mac_policy.h source code [xnu/BUILD/obj/EXPORT_HDRS/security/security/mac_policy.h]

1	/*
2	* Copyright (c) 2007-2016 Apple Inc. All rights reserved.
3	*
4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5	*
6	* This file contains Original Code and/or Modifications of Original Code
7	* as defined in and that are subject to the Apple Public Source License
8	* Version 2.0 (the 'License'). You may not use this file except in
9	* compliance with the License. The rights granted to you under the License
10	* may not be used to create, or enable the creation or redistribution of,
11	* unlawful or unlicensed copies of an Apple operating system, or to
12	* circumvent, violate, or enable the circumvention or violation of, any
13	* terms of an Apple operating system software license agreement.
14	*
15	* Please obtain a copy of the License at
16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
17	*
18	* The Original Code and all software distributed under the License are
19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23	* Please see the License for the specific language governing rights and
24	* limitations under the License.
25	*
26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27	*/
28	/-*
29	* Copyright (c) 1999-2002 Robert N. M. Watson
30	* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
31	* Copyright (c) 2005-2007 SPARTA, Inc.
32	* All rights reserved.
33	*
34	* This software was developed by Robert Watson for the TrustedBSD Project.
35	*
36	* This software was developed for the FreeBSD Project in part by Network
37	* Associates Laboratories, the Security Research Division of Network
38	* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
39	* as part of the DARPA CHATS research program.
40	*
41	* This software was enhanced by SPARTA ISSO under SPAWAR contract
42	* N66001-04-C-6019 ("SEFOS").
43	*
44	* Redistribution and use in source and binary forms, with or without
45	* modification, are permitted provided that the following conditions
46	* are met:
47	* 1. Redistributions of source code must retain the above copyright
48	* notice, this list of conditions and the following disclaimer.
49	* 2. Redistributions in binary form must reproduce the above copyright
50	* notice, this list of conditions and the following disclaimer in the
51	* documentation and/or other materials provided with the distribution.
52	*
53	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
54	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
56	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
57	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
58	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
59	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
60	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
61	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
62	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
63	* SUCH DAMAGE.
64	*
65	* $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $
66	*/
67
68	/**
69	@file mac_policy.h
70	@brief Kernel Interfaces for MAC policy modules
71
72	This header defines the list of operations that are defined by the
73	TrustedBSD MAC Framwork on Darwin. MAC Policy modules register
74	with the framework to declare interest in a specific set of
75	operations. If interest in an entry point is not declared, then
76	the policy will be ignored when the Framework evaluates that entry
77	point.
78	*/
79
80	#ifndef _SECURITY_MAC_POLICY_H_
81	#define _SECURITY_MAC_POLICY_H_
82
83	#ifndef PRIVATE
84	#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
85	#endif
86
87	#include <security/_label.h>
88
89	struct attrlist;
90	struct auditinfo;
91	struct bpf_d;
92	struct cs_blob;
93	struct devnode;
94	struct exception_action;
95	struct fileglob;
96	struct ifnet;
97	struct inpcb;
98	struct ipq;
99	struct label;
100	struct mac_module_data;
101	struct mac_policy_conf;
102	struct mbuf;
103	struct mount;
104	struct msg;
105	struct msqid_kernel;
106	struct pipe;
107	struct pseminfo;
108	struct pshminfo;
109	struct sbuf;
110	struct semid_kernel;
111	struct shmid_kernel;
112	struct socket;
113	struct sockopt;
114	struct task;
115	struct thread;
116	struct tty;
117	struct ucred;
118	struct vfs_attr;
119	struct vnode;
120	/* @struct dummy /
121
122
123
124	#ifndef _KAUTH_CRED_T
125	#define _KAUTH_CRED_T
126	typedef struct ucred *kauth_cred_t;
127	#endif /* !_KAUTH_CRED_T */
128
129	#ifndef __IOKIT_PORTS_DEFINED__
130	#define __IOKIT_PORTS_DEFINED__
131	#ifdef __cplusplus
132	class OSObject;
133	typedef OSObject *io_object_t;
134	#else
135	struct OSObject;
136	typedef struct OSObject *io_object_t;
137	#endif
138	#endif /* __IOKIT_PORTS_DEFINED__ */
139
140	/-*
141	* MAC entry points are generally named using the following template:
142	*
143	* mpo_<object>_<operation>()
144	*
145	* or:
146	*
147	* mpo_<object>_check_<operation>()
148	*
149	* Entry points are sorted by object type.
150	*
151	* It may be desirable also to consider some subsystems as "objects", such
152	* as system, iokit, etc.
153	*/
154
155	/**
156	@name Entry Points for Label Management
157
158	These are the entry points corresponding to the life cycle events for
159	kernel objects, such as initialization, creation, and destruction.
160
161	Most policies (that use labels) will initialize labels by allocating
162	space for policy-specific data. In most cases, it is permitted to
163	sleep during label initialization operations; it will be noted when
164	it is not permitted.
165
166	Initialization usually will not require doing more than allocating a
167	generic label for the given object. What follows initialization is
168	creation, where a label is made specific to the object it is associated
169	with. Destruction occurs when the label is no longer needed, such as
170	when the corresponding object is destroyed. All necessary cleanup should
171	be performed in label destroy operations.
172
173	Where possible, the label entry points have identical parameters. If
174	the policy module does not require structure-specific label
175	information, the same function may be registered in the policy
176	operation vector. Many policies will implement two such generic
177	allocation calls: one to handle sleepable requests, and one to handle
178	potentially non-sleepable requests.
179	*/
180
181
182	/**
183	@brief Audit event postselection
184	@param cred Subject credential
185	@param syscode Syscall number
186	@param args Syscall arguments
187	@param error Syscall errno
188	@param retval Syscall return value
189
190	This is the MAC Framework audit postselect, which is called before
191	exiting a syscall to determine if an audit event should be committed.
192	A return value of MAC_AUDIT_NO forces the audit record to be suppressed.
193	Any other return value results in the audit record being committed.
194
195	@warning The suppression behavior will probably go away in Apple's
196	future version of the audit implementation.
197
198	@return Return MAC_AUDIT_NO to force suppression of the audit record.
199	Any other value results in the audit record being committed.
200
201	*/
202	typedef int mpo_audit_check_postselect_t(
203	kauth_cred_t cred,
204	unsigned short syscode,
205	void *args,
206	int error,
207	int retval
208	);
209	/**
210	@brief Audit event preselection
211	@param cred Subject credential
212	@param syscode Syscall number
213	@param args Syscall arguments
214
215	This is the MAC Framework audit preselect, which is called before a
216	syscall is entered to determine if an audit event should be created.
217	If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be
218	returned. A return value of MAC_AUDIT_NO causes the audit record to
219	be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants
220	to defer to the system's existing preselection mechanism.
221
222	When policies return different preferences, the Framework decides what action
223	to take based on the following policy. If any policy returns MAC_AUDIT_YES,
224	then create an audit record, else if any policy returns MAC_AUDIT_NO, then
225	suppress the creations of an audit record, else defer to the system's
226	existing preselection mechanism.
227
228	@warning The audit implementation in Apple's current version is
229	incomplete, so the MAC policies have priority over the system's existing
230	mechanisms. This will probably change in the future version where
231	the audit implementation is more complete.
232
233	@return Return MAC_AUDIT_YES to force auditing of the syscall,
234	MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT
235	to allow auditing mechanisms to determine if the syscall is audited.
236
237	*/
238	typedef int mpo_audit_check_preselect_t(
239	kauth_cred_t cred,
240	unsigned short syscode,
241	void *args
242	);
243	/**
244	@brief Initialize BPF descriptor label
245	@param label New label to initialize
246
247	Initialize the label for a newly instantiated BPF descriptor.
248	Sleeping is permitted.
249	*/
250	typedef void mpo_bpfdesc_label_init_t(
251	struct label *label
252	);
253	/**
254	@brief Destroy BPF descriptor label
255	@param label The label to be destroyed
256
257	Destroy a BPF descriptor label. Since the BPF descriptor
258	is going out of scope, policy modules should free any internal
259	storage associated with the label so that it may be destroyed.
260	*/
261	typedef void mpo_bpfdesc_label_destroy_t(
262	struct label *label
263	);
264	/**
265	@brief Associate a BPF descriptor with a label
266	@param cred User credential creating the BPF descriptor
267	@param bpf_d The BPF descriptor
268	@param bpflabel The new label
269
270	Set the label on a newly created BPF descriptor from the passed
271	subject credential. This call will be made when a BPF device node
272	is opened by a process with the passed subject credential.
273	*/
274	typedef void mpo_bpfdesc_label_associate_t(
275	kauth_cred_t cred,
276	struct bpf_d *bpf_d,
277	struct label *bpflabel
278	);
279	/**
280	@brief Check whether BPF can read from a network interface
281	@param bpf_d Subject; the BPF descriptor
282	@param bpflabel Policy label for bpf_d
283	@param ifp Object; the network interface
284	@param ifnetlabel Policy label for ifp
285
286	Determine whether the MAC framework should permit datagrams from
287	the passed network interface to be delivered to the buffers of
288	the passed BPF descriptor. Return (0) for success, or an errno
289	value for failure. Suggested failure: EACCES for label mismatches,
290	EPERM for lack of privilege.
291	*/
292	typedef int mpo_bpfdesc_check_receive_t(
293	struct bpf_d *bpf_d,
294	struct label *bpflabel,
295	struct ifnet *ifp,
296	struct label *ifnetlabel
297	);
298	/**
299	@brief Indicate desire to change the process label at exec time
300	@param old Existing subject credential
301	@param vp File being executed
302	@param offset Offset of binary within file being executed
303	@param scriptvp Script being executed by interpreter, if any.
304	@param vnodelabel Label corresponding to vp
305	@param scriptvnodelabel Script vnode label
306	@param execlabel Userspace provided execution label
307	@param p Object process
308	@param macpolicyattr MAC policy-specific spawn attribute data
309	@param macpolicyattrlen Length of policy-specific spawn attribute data
310	@see mac_execve
311	@see mpo_cred_label_update_execve_t
312	@see mpo_vnode_check_exec_t
313
314	Indicate whether this policy intends to update the label of a newly
315	created credential from the existing subject credential (old). This
316	call occurs when a process executes the passed vnode. If a policy
317	returns success from this entry point, the mpo_cred_label_update_execve
318	entry point will later be called with the same parameters. Access
319	has already been checked via the mpo_vnode_check_exec entry point,
320	this entry point is necessary to preserve kernel locking constraints
321	during program execution.
322
323	The supplied vnode and vnodelabel correspond with the file actually
324	being executed; in the case that the file is interpreted (for
325	example, a script), the label of the original exec-time vnode has
326	been preserved in scriptvnodelabel.
327
328	The final label, execlabel, corresponds to a label supplied by a
329	user space application through the use of the mac_execve system call.
330
331	The vnode lock is held during this operation. No changes should be
332	made to the old credential structure.
333
334	@warning Even if a policy returns 0, it should behave correctly in
335	the presence of an invocation of mpo_cred_label_update_execve, as that
336	call may happen as a result of another policy requesting a transition.
337
338	@return Non-zero if a transition is required, 0 otherwise.
339	*/
340	typedef int mpo_cred_check_label_update_execve_t(
341	kauth_cred_t old,
342	struct vnode *vp,
343	off_t offset,
344	struct vnode *scriptvp,
345	struct label *vnodelabel,
346	struct label *scriptvnodelabel,
347	struct label *execlabel,
348	struct proc *p,
349	void *macpolicyattr,
350	size_t macpolicyattrlen
351	);
352	/**
353	@brief Access control check for relabelling processes
354	@param cred Subject credential
355	@param newlabel New label to apply to the user credential
356	@see mpo_cred_label_update_t
357	@see mac_set_proc
358
359	Determine whether the subject identified by the credential can relabel
360	itself to the supplied new label (newlabel). This access control check
361	is called when the mac_set_proc system call is invoked. A user space
362	application will supply a new value, the value will be internalized
363	and provided in newlabel.
364
365	@return Return 0 if access is granted, otherwise an appropriate value for
366	errno should be returned.
367	*/
368	typedef int mpo_cred_check_label_update_t(
369	kauth_cred_t cred,
370	struct label *newlabel
371	);
372	/**
373	@brief Access control check for visibility of other subjects
374	@param u1 Subject credential
375	@param u2 Object credential
376
377	Determine whether the subject identified by the credential u1 can
378	"see" other subjects with the passed subject credential u2. This call
379	may be made in a number of situations, including inter-process status
380	sysctls used by ps, and in procfs lookups.
381
382	@return Return 0 if access is granted, otherwise an appropriate value for
383	errno should be returned. Suggested failure: EACCES for label mismatch,
384	EPERM for lack of privilege, or ESRCH to hide visibility.
385	*/
386	typedef int mpo_cred_check_visible_t(
387	kauth_cred_t u1,
388	kauth_cred_t u2
389	);
390	/**
391	@brief Associate a credential with a new process at fork
392	@param cred credential to inherited by new process
393	@param proc the new process
394
395	Allow a process to associate the credential with a new
396	process for reference countng purposes.
397	NOTE: the credential can be dis-associated in ways other
398	than exit - so this strategy is flawed - should just
399	catch label destroy callback.
400	*/
401	typedef void mpo_cred_label_associate_fork_t(
402	kauth_cred_t cred,
403	proc_t proc
404	);
405	/**
406	@brief Create the first process
407	@param cred Subject credential to be labeled
408
409	Create the subject credential of process 0, the parent of all BSD
410	kernel processes. Policies should update the label in the
411	previously initialized credential structure.
412	*/
413	typedef void mpo_cred_label_associate_kernel_t(
414	kauth_cred_t cred
415	);
416	/**
417	@brief Create a credential label
418	@param parent_cred Parent credential
419	@param child_cred Child credential
420
421	Set the label of a newly created credential, most likely using the
422	information in the supplied parent credential.
423
424	@warning This call is made when crcopy or crdup is invoked on a
425	newly created struct ucred, and should not be confused with a
426	process fork or creation event.
427	*/
428	typedef void mpo_cred_label_associate_t(
429	kauth_cred_t parent_cred,
430	kauth_cred_t child_cred
431	);
432	/**
433	@brief Create the first process
434	@param cred Subject credential to be labeled
435
436	Create the subject credential of process 1, the parent of all BSD
437	user processes. Policies should update the label in the previously
438	initialized credential structure. This is the 'init' process.
439	*/
440	typedef void mpo_cred_label_associate_user_t(
441	kauth_cred_t cred
442	);
443	/**
444	@brief Destroy credential label
445	@param label The label to be destroyed
446
447	Destroy a user credential label. Since the user credential
448	is going out of scope, policy modules should free any internal
449	storage associated with the label so that it may be destroyed.
450	*/
451	typedef void mpo_cred_label_destroy_t(
452	struct label *label
453	);
454	/**
455	@brief Externalize a user credential label for auditing
456	@param label Label to be externalized
457	@param element_name Name of the label namespace for which labels should be
458	externalized
459	@param sb String buffer to be filled with a text representation of the label
460
461	Produce an external representation of the label on a user credential for
462	inclusion in an audit record. An externalized label consists of a text
463	representation of the label contents that will be added to the audit record
464	as part of a text token. Policy-agnostic user space tools will display
465	this externalized version.
466
467	@return 0 on success, return non-zero if an error occurs while
468	externalizing the label data.
469
470	*/
471	typedef int mpo_cred_label_externalize_audit_t(
472	struct label *label,
473	char *element_name,
474	struct sbuf *sb
475	);
476	/**
477	@brief Externalize a user credential label
478	@param label Label to be externalized
479	@param element_name Name of the label namespace for which labels should be
480	externalized
481	@param sb String buffer to be filled with a text representation of the label
482
483	Produce an external representation of the label on a user
484	credential. An externalized label consists of a text representation
485	of the label contents that can be used with user applications.
486	Policy-agnostic user space tools will display this externalized
487	version.
488
489	@return 0 on success, return non-zero if an error occurs while
490	externalizing the label data.
491
492	*/
493	typedef int mpo_cred_label_externalize_t(
494	struct label *label,
495	char *element_name,
496	struct sbuf *sb
497	);
498	/**
499	@brief Initialize user credential label
500	@param label New label to initialize
501
502	Initialize the label for a newly instantiated user credential.
503	Sleeping is permitted.
504	*/
505	typedef void mpo_cred_label_init_t(
506	struct label *label
507	);
508	/**
509	@brief Internalize a user credential label
510	@param label Label to be internalized
511	@param element_name Name of the label namespace for which the label should
512	be internalized
513	@param element_data Text data to be internalized
514
515	Produce a user credential label from an external representation. An
516	externalized label consists of a text representation of the label
517	contents that can be used with user applications. Policy-agnostic
518	user space tools will forward text version to the kernel for
519	processing by individual policy modules.
520
521	The policy's internalize entry points will be called only if the
522	policy has registered interest in the label namespace.
523
524	@return 0 on success, Otherwise, return non-zero if an error occurs
525	while internalizing the label data.
526
527	*/
528	typedef int mpo_cred_label_internalize_t(
529	struct label *label,
530	char *element_name,
531	char *element_data
532	);
533	/**
534	@brief Update credential at exec time
535	@param old_cred Existing subject credential
536	@param new_cred New subject credential to be labeled
537	@param p Object process.
538	@param vp File being executed
539	@param offset Offset of binary within file being executed
540	@param scriptvp Script being executed by interpreter, if any.
541	@param vnodelabel Label corresponding to vp
542	@param scriptvnodelabel Script vnode label
543	@param execlabel Userspace provided execution label
544	@param csflags Code signing flags to be set after exec
545	@param macpolicyattr MAC policy-specific spawn attribute data.
546	@param macpolicyattrlen Length of policy-specific spawn attribute data.
547	@see mac_execve
548	@see mpo_cred_check_label_update_execve_t
549	@see mpo_vnode_check_exec_t
550
551	Update the label of a newly created credential (new) from the
552	existing subject credential (old). This call occurs when a process
553	executes the passed vnode and one of the loaded policy modules has
554	returned success from the mpo_cred_check_label_update_execve entry point.
555	Access has already been checked via the mpo_vnode_check_exec entry
556	point, this entry point is only used to update any policy state.
557
558	The supplied vnode and vnodelabel correspond with the file actually
559	being executed; in the case that the file is interpreted (for
560	example, a script), the label of the original exec-time vnode has
561	been preserved in scriptvnodelabel.
562
563	The final label, execlabel, corresponds to a label supplied by a
564	user space application through the use of the mac_execve system call.
565
566	If non-NULL, the value pointed to by disjointp will be set to 0 to
567	indicate that the old and new credentials are not disjoint, or 1 to
568	indicate that they are.
569
570	The vnode lock is held during this operation. No changes should be
571	made to the old credential structure.
572	@return 0 on success, Otherwise, return non-zero if update results in
573	termination of child.
574	*/
575	typedef int mpo_cred_label_update_execve_t(
576	kauth_cred_t old_cred,
577	kauth_cred_t new_cred,
578	struct proc *p,
579	struct vnode *vp,
580	off_t offset,
581	struct vnode *scriptvp,
582	struct label *vnodelabel,
583	struct label *scriptvnodelabel,
584	struct label *execlabel,
585	u_int *csflags,
586	void *macpolicyattr,
587	size_t macpolicyattrlen,
588	int *disjointp
589	);
590	/**
591	@brief Update a credential label
592	@param cred The existing credential
593	@param newlabel A new label to apply to the credential
594	@see mpo_cred_check_label_update_t
595	@see mac_set_proc
596
597	Update the label on a user credential, using the supplied new label.
598	This is called as a result of a process relabel operation. Access
599	control was already confirmed by mpo_cred_check_label_update.
600	*/
601	typedef void mpo_cred_label_update_t(
602	kauth_cred_t cred,
603	struct label *newlabel
604	);
605	/**
606	@brief Create a new devfs device
607	@param dev Major and minor numbers of special file
608	@param de "inode" of new device file
609	@param label Destination label
610	@param fullpath Path relative to mount (e.g. /dev) of new device file
611
612	This entry point labels a new devfs device. The label will likely be based
613	on the path to the device, or the major and minor numbers.
614	The policy should store an appropriate label into 'label'.
615	*/
616	typedef void mpo_devfs_label_associate_device_t(
617	dev_t dev,
618	struct devnode *de,
619	struct label *label,
620	const char *fullpath
621	);
622	/**
623	@brief Create a new devfs directory
624	@param dirname Name of new directory
625	@param dirnamelen Length of 'dirname'
626	@param de "inode" of new directory
627	@param label Destination label
628	@param fullpath Path relative to mount (e.g. /dev) of new directory
629
630	This entry point labels a new devfs directory. The label will likely be
631	based on the path of the new directory. The policy should store an appropriate
632	label into 'label'. The devfs root directory is labelled in this way.
633	*/
634	typedef void mpo_devfs_label_associate_directory_t(
635	const char *dirname,
636	int dirnamelen,
637	struct devnode *de,
638	struct label *label,
639	const char *fullpath
640	);
641	/**
642	@brief Copy a devfs label
643	@param src Source devfs label
644	@param dest Destination devfs label
645
646	Copy the label information from src to dest. The devfs file system
647	often duplicates (splits) existing device nodes rather than creating
648	new ones.
649	*/
650	typedef void mpo_devfs_label_copy_t(
651	struct label *src,
652	struct label *dest
653	);
654	/**
655	@brief Destroy devfs label
656	@param label The label to be destroyed
657
658	Destroy a devfs entry label. Since the object is going out
659	of scope, policy modules should free any internal storage associated
660	with the label so that it may be destroyed.
661	*/
662	typedef void mpo_devfs_label_destroy_t(
663	struct label *label
664	);
665	/**
666	@brief Initialize devfs label
667	@param label New label to initialize
668
669	Initialize the label for a newly instantiated devfs entry. Sleeping
670	is permitted.
671	*/
672	typedef void mpo_devfs_label_init_t(
673	struct label *label
674	);
675	/**
676	@brief Update a devfs label after relabelling its vnode
677	@param mp Devfs mount point
678	@param de Affected devfs directory entry
679	@param delabel Label of devfs directory entry
680	@param vp Vnode associated with de
681	@param vnodelabel New label of vnode
682
683	Update a devfs label when its vnode is manually relabelled,
684	for example with setfmac(1). Typically, this will simply copy
685	the vnode label into the devfs label.
686	*/
687	typedef void mpo_devfs_label_update_t(
688	struct mount *mp,
689	struct devnode *de,
690	struct label *delabel,
691	struct vnode *vp,
692	struct label *vnodelabel
693	);
694	/**
695	@brief Access control for sending an exception to an exception action
696	@param crashlabel The crashing process's label
697	@param action Exception action
698	@param exclabel Policy label for exception action
699
700	Determine whether the the exception message caused by the victim
701	process can be sent to the exception action. The policy may compare
702	credentials in the crashlabel, which are derived from the process at
703	the time the exception occurs, with the credentials in the exclabel,
704	which was set at the time the exception port was set, to determine
705	its decision. Note that any process from which the policy derived
706	any credentials may not exist anymore at the time of this policy
707	operation. Sleeping is permitted.
708
709	@return Return 0 if the message can be sent, otherwise an
710	appropriate value for errno should be returned.
711	*/
712	typedef int mpo_exc_action_check_exception_send_t(
713	struct label *crashlabel,
714	struct exception_action *action,
715	struct label *exclabel
716	);
717	/**
718	@brief Associate an exception action label
719	@param action Exception action to label
720	@param exclabel Policy label to be filled in for exception action
721
722	Set the label on an exception action.
723	*/
724	typedef void mpo_exc_action_label_associate_t(
725	struct exception_action *action,
726	struct label *exclabel
727	);
728	/**
729	@brief Destroy exception action label
730	@param label The label to be destroyed
731
732	Destroy the label on an exception action. Since the object is going
733	out of scope, policy modules should free any internal storage
734	associated with the label so that it may be destroyed. Sleeping is
735	permitted.
736	*/
737	typedef void mpo_exc_action_label_destroy_t(
738	struct label *label
739	);
740	/**
741	@brief Populate an exception action label with process credentials
742	@param label The label to be populated
743	@param proc Process to derive credentials from
744
745	Populate a label with credentials derived from a process. At
746	exception delivery time, the policy should compare credentials of the
747	process that set an exception ports with the credentials of the
748	process or corpse that experienced the exception. Note that the
749	process that set the port may not exist at that time anymore, so
750	labels should carry copies of live credentials if necessary.
751	*/
752	typedef void mpo_exc_action_label_populate_t(
753	struct label *label,
754	struct proc *proc
755	);
756	/**
757	@brief Initialize exception action label
758	@param label New label to initialize
759
760	Initialize a label for an exception action. Usually performs
761	policy specific allocations. Sleeping is permitted.
762	*/
763	typedef int mpo_exc_action_label_init_t(
764	struct label *label
765	);
766	/**
767	@brief Update the label on an exception action
768	@param action Exception action that the label belongs to (may be
769	NULL if none)
770	@param label Policy label to update
771	@param newlabel New label for update
772
773	Update the credentials of an exception action from the given
774	label. The policy should copy over any credentials (process and
775	otherwise) from the new label into the label to update. Must not
776	sleep, must be quick and can be called with locks held.
777	*/
778	typedef int mpo_exc_action_label_update_t(
779	struct exception_action *action,
780	struct label *label,
781	struct label *newlabel
782	);
783	/**
784	@brief Access control for changing the offset of a file descriptor
785	@param cred Subject credential
786	@param fg Fileglob structure
787	@param label Policy label for fg
788
789	Determine whether the subject identified by the credential can
790	change the offset of the file represented by fg.
791
792	@return Return 0 if access if granted, otherwise an appropriate
793	value for errno should be returned.
794	*/
795	typedef int mpo_file_check_change_offset_t(
796	kauth_cred_t cred,
797	struct fileglob *fg,
798	struct label *label
799	);
800	/**
801	@brief Access control for creating a file descriptor
802	@param cred Subject credential
803
804	Determine whether the subject identified by the credential can
805	allocate a new file descriptor.
806
807	@return Return 0 if access if granted, otherwise an appropriate
808	value for errno should be returned.
809	*/
810	typedef int mpo_file_check_create_t(
811	kauth_cred_t cred
812	);
813	/**
814	@brief Access control for duplicating a file descriptor
815	@param cred Subject credential
816	@param fg Fileglob structure
817	@param label Policy label for fg
818	@param newfd New file descriptor number
819
820	Determine whether the subject identified by the credential can
821	duplicate the fileglob structure represented by fg and as file
822	descriptor number newfd.
823
824	@return Return 0 if access if granted, otherwise an appropriate
825	value for errno should be returned.
