/* * Copyright (c) 2007-2016 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. The rights granted to you under the License * may not be used to create, or enable the creation or redistribution of, * unlawful or unlicensed copies of an Apple operating system, or to * circumvent, violate, or enable the circumvention or violation of, any * terms of an Apple operating system software license agreement. * * Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this file. * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. * * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ */ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005-2007 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. * * This software was developed for the FreeBSD Project in part by Network * Associates Laboratories, the Security Research Division of Network * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $ */ /** * @file mac_policy.h * @brief Kernel Interfaces for MAC policy modules * * This header defines the list of operations that are defined by the * TrustedBSD MAC Framwork on Darwin. MAC Policy modules register * with the framework to declare interest in a specific set of * operations. If interest in an entry point is not declared, then * the policy will be ignored when the Framework evaluates that entry * point. */ #ifndef _SECURITY_MAC_POLICY_H_ #define _SECURITY_MAC_POLICY_H_ #ifndef PRIVATE #warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version" #endif #include #include struct attrlist; struct auditinfo; struct bpf_d; struct cs_blob; struct devnode; struct exception_action; struct fileglob; struct ifnet; struct inpcb; struct ipq; struct label; struct mac_policy_conf; struct mbuf; struct mount; struct msg; struct msqid_kernel; struct pipe; struct pseminfo; struct pshminfo; struct sbuf; struct semid_kernel; struct shmid_kernel; struct socket; struct sockopt; struct task; struct thread; struct tty; struct ucred; struct vfs_attr; struct vnode; struct sockaddr; /** @struct dummy */ /* * proc_ident_t support, see: rdar://problem/58928152 * Should be removed once all dependent parties adopt * proc_ident_t. */ #define MAC_PROC_IDENT_SUPPORT #ifndef _KAUTH_CRED_T #define _KAUTH_CRED_T typedef struct ucred *kauth_cred_t; #endif /* !_KAUTH_CRED_T */ #ifndef __IOKIT_PORTS_DEFINED__ #define __IOKIT_PORTS_DEFINED__ #ifdef __cplusplus class OSObject; typedef OSObject *io_object_t; #else struct OSObject; typedef struct OSObject *io_object_t; #endif #endif /* __IOKIT_PORTS_DEFINED__ */ /*- * MAC entry points are generally named using the following template: * * mpo__() * * or: * * mpo__check_() * * Entry points are sorted by object type. * * It may be desirable also to consider some subsystems as "objects", such * as system, iokit, etc. */ /** * @name Entry Points for Label Management * * These are the entry points corresponding to the life cycle events for * kernel objects, such as initialization, creation, and destruction. * * Most policies (that use labels) will initialize labels by allocating * space for policy-specific data. In most cases, it is permitted to * sleep during label initialization operations; it will be noted when * it is not permitted. * * Initialization usually will not require doing more than allocating a * generic label for the given object. What follows initialization is * creation, where a label is made specific to the object it is associated * with. Destruction occurs when the label is no longer needed, such as * when the corresponding object is destroyed. All necessary cleanup should * be performed in label destroy operations. * * Where possible, the label entry points have identical parameters. If * the policy module does not require structure-specific label * information, the same function may be registered in the policy * operation vector. Many policies will implement two such generic * allocation calls: one to handle sleepable requests, and one to handle * potentially non-sleepable requests. */ /** * @brief Audit event postselection * @param cred Subject credential * @param syscode Syscall number * @param args Syscall arguments * @param error Syscall errno * @param retval Syscall return value * * This is the MAC Framework audit postselect, which is called before * exiting a syscall to determine if an audit event should be committed. * A return value of MAC_AUDIT_NO forces the audit record to be suppressed. * Any other return value results in the audit record being committed. * * @warning The suppression behavior will probably go away in Apple's * future version of the audit implementation. * * @return Return MAC_AUDIT_NO to force suppression of the audit record. * Any other value results in the audit record being committed. * */ typedef int mpo_audit_check_postselect_t( kauth_cred_t cred, unsigned short syscode, void *args, int error, int retval ); /** * @brief Audit event preselection * @param cred Subject credential * @param syscode Syscall number * @param args Syscall arguments * * This is the MAC Framework audit preselect, which is called before a * syscall is entered to determine if an audit event should be created. * If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be * returned. A return value of MAC_AUDIT_NO causes the audit record to * be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants * to defer to the system's existing preselection mechanism. * * When policies return different preferences, the Framework decides what action * to take based on the following policy. If any policy returns MAC_AUDIT_YES, * then create an audit record, else if any policy returns MAC_AUDIT_NO, then * suppress the creations of an audit record, else defer to the system's * existing preselection mechanism. * * @warning The audit implementation in Apple's current version is * incomplete, so the MAC policies have priority over the system's existing * mechanisms. This will probably change in the future version where * the audit implementation is more complete. * * @return Return MAC_AUDIT_YES to force auditing of the syscall, * MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT * to allow auditing mechanisms to determine if the syscall is audited. * */ typedef int mpo_audit_check_preselect_t( kauth_cred_t cred, unsigned short syscode, void *args ); /** * @brief Indicate desire to change the process label at exec time * @param old Existing subject credential * @param vp File being executed * @param offset Offset of binary within file being executed * @param scriptvp Script being executed by interpreter, if any. * @param vnodelabel Label corresponding to vp * @param scriptvnodelabel Script vnode label * @param execlabel Userspace provided execution label * @param p Object process * @param macpolicyattr MAC policy-specific spawn attribute data * @param macpolicyattrlen Length of policy-specific spawn attribute data * @see mac_execve * @see mpo_cred_label_update_execve_t * @see mpo_vnode_check_exec_t * * Indicate whether this policy intends to update the label of a newly * created credential from the existing subject credential (old). This * call occurs when a process executes the passed vnode. If a policy * returns success from this entry point, the mpo_cred_label_update_execve * entry point will later be called with the same parameters. Access * has already been checked via the mpo_vnode_check_exec entry point, * this entry point is necessary to preserve kernel locking constraints * during program execution. * * The supplied vnode and vnodelabel correspond with the file actually * being executed; in the case that the file is interpreted (for * example, a script), the label of the original exec-time vnode has * been preserved in scriptvnodelabel. * * The final label, execlabel, corresponds to a label supplied by a * user space application through the use of the mac_execve system call. * * The vnode lock is held during this operation. No changes should be * made to the old credential structure. * * @warning Even if a policy returns 0, it should behave correctly in * the presence of an invocation of mpo_cred_label_update_execve, as that * call may happen as a result of another policy requesting a transition. * * @return Non-zero if a transition is required, 0 otherwise. */ typedef int mpo_cred_check_label_update_execve_t( kauth_cred_t old, struct vnode *vp, off_t offset, struct vnode *scriptvp, struct label *vnodelabel, struct label *scriptvnodelabel, struct label *execlabel, struct proc *p, void *macpolicyattr, size_t macpolicyattrlen ); /** * @brief Access control check for relabelling processes * @param cred Subject credential * @param newlabel New label to apply to the user credential * @see mpo_cred_label_update_t * @see mac_set_proc * * Determine whether the subject identified by the credential can relabel * itself to the supplied new label (newlabel). This access control check * is called when the mac_set_proc system call is invoked. A user space * application will supply a new value, the value will be internalized * and provided in newlabel. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_cred_check_label_update_t( kauth_cred_t cred, struct label *newlabel ); /** * @brief Access control check for visibility of other subjects * @param u1 Subject credential * @param u2 Object credential * * Determine whether the subject identified by the credential u1 can * "see" other subjects with the passed subject credential u2. This call * may be made in a number of situations, including inter-process status * sysctls used by ps, and in procfs lookups. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch, * EPERM for lack of privilege, or ESRCH to hide visibility. */ typedef int mpo_cred_check_visible_t( kauth_cred_t u1, kauth_cred_t u2 ); /** * @brief Associate a credential with a new process at fork * @param cred credential to inherited by new process * @param proc the new process * * Allow a process to associate the credential with a new * process for reference countng purposes. * NOTE: the credential can be dis-associated in ways other * than exit - so this strategy is flawed - should just * catch label destroy callback. */ typedef void mpo_cred_label_associate_fork_t( kauth_cred_t cred, proc_t proc ); /** * @brief Create the first process * @param cred Subject credential to be labeled * * Create the subject credential of process 0, the parent of all BSD * kernel processes. Policies should update the label in the * previously initialized credential structure. */ typedef void mpo_cred_label_associate_kernel_t( kauth_cred_t cred ); /** * @brief Create a credential label * @param parent_cred Parent credential * @param child_cred Child credential * * Set the label of a newly created credential, most likely using the * information in the supplied parent credential. * * @warning This call is made when crcopy or crdup is invoked on a * newly created struct ucred, and should not be confused with a * process fork or creation event. */ typedef void mpo_cred_label_associate_t( kauth_cred_t parent_cred, kauth_cred_t child_cred ); /** * @brief Create the first process * @param cred Subject credential to be labeled * * Create the subject credential of process 1, the parent of all BSD * user processes. Policies should update the label in the previously * initialized credential structure. This is the 'init' process. */ typedef void mpo_cred_label_associate_user_t( kauth_cred_t cred ); /** * @brief Destroy credential label * @param label The label to be destroyed * * Destroy a user credential label. Since the user credential * is going out of scope, policy modules should free any internal * storage associated with the label so that it may be destroyed. */ typedef void mpo_cred_label_destroy_t( struct label *label ); /** * @brief Externalize a user credential label for auditing * @param label Label to be externalized * @param element_name Name of the label namespace for which labels should be * externalized * @param sb String buffer to be filled with a text representation of the label * * Produce an external representation of the label on a user credential for * inclusion in an audit record. An externalized label consists of a text * representation of the label contents that will be added to the audit record * as part of a text token. Policy-agnostic user space tools will display * this externalized version. * * @return 0 on success, return non-zero if an error occurs while * externalizing the label data. * */ typedef int mpo_cred_label_externalize_audit_t( struct label *label, char *element_name, struct sbuf *sb ); /** * @brief Externalize a user credential label * @param label Label to be externalized * @param element_name Name of the label namespace for which labels should be * externalized * @param sb String buffer to be filled with a text representation of the label * * Produce an external representation of the label on a user * credential. An externalized label consists of a text representation * of the label contents that can be used with user applications. * Policy-agnostic user space tools will display this externalized * version. * * @return 0 on success, return non-zero if an error occurs while * externalizing the label data. * */ typedef int mpo_cred_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb ); /** * @brief Initialize user credential label * @param label New label to initialize * * Initialize the label for a newly instantiated user credential. * Sleeping is permitted. */ typedef void mpo_cred_label_init_t( struct label *label ); /** * @brief Internalize a user credential label * @param label Label to be internalized * @param element_name Name of the label namespace for which the label should * be internalized * @param element_data Text data to be internalized * * Produce a user credential label from an external representation. An * externalized label consists of a text representation of the label * contents that can be used with user applications. Policy-agnostic * user space tools will forward text version to the kernel for * processing by individual policy modules. * * The policy's internalize entry points will be called only if the * policy has registered interest in the label namespace. * * @return 0 on success, Otherwise, return non-zero if an error occurs * while internalizing the label data. * */ typedef int mpo_cred_label_internalize_t( struct label *label, char *element_name, char *element_data ); /** * @brief Update credential at exec time * @param old_cred Existing subject credential * @param new_cred New subject credential to be labeled * @param p Object process. * @param vp File being executed * @param offset Offset of binary within file being executed * @param scriptvp Script being executed by interpreter, if any. * @param vnodelabel Label corresponding to vp * @param scriptvnodelabel Script vnode label * @param execlabel Userspace provided execution label * @param csflags Code signing flags to be set after exec * @param macpolicyattr MAC policy-specific spawn attribute data. * @param macpolicyattrlen Length of policy-specific spawn attribute data. * @see mac_execve * @see mpo_cred_check_label_update_execve_t * @see mpo_vnode_check_exec_t * * Update the label of a newly created credential (new) from the * existing subject credential (old). This call occurs when a process * executes the passed vnode and one of the loaded policy modules has * returned success from the mpo_cred_check_label_update_execve entry point. * Access has already been checked via the mpo_vnode_check_exec entry * point, this entry point is only used to update any policy state. * * The supplied vnode and vnodelabel correspond with the file actually * being executed; in the case that the file is interpreted (for * example, a script), the label of the original exec-time vnode has * been preserved in scriptvnodelabel. * * The final label, execlabel, corresponds to a label supplied by a * user space application through the use of the mac_execve system call. * * If non-NULL, the value pointed to by disjointp will be set to 0 to * indicate that the old and new credentials are not disjoint, or 1 to * indicate that they are. * * The vnode lock is held during this operation. No changes should be * made to the old credential structure. * @return 0 on success, Otherwise, return non-zero if update results in * termination of child. */ typedef int mpo_cred_label_update_execve_t( kauth_cred_t old_cred, kauth_cred_t new_cred, struct proc *p, struct vnode *vp, off_t offset, struct vnode *scriptvp, struct label *vnodelabel, struct label *scriptvnodelabel, struct label *execlabel, u_int *csflags, void *macpolicyattr, size_t macpolicyattrlen, int *disjointp ); /** * @brief Update a credential label * @param cred The existing credential * @param newlabel A new label to apply to the credential * @see mpo_cred_check_label_update_t * @see mac_set_proc * * Update the label on a user credential, using the supplied new label. * This is called as a result of a process relabel operation. Access * control was already confirmed by mpo_cred_check_label_update. */ typedef void mpo_cred_label_update_t( kauth_cred_t cred, struct label *newlabel ); /** * @brief Access control for launching a process with constraints * @param curr_p The new process * @param original_parent_id The pid of the original parent that spawned this process * @param responsible_pid The pid of the responsible process that spawned this process * @param macpolicyattr MAC policy-specific spawn attribute data * @param macpolicyattrlen Length of policy-specific spawn attribute data * @param fatal_failure_desc Description of fatal failure * @param fatal_failure_desc_len Failure description len, failure is fatal if non-0 * * Detemine whether the process being spawned adheres to the launch * constraints (e.g. whether the process is spawned by launchd) and should * be allowed to execute. This call occurs during execve or posix_spawn. * * @return Return 0 if process can be created, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_launch_constraints_t( proc_t curr_p, pid_t original_parent_id, pid_t responsible_pid, void *macpolicyattr, size_t macpolicyattrlen, launch_constraint_data_t lcd, char **fatal_failure_desc, size_t *fatal_failure_desc_len ); /** * @brief Create a new devfs device * @param dev Major and minor numbers of special file * @param de "inode" of new device file * @param label Destination label * @param fullpath Path relative to mount (e.g. /dev) of new device file * * This entry point labels a new devfs device. The label will likely be based * on the path to the device, or the major and minor numbers. * The policy should store an appropriate label into 'label'. */ typedef void mpo_devfs_label_associate_device_t( dev_t dev, struct devnode *de, struct label *label, const char *fullpath ); /** * @brief Create a new devfs directory * @param dirname Name of new directory * @param dirnamelen Length of 'dirname' * @param de "inode" of new directory * @param label Destination label * @param fullpath Path relative to mount (e.g. /dev) of new directory * * This entry point labels a new devfs directory. The label will likely be * based on the path of the new directory. The policy should store an appropriate * label into 'label'. The devfs root directory is labelled in this way. */ typedef void mpo_devfs_label_associate_directory_t( const char *dirname, int dirnamelen, struct devnode *de, struct label *label, const char *fullpath ); /** * @brief Copy a devfs label * @param src Source devfs label * @param dest Destination devfs label * * Copy the label information from src to dest. The devfs file system * often duplicates (splits) existing device nodes rather than creating * new ones. */ typedef void mpo_devfs_label_copy_t( struct label *src, struct label *dest ); /** * @brief Destroy devfs label * @param label The label to be destroyed * * Destroy a devfs entry label. Since the object is going out * of scope, policy modules should free any internal storage associated * with the label so that it may be destroyed. */ typedef void mpo_devfs_label_destroy_t( struct label *label ); /** * @brief Initialize devfs label * @param label New label to initialize * * Initialize the label for a newly instantiated devfs entry. Sleeping * is permitted. */ typedef void mpo_devfs_label_init_t( struct label *label ); /** * @brief Update a devfs label after relabelling its vnode * @param mp Devfs mount point * @param de Affected devfs directory entry * @param delabel Label of devfs directory entry * @param vp Vnode associated with de * @param vnodelabel New label of vnode * * Update a devfs label when its vnode is manually relabelled, * for example with setfmac(1). Typically, this will simply copy * the vnode label into the devfs label. */ typedef void mpo_devfs_label_update_t( struct mount *mp, struct devnode *de, struct label *delabel, struct vnode *vp, struct label *vnodelabel ); /** * @brief Access control for sending an exception to an exception action * @param crashlabel The crashing process's label * @param action Exception action * @param exclabel Policy label for exception action * * Determine whether the the exception message caused by the victim * process can be sent to the exception action. The policy may compare * credentials in the crashlabel, which are derived from the process at * the time the exception occurs, with the credentials in the exclabel, * which was set at the time the exception port was set, to determine * its decision. Note that any process from which the policy derived * any credentials may not exist anymore at the time of this policy * operation. Sleeping is permitted. * * @return Return 0 if the message can be sent, otherwise an * appropriate value for errno should be returned. */ typedef int mpo_exc_action_check_exception_send_t( struct label *crashlabel, struct exception_action *action, struct label *exclabel ); /** * @brief Associate an exception action label * @param action Exception action to label * @param exclabel Policy label to be filled in for exception action * * Set the label on an exception action. */ typedef void mpo_exc_action_label_associate_t( struct exception_action *action, struct label *exclabel ); /** * @brief Destroy exception action label * @param label The label to be destroyed * * Destroy the label on an exception action. Since the object is going * out of scope, policy modules should free any internal storage * associated with the label so that it may be destroyed. Sleeping is * permitted. */ typedef void mpo_exc_action_label_destroy_t( struct label *label ); /** * @brief Populate an exception action label with process credentials * @param label The label to be populated * @param proc Process to derive credentials from * * Populate a label with credentials derived from a process. At * exception delivery time, the policy should compare credentials of the * process that set an exception ports with the credentials of the * process or corpse that experienced the exception. Note that the * process that set the port may not exist at that time anymore, so * labels should carry copies of live credentials if necessary. */ typedef void mpo_exc_action_label_populate_t( struct label *label, struct proc *proc ); /** * @brief Initialize exception action label * @param label New label to initialize * * Initialize a label for an exception action. Usually performs * policy specific allocations. Sleeping is permitted. */ typedef int mpo_exc_action_label_init_t( struct label *label ); /** * @brief Update the label on an exception action * @param action Exception action that the label belongs to (may be * NULL if none) * @param label Policy label to update * @param newlabel New label for update * * Update the credentials of an exception action from the given * label. The policy should copy over any credentials (process and * otherwise) from the new label into the label to update. Must not * sleep, must be quick and can be called with locks held. */ typedef int mpo_exc_action_label_update_t( struct exception_action *action, struct label *label, struct label *newlabel ); /** * @brief Access control for changing the offset of a file descriptor * @param cred Subject credential * @param fg Fileglob structure * @param label Policy label for fg * * Determine whether the subject identified by the credential can * change the offset of the file represented by fg. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_file_check_change_offset_t( kauth_cred_t cred, struct fileglob *fg, struct label *label ); /** * @brief Access control for creating a file descriptor * @param cred Subject credential * * Determine whether the subject identified by the credential can * allocate a new file descriptor. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_file_check_create_t( kauth_cred_t cred ); /** * @brief Access control for duplicating a file descriptor * @param cred Subject credential * @param fg Fileglob structure * @param label Policy label for fg * @param newfd New file descriptor number * * Determine whether the subject identified by the credential can * duplicate the fileglob structure represented by fg and as file * descriptor number newfd. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_file_check_dup_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int newfd ); /** * @brief Access control check for fcntl * @param cred Subject credential * @param fg Fileglob structure * @param label Policy label for fg * @param cmd Control operation to be performed; see fcntl(2) * @param arg fcnt arguments; see fcntl(2) * * Determine whether the subject identified by the credential can perform * the file control operation indicated by cmd. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_file_check_fcntl_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int cmd, user_long_t arg ); /** * @brief Access control check for mac_get_fd * @param cred Subject credential * @param fg Fileglob structure * @param elements Element buffer * @param len Length of buffer * * Determine whether the subject identified by the credential should be allowed * to get an externalized version of the label on the object indicated by fd. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_file_check_get_t( kauth_cred_t cred, struct fileglob *fg, char *elements, size_t len ); /** * @brief Access control for getting the offset of a file descriptor * @param cred Subject credential * @param fg Fileglob structure * @param label Policy label for fg * * Determine whether the subject identified by the credential can * get the offset of the file represented by fg. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_file_check_get_offset_t( kauth_cred_t cred, struct fileglob *fg, struct label *label ); /** * @brief Access control for inheriting a file descriptor * @param cred Subject credential * @param fg Fileglob structure * @param label Policy label for fg * * Determine whether the subject identified by the credential can * inherit the fileglob structure represented by fg. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_file_check_inherit_t( kauth_cred_t cred, struct fileglob *fg, struct label *label ); /** * @brief Access control check for file ioctl * @param cred Subject credential * @param fg Fileglob structure * @param label Policy label for fg * @param cmd The ioctl command; see ioctl(2) * * Determine whether the subject identified by the credential can perform * the ioctl operation indicated by cmd. * * @warning Since ioctl data is opaque from the standpoint of the MAC * framework, policies must exercise extreme care when implementing * access control checks. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. * */ typedef int mpo_file_check_ioctl_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, unsigned long cmd ); /** * @brief Access control check for file locking * @param cred Subject credential * @param fg Fileglob structure * @param label Policy label for fg * @param op The lock operation (F_GETLK, F_SETLK, F_UNLK) * @param fl The flock structure * * Determine whether the subject identified by the credential can perform * the lock operation indicated by op and fl on the file represented by fg. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. * */ typedef int mpo_file_check_lock_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int op, struct flock *fl ); /** * @brief Check with library validation if a Mach-O slice is allowed to be combined into a proc. * @param p Subject process * @param fg Fileglob structure * @param slice_offset offset of the code slice * @param error_message error message returned to user-space in case of error (userspace pointer) * @param error_message_size error message size * * It's a little odd that the MAC/kext writes into userspace since this * implies there is only one MAC module that implements this, however * the alternative is to allocate memory in xnu, in the hope that * the MAC module will use it, or allocate in the MAC module and then * free it in xnu. Neither of these is very appealing, so let's go with * the slightly more hacky way. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_file_check_library_validation_t( struct proc *p, struct fileglob *fg, off_t slice_offset, user_long_t error_message, size_t error_message_size ); /** * @brief Access control check for mapping a file * @param cred Subject credential * @param fg fileglob representing file to map * @param label Policy label associated with vp * @param prot mmap protections; see mmap(2) * @param flags Type of mapped object; see mmap(2) * @param maxprot Maximum rights * * Determine whether the subject identified by the credential should be * allowed to map the file represented by fg with the protections specified * in prot. The maxprot field holds the maximum permissions on the new * mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. * To avoid overriding prior access control checks, a policy should only * remove flags from maxprot. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_file_check_mmap_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int prot, int flags, uint64_t file_pos, int *maxprot ); /** * @brief Downgrade the mmap protections * @param cred Subject credential * @param fg file to map * @param label Policy label associated with vp * @param prot mmap protections to be downgraded * * Downgrade the mmap protections based on the subject and object labels. */ typedef void mpo_file_check_mmap_downgrade_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int *prot ); /** * @brief Access control for receiving a file descriptor * @param cred Subject credential * @param fg Fileglob structure * @param label Policy label for fg * * Determine whether the subject identified by the credential can * receive the fileglob structure represented by fg. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_file_check_receive_t( kauth_cred_t cred, struct fileglob *fg, struct label *label ); /** * @brief Access control check for mac_set_fd * @param cred Subject credential * @param fg Fileglob structure * @param elements Elements buffer * @param len Length of elements buffer * * Determine whether the subject identified by the credential can * perform the mac_set_fd operation. The mac_set_fd operation is used * to associate a MAC label with a file. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_file_check_set_t( kauth_cred_t cred, struct fileglob *fg, char *elements, size_t len ); /** * @brief Inform MAC policies that file is being closed * @param cred Subject credential * @param fg Fileglob structure * @param label Policy label for fg * @param modified Boolean; 1 if file was modified, 0 otherwise * * Called when an open file is being closed, as a result of a call to * close(2), the process exiting, or exec(2) w/O_CLOEXEC set. */ typedef void mpo_file_notify_close_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int modified ); /** * @brief Create file label * @param cred Subject credential * @param fg Fileglob structure * @param label Policy label for fg */ typedef void mpo_file_label_associate_t( kauth_cred_t cred, struct fileglob *fg, struct label *label ); /** * @brief Destroy file label * @param label The label to be destroyed * * Destroy the label on a file descriptor. In this entry point, a * policy module should free any internal storage associated with * label so that it may be destroyed. */ typedef void mpo_file_label_destroy_t( struct label *label ); /** * @brief Initialize file label * @param label New label to initialize */ typedef void mpo_file_label_init_t( struct label *label ); /** * @brief Access control check for opening an I/O Kit device * @param cred Subject credential * @param user_client User client instance * @param user_client_type User client type * * Determine whether the subject identified by the credential can open an * I/O Kit device at the passed path of the passed user client class and * type. This check is performed after instantiating the user client. * See also mpo_iokit_check_open_service_t. * * @return Return 0 if access is granted, or an appropriate value for * errno should be returned. */ typedef int mpo_iokit_check_open_t( kauth_cred_t cred, io_object_t user_client, unsigned int user_client_type ); /** * @brief Access control check for opening an I/O Kit device * @param cred Subject credential * @param service Service instance * @param user_client_type User client type * * Determine whether the subject identified by the credential can open a * I/O Kit user client of the passed service and user client type. * This check is performed before instantiating the user client. See also * mpo_iokit_check_open_t. * * @return Return 0 if access is granted, or an appropriate value for * errno should be returned. */ typedef int mpo_iokit_check_open_service_t( kauth_cred_t cred, io_object_t service, unsigned int user_client_type ); /** * @brief Access control check for setting I/O Kit device properties * @param cred Subject credential * @param entry Target device * @param properties Property list * * Determine whether the subject identified by the credential can set * properties on an I/O Kit device. * * @return Return 0 if access is granted, or an appropriate value for * errno should be returned. */ typedef int mpo_iokit_check_set_properties_t( kauth_cred_t cred, io_object_t entry, io_object_t properties ); /** * @brief Indicate desire to filter I/O Kit devices properties * @param cred Subject credential * @param entry Target device * @see mpo_iokit_check_get_property_t * * Indicate whether this policy may restrict the subject credential * from reading properties of the target device. * If a policy returns success from this entry point, the * mpo_iokit_check_get_property entry point will later be called * for each property that the subject credential tries to read from * the target device. * * This entry point is primarilly to optimize bulk property reads * by skipping calls to the mpo_iokit_check_get_property entry point * for credentials / devices no MAC policy is interested in. * * @warning Even if a policy returns 0, it should behave correctly in * the presence of an invocation of mpo_iokit_check_get_property, as that * call may happen as a result of another policy requesting a transition. * * @return Non-zero if a transition is required, 0 otherwise. */ typedef int mpo_iokit_check_filter_properties_t( kauth_cred_t cred, io_object_t entry ); /** * @brief Access control check for getting I/O Kit device properties * @param cred Subject credential * @param entry Target device * @param name Property name * * Determine whether the subject identified by the credential can get * properties on an I/O Kit device. * * @return Return 0 if access is granted, or an appropriate value for * errno. */ typedef int mpo_iokit_check_get_property_t( kauth_cred_t cred, io_object_t entry, const char *name ); /** * @brief Access control check for software HID control * @param cred Subject credential * * Determine whether the subject identified by the credential can * control the HID (Human Interface Device) subsystem, such as to * post synthetic keypresses, pointer movement and clicks. * * @return Return 0 if access is granted, or an appropriate value for * errno. */ typedef int mpo_iokit_check_hid_control_t( kauth_cred_t cred ); /** * @brief Access control check for fsctl * @param cred Subject credential * @param mp The mount point * @param label Label associated with the mount point * @param cmd Filesystem-dependent request code; see fsctl(2) * * Determine whether the subject identified by the credential can perform * the volume operation indicated by com. * * @warning The fsctl() system call is directly analogous to ioctl(); since * the associated data is opaque from the standpoint of the MAC framework * and since these operations can affect many aspects of system operation, * policies must exercise extreme care when implementing access control checks. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_mount_check_fsctl_t( kauth_cred_t cred, struct mount *mp, struct label *label, unsigned long cmd ); /** * @brief Access control check for the retrieval of file system attributes * @param cred Subject credential * @param mp The mount structure of the file system * @param vfa The attributes requested * * This entry point determines whether given subject can get information * about the given file system. This check happens during statfs() syscalls, * but is also used by other parts within the kernel such as the audit system. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. * * @note Policies may change the contents of vfa to alter the list of * file system attributes returned. */ typedef int mpo_mount_check_getattr_t( kauth_cred_t cred, struct mount *mp, struct label *mp_label, struct vfs_attr *vfa ); /** * @brief Access control check for mount point relabeling * @param cred Subject credential * @param mp Object file system mount point * @param mntlabel Policy label for fle system mount point * * Determine whether the subject identified by the credential can relabel * the mount point. This call is made when a file system mount is updated. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch * or EPERM for lack of privilege. */ typedef int mpo_mount_check_label_update_t( kauth_cred_t cred, struct mount *mp, struct label *mntlabel ); /** * @brief Access control check for mounting a file system * @param cred Subject credential * @param vp Vnode that is to be the mount point * @param vlabel Label associated with the vnode * @param cnp Component name for vp * @param vfc_name Filesystem type name * * Determine whether the subject identified by the credential can perform * the mount operation on the target vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_mount_check_mount_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, struct componentname *cnp, const char *vfc_name ); /** * @brief Access control check for mounting a file system (late) * @param cred Subject credential * @param mp Mount point * * Similar to mpo_mount_check_mount, but occurs after VFS_MOUNT has been * called, making it possible to access mnt_vfsstat.f_mntfromname and other * fields. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_mount_check_mount_late_t( kauth_cred_t cred, struct mount *mp ); /** * @brief Access control check for quotactl * @param cred Subject credential * @param cmd The quotactl command and subcommand; see quotactl(2) * @param id The user or group ID on which cmd will operate * * Determine whether the subject identified by the credential can perform * the quotactl operation indicated by cmd. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_mount_check_quotactl_t( kauth_cred_t cred, struct mount *mp, int cmd, int id ); /** * @brief Access control check for fs_snapshot_create * @param cred Subject credential * @mp Filesystem mount point to create snapshot of * @name Name of snapshot to create * * Determine whether the subject identified by the credential can * create a snapshot of the filesystem at the given mount point. * * @return Return 0 if access is granted, otherwise an appropriate value * for errno should be returned. */ typedef int mpo_mount_check_snapshot_create_t( kauth_cred_t cred, struct mount *mp, const char *name ); /** * @brief Access control check for fs_snapshot_delete * @param cred Subject credential * @mp Filesystem mount point to delete snapshot of * @name Name of snapshot to delete * * Determine whether the subject identified by the credential can * delete the named snapshot from the filesystem at the given * mount point. * * @return Return 0 if access is granted, otherwise an appropriate value * for errno should be returned. */ typedef int mpo_mount_check_snapshot_delete_t( kauth_cred_t cred, struct mount *mp, const char *name ); /** * @brief Access control check for fs_snapshot_mount * @param cred Subject credential * @param rvp Vnode of either the root directory of the * filesystem to mount snapshot of, or the device from * which to mount the snapshot. * @param vp Vnode that is to be the mount point * @param cnp Component name for vp * @param name Name of snapshot to mount * @param vfc_name Filesystem type name * * Determine whether the subject identified by the credential can * mount the named snapshot from the filesystem at the given * directory. * * @return Return 0 if access is granted, otherwise an appropriate value * for errno should be returned. */ typedef int mpo_mount_check_snapshot_mount_t( kauth_cred_t cred, struct vnode *rvp, struct vnode *vp, struct componentname *cnp, const char *name, const char *vfc_name ); /** * @brief Access control check for fs_snapshot_revert * @param cred Subject credential * @mp Filesystem mount point to revert to snapshot * @name Name of snapshot to revert to * * Determine whether the subject identified by the credential can * revert the filesystem at the given mount point to the named snapshot. * * @return Return 0 if access is granted, otherwise an appropriate value * for errno should be returned. */ typedef int mpo_mount_check_snapshot_revert_t( kauth_cred_t cred, struct mount *mp, const char *name ); /** * @brief Access control check remounting a filesystem * @param cred Subject credential * @param mp The mount point * @param mlabel Label currently associated with the mount point * * Determine whether the subject identified by the credential can perform * the remount operation on the target vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_mount_check_remount_t( kauth_cred_t cred, struct mount *mp, struct label *mlabel ); /** * @brief Access control check for the settting of file system attributes * @param cred Subject credential * @param mp The mount structure of the file system * @param vfa The attributes requested * * This entry point determines whether given subject can set information * about the given file system, for example the volume name. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_mount_check_setattr_t( kauth_cred_t cred, struct mount *mp, struct label *mp_label, struct vfs_attr *vfa ); /** * @brief Access control check for file system statistics * @param cred Subject credential * @param mp Object file system mount * @param mntlabel Policy label for mp * * Determine whether the subject identified by the credential can see * the results of a statfs performed on the file system. This call may * be made in a number of situations, including during invocations of * statfs(2) and related calls, as well as to determine what file systems * to exclude from listings of file systems, such as when getfsstat(2) * is invoked. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch * or EPERM for lack of privilege. */ typedef int mpo_mount_check_stat_t( kauth_cred_t cred, struct mount *mp, struct label *mntlabel ); /** * @brief Access control check for unmounting a filesystem * @param cred Subject credential * @param mp The mount point * @param mlabel Label associated with the mount point * * Determine whether the subject identified by the credential can perform * the unmount operation on the target vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_mount_check_umount_t( kauth_cred_t cred, struct mount *mp, struct label *mlabel ); /** * @brief Create mount labels * @param cred Subject credential * @param mp Mount point of file system being mounted * @param mntlabel Label to associate with the new mount point * @see mpo_mount_label_init_t * * Fill out the labels on the mount point being created by the supplied * user credential. This call is made when file systems are first mounted. */ typedef void mpo_mount_label_associate_t( kauth_cred_t cred, struct mount *mp, struct label *mntlabel ); /** * @brief Destroy mount label * @param label The label to be destroyed * * Destroy a file system mount label. Since the * object is going out of scope, policy modules should free any * internal storage associated with the label so that it may be * destroyed. */ typedef void mpo_mount_label_destroy_t( struct label *label ); /** * @brief Externalize a mount point label * @param label Label to be externalized * @param element_name Name of the label namespace for which labels should be * externalized * @param sb String buffer to be filled with a text representation of the label * * Produce an external representation of the mount point label. An * externalized label consists of a text representation of the label * contents that can be used with user applications. Policy-agnostic * user space tools will display this externalized version. * * The policy's externalize entry points will be called only if the * policy has registered interest in the label namespace. * * @return 0 on success, return non-zero if an error occurs while * externalizing the label data. * */ typedef int mpo_mount_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb ); /** * @brief Initialize mount point label * @param label New label to initialize * * Initialize the label for a newly instantiated mount structure. * This label is typically used to store a default label in the case * that the file system has been mounted singlelabel. Since some * file systems do not support persistent labels (extended attributes) * or are read-only (such as CD-ROMs), it is often necessary to store * a default label separately from the label of the mount point * itself. Sleeping is permitted. */ typedef void mpo_mount_label_init_t( struct label *label ); /** * @brief Internalize a mount point label * @param label Label to be internalized * @param element_name Name of the label namespace for which the label should * be internalized * @param element_data Text data to be internalized * * Produce a mount point file system label from an external representation. * An externalized label consists of a text representation of the label * contents that can be used with user applications. Policy-agnostic * user space tools will forward text version to the kernel for * processing by individual policy modules. * * The policy's internalize entry points will be called only if the * policy has registered interest in the label namespace. * * @return 0 on success, Otherwise, return non-zero if an error occurs * while internalizing the label data. * */ typedef int mpo_mount_label_internalize_t( struct label *label, char *element_name, char *element_data ); /** * @brief Access control check for opening an NECP file descriptor * @param cred Subject credential * @param flags Open flags * * Determine whether the subject identified by the credential can open * an NECP file descriptor. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. * */ typedef int mpo_necp_check_open_t( kauth_cred_t cred, int flags ); /** * @brief Access control check for necp_client_action(2) * @param cred Subject credential * @param fg NECP fileglob * @param action NECP client action * * Determine whether the subject identified by the credential can open * an NECP socket. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. * */ typedef int mpo_necp_check_client_action_t( kauth_cred_t cred, struct fileglob *fg, uint32_t action ); /** * @brief Access control check for pipe ioctl * @param cred Subject credential * @param cpipe Object to be accessed * @param pipelabel The label on the pipe * @param cmd The ioctl command; see ioctl(2) * * Determine whether the subject identified by the credential can perform * the ioctl operation indicated by cmd. * * @warning Since ioctl data is opaque from the standpoint of the MAC * framework, policies must exercise extreme care when implementing * access control checks. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. * */ typedef int mpo_pipe_check_ioctl_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel, unsigned long cmd ); /** * @brief Access control check for pipe kqfilter * @param cred Subject credential * @param kn Object knote * @param cpipe Object to be accessed * @param pipelabel Policy label for the pipe * * Determine whether the subject identified by the credential can * receive the knote on the passed pipe. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_pipe_check_kqfilter_t( kauth_cred_t cred, struct knote *kn, struct pipe *cpipe, struct label *pipelabel ); /** * @brief Access control check for pipe read * @param cred Subject credential * @param cpipe Object to be accessed * @param pipelabel The label on the pipe * * Determine whether the subject identified by the credential can * perform a read operation on the passed pipe. The cred object holds * the credentials of the subject performing the operation. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. * */ typedef int mpo_pipe_check_read_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel ); /** * @brief Access control check for pipe select * @param cred Subject credential * @param cpipe Object to be accessed * @param pipelabel The label on the pipe * @param which The operation selected on: FREAD or FWRITE * * Determine whether the subject identified by the credential can * perform a select operation on the passed pipe. The cred object holds * the credentials of the subject performing the operation. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. * */ typedef int mpo_pipe_check_select_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel, int which ); /** * @brief Access control check for pipe stat * @param cred Subject credential * @param cpipe Object to be accessed * @param pipelabel The label on the pipe * * Determine whether the subject identified by the credential can * perform a stat operation on the passed pipe. The cred object holds * the credentials of the subject performing the operation. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. * */ typedef int mpo_pipe_check_stat_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel ); /** * @brief Access control check for pipe write * @param cred Subject credential * @param cpipe Object to be accessed * @param pipelabel The label on the pipe * * Determine whether the subject identified by the credential can * perform a write operation on the passed pipe. The cred object holds * the credentials of the subject performing the operation. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. * */ typedef int mpo_pipe_check_write_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel ); /** * @brief Create a pipe label * @param cred Subject credential * @param cpipe object to be labeled * @param pipelabel Label for the pipe object * * Create a label for the pipe object being created by the supplied * user credential. This call is made when a pipe pair is being created. * The label is shared by both ends of the pipe. */ typedef void mpo_pipe_label_associate_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel ); /** * @brief Destroy pipe label * @param label The label to be destroyed * * Destroy a pipe label. Since the object is going out of scope, * policy modules should free any internal storage associated with the * label so that it may be destroyed. */ typedef void mpo_pipe_label_destroy_t( struct label *label ); /** * @brief Initialize pipe label * @param label New label to initialize * * Initialize label storage for use with a newly instantiated pipe object. * Sleeping is permitted. */ typedef void mpo_pipe_label_init_t( struct label *label ); /** * @brief Policy unload event * @param mpc MAC policy configuration * * This is the MAC Framework policy unload event. This entry point will * only be called if the module's policy configuration allows unload (if * the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't * want to be unloaded; they should set their flags to prevent this * entry point from being called. * * @warning During this call, the mac policy list mutex is held, so * sleep operations cannot be performed, and calls out to other kernel * subsystems must be made with caution. * * @see MPC_LOADTIME_FLAG_UNLOADOK */ typedef void mpo_policy_destroy_t( struct mac_policy_conf *mpc ); /** * @brief Policy initialization event * @param mpc MAC policy configuration * @see mac_policy_register * @see mpo_policy_initbsd_t * * This is the MAC Framework policy initialization event. This entry * point is called during mac_policy_register, when the policy module * is first registered with the MAC Framework. This is often done very * early in the boot process, after the kernel Mach subsystem has been * initialized, but prior to the BSD subsystem being initialized. * Since the kernel BSD services are not yet available, it is possible * that some initialization must occur later, possibly in the * mpo_policy_initbsd_t policy entry point, such as registering BSD system * controls (sysctls). Policy modules loaded at boot time will be * registered and initialized before labeled Mach objects are created. * * @warning During this call, the mac policy list mutex is held, so * sleep operations cannot be performed, and calls out to other kernel * subsystems must be made with caution. */ typedef void mpo_policy_init_t( struct mac_policy_conf *mpc ); /** * @brief Policy BSD initialization event * @param mpc MAC policy configuration * @see mpo_policy_init_t * * This entry point is called after the kernel BSD subsystem has been * initialized. By this point, the module should already be loaded, * registered, and initialized. Since policy modules are initialized * before kernel BSD services are available, this second initialization * phase is necessary. At this point, BSD services (memory management, * synchronization primitives, vfs, etc.) are available, but the first * process has not yet been created. Mach-related objects and tasks * will already be fully initialized and may be in use--policies requiring * ubiquitous labeling may also want to implement mpo_policy_init_t. * * @warning During this call, the mac policy list mutex is held, so * sleep operations cannot be performed, and calls out to other kernel * subsystems must be made with caution. */ typedef void mpo_policy_initbsd_t( struct mac_policy_conf *mpc ); /** * @brief Policy extension service * @param p Calling process * @param call Policy-specific syscall number * @param arg Pointer to syscall arguments * * This entry point provides a policy-multiplexed system call so that * policies may provide additional services to user processes without * registering specific system calls. The policy name provided during * registration is used to demux calls from userland, and the arguments * will be forwarded to this entry point. When implementing new * services, security modules should be sure to invoke appropriate * access control checks from the MAC framework as needed. For * example, if a policy implements an augmented signal functionality, * it should call the necessary signal access control checks to invoke * the MAC framework and other registered policies. * * @warning Since the format and contents of the policy-specific * arguments are unknown to the MAC Framework, modules must perform the * required copyin() of the syscall data on their own. No policy * mediation is performed, so policies must perform any necessary * access control checks themselves. If multiple policies are loaded, * they will currently be unable to mediate calls to other policies. * * @return In the event of an error, an appropriate value for errno * should be returned, otherwise return 0 upon success. */ typedef int mpo_policy_syscall_t( struct proc *p, int call, user_addr_t arg ); /** * @brief Access control check for POSIX semaphore create * @param cred Subject credential * @param name String name of the semaphore * * Determine whether the subject identified by the credential can create * a POSIX semaphore specified by name. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_posixsem_check_create_t( kauth_cred_t cred, const char *name ); /** * @brief Access control check for POSIX semaphore open * @param cred Subject credential * @param ps Pointer to semaphore information structure * @param semlabel Label associated with the semaphore * * Determine whether the subject identified by the credential can open * the named POSIX semaphore with label semlabel. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_posixsem_check_open_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel ); /** * @brief Access control check for POSIX semaphore post * @param cred Subject credential * @param ps Pointer to semaphore information structure * @param semlabel Label associated with the semaphore * * Determine whether the subject identified by the credential can unlock * the named POSIX semaphore with label semlabel. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_posixsem_check_post_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel ); /** * @brief Access control check for POSIX semaphore unlink * @param cred Subject credential * @param ps Pointer to semaphore information structure * @param semlabel Label associated with the semaphore * @param name String name of the semaphore * * Determine whether the subject identified by the credential can remove * the named POSIX semaphore with label semlabel. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_posixsem_check_unlink_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel, const char *name ); /** * @brief Access control check for POSIX semaphore wait * @param cred Subject credential * @param ps Pointer to semaphore information structure * @param semlabel Label associated with the semaphore * * Determine whether the subject identified by the credential can lock * the named POSIX semaphore with label semlabel. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_posixsem_check_wait_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel ); /** * @brief Create a POSIX semaphore label * @param cred Subject credential * @param ps Pointer to semaphore information structure * @param semlabel Label to associate with the new semaphore * @param name String name of the semaphore * * Label a new POSIX semaphore. The label was previously * initialized and associated with the semaphore. At this time, an * appropriate initial label value should be assigned to the object and * stored in semalabel. */ typedef void mpo_posixsem_label_associate_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel, const char *name ); /** * @brief Destroy POSIX semaphore label * @param label The label to be destroyed * * Destroy a POSIX semaphore label. Since the object is * going out of scope, policy modules should free any internal storage * associated with the label so that it may be destroyed. */ typedef void mpo_posixsem_label_destroy_t( struct label *label ); /** * @brief Initialize POSIX semaphore label * @param label New label to initialize * * Initialize the label for a newly instantiated POSIX semaphore. Sleeping * is permitted. */ typedef void mpo_posixsem_label_init_t( struct label *label ); /** * @brief Access control check for POSIX shared memory region create * @param cred Subject credential * @param name String name of the shared memory region * * Determine whether the subject identified by the credential can create * the POSIX shared memory region referenced by name. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_posixshm_check_create_t( kauth_cred_t cred, const char *name ); /** * @brief Access control check for mapping POSIX shared memory * @param cred Subject credential * @param ps Pointer to shared memory information structure * @param shmlabel Label associated with the shared memory region * @param prot mmap protections; see mmap(2) * @param flags shmat flags; see shmat(2) * * Determine whether the subject identified by the credential can map * the POSIX shared memory segment associated with shmlabel. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_posixshm_check_mmap_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, int prot, int flags ); /** * @brief Access control check for POSIX shared memory region open * @param cred Subject credential * @param ps Pointer to shared memory information structure * @param shmlabel Label associated with the shared memory region * @param fflags shm_open(2) open flags ('fflags' encoded) * * Determine whether the subject identified by the credential can open * the POSIX shared memory region. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_posixshm_check_open_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, int fflags ); /** * @brief Access control check for POSIX shared memory stat * @param cred Subject credential * @param ps Pointer to shared memory information structure * @param shmlabel Label associated with the shared memory region * * Determine whether the subject identified by the credential can obtain * status for the POSIX shared memory segment associated with shmlabel. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_posixshm_check_stat_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel ); /** * @brief Access control check for POSIX shared memory truncate * @param cred Subject credential * @param ps Pointer to shared memory information structure * @param shmlabel Label associated with the shared memory region * @param len Length to truncate or extend shared memory segment * * Determine whether the subject identified by the credential can truncate * or extend (to len) the POSIX shared memory segment associated with shmlabel. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_posixshm_check_truncate_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, off_t len ); /** * @brief Access control check for POSIX shared memory unlink * @param cred Subject credential * @param ps Pointer to shared memory information structure * @param shmlabel Label associated with the shared memory region * @param name String name of the shared memory region * * Determine whether the subject identified by the credential can delete * the POSIX shared memory segment associated with shmlabel. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_posixshm_check_unlink_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, const char *name ); /** * @brief Create a POSIX shared memory region label * @param cred Subject credential * @param ps Pointer to shared memory information structure * @param shmlabel Label to associate with the new shared memory region * @param name String name of the shared memory region * * Label a new POSIX shared memory region. The label was previously * initialized and associated with the shared memory region. At this * time, an appropriate initial label value should be assigned to the * object and stored in shmlabel. */ typedef void mpo_posixshm_label_associate_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, const char *name ); /** * @brief Destroy POSIX shared memory label * @param label The label to be destroyed * * Destroy a POSIX shared memory region label. Since the * object is going out of scope, policy modules should free any * internal storage associated with the label so that it may be * destroyed. */ typedef void mpo_posixshm_label_destroy_t( struct label *label ); /** * @brief Initialize POSIX Shared Memory region label * @param label New label to initialize * * Initialize the label for newly a instantiated POSIX Shared Memory * region. Sleeping is permitted. */ typedef void mpo_posixshm_label_init_t( struct label *label ); /** * @brief Access control check for privileged operations * @param cred Subject credential * @param priv Requested privilege (see sys/priv.h) * * Determine whether the subject identified by the credential can perform * a privileged operation. Privileged operations are allowed if the cred * is the superuser or any policy returns zero for mpo_priv_grant, unless * any policy returns nonzero for mpo_priv_check. * * @return Return 0 if access is granted, otherwise EPERM should be returned. */ typedef int mpo_priv_check_t( kauth_cred_t cred, int priv ); /** * @brief Grant regular users the ability to perform privileged operations * @param cred Subject credential * @param priv Requested privilege (see sys/priv.h) * * Determine whether the subject identified by the credential should be * allowed to perform a privileged operation that in the absense of any * MAC policy it would not be able to perform. Privileged operations are * allowed if the cred is the superuser or any policy returns zero for * mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check. * * Unlike other MAC hooks which can only reduce the privilege of a * credential, this hook raises the privilege of a credential when it * returns 0. Extreme care must be taken when implementing this hook to * avoid undermining the security of the system. * * @return Return 0 if additional privilege is granted, otherwise EPERM * should be returned. */ typedef int mpo_priv_grant_t( kauth_cred_t cred, int priv ); /** * @brief Access control over process core dumps * @param proc Subject process * * Determine whether a core dump may be written to disk for the subject * identified. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_dump_core_t( struct proc *proc ); /** * @brief Access control over remote thread creation * @param cred Subject credential * @param proc Object process * @param flavor Flavor of thread state passed in new_state, or -1 * @param new_state Thread state to be set on the created thread, or NULL * @param new_state_count Size of thread state, in natural_t units, or 0 * * Determine whether the subject can create a thread in the object process * by calling the thread_create or thread_create_running MIG routines on * another process' task port. For thread_create_running, the flavor, * new_state and new_state_count arguments are passed here before they are * converted and checked by machine-dependent code. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_remote_thread_create_t( kauth_cred_t cred, struct proc *proc, int flavor, thread_state_t new_state, mach_msg_type_number_t new_state_count ); /** * @brief Access control check for debugging process * @param cred Subject credential * @param pident Object unique process identifier * * Determine whether the subject identified by the credential can debug * the passed process. This call may be made in a number of situations, * including use of the ptrace(2) and ktrace(2) APIs, as well as for some * types of procfs operations. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch, * EPERM for lack of privilege, or ESRCH to hide visibility of the target. */ typedef int mpo_proc_check_debug_t( kauth_cred_t cred, struct proc_ident *pident ); /** * @brief Access control over fork * @param cred Subject credential * @param proc Subject process trying to fork * * Determine whether the subject identified is allowed to fork. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_fork_t( kauth_cred_t cred, struct proc *proc ); /** * @brief Access control check for setting host special ports. * @param cred Subject credential * @param id The host special port to set * @param port The new value to set for the special port * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_set_host_special_port_t( kauth_cred_t cred, int id, struct ipc_port *port ); /** * @brief Access control check for setting host exception ports. * @param cred Subject credential * @param exception Exception port to set * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_set_host_exception_port_t( kauth_cred_t cred, unsigned int exception ); /** * @brief Access control check for getting task special ports. * @param cred Subject credential * @param pident Object unique process identifier, NULL if target is a corpse task * @param which The task special port to get * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_get_task_special_port_t( kauth_cred_t cred, struct proc_ident *pident, int which ); /** * @brief Access control check for setting task special ports. * @param cred Subject credential * @param pident Object unique process identifier * @param which The task special port to set * @param port The new value to set for the special port * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_set_task_special_port_t( kauth_cred_t cred, struct proc_ident *pident, int which, struct ipc_port *port ); /** * @brief Access control check for getting movable task/thread control port for current task. * @param cred Subject credential * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_get_movable_control_port_t( kauth_cred_t cred ); /** * @brief Access control check for calling task_dyld_process_info_notify_register * and task_dyld_process_info_notify_deregister. * @param cred Subject credential * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_dyld_process_info_notify_register_t( kauth_cred_t cred ); /** * @brief Access control over pid_suspend, pid_resume and family * @param cred Subject credential * @param proc Object process * @param sr Type of call; one of MAC_PROC_CHECK_SUSPEND, * MAC_PROC_CHECK_RESUME, MAC_PROC_CHECK_HIBERNATE, * MAC_PROC_CHECK_SHUTDOWN_SOCKETS or MAC_PROC_CHECK_PIDBIND. * * Determine whether the subject identified is allowed to call pid_suspend, * pid_resume, pid_hibernate, pid_shutdown_sockets, * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_DEVSTATUS) or * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_PIDBIND) on * the object process. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_suspend_resume_t( kauth_cred_t cred, struct proc *proc, int sr ); /** * @brief Access control check for retrieving audit information * @param cred Subject credential * * Determine whether the subject identified by the credential can get * audit information such as the audit user ID, the preselection mask, * the terminal ID and the audit session ID, using the getaudit() system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_getaudit_t( kauth_cred_t cred ); /** * @brief Access control check for retrieving audit user ID * @param cred Subject credential * * Determine whether the subject identified by the credential can get * the user identity being used by the auditing system, using the getauid() * system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_getauid_t( kauth_cred_t cred ); /** * @brief Access control check for retrieving ledger information * @param cred Subject credential * @param target Object process * @param op ledger operation * * Determine if ledger(2) system call is permitted. * * Information returned by this system call is similar to that returned via * process listings etc. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_ledger_t( kauth_cred_t cred, struct proc *target, int op ); /** * @brief Access control check for retrieving process information. * @param cred Subject credential * @param target Target process (may be null, may be zombie) * * Determine if a credential has permission to access process information as defined * by call number and flavor on target process * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_proc_info_t( kauth_cred_t cred, struct proc *target, int callnum, int flavor ); /** * @brief Access control check for retrieving code signing information. * @param cred Subject credential * @param target Target process * @param op Code signing operation being performed * * Determine whether the subject identified by the credential should be * allowed to get code signing information about the target process. