X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/7e41aa883dd258f888d0470250eead40a53ef1f5..b226f5e54a60dc81db17b1260381d7dbfea3cdf1:/security/mac_policy.h diff --git a/security/mac_policy.h b/security/mac_policy.h index aa2658494..a36ebe953 100644 --- a/security/mac_policy.h +++ b/security/mac_policy.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007-2010 Apple Inc. All rights reserved. + * Copyright (c) 2007-2016 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * @@ -89,7 +89,9 @@ struct attrlist; struct auditinfo; struct bpf_d; +struct cs_blob; struct devnode; +struct exception_action; struct fileglob; struct ifnet; struct inpcb; @@ -302,7 +304,7 @@ typedef int mpo_bpfdesc_check_receive_t( @param vnodelabel Label corresponding to vp @param scriptvnodelabel Script vnode label @param execlabel Userspace provided execution label - @param proc Object process + @param p Object process @param macpolicyattr MAC policy-specific spawn attribute data @param macpolicyattrlen Length of policy-specific spawn attribute data @see mac_execve 
@@ -689,6 +691,95 @@ typedef void mpo_devfs_label_update_t( struct vnode *vp, struct label *vnodelabel ); +/** + @brief Access control for sending an exception to an exception action + @param crashlabel The crashing process's label + @param action Exception action + @param exclabel Policy label for exception action + + Determine whether the the exception message caused by the victim + process can be sent to the exception action. The policy may compare + credentials in the crashlabel, which are derived from the process at + the time the exception occurs, with the credentials in the exclabel, + which was set at the time the exception port was set, to determine + its decision. Note that any process from which the policy derived + any credentials may not exist anymore at the time of this policy + operation. Sleeping is permitted. + + @return Return 0 if the message can be sent, otherwise an + appropriate value for errno should be returned. +*/ +typedef int mpo_exc_action_check_exception_send_t( + struct label *crashlabel, + struct exception_action *action, + struct label *exclabel +); +/** + @brief Associate an exception action label + @param action Exception action to label + @param exclabel Policy label to be filled in for exception action + + Set the label on an exception action. +*/ +typedef void mpo_exc_action_label_associate_t( + struct exception_action *action, + struct label *exclabel +); +/** + @brief Destroy exception action label + @param label The label to be destroyed + + Destroy the label on an exception action. Since the object is going + out of scope, policy modules should free any internal storage + associated with the label so that it may be destroyed. Sleeping is + permitted. 
+*/ +typedef void mpo_exc_action_label_destroy_t( + struct label *label +); +/** + @brief Populate an exception action label with process credentials + @param label The label to be populated + @param proc Process to derive credentials from + + Populate a label with credentials derived from a process. At + exception delivery time, the policy should compare credentials of the + process that set an exception ports with the credentials of the + process or corpse that experienced the exception. Note that the + process that set the port may not exist at that time anymore, so + labels should carry copies of live credentials if necessary. +*/ +typedef void mpo_exc_action_label_populate_t( + struct label *label, + struct proc *proc +); +/** + @brief Initialize exception action label + @param label New label to initialize + + Initialize a label for an exception action. Usually performs + policy specific allocations. Sleeping is permitted. +*/ +typedef int mpo_exc_action_label_init_t( + struct label *label +); +/** + @brief Update the label on an exception action + @param action Exception action that the label belongs to (may be + NULL if none) + @param label Policy label to update + @param newlabel New label for update + + Update the credentials of an exception action from the given + label. The policy should copy over any credentials (process and + otherwise) from the new label into the label to update. Must not + sleep, must be quick and can be called with locks held. +*/ +typedef int mpo_exc_action_label_update_t( + struct exception_action *action, + struct label *label, + struct label *newlabel +); /** @brief Access control for changing the offset of a file descriptor @param cred Subject credential 
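Review bot: `mpo_exc_action_label_init_t` and `mpo_exc_action_label_update_t` both return `int`, yet neither doc block has a `@return` line, unlike `mpo_exc_action_check_exception_send_t` in the same hunk; a policy author cannot tell whether a non-zero return aborts the label operation or is ignored. Suggest adding under each, adjusted to what the framework actually does with the value: `@return Return 0 on success, otherwise an appropriate value for errno should be returned.` The `check_exception_send` description also reads "whether the the exception message"; drop the duplicated word.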
@@ -859,6 +950,31 @@ typedef int mpo_file_check_lock_t( int op, struct flock *fl ); +/** + @brief Check with library validation if a macho slice is allowed to be combined into a proc. + @param p Subject process + @param fg Fileglob structure + @param slice_offset offset of the code slice + @param error_message error message returned to user-space in case of error (userspace pointer) + @param error_message_size error message size + + Its a little odd that the MAC/kext writes into userspace since this + implies there is only one MAC module that implements this, however + the alterantive is to allocate memory in xnu, on the hope that + the MAC module will use it, or allocated in the MAC module and then + free it in xnu. Either of these are very appeling, so lets go with + the slightly more hacky way. + + @return Return 0 if access is granted, otherwise an appropriate value for + errno should be returned. +*/ +typedef int mpo_file_check_library_validation_t( + struct proc *p, + struct fileglob *fg, + off_t slice_offset, + user_long_t error_message, + size_t error_message_size +); /** @brief Access control check for mapping a file @param cred Subject credential @@ -1219,8 +1335,6 @@ typedef void mpo_inpcb_label_update_t( /** @brief Device hardware access control @param devtype Type of device connected - @param properties XML-formatted property list - @param proplen Length of the property list This is the MAC Framework device access control, which is called by the I/O Kit when a new device is connected to the system to determine whether that @@ -1244,7 +1358,6 @@ typedef int mpo_iokit_check_device_t( /** @brief Access control check for opening an I/O Kit device @param cred Subject credential - @param device_path Device path @param user_client User client instance @param user_client_type User client type 
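Review bot: `mpo_file_check_library_validation_t` hands the policy a raw userspace pointer (`user_long_t error_message`) plus a caller-supplied `error_message_size`, and the description admits the policy writes through it, but it never says that the write must go through copyout bounded by `error_message_size`, nor who validates that size before the policy uses it. Suggest tightening the parameter text to `@param error_message_size Size of the userspace buffer; the policy must not write more than this many bytes (via copyout) and should NUL-terminate`. The prose also carries several typos ("Its", "alterantive", "appeling"), and "Either of these are very appeling" appears to say the opposite of what is meant.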
@@ -1610,7 +1723,7 @@ typedef int mpo_mbuf_label_init_t( @param cred Subject credential @param mp The mount point @param label Label associated with the mount point - @param com Filesystem-dependent request code; see fsctl(2) + @param cmd Filesystem-dependent request code; see fsctl(2) Determine whether the subject identified by the credential can perform the volume operation indicated by com. @@ -1641,6 +1754,9 @@ typedef int mpo_mount_check_fsctl_t( @return Return 0 if access is granted, otherwise an appropriate value for errno should be returned. + + @note Policies may change the contents of vfa to alter the list of + file system attributes returned. */ typedef int mpo_mount_check_getattr_t( 
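Review bot: The `@param` line is renamed from `com` to `cmd`, but the unchanged context line two lines below still says `the volume operation indicated by com.`, so the description now refers to a parameter name that does not exist. The same stale reference survives in hunk `@@ -3178` (`@param addr` becomes `saddr`, body still says `specified by addr`) and hunk `@@ -4566` (`@param com` becomes `cmd`, body still says `indicated by com`). Rename the words in the descriptions too so the doc and the prototype agree.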
@@ -1688,6 +1804,58 @@ typedef int mpo_mount_check_mount_t( struct componentname *cnp, const char *vfc_name ); +/** + @brief Access control check for fs_snapshot_create + @param cred Subject credential + @mp Filesystem mount point to create snapshot of + @name Name of snapshot to create + + Determine whether the subject identified by the credential can + create a snapshot of the filesystem at the given mount point. + + @return Return 0 if access is granted, otherwise an appropriate value + for errno should be returned. +*/ +typedef int mpo_mount_check_snapshot_create_t( + kauth_cred_t cred, + struct mount *mp, + const char *name +); +/** + @brief Access control check for fs_snapshot_delete + @param cred Subject credential + @mp Filesystem mount point to delete snapshot of + @name Name of snapshot to delete + + Determine whether the subject identified by the credential can + delete the named snapshot from the filesystem at the given + mount point. + + @return Return 0 if access is granted, otherwise an appropriate value + for errno should be returned. +*/ +typedef int mpo_mount_check_snapshot_delete_t( + kauth_cred_t cred, + struct mount *mp, + const char *name +); +/** + @brief Access control check for fs_snapshot_revert + @param cred Subject credential + @mp Filesystem mount point to revert to snapshot + @name Name of snapshot to revert to + + Determine whether the subject identified by the credential can + revert the filesystem at the given mount point to the named snapshot. + + @return Return 0 if access is granted, otherwise an appropriate value + for errno should be returned. +*/ +typedef int mpo_mount_check_snapshot_revert_t( + kauth_cred_t cred, + struct mount *mp, + const char *name +); /** @brief Access control check remounting a filesystem @param cred Subject credential 
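Review bot: The three snapshot hook docs use `@mp` and `@name` instead of `@param mp` and `@param name`; doxygen reports unknown `@` commands and every other hook in this file documents parameters with `@param`. Change each occurrence in `mpo_mount_check_snapshot_create_t`, `mpo_mount_check_snapshot_delete_t` and `mpo_mount_check_snapshot_revert_t` to `@param mp Filesystem mount point ...` and `@param name Name of snapshot ...`.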
@@ -2041,7 +2209,7 @@ typedef int mpo_pipe_check_write_t( @brief Create a pipe label @param cred Subject credential @param cpipe object to be labeled - @param label Label for the pipe object + @param pipelabel Label for the pipe object Create a label for the pipe object being created by the supplied user credential. This call is made when the pipe is being created @@ -2616,7 +2784,7 @@ typedef int mpo_proc_check_set_host_special_port_t( /** @brief Access control check for setting host exception ports. @param cred Subject credential - @param exceptions Exception port to set + @param exception Exception port to set @return Return 0 if access is granted, otherwise an appropriate value for errno should be returned. @@ -2708,19 +2876,6 @@ typedef int mpo_proc_check_ledger_t( struct proc *target, int op ); -/** - @brief Access control check for escaping default CPU usage monitor parameters. - @param cred Subject credential - - Determine if a credential has permission to program CPU usage monitor parameters - that are less restrictive than the global system-wide defaults. - - @return Return 0 if access is granted, otherwise an appropriate value for - errno should be returned. -*/ -typedef int mpo_proc_check_cpumon_t( - kauth_cred_t cred -); /** @brief Access control check for retrieving process information. @param cred Subject credential @@ -2938,6 +3093,19 @@ typedef int mpo_proc_check_wait_t( kauth_cred_t cred, struct proc *proc ); +/** + @brief Inform MAC policies that a process has exited. + @param proc Object process + + Called after all of the process's threads have terminated and + it has been removed from the process list. KPI that identifies + the process by pid will fail to find the process; KPI that + identifies the process by the object process pointer functions + normally. proc_exiting() returns true for the object process. +*/ +typedef void mpo_proc_notify_exit_t( + struct proc *proc +); /** @brief Destroy process label @param label The label to be destroyed 
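Review bot: `mpo_proc_notify_exit_t` (hunk `@@ -2938`) documents the process-lookup state at call time but not the execution context, whereas the other hooks added in this commit state whether sleeping is permitted or locks may be held (`mpo_exc_action_label_update_t`, `mpo_proc_notify_exec_complete_t`); a notification that runs late in exit is exactly where a policy may be tempted to block. Suggest adding one sentence matching the call site, which is not in this diff: either `Sleeping is permitted.` or `Must not sleep; may be called with locks held.`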
@@ -2964,10 +3132,54 @@ typedef void mpo_proc_label_destroy_t( typedef void mpo_proc_label_init_t( struct label *label ); +/** + @brief Access control check for skywalk flow connect + @param cred Subject credential + @param flow Flow object + @param addr Remote address for flow to send data to + @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) + @param protocol Network protocol (e.g. IPPROTO_TCP) + + Determine whether the subject identified by the credential can + create a flow for sending data to the remote host specified by + addr. + + @return Return 0 if access if granted, otherwise an appropriate + value for errno should be returned. +*/ +typedef int mpo_skywalk_flow_check_connect_t( + kauth_cred_t cred, + void *flow, + const struct sockaddr *addr, + int type, + int protocol +); +/** + @brief Access control check for skywalk flow listen + @param cred Subject credential + @param flow Flow object + @param addr Local address for flow to listen on + @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) + @param protocol Network protocol (e.g. IPPROTO_TCP) + + Determine whether the subject identified by the credential can + create a flow for receiving data on the local address specified + by addr. + + @return Return 0 if access if granted, otherwise an appropriate + value for errno should be returned. +*/ +typedef int mpo_skywalk_flow_check_listen_t( + kauth_cred_t cred, + void *flow, + const struct sockaddr *addr, + int type, + int protocol +); /** @brief Access control check for socket accept @param cred Subject credential - @param socket Object socket + @param so Object socket @param socklabel Policy label for socket Determine whether the subject identified by the credential can accept() 
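Review bot: `mpo_skywalk_flow_check_connect_t` and `mpo_skywalk_flow_check_listen_t` take the flow as `void *flow`, which makes them the only hooks in this table with an untyped object handle; every other hook uses a forward-declared opaque struct (this same commit adds `struct cs_blob` and `struct exception_action` at the top of the file), which gives policies type checking for free. Unless the skywalk flow type genuinely cannot be forward-declared here, `struct FLOW_TYPE *flow` (placeholder for the real tag name) would be preferable. Both `@return` lines also read `Return 0 if access if granted`; the second `if` should be `is`.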
@@ -3102,6 +3314,30 @@ typedef int mpo_socket_check_deliver_t( struct mbuf *m, struct label *m_label ); +/** + @brief Access control check for socket ioctl. + @param cred Subject credential + @param so Object socket + @param cmd The ioctl command; see ioctl(2) + @param socklabel Policy label for socket + + Determine whether the subject identified by the credential can perform + the ioctl operation indicated by cmd on the given socket. + + @warning Since ioctl data is opaque from the standpoint of the MAC + framework, and since ioctls can affect many aspects of system + operation, policies must exercise extreme care when implementing + access control checks. + + @return Return 0 if access is granted, otherwise an appropriate value for + errno should be returned. +*/ +typedef int mpo_socket_check_ioctl_t( + kauth_cred_t cred, + socket_t so, + unsigned int cmd, + struct label *socklabel +); /** @brief Access control check for socket kqfilter @param cred Subject credential @@ -3178,9 +3414,9 @@ typedef int mpo_socket_check_receive_t( /** @brief Access control check for socket receive @param cred Subject credential - @param socket Object socket + @param sock Object socket @param socklabel Policy label for socket - @param addr Name of the remote socket + @param saddr Name of the remote socket Determine whether the subject identified by the credential can receive data from the remote host specified by addr. @@ -3605,13 +3841,14 @@ typedef int mpo_system_check_auditon_t( @param cred Subject credential Determine whether the subject identified by the credential can perform - performance-related tasks using the CHUD system call. + performance-related tasks using the CHUD system call. This interface is + deprecated. @return Return 0 if access is granted, otherwise an appropriate value for errno should be returned. */ typedef int mpo_system_check_chud_t( - kauth_cred_t cred + kauth_cred_t cred ); /** @brief Access control check for obtaining the host control port 
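Review bot: `mpo_socket_check_ioctl_t` declares the request as `unsigned int cmd` while ioctl(2)'s request argument is `unsigned long`; if the framework passes the syscall argument straight through, the upper half of the command word is silently dropped on LP64 before the policy sees it, which matters for a hook whose own `@warning` stresses that ioctls are security-sensitive. Whether that narrowing actually happens depends on the caller, which is not in this diff; if it is intended, say so in `@param cmd`, otherwise widen the parameter to `u_long cmd`.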
@@ -3770,7 +4007,7 @@ typedef int mpo_system_check_kas_info_t( /** @brief Create a System V message label @param cred Subject credential - @param msqkptr The message queue the message will be placed in + @param msqptr The message queue the message will be placed in @param msqlabel The label of the message queue @param msgptr The message @param msglabel The label of the message @@ -3822,7 +4059,7 @@ typedef void mpo_sysvmsg_label_recycle_t( @param cred Subject credential @param msgptr The message @param msglabel The message's label - @param msqkptr The message queue + @param msqptr The message queue @param msqlabel The message queue's label Determine whether the subject identified by the credential can add the @@ -3946,7 +4183,7 @@ typedef int mpo_sysvmsq_check_msqsnd_t( /** @brief Create a System V message queue label @param cred Subject credential - @param msqkptr The message queue + @param msqptr The message queue @param msqlabel The label of the message queue */ @@ -4226,7 +4463,7 @@ typedef void mpo_sysvshm_label_recycle_t( /** @brief Access control check for getting a process's task name @param cred Subject credential - @param proc Object process + @param p Object process Determine whether the subject identified by the credential can get the passed process's task name port. @@ -4243,7 +4480,7 @@ typedef int mpo_proc_check_get_task_name_t( /** @brief Access control check for getting a process's task port @param cred Subject credential - @param proc Object process + @param p Object process Determine whether the subject identified by the credential can get the passed process's task control port. @@ -4261,7 +4498,7 @@ typedef int mpo_proc_check_get_task_t( /** @brief Access control check for exposing a process's task port @param cred Subject credential - @param proc Object process + @param p Object process Determine whether the subject identified by the credential can expose the passed process's task control port. 
@@ -4279,7 +4516,7 @@ typedef int mpo_proc_check_expose_task_t( /** @brief Check whether task's IPC may inherit across process exec - @param proc current process instance + @param p current process instance @param cur_vp vnode pointer to current instance @param cur_offset offset of binary of currently executing image @param img_vp vnode pointer to to be exec'ed image @@ -4300,7 +4537,7 @@ typedef int mpo_proc_check_inherit_ipc_ports_t( /** @brief Privilege check for a process to run invalid - @param proc Object process + @param p Object process Determine whether the process may execute even though the system determined that it is untrusted (eg unidentified / modified code). @@ -4312,6 +4549,19 @@ typedef int mpo_proc_check_run_cs_invalid_t( struct proc *p ); +/** + @brief Notification a process is finished with exec and will jump to userspace + @param p Object process + + Notifies all MAC policies that a process has completed an exec and is about to + jump to userspace to continue execution. This may result in process termination + via signals. Hook is designed to hold no/minimal locks so it can be used for any + necessary upcalls. + */ +typedef void mpo_proc_notify_exec_complete_t( + struct proc *p +); + /** @brief Perform MAC-related events when a thread returns to user space @param thread Mach (not BSD) thread that is returning 
@@ -4384,6 +4634,29 @@ typedef int mpo_vnode_check_chroot_t( struct label *dlabel, struct componentname *cnp ); +/** + @brief Access control check for creating clone + @param cred Subject credential + @param dvp Vnode of directory to create the clone in + @param dlabel Policy label associated with dvp + @param vp Vnode of the file to clone from + @param label Policy label associated with vp + @param cnp Component name for the clone being created + + Determine whether the subject identified by the credential should be + allowed to create a clone of the vnode vp with the name specified by cnp. + + @return Return 0 if access is granted, otherwise an appropriate value for + errno should be returned. +*/ +typedef int mpo_vnode_check_clone_t( + kauth_cred_t cred, + struct vnode *dvp, + struct label *dlabel, + struct vnode *vp, + struct label *label, + struct componentname *cnp +); /** @brief Access control check for creating vnode @param cred Subject credential @@ -4457,7 +4730,7 @@ typedef int mpo_vnode_check_exchangedata_t( @param vp Object vnode to execute @param scriptvp Script being executed by interpreter, if any. @param vnodelabel Label corresponding to vp - @param scriptvnodelabel Script vnode label + @param scriptlabel Script vnode label @param execlabel Userspace provided execution label @param cnp Component name for file being executed @param macpolicyattr MAC policy-specific spawn attribute data. 
@@ -4506,13 +4779,34 @@ typedef int mpo_vnode_check_fsgetpath_t( struct label *label ); /** - @brief Access control check after determining the code directory hash - */ -typedef int mpo_vnode_check_signature_t(struct vnode *vp, struct label *label, - off_t macho_offset, unsigned char *sha1, - const void *signature, int size, - int flags, int *is_platform_binary); + @brief Access control check for retrieving file attributes + @param active_cred Subject credential + @param file_cred Credential associated with the struct fileproc + @param vp Object vnode + @param vlabel Policy label for vp + @param va Vnode attributes to retrieve + + Determine whether the subject identified by the credential can + get information about the passed vnode. The active_cred hold + the credentials of the subject performing the operation, and + file_cred holds the credentials of the subject that originally + opened the file. This check happens during stat(), lstat(), + fstat(), and getattrlist() syscalls. See for + definitions of the attributes. + @return Return 0 if access is granted, otherwise an appropriate value for + errno should be returned. + + @note Policies may change the contents of va to alter the list of + file attributes returned. +*/ +typedef int mpo_vnode_check_getattr_t( + kauth_cred_t active_cred, + kauth_cred_t file_cred, /* NULLOK */ + struct vnode *vp, + struct label *vlabel, + struct vnode_attr *va +); /** @brief Access control check for retrieving file attributes @param cred Subject credential @@ -4566,7 +4860,7 @@ typedef int mpo_vnode_check_getextattr_t( @param cred Subject credential @param vp Object vnode @param label Policy label for vp - @param com Device-dependent request code; see ioctl(2) + @param cmd Device-dependent request code; see ioctl(2) Determine whether the subject identified by the credential can perform the ioctl operation indicated by com. 
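Review bot: The new `mpo_vnode_check_getattr_t` marks `file_cred` as `/* NULLOK */` in the prototype, but `@param file_cred Credential associated with the struct fileproc` does not say it can be NULL, even though the description lists stat(), lstat() and getattrlist(), where there is no open file; suggest `@param file_cred Credential associated with the struct fileproc, or NULL when the operation is not through a file descriptor`. The sentence `See for definitions of the attributes.` has lost its reference (probably a header name in angle brackets dropped by the rendering; restoring it needs the original text). The `@brief` also duplicates, word for word, the brief of the existing hook that immediately follows, so the generated index will list two identical entries; appending `via stat/fstat/getattrlist` would distinguish them. Minor: `The active_cred hold` should be `holds`.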
@@ -4587,7 +4881,7 @@ typedef int mpo_vnode_check_ioctl_t( ); /** @brief Access control check for vnode kqfilter - @param cred Subject credential + @param active_cred Subject credential @param kn Object knote @param vp Object vnode @param label Policy label for vp @@ -4667,6 +4961,32 @@ typedef int mpo_vnode_check_listextattr_t( struct vnode *vp, struct label *vlabel ); +/** + @brief Access control check for lookup + @param cred Subject credential + @param dvp Directory vnode + @param dlabel Policy label for dvp + @param path Path being looked up + @param pathlen Length of path in bytes + + Determine whether the subject identified by the credential can perform + a lookup of the passed path relative to the passed directory vnode. + + @return Return 0 if access is granted, otherwise an appropriate value for + errno should be returned. Suggested failure: EACCES for label mismatch or + EPERM for lack of privilege. + + @note The path may contain untrusted input. If approved, lookup proceeds + on the path; if a component is found to be a symlink then this hook is + called again with the updated path. +*/ +typedef int mpo_vnode_check_lookup_preflight_t( + kauth_cred_t cred, + struct vnode *dvp, + struct label *dlabel, + const char *path, + size_t pathlen +); /** @brief Access control check for lookup @param cred Subject credential 
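Review bot: `mpo_vnode_check_lookup_preflight_t` passes `const char *path` together with `size_t pathlen`, and the `@note` says the path is untrusted, but the docs do not say whether `path` is NUL-terminated, whether `pathlen` counts the terminator, or whether embedded NULs can occur — exactly what a policy needs to parse it without reading past the buffer. Suggest `@param pathlen Length of path in bytes, not including the terminating NUL` (or the converse, per the caller, which is not in this diff) and a sentence stating that all parsing must be bounded by `pathlen`.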
@@ -4923,6 +5243,26 @@ typedef int mpo_vnode_check_select_t( struct label *label, int which ); +/** + @brief Access control check for setting ACL + @param cred Subject credential + @param vp Object node + @param label Policy label for vp + @param acl ACL structure pointer + + Determine whether the subject identified by the credential can set an ACL + on the specified vnode. The ACL pointer will be NULL when removing an ACL. + + @return Return 0 if access is granted, otherwise an appropriate value for + errno should be returned. Suggested failure: EACCES for label mismatch or + EPERM for lack of privilege. +*/ +typedef int mpo_vnode_check_setacl_t( + kauth_cred_t cred, + struct vnode *vp, + struct label *label, + struct kauth_acl *acl +); /** @brief Access control check for setting file attributes @param cred Subject credential 
@@ -5059,6 +5399,31 @@ typedef int mpo_vnode_check_setutimes_t( struct timespec atime, struct timespec mtime ); +/** + @brief Access control check after determining the code directory hash + @param vp vnode vnode to combine into proc + @param label label associated with the vnode + @param cpu_type cpu type of the signature being checked + @param cs_blob the code signature to check + @param cs_flags update code signing flags if needed + @param signer_type output parameter for the code signature's signer type + @param flags operational flag to mpo_vnode_check_signature + @param fatal_failure_desc description of fatal failure + @param fatal_failure_desc_len failure description len, failure is fatal if non-0 + + @return Return 0 if access is granted, otherwise an appropriate value for + errno should be returned. + */ +typedef int mpo_vnode_check_signature_t( + struct vnode *vp, + struct label *label, + cpu_type_t cpu_type, + struct cs_blob *cs_blob, + unsigned int *cs_flags, + unsigned int *signer_type, + int flags, + char **fatal_failure_desc, size_t *fatal_failure_desc_len +); /** @brief Access control check for stat @param active_cred Subject credential 
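Review bot: `mpo_vnode_check_signature_t` has out-parameters `char **fatal_failure_desc` and `size_t *fatal_failure_desc_len`, but the docs never say who allocates the description buffer, with which allocator, or who frees it; without that, the policy and the framework will disagree on lifetime, and `fatal_failure_desc_len` additionally doubles as the fatal flag (`failure is fatal if non-0`), which deserves its own sentence. Suggest `@param fatal_failure_desc On return, description allocated by the policy with ALLOCATOR (fill in from the implementation); ownership passes to the caller, which frees it`. Also `@param vp vnode vnode to combine into proc` duplicates a word, and the last two parameters share one line while every other prototype in the file puts one parameter per line.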
@@ -5082,6 +5447,27 @@ typedef int mpo_vnode_check_stat_t( struct vnode *vp, struct label *label ); +/** + @brief Access control check for vnode trigger resolution + @param cred Subject credential + @param dvp Object vnode + @param dlabel Policy label for dvp + @param cnp Component name that triggered resolution + + Determine whether the subject identified by the credential can trigger + resolution of the passed name (cnp) in the passed directory vnode + via an external trigger resolver. + + @return Return 0 if access is granted, otherwise an appropriate value for + errno should be returned. Suggested failure: EACCES for label mismatch or + EPERM for lack of privilege. +*/ +typedef int mpo_vnode_check_trigger_resolve_t( + kauth_cred_t cred, + struct vnode *dvp, + struct label *dlabel, + struct componentname *cnp +); /** @brief Access control check for truncate/ftruncate @param active_cred Subject credential @@ -5133,6 +5519,7 @@ typedef int mpo_vnode_check_uipc_bind_t( @param cred Subject credential @param vp Object vnode @param label Policy label associated with vp + @param so Socket Determine whether the subject identified by the credential can perform a connect operation on the passed UNIX domain socket vnode. @@ -5144,7 +5531,8 @@ typedef int mpo_vnode_check_uipc_bind_t( typedef int mpo_vnode_check_uipc_connect_t( kauth_cred_t cred, struct vnode *vp, - struct label *label + struct label *label, + socket_t so ); /** @brief Access control check for deleting vnode 
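Review bot: `mpo_vnode_check_uipc_connect_t` gains a `socket_t so` parameter documented only as `@param so Socket`; since the hook already involves a vnode that itself stands for a UNIX-domain socket, the doc should say which socket this is — presumably the one performing the connect rather than the listener bound to `vp`, but the call site is not in this diff. Suggest `@param so Socket performing the connect` (or the converse, per the caller).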
@@ -5659,6 +6047,158 @@ typedef void mpo_vnode_notify_link_t( struct componentname *cnp ); +/** + @brief Inform MAC policies that an extended attribute has been removed from a vnode + @param cred Subject credential + @param vp Object node + @param label Policy label for vp + @param name Extended attribute name + + Inform MAC policies that an extended attribute has been removed from a vnode. +*/ +typedef void mpo_vnode_notify_deleteextattr_t( + kauth_cred_t cred, + struct vnode *vp, + struct label *label, + const char *name +); + + +/** + @brief Inform MAC policies that an ACL has been set on a vnode + @param cred Subject credential + @param vp Object node + @param label Policy label for vp + @param acl ACL structure pointer + + Inform MAC policies that an ACL has been set on a vnode. +*/ +typedef void mpo_vnode_notify_setacl_t( + kauth_cred_t cred, + struct vnode *vp, + struct label *label, + struct kauth_acl *acl +); + +/** + @brief Inform MAC policies that an attributes have been set on a vnode + @param cred Subject credential + @param vp Object vnode + @param label Policy label for vp + @param alist List of attributes to set + + Inform MAC policies that an attributes have been set on a vnode. +*/ +typedef void mpo_vnode_notify_setattrlist_t( + kauth_cred_t cred, + struct vnode *vp, + struct label *label, + struct attrlist *alist +); + +/** + @brief Inform MAC policies that an extended attribute has been set on a vnode + @param cred Subject credential + @param vp Object vnode + @param label Policy label for vp + @param name Extended attribute name + @param uio I/O structure pointer + + Inform MAC policies that an extended attribute has been set on a vnode. 
+*/ +typedef void mpo_vnode_notify_setextattr_t( + kauth_cred_t cred, + struct vnode *vp, + struct label *label, + const char *name, + struct uio *uio +); + +/** + @brief Inform MAC policies that flags have been set on a vnode + @param cred Subject credential + @param vp Object vnode + @param label Policy label for vp + @param flags File flags; see chflags(2) + + Inform MAC policies that flags have been set on a vnode. +*/ +typedef void mpo_vnode_notify_setflags_t( + kauth_cred_t cred, + struct vnode *vp, + struct label *label, + u_long flags +); + +/** + @brief Inform MAC policies that a new mode has been set on a vnode + @param cred Subject credential + @param vp Object vnode + @param label Policy label for vp + @param mode File mode; see chmod(2) + + Inform MAC policies that a new mode has been set on a vnode. +*/ +typedef void mpo_vnode_notify_setmode_t( + kauth_cred_t cred, + struct vnode *vp, + struct label *label, + mode_t mode +); + +/** + @brief Inform MAC policies that new uid/gid have been set on a vnode + @param cred Subject credential + @param vp Object vnode + @param label Policy label for vp + @param uid User ID + @param gid Group ID + + Inform MAC policies that new uid/gid have been set on a vnode. +*/ +typedef void mpo_vnode_notify_setowner_t( + kauth_cred_t cred, + struct vnode *vp, + struct label *label, + uid_t uid, + gid_t gid +); + +/** + @brief Inform MAC policies that new timestamps have been set on a vnode + @param cred Subject credential + @param vp Object vnode + @param label Policy label for vp + @param atime Access time; see utimes(2) + @param mtime Modification time; see utimes(2) + + Inform MAC policies that new timestamps have been set on a vnode. 
+*/ +typedef void mpo_vnode_notify_setutimes_t( + kauth_cred_t cred, + struct vnode *vp, + struct label *label, + struct timespec atime, + struct timespec mtime +); + +/** + @brief Inform MAC policies that a vnode has been truncated + @param cred Subject credential + @param file_cred Credential associated with the struct fileproc + @param vp Object vnode + @param label Policy label for vp + + Inform MAC policies that a vnode has been truncated. +*/ +typedef void mpo_vnode_notify_truncate_t( + kauth_cred_t cred, + kauth_cred_t file_cred, + struct vnode *vp, + struct label *label +); + + /** @brief Inform MAC policies that a pty slave has been granted @param p Responsible process 
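Review bot: `mpo_vnode_notify_setattrlist_t` reads `Inform MAC policies that an attributes have been set on a vnode` in both its brief and its body; it should be `that attributes have been set`. More substantively, every description in this hunk merely restates its brief; for `mpo_vnode_notify_setextattr_t` the `@param uio I/O structure pointer` does not say whether the uio has already been consumed by the write (so `uio_resid` is 0 and the value cannot be re-read) or is still positioned at the value, which is what a policy wanting to inspect the attribute needs to know — hedged, since the call site is not in this diff. The `mpo_vnode_notify_truncate_t` `@param file_cred` should also say whether it may be NULL, as `mpo_vnode_check_getattr_t` in this same commit marks with `/* NULLOK */`.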
@@ -5737,56 +6277,6 @@ typedef int mpo_kext_check_query_t( kauth_cred_t cred ); -/** - @brief Access control check for getting NVRAM variables. - @param cred Subject credential - @param name NVRAM variable to get - - Determine whether the subject identifier by the credential can get the - value of the named NVRAM variable. - - @return Return 0 if access is granted, otherwise an appropriate value for - errno should be returned. Suggested failure: EPERM for lack of privilege. -*/ -typedef int mpo_iokit_check_nvram_get_t( - kauth_cred_t cred, - const char *name -); - -/** - @brief Access control check for setting NVRAM variables. - @param cred Subject credential - @param name NVRAM variable to set - @param value The new value for the NVRAM variable - - Determine whether the subject identifier by the credential can set the - value of the named NVRAM variable. - - @return Return 0 if access is granted, otherwise an appropriate value for - errno should be returned. Suggested failure: EPERM for lack of privilege. -*/ -typedef int mpo_iokit_check_nvram_set_t( - kauth_cred_t cred, - const char *name, - io_object_t value -); - -/** - @brief Access control check for deleting NVRAM variables. - @param cred Subject credential - @param name NVRAM variable to delete - - Determine whether the subject identifier by the credential can delete the - named NVRAM variable. - - @return Return 0 if access is granted, otherwise an appropriate value for - errno should be returned. Suggested failure: EPERM for lack of privilege. -*/ -typedef int mpo_iokit_check_nvram_delete_t( - kauth_cred_t cred, - const char *name -); - /* * Placeholder for future events that may need mac hooks. */ 
@@ -5798,7 +6288,7 @@ typedef void mpo_reserved_hook_t(void); * Please note that this should be kept in sync with the check assumptions * policy in bsd/kern/policy_check.c (policy_ops struct). */ -#define MAC_POLICY_OPS_VERSION 39 /* inc when new reserved slots are taken */ +#define MAC_POLICY_OPS_VERSION 55 /* inc when new reserved slots are taken */ struct mac_policy_ops { mpo_audit_check_postselect_t *mpo_audit_check_postselect; mpo_audit_check_preselect_t *mpo_audit_check_preselect; @@ -5873,15 +6363,15 @@ struct mac_policy_ops { mpo_ipq_label_init_t *mpo_ipq_label_init; mpo_ipq_label_update_t *mpo_ipq_label_update; - mpo_reserved_hook_t *mpo_reserved1; - mpo_reserved_hook_t *mpo_reserved2; - mpo_reserved_hook_t *mpo_reserved3; - mpo_reserved_hook_t *mpo_reserved4; - mpo_reserved_hook_t *mpo_reserved5; - mpo_reserved_hook_t *mpo_reserved6; - mpo_reserved_hook_t *mpo_reserved7; - mpo_reserved_hook_t *mpo_reserved8; - mpo_reserved_hook_t *mpo_reserved9; + mpo_file_check_library_validation_t *mpo_file_check_library_validation; + mpo_vnode_notify_setacl_t *mpo_vnode_notify_setacl; + mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist; + mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr; + mpo_vnode_notify_setflags_t *mpo_vnode_notify_setflags; + mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode; + mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner; + mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes; + mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate; mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc; mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet; 
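Review bot: Slots `mpo_reserved1`..`mpo_reserved9` are replaced by real hook pointers with different prototypes, and the same happens in hunks `@@ -5937`, `@@ -6032`, `@@ -6065` and `@@ -6156` (where the removed one-argument `mpo_proc_check_cpumon` slot becomes the five-argument `mpo_vnode_check_lookup_preflight`). That is only safe if `MAC_POLICY_OPS_VERSION` (bumped 39 to 55 just above) is compared at registration and a mismatching policy is refused rather than loaded with the old layout; the comment says the table must stay in sync with `bsd/kern/policy_check.c`, which is not in this diff, so that should be verified as part of this change. A short comment next to each repurposed slot recording the version at which it was taken, e.g. `/* taken in v55 */`, would make future slot accounting easier.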
@@ -5937,24 +6427,25 @@ struct mac_policy_ops {
 mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports;
 mpo_vnode_check_rename_t *mpo_vnode_check_rename;
 mpo_kext_check_query_t *mpo_kext_check_query;
- mpo_iokit_check_nvram_get_t *mpo_iokit_check_nvram_get;
- mpo_iokit_check_nvram_set_t *mpo_iokit_check_nvram_set;
- mpo_iokit_check_nvram_delete_t *mpo_iokit_check_nvram_delete;
+ mpo_proc_notify_exec_complete_t *mpo_proc_notify_exec_complete;
+ mpo_reserved_hook_t *mpo_reserved5;
+ mpo_reserved_hook_t *mpo_reserved6;
 mpo_proc_check_expose_task_t *mpo_proc_check_expose_task;
 mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port;
 mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port;
- mpo_reserved_hook_t *mpo_reserved11;
- mpo_reserved_hook_t *mpo_reserved12;
- mpo_reserved_hook_t *mpo_reserved13;
- mpo_reserved_hook_t *mpo_reserved14;
- mpo_reserved_hook_t *mpo_reserved15;
- mpo_reserved_hook_t *mpo_reserved16;
- mpo_reserved_hook_t *mpo_reserved17;
- mpo_reserved_hook_t *mpo_reserved18;
- mpo_reserved_hook_t *mpo_reserved19;
- mpo_reserved_hook_t *mpo_reserved20;
- mpo_reserved_hook_t *mpo_reserved21;
- mpo_reserved_hook_t *mpo_reserved22;
+ mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send;
+ mpo_exc_action_label_associate_t *mpo_exc_action_label_associate;
+ mpo_exc_action_label_populate_t *mpo_exc_action_label_populate;
+ mpo_exc_action_label_destroy_t *mpo_exc_action_label_destroy;
+ mpo_exc_action_label_init_t *mpo_exc_action_label_init;
+ mpo_exc_action_label_update_t *mpo_exc_action_label_update;
+
+ mpo_vnode_check_trigger_resolve_t *mpo_vnode_check_trigger_resolve;
+ mpo_reserved_hook_t *mpo_reserved1;
+ mpo_reserved_hook_t *mpo_reserved2;
+ mpo_reserved_hook_t *mpo_reserved3;
+ mpo_skywalk_flow_check_connect_t *mpo_skywalk_flow_check_connect;
+ mpo_skywalk_flow_check_listen_t *mpo_skywalk_flow_check_listen;
 mpo_posixsem_check_create_t *mpo_posixsem_check_create;
 mpo_posixsem_check_open_t *mpo_posixsem_check_open;
@@ -6032,7 +6523,7 @@ struct mac_policy_ops {
 mpo_system_check_settime_t *mpo_system_check_settime;
 mpo_system_check_swapoff_t *mpo_system_check_swapoff;
 mpo_system_check_swapon_t *mpo_system_check_swapon;
- mpo_reserved_hook_t *mpo_reserved31;
+ mpo_socket_check_ioctl_t *mpo_socket_check_ioctl;
 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate;
 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy;
@@ -6065,12 +6556,12 @@ struct mac_policy_ops {
 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init;
 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle;
- mpo_reserved_hook_t *mpo_reserved23;
- mpo_reserved_hook_t *mpo_reserved24;
- mpo_reserved_hook_t *mpo_reserved25;
- mpo_reserved_hook_t *mpo_reserved26;
- mpo_reserved_hook_t *mpo_reserved27;
- mpo_reserved_hook_t *mpo_reserved28;
+ mpo_proc_notify_exit_t *mpo_proc_notify_exit;
+ mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert;
+ mpo_vnode_check_getattr_t *mpo_vnode_check_getattr;
+ mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create;
+ mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete;
+ mpo_vnode_check_clone_t *mpo_vnode_check_clone;
 mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info;
 mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info;
@@ -6156,12 +6647,13 @@ struct mac_policy_ops {
 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename;
- mpo_reserved_hook_t *mpo_reserved32;
- mpo_reserved_hook_t *mpo_reserved33;
+ mpo_vnode_check_setacl_t *mpo_vnode_check_setacl;
+
+ mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr;
 mpo_system_check_kas_info_t *mpo_system_check_kas_info;
- mpo_proc_check_cpumon_t *mpo_proc_check_cpumon;
+ mpo_vnode_check_lookup_preflight_t *mpo_vnode_check_lookup_preflight;
 mpo_vnode_notify_open_t *mpo_vnode_notify_open;
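Review bot: The three `mpo_iokit_check_nvram_*` slots are replaced in place by `mpo_proc_notify_exec_complete` and two reserved slots, and the last hunk on this page does the same with `mpo_proc_check_cpumon` becoming `mpo_vnode_check_lookup_preflight`, so offsets that used to hold live access-control hooks now hold callbacks with different signatures. A policy module built against the version-39 layout that still populates those slots would have its old callback invoked with the new hook's arguments unless registration rejects a mismatched `MAC_POLICY_OPS_VERSION`; I assume it does, but nothing in this header says so. If that is the contract, I would state it beside the version macro, e.g. `/* slots of retired hooks are reused in place; a module whose ops version differs must be refused at registration */`, and otherwise leave retired slots as `mpo_reserved_hook_t` until the next version boundary. struct mac_policy_ops begins and ends outside this hunk.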
@@ -6216,9 +6708,9 @@ typedef unsigned int mac_policy_handle_t;
 struct mac_policy_conf {
 const char *mpc_name; /** policy name */
 const char *mpc_fullname; /** full name */
- const char **mpc_labelnames; /** managed label namespaces */
+ char const * const *mpc_labelnames; /** managed label namespaces */
 unsigned int mpc_labelname_count; /** number of managed label namespaces */
- struct mac_policy_ops *mpc_ops; /** operation vector */
+ const struct mac_policy_ops *mpc_ops; /** operation vector */
 int mpc_loadtime_flags; /** load time flags */
 int *mpc_field_off; /** label slot */
 int mpc_runtime_flags; /** run time flags */
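Review bot: `char const * const *mpc_labelnames` is written in a different const style from every other field of this struct (`const char *mpc_name` above it and the new `const struct mac_policy_ops *mpc_ops` two lines below); I would keep the file's convention, `const char *const *mpc_labelnames; /** managed label namespaces */`. Both changes are source-compatible for existing policies, because `const char **` and `struct mac_policy_ops *` convert implicitly to the new types, and that is worth saying in the field comment, e.g. `/** operation vector; may point to a const (read-only) table */`, since letting the ops vector live in read-only memory is presumably the point of adding the qualifier. struct mac_policy_conf continues outside the hunk.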
@@ -6258,6 +6750,46 @@ int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t, size_t *);
 int mac_vnop_removexattr(struct vnode *, const char *);
+/**
+ @brief Set an extended attribute on a vnode-based fileglob.
+ @param fg fileglob representing file to attach the extended attribute
+ @param name extended attribute name
+ @param buf buffer of data to use as the extended attribute value
+ @param len size of buffer
+
+ Sets the value of an extended attribute on a file.
+
+ Caller must hold an iocount on the vnode represented by the fileglob.
+*/
+int mac_file_setxattr(struct fileglob *fg, const char *name, char *buf, size_t len);
+
+/**
+ @brief Get an extended attribute from a vnode-based fileglob.
+ @param fg fileglob representing file to read the extended attribute
+ @param name extended attribute name
+ @param buf buffer of data to hold the extended attribute value
+ @param len size of buffer
+ @param attrlen size of full extended attribute value
+
+ Gets the value of an extended attribute on a file.
+
+ Caller must hold an iocount on the vnode represented by the fileglob.
+*/
+int mac_file_getxattr(struct fileglob *fg, const char *name, char *buf, size_t len,
+ size_t *attrlen);
+
+/**
+ @brief Remove an extended attribute from a vnode-based fileglob.
+ @param fg fileglob representing file to remove the extended attribute
+ @param name extended attribute name
+
+ Removes the named extended attribute from the file.
+
+ Caller must hold an iocount on the vnode represented by the fileglob.
+*/
+int mac_file_removexattr(struct fileglob *fg, const char *name);
+
+
 /*
 * Arbitrary limit on how much data will be logged by the audit
 * entry points above.
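Review bot: `mac_file_setxattr` only reads the value it is handed, yet declares it `char *buf` while the name beside it is `const char *`; unless a callee genuinely needs a writable pointer, I would declare it `int mac_file_setxattr(struct fileglob *fg, const char *name, const char *buf, size_t len);` so callers can pass constant data without a cast. None of the three new prototypes documents its return value or what happens when the fileglob is not vnode-backed, although the hook doc blocks throughout this header spell out the errno convention; add `@return 0 on success, otherwise an errno value` to each and name the error a non-vnode fileglob produces, once confirmed against the implementation. The getxattr block could also say whether `attrlen` is still filled in when `len` is too small for the full value, since that is what a caller sizing a retry buffer needs to know.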