826	*/
827	typedef int mpo_file_check_dup_t(
828	kauth_cred_t cred,
829	struct fileglob *fg,
830	struct label *label,
831	int newfd
832	);
833	/**
834	@brief Access control check for fcntl
835	@param cred Subject credential
836	@param fg Fileglob structure
837	@param label Policy label for fg
838	@param cmd Control operation to be performed; see fcntl(2)
839	@param arg fcnt arguments; see fcntl(2)
840
841	Determine whether the subject identified by the credential can perform
842	the file control operation indicated by cmd.
843
844	@return Return 0 if access is granted, otherwise an appropriate value for
845	errno should be returned.
846	*/
847	typedef int mpo_file_check_fcntl_t(
848	kauth_cred_t cred,
849	struct fileglob *fg,
850	struct label *label,
851	int cmd,
852	user_long_t arg
853	);
854	/**
855	@brief Access control check for mac_get_fd
856	@param cred Subject credential
857	@param fg Fileglob structure
858	@param elements Element buffer
859	@param len Length of buffer
860
861	Determine whether the subject identified by the credential should be allowed
862	to get an externalized version of the label on the object indicated by fd.
863
864	@return Return 0 if access is granted, otherwise an appropriate value for
865	errno should be returned.
866	*/
867	typedef int mpo_file_check_get_t(
868	kauth_cred_t cred,
869	struct fileglob *fg,
870	char *elements,
871	int len
872	);
873	/**
874	@brief Access control for getting the offset of a file descriptor
875	@param cred Subject credential
876	@param fg Fileglob structure
877	@param label Policy label for fg
878
879	Determine whether the subject identified by the credential can
880	get the offset of the file represented by fg.
881
882	@return Return 0 if access if granted, otherwise an appropriate
883	value for errno should be returned.
884	*/
885	typedef int mpo_file_check_get_offset_t(
886	kauth_cred_t cred,
887	struct fileglob *fg,
888	struct label *label
889	);
890	/**
891	@brief Access control for inheriting a file descriptor
892	@param cred Subject credential
893	@param fg Fileglob structure
894	@param label Policy label for fg
895
896	Determine whether the subject identified by the credential can
897	inherit the fileglob structure represented by fg.
898
899	@return Return 0 if access if granted, otherwise an appropriate
900	value for errno should be returned.
901	*/
902	typedef int mpo_file_check_inherit_t(
903	kauth_cred_t cred,
904	struct fileglob *fg,
905	struct label *label
906	);
907	/**
908	@brief Access control check for file ioctl
909	@param cred Subject credential
910	@param fg Fileglob structure
911	@param label Policy label for fg
912	@param cmd The ioctl command; see ioctl(2)
913
914	Determine whether the subject identified by the credential can perform
915	the ioctl operation indicated by cmd.
916
917	@warning Since ioctl data is opaque from the standpoint of the MAC
918	framework, policies must exercise extreme care when implementing
919	access control checks.
920
921	@return Return 0 if access is granted, otherwise an appropriate value for
922	errno should be returned.
923
924	*/
925	typedef int mpo_file_check_ioctl_t(
926	kauth_cred_t cred,
927	struct fileglob *fg,
928	struct label *label,
929	unsigned int cmd
930	);
931	/**
932	@brief Access control check for file locking
933	@param cred Subject credential
934	@param fg Fileglob structure
935	@param label Policy label for fg
936	@param op The lock operation (F_GETLK, F_SETLK, F_UNLK)
937	@param fl The flock structure
938
939	Determine whether the subject identified by the credential can perform
940	the lock operation indicated by op and fl on the file represented by fg.
941
942	@return Return 0 if access is granted, otherwise an appropriate value for
943	errno should be returned.
944
945	*/
946	typedef int mpo_file_check_lock_t(
947	kauth_cred_t cred,
948	struct fileglob *fg,
949	struct label *label,
950	int op,
951	struct flock *fl
952	);
953	/**
954	@brief Check with library validation if a macho slice is allowed to be combined into a proc.
955	@param p Subject process
956	@param fg Fileglob structure
957	@param slice_offset offset of the code slice
958	@param error_message error message returned to user-space in case of error (userspace pointer)
959	@param error_message_size error message size
960
961	Its a little odd that the MAC/kext writes into userspace since this
962	implies there is only one MAC module that implements this, however
963	the alterantive is to allocate memory in xnu, on the hope that
964	the MAC module will use it, or allocated in the MAC module and then
965	free it in xnu. Either of these are very appeling, so lets go with
966	the slightly more hacky way.
967
968	@return Return 0 if access is granted, otherwise an appropriate value for
969	errno should be returned.
970	*/
971	typedef int mpo_file_check_library_validation_t(
972	struct proc *p,
973	struct fileglob *fg,
974	off_t slice_offset,
975	user_long_t error_message,
976	size_t error_message_size
977	);
978	/**
979	@brief Access control check for mapping a file
980	@param cred Subject credential
981	@param fg fileglob representing file to map
982	@param label Policy label associated with vp
983	@param prot mmap protections; see mmap(2)
984	@param flags Type of mapped object; see mmap(2)
985	@param maxprot Maximum rights
986
987	Determine whether the subject identified by the credential should be
988	allowed to map the file represented by fg with the protections specified
989	in prot. The maxprot field holds the maximum permissions on the new
990	mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE.
991	To avoid overriding prior access control checks, a policy should only
992	remove flags from maxprot.
993
994	@return Return 0 if access is granted, otherwise an appropriate value for
995	errno should be returned. Suggested failure: EACCES for label mismatch or
996	EPERM for lack of privilege.
997	*/
998	typedef int mpo_file_check_mmap_t(
999	kauth_cred_t cred,
1000	struct fileglob *fg,
1001	struct label *label,
1002	int prot,
1003	int flags,
1004	uint64_t file_pos,
1005	int *maxprot
1006	);
1007	/**
1008	@brief Downgrade the mmap protections
1009	@param cred Subject credential
1010	@param fg file to map
1011	@param label Policy label associated with vp
1012	@param prot mmap protections to be downgraded
1013
1014	Downgrade the mmap protections based on the subject and object labels.
1015	*/
1016	typedef void mpo_file_check_mmap_downgrade_t(
1017	kauth_cred_t cred,
1018	struct fileglob *fg,
1019	struct label *label,
1020	int *prot
1021	);
1022	/**
1023	@brief Access control for receiving a file descriptor
1024	@param cred Subject credential
1025	@param fg Fileglob structure
1026	@param label Policy label for fg
1027
1028	Determine whether the subject identified by the credential can
1029	receive the fileglob structure represented by fg.
1030
1031	@return Return 0 if access if granted, otherwise an appropriate
1032	value for errno should be returned.
1033	*/
1034	typedef int mpo_file_check_receive_t(
1035	kauth_cred_t cred,
1036	struct fileglob *fg,
1037	struct label *label
1038	);
1039	/**
1040	@brief Access control check for mac_set_fd
1041	@param cred Subject credential
1042	@param fg Fileglob structure
1043	@param elements Elements buffer
1044	@param len Length of elements buffer
1045
1046	Determine whether the subject identified by the credential can
1047	perform the mac_set_fd operation. The mac_set_fd operation is used
1048	to associate a MAC label with a file.
1049
1050	@return Return 0 if access is granted, otherwise an appropriate value for
1051	errno should be returned.
1052	*/
1053	typedef int mpo_file_check_set_t(
1054	kauth_cred_t cred,
1055	struct fileglob *fg,
1056	char *elements,
1057	int len
1058	);
1059	/**
1060	@brief Create file label
1061	@param cred Subject credential
1062	@param fg Fileglob structure
1063	@param label Policy label for fg
1064	*/
1065	typedef void mpo_file_label_associate_t(
1066	kauth_cred_t cred,
1067	struct fileglob *fg,
1068	struct label *label
1069	);
1070	/**
1071	@brief Destroy file label
1072	@param label The label to be destroyed
1073
1074	Destroy the label on a file descriptor. In this entry point, a
1075	policy module should free any internal storage associated with
1076	label so that it may be destroyed.
1077	*/
1078	typedef void mpo_file_label_destroy_t(
1079	struct label *label
1080	);
1081	/**
1082	@brief Initialize file label
1083	@param label New label to initialize
1084	*/
1085	typedef void mpo_file_label_init_t(
1086	struct label *label
1087	);
1088	/**
1089	@brief Access control check for relabeling network interfaces
1090	@param cred Subject credential
1091	@param ifp network interface being relabeled
1092	@param ifnetlabel Current label of the network interfaces
1093	@param newlabel New label to apply to the network interfaces
1094	@see mpo_ifnet_label_update_t
1095
1096	Determine whether the subject identified by the credential can
1097	relabel the network interface represented by ifp to the supplied
1098	new label (newlabel).
1099
1100	@return Return 0 if access is granted, otherwise an appropriate value for
1101	errno should be returned.
1102	*/
1103	typedef int mpo_ifnet_check_label_update_t(
1104	kauth_cred_t cred,
1105	struct ifnet *ifp,
1106	struct label *ifnetlabel,
1107	struct label *newlabel
1108	);
1109	/**
1110	@brief Access control check for relabeling network interfaces
1111	@param ifp Network interface mbuf will be transmitted through
1112	@param ifnetlabel Label of the network interfaces
1113	@param m The mbuf to be transmitted
1114	@param mbuflabel Label of the mbuf to be transmitted
1115	@param family Address Family, AF_*
1116	@param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
1117
1118	Determine whether the mbuf with label mbuflabel may be transmitted
1119	through the network interface represented by ifp that has the
1120	label ifnetlabel.
1121
1122	@return Return 0 if access is granted, otherwise an appropriate value for
1123	errno should be returned.
1124	*/
1125	typedef int mpo_ifnet_check_transmit_t(
1126	struct ifnet *ifp,
1127	struct label *ifnetlabel,
1128	struct mbuf *m,
1129	struct label *mbuflabel,
1130	int family,
1131	int type
1132	);
1133	/**
1134	@brief Create a network interface label
1135	@param ifp Network interface labeled
1136	@param ifnetlabel Label for the network interface
1137
1138	Set the label of a newly created network interface, most likely
1139	using the information in the supplied network interface struct.
1140	*/
1141	typedef void mpo_ifnet_label_associate_t(
1142	struct ifnet *ifp,
1143	struct label *ifnetlabel
1144	);
1145	/**
1146	@brief Copy an ifnet label
1147	@param src Source ifnet label
1148	@param dest Destination ifnet label
1149
1150	Copy the label information from src to dest.
1151	*/
1152	typedef void mpo_ifnet_label_copy_t(
1153	struct label *src,
1154	struct label *dest
1155	);
1156	/**
1157	@brief Destroy ifnet label
1158	@param label The label to be destroyed
1159
1160	Destroy the label on an ifnet label. In this entry point, a
1161	policy module should free any internal storage associated with
1162	label so that it may be destroyed.
1163	*/
1164	typedef void mpo_ifnet_label_destroy_t(
1165	struct label *label
1166	);
1167	/**
1168	@brief Externalize an ifnet label
1169	@param label Label to be externalized
1170	@param element_name Name of the label namespace for which labels should be
1171	externalized
1172	@param sb String buffer to be filled with a text representation of the label
1173
1174	Produce an external representation of the label on an interface.
1175	An externalized label consists of a text representation of the
1176	label contents that can be used with user applications.
1177	Policy-agnostic user space tools will display this externalized
1178	version.
1179
1180	@return 0 on success, return non-zero if an error occurs while
1181	externalizing the label data.
1182
1183	*/
1184	typedef int mpo_ifnet_label_externalize_t(
1185	struct label *label,
1186	char *element_name,
1187	struct sbuf *sb
1188	);
1189	/**
1190	@brief Initialize ifnet label
1191	@param label New label to initialize
1192	*/
1193	typedef void mpo_ifnet_label_init_t(
1194	struct label *label
1195	);
1196	/**
1197	@brief Internalize an interface label
1198	@param label Label to be internalized
1199	@param element_name Name of the label namespace for which the label should
1200	be internalized
1201	@param element_data Text data to be internalized
1202
1203	Produce an interface label from an external representation. An
1204	externalized label consists of a text representation of the label
1205	contents that can be used with user applications. Policy-agnostic
1206	user space tools will forward text version to the kernel for
1207	processing by individual policy modules.
1208
1209	The policy's internalize entry points will be called only if the
1210	policy has registered interest in the label namespace.
1211
1212	@return 0 on success, Otherwise, return non-zero if an error occurs
1213	while internalizing the label data.
1214
1215	*/
1216	typedef int mpo_ifnet_label_internalize_t(
1217	struct label *label,
1218	char *element_name,
1219	char *element_data
1220	);
1221	/**
1222	@brief Recycle up a network interface label
1223	@param label The label to be recycled
1224
1225	Recycle a network interface label. Darwin caches the struct ifnet
1226	of detached ifnets in a "free pool". Before ifnets are returned
1227	to the "free pool", policies can cleanup or overwrite any information
1228	present in the label.
1229	*/
1230	typedef void mpo_ifnet_label_recycle_t(
1231	struct label *label
1232	);
1233	/**
1234	@brief Update a network interface label
1235	@param cred Subject credential
1236	@param ifp The network interface to be relabeled
1237	@param ifnetlabel The current label of the network interface
1238	@param newlabel A new label to apply to the network interface
1239	@see mpo_ifnet_check_label_update_t
1240
1241	Update the label on a network interface, using the supplied new label.
1242	*/
1243	typedef void mpo_ifnet_label_update_t(
1244	kauth_cred_t cred,
1245	struct ifnet *ifp,
1246	struct label *ifnetlabel,
1247	struct label *newlabel
1248	);
1249	/**
1250	@brief Access control check for delivering a packet to a socket
1251	@param inp inpcb the socket is associated with
1252	@param inplabel Label of the inpcb
1253	@param m The mbuf being received
1254	@param mbuflabel Label of the mbuf being received
1255	@param family Address family, AF_*
1256	@param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
1257
1258	Determine whether the mbuf with label mbuflabel may be received
1259	by the socket associated with inpcb that has the label inplabel.
1260
1261	@return Return 0 if access is granted, otherwise an appropriate value for
1262	errno should be returned.
1263	*/
1264	typedef int mpo_inpcb_check_deliver_t(
1265	struct inpcb *inp,
1266	struct label *inplabel,
1267	struct mbuf *m,
1268	struct label *mbuflabel,
1269	int family,
1270	int type
1271	);
1272	/**
1273	@brief Create an inpcb label
1274	@param so Socket containing the inpcb to be labeled
1275	@param solabel Label of the socket
1276	@param inp inpcb to be labeled
1277	@param inplabel Label for the inpcb
1278
1279	Set the label of a newly created inpcb, most likely
1280	using the information in the socket and/or socket label.
1281	*/
1282	typedef void mpo_inpcb_label_associate_t(
1283	struct socket *so,
1284	struct label *solabel,
1285	struct inpcb *inp,
1286	struct label *inplabel
1287	);
1288	/**
1289	@brief Destroy inpcb label
1290	@param label The label to be destroyed
1291
1292	Destroy the label on an inpcb label. In this entry point, a
1293	policy module should free any internal storage associated with
1294	label so that it may be destroyed.
1295	*/
1296	typedef void mpo_inpcb_label_destroy_t(
1297	struct label *label
1298	);
1299	/**
1300	@brief Initialize inpcb label
1301	@param label New label to initialize
1302	@param flag M_WAITOK or M_NOWAIT
1303	*/
1304	typedef int mpo_inpcb_label_init_t(
1305	struct label *label,
1306	int flag
1307	);
1308	/**
1309	@brief Recycle up an inpcb label
1310	@param label The label to be recycled
1311
1312	Recycle an inpcb label. Darwin allocates the inpcb as part of
1313	the socket structure in some cases. For this case we must recycle
1314	rather than destroy the inpcb as it will be reused later.
1315	*/
1316	typedef void mpo_inpcb_label_recycle_t(
1317	struct label *label
1318	);
1319	/**
1320	@brief Update an inpcb label from a socket label
1321	@param so Socket containing the inpcb to be relabeled
1322	@param solabel New label of the socket
1323	@param inp inpcb to be labeled
1324	@param inplabel Label for the inpcb
1325
1326	Set the label of a newly created inpcb due to a change in the
1327	underlying socket label.
1328	*/
1329	typedef void mpo_inpcb_label_update_t(
1330	struct socket *so,
1331	struct label *solabel,
1332	struct inpcb *inp,
1333	struct label *inplabel
1334	);
1335	/**
1336	@brief Device hardware access control
1337	@param devtype Type of device connected
1338
1339	This is the MAC Framework device access control, which is called by the I/O
1340	Kit when a new device is connected to the system to determine whether that
1341	device should be trusted. A list of properties associated with the device
1342	is passed as an XML-formatted string. The routine should examine these
1343	properties to determine the trustworthiness of the device. A return value
1344	of EPERM forces the device to be claimed by a special device driver that
1345	will prevent its operation.
1346
1347	@warning This is an experimental interface and may change in the future.
1348
1349	@return Return EPERM to indicate that the device is untrusted and should
1350	not be allowed to operate. Return zero to indicate that the device is
1351	trusted and should be allowed to operate normally.
1352
1353	*/
1354	typedef int mpo_iokit_check_device_t(
1355	char *devtype,
1356	struct mac_module_data *mdata
1357	);
1358	/**
1359	@brief Access control check for opening an I/O Kit device
1360	@param cred Subject credential
1361	@param user_client User client instance
1362	@param user_client_type User client type
1363
1364	Determine whether the subject identified by the credential can open an
1365	I/O Kit device at the passed path of the passed user client class and
1366	type.
1367
1368	@return Return 0 if access is granted, or an appropriate value for
1369	errno should be returned.
1370	*/
1371	typedef int mpo_iokit_check_open_t(
1372	kauth_cred_t cred,
1373	io_object_t user_client,
1374	unsigned int user_client_type
1375	);
1376	/**
1377	@brief Access control check for setting I/O Kit device properties
1378	@param cred Subject credential
1379	@param entry Target device
1380	@param properties Property list
1381
1382	Determine whether the subject identified by the credential can set
1383	properties on an I/O Kit device.
1384
1385	@return Return 0 if access is granted, or an appropriate value for
1386	errno should be returned.
1387	*/
1388	typedef int mpo_iokit_check_set_properties_t(
1389	kauth_cred_t cred,
1390	io_object_t entry,
1391	io_object_t properties
1392	);
1393	/**
1394	@brief Indicate desire to filter I/O Kit devices properties
1395	@param cred Subject credential
1396	@param entry Target device
1397	@see mpo_iokit_check_get_property_t
1398
1399	Indicate whether this policy may restrict the subject credential
1400	from reading properties of the target device.
1401	If a policy returns success from this entry point, the
1402	mpo_iokit_check_get_property entry point will later be called
1403	for each property that the subject credential tries to read from
1404	the target device.
1405
1406	This entry point is primarilly to optimize bulk property reads
1407	by skipping calls to the mpo_iokit_check_get_property entry point
1408	for credentials / devices no MAC policy is interested in.
1409
1410	@warning Even if a policy returns 0, it should behave correctly in
1411	the presence of an invocation of mpo_iokit_check_get_property, as that
1412	call may happen as a result of another policy requesting a transition.
1413
1414	@return Non-zero if a transition is required, 0 otherwise.
1415	*/
1416	typedef int mpo_iokit_check_filter_properties_t(
1417	kauth_cred_t cred,
1418	io_object_t entry
1419	);
1420	/**
1421	@brief Access control check for getting I/O Kit device properties
1422	@param cred Subject credential
1423	@param entry Target device
1424	@param name Property name
1425
1426	Determine whether the subject identified by the credential can get
1427	properties on an I/O Kit device.
1428
1429	@return Return 0 if access is granted, or an appropriate value for
1430	errno.
1431	*/
1432	typedef int mpo_iokit_check_get_property_t(
1433	kauth_cred_t cred,
1434	io_object_t entry,
1435	const char *name
1436	);
1437	/**
1438	@brief Access control check for software HID control
1439	@param cred Subject credential
1440
1441	Determine whether the subject identified by the credential can
1442	control the HID (Human Interface Device) subsystem, such as to
1443	post synthetic keypresses, pointer movement and clicks.
1444
1445	@return Return 0 if access is granted, or an appropriate value for
1446	errno.
1447	*/
1448	typedef int mpo_iokit_check_hid_control_t(
1449	kauth_cred_t cred
1450	);
1451	/**
1452	@brief Create an IP reassembly queue label
1453	@param fragment First received IP fragment
1454	@param fragmentlabel Policy label for fragment
1455	@param ipq IP reassembly queue to be labeled
1456	@param ipqlabel Policy label to be filled in for ipq
1457
1458	Set the label on a newly created IP reassembly queue from
1459	the mbuf header of the first received fragment.
1460	*/
1461	typedef void mpo_ipq_label_associate_t(
1462	struct mbuf *fragment,
1463	struct label *fragmentlabel,
1464	struct ipq *ipq,
1465	struct label *ipqlabel
1466	);
1467	/**
1468	@brief Compare an mbuf header label to an ipq label
1469	@param fragment IP datagram fragment
1470	@param fragmentlabel Policy label for fragment
1471	@param ipq IP fragment reassembly queue
1472	@param ipqlabel Policy label for ipq
1473
1474	Compare the label of the mbuf header containing an IP datagram
1475	(fragment) fragment with the label of the passed IP fragment
1476	reassembly queue (ipq). Return (1) for a successful match, or (0)
1477	for no match. This call is made when the IP stack attempts to
1478	find an existing fragment reassembly queue for a newly received
1479	fragment; if this fails, a new fragment reassembly queue may be
1480	instantiated for the fragment. Policies may use this entry point
1481	to prevent the reassembly of otherwise matching IP fragments if
1482	policy does not permit them to be reassembled based on the label
1483	or other information.
1484	*/
1485	typedef int mpo_ipq_label_compare_t(
1486	struct mbuf *fragment,
1487	struct label *fragmentlabel,
1488	struct ipq *ipq,
1489	struct label *ipqlabel
1490	);
1491	/**
1492	@brief Destroy IP reassembly queue label
1493	@param label The label to be destroyed
1494
1495	Destroy the label on an IP fragment queue. In this entry point, a
1496	policy module should free any internal storage associated with
1497	label so that it may be destroyed.
1498	*/
1499	typedef void mpo_ipq_label_destroy_t(
1500	struct label *label
1501	);
1502	/**
1503	@brief Initialize IP reassembly queue label
1504	@param label New label to initialize
1505	@param flag M_WAITOK or M_NOWAIT
1506
1507	Initialize the label on a newly instantiated IP fragment reassembly
1508	queue. The flag field may be one of M_WAITOK and M_NOWAIT, and
1509	should be employed to avoid performing a sleeping malloc(9) during
1510	this initialization call. IP fragment reassembly queue allocation
1511	frequently occurs in performance sensitive environments, and the
1512	implementation should be careful to avoid sleeping or long-lived
1513	operations. This entry point is permitted to fail resulting in
1514	the failure to allocate the IP fragment reassembly queue.
1515	*/
1516	typedef int mpo_ipq_label_init_t(
1517	struct label *label,
1518	int flag
1519	);
1520	/**
1521	@brief Update the label on an IP fragment reassembly queue
1522	@param fragment IP fragment
1523	@param fragmentlabel Policy label for fragment
1524	@param ipq IP fragment reassembly queue
1525	@param ipqlabel Policy label to be updated for ipq
1526
1527	Update the label on an IP fragment reassembly queue (ipq) based
1528	on the acceptance of the passed IP fragment mbuf header (fragment).
1529	*/
1530	typedef void mpo_ipq_label_update_t(
1531	struct mbuf *fragment,
1532	struct label *fragmentlabel,
1533	struct ipq *ipq,
1534	struct label *ipqlabel
1535	);
1536	/**
1537	@brief Assign a label to a new mbuf
1538	@param bpf_d BPF descriptor
1539	@param b_label Policy label for bpf_d
1540	@param m Object; mbuf
1541	@param m_label Policy label to fill in for m
1542
1543	Set the label on the mbuf header of a newly created datagram
1544	generated using the passed BPF descriptor. This call is made when
1545	a write is performed to the BPF device associated with the passed
1546	BPF descriptor.
1547	*/
1548	typedef void mpo_mbuf_label_associate_bpfdesc_t(
1549	struct bpf_d *bpf_d,
1550	struct label *b_label,
1551	struct mbuf *m,
1552	struct label *m_label
1553	);
1554	/**
1555	@brief Assign a label to a new mbuf
1556	@param ifp Interface descriptor
1557	@param i_label Existing label of ifp
1558	@param m Object; mbuf
1559	@param m_label Policy label to fill in for m
1560
1561	Label an mbuf based on the interface from which it was received.
1562	*/
1563	typedef void mpo_mbuf_label_associate_ifnet_t(
1564	struct ifnet *ifp,
1565	struct label *i_label,
1566	struct mbuf *m,
1567	struct label *m_label
1568	);
1569	/**
1570	@brief Assign a label to a new mbuf
1571	@param inp inpcb structure
1572	@param i_label Existing label of inp
1573	@param m Object; mbuf
1574	@param m_label Policy label to fill in for m
1575
1576	Label an mbuf based on the inpcb from which it was derived.
1577	*/
1578	typedef void mpo_mbuf_label_associate_inpcb_t(
1579	struct inpcb *inp,
1580	struct label *i_label,
1581	struct mbuf *m,
1582	struct label *m_label
1583	);
1584	/**
1585	@brief Set the label on a newly reassembled IP datagram
1586	@param ipq IP fragment reassembly queue
1587	@param ipqlabel Policy label for ipq
1588	@param mbuf IP datagram to be labeled
1589	@param mbuflabel Policy label to be filled in for mbuf
1590
1591	Set the label on a newly reassembled IP datagram (mbuf) from the IP
1592	fragment reassembly queue (ipq) from which it was generated.
1593	*/
1594	typedef void mpo_mbuf_label_associate_ipq_t(
1595	struct ipq *ipq,
1596	struct label *ipqlabel,
1597	struct mbuf *mbuf,
1598	struct label *mbuflabel
1599	);
1600	/**
1601	@brief Assign a label to a new mbuf
1602	@param ifp Subject; network interface
1603	@param i_label Existing label of ifp
1604	@param m Object; mbuf
1605	@param m_label Policy label to fill in for m
1606
1607	Set the label on the mbuf header of a newly created datagram
1608	generated for the purposes of a link layer response for the passed
1609	interface. This call may be made in a number of situations, including
1610	for ARP or ND6 responses in the IPv4 and IPv6 stacks.
1611	*/
1612	typedef void mpo_mbuf_label_associate_linklayer_t(
1613	struct ifnet *ifp,
1614	struct label *i_label,
1615	struct mbuf *m,
1616	struct label *m_label
1617	);
1618	/**
1619	@brief Assign a label to a new mbuf
1620	@param oldmbuf mbuf headerder for existing datagram for existing datagram
1621	@param oldmbuflabel Policy label for oldmbuf
1622	@param ifp Network interface
1623	@param ifplabel Policy label for ifp
1624	@param newmbuf mbuf header to be labeled for new datagram
1625	@param newmbuflabel Policy label for newmbuf
1626
1627	Set the label on the mbuf header of a newly created datagram
1628	generated from the existing passed datagram when it is processed
1629	by the passed multicast encapsulation interface. This call is made
1630	when an mbuf is to be delivered using the virtual interface.