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_get_cs_info_t( kauth_cred_t cred, struct proc *target, unsigned int op ); /** * @brief Access control check for setting code signing information. * @param cred Subject credential * @param target Target process * @param op Code signing operation being performed. * * Determine whether the subject identified by the credential should be * allowed to set code signing information about the target process. * * @return Return 0 if permission is granted, otherwise an appropriate * value of errno should be returned. */ typedef int mpo_proc_check_set_cs_info_t( kauth_cred_t cred, struct proc *target, unsigned int op ); /** * @brief Access control check for mmap MAP_ANON * @param proc User process requesting the memory * @param cred Subject credential * @param u_addr Start address of the memory range * @param u_size Length address of the memory range * @param prot mmap protections; see mmap(2) * @param flags Type of mapped object; see mmap(2) * @param maxprot Maximum rights * * Determine whether the subject identified by the credential should be * allowed to obtain anonymous memory using the specified flags and * protections on the new mapping. MAP_ANON will always be present in the * flags. Certain combinations of flags with a non-NULL addr may * cause a mapping to be rejected before this hook is called. The maxprot field * holds the maximum permissions on the new mapping, a combination of * VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior * access control checks, a policy should only remove flags from maxprot. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EPERM for lack of privilege. */ typedef int mpo_proc_check_map_anon_t( struct proc *proc, kauth_cred_t cred, user_addr_t u_addr, user_size_t u_size, int prot, int flags, int *maxprot ); /** * @brief Access control check for memorystatus_control(2) * @param cred Subject credential * @param command Memory status control command * @param pid Target process id, or 0 * * Determine whether the subject identified by the credential should * be allowed to issue the specified memorystatus control command. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_memorystatus_control_t( kauth_cred_t cred, int32_t command, pid_t pid ); /** * @brief Access control check for setting memory protections * @param cred Subject credential * @param proc User process requesting the change * @param addr Start address of the memory range * @param size Length address of the memory range * @param prot Memory protections, see mmap(2) * * Determine whether the subject identified by the credential should * be allowed to set the specified memory protections on memory mapped * in the process proc. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_mprotect_t( kauth_cred_t cred, struct proc *proc, user_addr_t addr, user_size_t size, int prot ); /** * @brief Access control check for changing scheduling parameters * @param cred Subject credential * @param proc Object process * * Determine whether the subject identified by the credential can change * the scheduling parameters of the passed process. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch, * EPERM for lack of privilege, or ESRCH to limit visibility. */ typedef int mpo_proc_check_sched_t( kauth_cred_t cred, struct proc *proc ); /** * @brief Access control check for setting audit information * @param cred Subject credential * @param ai Audit information * * Determine whether the subject identified by the credential can set * audit information such as the the preselection mask, the terminal ID * and the audit session ID, using the setaudit() system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_setaudit_t( kauth_cred_t cred, struct auditinfo_addr *ai ); /** * @brief Access control check for setting audit user ID * @param cred Subject credential * @param auid Audit user ID * * Determine whether the subject identified by the credential can set * the user identity used by the auditing system, using the setauid() * system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_setauid_t( kauth_cred_t cred, uid_t auid ); /** * @brief Access control check for delivering signal * @param cred Subject credential * @param proc Object process * @param signum Signal number; see kill(2) * * Determine whether the subject identified by the credential can deliver * the passed signal to the passed process. * * @warning Programs typically expect to be able to send and receive * signals as part or their normal process lifecycle; caution should be * exercised when implementing access controls over signal events. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch, * EPERM for lack of privilege, or ESRCH to limit visibility. */ typedef int mpo_proc_check_signal_t( kauth_cred_t cred, struct proc *proc, int signum ); /** * @brief Access control check for MAC syscalls. * @param proc Subject process * @param policy MAC policy name * @param callnum MAC policy-specific syscall number * * Determine whether the subject process can perform the passed MAC syscall. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EPERM for lack of privilege. */ typedef int mpo_proc_check_syscall_mac_t( struct proc *proc, const char *policy, int callnum ); /** * @brief Access control check for Unix syscalls. * @param proc Subject process * @param scnum Syscall number; see bsd/kern/syscalls.master. * * Determine whether the subject process can perform the passed syscall (number). * * @warning Programs typically expect to be able to make syscalls as part of * their normal process lifecycle; caution should be exercised when restricting * which syscalls a process can perform. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EPERM for lack of privilege. */ typedef int mpo_proc_check_syscall_unix_t( struct proc *proc, int scnum ); /** * @brief Access control check for wait * @param cred Subject credential * @param proc Object process * * Determine whether the subject identified by the credential can wait * for process termination. * * @warning Caution should be exercised when implementing access * controls for wait, since programs often wait for child processes to * exit. Failure to be notified of a child process terminating may * cause the parent process to hang, or may produce zombie processes. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_wait_t( kauth_cred_t cred, struct proc *proc ); /** * @brief Inform MAC policies that a process has exited. * @param proc Object process * * Called after all of the process's threads have terminated and * it has been removed from the process list. KPI that identifies * the process by pid will fail to find the process; KPI that * identifies the process by the object process pointer functions * normally. proc_exiting() returns true for the object process. */ typedef void mpo_proc_notify_exit_t( struct proc *proc ); /** * @brief Access control check for skywalk flow connect * @param cred Subject credential * @param flow Flow object * @param addr Remote address for flow to send data to * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) * @param protocol Network protocol (e.g. IPPROTO_TCP) * * Determine whether the subject identified by the credential can * create a flow for sending data to the remote host specified by * addr. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_skywalk_flow_check_connect_t( kauth_cred_t cred, void *flow, const struct sockaddr *addr, int type, int protocol ); /** * @brief Access control check for skywalk flow listen * @param cred Subject credential * @param flow Flow object * @param addr Local address for flow to listen on * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) * @param protocol Network protocol (e.g. IPPROTO_TCP) * * Determine whether the subject identified by the credential can * create a flow for receiving data on the local address specified * by addr. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_skywalk_flow_check_listen_t( kauth_cred_t cred, void *flow, const struct sockaddr *addr, int type, int protocol ); /** * @brief Access control check for socket accept * @param cred Subject credential * @param so Object socket * @param socklabel Policy label for socket * * Determine whether the subject identified by the credential can accept() * a new connection on the socket from the host specified by addr. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_socket_check_accept_t( kauth_cred_t cred, socket_t so, struct label *socklabel ); /** * @brief Access control check for a pending socket accept * @param cred Subject credential * @param so Object socket * @param socklabel Policy label for socket * @param addr Address of the listening socket (coming soon) * * Determine whether the subject identified by the credential can accept() * a pending connection on the socket from the host specified by addr. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_socket_check_accepted_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockaddr *addr ); /** * @brief Access control check for socket bind * @param cred Subject credential * @param so Object socket * @param socklabel Policy label for socket * @param addr Name to assign to the socket * * Determine whether the subject identified by the credential can bind() * the name (addr) to the socket. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_socket_check_bind_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockaddr *addr ); /** * @brief Access control check for socket connect * @param cred Subject credential * @param so Object socket * @param socklabel Policy label for socket * @param addr Name to assign to the socket * * Determine whether the subject identified by the credential can * connect() the passed socket to the remote host specified by addr. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_socket_check_connect_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockaddr *addr ); /** * @brief Access control check for socket() system call. * @param cred Subject credential * @param domain communication domain * @param type socket type * @param protocol socket protocol * * Determine whether the subject identified by the credential can * make the socket() call. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_socket_check_create_t( kauth_cred_t cred, int domain, int type, int protocol ); /** * @brief Access control check for socket ioctl. * @param cred Subject credential * @param so Object socket * @param cmd The ioctl command; see ioctl(2) * @param socklabel Policy label for socket * * Determine whether the subject identified by the credential can perform * the ioctl operation indicated by cmd on the given socket. * * @warning Since ioctl data is opaque from the standpoint of the MAC * framework, and since ioctls can affect many aspects of system * operation, policies must exercise extreme care when implementing * access control checks. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_socket_check_ioctl_t( kauth_cred_t cred, socket_t so, unsigned long cmd, struct label *socklabel ); /** * @brief Access control check for socket listen * @param cred Subject credential * @param so Object socket * @param socklabel Policy label for socket * * Determine whether the subject identified by the credential can * listen() on the passed socket. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_socket_check_listen_t( kauth_cred_t cred, socket_t so, struct label *socklabel ); /** * @brief Access control check for socket receive * @param cred Subject credential * @param so Object socket * @param socklabel Policy label for socket * * Determine whether the subject identified by the credential can * receive data from the socket. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_socket_check_receive_t( kauth_cred_t cred, socket_t so, struct label *socklabel ); /** * @brief Access control check for socket receive * @param cred Subject credential * @param sock Object socket * @param socklabel Policy label for socket * @param saddr Name of the remote socket * * Determine whether the subject identified by the credential can * receive data from the remote host specified by addr. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_socket_check_received_t( kauth_cred_t cred, struct socket *sock, struct label *socklabel, struct sockaddr *saddr ); /** * @brief Access control check for socket send * @param cred Subject credential * @param so Object socket * @param socklabel Policy label for socket * @param addr Address being sent to * * Determine whether the subject identified by the credential can send * data to the socket. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_socket_check_send_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockaddr *addr ); /** * @brief Access control check for retrieving socket status * @param cred Subject credential * @param so Object socket * @param socklabel Policy label for so * * Determine whether the subject identified by the credential can * execute the stat() system call on the given socket. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_socket_check_stat_t( kauth_cred_t cred, socket_t so, struct label *socklabel ); /** * @brief Access control check for setting socket options * @param cred Subject credential * @param so Object socket * @param socklabel Policy label for so * @param sopt The options being set * * Determine whether the subject identified by the credential can * execute the setsockopt system call on the given socket. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_socket_check_setsockopt_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockopt *sopt ); /** * @brief Access control check for getting socket options * @param cred Subject credential * @param so Object socket * @param socklabel Policy label for so * @param sopt The options to get * * Determine whether the subject identified by the credential can * execute the getsockopt system call on the given socket. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_socket_check_getsockopt_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockopt *sopt ); /** * @brief Access control check for enabling accounting * @param cred Subject credential * @param vp Accounting file * @param vlabel Label associated with vp * * Determine whether the subject should be allowed to enable accounting, * based on its label and the label of the accounting log file. See * acct(5) for more information. * * As accounting is disabled by passing NULL to the acct(2) system call, * the policy should be prepared for both 'vp' and 'vlabel' to be NULL. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_system_check_acct_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel ); /** * @brief Access control check for audit * @param cred Subject credential * @param record Audit record * @param length Audit record length * * Determine whether the subject identified by the credential can submit * an audit record for inclusion in the audit log via the audit() system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_system_check_audit_t( kauth_cred_t cred, void *record, int length ); /** * @brief Access control check for controlling audit * @param cred Subject credential * @param vp Audit file * @param vl Label associated with vp * * Determine whether the subject should be allowed to enable auditing using * the auditctl() system call, based on its label and the label of the proposed * audit file. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_system_check_auditctl_t( kauth_cred_t cred, struct vnode *vp, struct label *vl ); /** * @brief Access control check for manipulating auditing * @param cred Subject credential * @param cmd Audit control command * * Determine whether the subject identified by the credential can perform * the audit subsystem control operation cmd via the auditon() system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_system_check_auditon_t( kauth_cred_t cred, int cmd ); /** * @brief Access control check for obtaining the host control port * @param cred Subject credential * * Determine whether the subject identified by the credential can * obtain the host control port. * * @return Return 0 if access is granted, or non-zero otherwise. */ typedef int mpo_system_check_host_priv_t( kauth_cred_t cred ); /** * @brief Access control check for obtaining system information * @param cred Subject credential * @param info_type A description of the information requested * * Determine whether the subject identified by the credential should be * allowed to obtain information about the system. * * This is a generic hook that can be used in a variety of situations where * information is being returned that might be considered sensitive. * Rather than adding a new MAC hook for every such interface, this hook can * be called with a string identifying the type of information requested. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_system_check_info_t( kauth_cred_t cred, const char *info_type ); /** * @brief Access control check for calling NFS services * @param cred Subject credential * * Determine whether the subject identified by the credential should be * allowed to call nfssrv(2). * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_system_check_nfsd_t( kauth_cred_t cred ); /** * @brief Access control check for reboot * @param cred Subject credential * @param howto howto parameter from reboot(2) * * Determine whether the subject identified by the credential should be * allowed to reboot the system in the specified manner. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_system_check_reboot_t( kauth_cred_t cred, int howto ); /** * @brief Access control check for setting system clock * @param cred Subject credential * * Determine whether the subject identified by the credential should be * allowed to set the system clock. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_system_check_settime_t( kauth_cred_t cred ); /** * @brief Access control check for removing swap devices * @param cred Subject credential * @param vp Swap device * @param label Label associated with vp * * Determine whether the subject identified by the credential should be * allowed to remove vp as a swap device. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_system_check_swapoff_t( kauth_cred_t cred, struct vnode *vp, struct label *label ); /** * @brief Access control check for adding swap devices * @param cred Subject credential * @param vp Swap device * @param label Label associated with vp * * Determine whether the subject identified by the credential should be * allowed to add vp as a swap device. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_system_check_swapon_t( kauth_cred_t cred, struct vnode *vp, struct label *label ); /** * @brief Access control check for sysctl * @param cred Subject credential * @param namestring String representation of sysctl name. * @param name Integer name; see sysctl(3) * @param namelen Length of name array of integers; see sysctl(3) * @param old 0 or address where to store old value; see sysctl(3) * @param oldlen Length of old buffer; see sysctl(3) * @param newvalue 0 or address of new value; see sysctl(3) * @param newlen Length of new buffer; see sysctl(3) * * Determine whether the subject identified by the credential should be * allowed to make the specified sysctl(3) transaction. * * The sysctl(3) call specifies that if the old value is not desired, * oldp and oldlenp should be set to NULL. Likewise, if a new value is * not to be set, newp should be set to NULL and newlen set to 0. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_system_check_sysctlbyname_t( kauth_cred_t cred, const char *namestring, int *name, size_t namelen, user_addr_t old, /* NULLOK */ size_t oldlen, user_addr_t newvalue, /* NULLOK */ size_t newlen ); /** * @brief Access control check for kas_info * @param cred Subject credential * @param selector Category of information to return. See kas_info.h * * Determine whether the subject identified by the credential can perform * introspection of the kernel address space layout for * debugging/performance analysis. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_system_check_kas_info_t( kauth_cred_t cred, int selector ); /** * @brief Create a System V message label * @param cred Subject credential * @param msqptr The message queue the message will be placed in * @param msqlabel The label of the message queue * @param msgptr The message * @param msglabel The label of the message * * Label the message as its placed in the message queue. */ typedef void mpo_sysvmsg_label_associate_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel, struct msg *msgptr, struct label *msglabel ); /** * @brief Destroy System V message label * @param label The label to be destroyed * * Destroy a System V message label. Since the object is * going out of scope, policy modules should free any internal storage * associated with the label so that it may be destroyed. */ typedef void mpo_sysvmsg_label_destroy_t( struct label *label ); /** * @brief Initialize System V message label * @param label New label to initialize * * Initialize the label for a newly instantiated System V message. */ typedef void mpo_sysvmsg_label_init_t( struct label *label ); /** * @brief Clean up a System V message label * @param label The label to be destroyed * * Clean up a System V message label. Darwin pre-allocates * messages at system boot time and re-uses them rather than * allocating new ones. Before messages are returned to the "free * pool", policies can cleanup or overwrite any information present in * the label. */ typedef void mpo_sysvmsg_label_recycle_t( struct label *label ); /** * @brief Access control check for System V message enqueuing * @param cred Subject credential * @param msgptr The message * @param msglabel The message's label * @param msqptr The message queue * @param msqlabel The message queue's label * * Determine whether the subject identified by the credential can add the * given message to the given message queue. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvmsq_check_enqueue_t( kauth_cred_t cred, struct msg *msgptr, struct label *msglabel, struct msqid_kernel *msqptr, struct label *msqlabel ); /** * @brief Access control check for System V message reception * @param cred The credential of the intended recipient * @param msgptr The message * @param msglabel The message's label * * Determine whether the subject identified by the credential can receive * the given message. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvmsq_check_msgrcv_t( kauth_cred_t cred, struct msg *msgptr, struct label *msglabel ); /** * @brief Access control check for System V message queue removal * @param cred The credential of the caller * @param msgptr The message * @param msglabel The message's label * * System V message queues are removed using the msgctl() system call. * The system will iterate over each message in the queue, calling this * function for each, to determine whether the caller has the appropriate * credentials. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvmsq_check_msgrmid_t( kauth_cred_t cred, struct msg *msgptr, struct label *msglabel ); /** * @brief Access control check for msgctl() * @param cred The credential of the caller * @param msqptr The message queue * @param msqlabel The message queue's label * * This access check is performed to validate calls to msgctl(). * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvmsq_check_msqctl_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel, int cmd ); /** * @brief Access control check to get a System V message queue * @param cred The credential of the caller * @param msqptr The message queue requested * @param msqlabel The message queue's label * * On a call to msgget(), if the queue requested already exists, * and it is a public queue, this check will be performed before the * queue's ID is returned to the user. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvmsq_check_msqget_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel ); /** * @brief Access control check to receive a System V message from the given queue * @param cred The credential of the caller * @param msqptr The message queue to receive from * @param msqlabel The message queue's label * * On a call to msgrcv(), this check is performed to determine whether the * caller has receive rights on the given queue. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvmsq_check_msqrcv_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel ); /** * @brief Access control check to send a System V message to the given queue * @param cred The credential of the caller * @param msqptr The message queue to send to * @param msqlabel The message queue's label * * On a call to msgsnd(), this check is performed to determine whether the * caller has send rights on the given queue. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvmsq_check_msqsnd_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel ); /** * @brief Create a System V message queue label * @param cred Subject credential * @param msqptr The message queue * @param msqlabel The label of the message queue * */ typedef void mpo_sysvmsq_label_associate_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel ); /** * @brief Destroy System V message queue label * @param label The label to be destroyed * * Destroy a System V message queue label. Since the object is * going out of scope, policy modules should free any internal storage * associated with the label so that it may be destroyed. */ typedef void mpo_sysvmsq_label_destroy_t( struct label *label ); /** * @brief Initialize System V message queue label * @param label New label to initialize * * Initialize the label for a newly instantiated System V message queue. */ typedef void mpo_sysvmsq_label_init_t( struct label *label ); /** * @brief Clean up a System V message queue label * @param label The label to be destroyed * * Clean up a System V message queue label. Darwin pre-allocates * message queues at system boot time and re-uses them rather than * allocating new ones. Before message queues are returned to the "free * pool", policies can cleanup or overwrite any information present in * the label. */ typedef void mpo_sysvmsq_label_recycle_t( struct label *label ); /** * @brief Access control check for System V semaphore control operation * @param cred Subject credential * @param semakptr Pointer to semaphore identifier * @param semaklabel Label associated with semaphore * @param cmd Control operation to be performed; see semctl(2) * * Determine whether the subject identified by the credential can perform * the operation indicated by cmd on the System V semaphore semakptr. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvsem_check_semctl_t( kauth_cred_t cred, struct semid_kernel *semakptr, struct label *semaklabel, int cmd ); /** * @brief Access control check for obtaining a System V semaphore * @param cred Subject credential * @param semakptr Pointer to semaphore identifier * @param semaklabel Label to associate with the semaphore * * Determine whether the subject identified by the credential can * obtain a System V semaphore. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvsem_check_semget_t( kauth_cred_t cred, struct semid_kernel *semakptr, struct label *semaklabel ); /** * @brief Access control check for System V semaphore operations * @param cred Subject credential * @param semakptr Pointer to semaphore identifier * @param semaklabel Label associated with the semaphore * @param accesstype Flags to indicate access (read and/or write) * * Determine whether the subject identified by the credential can * perform the operations on the System V semaphore indicated by * semakptr. The accesstype flags hold the maximum set of permissions * from the sem_op array passed to the semop system call. It may * contain SEM_R for read-only operations or SEM_A for read/write * operations. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvsem_check_semop_t( kauth_cred_t cred, struct semid_kernel *semakptr, struct label *semaklabel, size_t accesstype ); /** * @brief Create a System V semaphore label * @param cred Subject credential * @param semakptr The semaphore being created * @param semalabel Label to associate with the new semaphore * * Label a new System V semaphore. The label was previously * initialized and associated with the semaphore. At this time, an * appropriate initial label value should be assigned to the object and * stored in semalabel. */ typedef void mpo_sysvsem_label_associate_t( kauth_cred_t cred, struct semid_kernel *semakptr, struct label *semalabel ); /** * @brief Destroy System V semaphore label * @param label The label to be destroyed * * Destroy a System V semaphore label. Since the object is * going out of scope, policy modules should free any internal storage * associated with the label so that it may be destroyed. */ typedef void mpo_sysvsem_label_destroy_t( struct label *label ); /** * @brief Initialize System V semaphore label * @param label New label to initialize * * Initialize the label for a newly instantiated System V semaphore. Sleeping * is permitted. */ typedef void mpo_sysvsem_label_init_t( struct label *label ); /** * @brief Clean up a System V semaphore label * @param label The label to be cleaned * * Clean up a System V semaphore label. Darwin pre-allocates * semaphores at system boot time and re-uses them rather than * allocating new ones. Before semaphores are returned to the "free * pool", policies can cleanup or overwrite any information present in * the label. */ typedef void mpo_sysvsem_label_recycle_t( struct label *label ); /** * @brief Access control check for mapping System V shared memory * @param cred Subject credential * @param shmsegptr Pointer to shared memory segment identifier * @param shmseglabel Label associated with the shared memory segment * @param shmflg shmat flags; see shmat(2) * * Determine whether the subject identified by the credential can map * the System V shared memory segment associated with shmsegptr. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvshm_check_shmat_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg ); /** * @brief Access control check for System V shared memory control operation * @param cred Subject credential * @param shmsegptr Pointer to shared memory segment identifier * @param shmseglabel Label associated with the shared memory segment * @param cmd Control operation to be performed; see shmctl(2) * * Determine whether the subject identified by the credential can perform * the operation indicated by cmd on the System V shared memory segment * shmsegptr. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvshm_check_shmctl_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd ); /** * @brief Access control check for unmapping System V shared memory * @param cred Subject credential * @param shmsegptr Pointer to shared memory segment identifier * @param shmseglabel Label associated with the shared memory segment * * Determine whether the subject identified by the credential can unmap * the System V shared memory segment associated with shmsegptr. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvshm_check_shmdt_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel ); /** * @brief Access control check obtaining System V shared memory identifier * @param cred Subject credential * @param shmsegptr Pointer to shared memory segment identifier * @param shmseglabel Label associated with the shared memory segment * @param shmflg shmget flags; see shmget(2) * * Determine whether the subject identified by the credential can get * the System V shared memory segment address. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_sysvshm_check_shmget_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg ); /** * @brief Create a System V shared memory region label * @param cred Subject credential * @param shmsegptr The shared memory region being created * @param shmlabel Label to associate with the new shared memory region * * Label a new System V shared memory region. The label was previously * initialized and associated with the shared memory region. At this * time, an appropriate initial label value should be assigned to the * object and stored in shmlabel. */ typedef void mpo_sysvshm_label_associate_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmlabel ); /** * @brief Destroy System V shared memory label * @param label The label to be destroyed * * Destroy a System V shared memory region label. Since the * object is going out of scope, policy modules should free any * internal storage associated with the label so that it may be * destroyed. */ typedef void mpo_sysvshm_label_destroy_t( struct label *label ); /** * @brief Initialize System V Shared Memory region label * @param label New label to initialize * * Initialize the label for a newly instantiated System V Shared Memory * region. Sleeping is permitted. */ typedef void mpo_sysvshm_label_init_t( struct label *label ); /** * @brief Clean up a System V Share Memory Region label * @param shmlabel The label to be cleaned * * Clean up a System V Shared Memory Region label. Darwin * pre-allocates these objects at system boot time and re-uses them * rather than allocating new ones. Before the memory regions are * returned to the "free pool", policies can cleanup or overwrite any * information present in the label. */ typedef void mpo_sysvshm_label_recycle_t( struct label *shmlabel ); /** * @brief Access control check for getting a process's task ports of different flavors * @param cred Subject credential * @param pident Object unique process identifier * @param flavor Requested task port flavor * * Determine whether the subject identified by the credential can get * the passed process's task port of given flavor. * This call is used by the task_{,read,inspect,name}_for_pid(2) API. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch, * EPERM for lack of privilege, or ESRCH to hide visibility of the target. */ typedef int mpo_proc_check_get_task_with_flavor_t( kauth_cred_t cred, struct proc_ident *pident, mach_task_flavor_t flavor ); /** * @brief Access control check for exposing a process's task ports of different flavors * @param cred Subject credential * @param pident Object unique process identifier * @param flavor Requested task port flavor * * Determine whether the subject identified by the credential can expose * the passed process's task port of given flavor. * This call is used by the accessor APIs like processor_set_tasks() and * processor_set_threads(). * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch, * EPERM for lack of privilege, or ESRCH to hide visibility of the target. */ typedef int mpo_proc_check_expose_task_with_flavor_t( kauth_cred_t cred, struct proc_ident *pident, mach_task_flavor_t flavor ); /** * @brief Access control check for upgrading to task port with a task identity token * @param cred Subject credential * @param pident Object unique process identifier, NULL if token represents a corpse task * @param flavor Requested task port flavor * * Determine whether the subject identified by the credential can upgrade to task port * of given flavor with a task identity token of the passed process. * This call is used by task_identity_token_get_task_port(). * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch, * EPERM for lack of privilege, or ESRCH to hide visibility of the target. */ typedef int mpo_proc_check_task_id_token_get_task_t( kauth_cred_t cred, struct proc_ident *pident, /* Nullable */ mach_task_flavor_t flavor ); /** * @brief Check whether task's IPC may inherit across process exec * @param p current process instance * @param cur_vp vnode pointer to current instance * @param cur_offset offset of binary of currently executing image * @param img_vp vnode pointer to to be exec'ed image * @param img_offset offset into file which is selected for execution * @param scriptvp vnode pointer of script file if any. * @return Return 0 if access is granted. * EPERM if parent does not have any entitlements. * EACCESS if mismatch in entitlements */ typedef int mpo_proc_check_inherit_ipc_ports_t( struct proc *p, struct vnode *cur_vp, off_t cur_offset, struct vnode *img_vp, off_t img_offset, struct vnode *scriptvp ); /** * @brief Privilege check for a process to run invalid * @param p Object process * * Determine whether the process may execute even though the system determined * that it is untrusted (eg unidentified / modified code). * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_run_cs_invalid_t( struct proc *p ); /** * @brief Notification a process was invalidated * @param p Object process * * Notifies that the CS_VALID bit was removed from a process' csflags. This * either indicates that a validly code-signed process has encountered an * invalidly code-signed page for the first time, or that it was explicitly * marked invalid via a csops(CS_OPS_MARKINVALID) syscall. * * @warning This hook can be called from the page fault handler; it should not * perform any operations that may result in paging, and stack space is extremely * limited. Furthermore, the hook is called with proc lock held, and if called * from the fault handler, with vm object lock held. Consumers reacting to this * hook being called are expected to defer processing to a userret, possibly * after suspending the task. */ typedef void mpo_proc_notify_cs_invalidated_t( struct proc *p ); /** * @brief Notification a process is finished with exec and will jump to userspace * @param p Object process * * Notifies all MAC policies that a process has completed an exec and is about to * jump to userspace to continue execution. This may result in process termination * via signals. Hook is designed to hold no/minimal locks so it can be used for any * necessary upcalls. */ typedef void mpo_proc_notify_exec_complete_t( struct proc *p ); /** * @brief Access control check for setting user ID * @param cred Subject credential * @param uid Requested user ID * * Determine whether the subject identified by the credential can set the * real and effective user ID and the saved set-user-ID of the current * process, using the setuid() system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_setuid_t( kauth_cred_t cred, uid_t uid ); /** * @brief Access control check for setting effective user ID * @param cred Subject credential * @param euid Requested effective user ID * * Determine whether the subject identified by the credential can set the * effective user ID of the current process, using the seteuid() system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_seteuid_t( kauth_cred_t cred, uid_t euid ); /** * @brief Access control check for setting real and effective user ID * @param cred Subject credential * @param ruid Requested real user ID * @param euid Requested effective user ID * * Determine whether the subject identified by the credential can set the * real and effective user ID of the current process, using the setreuid() * system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_setreuid_t( kauth_cred_t cred, uid_t ruid, uid_t euid ); /** * @brief Access control check for setting group ID * @param cred Subject credential * @param gid Requested group ID * * Determine whether the subject identified by the credential can set the * real and effective group IDs and the saved set-group-ID of the current * process, using the setgid() system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_setgid_t( kauth_cred_t cred, gid_t gid ); /** * @brief Access control check for setting effective group ID * @param cred Subject credential * @param egid Requested effective group ID * * Determine whether the subject identified by the credential can set the * effective group ID of the current process, using the setegid() system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_setegid_t( kauth_cred_t cred, gid_t egid ); /** * @brief Access control check for setting real and effective group ID * @param cred Subject credential * @param rgid Requested real group ID or KAUTH_UID_NONE for none * @param egid Requested effective group ID or KAUTH_GID_NONE for none * * Determine whether the subject identified by the credential can set the * real and effective group ID of the current process, using the setregid() * system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_setregid_t( kauth_cred_t cred, gid_t rgid, gid_t egid ); /** * @brief Access control check for setting thread assumed identity * @param pcred Subject process credential * @param tcred Subject thread credential * @param uid Requested user ID or KAUTH_UID_NONE for none * @param gid Requested group ID or KAUTH_GID_NONE for none * * Determine whether the subject identified by the credential can set the * user and group ID of the current thread, using the settid() or * settid_with_pid() system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_proc_check_settid_t( kauth_cred_t pcred, kauth_cred_t tcred, uid_t uid, gid_t gid ); /** * @brief Notification of connection port derivation from service port * @param cred Subject process credential * @param sp_info Service port info * * Called when a process derives a connection port from a service port. * * Notes: * - Port derivation is only mandatory if the receiving end of the * connection performs validation of that fact. * - MAC policies should not perform upcalls or expensive operations in * this hook. * - Only called on macOS. */ typedef void mpo_proc_notify_service_port_derive_t( kauth_cred_t cred, struct mach_service_port_info *sp_info ); /** * @brief Perform MAC-related analysis of telemetry data. * @param thread The Mach thread that was sampled. * * Notifies MAC policies that telemetry data was just collected from a * process's user thread and that it is ready to be analyzed. The analysis is * performed shortly before a thread is about to return to userspace via a * syscall or mach trap. * * Note that sometimes the scheduled telemetry can fail. In the case of * failure, the function will be called with a non-zero `err` value, in which * case it is expected that the client will cleanup any necessary state * recorded back when the telemetry was first scheduled. */ typedef void mpo_thread_telemetry_t( struct thread *thread, int err, const void *data, size_t length ); /** * @brief Perform MAC-related events when a thread returns to user space * @param thread Mach (not BSD) thread that is returning * * This entry point permits policy modules to perform MAC-related * events when a thread returns to user space, via a system call * return or trap return. */ typedef void mpo_thread_userret_t( struct thread *thread ); /** * @brief Check vnode access * @param cred Subject credential * @param vp Object vnode * @param label Label for vp * @param acc_mode access(2) flags * * Determine how invocations of access(2) and related calls by the * subject identified by the credential should return when performed * on the passed vnode using the passed access flags. This should * generally be implemented using the same semantics used in * mpo_vnode_check_open. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_access_t( kauth_cred_t cred, struct vnode *vp, struct label *label, int acc_mode ); /** * @brief Access control check for changing working directory * @param cred Subject credential * @param dvp Object; vnode to chdir(2) into * @param dlabel Policy label for dvp * * Determine whether the subject identified by the credential can change * the process working directory to the passed vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_chdir_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel ); /** * @brief Access control check for changing root directory * @param cred Subject credential * @param dvp Directory vnode * @param dlabel Policy label associated with dvp * @param cnp Component name for dvp * * Determine whether the subject identified by the credential should be * allowed to chroot(2) into the specified directory (dvp). * * @return In the event of an error, an appropriate value for errno * should be returned, otherwise return 0 upon success. */ typedef int mpo_vnode_check_chroot_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp ); /** * @brief Access control check for creating clone * @param cred Subject credential * @param dvp Vnode of directory to create the clone in * @param dlabel Policy label associated with dvp * @param vp Vnode of the file to clone from * @param label Policy label associated with vp * @param cnp Component name for the clone being created * * Determine whether the subject identified by the credential should be * allowed to create a clone of the vnode vp with the name specified by cnp. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_clone_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp ); /** * @brief Access control check for creating vnode * @param cred Subject credential * @param dvp Directory vnode * @param dlabel Policy label for dvp * @param cnp Component name for dvp * @param vap vnode attributes for vap * * Determine whether the subject identified by the credential can create * a vnode with the passed parent directory, passed name information, * and passed attribute information. This call may be made in a number of * situations, including as a result of calls to open(2) with O_CREAT, * mknod(2), mkfifo(2), and others. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_create_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vnode_attr *vap ); /** * @brief Access control check for deleting extended attribute * @param cred Subject credential * @param vp Object vnode * @param vlabel Label associated with vp * @param name Extended attribute name * * Determine whether the subject identified by the credential can delete * the extended attribute from the passed vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_deleteextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, const char *name ); /** * @brief Access control check for exchanging file data * @param cred Subject credential * @param v1 vnode 1 to swap * @param vl1 Policy label for v1 * @param v2 vnode 2 to swap * @param vl2 Policy label for v2 * * Determine whether the subject identified by the credential can swap the data * in the two supplied vnodes. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_exchangedata_t( kauth_cred_t cred, struct vnode *v1, struct label *vl1, struct vnode *v2, struct label *vl2 ); /** * @brief Access control check for executing the vnode * @param cred Subject credential * @param vp Object vnode to execute * @param scriptvp Script being executed by interpreter, if any. * @param vnodelabel Label corresponding to vp * @param scriptlabel Script vnode label * @param execlabel Userspace provided execution label * @param cnp Component name for file being executed * @param macpolicyattr MAC policy-specific spawn attribute data. * @param macpolicyattrlen Length of policy-specific spawn attribute data. * * Determine whether the subject identified by the credential can execute * the passed vnode. Determination of execute privilege is made separately * from decisions about any process label transitioning event. * * The final label, execlabel, corresponds to a label supplied by a * user space application through the use of the mac_execve system call. * This label will be NULL if the user application uses the the vendor * execve(2) call instead of the MAC Framework mac_execve() call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_exec_t( kauth_cred_t cred, struct vnode *vp, struct vnode *scriptvp, struct label *vnodelabel, struct label *scriptlabel, struct label *execlabel, /* NULLOK */ struct componentname *cnp, u_int *csflags, void *macpolicyattr, size_t macpolicyattrlen ); /** * @brief Access control check for fsgetpath * @param cred Subject credential * @param vp Vnode for which a path will be returned * @param label Label associated with the vnode * * Determine whether the subject identified by the credential can get the path * of the given vnode with fsgetpath. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_fsgetpath_t( kauth_cred_t cred, struct vnode *vp, struct label *label ); /** * @brief Access control check for retrieving file attributes * @param active_cred Subject credential * @param file_cred Credential associated with the struct fileproc * @param vp Object vnode * @param vlabel Policy label for vp * @param va Vnode attributes to retrieve * * Determine whether the subject identified by the credential can * get information about the passed vnode. The active_cred hold * the credentials of the subject performing the operation, and * file_cred holds the credentials of the subject that originally * opened the file. This check happens during stat(), lstat(), * fstat(), and getattrlist() syscalls. See for * definitions of the attributes. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. * * @note Policies may change the contents of va to alter the list of * file attributes returned. */ typedef int mpo_vnode_check_getattr_t( kauth_cred_t active_cred, kauth_cred_t file_cred, /* NULLOK */ struct vnode *vp, struct label *vlabel, struct vnode_attr *va ); /** * @brief Access control check for retrieving file attributes * @param cred Subject credential * @param vp Object vnode * @param vlabel Policy label for vp * @param alist List of attributes to retrieve * @param options Option flags for alist * * Determine whether the subject identified by the credential can read * various attributes of the specified vnode, or the filesystem or volume on * which that vnode resides. See for definitions of the * attributes and flags. