mac_policy_list {
 typedef struct mac_policy_list mac_policy_list_t;
-/*
- * Darwin functions not properly exported
- */
-extern void kmod_load_early(void); /* defined in libsa/kext.cpp */
-
 /*
  * Policy that has registered with the framework for a specific
  * label namespace name.
@@ -140,47 +138,12 @@ struct mac_label_element {
 LIST_HEAD(mac_label_element_list_t, mac_label_element);
-/*
- * Journal operations
- */
-
-#define MLJ_TYPE_PORT 1
-#define MLJ_TYPE_TASK 2
-
-#define MLJ_PORT_OP_INIT 0x0001
-#define MLJ_PORT_OP_CREATE_K 0x0002
-#define MLJ_PORT_OP_CREATE 0x0004
-#define MLJ_PORT_OP_UPDATE 0x0008
-
-#define MLJ_TASK_OP_INIT 0x0001
-#define MLJ_TASK_OP_CREATE_K 0x0002
-
-struct mac_label_journal {
- struct label *l;
- int type;
- int ops;
-
- int kotype; /* Kernel Port */
-
- TAILQ_ENTRY(mac_label_journal) link;
-};
-TAILQ_HEAD(mac_label_journal_list_t, mac_label_journal);
-
-int mac_label_journal_add (struct label *, int);
-int mac_label_journal_remove(struct label *);
-struct mac_label_journal *
- mac_label_journal_find (struct label *);
-int mac_label_journal (struct label *, int, ...);
-void mac_label_journal_replay(void);
-
-
 /*
  * MAC Framework global variables.
  */
 extern struct mac_label_element_list_t mac_label_element_list;
 extern struct mac_label_element_list_t mac_static_label_element_list;
-extern struct mac_label_journal_list_t mac_label_journal_list;
 extern struct mac_policy_list mac_policy_list;
@@ -189,8 +152,6 @@ extern struct mac_policy_list mac_policy_list;
  * at all in the system.
  */
 extern unsigned int mac_device_enforce;
-extern unsigned int mac_file_enforce;
-extern unsigned int mac_iokit_enforce;
 extern unsigned int mac_pipe_enforce;
 extern unsigned int mac_posixsem_enforce;
 extern unsigned int mac_posixshm_enforce;
@@ -203,24 +164,27 @@ extern unsigned int mac_sysvshm_enforce;
 extern unsigned int mac_vm_enforce;
 extern unsigned int mac_vnode_enforce;
-#if CONFIG_MACF_MACH
-extern unsigned int mac_port_enforce;
-extern unsigned int mac_task_enforce;
-#endif
-
 #if CONFIG_MACF_NET
 extern unsigned int mac_label_mbufs;
 #endif
-static int mac_proc_check_enforce(proc_t p, int enforce_flag);
+extern unsigned int mac_label_vnodes;
+
+static int mac_proc_check_enforce(proc_t p, int enforce_flags);
 static __inline__ int mac_proc_check_enforce(proc_t p, int enforce_flags)
 {
 #if CONFIG_MACF
- return ((p->p_mac_enforce & enforce_flags) != 0);
+#if SECURITY_MAC_CHECK_ENFORCE // 21167099 - only check if we allow write
+ return ((p->p_mac_enforce & enforce_flags) != 0);
+#else
+#pragma unused(p,enforce_flags)
+ return 1;
+#endif // SECURITY_MAC_CHECK_ENFORCE
 #else
+#pragma unused(p,enforce_flags)
 return 0;
-#endif
+#endif // CONFIG_MACF
 }
 static int mac_context_check_enforce(vfs_context_t ctx, int enforce_flags);
@@ -238,12 +202,16 @@ static __inline__ int mac_context_check_enforce(vfs_context_t ctx, int enforce_f
 static __inline__ void mac_context_set_enforce(vfs_context_t ctx, int enforce_flags)
 {
+#if CONFIG_MACF
 proc_t proc = vfs_context_proc(ctx);
 if (proc == NULL)
 return;
 mac_proc_set_enforce(proc, enforce_flags);
+#else
+#pragma unused(ctx,enforce_flags)
+#endif
 }
@@ -270,7 +238,6 @@ int mac_check_structmac_consistent(struct mac *mac);
 #endif
 int mac_cred_label_externalize(struct label *, char *e, char *out, size_t olen, int flags);
-int mac_lctx_label_externalize(struct label *, char *e, char *out, size_t olen);
 #if CONFIG_MACF_SOCKET
 int mac_socket_label_externalize(struct label *, char *e, char *out, size_t olen);
 #endif /* CONFIG_MACF_SOCKET */
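Review bot: In the new `#else` arm of `SECURITY_MAC_CHECK_ENFORCE`, `mac_proc_check_enforce` returns 1 unconditionally, so a process's `p_mac_enforce` bits no longer have any effect and every hook is enforced; the only explanation on the page is the radar number on the `#if` line, which a reader of the header cannot resolve. Suggest a comment on the `#else`, e.g. `/* per-process opt-out disabled: always enforce, regardless of p_mac_enforce */`, so the constant return is not mistaken for a stub. The rewritten declaration just above is plain `static int` while the definition is `static __inline__`; that mismatch predates this change, but since the declaration line is being touched it is a cheap moment to make the two agree.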
@@ -279,7 +246,6 @@ int mac_pipe_label_externalize(struct label *label, char *elements,
 char *outbuf, size_t outbuflen);
 int mac_cred_label_internalize(struct label *label, char *string);
-int mac_lctx_label_internalize(struct label *label, char *string);
 #if CONFIG_MACF_SOCKET
 int mac_socket_label_internalize(struct label *label, char *string);
 #endif /* CONFIG_MACF_SOCKET */
@@ -335,6 +301,44 @@ struct label *mac_mbuf_to_label(struct mbuf *m);
 } \
 } while (0)
+/*
+ * MAC_GRANT performs the designated check by walking the policy
+ * module list and checking with each as to how it feels about the
+ * request. Unlike MAC_CHECK, it grants if any policies return '0',
+ * and otherwise returns EPERM. Note that it returns its value via
+ * 'error' in the scope of the caller.
+ */
+#define MAC_GRANT(check, args...) do { \
+ struct mac_policy_conf *mpc; \
+ u_int i; \
+ \
+ error = EPERM; \
+ for (i = 0; i < mac_policy_list.staticmax; i++) { \
+ mpc = mac_policy_list.entries[i].mpc; \
+ if (mpc == NULL) \
+ continue; \
+ \
+ if (mpc->mpc_ops->mpo_ ## check != NULL) { \
+ if (mpc->mpc_ops->mpo_ ## check (args) == 0) \
+ error = 0; \
+ } \
+ } \
+ if (mac_policy_list_conditional_busy() != 0) { \
+ for (; i <= mac_policy_list.maxindex; i++) { \
+ mpc = mac_policy_list.entries[i].mpc; \
+ if (mpc == NULL) \
+ continue; \
+ \
+ if (mpc->mpc_ops->mpo_ ## check != NULL) { \
+ if (mpc->mpc_ops->mpo_ ## check (args) \
+ == 0) \
+ error = 0; \
+ } \
+ } \
+ mac_policy_list_unbusy(); \
+ } \
+} while (0)
+
 /*
  * MAC_BOOLEAN performs the designated boolean composition by walking
  * the module list, invoking each instance of the operation, and
@@ -414,8 +418,6 @@ struct __mac_get_pid_args;
 struct __mac_get_proc_args;
 struct __mac_set_proc_args;
 struct __mac_get_lcid_args;
-struct __mac_get_lctx_args;
-struct __mac_set_lctx_args;
 struct __mac_get_fd_args;
 struct __mac_get_file_args;
 struct __mac_get_link_args;
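Review bot: MAC_GRANT composes policies as any-grant: a single loaded policy whose `mpo_<check>` returns 0 overrides every other policy's refusal, the inverse of MAC_CHECK, and the new comment does not say when that composition is appropriate; suggest appending `Use MAC_GRANT only for hooks where one policy is authoritative for the request; for checks that every policy must pass, use MAC_CHECK.` The comment should also spell out two behaviours the code already has: when no policy implements the hook `error` stays `EPERM` (denied by default), and neither loop stops at the first 0, so every policy's hook is still invoked after a grant and must tolerate that. The loop structure, including the `mac_policy_list_conditional_busy()` / `mac_policy_list_unbusy()` bracket around the dynamic entries, appears to mirror the existing macros whose tail is visible above the hunk, so no code change is proposed.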