1631	*/
1632	typedef void mpo_mbuf_label_associate_multicast_encap_t(
1633	struct mbuf *oldmbuf,
1634	struct label *oldmbuflabel,
1635	struct ifnet *ifp,
1636	struct label *ifplabel,
1637	struct mbuf *newmbuf,
1638	struct label *newmbuflabel
1639	);
1640	/**
1641	@brief Assign a label to a new mbuf
1642	@param oldmbuf Received datagram
1643	@param oldmbuflabel Policy label for oldmbuf
1644	@param newmbuf Newly created datagram
1645	@param newmbuflabel Policy label for newmbuf
1646
1647	Set the label on the mbuf header of a newly created datagram generated
1648	by the IP stack in response to an existing received datagram (oldmbuf).
1649	This call may be made in a number of situations, including when responding
1650	to ICMP request datagrams.
1651	*/
1652	typedef void mpo_mbuf_label_associate_netlayer_t(
1653	struct mbuf *oldmbuf,
1654	struct label *oldmbuflabel,
1655	struct mbuf *newmbuf,
1656	struct label *newmbuflabel
1657	);
1658	/**
1659	@brief Assign a label to a new mbuf
1660	@param so Socket to label
1661	@param so_label Policy label for socket
1662	@param m Object; mbuf
1663	@param m_label Policy label to fill in for m
1664
1665	An mbuf structure is used to store network traffic in transit.
1666	When an application sends data to a socket or a pipe, it is wrapped
1667	in an mbuf first. This function sets the label on a newly created mbuf header
1668	based on the socket sending the data. The contents of the label should be
1669	suitable for performing an access check on the receiving side of the
1670	communication.
1671
1672	Only labeled MBUFs will be presented to the policy via this entrypoint.
1673	*/
1674	typedef void mpo_mbuf_label_associate_socket_t(
1675	socket_t so,
1676	struct label *so_label,
1677	struct mbuf *m,
1678	struct label *m_label
1679	);
1680	/**
1681	@brief Copy a mbuf label
1682	@param src Source label
1683	@param dest Destination label
1684
1685	Copy the mbuf label information in src into dest.
1686
1687	Only called when both source and destination mbufs have labels.
1688	*/
1689	typedef void mpo_mbuf_label_copy_t(
1690	struct label *src,
1691	struct label *dest
1692	);
1693	/**
1694	@brief Destroy mbuf label
1695	@param label The label to be destroyed
1696
1697	Destroy a mbuf label. Since the
1698	object is going out of scope, policy modules should free any
1699	internal storage associated with the label so that it may be
1700	destroyed.
1701	*/
1702	typedef void mpo_mbuf_label_destroy_t(
1703	struct label *label
1704	);
1705	/**
1706	@brief Initialize mbuf label
1707	@param label New label to initialize
1708	@param flag Malloc flags
1709
1710	Initialize the label for a newly instantiated mbuf.
1711
1712	@warning Since it is possible for the flags to be set to
1713	M_NOWAIT, the malloc operation may fail.
1714
1715	@return On success, 0, otherwise, an appropriate errno return value.
1716	*/
1717	typedef int mpo_mbuf_label_init_t(
1718	struct label *label,
1719	int flag
1720	);
1721	/**
1722	@brief Access control check for fsctl
1723	@param cred Subject credential
1724	@param mp The mount point
1725	@param label Label associated with the mount point
1726	@param cmd Filesystem-dependent request code; see fsctl(2)
1727
1728	Determine whether the subject identified by the credential can perform
1729	the volume operation indicated by com.
1730
1731	@warning The fsctl() system call is directly analogous to ioctl(); since
1732	the associated data is opaque from the standpoint of the MAC framework
1733	and since these operations can affect many aspects of system operation,
1734	policies must exercise extreme care when implementing access control checks.
1735
1736	@return Return 0 if access is granted, otherwise an appropriate value for
1737	errno should be returned.
1738	*/
1739	typedef int mpo_mount_check_fsctl_t(
1740	kauth_cred_t cred,
1741	struct mount *mp,
1742	struct label *label,
1743	unsigned int cmd
1744	);
1745	/**
1746	@brief Access control check for the retrieval of file system attributes
1747	@param cred Subject credential
1748	@param mp The mount structure of the file system
1749	@param vfa The attributes requested
1750
1751	This entry point determines whether given subject can get information
1752	about the given file system. This check happens during statfs() syscalls,
1753	but is also used by other parts within the kernel such as the audit system.
1754
1755	@return Return 0 if access is granted, otherwise an appropriate value for
1756	errno should be returned.
1757
1758	@note Policies may change the contents of vfa to alter the list of
1759	file system attributes returned.
1760	*/
1761
1762	typedef int mpo_mount_check_getattr_t(
1763	kauth_cred_t cred,
1764	struct mount *mp,
1765	struct label *mp_label,
1766	struct vfs_attr *vfa
1767	);
1768	/**
1769	@brief Access control check for mount point relabeling
1770	@param cred Subject credential
1771	@param mp Object file system mount point
1772	@param mntlabel Policy label for fle system mount point
1773
1774	Determine whether the subject identified by the credential can relabel
1775	the mount point. This call is made when a file system mount is updated.
1776
1777	@return Return 0 if access is granted, otherwise an appropriate value for
1778	errno should be returned. Suggested failure: EACCES for label mismatch
1779	or EPERM for lack of privilege.
1780	*/
1781	typedef int mpo_mount_check_label_update_t(
1782	kauth_cred_t cred,
1783	struct mount *mp,
1784	struct label *mntlabel
1785	);
1786	/**
1787	@brief Access control check for mounting a file system
1788	@param cred Subject credential
1789	@param vp Vnode that is to be the mount point
1790	@param vlabel Label associated with the vnode
1791	@param cnp Component name for vp
1792	@param vfc_name Filesystem type name
1793
1794	Determine whether the subject identified by the credential can perform
1795	the mount operation on the target vnode.
1796
1797	@return Return 0 if access is granted, otherwise an appropriate value for
1798	errno should be returned.
1799	*/
1800	typedef int mpo_mount_check_mount_t(
1801	kauth_cred_t cred,
1802	struct vnode *vp,
1803	struct label *vlabel,
1804	struct componentname *cnp,
1805	const char *vfc_name
1806	);
1807	/**
1808	@brief Access control check for fs_snapshot_create
1809	@param cred Subject credential
1810	@mp Filesystem mount point to create snapshot of
1811	@name Name of snapshot to create
1812
1813	Determine whether the subject identified by the credential can
1814	create a snapshot of the filesystem at the given mount point.
1815
1816	@return Return 0 if access is granted, otherwise an appropriate value
1817	for errno should be returned.
1818	*/
1819	typedef int mpo_mount_check_snapshot_create_t(
1820	kauth_cred_t cred,
1821	struct mount *mp,
1822	const char *name
1823	);
1824	/**
1825	@brief Access control check for fs_snapshot_delete
1826	@param cred Subject credential
1827	@mp Filesystem mount point to delete snapshot of
1828	@name Name of snapshot to delete
1829
1830	Determine whether the subject identified by the credential can
1831	delete the named snapshot from the filesystem at the given
1832	mount point.
1833
1834	@return Return 0 if access is granted, otherwise an appropriate value
1835	for errno should be returned.
1836	*/
1837	typedef int mpo_mount_check_snapshot_delete_t(
1838	kauth_cred_t cred,
1839	struct mount *mp,
1840	const char *name
1841	);
1842	/**
1843	@brief Access control check for fs_snapshot_revert
1844	@param cred Subject credential
1845	@mp Filesystem mount point to revert to snapshot
1846	@name Name of snapshot to revert to
1847
1848	Determine whether the subject identified by the credential can
1849	revert the filesystem at the given mount point to the named snapshot.
1850
1851	@return Return 0 if access is granted, otherwise an appropriate value
1852	for errno should be returned.
1853	*/
1854	typedef int mpo_mount_check_snapshot_revert_t(
1855	kauth_cred_t cred,
1856	struct mount *mp,
1857	const char *name
1858	);
1859	/**
1860	@brief Access control check remounting a filesystem
1861	@param cred Subject credential
1862	@param mp The mount point
1863	@param mlabel Label currently associated with the mount point
1864
1865	Determine whether the subject identified by the credential can perform
1866	the remount operation on the target vnode.
1867
1868	@return Return 0 if access is granted, otherwise an appropriate value for
1869	errno should be returned.
1870	*/
1871	typedef int mpo_mount_check_remount_t(
1872	kauth_cred_t cred,
1873	struct mount *mp,
1874	struct label *mlabel
1875	);
1876	/**
1877	@brief Access control check for the settting of file system attributes
1878	@param cred Subject credential
1879	@param mp The mount structure of the file system
1880	@param vfa The attributes requested
1881
1882	This entry point determines whether given subject can set information
1883	about the given file system, for example the volume name.
1884
1885	@return Return 0 if access is granted, otherwise an appropriate value for
1886	errno should be returned.
1887	*/
1888
1889	typedef int mpo_mount_check_setattr_t(
1890	kauth_cred_t cred,
1891	struct mount *mp,
1892	struct label *mp_label,
1893	struct vfs_attr *vfa
1894	);
1895	/**
1896	@brief Access control check for file system statistics
1897	@param cred Subject credential
1898	@param mp Object file system mount
1899	@param mntlabel Policy label for mp
1900
1901	Determine whether the subject identified by the credential can see
1902	the results of a statfs performed on the file system. This call may
1903	be made in a number of situations, including during invocations of
1904	statfs(2) and related calls, as well as to determine what file systems
1905	to exclude from listings of file systems, such as when getfsstat(2)
1906	is invoked.
1907
1908	@return Return 0 if access is granted, otherwise an appropriate value for
1909	errno should be returned. Suggested failure: EACCES for label mismatch
1910	or EPERM for lack of privilege.
1911	*/
1912	typedef int mpo_mount_check_stat_t(
1913	kauth_cred_t cred,
1914	struct mount *mp,
1915	struct label *mntlabel
1916	);
1917	/**
1918	@brief Access control check for unmounting a filesystem
1919	@param cred Subject credential
1920	@param mp The mount point
1921	@param mlabel Label associated with the mount point
1922
1923	Determine whether the subject identified by the credential can perform
1924	the unmount operation on the target vnode.
1925
1926	@return Return 0 if access is granted, otherwise an appropriate value for
1927	errno should be returned.
1928	*/
1929	typedef int mpo_mount_check_umount_t(
1930	kauth_cred_t cred,
1931	struct mount *mp,
1932	struct label *mlabel
1933	);
1934	/**
1935	@brief Create mount labels
1936	@param cred Subject credential
1937	@param mp Mount point of file system being mounted
1938	@param mntlabel Label to associate with the new mount point
1939	@see mpo_mount_label_init_t
1940
1941	Fill out the labels on the mount point being created by the supplied
1942	user credential. This call is made when file systems are first mounted.
1943	*/
1944	typedef void mpo_mount_label_associate_t(
1945	kauth_cred_t cred,
1946	struct mount *mp,
1947	struct label *mntlabel
1948	);
1949	/**
1950	@brief Destroy mount label
1951	@param label The label to be destroyed
1952
1953	Destroy a file system mount label. Since the
1954	object is going out of scope, policy modules should free any
1955	internal storage associated with the label so that it may be
1956	destroyed.
1957	*/
1958	typedef void mpo_mount_label_destroy_t(
1959	struct label *label
1960	);
1961	/**
1962	@brief Externalize a mount point label
1963	@param label Label to be externalized
1964	@param element_name Name of the label namespace for which labels should be
1965	externalized
1966	@param sb String buffer to be filled with a text representation of the label
1967
1968	Produce an external representation of the mount point label. An
1969	externalized label consists of a text representation of the label
1970	contents that can be used with user applications. Policy-agnostic
1971	user space tools will display this externalized version.
1972
1973	The policy's externalize entry points will be called only if the
1974	policy has registered interest in the label namespace.
1975
1976	@return 0 on success, return non-zero if an error occurs while
1977	externalizing the label data.
1978
1979	*/
1980	typedef int mpo_mount_label_externalize_t(
1981	struct label *label,
1982	char *element_name,
1983	struct sbuf *sb
1984	);
1985	/**
1986	@brief Initialize mount point label
1987	@param label New label to initialize
1988
1989	Initialize the label for a newly instantiated mount structure.
1990	This label is typically used to store a default label in the case
1991	that the file system has been mounted singlelabel. Since some
1992	file systems do not support persistent labels (extended attributes)
1993	or are read-only (such as CD-ROMs), it is often necessary to store
1994	a default label separately from the label of the mount point
1995	itself. Sleeping is permitted.
1996	*/
1997	typedef void mpo_mount_label_init_t(
1998	struct label *label
1999	);
2000	/**
2001	@brief Internalize a mount point label
2002	@param label Label to be internalized
2003	@param element_name Name of the label namespace for which the label should
2004	be internalized
2005	@param element_data Text data to be internalized
2006
2007	Produce a mount point file system label from an external representation.
2008	An externalized label consists of a text representation of the label
2009	contents that can be used with user applications. Policy-agnostic
2010	user space tools will forward text version to the kernel for
2011	processing by individual policy modules.
2012
2013	The policy's internalize entry points will be called only if the
2014	policy has registered interest in the label namespace.
2015
2016	@return 0 on success, Otherwise, return non-zero if an error occurs
2017	while internalizing the label data.
2018
2019	*/
2020	typedef int mpo_mount_label_internalize_t(
2021	struct label *label,
2022	char *element_name,
2023	char *element_data
2024	);
2025	/**
2026	@brief Set the label on an IPv4 datagram fragment
2027	@param datagram Datagram being fragmented
2028	@param datagramlabel Policy label for datagram
2029	@param fragment New fragment
2030	@param fragmentlabel Policy label for fragment
2031
2032	Called when an IPv4 datagram is fragmented into several smaller datagrams.
2033	Policies implementing mbuf labels will typically copy the label from the
2034	source datagram to the new fragment.
2035	*/
2036	typedef void mpo_netinet_fragment_t(
2037	struct mbuf *datagram,
2038	struct label *datagramlabel,
2039	struct mbuf *fragment,
2040	struct label *fragmentlabel
2041	);
2042	/**
2043	@brief Set the label on an ICMP reply
2044	@param m mbuf containing the ICMP reply
2045	@param mlabel Policy label for m
2046
2047	A policy may wish to update the label of an mbuf that refers to
2048	an ICMP packet being sent in response to an IP packet. This may
2049	be called in response to a bad packet or an ICMP request.
2050	*/
2051	typedef void mpo_netinet_icmp_reply_t(
2052	struct mbuf *m,
2053	struct label *mlabel
2054	);
2055	/**
2056	@brief Set the label on a TCP reply
2057	@param m mbuf containing the TCP reply
2058	@param mlabel Policy label for m
2059
2060	Called for outgoing TCP packets not associated with an actual socket.
2061	*/
2062	typedef void mpo_netinet_tcp_reply_t(
2063	struct mbuf *m,
2064	struct label *mlabel
2065	);
2066	/**
2067	@brief Access control check for pipe ioctl
2068	@param cred Subject credential
2069	@param cpipe Object to be accessed
2070	@param pipelabel The label on the pipe
2071	@param cmd The ioctl command; see ioctl(2)
2072
2073	Determine whether the subject identified by the credential can perform
2074	the ioctl operation indicated by cmd.
2075
2076	@warning Since ioctl data is opaque from the standpoint of the MAC
2077	framework, policies must exercise extreme care when implementing
2078	access control checks.
2079
2080	@return Return 0 if access is granted, otherwise an appropriate value for
2081	errno should be returned.
2082
2083	*/
2084	typedef int mpo_pipe_check_ioctl_t(
2085	kauth_cred_t cred,
2086	struct pipe *cpipe,
2087	struct label *pipelabel,
2088	unsigned int cmd
2089	);
2090	/**
2091	@brief Access control check for pipe kqfilter
2092	@param cred Subject credential
2093	@param kn Object knote
2094	@param cpipe Object to be accessed
2095	@param pipelabel Policy label for the pipe
2096
2097	Determine whether the subject identified by the credential can
2098	receive the knote on the passed pipe.
2099
2100	@return Return 0 if access if granted, otherwise an appropriate
2101	value for errno should be returned.
2102	*/
2103	typedef int mpo_pipe_check_kqfilter_t(
2104	kauth_cred_t cred,
2105	struct knote *kn,
2106	struct pipe *cpipe,
2107	struct label *pipelabel
2108	);
2109	/**
2110	@brief Access control check for pipe relabel
2111	@param cred Subject credential
2112	@param cpipe Object to be accessed
2113	@param pipelabel The current label on the pipe
2114	@param newlabel The new label to be used
2115
2116	Determine whether the subject identified by the credential can
2117	perform a relabel operation on the passed pipe. The cred object holds
2118	the credentials of the subject performing the operation.
2119
2120	@return Return 0 if access is granted, otherwise an appropriate value for
2121	errno should be returned.
2122
2123	*/
2124	typedef int mpo_pipe_check_label_update_t(
2125	kauth_cred_t cred,
2126	struct pipe *cpipe,
2127	struct label *pipelabel,
2128	struct label *newlabel
2129	);
2130	/**
2131	@brief Access control check for pipe read
2132	@param cred Subject credential
2133	@param cpipe Object to be accessed
2134	@param pipelabel The label on the pipe
2135
2136	Determine whether the subject identified by the credential can
2137	perform a read operation on the passed pipe. The cred object holds
2138	the credentials of the subject performing the operation.
2139
2140	@return Return 0 if access is granted, otherwise an appropriate value for
2141	errno should be returned.
2142
2143	*/
2144	typedef int mpo_pipe_check_read_t(
2145	kauth_cred_t cred,
2146	struct pipe *cpipe,
2147	struct label *pipelabel
2148	);
2149	/**
2150	@brief Access control check for pipe select
2151	@param cred Subject credential
2152	@param cpipe Object to be accessed
2153	@param pipelabel The label on the pipe
2154	@param which The operation selected on: FREAD or FWRITE
2155
2156	Determine whether the subject identified by the credential can
2157	perform a select operation on the passed pipe. The cred object holds
2158	the credentials of the subject performing the operation.
2159
2160	@return Return 0 if access is granted, otherwise an appropriate value for
2161	errno should be returned.
2162
2163	*/
2164	typedef int mpo_pipe_check_select_t(
2165	kauth_cred_t cred,
2166	struct pipe *cpipe,
2167	struct label *pipelabel,
2168	int which
2169	);
2170	/**
2171	@brief Access control check for pipe stat
2172	@param cred Subject credential
2173	@param cpipe Object to be accessed
2174	@param pipelabel The label on the pipe
2175
2176	Determine whether the subject identified by the credential can
2177	perform a stat operation on the passed pipe. The cred object holds
2178	the credentials of the subject performing the operation.
2179
2180	@return Return 0 if access is granted, otherwise an appropriate value for
2181	errno should be returned.
2182
2183	*/
2184	typedef int mpo_pipe_check_stat_t(
2185	kauth_cred_t cred,
2186	struct pipe *cpipe,
2187	struct label *pipelabel
2188	);
2189	/**
2190	@brief Access control check for pipe write
2191	@param cred Subject credential
2192	@param cpipe Object to be accessed
2193	@param pipelabel The label on the pipe
2194
2195	Determine whether the subject identified by the credential can
2196	perform a write operation on the passed pipe. The cred object holds
2197	the credentials of the subject performing the operation.
2198
2199	@return Return 0 if access is granted, otherwise an appropriate value for
2200	errno should be returned.
2201
2202	*/
2203	typedef int mpo_pipe_check_write_t(
2204	kauth_cred_t cred,
2205	struct pipe *cpipe,
2206	struct label *pipelabel
2207	);
2208	/**
2209	@brief Create a pipe label
2210	@param cred Subject credential
2211	@param cpipe object to be labeled
2212	@param pipelabel Label for the pipe object
2213
2214	Create a label for the pipe object being created by the supplied
2215	user credential. This call is made when the pipe is being created
2216	XXXPIPE(for one or both sides of the pipe?).
2217
2218	*/
2219	typedef void mpo_pipe_label_associate_t(
2220	kauth_cred_t cred,
2221	struct pipe *cpipe,
2222	struct label *pipelabel
2223	);
2224	/**
2225	@brief Copy a pipe label
2226	@param src Source pipe label
2227	@param dest Destination pipe label
2228
2229	Copy the pipe label associated with src to dest.
2230	XXXPIPE Describe when this is used: most likely during pipe creation to
2231	copy from rpipe to wpipe.
2232	*/
2233	typedef void mpo_pipe_label_copy_t(
2234	struct label *src,
2235	struct label *dest
2236	);
2237	/**
2238	@brief Destroy pipe label
2239	@param label The label to be destroyed
2240
2241	Destroy a pipe label. Since the object is going out of scope,
2242	policy modules should free any internal storage associated with the
2243	label so that it may be destroyed.
2244	*/
2245	typedef void mpo_pipe_label_destroy_t(
2246	struct label *label
2247	);
2248	/**
2249	@brief Externalize a pipe label
2250	@param label Label to be externalized
2251	@param element_name Name of the label namespace for which labels should be
2252	externalized
2253	@param sb String buffer to be filled with a text representation of the label
2254
2255	Produce an external representation of the label on a pipe.
2256	An externalized label consists of a text representation
2257	of the label contents that can be used with user applications.
2258	Policy-agnostic user space tools will display this externalized
2259	version.
2260
2261	The policy's externalize entry points will be called only if the
2262	policy has registered interest in the label namespace.
2263
2264	@return 0 on success, return non-zero if an error occurs while
2265	externalizing the label data.
2266
2267	*/
2268	typedef int mpo_pipe_label_externalize_t(
2269	struct label *label,
2270	char *element_name,
2271	struct sbuf *sb
2272	);
2273	/**
2274	@brief Initialize pipe label
2275	@param label New label to initialize
2276
2277	Initialize label storage for use with a newly instantiated pipe object.
2278	Sleeping is permitted.
2279	*/
2280	typedef void mpo_pipe_label_init_t(
2281	struct label *label
2282	);
2283	/**
2284	@brief Internalize a pipe label
2285	@param label Label to be internalized
2286	@param element_name Name of the label namespace for which the label should
2287	be internalized
2288	@param element_data Text data to be internalized
2289
2290	Produce a pipe label from an external representation. An
2291	externalized label consists of a text representation of the label
2292	contents that can be used with user applications. Policy-agnostic
2293	user space tools will forward text version to the kernel for
2294	processing by individual policy modules.
2295
2296	The policy's internalize entry points will be called only if the
2297	policy has registered interest in the label namespace.
2298
2299	@return 0 on success, Otherwise, return non-zero if an error occurs
2300	while internalizing the label data.
2301
2302	*/
2303	typedef int mpo_pipe_label_internalize_t(
2304	struct label *label,
2305	char *element_name,
2306	char *element_data
2307	);
2308	/**
2309	@brief Update a pipe label
2310	@param cred Subject credential
2311	@param cpipe Object to be labeled
2312	@param oldlabel Existing pipe label
2313	@param newlabel New label to replace existing label
2314	@see mpo_pipe_check_label_update_t
2315
2316	The subject identified by the credential has previously requested
2317	and was authorized to relabel the pipe; this entry point allows
2318	policies to perform the actual relabel operation. Policies should
2319	update oldlabel using the label stored in the newlabel parameter.
2320
2321	*/
2322	typedef void mpo_pipe_label_update_t(
2323	kauth_cred_t cred,
2324	struct pipe *cpipe,
2325	struct label *oldlabel,
2326	struct label *newlabel
2327	);
2328	/**
2329	@brief Policy unload event
2330	@param mpc MAC policy configuration
2331
2332	This is the MAC Framework policy unload event. This entry point will
2333	only be called if the module's policy configuration allows unload (if
2334	the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't
2335	want to be unloaded; they should set their flags to prevent this
2336	entry point from being called.
2337
2338	@warning During this call, the mac policy list mutex is held, so
2339	sleep operations cannot be performed, and calls out to other kernel
2340	subsystems must be made with caution.
2341
2342	@see MPC_LOADTIME_FLAG_UNLOADOK
2343	*/
2344	typedef void mpo_policy_destroy_t(
2345	struct mac_policy_conf *mpc
2346	);
2347	/**
2348	@brief Policy initialization event
2349	@param mpc MAC policy configuration
2350	@see mac_policy_register
2351	@see mpo_policy_initbsd_t
2352
2353	This is the MAC Framework policy initialization event. This entry
2354	point is called during mac_policy_register, when the policy module
2355	is first registered with the MAC Framework. This is often done very
2356	early in the boot process, after the kernel Mach subsystem has been
2357	initialized, but prior to the BSD subsystem being initialized.
2358	Since the kernel BSD services are not yet available, it is possible
2359	that some initialization must occur later, possibly in the
2360	mpo_policy_initbsd_t policy entry point, such as registering BSD system
2361	controls (sysctls). Policy modules loaded at boot time will be
2362	registered and initialized before labeled Mach objects are created.
2363
2364	@warning During this call, the mac policy list mutex is held, so
2365	sleep operations cannot be performed, and calls out to other kernel
2366	subsystems must be made with caution.
2367	*/
2368	typedef void mpo_policy_init_t(
2369	struct mac_policy_conf *mpc
2370	);
2371	/**
2372	@brief Policy BSD initialization event
2373	@param mpc MAC policy configuration
2374	@see mpo_policy_init_t
2375
2376	This entry point is called after the kernel BSD subsystem has been
2377	initialized. By this point, the module should already be loaded,
2378	registered, and initialized. Since policy modules are initialized
2379	before kernel BSD services are available, this second initialization
2380	phase is necessary. At this point, BSD services (memory management,
2381	synchronization primitives, vfs, etc.) are available, but the first
2382	process has not yet been created. Mach-related objects and tasks
2383	will already be fully initialized and may be in use--policies requiring
2384	ubiquitous labeling may also want to implement mpo_policy_init_t.
2385
2386	@warning During this call, the mac policy list mutex is held, so
2387	sleep operations cannot be performed, and calls out to other kernel
2388	subsystems must be made with caution.
2389	*/
2390	typedef void mpo_policy_initbsd_t(
2391	struct mac_policy_conf *mpc
2392	);
2393	/**
2394	@brief Policy extension service
2395	@param p Calling process
2396	@param call Policy-specific syscall number
2397	@param arg Pointer to syscall arguments
2398
2399	This entry point provides a policy-multiplexed system call so that
2400	policies may provide additional services to user processes without
2401	registering specific system calls. The policy name provided during
2402	registration is used to demux calls from userland, and the arguments
2403	will be forwarded to this entry point. When implementing new
2404	services, security modules should be sure to invoke appropriate
2405	access control checks from the MAC framework as needed. For
2406	example, if a policy implements an augmented signal functionality,
2407	it should call the necessary signal access control checks to invoke
2408	the MAC framework and other registered policies.