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. Access control covers all attributes requested * with this call; the security policy is not permitted to change the set of * attributes requested. */ typedef int mpo_vnode_check_getattrlist_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, struct attrlist *alist, uint64_t options ); /** * @brief Access control check for retrieving file attributes for multiple directory entries * @param cred Subject credential * @param dvp Directory vnode * @param alist List of attributes to retrieve * @param options Option flags for alist * * Determine whether the subject identified by the credential can read * various attributes of the specified vnode, or the filesystem or volume on * which that vnode resides. See for definitions of the * attributes and flags. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. Access control covers all attributes requested * with this call; the security policy is not permitted to change the set of * attributes requested. */ typedef int mpo_vnode_check_getattrlistbulk_t( kauth_cred_t cred, struct vnode *dvp, struct attrlist *alist, uint64_t options ); /** * @brief Access control check for retrieving an extended attribute * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param name Extended attribute name * @param uio I/O structure pointer * * Determine whether the subject identified by the credential can retrieve * the extended attribute from the passed vnode. The uio parameter * will be NULL when the getxattr(2) call has been made with a NULL data * value; this is done to request the size of the data only. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_getextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *label, /* NULLOK */ const char *name, struct uio *uio /* NULLOK */ ); /** * @brief Access control check for ioctl * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param cmd Device-dependent request code; see ioctl(2) * * Determine whether the subject identified by the credential can perform * the ioctl operation indicated by com. * * @warning Since ioctl data is opaque from the standpoint of the MAC * framework, and since ioctls can affect many aspects of system * operation, policies must exercise extreme care when implementing * access control checks. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_ioctl_t( kauth_cred_t cred, struct vnode *vp, struct label *label, unsigned long cmd ); /** * @brief Access control check for vnode kqfilter * @param active_cred Subject credential * @param kn Object knote * @param vp Object vnode * @param label Policy label for vp * * Determine whether the subject identified by the credential can * receive the knote on the passed vnode. * * @return Return 0 if access if granted, otherwise an appropriate * value for errno should be returned. */ typedef int mpo_vnode_check_kqfilter_t( kauth_cred_t active_cred, kauth_cred_t file_cred, /* NULLOK */ struct knote *kn, struct vnode *vp, struct label *label ); /** * @brief Access control check for relabel * @param cred Subject credential * @param vp Object vnode * @param vnodelabel Existing policy label for vp * @param newlabel Policy label update to later be applied to vp * @see mpo_relable_vnode_t * * Determine whether the subject identified by the credential can relabel * the passed vnode to the passed label update. If all policies permit * the label change, the actual relabel entry point (mpo_vnode_label_update) * will follow. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_label_update_t( struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *newlabel ); /** * @brief Access control check for creating link * @param cred Subject credential * @param dvp Directory vnode * @param dlabel Policy label associated with dvp * @param vp Link destination vnode * @param label Policy label associated with vp * @param cnp Component name for the link being created * * Determine whether the subject identified by the credential should be * allowed to create a link to the vnode vp with the name specified by cnp. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_link_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp ); /** * @brief Access control check for listing extended attributes * @param cred Subject credential * @param vp Object vnode * @param vlabel Policy label associated with vp * * Determine whether the subject identified by the credential can retrieve * a list of named extended attributes from a vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_listextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel ); /** * @brief Access control check for lookup * @param cred Subject credential * @param dvp Directory vnode * @param dlabel Policy label for dvp * @param path Path being looked up * @param pathlen Length of path in bytes * * Determine whether the subject identified by the credential can perform * a lookup of the passed path relative to the passed directory vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. * * @note The path may contain untrusted input. If approved, lookup proceeds * on the path; if a component is found to be a symlink then this hook is * called again with the updated path. */ typedef int mpo_vnode_check_lookup_preflight_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, const char *path, size_t pathlen ); /** * @brief Access control check for lookup * @param cred Subject credential * @param dvp Object vnode * @param dlabel Policy label for dvp * @param cnp Component name being looked up * * Determine whether the subject identified by the credential can perform * a lookup in the passed directory vnode for the passed name (cnp). * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_lookup_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp ); /** * @brief Access control check for open * @param cred Subject credential * @param vp Object vnode * @param label Policy label associated with vp * @param acc_mode open(2) access mode * * Determine whether the subject identified by the credential can perform * an open operation on the passed vnode with the passed access mode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_open_t( kauth_cred_t cred, struct vnode *vp, struct label *label, int acc_mode ); /** * @brief Access control check for read * @param active_cred Subject credential * @param file_cred Credential associated with the struct fileproc * @param vp Object vnode * @param label Policy label for vp * * Determine whether the subject identified by the credential can perform * a read operation on the passed vnode. The active_cred hold the credentials * of the subject performing the operation, and file_cred holds the * credentials of the subject that originally opened the file. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_read_t( kauth_cred_t active_cred, /* SUBJECT */ kauth_cred_t file_cred, /* NULLOK */ struct vnode *vp, /* OBJECT */ struct label *label /* LABEL */ ); /** * @brief Access control check for read directory * @param cred Subject credential * @param dvp Object directory vnode * @param dlabel Policy label for dvp * * Determine whether the subject identified by the credential can * perform a readdir operation on the passed directory vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_readdir_t( kauth_cred_t cred, /* SUBJECT */ struct vnode *dvp, /* OBJECT */ struct label *dlabel /* LABEL */ ); /** * @brief Access control check for read link * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * * Determine whether the subject identified by the credential can perform * a readlink operation on the passed symlink vnode. This call can be made * in a number of situations, including an explicit readlink call by the * user process, or as a result of an implicit readlink during a name * lookup by the process. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_readlink_t( kauth_cred_t cred, struct vnode *vp, struct label *label ); /** * @brief Access control check for rename * @param cred Subject credential * @param dvp Directory vnode * @param dlabel Policy label associated with dvp * @param vp vnode to be renamed * @param label Policy label associated with vp * @param cnp Component name for vp * @param tdvp Destination directory vnode * @param tdlabel Policy label associated with tdvp * @param tvp Overwritten vnode * @param tlabel Policy label associated with tvp * @param tcnp Destination component name * * Determine whether the subject identified by the credential should be allowed * to rename the vnode vp to something else. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_rename_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp, struct vnode *tdvp, struct label *tdlabel, struct vnode *tvp, struct label *tlabel, struct componentname *tcnp ); /** * @brief Access control check for rename from * @param cred Subject credential * @param dvp Directory vnode * @param dlabel Policy label associated with dvp * @param vp vnode to be renamed * @param label Policy label associated with vp * @param cnp Component name for vp * @see mpo_vnode_check_rename_t * @see mpo_vnode_check_rename_to_t * * Determine whether the subject identified by the credential should be * allowed to rename the vnode vp to something else. * * Due to VFS locking constraints (to make sure proper vnode locks are * held during this entry point), the vnode relabel checks had to be * split into two parts: relabel_from and relabel to. * * This hook is deprecated, mpo_vnode_check_rename_t should be used instead. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_rename_from_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp ); /** * @brief Access control check for rename to * @param cred Subject credential * @param dvp Directory vnode * @param dlabel Policy label associated with dvp * @param vp Overwritten vnode * @param label Policy label associated with vp * @param samedir Boolean; 1 if the source and destination directories are the same * @param cnp Destination component name * @see mpo_vnode_check_rename_t * @see mpo_vnode_check_rename_from_t * * Determine whether the subject identified by the credential should be * allowed to rename to the vnode vp, into the directory dvp, or to the * name represented by cnp. If there is no existing file to overwrite, * vp and label will be NULL. * * Due to VFS locking constraints (to make sure proper vnode locks are * held during this entry point), the vnode relabel checks had to be * split into two parts: relabel_from and relabel to. * * This hook is deprecated, mpo_vnode_check_rename_t should be used instead. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_rename_to_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, /* NULLOK */ struct label *label, /* NULLOK */ int samedir, struct componentname *cnp ); /** * @brief Access control check for revoke * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * * Determine whether the subject identified by the credential can revoke * access to the passed vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_revoke_t( kauth_cred_t cred, struct vnode *vp, struct label *label ); /** * @brief Access control check for searchfs * @param cred Subject credential * @param vp Object vnode * @param vlabel Policy label for vp * @param returnattrs List of attributes to be returned * @param searchattrs List of attributes used as search criteria * * Determine whether the subject identified by the credential can search the * vnode using the searchfs system call. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_searchfs_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, struct attrlist *returnattrs, struct attrlist *searchattrs ); /** * @brief Access control check for select * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param which The operation selected on: FREAD or FWRITE * * Determine whether the subject identified by the credential can select * the vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_select_t( kauth_cred_t cred, struct vnode *vp, struct label *label, int which ); /** * @brief Access control check for setting ACL * @param cred Subject credential * @param vp Object node * @param label Policy label for vp * @param acl ACL structure pointer * * Determine whether the subject identified by the credential can set an ACL * on the specified vnode. The ACL pointer will be NULL when removing an ACL. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_setacl_t( kauth_cred_t cred, struct vnode *vp, struct label *label, struct kauth_acl *acl ); /** * @brief Access control check for setting file attributes * @param cred Subject credential * @param vp Object vnode * @param vlabel Policy label for vp * @param alist List of attributes to set * * Determine whether the subject identified by the credential can set * various attributes of the specified vnode, or the filesystem or volume on * which that vnode resides. See for definitions of the * attributes. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. Access control covers all attributes requested * with this call. */ typedef int mpo_vnode_check_setattrlist_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, struct attrlist *alist ); /** * @brief Access control check for setting extended attribute * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param name Extended attribute name * @param uio I/O structure pointer * * Determine whether the subject identified by the credential can set the * extended attribute of passed name and passed namespace on the passed * vnode. Policies implementing security labels backed into extended * attributes may want to provide additional protections for those * attributes. Additionally, policies should avoid making decisions based * on the data referenced from uio, as there is a potential race condition * between this check and the actual operation. The uio may also be NULL * if a delete operation is being performed. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_setextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *label, const char *name, struct uio *uio ); /** * @brief Access control check for setting flags * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param flags File flags; see chflags(2) * * Determine whether the subject identified by the credential can set * the passed flags on the passed vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_setflags_t( kauth_cred_t cred, struct vnode *vp, struct label *label, u_long flags ); /** * @brief Access control check for setting mode * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param mode File mode; see chmod(2) * * Determine whether the subject identified by the credential can set * the passed mode on the passed vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_setmode_t( kauth_cred_t cred, struct vnode *vp, struct label *label, mode_t mode ); /** * @brief Access control check for setting uid and gid * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param uid User ID * @param gid Group ID * * Determine whether the subject identified by the credential can set * the passed uid and passed gid as file uid and file gid on the passed * vnode. The IDs may be set to (-1) to request no update. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_setowner_t( kauth_cred_t cred, struct vnode *vp, struct label *label, uid_t uid, gid_t gid ); /** * @brief Access control check for setting timestamps * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param atime Access time; see utimes(2) * @param mtime Modification time; see utimes(2) * * Determine whether the subject identified by the credential can set * the passed access timestamps on the passed vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_setutimes_t( kauth_cred_t cred, struct vnode *vp, struct label *label, struct timespec atime, struct timespec mtime ); /** * @brief Access control check after determining the code directory hash * @param vp vnode vnode to combine into proc * @param label label associated with the vnode * @param cpu_type cpu type of the signature being checked * @param cs_blob the code signature to check * @param cs_flags update code signing flags if needed * @param signer_type output parameter for the code signature's signer type * @param flags operational flag to mpo_vnode_check_signature * @param platform platform of the signature being checked * @param fatal_failure_desc description of fatal failure * @param fatal_failure_desc_len failure description len, failure is fatal if non-0 * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_signature_t( struct vnode *vp, struct label *label, cpu_type_t cpu_type, struct cs_blob *cs_blob, unsigned int *cs_flags, unsigned int *signer_type, int flags, unsigned int platform, char **fatal_failure_desc, size_t *fatal_failure_desc_len ); /** * @brief Access control check for supplemental signature attachement * @param vp the vnode to which the signature will be attached * @param label label associated with the vnode * @param cs_blob the code signature to check * @param linked_vp vnode to which this new vp is related * @param linked_cs_blob the code signature of the linked vnode * @param signer_type output parameter for the signer type of the code signature being checked. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_supplemental_signature_t( struct vnode *vp, struct label *label, struct cs_blob *cs_blob, struct vnode *linked_vp, struct cs_blob *linked_cs_blob, unsigned int *signer_type ); /** * @brief Access control check for stat * @param active_cred Subject credential * @param file_cred Credential associated with the struct fileproc * @param vp Object vnode * @param label Policy label for vp * * Determine whether the subject identified by the credential can stat * the passed vnode. See stat(2) for more information. The active_cred * hold the credentials of the subject performing the operation, and * file_cred holds the credentials of the subject that originally * opened the file. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_stat_t( struct ucred *active_cred, struct ucred *file_cred, /* NULLOK */ struct vnode *vp, struct label *label ); /** * @brief Access control check for vnode trigger resolution * @param cred Subject credential * @param dvp Object vnode * @param dlabel Policy label for dvp * @param cnp Component name that triggered resolution * * Determine whether the subject identified by the credential can trigger * resolution of the passed name (cnp) in the passed directory vnode * via an external trigger resolver. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_trigger_resolve_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp ); /** * @brief Access control check for truncate/ftruncate * @param active_cred Subject credential * @param file_cred Credential associated with the struct fileproc * @param vp Object vnode * @param label Policy label for vp * * Determine whether the subject identified by the credential can * perform a truncate operation on the passed vnode. The active_cred hold * the credentials of the subject performing the operation, and * file_cred holds the credentials of the subject that originally * opened the file. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_truncate_t( kauth_cred_t active_cred, kauth_cred_t file_cred, /* NULLOK */ struct vnode *vp, struct label *label ); /** * @brief Access control check for binding UNIX domain socket * @param cred Subject credential * @param dvp Directory vnode * @param dlabel Policy label for dvp * @param cnp Component name for dvp * @param vap vnode attributes for vap * * Determine whether the subject identified by the credential can perform a * bind operation on a UNIX domain socket with the passed parent directory, * passed name information, and passed attribute information. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_uipc_bind_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vnode_attr *vap ); /** * @brief Access control check for connecting UNIX domain socket * @param cred Subject credential * @param vp Object vnode * @param label Policy label associated with vp * @param so Socket * * Determine whether the subject identified by the credential can perform a * connect operation on the passed UNIX domain socket vnode. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_uipc_connect_t( kauth_cred_t cred, struct vnode *vp, struct label *label, socket_t so ); /** * @brief Access control check for deleting vnode * @param cred Subject credential * @param dvp Parent directory vnode * @param dlabel Policy label for dvp * @param vp Object vnode to delete * @param label Policy label for vp * @param cnp Component name for vp * @see mpo_check_rename_to_t * * Determine whether the subject identified by the credential can delete * a vnode from the passed parent directory and passed name information. * This call may be made in a number of situations, including as a * results of calls to unlink(2) and rmdir(2). Policies implementing * this entry point should also implement mpo_check_rename_to to * authorize deletion of objects as a result of being the target of a rename. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_unlink_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp ); /** * @brief Access control check for write * @param active_cred Subject credential * @param file_cred Credential associated with the struct fileproc * @param vp Object vnode * @param label Policy label for vp * * Determine whether the subject identified by the credential can * perform a write operation on the passed vnode. The active_cred hold * the credentials of the subject performing the operation, and * file_cred holds the credentials of the subject that originally * opened the file. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EACCES for label mismatch or * EPERM for lack of privilege. */ typedef int mpo_vnode_check_write_t( kauth_cred_t active_cred, kauth_cred_t file_cred, /* NULLOK */ struct vnode *vp, struct label *label ); /** * @brief Access control check for copyfile * @param cred Subject credential * @param dvp Vnode of directory to create the copy in * @param dlabel Policy label associated with dvp * @param tvp Vnode of the file at the target path that will be unlinked to * make room for the copy being created, if file exists * @param tlabel Policy label associated with tvp * @param fvp Vnode of the file to copy from * @param flabel Policy label associated with fvp * @param cnp Component name for the copy being created * @param mode Corresponds to mode argument to the copyfile syscall * @param flags Corresponds to flags argument to the copyfile syscall * * Determine whether the subject identified by the credential should be * allowed to create a copy of the vnode fvp with the name specified by cnp. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. */ typedef int mpo_vnode_check_copyfile_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *tvp, /* NULLOK */ struct label *tlabel, /* NULLOK */ struct vnode *fvp, struct label *flabel, struct componentname *cnp, mode_t mode, int flags ); /** * @brief Associate a vnode with a devfs entry * @param mp Devfs mount point * @param mntlabel Devfs mount point label * @param de Devfs directory entry * @param delabel Label associated with de * @param vp vnode associated with de * @param vlabel Label associated with vp * * Fill in the label (vlabel) for a newly created devfs vnode. The * label is typically derived from the label on the devfs directory * entry or the label on the filesystem, supplied as parameters. */ typedef void mpo_vnode_label_associate_devfs_t( struct mount *mp, struct label *mntlabel, struct devnode *de, struct label *delabel, struct vnode *vp, struct label *vlabel ); /** * @brief Associate a label with a vnode * @param mp File system mount point * @param mntlabel File system mount point label * @param vp Vnode to label * @param vlabel Label associated with vp * * Attempt to retrieve label information for the vnode, vp, from the * file system extended attribute store. The label should be stored in * the supplied vlabel parameter. If a policy cannot retrieve an * extended attribute, sometimes it is acceptible to fallback to using * the mntlabel. * * If the policy requires vnodes to have a valid label elsewhere it * MUST NOT return other than temporary errors, and must always provide * a valid label of some sort. Returning an error will cause vnode * labeling to be retried at a later access. Failure to handle policy * centric errors internally (corrupt labels etc.) will result in * inaccessible files. * * @return In the event of an error, an appropriate value for errno * should be returned, otherwise return 0 upon success. */ typedef int mpo_vnode_label_associate_extattr_t( struct mount *mp, struct label *mntlabel, struct vnode *vp, struct label *vlabel ); /** * @brief Associate a file label with a vnode * @param cred User credential * @param mp Fdesc mount point * @param mntlabel Fdesc mount point label * @param fg Fileglob structure * @param label Policy label for fg * @param vp Vnode to label * @param vlabel Label associated with vp * * Associate label information for the vnode, vp, with the label of * the open file descriptor described by fg. * The label should be stored in the supplied vlabel parameter. */ typedef void mpo_vnode_label_associate_file_t( struct ucred *cred, struct mount *mp, struct label *mntlabel, struct fileglob *fg, struct label *label, struct vnode *vp, struct label *vlabel ); /** * @brief Associate a pipe label with a vnode * @param cred User credential for the process that opened the pipe * @param cpipe Pipe structure * @param pipelabel Label associated with pipe * @param vp Vnode to label * @param vlabel Label associated with vp * * Associate label information for the vnode, vp, with the label of * the pipe described by the pipe structure cpipe. * The label should be stored in the supplied vlabel parameter. */ typedef void mpo_vnode_label_associate_pipe_t( struct ucred *cred, struct pipe *cpipe, struct label *pipelabel, struct vnode *vp, struct label *vlabel ); /** * @brief Associate a POSIX semaphore label with a vnode * @param cred User credential for the process that create psem * @param psem POSIX semaphore structure * @param psemlabel Label associated with psem * @param vp Vnode to label * @param vlabel Label associated with vp * * Associate label information for the vnode, vp, with the label of * the POSIX semaphore described by psem. * The label should be stored in the supplied vlabel parameter. */ typedef void mpo_vnode_label_associate_posixsem_t( struct ucred *cred, struct pseminfo *psem, struct label *psemlabel, struct vnode *vp, struct label *vlabel ); /** * @brief Associate a POSIX shared memory label with a vnode * @param cred User credential for the process that created pshm * @param pshm POSIX shared memory structure * @param pshmlabel Label associated with pshm * @param vp Vnode to label * @param vlabel Label associated with vp * * Associate label information for the vnode, vp, with the label of * the POSIX shared memory region described by pshm. * The label should be stored in the supplied vlabel parameter. */ typedef void mpo_vnode_label_associate_posixshm_t( struct ucred *cred, struct pshminfo *pshm, struct label *pshmlabel, struct vnode *vp, struct label *vlabel ); /** * @brief Associate a label with a vnode * @param mp File system mount point * @param mntlabel File system mount point label * @param vp Vnode to label * @param vlabel Label associated with vp * * On non-multilabel file systems, set the label for a vnode. The * label will most likely be based on the file system label. */ typedef void mpo_vnode_label_associate_singlelabel_t( struct mount *mp, struct label *mntlabel, struct vnode *vp, struct label *vlabel ); /** * @brief Associate a socket label with a vnode * @param cred User credential for the process that opened the socket * @param so Socket structure * @param solabel Label associated with so * @param vp Vnode to label * @param vlabel Label associated with vp * * Associate label information for the vnode, vp, with the label of * the open socket described by the socket structure so. * The label should be stored in the supplied vlabel parameter. */ typedef void mpo_vnode_label_associate_socket_t( kauth_cred_t cred, socket_t so, struct label *solabel, struct vnode *vp, struct label *vlabel ); /** * @brief Copy a vnode label * @param src Source vnode label * @param dest Destination vnode label * * Copy the vnode label information from src to dest. On Darwin, this * is currently only necessary when executing interpreted scripts, but * will later be used if vnode label externalization cannot be an * atomic operation. */ typedef void mpo_vnode_label_copy_t( struct label *src, struct label *dest ); /** * @brief Destroy vnode label * @param label The label to be destroyed * * Destroy a vnode label. Since the object is going out of scope, * policy modules should free any internal storage associated with the * label so that it may be destroyed. */ typedef void mpo_vnode_label_destroy_t( struct label *label ); /** * @brief Externalize a vnode label for auditing * @param label Label to be externalized * @param element_name Name of the label namespace for which labels should be * externalized * @param sb String buffer to be filled with a text representation of the label * * Produce an external representation of the label on a vnode suitable for * inclusion in an audit record. An externalized label consists of a text * representation of the label contents that will be added to the audit record * as part of a text token. Policy-agnostic user space tools will display * this externalized version. * * @return 0 on success, return non-zero if an error occurs while * externalizing the label data. * */ typedef int mpo_vnode_label_externalize_audit_t( struct label *label, char *element_name, struct sbuf *sb ); /** * @brief Externalize a vnode label * @param label Label to be externalized * @param element_name Name of the label namespace for which labels should be * externalized * @param sb String buffer to be filled with a text representation of the label * * Produce an external representation of the label on a vnode. An * externalized label consists of a text representation of the label * contents that can be used with user applications. Policy-agnostic * user space tools will display this externalized version. * * @return 0 on success, return non-zero if an error occurs while * externalizing the label data. * */ typedef int mpo_vnode_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb ); /** * @brief Initialize vnode label * @param label New label to initialize * * Initialize label storage for use with a newly instantiated vnode, or * for temporary storage associated with the copying in or out of a * vnode label. While it is necessary to allocate space for a * kernel-resident vnode label, it is not yet necessary to link this vnode * with persistent label storage facilities, such as extended attributes. * Sleeping is permitted. */ typedef void mpo_vnode_label_init_t( struct label *label ); /** * @brief Internalize a vnode label * @param label Label to be internalized * @param element_name Name of the label namespace for which the label should * be internalized * @param element_data Text data to be internalized * * Produce a vnode label from an external representation. An * externalized label consists of a text representation of the label * contents that can be used with user applications. Policy-agnostic * user space tools will forward text version to the kernel for * processing by individual policy modules. * * The policy's internalize entry points will be called only if the * policy has registered interest in the label namespace. * * @return 0 on success, Otherwise, return non-zero if an error occurs * while internalizing the label data. */ typedef int mpo_vnode_label_internalize_t( struct label *label, char *element_name, char *element_data ); /** * @brief Clean up a vnode label * @param label The label to be cleaned or purged * * Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but * typically never frees them. Before vnodes are placed back on free lists for * re-use, policies can cleanup or overwrite any information present in the label, * or free any internal resources used for the label. */ typedef void mpo_vnode_label_recycle_t( struct label *label ); /** * @brief Write a label to a extended attribute * @param cred Subject credential * @param vp The vnode for which the label is being stored * @param vlabel Label associated with vp * @param intlabel The new label to store * * Store a new label in the extended attribute corresponding to the * supplied vnode. The policy has already authorized the operation; * this call must be implemented in order to perform the actual * operation. * * @return In the event of an error, an appropriate value for errno * should be returned, otherwise return 0 upon success. * * @warning XXX After examining the extended attribute implementation on * Apple's future release, this entry point may be changed. */ typedef int mpo_vnode_label_store_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, struct label *intlabel ); /** * @brief Update vnode label from extended attributes * @param mp File system mount point * @param mntlabel Mount point label * @param vp Vnode to label * @param vlabel Label associated with vp * @param name Name of the xattr * @see mpo_vnode_check_setextattr_t * * When an extended attribute is updated via the Vendor attribute management * functions, the MAC vnode label might also require an update. * Policies should first determine if 'name' matches their xattr label * name. If it does, the kernel is has either replaced or removed the * named extended attribute that was previously associated with the * vnode. Normally labels should only be modified via MAC Framework label * management calls, but sometimes the user space components will directly * modify extended attributes. For example, 'cp', 'tar', etc. manage * extended attributes in userspace, not the kernel. * * This entry point is called after the label update has occurred, so * it cannot return a failure. However, the operation is preceded by * the mpo_vnode_check_setextattr() access control check. * * If the vnode label needs to be updated the policy should return * a non-zero value. The vnode label will be marked for re-association * by the framework. */ typedef int mpo_vnode_label_update_extattr_t( struct mount *mp, struct label *mntlabel, struct vnode *vp, struct label *vlabel, const char *name ); /** * @brief Update a vnode label * @param cred Subject credential * @param vp The vnode to relabel * @param vnodelabel Existing vnode label * @param label New label to replace existing label * @see mpo_vnode_check_label_update_t * * The subject identified by the credential has previously requested * and was authorized to relabel the vnode; this entry point allows * policies to perform the actual relabel operation. Policies should * update vnodelabel using the label stored in the label parameter. */ typedef void mpo_vnode_label_update_t( kauth_cred_t cred, struct vnode *vp, struct label *vnodelabel, struct label *label ); /** * @brief Find deatched signatures for a shared library * @param p file trying to find the signature * @param vp The vnode to relabel * @param offset offset in the Mach-O that the signature is requested for (for fat binaries) * @param label Existing vnode label * */ typedef int mpo_vnode_find_sigs_t( struct proc *p, struct vnode *vp, off_t offset, struct label *label ); /** * @brief Create a new vnode, backed by extended attributes * @param cred User credential for the creating process * @param mp File system mount point * @param mntlabel File system mount point label * @param dvp Parent directory vnode * @param dlabel Parent directory vnode label * @param vp Newly created vnode * @param vlabel Label to associate with the new vnode * @param cnp Component name for vp * * Write out the label for the newly created vnode, most likely storing * the results in a file system extended attribute. Most policies will * derive the new vnode label using information from a combination * of the subject (user) credential, the file system label, the parent * directory label, and potentially the path name component. * * @return If the operation succeeds, store the new label in vlabel and * return 0. Otherwise, return an appropriate errno value. */ typedef int mpo_vnode_notify_create_t( kauth_cred_t cred, struct mount *mp, struct label *mntlabel, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *vlabel, struct componentname *cnp ); /** * @brief Inform MAC policies that a vnode has been opened * @param cred User credential for the creating process * @param vp vnode opened * @param label Policy label for the vp * @param acc_mode open(2) access mode used * * Inform Mac policies that a vnode have been successfully opened * (passing all MAC polices and DAC). */ typedef void mpo_vnode_notify_open_t( kauth_cred_t cred, struct vnode *vp, struct label *label, int acc_mode ); /** * @brief Inform MAC policies that a vnode has been renamed * @param cred User credential for the renaming process * @param vp Vnode that's being renamed * @param label Policy label for vp * @param dvp Parent directory for the destination * @param dlabel Policy label for dvp * @param cnp Component name for the destination * * Inform MAC policies that a vnode has been renamed. */ typedef void mpo_vnode_notify_rename_t( kauth_cred_t cred, struct vnode *vp, struct label *label, struct vnode *dvp, struct label *dlabel, struct componentname *cnp ); /** * @brief Inform MAC policies that two vnodes were atomically swapped. * @param cred User credential for the renaming process * @param v1 vnode 1 to swap * @param vl1 Policy label for v1 * @param v2 vnode 2 to swap * @param vl2 Policy label for v2 * * Inform MAC policies that two vnodes were atomically swapped. * NOTE: If a policy implements this notify hook, then this hook will be * called instead of two calls to the vnode_notify_rename hook (one for each * member of the swap). */ typedef void mpo_vnode_notify_swap_t( kauth_cred_t cred, struct vnode *v1, struct label *vl1, struct vnode *v2, struct label *vl2 ); /** * @brief Inform MAC policies that a vnode has been linked * @param cred User credential for the renaming process * @param dvp Parent directory for the destination * @param dlabel Policy label for dvp * @param vp Vnode that's being linked * @param vlabel Policy label for vp * @param cnp Component name for the destination * * Inform MAC policies that a vnode has been linked. */ typedef void mpo_vnode_notify_link_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *vlabel, struct componentname *cnp ); /** * @brief Inform MAC policies that an extended attribute has been removed from a vnode * @param cred Subject credential * @param vp Object node * @param label Policy label for vp * @param name Extended attribute name * * Inform MAC policies that an extended attribute has been removed from a vnode. */ typedef void mpo_vnode_notify_deleteextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *label, const char *name ); /** * @brief Inform MAC policies that an ACL has been set on a vnode * @param cred Subject credential * @param vp Object node * @param label Policy label for vp * @param acl ACL structure pointer * * Inform MAC policies that an ACL has been set on a vnode. */ typedef void mpo_vnode_notify_setacl_t( kauth_cred_t cred, struct vnode *vp, struct label *label, struct kauth_acl *acl ); /** * @brief Inform MAC policies that an attributes have been set on a vnode * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param alist List of attributes to set * * Inform MAC policies that an attributes have been set on a vnode. */ typedef void mpo_vnode_notify_setattrlist_t( kauth_cred_t cred, struct vnode *vp, struct label *label, struct attrlist *alist ); /** * @brief Inform MAC policies that an extended attribute has been set on a vnode * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param name Extended attribute name * @param uio I/O structure pointer * * Inform MAC policies that an extended attribute has been set on a vnode. */ typedef void mpo_vnode_notify_setextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *label, const char *name, struct uio *uio ); /** * @brief Inform MAC policies that flags have been set on a vnode * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param flags File flags; see chflags(2) * * Inform MAC policies that flags have been set on a vnode. */ typedef void mpo_vnode_notify_setflags_t( kauth_cred_t cred, struct vnode *vp, struct label *label, u_long flags ); /** * @brief Inform MAC policies that a new mode has been set on a vnode * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param mode File mode; see chmod(2) * * Inform MAC policies that a new mode has been set on a vnode. */ typedef void mpo_vnode_notify_setmode_t( kauth_cred_t cred, struct vnode *vp, struct label *label, mode_t mode ); /** * @brief Inform MAC policies that new uid/gid have been set on a vnode * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param uid User ID * @param gid Group ID * * Inform MAC policies that new uid/gid have been set on a vnode. */ typedef void mpo_vnode_notify_setowner_t( kauth_cred_t cred, struct vnode *vp, struct label *label, uid_t uid, gid_t gid ); /** * @brief Inform MAC policies that new timestamps have been set on a vnode * @param cred Subject credential * @param vp Object vnode * @param label Policy label for vp * @param atime Access time; see utimes(2) * @param mtime Modification time; see utimes(2) * * Inform MAC policies that new timestamps have been set on a vnode. */ typedef void mpo_vnode_notify_setutimes_t( kauth_cred_t cred, struct vnode *vp, struct label *label, struct timespec atime, struct timespec mtime ); /** * @brief Inform MAC policies that a vnode has been truncated * @param cred Subject credential * @param file_cred Credential associated with the struct fileproc * @param vp Object vnode * @param label Policy label for vp * * Inform MAC policies that a vnode has been truncated. */ typedef void mpo_vnode_notify_truncate_t( kauth_cred_t cred, kauth_cred_t file_cred, struct vnode *vp, struct label *label ); /** * @brief Inform MAC policies that a pty slave has been granted * @param p Responsible process * @param tp tty data structure * @param dev Major and minor numbers of device * @param label Policy label for tp * * Inform MAC policies that a pty slave has been granted. */ typedef void mpo_pty_notify_grant_t( proc_t p, struct tty *tp, dev_t dev, struct label *label ); /** * @brief Inform MAC policies that a pty master has been closed * @param p Responsible process * @param tp tty data structure * @param dev Major and minor numbers of device * @param label Policy label for tp * * Inform MAC policies that a pty master has been closed. */ typedef void mpo_pty_notify_close_t( proc_t p, struct tty *tp, dev_t dev, struct label *label ); /** * @brief Access control check for kext loading * @param cred Subject credential * @param identifier Kext identifier * * Determine whether the subject identified by the credential can load the * specified kext. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EPERM for lack of privilege. */ typedef int mpo_kext_check_load_t( kauth_cred_t cred, const char *identifier ); /** * @brief Access control check for kext unloading * @param cred Subject credential * @param identifier Kext identifier * * Determine whether the subject identified by the credential can unload the * specified kext. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EPERM for lack of privilege. */ typedef int mpo_kext_check_unload_t( kauth_cred_t cred, const char *identifier ); /** * @brief Access control check for querying information about loaded kexts * @param cred Subject credential * * Determine whether the subject identified by the credential can query * information about loaded kexts. * * @return Return 0 if access is granted, otherwise an appropriate value for * errno should be returned. Suggested failure: EPERM for lack of privilege. */ typedef int mpo_kext_check_query_t( kauth_cred_t cred ); /** * @brief Inform MAC policies that a vnode is being reclaimed * @param vp Object vnode * * Any external accounting tracking this vnode must consider it to be no longer valid. */ typedef void mpo_vnode_notify_reclaim_t( struct vnode *vp ); /** * @brief Inform MAC policies that a vnode has been deleted * @param cred Subject credential * @param dvp Parent directory vnode * @param dlabel Policy label for dvp * @param vp Object vnode to delete * @param label Policy label for vp * @param cnp Component name for vp * * Inform Mac policies that a vnode have been successfully deleted * (passing all MAC polices and DAC). */ typedef void mpo_vnode_notify_unlink_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp ); /* * Placeholder for future events that may need mac hooks. */ typedef void mpo_reserved_hook_t(void); /* * Policy module operations. * * Please note that this should be kept in sync with the check assumptions * policy in bsd/kern/policy_check.c (policy_ops struct). */ #define MAC_POLICY_OPS_VERSION 84 /* inc when new reserved slots are taken */ struct mac_policy_ops { mpo_audit_check_postselect_t *mpo_audit_check_postselect; mpo_audit_check_preselect_t *mpo_audit_check_preselect; mpo_reserved_hook_t *mpo_reserved01; mpo_reserved_hook_t *mpo_reserved02; mpo_reserved_hook_t *mpo_reserved03; mpo_reserved_hook_t *mpo_reserved04; mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; mpo_cred_check_label_update_t *mpo_cred_check_label_update; mpo_cred_check_visible_t *mpo_cred_check_visible; mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork; mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel; mpo_cred_label_associate_t *mpo_cred_label_associate; mpo_cred_label_associate_user_t *mpo_cred_label_associate_user; mpo_cred_label_destroy_t *mpo_cred_label_destroy; mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit; mpo_cred_label_externalize_t *mpo_cred_label_externalize; mpo_cred_label_init_t *mpo_cred_label_init; mpo_cred_label_internalize_t *mpo_cred_label_internalize; mpo_cred_label_update_execve_t *mpo_cred_label_update_execve; mpo_cred_label_update_t *mpo_cred_label_update; mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device; mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory; mpo_devfs_label_copy_t *mpo_devfs_label_copy; mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; mpo_devfs_label_init_t *mpo_devfs_label_init; mpo_devfs_label_update_t *mpo_devfs_label_update; mpo_file_check_change_offset_t *mpo_file_check_change_offset; mpo_file_check_create_t *mpo_file_check_create; mpo_file_check_dup_t *mpo_file_check_dup; mpo_file_check_fcntl_t *mpo_file_check_fcntl; mpo_file_check_get_offset_t *mpo_file_check_get_offset; mpo_file_check_get_t *mpo_file_check_get; mpo_file_check_inherit_t *mpo_file_check_inherit; mpo_file_check_ioctl_t *mpo_file_check_ioctl; mpo_file_check_lock_t *mpo_file_check_lock; mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade; mpo_file_check_mmap_t *mpo_file_check_mmap; mpo_file_check_receive_t *mpo_file_check_receive; mpo_file_check_set_t *mpo_file_check_set; mpo_file_label_init_t *mpo_file_label_init; /* deprecated not called anymore */ mpo_file_label_destroy_t *mpo_file_label_destroy; /* deprecated not called anymore */ mpo_file_label_associate_t *mpo_file_label_associate; /* deprecated not called anymore */ mpo_file_notify_close_t *mpo_file_notify_close; mpo_proc_check_launch_constraints_t *mpo_proc_check_launch_constraints; mpo_proc_notify_service_port_derive_t *mpo_proc_notify_service_port_derive; mpo_reserved_hook_t *mpo_reserved08; mpo_reserved_hook_t *mpo_reserved09; mpo_reserved_hook_t *mpo_reserved10; mpo_reserved_hook_t *mpo_reserved11; mpo_reserved_hook_t *mpo_reserved12; mpo_reserved_hook_t *mpo_reserved13; mpo_reserved_hook_t *mpo_reserved14; mpo_reserved_hook_t *mpo_reserved15; mpo_reserved_hook_t *mpo_reserved16; mpo_reserved_hook_t *mpo_reserved17; mpo_reserved_hook_t *mpo_reserved18; mpo_reserved_hook_t *mpo_reserved19; mpo_reserved_hook_t *mpo_reserved20; mpo_reserved_hook_t *mpo_reserved21; mpo_reserved_hook_t *mpo_reserved22; mpo_reserved_hook_t *mpo_reserved23; mpo_reserved_hook_t *mpo_reserved24; mpo_necp_check_open_t *mpo_necp_check_open; mpo_necp_check_client_action_t *mpo_necp_check_client_action; mpo_file_check_library_validation_t *mpo_file_check_library_validation; mpo_vnode_notify_setacl_t *mpo_vnode_notify_setacl; mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist; mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr; mpo_vnode_notify_setflags_t *mpo_vnode_notify_setflags; mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode; mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner; mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes; mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate; mpo_vnode_check_getattrlistbulk_t *mpo_vnode_check_getattrlistbulk; mpo_proc_check_get_task_special_port_t *mpo_proc_check_get_task_special_port; mpo_proc_check_set_task_special_port_t *mpo_proc_check_set_task_special_port; mpo_vnode_notify_swap_t *mpo_vnode_notify_swap; mpo_vnode_notify_unlink_t *mpo_vnode_notify_unlink; mpo_reserved_hook_t *mpo_reserved32; mpo_reserved_hook_t *mpo_reserved33; mpo_reserved_hook_t *mpo_reserved34; mpo_reserved_hook_t *mpo_reserved35; mpo_vnode_check_copyfile_t *mpo_vnode_check_copyfile; mpo_mount_check_quotactl_t *mpo_mount_check_quotactl; mpo_mount_check_fsctl_t *mpo_mount_check_fsctl; mpo_mount_check_getattr_t *mpo_mount_check_getattr; mpo_mount_check_label_update_t *mpo_mount_check_label_update; mpo_mount_check_mount_t *mpo_mount_check_mount; mpo_mount_check_remount_t *mpo_mount_check_remount; mpo_mount_check_setattr_t *mpo_mount_check_setattr; mpo_mount_check_stat_t *mpo_mount_check_stat; mpo_mount_check_umount_t *mpo_mount_check_umount; mpo_mount_label_associate_t *mpo_mount_label_associate; mpo_mount_label_destroy_t *mpo_mount_label_destroy; mpo_mount_label_externalize_t *mpo_mount_label_externalize; mpo_mount_label_init_t *mpo_mount_label_init; mpo_mount_label_internalize_t *mpo_mount_label_internalize; mpo_proc_check_expose_task_with_flavor_t *mpo_proc_check_expose_task_with_flavor; mpo_proc_check_get_task_with_flavor_t *mpo_proc_check_get_task_with_flavor; mpo_proc_check_task_id_token_get_task_t *mpo_proc_check_task_id_token_get_task; mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; mpo_reserved_hook_t *mpo_reserved41; mpo_pipe_check_read_t *mpo_pipe_check_read; mpo_pipe_check_select_t *mpo_pipe_check_select; mpo_pipe_check_stat_t *mpo_pipe_check_stat; mpo_pipe_check_write_t *mpo_pipe_check_write; mpo_pipe_label_associate_t *mpo_pipe_label_associate; mpo_reserved_hook_t *mpo_reserved42; mpo_pipe_label_destroy_t *mpo_pipe_label_destroy; mpo_reserved_hook_t *mpo_reserved43; mpo_pipe_label_init_t *mpo_pipe_label_init; mpo_reserved_hook_t *mpo_reserved44; mpo_proc_check_syscall_mac_t *mpo_proc_check_syscall_mac; mpo_policy_destroy_t *mpo_policy_destroy; mpo_policy_init_t *mpo_policy_init; mpo_policy_initbsd_t *mpo_policy_initbsd; mpo_policy_syscall_t *mpo_policy_syscall; mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname; mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports; mpo_vnode_check_rename_t *mpo_vnode_check_rename; mpo_kext_check_query_t *mpo_kext_check_query; mpo_proc_notify_exec_complete_t *mpo_proc_notify_exec_complete; mpo_proc_notify_cs_invalidated_t *mpo_proc_notify_cs_invalidated; mpo_proc_check_syscall_unix_t *mpo_proc_check_syscall_unix; mpo_reserved_hook_t *mpo_reserved45; mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port; mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port; mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send; mpo_exc_action_label_associate_t *mpo_exc_action_label_associate; mpo_exc_action_label_populate_t *mpo_exc_action_label_populate; mpo_exc_action_label_destroy_t *mpo_exc_action_label_destroy; mpo_exc_action_label_init_t *mpo_exc_action_label_init; mpo_exc_action_label_update_t *mpo_exc_action_label_update; mpo_vnode_check_trigger_resolve_t *mpo_vnode_check_trigger_resolve; mpo_mount_check_mount_late_t *mpo_mount_check_mount_late; mpo_mount_check_snapshot_mount_t *mpo_mount_check_snapshot_mount; mpo_vnode_notify_reclaim_t *mpo_vnode_notify_reclaim; mpo_skywalk_flow_check_connect_t *mpo_skywalk_flow_check_connect; mpo_skywalk_flow_check_listen_t *mpo_skywalk_flow_check_listen; mpo_posixsem_check_create_t *mpo_posixsem_check_create; mpo_posixsem_check_open_t *mpo_posixsem_check_open; mpo_posixsem_check_post_t *mpo_posixsem_check_post; mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink; mpo_posixsem_check_wait_t *mpo_posixsem_check_wait; mpo_posixsem_label_associate_t *mpo_posixsem_label_associate; mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy; mpo_posixsem_label_init_t *mpo_posixsem_label_init; mpo_posixshm_check_create_t *mpo_posixshm_check_create; mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap; mpo_posixshm_check_open_t *mpo_posixshm_check_open; mpo_posixshm_check_stat_t *mpo_posixshm_check_stat; mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate; mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink; mpo_posixshm_label_associate_t *mpo_posixshm_label_associate; mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy; mpo_posixshm_label_init_t *mpo_posixshm_label_init; mpo_proc_check_debug_t *mpo_proc_check_debug; mpo_proc_check_fork_t *mpo_proc_check_fork; mpo_reserved_hook_t *mpo_reserved61; mpo_reserved_hook_t *mpo_reserved62; mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; mpo_proc_check_getauid_t *mpo_proc_check_getauid; mpo_reserved_hook_t *mpo_reserved63; mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; mpo_proc_check_sched_t *mpo_proc_check_sched; mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; mpo_proc_check_setauid_t *mpo_proc_check_setauid; mpo_reserved_hook_t *mpo_reserved64; mpo_proc_check_signal_t *mpo_proc_check_signal; mpo_proc_check_wait_t *mpo_proc_check_wait; mpo_proc_check_dump_core_t *mpo_proc_check_dump_core; mpo_proc_check_remote_thread_create_t *mpo_proc_check_remote_thread_create; mpo_socket_check_accept_t *mpo_socket_check_accept; mpo_socket_check_accepted_t *mpo_socket_check_accepted; mpo_socket_check_bind_t *mpo_socket_check_bind; mpo_socket_check_connect_t *mpo_socket_check_connect; mpo_socket_check_create_t *mpo_socket_check_create; mpo_reserved_hook_t *mpo_reserved46; mpo_reserved_hook_t *mpo_reserved47; mpo_reserved_hook_t *mpo_reserved48; mpo_socket_check_listen_t *mpo_socket_check_listen; mpo_socket_check_receive_t *mpo_socket_check_receive; mpo_socket_check_received_t *mpo_socket_check_received; mpo_reserved_hook_t *mpo_reserved49; mpo_socket_check_send_t *mpo_socket_check_send; mpo_socket_check_stat_t *mpo_socket_check_stat; mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt; mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt; mpo_proc_check_get_movable_control_port_t *mpo_proc_check_get_movable_control_port; mpo_proc_check_dyld_process_info_notify_register_t *mpo_proc_check_dyld_process_info_notify_register; mpo_proc_check_setuid_t *mpo_proc_check_setuid; mpo_proc_check_seteuid_t *mpo_proc_check_seteuid; mpo_proc_check_setreuid_t *mpo_proc_check_setreuid; mpo_proc_check_setgid_t *mpo_proc_check_setgid; mpo_proc_check_setegid_t *mpo_proc_check_setegid; mpo_proc_check_setregid_t *mpo_proc_check_setregid; mpo_proc_check_settid_t *mpo_proc_check_settid; mpo_proc_check_memorystatus_control_t *mpo_proc_check_memorystatus_control; mpo_reserved_hook_t *mpo_reserved60; mpo_thread_telemetry_t *mpo_thread_telemetry; mpo_iokit_check_open_service_t *mpo_iokit_check_open_service; mpo_system_check_acct_t *mpo_system_check_acct; mpo_system_check_audit_t *mpo_system_check_audit; mpo_system_check_auditctl_t *mpo_system_check_auditctl; mpo_system_check_auditon_t *mpo_system_check_auditon; mpo_system_check_host_priv_t *mpo_system_check_host_priv; mpo_system_check_nfsd_t *mpo_system_check_nfsd; mpo_system_check_reboot_t *mpo_system_check_reboot; mpo_system_check_settime_t *mpo_system_check_settime; mpo_system_check_swapoff_t *mpo_system_check_swapoff; mpo_system_check_swapon_t *mpo_system_check_swapon; mpo_socket_check_ioctl_t *mpo_socket_check_ioctl; mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate; mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy; mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init; mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle; mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue; mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv; mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid; mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl; mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget; mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv; mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd; mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate; mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy; mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init; mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle; mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl; mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget; mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop; mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate; mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy; mpo_sysvsem_label_init_t *mpo_sysvsem_label_init; mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle; mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat; mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl; mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt; mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget; mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate; mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy; mpo_sysvshm_label_init_t *mpo_sysvshm_label_init; mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle; mpo_proc_notify_exit_t *mpo_proc_notify_exit; mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert; mpo_vnode_check_getattr_t *mpo_vnode_check_getattr; mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create; mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete; mpo_vnode_check_clone_t *mpo_vnode_check_clone; mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info; mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info; mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control; mpo_vnode_check_access_t *mpo_vnode_check_access; mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; mpo_vnode_check_create_t *mpo_vnode_check_create; mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr; mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata; mpo_vnode_check_exec_t *mpo_vnode_check_exec; mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist; mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr; mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl; mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter; mpo_vnode_check_label_update_t *mpo_vnode_check_label_update; mpo_vnode_check_link_t *mpo_vnode_check_link; mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; mpo_vnode_check_open_t *mpo_vnode_check_open; mpo_vnode_check_read_t *mpo_vnode_check_read; mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; mpo_vnode_check_readlink_t *mpo_vnode_check_readlink; mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from; mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to; mpo_vnode_check_revoke_t *mpo_vnode_check_revoke; mpo_vnode_check_select_t *mpo_vnode_check_select; mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist; mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr; mpo_vnode_check_setflags_t *mpo_vnode_check_setflags; mpo_vnode_check_setmode_t *mpo_vnode_check_setmode; mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; mpo_vnode_check_stat_t *mpo_vnode_check_stat; mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; mpo_vnode_check_unlink_t *mpo_vnode_check_unlink; mpo_vnode_check_write_t *mpo_vnode_check_write; mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs; mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr; mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file; mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe; mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem; mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm; mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel; mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket; mpo_vnode_label_copy_t *mpo_vnode_label_copy; mpo_vnode_label_destroy_t *mpo_vnode_label_destroy; mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit; mpo_vnode_label_externalize_t *mpo_vnode_label_externalize; mpo_vnode_label_init_t *mpo_vnode_label_init; mpo_vnode_label_internalize_t *mpo_vnode_label_internalize; mpo_vnode_label_recycle_t *mpo_vnode_label_recycle; mpo_vnode_label_store_t *mpo_vnode_label_store; mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr; mpo_vnode_label_update_t *mpo_vnode_label_update; mpo_vnode_notify_create_t *mpo_vnode_notify_create; mpo_vnode_check_signature_t *mpo_vnode_check_signature; mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind; mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect; mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid; mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume; mpo_thread_userret_t *mpo_thread_userret; mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties; mpo_vnode_check_supplemental_signature_t *mpo_vnode_check_supplemental_signature; mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs; mpo_priv_check_t *mpo_priv_check; mpo_priv_grant_t *mpo_priv_grant; mpo_proc_check_map_anon_t *mpo_proc_check_map_anon; mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath; mpo_iokit_check_open_t *mpo_iokit_check_open; mpo_proc_check_ledger_t *mpo_proc_check_ledger; mpo_vnode_notify_rename_t *mpo_vnode_notify_rename; mpo_vnode_check_setacl_t *mpo_vnode_check_setacl; mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr; mpo_system_check_kas_info_t *mpo_system_check_kas_info; mpo_vnode_check_lookup_preflight_t *mpo_vnode_check_lookup_preflight; mpo_vnode_notify_open_t *mpo_vnode_notify_open; mpo_system_check_info_t *mpo_system_check_info; mpo_pty_notify_grant_t *mpo_pty_notify_grant; mpo_pty_notify_close_t *mpo_pty_notify_close; mpo_vnode_find_sigs_t *mpo_vnode_find_sigs; mpo_kext_check_load_t *mpo_kext_check_load; mpo_kext_check_unload_t *mpo_kext_check_unload; mpo_proc_check_proc_info_t *mpo_proc_check_proc_info; mpo_vnode_notify_link_t *mpo_vnode_notify_link; mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties; mpo_iokit_check_get_property_t *mpo_iokit_check_get_property; }; /** * @brief MAC policy handle type * * The MAC handle is used to uniquely identify a loaded policy within * the MAC Framework. * * A variable of this type is set by mac_policy_register(). */ typedef unsigned int mac_policy_handle_t; #define mpc_t struct mac_policy_conf * /** * @brief Mac policy configuration * * This structure specifies the configuration information for a * MAC policy module. A policy module developer must supply * a short unique policy name, a more descriptive full name, a list of label * namespaces and count, a pointer to the registered enty point operations, * any load time flags, and optionally, a pointer to a label slot identifier. * * The Framework will update the runtime flags (mpc_runtime_flags) to * indicate that the module has been registered. * * If the label slot identifier (mpc_field_off) is NULL, the Framework * will not provide label storage for the policy. Otherwise, the * Framework will store the label location (slot) in this field. * * The mpc_list field is used by the Framework and should not be * modified by policies. */ /* XXX - reorder these for better alignment on 64bit platforms */ struct mac_policy_conf { const char *mpc_name; /** policy name */ const char *mpc_fullname; /** full name */ char const * const *mpc_labelnames; /** managed label namespaces */ unsigned int mpc_labelname_count; /** number of managed label namespaces */ const struct mac_policy_ops *mpc_ops; /** operation vector */ int mpc_loadtime_flags; /** load time flags */ int *mpc_field_off; /** label slot */ int mpc_runtime_flags; /** run time flags */ mpc_t mpc_list; /** List reference */ void *mpc_data; /** module data */ }; /** * @brief MAC policy module registration routine * * This function is called to register a policy with the * MAC framework. A policy module will typically call this from the * Darwin KEXT registration routine. */ int mac_policy_register(struct mac_policy_conf *mpc, mac_policy_handle_t *handlep, void *xd); /** * @brief MAC policy module de-registration routine * * This function is called to de-register a policy with the * MAC framework. A policy module will typically call this from the * Darwin KEXT de-registration routine. */ int mac_policy_unregister(mac_policy_handle_t handle); /* * Framework entry points for the policies to add audit data. */ int mac_audit_text(char *text, mac_policy_handle_t handle); /* * Calls to assist with use of Apple XATTRs within policy modules. */ int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t); int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t, size_t *); int mac_vnop_removexattr(struct vnode *, const char *); /** * @brief Set an extended attribute on a vnode-based fileglob. * @param fg fileglob representing file to attach the extended attribute * @param name extended attribute name * @param buf buffer of data to use as the extended attribute value * @param len size of buffer * * Sets the value of an extended attribute on a file. * * Caller must hold an iocount on the vnode represented by the fileglob. */ #ifdef KERNEL_PRIVATE int mac_file_setxattr(struct fileglob *fg, const char *name, char *buf, size_t len); #endif /** * @brief Get an extended attribute from a vnode-based fileglob. * @param fg fileglob representing file to read the extended attribute * @param name extended attribute name * @param buf buffer of data to hold the extended attribute value * @param len size of buffer * @param attrlen size of full extended attribute value * * Gets the value of an extended attribute on a file. * * Caller must hold an iocount on the vnode represented by the fileglob. */ #ifdef KERNEL_PRIVATE int mac_file_getxattr(struct fileglob *fg, const char *name, char *buf, size_t len, size_t *attrlen); #endif /** * @brief Remove an extended attribute from a vnode-based fileglob. * @param fg fileglob representing file to remove the extended attribute * @param name extended attribute name * * Removes the named extended attribute from the file. * * Caller must hold an iocount on the vnode represented by the fileglob. */ #ifdef KERNEL_PRIVATE int mac_file_removexattr(struct fileglob *fg, const char *name); #endif /* * Arbitrary limit on how much data will be logged by the audit * entry points above. */ #define MAC_AUDIT_DATA_LIMIT 1024 /* * Values returned by mac_audit_{pre,post}select. To combine the responses * of the security policies into a single decision, * mac_audit_{pre,post}select() choose the greatest value returned. */ #define MAC_AUDIT_DEFAULT 0 /* use system behavior */ #define MAC_AUDIT_NO 1 /* force not auditing this event */ #define MAC_AUDIT_YES 2 /* force auditing this event */ // \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field /** * @name Flags for the mpc_loadtime_flags field * @see mac_policy_conf * * This is the complete list of flags that are supported by the * mpc_loadtime_flags field of the mac_policy_conf structure. These * flags specify the load time behavior of MAC Framework policy * modules. */ /*@{*/ /** * @brief Flag to indicate registration preference * * This flag indicates that the policy module must be loaded and * initialized early in the boot process. If the flag is specified, * attempts to register the module following boot will be rejected. The * flag may be used by policies that require pervasive labeling of all * system objects, and cannot handle objects that have not been * properly initialized by the policy. */ #define MPC_LOADTIME_FLAG_NOTLATE 0x00000001 /** * @brief Flag to indicate unload preference * * This flag indicates that the policy module may be unloaded. If this * flag is not set, then the policy framework will reject requests to * unload the module. This flag might be used by modules that allocate * label state and are unable to free that state at runtime, or for * modules that simply do not want to permit unload operations. */ #define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002 /** * @brief Unsupported * * XXX This flag is not yet supported. */ #define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004 /** * @brief Flag to indicate a base policy * * This flag indicates that the policy module is a base policy. Only * one module can declare itself as base, otherwise the boot process * will be halted. */ #define MPC_LOADTIME_BASE_POLICY 0x00000008 /*@}*/ /** * @brief Policy registration flag * @see mac_policy_conf * * This flag indicates that the policy module has been successfully * registered with the TrustedBSD MAC Framework. The Framework will * set this flag in the mpc_runtime_flags field of the policy's * mac_policy_conf structure after registering the policy. */ #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 /* * Depends on POLICY_VER */ #ifndef POLICY_VER #define POLICY_VER 1.0 #endif #define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \ static struct mac_policy_conf mpname##_mac_policy_conf = { \ .mpc_name = #mpname, \ .mpc_fullname = mpfullname, \ .mpc_labelnames = lnames, \ .mpc_labelname_count = lcount, \ .mpc_ops = mpops, \ .mpc_loadtime_flags = lflags, \ .mpc_field_off = slot, \ .mpc_runtime_flags = rflags \ }; \ \ static kern_return_t \ kmod_start(kmod_info_t *ki, void *xd) \ { \ return mac_policy_register(&mpname##_mac_policy_conf, \ &handle, xd); \ } \ \ static kern_return_t \ kmod_stop(kmod_info_t *ki, void *xd) \ { \ return mac_policy_unregister(handle); \ } \ \ extern kern_return_t _start(kmod_info_t *ki, void *data); \ extern kern_return_t _stop(kmod_info_t *ki, void *data); \ \ KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \ kmod_start_func_t *_realmain = kmod_start; \ kmod_stop_func_t *_antimain = kmod_stop; \ int _kext_apple_cc = __APPLE_CC__ /* * Policy interface to map a struct label pointer to per-policy data. * Typically, policies wrap this in their own accessor macro that casts an * intptr_t to a policy-specific data type. */ #ifdef KERNEL_PRIVATE struct label * mac_label_verify(struct label **labelp); intptr_t mac_label_get(struct label *l, int slot); /* * Sets a label slot to the given pointer value, `v`. `v` cannot be `~0ULL`. */ void mac_label_set(struct label *l, int slot, intptr_t v); struct label * mac_labelzone_alloc(int flags); struct label * mac_labelzone_alloc_for_owner(struct label **labelp, int flags, void (^extra_setup)(struct label *)); struct label * mac_labelzone_alloc_owned(struct label **labelp, int flags, void (^extra_setup)(struct label *)); void mac_labelzone_free(struct label *l); void mac_labelzone_free_owned(struct label **labelp, void (^extra_deinit)(struct label *)); intptr_t mac_vnode_label_get(struct vnode *vp, int slot, intptr_t sentinel); void mac_vnode_label_set(struct vnode *vp, int slot, intptr_t v); #endif #define mac_get_mpc(h) (mac_policy_list.entries[h].mpc) /** * @name Flags for MAC allocator interfaces * * These flags are passed to the Darwin kernel allocator routines to * indicate whether the allocation is permitted to block or not. * Caution should be taken; some operations are not permitted to sleep, * and some types of locks cannot be held when sleeping. */ /*@{*/ /** * @brief Allocation operations may block * * If memory is not immediately available, the allocation routine * will block (typically sleeping) until memory is available. * * @warning Inappropriate use of this flag may cause kernel panics. */ #define MAC_WAITOK 0 /** * @brief Allocation operations may not block * * Rather than blocking, the allocator may return an error if memory * is not immediately available. This type of allocation will not * sleep, preserving locking semantics. */ #define MAC_NOWAIT 1 /*@}*/ #endif /* !_SECURITY_MAC_POLICY_H_ */