2409
2410	@warning Since the format and contents of the policy-specific
2411	arguments are unknown to the MAC Framework, modules must perform the
2412	required copyin() of the syscall data on their own. No policy
2413	mediation is performed, so policies must perform any necessary
2414	access control checks themselves. If multiple policies are loaded,
2415	they will currently be unable to mediate calls to other policies.
2416
2417	@return In the event of an error, an appropriate value for errno
2418	should be returned, otherwise return 0 upon success.
2419	*/
2420	typedef int mpo_policy_syscall_t(
2421	struct proc *p,
2422	int call,
2423	user_addr_t arg
2424	);
2425	/**
2426	@brief Access control check for POSIX semaphore create
2427	@param cred Subject credential
2428	@param name String name of the semaphore
2429
2430	Determine whether the subject identified by the credential can create
2431	a POSIX semaphore specified by name.
2432
2433	@return Return 0 if access is granted, otherwise an appropriate value for
2434	errno should be returned.
2435	*/
2436	typedef int mpo_posixsem_check_create_t(
2437	kauth_cred_t cred,
2438	const char *name
2439	);
2440	/**
2441	@brief Access control check for POSIX semaphore open
2442	@param cred Subject credential
2443	@param ps Pointer to semaphore information structure
2444	@param semlabel Label associated with the semaphore
2445
2446	Determine whether the subject identified by the credential can open
2447	the named POSIX semaphore with label semlabel.
2448
2449	@return Return 0 if access is granted, otherwise an appropriate value for
2450	errno should be returned.
2451	*/
2452	typedef int mpo_posixsem_check_open_t(
2453	kauth_cred_t cred,
2454	struct pseminfo *ps,
2455	struct label *semlabel
2456	);
2457	/**
2458	@brief Access control check for POSIX semaphore post
2459	@param cred Subject credential
2460	@param ps Pointer to semaphore information structure
2461	@param semlabel Label associated with the semaphore
2462
2463	Determine whether the subject identified by the credential can unlock
2464	the named POSIX semaphore with label semlabel.
2465
2466	@return Return 0 if access is granted, otherwise an appropriate value for
2467	errno should be returned.
2468	*/
2469	typedef int mpo_posixsem_check_post_t(
2470	kauth_cred_t cred,
2471	struct pseminfo *ps,
2472	struct label *semlabel
2473	);
2474	/**
2475	@brief Access control check for POSIX semaphore unlink
2476	@param cred Subject credential
2477	@param ps Pointer to semaphore information structure
2478	@param semlabel Label associated with the semaphore
2479	@param name String name of the semaphore
2480
2481	Determine whether the subject identified by the credential can remove
2482	the named POSIX semaphore with label semlabel.
2483
2484	@return Return 0 if access is granted, otherwise an appropriate value for
2485	errno should be returned.
2486	*/
2487	typedef int mpo_posixsem_check_unlink_t(
2488	kauth_cred_t cred,
2489	struct pseminfo *ps,
2490	struct label *semlabel,
2491	const char *name
2492	);
2493	/**
2494	@brief Access control check for POSIX semaphore wait
2495	@param cred Subject credential
2496	@param ps Pointer to semaphore information structure
2497	@param semlabel Label associated with the semaphore
2498
2499	Determine whether the subject identified by the credential can lock
2500	the named POSIX semaphore with label semlabel.
2501
2502	@return Return 0 if access is granted, otherwise an appropriate value for
2503	errno should be returned.
2504	*/
2505	typedef int mpo_posixsem_check_wait_t(
2506	kauth_cred_t cred,
2507	struct pseminfo *ps,
2508	struct label *semlabel
2509	);
2510	/**
2511	@brief Create a POSIX semaphore label
2512	@param cred Subject credential
2513	@param ps Pointer to semaphore information structure
2514	@param semlabel Label to associate with the new semaphore
2515	@param name String name of the semaphore
2516
2517	Label a new POSIX semaphore. The label was previously
2518	initialized and associated with the semaphore. At this time, an
2519	appropriate initial label value should be assigned to the object and
2520	stored in semalabel.
2521	*/
2522	typedef void mpo_posixsem_label_associate_t(
2523	kauth_cred_t cred,
2524	struct pseminfo *ps,
2525	struct label *semlabel,
2526	const char *name
2527	);
2528	/**
2529	@brief Destroy POSIX semaphore label
2530	@param label The label to be destroyed
2531
2532	Destroy a POSIX semaphore label. Since the object is
2533	going out of scope, policy modules should free any internal storage
2534	associated with the label so that it may be destroyed.
2535	*/
2536	typedef void mpo_posixsem_label_destroy_t(
2537	struct label *label
2538	);
2539	/**
2540	@brief Initialize POSIX semaphore label
2541	@param label New label to initialize
2542
2543	Initialize the label for a newly instantiated POSIX semaphore. Sleeping
2544	is permitted.
2545	*/
2546	typedef void mpo_posixsem_label_init_t(
2547	struct label *label
2548	);
2549	/**
2550	@brief Access control check for POSIX shared memory region create
2551	@param cred Subject credential
2552	@param name String name of the shared memory region
2553
2554	Determine whether the subject identified by the credential can create
2555	the POSIX shared memory region referenced by name.
2556
2557	@return Return 0 if access is granted, otherwise an appropriate value for
2558	errno should be returned.
2559	*/
2560	typedef int mpo_posixshm_check_create_t(
2561	kauth_cred_t cred,
2562	const char *name
2563	);
2564	/**
2565	@brief Access control check for mapping POSIX shared memory
2566	@param cred Subject credential
2567	@param ps Pointer to shared memory information structure
2568	@param shmlabel Label associated with the shared memory region
2569	@param prot mmap protections; see mmap(2)
2570	@param flags shmat flags; see shmat(2)
2571
2572	Determine whether the subject identified by the credential can map
2573	the POSIX shared memory segment associated with shmlabel.
2574
2575	@return Return 0 if access is granted, otherwise an appropriate value for
2576	errno should be returned.
2577	*/
2578	typedef int mpo_posixshm_check_mmap_t(
2579	kauth_cred_t cred,
2580	struct pshminfo *ps,
2581	struct label *shmlabel,
2582	int prot,
2583	int flags
2584	);
2585	/**
2586	@brief Access control check for POSIX shared memory region open
2587	@param cred Subject credential
2588	@param ps Pointer to shared memory information structure
2589	@param shmlabel Label associated with the shared memory region
2590	@param fflags shm_open(2) open flags ('fflags' encoded)
2591
2592	Determine whether the subject identified by the credential can open
2593	the POSIX shared memory region.
2594
2595	@return Return 0 if access is granted, otherwise an appropriate value for
2596	errno should be returned.
2597	*/
2598	typedef int mpo_posixshm_check_open_t(
2599	kauth_cred_t cred,
2600	struct pshminfo *ps,
2601	struct label *shmlabel,
2602	int fflags
2603	);
2604	/**
2605	@brief Access control check for POSIX shared memory stat
2606	@param cred Subject credential
2607	@param ps Pointer to shared memory information structure
2608	@param shmlabel Label associated with the shared memory region
2609
2610	Determine whether the subject identified by the credential can obtain
2611	status for the POSIX shared memory segment associated with shmlabel.
2612
2613	@return Return 0 if access is granted, otherwise an appropriate value for
2614	errno should be returned.
2615	*/
2616	typedef int mpo_posixshm_check_stat_t(
2617	kauth_cred_t cred,
2618	struct pshminfo *ps,
2619	struct label *shmlabel
2620	);
2621	/**
2622	@brief Access control check for POSIX shared memory truncate
2623	@param cred Subject credential
2624	@param ps Pointer to shared memory information structure
2625	@param shmlabel Label associated with the shared memory region
2626	@param len Length to truncate or extend shared memory segment
2627
2628	Determine whether the subject identified by the credential can truncate
2629	or extend (to len) the POSIX shared memory segment associated with shmlabel.
2630
2631	@return Return 0 if access is granted, otherwise an appropriate value for
2632	errno should be returned.
2633	*/
2634	typedef int mpo_posixshm_check_truncate_t(
2635	kauth_cred_t cred,
2636	struct pshminfo *ps,
2637	struct label *shmlabel,
2638	off_t len
2639	);
2640	/**
2641	@brief Access control check for POSIX shared memory unlink
2642	@param cred Subject credential
2643	@param ps Pointer to shared memory information structure
2644	@param shmlabel Label associated with the shared memory region
2645	@param name String name of the shared memory region
2646
2647	Determine whether the subject identified by the credential can delete
2648	the POSIX shared memory segment associated with shmlabel.
2649
2650	@return Return 0 if access is granted, otherwise an appropriate value for
2651	errno should be returned.
2652	*/
2653	typedef int mpo_posixshm_check_unlink_t(
2654	kauth_cred_t cred,
2655	struct pshminfo *ps,
2656	struct label *shmlabel,
2657	const char *name
2658	);
2659	/**
2660	@brief Create a POSIX shared memory region label
2661	@param cred Subject credential
2662	@param ps Pointer to shared memory information structure
2663	@param shmlabel Label to associate with the new shared memory region
2664	@param name String name of the shared memory region
2665
2666	Label a new POSIX shared memory region. The label was previously
2667	initialized and associated with the shared memory region. At this
2668	time, an appropriate initial label value should be assigned to the
2669	object and stored in shmlabel.
2670	*/
2671	typedef void mpo_posixshm_label_associate_t(
2672	kauth_cred_t cred,
2673	struct pshminfo *ps,
2674	struct label *shmlabel,
2675	const char *name
2676	);
2677	/**
2678	@brief Destroy POSIX shared memory label
2679	@param label The label to be destroyed
2680
2681	Destroy a POSIX shared memory region label. Since the
2682	object is going out of scope, policy modules should free any
2683	internal storage associated with the label so that it may be
2684	destroyed.
2685	*/
2686	typedef void mpo_posixshm_label_destroy_t(
2687	struct label *label
2688	);
2689	/**
2690	@brief Initialize POSIX Shared Memory region label
2691	@param label New label to initialize
2692
2693	Initialize the label for newly a instantiated POSIX Shared Memory
2694	region. Sleeping is permitted.
2695	*/
2696	typedef void mpo_posixshm_label_init_t(
2697	struct label *label
2698	);
2699	/**
2700	@brief Access control check for privileged operations
2701	@param cred Subject credential
2702	@param priv Requested privilege (see sys/priv.h)
2703
2704	Determine whether the subject identified by the credential can perform
2705	a privileged operation. Privileged operations are allowed if the cred
2706	is the superuser or any policy returns zero for mpo_priv_grant, unless
2707	any policy returns nonzero for mpo_priv_check.
2708
2709	@return Return 0 if access is granted, otherwise EPERM should be returned.
2710	*/
2711	typedef int mpo_priv_check_t(
2712	kauth_cred_t cred,
2713	int priv
2714	);
2715	/**
2716	@brief Grant regular users the ability to perform privileged operations
2717	@param cred Subject credential
2718	@param priv Requested privilege (see sys/priv.h)
2719
2720	Determine whether the subject identified by the credential should be
2721	allowed to perform a privileged operation that in the absense of any
2722	MAC policy it would not be able to perform. Privileged operations are
2723	allowed if the cred is the superuser or any policy returns zero for
2724	mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check.
2725
2726	Unlike other MAC hooks which can only reduce the privilege of a
2727	credential, this hook raises the privilege of a credential when it
2728	returns 0. Extreme care must be taken when implementing this hook to
2729	avoid undermining the security of the system.
2730
2731	@return Return 0 if additional privilege is granted, otherwise EPERM
2732	should be returned.
2733	*/
2734	typedef int mpo_priv_grant_t(
2735	kauth_cred_t cred,
2736	int priv
2737	);
2738	/**
2739	@brief Access control check for debugging process
2740	@param cred Subject credential
2741	@param proc Object process
2742
2743	Determine whether the subject identified by the credential can debug
2744	the passed process. This call may be made in a number of situations,
2745	including use of the ptrace(2) and ktrace(2) APIs, as well as for some
2746	types of procfs operations.
2747
2748	@return Return 0 if access is granted, otherwise an appropriate value for
2749	errno should be returned. Suggested failure: EACCES for label mismatch,
2750	EPERM for lack of privilege, or ESRCH to hide visibility of the target.
2751	*/
2752	typedef int mpo_proc_check_debug_t(
2753	kauth_cred_t cred,
2754	struct proc *proc
2755	);
2756	/**
2757	@brief Access control over fork
2758	@param cred Subject credential
2759	@param proc Subject process trying to fork
2760
2761	Determine whether the subject identified is allowed to fork.
2762
2763	@return Return 0 if access is granted, otherwise an appropriate value for
2764	errno should be returned.
2765	*/
2766	typedef int mpo_proc_check_fork_t(
2767	kauth_cred_t cred,
2768	struct proc *proc
2769	);
2770	/**
2771	@brief Access control check for setting host special ports.
2772	@param cred Subject credential
2773	@param id The host special port to set
2774	@param port The new value to set for the special port
2775
2776	@return Return 0 if access is granted, otherwise an appropriate value for
2777	errno should be returned.
2778	*/
2779	typedef int mpo_proc_check_set_host_special_port_t(
2780	kauth_cred_t cred,
2781	int id,
2782	struct ipc_port *port
2783	);
2784	/**
2785	@brief Access control check for setting host exception ports.
2786	@param cred Subject credential
2787	@param exception Exception port to set
2788
2789	@return Return 0 if access is granted, otherwise an appropriate value for
2790	errno should be returned.
2791	*/
2792	typedef int mpo_proc_check_set_host_exception_port_t(
2793	kauth_cred_t cred,
2794	unsigned int exception
2795	);
2796	/**
2797	@brief Access control over pid_suspend and pid_resume
2798	@param cred Subject credential
2799	@param proc Subject process trying to run pid_suspend or pid_resume
2800	@param sr Call is suspend (0) or resume (1)
2801
2802	Determine whether the subject identified is allowed to suspend or resume
2803	other processes.
2804
2805	@return Return 0 if access is granted, otherwise an appropriate value for
2806	errno should be returned.
2807	*/
2808	typedef int mpo_proc_check_suspend_resume_t(
2809	kauth_cred_t cred,
2810	struct proc *proc,
2811	int sr
2812	);
2813	/**
2814	@brief Access control check for retrieving audit information
2815	@param cred Subject credential
2816
2817	Determine whether the subject identified by the credential can get
2818	audit information such as the audit user ID, the preselection mask,
2819	the terminal ID and the audit session ID, using the getaudit() system call.
2820
2821	@return Return 0 if access is granted, otherwise an appropriate value for
2822	errno should be returned.
2823	*/
2824	typedef int mpo_proc_check_getaudit_t(
2825	kauth_cred_t cred
2826	);
2827	/**
2828	@brief Access control check for retrieving audit user ID
2829	@param cred Subject credential
2830
2831	Determine whether the subject identified by the credential can get
2832	the user identity being used by the auditing system, using the getauid()
2833	system call.
2834
2835	@return Return 0 if access is granted, otherwise an appropriate value for
2836	errno should be returned.
2837	*/
2838	typedef int mpo_proc_check_getauid_t(
2839	kauth_cred_t cred
2840	);
2841	/**
2842	@brief Access control check for retrieving Login Context ID
2843	@param p0 Calling process
2844	@param p Effected process
2845	@param pid syscall PID argument
2846
2847	Determine if getlcid(2) system call is permitted.
2848
2849	Information returned by this system call is similar to that returned via
2850	process listings etc.
2851
2852	@return Return 0 if access is granted, otherwise an appropriate value for
2853	errno should be returned.
2854	*/
2855	typedef int mpo_proc_check_getlcid_t(
2856	struct proc *p0,
2857	struct proc *p,
2858	pid_t pid
2859	);
2860	/**
2861	@brief Access control check for retrieving ledger information
2862	@param cred Subject credential
2863	@param target Object process
2864	@param op ledger operation
2865
2866	Determine if ledger(2) system call is permitted.
2867
2868	Information returned by this system call is similar to that returned via
2869	process listings etc.
2870
2871	@return Return 0 if access is granted, otherwise an appropriate value for
2872	errno should be returned.
2873	*/
2874	typedef int mpo_proc_check_ledger_t(
2875	kauth_cred_t cred,
2876	struct proc *target,
2877	int op
2878	);
2879	/**
2880	@brief Access control check for retrieving process information.
2881	@param cred Subject credential
2882	@param target Target process (may be null, may be zombie)
2883
2884	Determine if a credential has permission to access process information as defined
2885	by call number and flavor on target process
2886
2887	@return Return 0 if access is granted, otherwise an appropriate value for
2888	errno should be returned.
2889	*/
2890	typedef int mpo_proc_check_proc_info_t(
2891	kauth_cred_t cred,
2892	struct proc *target,
2893	int callnum,
2894	int flavor
2895	);
2896	/**
2897	@brief Access control check for retrieving code signing information.
2898	@param cred Subject credential
2899	@param target Target process
2900	@param op Code signing operation being performed
2901
2902	Determine whether the subject identified by the credential should be
2903	allowed to get code signing information about the target process.
2904
2905	@return Return 0 if access is granted, otherwise an appropriate value for
2906	errno should be returned.
2907	*/
2908	typedef int mpo_proc_check_get_cs_info_t(
2909	kauth_cred_t cred,
2910	struct proc *target,
2911	unsigned int op
2912	);
2913	/**
2914	@brief Access control check for setting code signing information.
2915	@param cred Subject credential
2916	@param target Target process
2917	@param op Code signing operation being performed.
2918
2919	Determine whether the subject identified by the credential should be
2920	allowed to set code signing information about the target process.
2921
2922	@return Return 0 if permission is granted, otherwise an appropriate
2923	value of errno should be returned.
2924	*/
2925	typedef int mpo_proc_check_set_cs_info_t(
2926	kauth_cred_t cred,
2927	struct proc *target,
2928	unsigned int op
2929	);
2930	/**
2931	@brief Access control check for mmap MAP_ANON
2932	@param proc User process requesting the memory
2933	@param cred Subject credential
2934	@param u_addr Start address of the memory range
2935	@param u_size Length address of the memory range
2936	@param prot mmap protections; see mmap(2)
2937	@param flags Type of mapped object; see mmap(2)
2938	@param maxprot Maximum rights
2939
2940	Determine whether the subject identified by the credential should be
2941	allowed to obtain anonymous memory using the specified flags and
2942	protections on the new mapping. MAP_ANON will always be present in the
2943	flags. Certain combinations of flags with a non-NULL addr may
2944	cause a mapping to be rejected before this hook is called. The maxprot field
2945	holds the maximum permissions on the new mapping, a combination of
2946	VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior
2947	access control checks, a policy should only remove flags from maxprot.
2948
2949	@return Return 0 if access is granted, otherwise an appropriate value for
2950	errno should be returned. Suggested failure: EPERM for lack of privilege.
2951	*/
2952	typedef int mpo_proc_check_map_anon_t(
2953	struct proc *proc,
2954	kauth_cred_t cred,
2955	user_addr_t u_addr,
2956	user_size_t u_size,
2957	int prot,
2958	int flags,
2959	int *maxprot
2960	);
2961	/**
2962	@brief Access control check for setting memory protections
2963	@param cred Subject credential
2964	@param proc User process requesting the change
2965	@param addr Start address of the memory range
2966	@param size Length address of the memory range
2967	@param prot Memory protections, see mmap(2)
2968
2969	Determine whether the subject identified by the credential should
2970	be allowed to set the specified memory protections on memory mapped
2971	in the process proc.
2972
2973	@return Return 0 if access is granted, otherwise an appropriate value for
2974	errno should be returned.
2975	*/
2976	typedef int mpo_proc_check_mprotect_t(
2977	kauth_cred_t cred,
2978	struct proc *proc,
2979	user_addr_t addr,
2980	user_size_t size,
2981	int prot
2982	);
2983	/**
2984	@brief Access control check for changing scheduling parameters
2985	@param cred Subject credential
2986	@param proc Object process
2987
2988	Determine whether the subject identified by the credential can change
2989	the scheduling parameters of the passed process.
2990
2991	@return Return 0 if access is granted, otherwise an appropriate value for
2992	errno should be returned. Suggested failure: EACCES for label mismatch,
2993	EPERM for lack of privilege, or ESRCH to limit visibility.
2994	*/
2995	typedef int mpo_proc_check_sched_t(
2996	kauth_cred_t cred,
2997	struct proc *proc
2998	);
2999	/**
3000	@brief Access control check for setting audit information
3001	@param cred Subject credential
3002	@param ai Audit information
3003
3004	Determine whether the subject identified by the credential can set
3005	audit information such as the the preselection mask, the terminal ID
3006	and the audit session ID, using the setaudit() system call.
3007
3008	@return Return 0 if access is granted, otherwise an appropriate value for
3009	errno should be returned.
3010	*/
3011	typedef int mpo_proc_check_setaudit_t(
3012	kauth_cred_t cred,
3013	struct auditinfo_addr *ai
3014	);
3015	/**
3016	@brief Access control check for setting audit user ID
3017	@param cred Subject credential
3018	@param auid Audit user ID
3019
3020	Determine whether the subject identified by the credential can set
3021	the user identity used by the auditing system, using the setauid()
3022	system call.
3023
3024	@return Return 0 if access is granted, otherwise an appropriate value for
3025	errno should be returned.
3026	*/
3027	typedef int mpo_proc_check_setauid_t(
3028	kauth_cred_t cred,
3029	uid_t auid
3030	);
3031	/**
3032	@brief Access control check for setting the Login Context
3033	@param p0 Calling process
3034	@param p Effected process
3035	@param pid syscall PID argument
3036	@param lcid syscall LCID argument
3037
3038	Determine if setlcid(2) system call is permitted.
3039
3040	See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of
3041	decoding syscall arguments to determine action desired by caller.
3042
3043	Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN
3044
3045	@return Return 0 if access is granted, otherwise an appropriate value for
3046	errno should be returned.
3047	*/
3048	typedef int mpo_proc_check_setlcid_t(
3049	struct proc *p0,
3050	struct proc *p,
3051	pid_t pid,
3052	pid_t lcid
3053	);
3054	/**
3055	@brief Access control check for delivering signal
3056	@param cred Subject credential
3057	@param proc Object process
3058	@param signum Signal number; see kill(2)
3059
3060	Determine whether the subject identified by the credential can deliver
3061	the passed signal to the passed process.
3062
3063	@warning Programs typically expect to be able to send and receive
3064	signals as part or their normal process lifecycle; caution should be
3065	exercised when implementing access controls over signal events.
3066
3067	@return Return 0 if access is granted, otherwise an appropriate value for
3068	errno should be returned. Suggested failure: EACCES for label mismatch,
3069	EPERM for lack of privilege, or ESRCH to limit visibility.
3070	*/
3071	typedef int mpo_proc_check_signal_t(
3072	kauth_cred_t cred,
3073	struct proc *proc,
3074	int signum
3075	);
3076	/**
3077	@brief Access control check for wait
3078	@param cred Subject credential
3079	@param proc Object process
3080
3081	Determine whether the subject identified by the credential can wait
3082	for process termination.
3083
3084	@warning Caution should be exercised when implementing access
3085	controls for wait, since programs often wait for child processes to
3086	exit. Failure to be notified of a child process terminating may
3087	cause the parent process to hang, or may produce zombie processes.
3088
3089	@return Return 0 if access is granted, otherwise an appropriate value for
3090	errno should be returned.
3091	*/
3092	typedef int mpo_proc_check_wait_t(
3093	kauth_cred_t cred,
3094	struct proc *proc
3095	);
3096	/**
3097	@brief Inform MAC policies that a process has exited.
3098	@param proc Object process
3099
3100	Called after all of the process's threads have terminated and
3101	it has been removed from the process list. KPI that identifies
3102	the process by pid will fail to find the process; KPI that
3103	identifies the process by the object process pointer functions
3104	normally. proc_exiting() returns true for the object process.
3105	*/
3106	typedef void mpo_proc_notify_exit_t(
3107	struct proc *proc
3108	);
3109	/**
3110	@brief Destroy process label
3111	@param label The label to be destroyed
3112
3113	Destroy a process label. Since the object is going
3114	out of scope, policy modules should free any internal storage
3115	associated with the label so that it may be destroyed.
3116	*/
3117	typedef void mpo_proc_label_destroy_t(
3118	struct label *label
3119	);
3120	/**
3121	@brief Initialize process label
3122	@param label New label to initialize
3123	@see mpo_cred_label_init_t
3124
3125	Initialize the label for a newly instantiated BSD process structure.
3126	Normally, security policies will store the process label in the user
3127	credential rather than here in the process structure. However,
3128	there are some floating label policies that may need to temporarily
3129	store a label in the process structure until it is safe to update
3130	the user credential label. Sleeping is permitted.
3131	*/
3132	typedef void mpo_proc_label_init_t(
3133	struct label *label
3134	);
3135	/**
3136	@brief Access control check for skywalk flow connect
3137	@param cred Subject credential
3138	@param flow Flow object
3139	@param addr Remote address for flow to send data to
3140	@param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM)
3141	@param protocol Network protocol (e.g. IPPROTO_TCP)
3142
3143	Determine whether the subject identified by the credential can
3144	create a flow for sending data to the remote host specified by
3145	addr.
3146
3147	@return Return 0 if access if granted, otherwise an appropriate
3148	value for errno should be returned.
3149	*/
3150	typedef int mpo_skywalk_flow_check_connect_t(
3151	kauth_cred_t cred,
3152	void *flow,
3153	const struct sockaddr *addr,
3154	int type,
3155	int protocol
3156	);
3157	/**
3158	@brief Access control check for skywalk flow listen
3159	@param cred Subject credential
3160	@param flow Flow object
3161	@param addr Local address for flow to listen on
3162	@param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM)
3163	@param protocol Network protocol (e.g. IPPROTO_TCP)
3164
3165	Determine whether the subject identified by the credential can
3166	create a flow for receiving data on the local address specified
3167	by addr.
3168
3169	@return Return 0 if access if granted, otherwise an appropriate
3170	value for errno should be returned.
3171	*/
3172	typedef int mpo_skywalk_flow_check_listen_t(
3173	kauth_cred_t cred,
3174	void *flow,
3175	const struct sockaddr *addr,
3176	int type,
3177	int protocol
3178	);
3179	/**
3180	@brief Access control check for socket accept
3181	@param cred Subject credential
3182	@param so Object socket
3183	@param socklabel Policy label for socket
3184
3185	Determine whether the subject identified by the credential can accept()
3186	a new connection on the socket from the host specified by addr.
3187
3188	@return Return 0 if access if granted, otherwise an appropriate
3189	value for errno should be returned.
3190	*/
3191	typedef int mpo_socket_check_accept_t(
3192	kauth_cred_t cred,
3193	socket_t so,
3194	struct label *socklabel
3195	);
3196	/**
3197	@brief Access control check for a pending socket accept
3198	@param cred Subject credential
3199	@param so Object socket
3200	@param socklabel Policy label for socket
3201	@param addr Address of the listening socket (coming soon)
3202
3203	Determine whether the subject identified by the credential can accept()
3204	a pending connection on the socket from the host specified by addr.
3205
3206	@return Return 0 if access if granted, otherwise an appropriate
3207	value for errno should be returned.
3208	*/
3209	typedef int mpo_socket_check_accepted_t(
3210	kauth_cred_t cred,
3211	socket_t so,
3212	struct label *socklabel,
3213	struct sockaddr *addr
3214	);
3215	/**
3216	@brief Access control check for socket bind
3217	@param cred Subject credential
3218	@param so Object socket
3219	@param socklabel Policy label for socket
3220	@param addr Name to assign to the socket
3221
3222	Determine whether the subject identified by the credential can bind()
3223	the name (addr) to the socket.
3224
3225	@return Return 0 if access if granted, otherwise an appropriate
3226	value for errno should be returned.
3227	*/
3228	typedef int mpo_socket_check_bind_t(
3229	kauth_cred_t cred,
3230	socket_t so,
3231	struct label *socklabel,
3232	struct sockaddr *addr
3233	);
3234	/**
3235	@brief Access control check for socket connect
3236	@param cred Subject credential
3237	@param so Object socket
3238	@param socklabel Policy label for socket
3239	@param addr Name to assign to the socket
3240
3241	Determine whether the subject identified by the credential can
3242	connect() the passed socket to the remote host specified by addr.
3243
3244	@return Return 0 if access if granted, otherwise an appropriate
3245	value for errno should be returned.
3246	*/
3247	typedef int mpo_socket_check_connect_t(
3248	kauth_cred_t cred,
3249	socket_t so,
3250	struct label *socklabel,
3251	struct sockaddr *addr
3252	);
3253	/**
3254	@brief Access control check for socket() system call.
3255	@param cred Subject credential
3256	@param domain communication domain
3257	@param type socket type
3258	@param protocol socket protocol
3259
3260	Determine whether the subject identified by the credential can
3261	make the socket() call.
3262
3263	@return Return 0 if access if granted, otherwise an appropriate
3264	value for errno should be returned.
3265	*/
3266	typedef int mpo_socket_check_create_t(
3267	kauth_cred_t cred,
3268	int domain,
3269	int type,
3270	int protocol
3271	);
3272	/**
3273	@brief Access control check for delivering data to a user's receieve queue
3274	@param so The socket data is being delivered to
3275	@param so_label The label of so
3276	@param m The mbuf whose data will be deposited into the receive queue
3277	@param m_label The label of the sender of the data.
3278
3279	A socket has a queue for receiving incoming data. When a packet arrives
3280	on the wire, it eventually gets deposited into this queue, which the
3281	owner of the socket drains when they read from the socket's file descriptor.
3282
3283	This function determines whether the socket can receive data from
3284	the sender specified by m_label.
3285
3286	@warning There is an outstanding design issue surrounding the placement
3287	of this function. The check must be placed either before or after the
3288	TCP sequence and ACK counters are updated. Placing the check before
3289	the counters are updated causes the incoming packet to be resent by
3290	the remote if the check rejects it. Placing the check after the counters
3291	are updated results in a completely silent drop. As far as each TCP stack
3292	is concerned the packet was received, however, the data will not be in the
3293	socket's receive queue. Another consideration is that the current design
3294	requires using the "failed label" occasionally. In that case, on rejection,
3295	we want the remote TCP to resend the data. Because of this, we chose to
3296	place this check before the counters are updated, so rejected packets will be
3297	resent by the remote host.
3298
3299	If a policy keeps rejecting the same packet, eventually the connection will
3300	be dropped. Policies have several options if this design causes problems.
3301	For example, one options is to sanitize the mbuf such that it is acceptable,
3302	then accept it. That may require negotiation between policies as the
3303	Framework will not know to re-check the packet.
3304
3305	The policy must handle NULL MBUF labels. This will likely be the case
3306	for non-local TCP sockets for example.
3307
3308	@return Return 0 if access if granted, otherwise an appropriate
3309	value for errno should be returned.
3310	*/
3311	typedef int mpo_socket_check_deliver_t(
3312	socket_t so,
3313	struct label *so_label,
3314	struct mbuf *m,
3315	struct label *m_label
3316	);
3317	/**
3318	@brief Access control check for socket ioctl.
3319	@param cred Subject credential
3320	@param so Object socket
3321	@param cmd The ioctl command; see ioctl(2)
3322	@param socklabel Policy label for socket
3323
3324	Determine whether the subject identified by the credential can perform
3325	the ioctl operation indicated by cmd on the given socket.
3326
3327	@warning Since ioctl data is opaque from the standpoint of the MAC
3328	framework, and since ioctls can affect many aspects of system
3329	operation, policies must exercise extreme care when implementing
3330	access control checks.
3331
3332	@return Return 0 if access is granted, otherwise an appropriate value for
3333	errno should be returned.
3334	*/
3335	typedef int mpo_socket_check_ioctl_t(
3336	kauth_cred_t cred,
3337	socket_t so,
3338	unsigned int cmd,
3339	struct label *socklabel
3340	);
3341	/**
3342	@brief Access control check for socket kqfilter
3343	@param cred Subject credential
3344	@param kn Object knote
3345	@param so Object socket
3346	@param socklabel Policy label for socket
3347
3348	Determine whether the subject identified by the credential can
3349	receive the knote on the passed socket.
3350
3351	@return Return 0 if access if granted, otherwise an appropriate
3352	value for errno should be returned.
3353	*/
3354	typedef int mpo_socket_check_kqfilter_t(
3355	kauth_cred_t cred,
3356	struct knote *kn,
3357	socket_t so,
3358	struct label *socklabel
3359	);
3360	/**
3361	@brief Access control check for socket relabel
3362	@param cred Subject credential
3363	@param so Object socket
3364	@param so_label The current label of so
3365	@param newlabel The label to be assigned to so
3366
3367	Determine whether the subject identified by the credential can
3368	change the label on the socket.
3369
3370	@return Return 0 if access if granted, otherwise an appropriate
3371	value for errno should be returned.
3372	*/
3373	typedef int mpo_socket_check_label_update_t(
3374	kauth_cred_t cred,
3375	socket_t so,
3376	struct label *so_label,
3377	struct label *newlabel
3378	);
3379	/**
3380	@brief Access control check for socket listen
3381	@param cred Subject credential
3382	@param so Object socket
3383	@param socklabel Policy label for socket
3384
3385	Determine whether the subject identified by the credential can
3386	listen() on the passed socket.
3387
3388	@return Return 0 if access if granted, otherwise an appropriate
3389	value for errno should be returned.
3390	*/
3391	typedef int mpo_socket_check_listen_t(
3392	kauth_cred_t cred,
3393	socket_t so,
3394	struct label *socklabel
3395	);
3396	/**
3397	@brief Access control check for socket receive
3398	@param cred Subject credential
3399	@param so Object socket
3400	@param socklabel Policy label for socket
3401
3402	Determine whether the subject identified by the credential can
3403	receive data from the socket.
3404
3405	@return Return 0 if access if granted, otherwise an appropriate
3406	value for errno should be returned.
3407	*/
3408	typedef int mpo_socket_check_receive_t(
3409	kauth_cred_t cred,
3410	socket_t so,
3411	struct label *socklabel
3412	);
3413
3414	/**
3415	@brief Access control check for socket receive
3416	@param cred Subject credential
3417	@param sock Object socket
3418	@param socklabel Policy label for socket
3419	@param saddr Name of the remote socket
3420
3421	Determine whether the subject identified by the credential can
3422	receive data from the remote host specified by addr.
3423
3424	@return Return 0 if access if granted, otherwise an appropriate
3425	value for errno should be returned.
3426	*/
3427	typedef int mpo_socket_check_received_t(
3428	kauth_cred_t cred,
3429	struct socket *sock,
3430	struct label *socklabel,
3431	struct sockaddr *saddr
3432	);
3433
3434
3435	/**
3436	@brief Access control check for socket select
3437	@param cred Subject credential
3438	@param so Object socket
3439	@param socklabel Policy label for socket
3440	@param which The operation selected on: FREAD or FWRITE
3441
3442	Determine whether the subject identified by the credential can use the
3443	socket in a call to select().
3444
3445	@return Return 0 if access if granted, otherwise an appropriate
3446	value for errno should be returned.
3447	*/
3448	typedef int mpo_socket_check_select_t(
3449	kauth_cred_t cred,
3450	socket_t so,
3451	struct label *socklabel,
3452	int which
3453	);
3454	/**
3455	@brief Access control check for socket send
3456	@param cred Subject credential
3457	@param so Object socket
3458	@param socklabel Policy label for socket
3459	@param addr Address being sent to
3460
3461	Determine whether the subject identified by the credential can send
3462	data to the socket.
3463
3464	@return Return 0 if access if granted, otherwise an appropriate
3465	value for errno should be returned.
3466	*/
3467	typedef int mpo_socket_check_send_t(
3468	kauth_cred_t cred,
3469	socket_t so,
3470	struct label *socklabel,
3471	struct sockaddr *addr
3472	);
3473	/**
3474	@brief Access control check for retrieving socket status
3475	@param cred Subject credential
3476	@param so Object socket
3477	@param socklabel Policy label for so
3478
3479	Determine whether the subject identified by the credential can
3480	execute the stat() system call on the given socket.
3481
3482	@return Return 0 if access if granted, otherwise an appropriate
3483	value for errno should be returned.
3484	*/
3485	typedef int mpo_socket_check_stat_t(
3486	kauth_cred_t cred,
3487	socket_t so,
3488	struct label *socklabel
3489	);
3490	/**
3491	@brief Access control check for setting socket options
3492	@param cred Subject credential
3493	@param so Object socket
3494	@param socklabel Policy label for so
3495	@param sopt The options being set
3496
3497	Determine whether the subject identified by the credential can
3498	execute the setsockopt system call on the given socket.
3499
3500	@return Return 0 if access if granted, otherwise an appropriate
3501	value for errno should be returned.
3502	*/
3503	typedef int mpo_socket_check_setsockopt_t(
3504	kauth_cred_t cred,
3505	socket_t so,
3506	struct label *socklabel,
3507	struct sockopt *sopt
3508	);
3509	/**
3510	@brief Access control check for getting socket options
3511	@param cred Subject credential
3512	@param so Object socket
3513	@param socklabel Policy label for so
3514	@param sopt The options to get
3515
3516	Determine whether the subject identified by the credential can
3517	execute the getsockopt system call on the given socket.
3518
3519	@return Return 0 if access if granted, otherwise an appropriate
3520	value for errno should be returned.
3521	*/
3522	typedef int mpo_socket_check_getsockopt_t(
3523	kauth_cred_t cred,
3524	socket_t so,
3525	struct label *socklabel,
3526	struct sockopt *sopt
3527	);
3528	/**
3529	@brief Label a socket
3530	@param oldsock Listening socket
3531	@param oldlabel Policy label associated with oldsock
3532	@param newsock New socket
3533	@param newlabel Policy label associated with newsock
3534
3535	A new socket is created when a connection is accept(2)ed. This
3536	function labels the new socket based on the existing listen(2)ing
3537	socket.
3538	*/
3539	typedef void mpo_socket_label_associate_accept_t(
3540	socket_t oldsock,
3541	struct label *oldlabel,
3542	socket_t newsock,
3543	struct label *newlabel
3544	);
3545	/**
3546	@brief Assign a label to a new socket
3547	@param cred Credential of the owning process
3548	@param so The socket being labeled
3549	@param solabel The label
3550	@warning cred can be NULL
3551
3552	Set the label on a newly created socket from the passed subject
3553	credential. This call is made when a socket is created. The
3554	credentials may be null if the socket is being created by the
3555	kernel.
3556	*/
3557	typedef void mpo_socket_label_associate_t(
3558	kauth_cred_t cred,
3559	socket_t so,
3560	struct label *solabel
3561	);
3562	/**
3563	@brief Copy a socket label
3564	@param src Source label
3565	@param dest Destination label
3566
3567	Copy the socket label information in src into dest.
3568	*/
3569	typedef void mpo_socket_label_copy_t(
3570	struct label *src,
3571	struct label *dest
3572	);
3573	/**
3574	@brief Destroy socket label
3575	@param label The label to be destroyed
3576
3577	Destroy a socket label. Since the object is going out of
3578	scope, policy modules should free any internal storage associated
3579	with the label so that it may be destroyed.
3580	*/
3581	typedef void mpo_socket_label_destroy_t(
3582	struct label *label
3583	);
3584	/**
3585	@brief Externalize a socket label
3586	@param label Label to be externalized
3587	@param element_name Name of the label namespace for which labels should be
3588	externalized
3589	@param sb String buffer to be filled with a text representation of label
3590
3591	Produce an externalized socket label based on the label structure passed.
3592	An externalized label consists of a text representation of the label
3593	contents that can be used with userland applications and read by the
3594	user. If element_name does not match a namespace managed by the policy,
3595	simply return 0. Only return nonzero if an error occurs while externalizing
3596	the label data.
3597
3598	@return In the event of an error, an appropriate value for errno
3599	should be returned, otherwise return 0 upon success.
3600	*/
3601	typedef int mpo_socket_label_externalize_t(
3602	struct label *label,
3603	char *element_name,
3604	struct sbuf *sb
3605	);
3606	/**
3607	@brief Initialize socket label
3608	@param label New label to initialize
3609	@param waitok Malloc flags
3610
3611	Initialize the label of a newly instantiated socket. The waitok
3612	field may be one of M_WAITOK and M_NOWAIT, and should be employed to
3613	avoid performing a sleeping malloc(9) during this initialization
3614	call. It it not always safe to sleep during this entry point.
3615
3616	@warning Since it is possible for the waitok flags to be set to
3617	M_NOWAIT, the malloc operation may fail.
3618
3619	@return In the event of an error, an appropriate value for errno
3620	should be returned, otherwise return 0 upon success.
3621	*/
3622	typedef int mpo_socket_label_init_t(
3623	struct label *label,
3624	int waitok
3625	);
3626	/**
3627	@brief Internalize a socket label
3628	@param label Label to be filled in
3629	@param element_name Name of the label namespace for which the label should
3630	be internalized
3631	@param element_data Text data to be internalized
3632
3633	Produce an internal socket label structure based on externalized label
3634	data in text format.
3635
3636	The policy's internalize entry points will be called only if the
3637	policy has registered interest in the label namespace.
3638
3639	@return In the event of an error, an appropriate value for errno
3640	should be returned, otherwise return 0 upon success.
3641	*/
3642	typedef int mpo_socket_label_internalize_t(
3643	struct label *label,
3644	char *element_name,
3645	char *element_data
3646	);
3647	/**
3648	@brief Relabel socket
3649	@param cred Subject credential
3650	@param so Object; socket
3651	@param so_label Current label of the socket
3652	@param newlabel The label to be assigned to so
3653
3654	The subject identified by the credential has previously requested
3655	and was authorized to relabel the socket; this entry point allows
3656	policies to perform the actual label update operation.
3657
3658	@warning XXX This entry point will likely change in future versions.
3659	*/
3660	typedef void mpo_socket_label_update_t(
3661	kauth_cred_t cred,
3662	socket_t so,
3663	struct label *so_label,
3664	struct label *newlabel
3665	);
3666	/**
3667	@brief Set the peer label on a socket from mbuf
3668	@param m Mbuf chain received on socket so
3669	@param m_label Label for m
3670	@param so Current label for the socket
3671	@param so_label Policy label to be filled out for the socket
3672
3673	Set the peer label of a socket based on the label of the sender of the
3674	mbuf.
3675
3676	This is called for every TCP/IP packet received. The first call for a given
3677	socket operates on a newly initialized label, and subsequent calls operate
3678	on existing label data.
3679
3680	@warning Because this can affect performance significantly, it has
3681	different sematics than other 'set' operations. Typically, 'set' operations
3682	operate on newly initialzed labels and policies do not need to worry about
3683	clobbering existing values. In this case, it is too inefficient to
3684	initialize and destroy a label every time data is received for the socket.
3685	Instead, it is up to the policies to determine how to replace the label data.
3686	Most policies should be able to replace the data inline.
3687	*/
3688	typedef void mpo_socketpeer_label_associate_mbuf_t(
3689	struct mbuf *m,
3690	struct label *m_label,
3691	socket_t so,
3692	struct label *so_label
3693	);
3694	/**
3695	@brief Set the peer label on a socket from socket
3696	@param source Local socket
3697	@param sourcelabel Policy label for source
3698	@param target Peer socket
3699	@param targetlabel Policy label to fill in for target
3700
3701	Set the peer label on a stream UNIX domain socket from the passed
3702	remote socket endpoint. This call will be made when the socket pair
3703	is connected, and will be made for both endpoints.
3704
3705	Note that this call is only made on connection; it is currently not updated
3706	during communication.
3707	*/
3708	typedef void mpo_socketpeer_label_associate_socket_t(
3709	socket_t source,
3710	struct label *sourcelabel,
3711	socket_t target,
3712	struct label *targetlabel
3713	);
3714	/**
3715	@brief Destroy socket peer label
3716	@param label The peer label to be destroyed
3717
3718	Destroy a socket peer label. Since the object is going out of
3719	scope, policy modules should free any internal storage associated
3720	with the label so that it may be destroyed.
3721	*/
3722	typedef void mpo_socketpeer_label_destroy_t(
3723	struct label *label
3724	);
3725	/**
3726	@brief Externalize a socket peer label
3727	@param label Label to be externalized
3728	@param element_name Name of the label namespace for which labels should be
3729	externalized
3730	@param sb String buffer to be filled with a text representation of label
3731
3732	Produce an externalized socket peer label based on the label structure
3733	passed. An externalized label consists of a text representation of the
3734	label contents that can be used with userland applications and read by the
3735	user. If element_name does not match a namespace managed by the policy,
3736	simply return 0. Only return nonzero if an error occurs while externalizing
3737	the label data.
3738
3739	@return In the event of an error, an appropriate value for errno
3740	should be returned, otherwise return 0 upon success.
3741	*/
3742	typedef int mpo_socketpeer_label_externalize_t(
3743	struct label *label,
3744	char *element_name,
3745	struct sbuf *sb
3746	);
3747	/**
3748	@brief Initialize socket peer label
3749	@param label New label to initialize
3750	@param waitok Malloc flags
3751
3752	Initialize the peer label of a newly instantiated socket. The
3753	waitok field may be one of M_WAITOK and M_NOWAIT, and should be
3754	employed to avoid performing a sleeping malloc(9) during this
3755	initialization call. It it not always safe to sleep during this
3756	entry point.
3757
3758	@warning Since it is possible for the waitok flags to be set to
3759	M_NOWAIT, the malloc operation may fail.
3760
3761	@return In the event of an error, an appropriate value for errno
3762	should be returned, otherwise return 0 upon success.
3763	*/
3764	typedef int mpo_socketpeer_label_init_t(
3765	struct label *label,
3766	int waitok
3767	);
3768	/**
3769	@brief Access control check for enabling accounting
3770	@param cred Subject credential
3771	@param vp Accounting file
3772	@param vlabel Label associated with vp
3773
3774	Determine whether the subject should be allowed to enable accounting,
3775	based on its label and the label of the accounting log file. See
3776	acct(5) for more information.
3777
3778	As accounting is disabled by passing NULL to the acct(2) system call,
3779	the policy should be prepared for both 'vp' and 'vlabel' to be NULL.
3780
3781	@return Return 0 if access is granted, otherwise an appropriate value for
3782	errno should be returned.
3783	*/
3784	typedef int mpo_system_check_acct_t(
3785	kauth_cred_t cred,
3786	struct vnode *vp,
3787	struct label *vlabel
3788	);
3789	/**
3790	@brief Access control check for audit
3791	@param cred Subject credential
3792	@param record Audit record
3793	@param length Audit record length
3794
3795	Determine whether the subject identified by the credential can submit
3796	an audit record for inclusion in the audit log via the audit() system call.
3797
3798	@return Return 0 if access is granted, otherwise an appropriate value for
3799	errno should be returned.
3800	*/
3801	typedef int mpo_system_check_audit_t(
3802	kauth_cred_t cred,
3803	void *record,
3804	int length
3805	);
3806	/**
3807	@brief Access control check for controlling audit
3808	@param cred Subject credential
3809	@param vp Audit file
3810	@param vl Label associated with vp
3811
3812	Determine whether the subject should be allowed to enable auditing using
3813	the auditctl() system call, based on its label and the label of the proposed
3814	audit file.
3815
3816	@return Return 0 if access is granted, otherwise an appropriate value for
3817	errno should be returned.
3818	*/
3819	typedef int mpo_system_check_auditctl_t(
3820	kauth_cred_t cred,
3821	struct vnode *vp,
3822	struct label *vl
3823	);
3824	/**
3825	@brief Access control check for manipulating auditing
3826	@param cred Subject credential
3827	@param cmd Audit control command
3828
3829	Determine whether the subject identified by the credential can perform
3830	the audit subsystem control operation cmd via the auditon() system call.
3831
3832	@return Return 0 if access is granted, otherwise an appropriate value for
3833	errno should be returned.
3834	*/
3835	typedef int mpo_system_check_auditon_t(
3836	kauth_cred_t cred,
3837	int cmd
3838	);
3839	/**
3840	@brief Access control check for using CHUD facilities
3841	@param cred Subject credential
3842
3843	Determine whether the subject identified by the credential can perform
3844	performance-related tasks using the CHUD system call. This interface is
3845	deprecated.
3846
3847	@return Return 0 if access is granted, otherwise an appropriate value for
3848	errno should be returned.
3849	*/
3850	typedef int mpo_system_check_chud_t(
3851	kauth_cred_t cred
3852	);
3853	/**
3854	@brief Access control check for obtaining the host control port
3855	@param cred Subject credential
3856
3857	Determine whether the subject identified by the credential can
3858	obtain the host control port.
3859
3860	@return Return 0 if access is granted, or non-zero otherwise.
3861	*/
3862	typedef int mpo_system_check_host_priv_t(
3863	kauth_cred_t cred
3864	);
3865	/**
3866	@brief Access control check for obtaining system information
3867	@param cred Subject credential
3868	@param info_type A description of the information requested
3869
3870	Determine whether the subject identified by the credential should be
3871	allowed to obtain information about the system.
3872
3873	This is a generic hook that can be used in a variety of situations where
3874	information is being returned that might be considered sensitive.
3875	Rather than adding a new MAC hook for every such interface, this hook can
3876	be called with a string identifying the type of information requested.
3877
3878	@return Return 0 if access is granted, otherwise an appropriate value for
3879	errno should be returned.
3880	*/
3881	typedef int mpo_system_check_info_t(
3882	kauth_cred_t cred,
3883	const char *info_type
3884	);
3885	/**
3886	@brief Access control check for calling NFS services
3887	@param cred Subject credential
3888
3889	Determine whether the subject identified by the credential should be
3890	allowed to call nfssrv(2).
3891
3892	@return Return 0 if access is granted, otherwise an appropriate value for
3893	errno should be returned.
3894	*/
3895	typedef int mpo_system_check_nfsd_t(
3896	kauth_cred_t cred
3897	);
3898	/**
3899	@brief Access control check for reboot
3900	@param cred Subject credential
3901	@param howto howto parameter from reboot(2)
3902
3903	Determine whether the subject identified by the credential should be
3904	allowed to reboot the system in the specified manner.
3905
3906	@return Return 0 if access is granted, otherwise an appropriate value for
3907	errno should be returned.
3908	*/
3909	typedef int mpo_system_check_reboot_t(
3910	kauth_cred_t cred,
3911	int howto
3912	);
3913	/**
3914	@brief Access control check for setting system clock
3915	@param cred Subject credential
3916
3917	Determine whether the subject identified by the credential should be
3918	allowed to set the system clock.
3919
3920	@return Return 0 if access is granted, otherwise an appropriate value for
3921	errno should be returned.
3922	*/
3923	typedef int mpo_system_check_settime_t(
3924	kauth_cred_t cred
3925	);
3926	/**
3927	@brief Access control check for removing swap devices
3928	@param cred Subject credential
3929	@param vp Swap device
3930	@param label Label associated with vp
3931
3932	Determine whether the subject identified by the credential should be
3933	allowed to remove vp as a swap device.
3934
3935	@return Return 0 if access is granted, otherwise an appropriate value for
3936	errno should be returned.
3937	*/
3938	typedef int mpo_system_check_swapoff_t(
3939	kauth_cred_t cred,
3940	struct vnode *vp,
3941	struct label *label
3942	);
3943	/**
3944	@brief Access control check for adding swap devices
3945	@param cred Subject credential
3946	@param vp Swap device
3947	@param label Label associated with vp
3948
3949	Determine whether the subject identified by the credential should be
3950	allowed to add vp as a swap device.
3951
3952	@return Return 0 if access is granted, otherwise an appropriate value for
3953	errno should be returned.
3954	*/
3955	typedef int mpo_system_check_swapon_t(
3956	kauth_cred_t cred,
3957	struct vnode *vp,
3958	struct label *label
3959	);
3960	/**
3961	@brief Access control check for sysctl
3962	@param cred Subject credential
3963	@param namestring String representation of sysctl name.
3964	@param name Integer name; see sysctl(3)
3965	@param namelen Length of name array of integers; see sysctl(3)
3966	@param old 0 or address where to store old value; see sysctl(3)
3967	@param oldlen Length of old buffer; see sysctl(3)
3968	@param newvalue 0 or address of new value; see sysctl(3)
3969	@param newlen Length of new buffer; see sysctl(3)
3970
3971	Determine whether the subject identified by the credential should be
3972	allowed to make the specified sysctl(3) transaction.
3973
3974	The sysctl(3) call specifies that if the old value is not desired,
3975	oldp and oldlenp should be set to NULL. Likewise, if a new value is
3976	not to be set, newp should be set to NULL and newlen set to 0.
3977
3978	@return Return 0 if access is granted, otherwise an appropriate value for
3979	errno should be returned.
3980	*/
3981	typedef int mpo_system_check_sysctlbyname_t(
3982	kauth_cred_t cred,
3983	const char *namestring,
3984	int *name,
3985	u_int namelen,
3986	user_addr_t old, / NULLOK /
3987	size_t oldlen,
3988	user_addr_t newvalue, / NULLOK /
3989	size_t newlen
3990	);
3991	/**
3992	@brief Access control check for kas_info
3993	@param cred Subject credential
3994	@param selector Category of information to return. See kas_info.h
3995
3996	Determine whether the subject identified by the credential can perform
3997	introspection of the kernel address space layout for
3998	debugging/performance analysis.
3999
4000	@return Return 0 if access is granted, otherwise an appropriate value for
4001	errno should be returned.
4002	*/
4003	typedef int mpo_system_check_kas_info_t(
4004	kauth_cred_t cred,
4005	int selector
4006	);
4007	/**
4008	@brief Create a System V message label
4009	@param cred Subject credential
4010	@param msqptr The message queue the message will be placed in
4011	@param msqlabel The label of the message queue
4012	@param msgptr The message
4013	@param msglabel The label of the message
4014
4015	Label the message as its placed in the message queue.
4016	*/
4017	typedef void mpo_sysvmsg_label_associate_t(
4018	kauth_cred_t cred,
4019	struct msqid_kernel *msqptr,
4020	struct label *msqlabel,
4021	struct msg *msgptr,
4022	struct label *msglabel
4023	);
4024	/**
4025	@brief Destroy System V message label
4026	@param label The label to be destroyed
4027
4028	Destroy a System V message label. Since the object is
4029	going out of scope, policy modules should free any internal storage
4030	associated with the label so that it may be destroyed.
4031	*/
4032	typedef void mpo_sysvmsg_label_destroy_t(
4033	struct label *label
4034	);
4035	/**
4036	@brief Initialize System V message label
4037	@param label New label to initialize
4038
4039	Initialize the label for a newly instantiated System V message.
4040	*/
4041	typedef void mpo_sysvmsg_label_init_t(
4042	struct label *label
4043	);
4044	/**
4045	@brief Clean up a System V message label
4046	@param label The label to be destroyed
4047
4048	Clean up a System V message label. Darwin pre-allocates
4049	messages at system boot time and re-uses them rather than
4050	allocating new ones. Before messages are returned to the "free
4051	pool", policies can cleanup or overwrite any information present in
4052	the label.
4053	*/
4054	typedef void mpo_sysvmsg_label_recycle_t(
4055	struct label *label
4056	);
4057	/**
4058	@brief Access control check for System V message enqueuing
4059	@param cred Subject credential
4060	@param msgptr The message
4061	@param msglabel The message's label
4062	@param msqptr The message queue
4063	@param msqlabel The message queue's label
4064
4065	Determine whether the subject identified by the credential can add the
4066	given message to the given message queue.
4067
4068	@return Return 0 if access is granted, otherwise an appropriate value for
4069	errno should be returned.
4070	*/
4071	typedef int mpo_sysvmsq_check_enqueue_t(
4072	kauth_cred_t cred,
4073	struct msg *msgptr,
4074	struct label *msglabel,
4075	struct msqid_kernel *msqptr,
4076	struct label *msqlabel
4077	);
4078	/**
4079	@brief Access control check for System V message reception
4080	@param cred The credential of the intended recipient
4081	@param msgptr The message
4082	@param msglabel The message's label
4083
4084	Determine whether the subject identified by the credential can receive
4085	the given message.
4086
4087	@return Return 0 if access is granted, otherwise an appropriate value for
4088	errno should be returned.
4089	*/
4090	typedef int mpo_sysvmsq_check_msgrcv_t(
4091	kauth_cred_t cred,
4092	struct msg *msgptr,
4093	struct label *msglabel
4094	);
4095	/**
4096	@brief Access control check for System V message queue removal
4097	@param cred The credential of the caller
4098	@param msgptr The message
4099	@param msglabel The message's label
4100
4101	System V message queues are removed using the msgctl() system call.
4102	The system will iterate over each messsage in the queue, calling this
4103	function for each, to determine whether the caller has the appropriate
4104	credentials.
4105
4106	@return Return 0 if access is granted, otherwise an appropriate value for
4107	errno should be returned.
4108	*/
4109	typedef int mpo_sysvmsq_check_msgrmid_t(
4110	kauth_cred_t cred,
4111	struct msg *msgptr,
4112	struct label *msglabel
4113	);
4114	/**
4115	@brief Access control check for msgctl()
4116	@param cred The credential of the caller
4117	@param msqptr The message queue
4118	@param msqlabel The message queue's label
4119
4120	This access check is performed to validate calls to msgctl().
4121
4122	@return Return 0 if access is granted, otherwise an appropriate value for
4123	errno should be returned.
4124	*/
4125	typedef int mpo_sysvmsq_check_msqctl_t(
4126	kauth_cred_t cred,
4127	struct msqid_kernel *msqptr,
4128	struct label *msqlabel,
4129	int cmd
4130	);
4131	/**
4132	@brief Access control check to get a System V message queue
4133	@param cred The credential of the caller
4134	@param msqptr The message queue requested
4135	@param msqlabel The message queue's label
4136
4137	On a call to msgget(), if the queue requested already exists,
4138	and it is a public queue, this check will be performed before the
4139	queue's ID is returned to the user.
4140
4141	@return Return 0 if access is granted, otherwise an appropriate value for
4142	errno should be returned.
4143	*/
4144	typedef int mpo_sysvmsq_check_msqget_t(
4145	kauth_cred_t cred,
4146	struct msqid_kernel *msqptr,
4147	struct label *msqlabel
4148	);
4149	/**
4150	@brief Access control check to receive a System V message from the given queue
4151	@param cred The credential of the caller
4152	@param msqptr The message queue to receive from
4153	@param msqlabel The message queue's label
4154
4155	On a call to msgrcv(), this check is performed to determine whether the
4156	caller has receive rights on the given queue.
4157
4158	@return Return 0 if access is granted, otherwise an appropriate value for
4159	errno should be returned.
4160	*/
4161	typedef int mpo_sysvmsq_check_msqrcv_t(
4162	kauth_cred_t cred,
4163	struct msqid_kernel *msqptr,
4164	struct label *msqlabel
4165	);
4166	/**
4167	@brief Access control check to send a System V message to the given queue
4168	@param cred The credential of the caller
4169	@param msqptr The message queue to send to
4170	@param msqlabel The message queue's label
4171
4172	On a call to msgsnd(), this check is performed to determine whether the
4173	caller has send rights on the given queue.
4174
4175	@return Return 0 if access is granted, otherwise an appropriate value for
4176	errno should be returned.
4177	*/
4178	typedef int mpo_sysvmsq_check_msqsnd_t(
4179	kauth_cred_t cred,
4180	struct msqid_kernel *msqptr,
4181	struct label *msqlabel
4182	);
4183	/**
4184	@brief Create a System V message queue label
4185	@param cred Subject credential
4186	@param msqptr The message queue
4187	@param msqlabel The label of the message queue
4188
4189	*/
4190	typedef void mpo_sysvmsq_label_associate_t(
4191	kauth_cred_t cred,
4192	struct msqid_kernel *msqptr,
4193	struct label *msqlabel
4194	);
4195	/**
4196	@brief Destroy System V message queue label
4197	@param label The label to be destroyed
4198
4199	Destroy a System V message queue label. Since the object is
4200	going out of scope, policy modules should free any internal storage
4201	associated with the label so that it may be destroyed.
4202	*/
4203	typedef void mpo_sysvmsq_label_destroy_t(
4204	struct label *label
4205	);
4206	/**
4207	@brief Initialize System V message queue label
4208	@param label New label to initialize
4209
4210	Initialize the label for a newly instantiated System V message queue.
4211	*/
4212	typedef void mpo_sysvmsq_label_init_t(
4213	struct label *label
4214	);
4215	/**
4216	@brief Clean up a System V message queue label
4217	@param label The label to be destroyed
4218
4219	Clean up a System V message queue label. Darwin pre-allocates
4220	message queues at system boot time and re-uses them rather than
4221	allocating new ones. Before message queues are returned to the "free
4222	pool", policies can cleanup or overwrite any information present in
4223	the label.
4224	*/
4225	typedef void mpo_sysvmsq_label_recycle_t(
4226	struct label *label
4227	);
4228	/**
4229	@brief Access control check for System V semaphore control operation
4230	@param cred Subject credential
4231	@param semakptr Pointer to semaphore identifier
4232	@param semaklabel Label associated with semaphore
4233	@param cmd Control operation to be performed; see semctl(2)
4234
4235	Determine whether the subject identified by the credential can perform
4236	the operation indicated by cmd on the System V semaphore semakptr.
4237
4238	@return Return 0 if access is granted, otherwise an appropriate value for
4239	errno should be returned.
4240	*/
4241	typedef int mpo_sysvsem_check_semctl_t(
4242	kauth_cred_t cred,
4243	struct semid_kernel *semakptr,
4244	struct label *semaklabel,
4245	int cmd
4246	);
4247	/**
4248	@brief Access control check for obtaining a System V semaphore
4249	@param cred Subject credential
4250	@param semakptr Pointer to semaphore identifier
4251	@param semaklabel Label to associate with the semaphore
4252
4253	Determine whether the subject identified by the credential can
4254	obtain a System V semaphore.
4255
4256	@return Return 0 if access is granted, otherwise an appropriate value for
4257	errno should be returned.
4258	*/
4259	typedef int mpo_sysvsem_check_semget_t(
4260	kauth_cred_t cred,
4261	struct semid_kernel *semakptr,
4262	struct label *semaklabel
4263	);
4264	/**
4265	@brief Access control check for System V semaphore operations
4266	@param cred Subject credential
4267	@param semakptr Pointer to semaphore identifier
4268	@param semaklabel Label associated with the semaphore
4269	@param accesstype Flags to indicate access (read and/or write)
4270
4271	Determine whether the subject identified by the credential can
4272	perform the operations on the System V semaphore indicated by
4273	semakptr. The accesstype flags hold the maximum set of permissions
4274	from the sem_op array passed to the semop system call. It may
4275	contain SEM_R for read-only operations or SEM_A for read/write
4276	operations.
4277
4278	@return Return 0 if access is granted, otherwise an appropriate value for
4279	errno should be returned.
4280	*/
4281	typedef int mpo_sysvsem_check_semop_t(
4282	kauth_cred_t cred,
4283	struct semid_kernel *semakptr,
4284	struct label *semaklabel,
4285	size_t accesstype
4286	);
4287	/**
4288	@brief Create a System V semaphore label
4289	@param cred Subject credential
4290	@param semakptr The semaphore being created
4291	@param semalabel Label to associate with the new semaphore
4292
4293	Label a new System V semaphore. The label was previously
4294	initialized and associated with the semaphore. At this time, an
4295	appropriate initial label value should be assigned to the object and
4296	stored in semalabel.
4297	*/
4298	typedef void mpo_sysvsem_label_associate_t(
4299	kauth_cred_t cred,
4300	struct semid_kernel *semakptr,
4301	struct label *semalabel
4302	);
4303	/**
4304	@brief Destroy System V semaphore label
4305	@param label The label to be destroyed
4306
4307	Destroy a System V semaphore label. Since the object is
4308	going out of scope, policy modules should free any internal storage
4309	associated with the label so that it may be destroyed.
4310	*/
4311	typedef void mpo_sysvsem_label_destroy_t(
4312	struct label *label
4313	);
4314	/**
4315	@brief Initialize System V semaphore label
4316	@param label New label to initialize
4317
4318	Initialize the label for a newly instantiated System V semaphore. Sleeping
4319	is permitted.
4320	*/
4321	typedef void mpo_sysvsem_label_init_t(
4322	struct label *label
4323	);
4324	/**
4325	@brief Clean up a System V semaphore label
4326	@param label The label to be cleaned
4327
4328	Clean up a System V semaphore label. Darwin pre-allocates
4329	semaphores at system boot time and re-uses them rather than
4330	allocating new ones. Before semaphores are returned to the "free
4331	pool", policies can cleanup or overwrite any information present in
4332	the label.
4333	*/
4334	typedef void mpo_sysvsem_label_recycle_t(
4335	struct label *label
4336	);
4337	/**
4338	@brief Access control check for mapping System V shared memory
4339	@param cred Subject credential
4340	@param shmsegptr Pointer to shared memory segment identifier
4341	@param shmseglabel Label associated with the shared memory segment
4342	@param shmflg shmat flags; see shmat(2)
4343
4344	Determine whether the subject identified by the credential can map
4345	the System V shared memory segment associated with shmsegptr.
4346
4347	@return Return 0 if access is granted, otherwise an appropriate value for
4348	errno should be returned.
4349	*/
4350	typedef int mpo_sysvshm_check_shmat_t(
4351	kauth_cred_t cred,
4352	struct shmid_kernel *shmsegptr,
4353	struct label *shmseglabel,
4354	int shmflg
4355	);
4356	/**
4357	@brief Access control check for System V shared memory control operation
4358	@param cred Subject credential
4359	@param shmsegptr Pointer to shared memory segment identifier
4360	@param shmseglabel Label associated with the shared memory segment
4361	@param cmd Control operation to be performed; see shmctl(2)
4362
4363	Determine whether the subject identified by the credential can perform
4364	the operation indicated by cmd on the System V shared memory segment
4365	shmsegptr.
4366
4367	@return Return 0 if access is granted, otherwise an appropriate value for
4368	errno should be returned.
4369	*/
4370	typedef int mpo_sysvshm_check_shmctl_t(
4371	kauth_cred_t cred,
4372	struct shmid_kernel *shmsegptr,
4373	struct label *shmseglabel,
4374	int cmd
4375	);
4376	/**
4377	@brief Access control check for unmapping System V shared memory
4378	@param cred Subject credential
4379	@param shmsegptr Pointer to shared memory segment identifier
4380	@param shmseglabel Label associated with the shared memory segment
4381
4382	Determine whether the subject identified by the credential can unmap
4383	the System V shared memory segment associated with shmsegptr.
4384
4385	@return Return 0 if access is granted, otherwise an appropriate value for
4386	errno should be returned.
4387	*/
4388	typedef int mpo_sysvshm_check_shmdt_t(
4389	kauth_cred_t cred,
4390	struct shmid_kernel *shmsegptr,
4391	struct label *shmseglabel
4392	);
4393	/**
4394	@brief Access control check obtaining System V shared memory identifier
4395	@param cred Subject credential
4396	@param shmsegptr Pointer to shared memory segment identifier
4397	@param shmseglabel Label associated with the shared memory segment
4398	@param shmflg shmget flags; see shmget(2)
4399
4400	Determine whether the subject identified by the credential can get
4401	the System V shared memory segment address.
4402
4403	@return Return 0 if access is granted, otherwise an appropriate value for
4404	errno should be returned.
4405	*/
4406	typedef int mpo_sysvshm_check_shmget_t(
4407	kauth_cred_t cred,
4408	struct shmid_kernel *shmsegptr,
4409	struct label *shmseglabel,
4410	int shmflg
4411	);
4412	/**
4413	@brief Create a System V shared memory region label
4414	@param cred Subject credential
4415	@param shmsegptr The shared memory region being created
4416	@param shmlabel Label to associate with the new shared memory region
4417
4418	Label a new System V shared memory region. The label was previously
4419	initialized and associated with the shared memory region. At this
4420	time, an appropriate initial label value should be assigned to the
4421	object and stored in shmlabel.
4422	*/
4423	typedef void mpo_sysvshm_label_associate_t(
4424	kauth_cred_t cred,
4425	struct shmid_kernel *shmsegptr,
4426	struct label *shmlabel
4427	);
4428	/**
4429	@brief Destroy System V shared memory label
4430	@param label The label to be destroyed
4431
4432	Destroy a System V shared memory region label. Since the
4433	object is going out of scope, policy modules should free any
4434	internal storage associated with the label so that it may be
4435	destroyed.
4436	*/
4437	typedef void mpo_sysvshm_label_destroy_t(
4438	struct label *label
4439	);
4440	/**
4441	@brief Initialize System V Shared Memory region label
4442	@param label New label to initialize
4443
4444	Initialize the label for a newly instantiated System V Shared Memory
4445	region. Sleeping is permitted.
4446	*/
4447	typedef void mpo_sysvshm_label_init_t(
4448	struct label *label
4449	);
4450	/**
4451	@brief Clean up a System V Share Memory Region label
4452	@param shmlabel The label to be cleaned
4453
4454	Clean up a System V Shared Memory Region label. Darwin
4455	pre-allocates these objects at system boot time and re-uses them
4456	rather than allocating new ones. Before the memory regions are
4457	returned to the "free pool", policies can cleanup or overwrite any
4458	information present in the label.
4459	*/
4460	typedef void mpo_sysvshm_label_recycle_t(
4461	struct label *shmlabel
4462	);
4463	/**
4464	@brief Access control check for getting a process's task name
4465	@param cred Subject credential
4466	@param p Object process
4467
4468	Determine whether the subject identified by the credential can get
4469	the passed process's task name port.
4470	This call is used by the task_name_for_pid(2) API.
4471
4472	@return Return 0 if access is granted, otherwise an appropriate value for
4473	errno should be returned. Suggested failure: EACCES for label mismatch,
4474	EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4475	*/
4476	typedef int mpo_proc_check_get_task_name_t(
4477	kauth_cred_t cred,
4478	struct proc *p
4479	);
4480	/**
4481	@brief Access control check for getting a process's task port
4482	@param cred Subject credential
4483	@param p Object process
4484
4485	Determine whether the subject identified by the credential can get
4486	the passed process's task control port.
4487	This call is used by the task_for_pid(2) API.
4488
4489	@return Return 0 if access is granted, otherwise an appropriate value for
4490	errno should be returned. Suggested failure: EACCES for label mismatch,
4491	EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4492	*/
4493	typedef int mpo_proc_check_get_task_t(
4494	kauth_cred_t cred,
4495	struct proc *p
4496	);
4497
4498	/**
4499	@brief Access control check for exposing a process's task port
4500	@param cred Subject credential
4501	@param p Object process
4502
4503	Determine whether the subject identified by the credential can expose
4504	the passed process's task control port.
4505	This call is used by the accessor APIs like processor_set_tasks() and
4506	processor_set_threads().
4507
4508	@return Return 0 if access is granted, otherwise an appropriate value for
4509	errno should be returned. Suggested failure: EACCES for label mismatch,
4510	EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4511	*/
4512	typedef int mpo_proc_check_expose_task_t(
4513	kauth_cred_t cred,
4514	struct proc *p
4515	);
4516
4517	/**
4518	@brief Check whether task's IPC may inherit across process exec
4519	@param p current process instance
4520	@param cur_vp vnode pointer to current instance
4521	@param cur_offset offset of binary of currently executing image
4522	@param img_vp vnode pointer to to be exec'ed image
4523	@param img_offset offset into file which is selected for execution
4524	@param scriptvp vnode pointer of script file if any.
4525	@return Return 0 if access is granted.
4526	EPERM if parent does not have any entitlements.
4527	EACCESS if mismatch in entitlements
4528	*/
4529	typedef int mpo_proc_check_inherit_ipc_ports_t(
4530	struct proc *p,
4531	struct vnode *cur_vp,
4532	off_t cur_offset,
4533	struct vnode *img_vp,
4534	off_t img_offset,
4535	struct vnode *scriptvp
4536	);
4537
4538	/**
4539	@brief Privilege check for a process to run invalid
4540	@param p Object process
4541
4542	Determine whether the process may execute even though the system determined
4543	that it is untrusted (eg unidentified / modified code).
4544
4545	@return Return 0 if access is granted, otherwise an appropriate value for
4546	errno should be returned.
4547	*/
4548	typedef int mpo_proc_check_run_cs_invalid_t(
4549	struct proc *p
4550	);
4551
4552	/**
4553	@brief Notification a process is finished with exec and will jump to userspace
4554	@param p Object process
4555
4556	Notifies all MAC policies that a process has completed an exec and is about to
4557	jump to userspace to continue execution. This may result in process termination
4558	via signals. Hook is designed to hold no/minimal locks so it can be used for any
4559	necessary upcalls.
4560	*/
4561	typedef void mpo_proc_notify_exec_complete_t(
4562	struct proc *p
4563	);
4564
4565	/**
4566	@brief Perform MAC-related events when a thread returns to user space
4567	@param thread Mach (not BSD) thread that is returning
4568
4569	This entry point permits policy modules to perform MAC-related
4570	events when a thread returns to user space, via a system call
4571	return or trap return.
4572	*/
4573	typedef void mpo_thread_userret_t(
4574	struct thread *thread
4575	);
4576
4577	/**
4578	@brief Check vnode access
4579	@param cred Subject credential
4580	@param vp Object vnode
4581	@param label Label for vp
4582	@param acc_mode access(2) flags
4583
4584	Determine how invocations of access(2) and related calls by the
4585	subject identified by the credential should return when performed
4586	on the passed vnode using the passed access flags. This should
4587	generally be implemented using the same semantics used in
4588	mpo_vnode_check_open.
4589
4590	@return Return 0 if access is granted, otherwise an appropriate value for
4591	errno should be returned. Suggested failure: EACCES for label mismatch or
4592	EPERM for lack of privilege.
4593	*/
4594	typedef int mpo_vnode_check_access_t(
4595	kauth_cred_t cred,
4596	struct vnode *vp,
4597	struct label *label,
4598	int acc_mode
4599	);
4600	/**
4601	@brief Access control check for changing working directory
4602	@param cred Subject credential
4603	@param dvp Object; vnode to chdir(2) into
4604	@param dlabel Policy label for dvp
4605
4606	Determine whether the subject identified by the credential can change
4607	the process working directory to the passed vnode.
4608
4609	@return Return 0 if access is granted, otherwise an appropriate value for
4610	errno should be returned. Suggested failure: EACCES for label mismatch or
4611	EPERM for lack of privilege.
4612	*/
4613	typedef int mpo_vnode_check_chdir_t(
4614	kauth_cred_t cred,
4615	struct vnode *dvp,
4616	struct label *dlabel
4617	);
4618	/**
4619	@brief Access control check for changing root directory
4620	@param cred Subject credential
4621	@param dvp Directory vnode
4622	@param dlabel Policy label associated with dvp
4623	@param cnp Component name for dvp
4624
4625	Determine whether the subject identified by the credential should be
4626	allowed to chroot(2) into the specified directory (dvp).
4627
4628	@return In the event of an error, an appropriate value for errno
4629	should be returned, otherwise return 0 upon success.
4630	*/
4631	typedef int mpo_vnode_check_chroot_t(
4632	kauth_cred_t cred,
4633	struct vnode *dvp,
4634	struct label *dlabel,
4635	struct componentname *cnp
4636	);
4637	/**
4638	@brief Access control check for creating clone
4639	@param cred Subject credential
4640	@param dvp Vnode of directory to create the clone in
4641	@param dlabel Policy label associated with dvp
4642	@param vp Vnode of the file to clone from
4643	@param label Policy label associated with vp
4644	@param cnp Component name for the clone being created
4645
4646	Determine whether the subject identified by the credential should be
4647	allowed to create a clone of the vnode vp with the name specified by cnp.
4648
4649	@return Return 0 if access is granted, otherwise an appropriate value for
4650	errno should be returned.
4651	*/
4652	typedef int mpo_vnode_check_clone_t(
4653	kauth_cred_t cred,
4654	struct vnode *dvp,
4655	struct label *dlabel,
4656	struct vnode *vp,
4657	struct label *label,
4658	struct componentname *cnp
4659	);
4660	/**
4661	@brief Access control check for creating vnode
4662	@param cred Subject credential
4663	@param dvp Directory vnode
4664	@param dlabel Policy label for dvp
4665	@param cnp Component name for dvp
4666	@param vap vnode attributes for vap
4667
4668	Determine whether the subject identified by the credential can create
4669	a vnode with the passed parent directory, passed name information,
4670	and passed attribute information. This call may be made in a number of
4671	situations, including as a result of calls to open(2) with O_CREAT,
4672	mknod(2), mkfifo(2), and others.
4673
4674	@return Return 0 if access is granted, otherwise an appropriate value for
4675	errno should be returned. Suggested failure: EACCES for label mismatch or
4676	EPERM for lack of privilege.
4677	*/
4678	typedef int mpo_vnode_check_create_t(
4679	kauth_cred_t cred,
4680	struct vnode *dvp,
4681	struct label *dlabel,
4682	struct componentname *cnp,
4683	struct vnode_attr *vap
4684	);
4685	/**
4686	@brief Access control check for deleting extended attribute
4687	@param cred Subject credential
4688	@param vp Object vnode
4689	@param vlabel Label associated with vp
4690	@param name Extended attribute name
4691
4692	Determine whether the subject identified by the credential can delete
4693	the extended attribute from the passed vnode.
4694
4695	@return Return 0 if access is granted, otherwise an appropriate value for
4696	errno should be returned. Suggested failure: EACCES for label mismatch or
4697	EPERM for lack of privilege.
4698	*/
4699	typedef int mpo_vnode_check_deleteextattr_t(
4700	kauth_cred_t cred,
4701	struct vnode *vp,
4702	struct label *vlabel,
4703	const char *name
4704	);
4705	/**
4706	@brief Access control check for exchanging file data
4707	@param cred Subject credential
4708	@param v1 vnode 1 to swap
4709	@param vl1 Policy label for v1
4710	@param v2 vnode 2 to swap
4711	@param vl2 Policy label for v2
4712
4713	Determine whether the subject identified by the credential can swap the data
4714	in the two supplied vnodes.
4715
4716	@return Return 0 if access is granted, otherwise an appropriate value for
4717	errno should be returned. Suggested failure: EACCES for label mismatch or
4718	EPERM for lack of privilege.
4719	*/
4720	typedef int mpo_vnode_check_exchangedata_t(
4721	kauth_cred_t cred,
4722	struct vnode *v1,
4723	struct label *vl1,
4724	struct vnode *v2,
4725	struct label *vl2
4726	);
4727	/**
4728	@brief Access control check for executing the vnode
4729	@param cred Subject credential
4730	@param vp Object vnode to execute
4731	@param scriptvp Script being executed by interpreter, if any.
4732	@param vnodelabel Label corresponding to vp
4733	@param scriptlabel Script vnode label
4734	@param execlabel Userspace provided execution label
4735	@param cnp Component name for file being executed
4736	@param macpolicyattr MAC policy-specific spawn attribute data.
4737	@param macpolicyattrlen Length of policy-specific spawn attribute data.
4738
4739	Determine whether the subject identified by the credential can execute
4740	the passed vnode. Determination of execute privilege is made separately
4741	from decisions about any process label transitioning event.
4742
4743	The final label, execlabel, corresponds to a label supplied by a
4744	user space application through the use of the mac_execve system call.
4745	This label will be NULL if the user application uses the the vendor
4746	execve(2) call instead of the MAC Framework mac_execve() call.
4747
4748	@return Return 0 if access is granted, otherwise an appropriate value for
4749	errno should be returned. Suggested failure: EACCES for label mismatch or
4750	EPERM for lack of privilege.
4751	*/
4752	typedef int mpo_vnode_check_exec_t(
4753	kauth_cred_t cred,
4754	struct vnode *vp,
4755	struct vnode *scriptvp,
4756	struct label *vnodelabel,
4757	struct label *scriptlabel,
4758	struct label execlabel, /* NULLOK /
4759	struct componentname *cnp,
4760	u_int *csflags,
4761	void *macpolicyattr,
4762	size_t macpolicyattrlen
4763	);
4764	/**
4765	@brief Access control check for fsgetpath
4766	@param cred Subject credential
4767	@param vp Vnode for which a path will be returned
4768	@param label Label associated with the vnode
4769
4770	Determine whether the subject identified by the credential can get the path
4771	of the given vnode with fsgetpath.
4772
4773	@return Return 0 if access is granted, otherwise an appropriate value for
4774	errno should be returned.
4775	*/
4776	typedef int mpo_vnode_check_fsgetpath_t(
4777	kauth_cred_t cred,
4778	struct vnode *vp,
4779	struct label *label
4780	);
4781	/**
4782	@brief Access control check for retrieving file attributes
4783	@param active_cred Subject credential
4784	@param file_cred Credential associated with the struct fileproc
4785	@param vp Object vnode
4786	@param vlabel Policy label for vp
4787	@param va Vnode attributes to retrieve
4788
4789	Determine whether the subject identified by the credential can
4790	get information about the passed vnode. The active_cred hold
4791	the credentials of the subject performing the operation, and
4792	file_cred holds the credentials of the subject that originally
4793	opened the file. This check happens during stat(), lstat(),
4794	fstat(), and getattrlist() syscalls. See <sys/vnode.h> for
4795	definitions of the attributes.
4796
4797	@return Return 0 if access is granted, otherwise an appropriate value for
4798	errno should be returned.
4799
4800	@note Policies may change the contents of va to alter the list of
4801	file attributes returned.
4802	*/
4803	typedef int mpo_vnode_check_getattr_t(
4804	kauth_cred_t active_cred,
4805	kauth_cred_t file_cred, / NULLOK /
4806	struct vnode *vp,
4807	struct label *vlabel,
4808	struct vnode_attr *va
4809	);
4810	/**
4811	@brief Access control check for retrieving file attributes
4812	@param cred Subject credential
4813	@param vp Object vnode
4814	@param vlabel Policy label for vp
4815	@param alist List of attributes to retrieve
4816
4817	Determine whether the subject identified by the credential can read
4818	various attributes of the specified vnode, or the filesystem or volume on
4819	which that vnode resides. See <sys/attr.h> for definitions of the
4820	attributes.
4821
4822	@return Return 0 if access is granted, otherwise an appropriate value for
4823	errno should be returned. Suggested failure: EACCES for label mismatch or
4824	EPERM for lack of privilege. Access control covers all attributes requested
4825	with this call; the security policy is not permitted to change the set of
4826	attributes requested.
4827	*/
4828	typedef int mpo_vnode_check_getattrlist_t(
4829	kauth_cred_t cred,
4830	struct vnode *vp,
4831	struct label *vlabel,
4832	struct attrlist *alist
4833	);
4834	/**
4835	@brief Access control check for retrieving an extended attribute
4836	@param cred Subject credential
4837	@param vp Object vnode
4838	@param label Policy label for vp
4839	@param name Extended attribute name
4840	@param uio I/O structure pointer
4841
4842	Determine whether the subject identified by the credential can retrieve
4843	the extended attribute from the passed vnode. The uio parameter
4844	will be NULL when the getxattr(2) call has been made with a NULL data
4845	value; this is done to request the size of the data only.
4846
4847	@return Return 0 if access is granted, otherwise an appropriate value for
4848	errno should be returned. Suggested failure: EACCES for label mismatch or
4849	EPERM for lack of privilege.
4850	*/
4851	typedef int mpo_vnode_check_getextattr_t(
4852	kauth_cred_t cred,
4853	struct vnode *vp,
4854	struct label label, /* NULLOK /
4855	const char *name,
4856	struct uio uio /* NULLOK /
4857	);
4858	/**
4859	@brief Access control check for ioctl
4860	@param cred Subject credential
4861	@param vp Object vnode
4862	@param label Policy label for vp
4863	@param cmd Device-dependent request code; see ioctl(2)
4864
4865	Determine whether the subject identified by the credential can perform
4866	the ioctl operation indicated by com.
4867
4868	@warning Since ioctl data is opaque from the standpoint of the MAC
4869	framework, and since ioctls can affect many aspects of system
4870	operation, policies must exercise extreme care when implementing
4871	access control checks.
4872
4873	@return Return 0 if access is granted, otherwise an appropriate value for
4874	errno should be returned.
4875	*/
4876	typedef int mpo_vnode_check_ioctl_t(
4877	kauth_cred_t cred,
4878	struct vnode *vp,
4879	struct label *label,
4880	unsigned int cmd
4881	);
4882	/**
4883	@brief Access control check for vnode kqfilter
4884	@param active_cred Subject credential
4885	@param kn Object knote
4886	@param vp Object vnode
4887	@param label Policy label for vp
4888
4889	Determine whether the subject identified by the credential can
4890	receive the knote on the passed vnode.
4891
4892	@return Return 0 if access if granted, otherwise an appropriate
4893	value for errno should be returned.
4894	*/
4895	typedef int mpo_vnode_check_kqfilter_t(
4896	kauth_cred_t active_cred,
4897	kauth_cred_t file_cred, / NULLOK /
4898	struct knote *kn,
4899	struct vnode *vp,
4900	struct label *label
4901	);
4902	/**
4903	@brief Access control check for relabel
4904	@param cred Subject credential
4905	@param vp Object vnode
4906	@param vnodelabel Existing policy label for vp
4907	@param newlabel Policy label update to later be applied to vp
4908	@see mpo_relable_vnode_t
4909
4910	Determine whether the subject identified by the credential can relabel
4911	the passed vnode to the passed label update. If all policies permit
4912	the label change, the actual relabel entry point (mpo_vnode_label_update)
4913	will follow.
4914
4915	@return Return 0 if access is granted, otherwise an appropriate value for
4916	errno should be returned.
4917	*/
4918	typedef int mpo_vnode_check_label_update_t(
4919	struct ucred *cred,
4920	struct vnode *vp,
4921	struct label *vnodelabel,
4922	struct label *newlabel
4923	);
4924	/**
4925	@brief Access control check for creating link
4926	@param cred Subject credential
4927	@param dvp Directory vnode
4928	@param dlabel Policy label associated with dvp
4929	@param vp Link destination vnode
4930	@param label Policy label associated with vp
4931	@param cnp Component name for the link being created
4932
4933	Determine whether the subject identified by the credential should be
4934	allowed to create a link to the vnode vp with the name specified by cnp.
4935
4936	@return Return 0 if access is granted, otherwise an appropriate value for
4937	errno should be returned.
4938	*/
4939	typedef int mpo_vnode_check_link_t(
4940	kauth_cred_t cred,
4941	struct vnode *dvp,
4942	struct label *dlabel,
4943	struct vnode *vp,
4944	struct label *label,
4945	struct componentname *cnp
4946	);
4947	/**
4948	@brief Access control check for listing extended attributes
4949	@param cred Subject credential
4950	@param vp Object vnode
4951	@param vlabel Policy label associated with vp
4952
4953	Determine whether the subject identified by the credential can retrieve
4954	a list of named extended attributes from a vnode.
4955
4956	@return Return 0 if access is granted, otherwise an appropriate value for
4957	errno should be returned.
4958	*/
4959	typedef int mpo_vnode_check_listextattr_t(
4960	kauth_cred_t cred,
4961	struct vnode *vp,
4962	struct label *vlabel
4963	);
4964	/**
4965	@brief Access control check for lookup
4966	@param cred Subject credential
4967	@param dvp Directory vnode
4968	@param dlabel Policy label for dvp
4969	@param path Path being looked up
4970	@param pathlen Length of path in bytes
4971
4972	Determine whether the subject identified by the credential can perform
4973	a lookup of the passed path relative to the passed directory vnode.
4974
4975	@return Return 0 if access is granted, otherwise an appropriate value for
4976	errno should be returned. Suggested failure: EACCES for label mismatch or
4977	EPERM for lack of privilege.
4978
4979	@note The path may contain untrusted input. If approved, lookup proceeds
4980	on the path; if a component is found to be a symlink then this hook is
4981	called again with the updated path.
4982	*/
4983	typedef int mpo_vnode_check_lookup_preflight_t(
4984	kauth_cred_t cred,
4985	struct vnode *dvp,
4986	struct label *dlabel,
4987	const char *path,
4988	size_t pathlen
4989	);
4990	/**
4991	@brief Access control check for lookup
4992	@param cred Subject credential
4993	@param dvp Object vnode
4994	@param dlabel Policy label for dvp
4995	@param cnp Component name being looked up
4996
4997	Determine whether the subject identified by the credential can perform
4998	a lookup in the passed directory vnode for the passed name (cnp).
4999
5000	@return Return 0 if access is granted, otherwise an appropriate value for
5001	errno should be returned. Suggested failure: EACCES for label mismatch or
5002	EPERM for lack of privilege.
5003	*/
5004	typedef int mpo_vnode_check_lookup_t(
5005	kauth_cred_t cred,
5006	struct vnode *dvp,
5007	struct label *dlabel,
5008	struct componentname *cnp
5009	);
5010	/**
5011	@brief Access control check for open
5012	@param cred Subject credential
5013	@param vp Object vnode
5014	@param label Policy label associated with vp
5015	@param acc_mode open(2) access mode
5016
5017	Determine whether the subject identified by the credential can perform
5018	an open operation on the passed vnode with the passed access mode.
5019
5020	@return Return 0 if access is granted, otherwise an appropriate value for
5021	errno should be returned. Suggested failure: EACCES for label mismatch or
5022	EPERM for lack of privilege.
5023	*/
5024	typedef int mpo_vnode_check_open_t(
5025	kauth_cred_t cred,
5026	struct vnode *vp,
5027	struct label *label,
5028	int acc_mode
5029	);
5030	/**
5031	@brief Access control check for read
5032	@param active_cred Subject credential
5033	@param file_cred Credential associated with the struct fileproc
5034	@param vp Object vnode
5035	@param label Policy label for vp
5036
5037	Determine whether the subject identified by the credential can perform
5038	a read operation on the passed vnode. The active_cred hold the credentials
5039	of the subject performing the operation, and file_cred holds the
5040	credentials of the subject that originally opened the file.
5041
5042	@return Return 0 if access is granted, otherwise an appropriate value for
5043	errno should be returned. Suggested failure: EACCES for label mismatch or
5044	EPERM for lack of privilege.
5045	*/
5046	typedef int mpo_vnode_check_read_t(
5047	kauth_cred_t active_cred, / SUBJECT /
5048	kauth_cred_t file_cred, / NULLOK /
5049	struct vnode vp, /* OBJECT /
5050	struct label label /* LABEL /
5051	);
5052	/**
5053	@brief Access control check for read directory
5054	@param cred Subject credential
5055	@param dvp Object directory vnode
5056	@param dlabel Policy label for dvp
5057
5058	Determine whether the subject identified by the credential can
5059	perform a readdir operation on the passed directory vnode.
5060
5061	@return Return 0 if access is granted, otherwise an appropriate value for
5062	errno should be returned. Suggested failure: EACCES for label mismatch or
5063	EPERM for lack of privilege.
5064	*/
5065	typedef int mpo_vnode_check_readdir_t(
5066	kauth_cred_t cred, / SUBJECT /
5067	struct vnode dvp, /* OBJECT /
5068	struct label dlabel /* LABEL /
5069	);
5070	/**
5071	@brief Access control check for read link
5072	@param cred Subject credential
5073	@param vp Object vnode
5074	@param label Policy label for vp
5075
5076	Determine whether the subject identified by the credential can perform
5077	a readlink operation on the passed symlink vnode. This call can be made
5078	in a number of situations, including an explicit readlink call by the
5079	user process, or as a result of an implicit readlink during a name
5080	lookup by the process.
5081
5082	@return Return 0 if access is granted, otherwise an appropriate value for
5083	errno should be returned. Suggested failure: EACCES for label mismatch or
5084	EPERM for lack of privilege.
5085	*/
5086	typedef int mpo_vnode_check_readlink_t(
5087	kauth_cred_t cred,
5088	struct vnode *vp,
5089	struct label *label
5090	);
5091	/**
5092	@brief Access control check for rename
5093	@param cred Subject credential
5094	@param dvp Directory vnode
5095	@param dlabel Policy label associated with dvp
5096	@param vp vnode to be renamed
5097	@param label Policy label associated with vp
5098	@param cnp Component name for vp
5099	@param tdvp Destination directory vnode
5100	@param tdlabel Policy label associated with tdvp
5101	@param tvp Overwritten vnode
5102	@param tlabel Policy label associated with tvp
5103	@param tcnp Destination component name
5104
5105	Determine whether the subject identified by the credential should be allowed
5106	to rename the vnode vp to something else.
5107
5108	@return Return 0 if access is granted, otherwise an appropriate value for
5109	errno should be returned.
5110	*/
5111	typedef int mpo_vnode_check_rename_t(
5112	kauth_cred_t cred,
5113	struct vnode *dvp,
5114	struct label *dlabel,
5115	struct vnode *vp,
5116	struct label *label,
5117	struct componentname *cnp,
5118	struct vnode *tdvp,
5119	struct label *tdlabel,
5120	struct vnode *tvp,
5121	struct label *tlabel,
5122	struct componentname *tcnp
5123	);
5124	/**
5125	@brief Access control check for rename from
5126	@param cred Subject credential
5127	@param dvp Directory vnode
5128	@param dlabel Policy label associated with dvp
5129	@param vp vnode to be renamed
5130	@param label Policy label associated with vp
5131	@param cnp Component name for vp
5132	@see mpo_vnode_check_rename_t
5133	@see mpo_vnode_check_rename_to_t
5134
5135	Determine whether the subject identified by the credential should be
5136	allowed to rename the vnode vp to something else.
5137
5138	Due to VFS locking constraints (to make sure proper vnode locks are
5139	held during this entry point), the vnode relabel checks had to be
5140	split into two parts: relabel_from and relabel to.
5141
5142	This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
5143
5144	@return Return 0 if access is granted, otherwise an appropriate value for
5145	errno should be returned.
5146	*/
5147	typedef int mpo_vnode_check_rename_from_t(
5148	kauth_cred_t cred,
5149	struct vnode *dvp,
5150	struct label *dlabel,
5151	struct vnode *vp,
5152	struct label *label,
5153	struct componentname *cnp
5154	);
5155	/**
5156	@brief Access control check for rename to
5157	@param cred Subject credential
5158	@param dvp Directory vnode
5159	@param dlabel Policy label associated with dvp
5160	@param vp Overwritten vnode
5161	@param label Policy label associated with vp
5162	@param samedir Boolean; 1 if the source and destination directories are the same
5163	@param cnp Destination component name
5164	@see mpo_vnode_check_rename_t
5165	@see mpo_vnode_check_rename_from_t
5166
5167	Determine whether the subject identified by the credential should be
5168	allowed to rename to the vnode vp, into the directory dvp, or to the
5169	name represented by cnp. If there is no existing file to overwrite,
5170	vp and label will be NULL.
5171
5172	Due to VFS locking constraints (to make sure proper vnode locks are
5173	held during this entry point), the vnode relabel checks had to be
5174	split into two parts: relabel_from and relabel to.
5175
5176	This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
5177
5178	@return Return 0 if access is granted, otherwise an appropriate value for
5179	errno should be returned.
5180	*/
5181	typedef int mpo_vnode_check_rename_to_t(
5182	kauth_cred_t cred,
5183	struct vnode *dvp,
5184	struct label *dlabel,
5185	struct vnode vp, /* NULLOK /
5186	struct label label, /* NULLOK /
5187	int samedir,
5188	struct componentname *cnp
5189	);
5190	/**
5191	@brief Access control check for revoke
5192	@param cred Subject credential
5193	@param vp Object vnode
5194	@param label Policy label for vp
5195
5196	Determine whether the subject identified by the credential can revoke
5197	access to the passed vnode.
5198
5199	@return Return 0 if access is granted, otherwise an appropriate value for
5200	errno should be returned. Suggested failure: EACCES for label mismatch or
5201	EPERM for lack of privilege.
5202	*/
5203	typedef int mpo_vnode_check_revoke_t(
5204	kauth_cred_t cred,
5205	struct vnode *vp,
5206	struct label *label
5207	);
5208	/**
5209	@brief Access control check for searchfs
5210	@param cred Subject credential
5211	@param vp Object vnode
5212	@param vlabel Policy label for vp
5213	@param alist List of attributes used as search criteria
5214
5215	Determine whether the subject identified by the credential can search the
5216	vnode using the searchfs system call.
5217
5218	@return Return 0 if access is granted, otherwise an appropriate value for
5219	errno should be returned.
5220	*/
5221	typedef int mpo_vnode_check_searchfs_t(
5222	kauth_cred_t cred,
5223	struct vnode *vp,
5224	struct label *vlabel,
5225	struct attrlist *alist
5226	);
5227	/**
5228	@brief Access control check for select
5229	@param cred Subject credential
5230	@param vp Object vnode
5231	@param label Policy label for vp
5232	@param which The operation selected on: FREAD or FWRITE
5233
5234	Determine whether the subject identified by the credential can select
5235	the vnode.
5236
5237	@return Return 0 if access is granted, otherwise an appropriate value for
5238	errno should be returned.
5239	*/
5240	typedef int mpo_vnode_check_select_t(
5241	kauth_cred_t cred,
5242	struct vnode *vp,
5243	struct label *label,
5244	int which
5245	);
5246	/**
5247	@brief Access control check for setting ACL
5248	@param cred Subject credential
5249	@param vp Object node
5250	@param label Policy label for vp
5251	@param acl ACL structure pointer
5252
5253	Determine whether the subject identified by the credential can set an ACL
5254	on the specified vnode. The ACL pointer will be NULL when removing an ACL.
5255
5256	@return Return 0 if access is granted, otherwise an appropriate value for
5257	errno should be returned. Suggested failure: EACCES for label mismatch or
5258	EPERM for lack of privilege.
5259	*/
5260	typedef int mpo_vnode_check_setacl_t(
5261	kauth_cred_t cred,
5262	struct vnode *vp,
5263	struct label *label,
5264	struct kauth_acl *acl
5265	);
5266	/**
5267	@brief Access control check for setting file attributes
5268	@param cred Subject credential
5269	@param vp Object vnode
5270	@param vlabel Policy label for vp
5271	@param alist List of attributes to set
5272
5273	Determine whether the subject identified by the credential can set
5274	various attributes of the specified vnode, or the filesystem or volume on
5275	which that vnode resides. See <sys/attr.h> for definitions of the
5276	attributes.
5277
5278	@return Return 0 if access is granted, otherwise an appropriate value for
5279	errno should be returned. Suggested failure: EACCES for label mismatch or
5280	EPERM for lack of privilege. Access control covers all attributes requested
5281	with this call.
5282	*/
5283	typedef int mpo_vnode_check_setattrlist_t(
5284	kauth_cred_t cred,
5285	struct vnode *vp,
5286	struct label *vlabel,
5287	struct attrlist *alist
5288	);
5289	/**
5290	@brief Access control check for setting extended attribute
5291	@param cred Subject credential
5292	@param vp Object vnode
5293	@param label Policy label for vp
5294	@param name Extended attribute name
5295	@param uio I/O structure pointer
5296
5297	Determine whether the subject identified by the credential can set the
5298	extended attribute of passed name and passed namespace on the passed
5299	vnode. Policies implementing security labels backed into extended
5300	attributes may want to provide additional protections for those
5301	attributes. Additionally, policies should avoid making decisions based
5302	on the data referenced from uio, as there is a potential race condition
5303	between this check and the actual operation. The uio may also be NULL
5304	if a delete operation is being performed.
5305
5306	@return Return 0 if access is granted, otherwise an appropriate value for
5307	errno should be returned. Suggested failure: EACCES for label mismatch or
5308	EPERM for lack of privilege.
5309	*/
5310	typedef int mpo_vnode_check_setextattr_t(
5311	kauth_cred_t cred,
5312	struct vnode *vp,
5313	struct label *label,
5314	const char *name,
5315	struct uio *uio
5316	);
5317	/**
5318	@brief Access control check for setting flags
5319	@param cred Subject credential
5320	@param vp Object vnode
5321	@param label Policy label for vp
5322	@param flags File flags; see chflags(2)
5323
5324	Determine whether the subject identified by the credential can set
5325	the passed flags on the passed vnode.
5326
5327	@return Return 0 if access is granted, otherwise an appropriate value for
5328	errno should be returned. Suggested failure: EACCES for label mismatch or
5329	EPERM for lack of privilege.
5330	*/
5331	typedef int mpo_vnode_check_setflags_t(
5332	kauth_cred_t cred,
5333	struct vnode *vp,
5334	struct label *label,
5335	u_long flags
5336	);
5337	/**
5338	@brief Access control check for setting mode
5339	@param cred Subject credential
5340	@param vp Object vnode
5341	@param label Policy label for vp
5342	@param mode File mode; see chmod(2)
5343
5344	Determine whether the subject identified by the credential can set
5345	the passed mode on the passed vnode.
5346
5347	@return Return 0 if access is granted, otherwise an appropriate value for
5348	errno should be returned. Suggested failure: EACCES for label mismatch or
5349	EPERM for lack of privilege.
5350	*/
5351	typedef int mpo_vnode_check_setmode_t(
5352	kauth_cred_t cred,
5353	struct vnode *vp,
5354	struct label *label,
5355	mode_t mode
5356	);
5357	/**
5358	@brief Access control check for setting uid and gid
5359	@param cred Subject credential
5360	@param vp Object vnode
5361	@param label Policy label for vp
5362	@param uid User ID
5363	@param gid Group ID
5364
5365	Determine whether the subject identified by the credential can set
5366	the passed uid and passed gid as file uid and file gid on the passed
5367	vnode. The IDs may be set to (-1) to request no update.
5368
5369	@return Return 0 if access is granted, otherwise an appropriate value for
5370	errno should be returned. Suggested failure: EACCES for label mismatch or
5371	EPERM for lack of privilege.
5372	*/
5373	typedef int mpo_vnode_check_setowner_t(
5374	kauth_cred_t cred,
5375	struct vnode *vp,
5376	struct label *label,
5377	uid_t uid,
5378	gid_t gid
5379	);
5380	/**
5381	@brief Access control check for setting timestamps
5382	@param cred Subject credential
5383	@param vp Object vnode
5384	@param label Policy label for vp
5385	@param atime Access time; see utimes(2)
5386	@param mtime Modification time; see utimes(2)
5387
5388	Determine whether the subject identified by the credential can set
5389	the passed access timestamps on the passed vnode.
5390
5391	@return Return 0 if access is granted, otherwise an appropriate value for
5392	errno should be returned. Suggested failure: EACCES for label mismatch or
5393	EPERM for lack of privilege.
5394	*/
5395	typedef int mpo_vnode_check_setutimes_t(
5396	kauth_cred_t cred,
5397	struct vnode *vp,
5398	struct label *label,
5399	struct timespec atime,
5400	struct timespec mtime
5401	);
5402	/**
5403	@brief Access control check after determining the code directory hash
5404	@param vp vnode vnode to combine into proc
5405	@param label label associated with the vnode
5406	@param cpu_type cpu type of the signature being checked
5407	@param cs_blob the code signature to check
5408	@param cs_flags update code signing flags if needed
5409	@param signer_type output parameter for the code signature's signer type
5410	@param flags operational flag to mpo_vnode_check_signature
5411	@param fatal_failure_desc description of fatal failure
5412	@param fatal_failure_desc_len failure description len, failure is fatal if non-0
5413
5414	@return Return 0 if access is granted, otherwise an appropriate value for
5415	errno should be returned.
5416	*/
5417	typedef int mpo_vnode_check_signature_t(
5418	struct vnode *vp,
5419	struct label *label,
5420	cpu_type_t cpu_type,
5421	struct cs_blob *cs_blob,
5422	unsigned int *cs_flags,
5423	unsigned int *signer_type,
5424	int flags,
5425	char *fatal_failure_desc, size_t fatal_failure_desc_len
5426	);
5427	/**
5428	@brief Access control check for stat
5429	@param active_cred Subject credential
5430	@param file_cred Credential associated with the struct fileproc
5431	@param vp Object vnode
5432	@param label Policy label for vp
5433
5434	Determine whether the subject identified by the credential can stat
5435	the passed vnode. See stat(2) for more information. The active_cred
5436	hold the credentials of the subject performing the operation, and
5437	file_cred holds the credentials of the subject that originally
5438	opened the file.
5439
5440	@return Return 0 if access is granted, otherwise an appropriate value for
5441	errno should be returned. Suggested failure: EACCES for label mismatch or
5442	EPERM for lack of privilege.
5443	*/
5444	typedef int mpo_vnode_check_stat_t(
5445	struct ucred *active_cred,
5446	struct ucred file_cred, /* NULLOK /
5447	struct vnode *vp,
5448	struct label *label
5449	);
5450	/**
5451	@brief Access control check for vnode trigger resolution
5452	@param cred Subject credential
5453	@param dvp Object vnode
5454	@param dlabel Policy label for dvp
5455	@param cnp Component name that triggered resolution
5456
5457	Determine whether the subject identified by the credential can trigger
5458	resolution of the passed name (cnp) in the passed directory vnode
5459	via an external trigger resolver.
5460
5461	@return Return 0 if access is granted, otherwise an appropriate value for
5462	errno should be returned. Suggested failure: EACCES for label mismatch or
5463	EPERM for lack of privilege.
5464	*/
5465	typedef int mpo_vnode_check_trigger_resolve_t(
5466	kauth_cred_t cred,
5467	struct vnode *dvp,
5468	struct label *dlabel,
5469	struct componentname *cnp
5470	);
5471	/**
5472	@brief Access control check for truncate/ftruncate
5473	@param active_cred Subject credential
5474	@param file_cred Credential associated with the struct fileproc
5475	@param vp Object vnode
5476	@param label Policy label for vp
5477
5478	Determine whether the subject identified by the credential can
5479	perform a truncate operation on the passed vnode. The active_cred hold
5480	the credentials of the subject performing the operation, and
5481	file_cred holds the credentials of the subject that originally
5482	opened the file.
5483
5484	@return Return 0 if access is granted, otherwise an appropriate value for
5485	errno should be returned. Suggested failure: EACCES for label mismatch or
5486	EPERM for lack of privilege.
5487	*/
5488	typedef int mpo_vnode_check_truncate_t(
5489	kauth_cred_t active_cred,
5490	kauth_cred_t file_cred, / NULLOK /
5491	struct vnode *vp,
5492	struct label *label
5493	);
5494	/**
5495	@brief Access control check for binding UNIX domain socket
5496	@param cred Subject credential
5497	@param dvp Directory vnode
5498	@param dlabel Policy label for dvp
5499	@param cnp Component name for dvp
5500	@param vap vnode attributes for vap
5501
5502	Determine whether the subject identified by the credential can perform a
5503	bind operation on a UNIX domain socket with the passed parent directory,
5504	passed name information, and passed attribute information.
5505
5506	@return Return 0 if access is granted, otherwise an appropriate value for
5507	errno should be returned. Suggested failure: EACCES for label mismatch or
5508	EPERM for lack of privilege.
5509	*/
5510	typedef int mpo_vnode_check_uipc_bind_t(
5511	kauth_cred_t cred,
5512	struct vnode *dvp,
5513	struct label *dlabel,
5514	struct componentname *cnp,
5515	struct vnode_attr *vap
5516	);
5517	/**
5518	@brief Access control check for connecting UNIX domain socket
5519	@param cred Subject credential
5520	@param vp Object vnode
5521	@param label Policy label associated with vp
5522	@param so Socket
5523
5524	Determine whether the subject identified by the credential can perform a
5525	connect operation on the passed UNIX domain socket vnode.
5526
5527	@return Return 0 if access is granted, otherwise an appropriate value for
5528	errno should be returned. Suggested failure: EACCES for label mismatch or
5529	EPERM for lack of privilege.
5530	*/
5531	typedef int mpo_vnode_check_uipc_connect_t(
5532	kauth_cred_t cred,
5533	struct vnode *vp,
5534	struct label *label,
5535	socket_t so
5536	);
5537	/**
5538	@brief Access control check for deleting vnode
5539	@param cred Subject credential
5540	@param dvp Parent directory vnode
5541	@param dlabel Policy label for dvp
5542	@param vp Object vnode to delete
5543	@param label Policy label for vp
5544	@param cnp Component name for vp
5545	@see mpo_check_rename_to_t
5546
5547	Determine whether the subject identified by the credential can delete
5548	a vnode from the passed parent directory and passed name information.
5549	This call may be made in a number of situations, including as a
5550	results of calls to unlink(2) and rmdir(2). Policies implementing
5551	this entry point should also implement mpo_check_rename_to to
5552	authorize deletion of objects as a result of being the target of a rename.
5553
5554	@return Return 0 if access is granted, otherwise an appropriate value for
5555	errno should be returned. Suggested failure: EACCES for label mismatch or
5556	EPERM for lack of privilege.
5557	*/
5558	typedef int mpo_vnode_check_unlink_t(
5559	kauth_cred_t cred,
5560	struct vnode *dvp,
5561	struct label *dlabel,
5562	struct vnode *vp,
5563	struct label *label,
5564	struct componentname *cnp
5565	);
5566	/**
5567	@brief Access control check for write
5568	@param active_cred Subject credential
5569	@param file_cred Credential associated with the struct fileproc
5570	@param vp Object vnode
5571	@param label Policy label for vp
5572
5573	Determine whether the subject identified by the credential can
5574	perform a write operation on the passed vnode. The active_cred hold
5575	the credentials of the subject performing the operation, and
5576	file_cred holds the credentials of the subject that originally
5577	opened the file.
5578
5579	@return Return 0 if access is granted, otherwise an appropriate value for
5580	errno should be returned. Suggested failure: EACCES for label mismatch or
5581	EPERM for lack of privilege.
5582	*/
5583	typedef int mpo_vnode_check_write_t(
5584	kauth_cred_t active_cred,
5585	kauth_cred_t file_cred, / NULLOK /
5586	struct vnode *vp,
5587	struct label *label
5588	);
5589	/**
5590	@brief Associate a vnode with a devfs entry
5591	@param mp Devfs mount point
5592	@param mntlabel Devfs mount point label
5593	@param de Devfs directory entry
5594	@param delabel Label associated with de
5595	@param vp vnode associated with de
5596	@param vlabel Label associated with vp
5597
5598	Fill in the label (vlabel) for a newly created devfs vnode. The
5599	label is typically derived from the label on the devfs directory
5600	entry or the label on the filesystem, supplied as parameters.
5601	*/
5602	typedef void mpo_vnode_label_associate_devfs_t(
5603	struct mount *mp,
5604	struct label *mntlabel,
5605	struct devnode *de,
5606	struct label *delabel,
5607	struct vnode *vp,
5608	struct label *vlabel
5609	);
5610	/**
5611	@brief Associate a label with a vnode
5612	@param mp File system mount point
5613	@param mntlabel File system mount point label
5614	@param vp Vnode to label
5615	@param vlabel Label associated with vp
5616
5617	Attempt to retrieve label information for the vnode, vp, from the
5618	file system extended attribute store. The label should be stored in
5619	the supplied vlabel parameter. If a policy cannot retrieve an
5620	extended attribute, sometimes it is acceptible to fallback to using
5621	the mntlabel.
5622
5623	If the policy requires vnodes to have a valid label elsewhere it
5624	MUST NOT return other than temporary errors, and must always provide
5625	a valid label of some sort. Returning an error will cause vnode
5626	labeling to be retried at a later access. Failure to handle policy
5627	centric errors internally (corrupt labels etc.) will result in
5628	inaccessible files.
5629
5630	@return In the event of an error, an appropriate value for errno
5631	should be returned, otherwise return 0 upon success.
5632	*/
5633	typedef int mpo_vnode_label_associate_extattr_t(
5634	struct mount *mp,
5635	struct label *mntlabel,
5636	struct vnode *vp,
5637	struct label *vlabel
5638	);
5639	/**
5640	@brief Associate a file label with a vnode
5641	@param cred User credential
5642	@param mp Fdesc mount point
5643	@param mntlabel Fdesc mount point label
5644	@param fg Fileglob structure
5645	@param label Policy label for fg
5646	@param vp Vnode to label
5647	@param vlabel Label associated with vp
5648
5649	Associate label information for the vnode, vp, with the label of
5650	the open file descriptor described by fg.
5651	The label should be stored in the supplied vlabel parameter.
5652	*/
5653	typedef void mpo_vnode_label_associate_file_t(
5654	struct ucred *cred,
5655	struct mount *mp,
5656	struct label *mntlabel,
5657	struct fileglob *fg,
5658	struct label *label,
5659	struct vnode *vp,
5660	struct label *vlabel
5661	);
5662	/**
5663	@brief Associate a pipe label with a vnode
5664	@param cred User credential for the process that opened the pipe
5665	@param cpipe Pipe structure
5666	@param pipelabel Label associated with pipe
5667	@param vp Vnode to label
5668	@param vlabel Label associated with vp
5669
5670	Associate label information for the vnode, vp, with the label of
5671	the pipe described by the pipe structure cpipe.
5672	The label should be stored in the supplied vlabel parameter.
5673	*/
5674	typedef void mpo_vnode_label_associate_pipe_t(
5675	struct ucred *cred,
5676	struct pipe *cpipe,
5677	struct label *pipelabel,
5678	struct vnode *vp,
5679	struct label *vlabel
5680	);
5681	/**
5682	@brief Associate a POSIX semaphore label with a vnode
5683	@param cred User credential for the process that create psem
5684	@param psem POSIX semaphore structure
5685	@param psemlabel Label associated with psem
5686	@param vp Vnode to label
5687	@param vlabel Label associated with vp
5688
5689	Associate label information for the vnode, vp, with the label of
5690	the POSIX semaphore described by psem.
5691	The label should be stored in the supplied vlabel parameter.
5692	*/
5693	typedef void mpo_vnode_label_associate_posixsem_t(
5694	struct ucred *cred,
5695	struct pseminfo *psem,
5696	struct label *psemlabel,
5697	struct vnode *vp,
5698	struct label *vlabel
5699	);
5700	/**
5701	@brief Associate a POSIX shared memory label with a vnode
5702	@param cred User credential for the process that created pshm
5703	@param pshm POSIX shared memory structure
5704	@param pshmlabel Label associated with pshm
5705	@param vp Vnode to label
5706	@param vlabel Label associated with vp
5707
5708	Associate label information for the vnode, vp, with the label of
5709	the POSIX shared memory region described by pshm.
5710	The label should be stored in the supplied vlabel parameter.
5711	*/
5712	typedef void mpo_vnode_label_associate_posixshm_t(
5713	struct ucred *cred,
5714	struct pshminfo *pshm,
5715	struct label *pshmlabel,
5716	struct vnode *vp,
5717	struct label *vlabel
5718	);
5719	/**
5720	@brief Associate a label with a vnode
5721	@param mp File system mount point
5722	@param mntlabel File system mount point label
5723	@param vp Vnode to label
5724	@param vlabel Label associated with vp
5725
5726	On non-multilabel file systems, set the label for a vnode. The
5727	label will most likely be based on the file system label.
5728	*/
5729	typedef void mpo_vnode_label_associate_singlelabel_t(
5730	struct mount *mp,
5731	struct label *mntlabel,
5732	struct vnode *vp,
5733	struct label *vlabel
5734	);
5735	/**
5736	@brief Associate a socket label with a vnode
5737	@param cred User credential for the process that opened the socket
5738	@param so Socket structure
5739	@param solabel Label associated with so
5740	@param vp Vnode to label
5741	@param vlabel Label associated with vp
5742
5743	Associate label information for the vnode, vp, with the label of
5744	the open socket described by the socket structure so.
5745	The label should be stored in the supplied vlabel parameter.
5746	*/
5747	typedef void mpo_vnode_label_associate_socket_t(
5748	kauth_cred_t cred,
5749	socket_t so,
5750	struct label *solabel,
5751	struct vnode *vp,
5752	struct label *vlabel
5753	);
5754	/**
5755	@brief Copy a vnode label
5756	@param src Source vnode label
5757	@param dest Destination vnode label
5758
5759	Copy the vnode label information from src to dest. On Darwin, this
5760	is currently only necessary when executing interpreted scripts, but
5761	will later be used if vnode label externalization cannot be an
5762	atomic operation.
5763	*/
5764	typedef void mpo_vnode_label_copy_t(
5765	struct label *src,
5766	struct label *dest
5767	);
5768	/**
5769	@brief Destroy vnode label
5770	@param label The label to be destroyed
5771
5772	Destroy a vnode label. Since the object is going out of scope,
5773	policy modules should free any internal storage associated with the
5774	label so that it may be destroyed.
5775	*/
5776	typedef void mpo_vnode_label_destroy_t(
5777	struct label *label
5778	);
5779	/**
5780	@brief Externalize a vnode label for auditing
5781	@param label Label to be externalized
5782	@param element_name Name of the label namespace for which labels should be
5783	externalized
5784	@param sb String buffer to be filled with a text representation of the label
5785
5786	Produce an external representation of the label on a vnode suitable for
5787	inclusion in an audit record. An externalized label consists of a text
5788	representation of the label contents that will be added to the audit record
5789	as part of a text token. Policy-agnostic user space tools will display
5790	this externalized version.
5791
5792	@return 0 on success, return non-zero if an error occurs while
5793	externalizing the label data.
5794
5795	*/
5796	typedef int mpo_vnode_label_externalize_audit_t(
5797	struct label *label,
5798	char *element_name,
5799	struct sbuf *sb
5800	);
5801	/**
5802	@brief Externalize a vnode label
5803	@param label Label to be externalized
5804	@param element_name Name of the label namespace for which labels should be
5805	externalized
5806	@param sb String buffer to be filled with a text representation of the label
5807
5808	Produce an external representation of the label on a vnode. An
5809	externalized label consists of a text representation of the label
5810	contents that can be used with user applications. Policy-agnostic
5811	user space tools will display this externalized version.
5812
5813	@return 0 on success, return non-zero if an error occurs while
5814	externalizing the label data.
5815
5816	*/
5817	typedef int mpo_vnode_label_externalize_t(
5818	struct label *label,
5819	char *element_name,
5820	struct sbuf *sb
5821	);
5822	/**
5823	@brief Initialize vnode label
5824	@param label New label to initialize
5825
5826	Initialize label storage for use with a newly instantiated vnode, or
5827	for temporary storage associated with the copying in or out of a
5828	vnode label. While it is necessary to allocate space for a
5829	kernel-resident vnode label, it is not yet necessary to link this vnode
5830	with persistent label storage facilities, such as extended attributes.
5831	Sleeping is permitted.
5832	*/
5833	typedef void mpo_vnode_label_init_t(
5834	struct label *label
5835	);
5836	/**
5837	@brief Internalize a vnode label
5838	@param label Label to be internalized
5839	@param element_name Name of the label namespace for which the label should
5840	be internalized
5841	@param element_data Text data to be internalized
5842
5843	Produce a vnode label from an external representation. An
5844	externalized label consists of a text representation of the label
5845	contents that can be used with user applications. Policy-agnostic
5846	user space tools will forward text version to the kernel for
5847	processing by individual policy modules.
5848
5849	The policy's internalize entry points will be called only if the
5850	policy has registered interest in the label namespace.
5851
5852	@return 0 on success, Otherwise, return non-zero if an error occurs
5853	while internalizing the label data.
5854	*/
5855	typedef int mpo_vnode_label_internalize_t(
5856	struct label *label,
5857	char *element_name,
5858	char *element_data
5859	);
5860	/**
5861	@brief Clean up a vnode label
5862	@param label The label to be cleaned for re-use
5863
5864	Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but
5865	typically never frees them. Before vnodes are placed back on free lists for
5866	re-use, policies can cleanup or overwrite any information present in the label.
5867	*/
5868	typedef void mpo_vnode_label_recycle_t(
5869	struct label *label
5870	);
5871	/**
5872	@brief Write a label to a extended attribute
5873	@param cred Subject credential
5874	@param vp The vnode for which the label is being stored
5875	@param vlabel Label associated with vp
5876	@param intlabel The new label to store
5877
5878	Store a new label in the extended attribute corresponding to the
5879	supplied vnode. The policy has already authorized the operation;
5880	this call must be implemented in order to perform the actual
5881	operation.
5882
5883	@return In the event of an error, an appropriate value for errno
5884	should be returned, otherwise return 0 upon success.
5885
5886	@warning XXX After examining the extended attribute implementation on
5887	Apple's future release, this entry point may be changed.
5888	*/
5889	typedef int mpo_vnode_label_store_t(
5890	kauth_cred_t cred,
5891	struct vnode *vp,
5892	struct label *vlabel,
5893	struct label *intlabel
5894	);
5895	/**
5896	@brief Update vnode label from extended attributes
5897	@param mp File system mount point
5898	@param mntlabel Mount point label
5899	@param vp Vnode to label
5900	@param vlabel Label associated with vp
5901	@param name Name of the xattr
5902	@see mpo_vnode_check_setextattr_t
5903
5904	When an extended attribute is updated via the Vendor attribute management
5905	functions, the MAC vnode label might also require an update.
5906	Policies should first determine if 'name' matches their xattr label
5907	name. If it does, the kernel is has either replaced or removed the
5908	named extended attribute that was previously associated with the
5909	vnode. Normally labels should only be modified via MAC Framework label
5910	management calls, but sometimes the user space components will directly
5911	modify extended attributes. For example, 'cp', 'tar', etc. manage
5912	extended attributes in userspace, not the kernel.
5913
5914	This entry point is called after the label update has occurred, so
5915	it cannot return a failure. However, the operation is preceded by
5916	the mpo_vnode_check_setextattr() access control check.
5917
5918	If the vnode label needs to be updated the policy should return
5919	a non-zero value. The vnode label will be marked for re-association
5920	by the framework.
5921	*/
5922	typedef int mpo_vnode_label_update_extattr_t(
5923	struct mount *mp,
5924	struct label *mntlabel,
5925	struct vnode *vp,
5926	struct label *vlabel,
5927	const char *name
5928	);
5929	/**
5930	@brief Update a vnode label
5931	@param cred Subject credential
5932	@param vp The vnode to relabel
5933	@param vnodelabel Existing vnode label
5934	@param label New label to replace existing label
5935	@see mpo_vnode_check_label_update_t
5936
5937	The subject identified by the credential has previously requested
5938	and was authorized to relabel the vnode; this entry point allows
5939	policies to perform the actual relabel operation. Policies should
5940	update vnodelabel using the label stored in the label parameter.
5941	*/
5942	typedef void mpo_vnode_label_update_t(
5943	kauth_cred_t cred,
5944	struct vnode *vp,
5945	struct label *vnodelabel,
5946	struct label *label
5947	);
5948	/**
5949	@brief Find deatched signatures for a shared library
5950	@param p file trying to find the signature
5951	@param vp The vnode to relabel
5952	@param offset offset in the macho that the signature is requested for (for fat binaries)
5953	@param label Existing vnode label
5954
5955	*/
5956	typedef int mpo_vnode_find_sigs_t(
5957	struct proc *p,
5958	struct vnode *vp,
5959	off_t offset,
5960	struct label *label
5961	);
5962	/**
5963	@brief Create a new vnode, backed by extended attributes
5964	@param cred User credential for the creating process
5965	@param mp File system mount point
5966	@param mntlabel File system mount point label
5967	@param dvp Parent directory vnode
5968	@param dlabel Parent directory vnode label
5969	@param vp Newly created vnode
5970	@param vlabel Label to associate with the new vnode
5971	@param cnp Component name for vp
5972
5973	Write out the label for the newly created vnode, most likely storing
5974	the results in a file system extended attribute. Most policies will
5975	derive the new vnode label using information from a combination
5976	of the subject (user) credential, the file system label, the parent
5977	directory label, and potentially the path name component.
5978
5979	@return If the operation succeeds, store the new label in vlabel and
5980	return 0. Otherwise, return an appropriate errno value.
5981	*/
5982	typedef int mpo_vnode_notify_create_t(
5983	kauth_cred_t cred,
5984	struct mount *mp,
5985	struct label *mntlabel,
5986	struct vnode *dvp,
5987	struct label *dlabel,
5988	struct vnode *vp,
5989	struct label *vlabel,
5990	struct componentname *cnp
5991	);
5992
5993	/**
5994	@brief Inform MAC policies that a vnode has been opened
5995	@param cred User credential for the creating process
5996	@param vp vnode opened
5997	@param label Policy label for the vp
5998	@param acc_mode open(2) access mode used
5999
6000	Inform Mac policies that a vnode have been successfully opened
6001	(passing all MAC polices and DAC).
6002	*/
6003	typedef void mpo_vnode_notify_open_t(
6004	kauth_cred_t cred,
6005	struct vnode *vp,
6006	struct label *label,
6007	int acc_mode
6008	);
6009
6010	/**
6011	@brief Inform MAC policies that a vnode has been renamed
6012	@param cred User credential for the renaming process
6013	@param vp Vnode that's being renamed
6014	@param label Policy label for vp
6015	@param dvp Parent directory for the destination
6016	@param dlabel Policy label for dvp
6017	@param cnp Component name for the destination
6018
6019	Inform MAC policies that a vnode has been renamed.
6020	*/
6021	typedef void mpo_vnode_notify_rename_t(
6022	kauth_cred_t cred,
6023	struct vnode *vp,
6024	struct label *label,
6025	struct vnode *dvp,
6026	struct label *dlabel,
6027	struct componentname *cnp
6028	);
6029
6030	/**
6031	@brief Inform MAC policies that a vnode has been linked
6032	@param cred User credential for the renaming process
6033	@param dvp Parent directory for the destination
6034	@param dlabel Policy label for dvp
6035	@param vp Vnode that's being linked
6036	@param vlabel Policy label for vp
6037	@param cnp Component name for the destination
6038
6039	Inform MAC policies that a vnode has been linked.
6040	*/
6041	typedef void mpo_vnode_notify_link_t(
6042	kauth_cred_t cred,
6043	struct vnode *dvp,
6044	struct label *dlabel,
6045	struct vnode *vp,
6046	struct label *vlabel,
6047	struct componentname *cnp
6048	);
6049
6050	/**
6051	@brief Inform MAC policies that an extended attribute has been removed from a vnode
6052	@param cred Subject credential
6053	@param vp Object node
6054	@param label Policy label for vp
6055	@param name Extended attribute name
6056
6057	Inform MAC policies that an extended attribute has been removed from a vnode.
6058	*/
6059	typedef void mpo_vnode_notify_deleteextattr_t(
6060	kauth_cred_t cred,
6061	struct vnode *vp,
6062	struct label *label,
6063	const char *name
6064	);
6065
6066
6067	/**
6068	@brief Inform MAC policies that an ACL has been set on a vnode
6069	@param cred Subject credential
6070	@param vp Object node
6071	@param label Policy label for vp
6072	@param acl ACL structure pointer
6073
6074	Inform MAC policies that an ACL has been set on a vnode.
6075	*/
6076	typedef void mpo_vnode_notify_setacl_t(
6077	kauth_cred_t cred,
6078	struct vnode *vp,
6079	struct label *label,
6080	struct kauth_acl *acl
6081	);
6082
6083	/**
6084	@brief Inform MAC policies that an attributes have been set on a vnode
6085	@param cred Subject credential
6086	@param vp Object vnode
6087	@param label Policy label for vp
6088	@param alist List of attributes to set
6089
6090	Inform MAC policies that an attributes have been set on a vnode.
6091	*/
6092	typedef void mpo_vnode_notify_setattrlist_t(
6093	kauth_cred_t cred,
6094	struct vnode *vp,
6095	struct label *label,
6096	struct attrlist *alist
6097	);
6098
6099	/**
6100	@brief Inform MAC policies that an extended attribute has been set on a vnode
6101	@param cred Subject credential
6102	@param vp Object vnode
6103	@param label Policy label for vp
6104	@param name Extended attribute name
6105	@param uio I/O structure pointer
6106
6107	Inform MAC policies that an extended attribute has been set on a vnode.
6108	*/
6109	typedef void mpo_vnode_notify_setextattr_t(
6110	kauth_cred_t cred,
6111	struct vnode *vp,
6112	struct label *label,
6113	const char *name,
6114	struct uio *uio
6115	);
6116
6117	/**
6118	@brief Inform MAC policies that flags have been set on a vnode
6119	@param cred Subject credential
6120	@param vp Object vnode
6121	@param label Policy label for vp
6122	@param flags File flags; see chflags(2)
6123
6124	Inform MAC policies that flags have been set on a vnode.
6125	*/
6126	typedef void mpo_vnode_notify_setflags_t(
6127	kauth_cred_t cred,
6128	struct vnode *vp,
6129	struct label *label,
6130	u_long flags
6131	);
6132
6133	/**
6134	@brief Inform MAC policies that a new mode has been set on a vnode
6135	@param cred Subject credential
6136	@param vp Object vnode
6137	@param label Policy label for vp
6138	@param mode File mode; see chmod(2)
6139
6140	Inform MAC policies that a new mode has been set on a vnode.
6141	*/
6142	typedef void mpo_vnode_notify_setmode_t(
6143	kauth_cred_t cred,
6144	struct vnode *vp,
6145	struct label *label,
6146	mode_t mode
6147	);
6148
6149	/**
6150	@brief Inform MAC policies that new uid/gid have been set on a vnode
6151	@param cred Subject credential
6152	@param vp Object vnode
6153	@param label Policy label for vp
6154	@param uid User ID
6155	@param gid Group ID
6156
6157	Inform MAC policies that new uid/gid have been set on a vnode.
6158	*/
6159	typedef void mpo_vnode_notify_setowner_t(
6160	kauth_cred_t cred,
6161	struct vnode *vp,
6162	struct label *label,
6163	uid_t uid,
6164	gid_t gid
6165	);
6166
6167	/**
6168	@brief Inform MAC policies that new timestamps have been set on a vnode
6169	@param cred Subject credential
6170	@param vp Object vnode
6171	@param label Policy label for vp
6172	@param atime Access time; see utimes(2)
6173	@param mtime Modification time; see utimes(2)
6174
6175	Inform MAC policies that new timestamps have been set on a vnode.
6176	*/
6177	typedef void mpo_vnode_notify_setutimes_t(
6178	kauth_cred_t cred,
6179	struct vnode *vp,
6180	struct label *label,
6181	struct timespec atime,
6182	struct timespec mtime
6183	);
6184
6185	/**
6186	@brief Inform MAC policies that a vnode has been truncated
6187	@param cred Subject credential
6188	@param file_cred Credential associated with the struct fileproc
6189	@param vp Object vnode
6190	@param label Policy label for vp
6191
6192	Inform MAC policies that a vnode has been truncated.
6193	*/
6194	typedef void mpo_vnode_notify_truncate_t(
6195	kauth_cred_t cred,
6196	kauth_cred_t file_cred,
6197	struct vnode *vp,
6198	struct label *label
6199	);
6200
6201
6202	/**
6203	@brief Inform MAC policies that a pty slave has been granted
6204	@param p Responsible process
6205	@param tp tty data structure
6206	@param dev Major and minor numbers of device
6207	@param label Policy label for tp
6208
6209	Inform MAC policies that a pty slave has been granted.
6210	*/
6211	typedef void mpo_pty_notify_grant_t(
6212	proc_t p,
6213	struct tty *tp,
6214	dev_t dev,
6215	struct label *label
6216	);
6217
6218	/**
6219	@brief Inform MAC policies that a pty master has been closed
6220	@param p Responsible process
6221	@param tp tty data structure
6222	@param dev Major and minor numbers of device
6223	@param label Policy label for tp
6224
6225	Inform MAC policies that a pty master has been closed.
6226	*/
6227	typedef void mpo_pty_notify_close_t(
6228	proc_t p,
6229	struct tty *tp,
6230	dev_t dev,
6231	struct label *label
6232	);
6233
6234	/**
6235	@brief Access control check for kext loading
6236	@param cred Subject credential
6237	@param identifier Kext identifier
6238
6239	Determine whether the subject identified by the credential can load the
6240	specified kext.
6241
6242	@return Return 0 if access is granted, otherwise an appropriate value for
6243	errno should be returned. Suggested failure: EPERM for lack of privilege.
6244	*/
6245	typedef int mpo_kext_check_load_t(
6246	kauth_cred_t cred,
6247	const char *identifier
6248	);
6249
6250	/**
6251	@brief Access control check for kext unloading
6252	@param cred Subject credential
6253	@param identifier Kext identifier
6254
6255	Determine whether the subject identified by the credential can unload the
6256	specified kext.
6257
6258	@return Return 0 if access is granted, otherwise an appropriate value for
6259	errno should be returned. Suggested failure: EPERM for lack of privilege.
6260	*/
6261	typedef int mpo_kext_check_unload_t(
6262	kauth_cred_t cred,
6263	const char *identifier
6264	);
6265
6266	/**
6267	@brief Access control check for querying information about loaded kexts
6268	@param cred Subject credential
6269
6270	Determine whether the subject identified by the credential can query
6271	information about loaded kexts.
6272
6273	@return Return 0 if access is granted, otherwise an appropriate value for
6274	errno should be returned. Suggested failure: EPERM for lack of privilege.
6275	*/
6276	typedef int mpo_kext_check_query_t(
6277	kauth_cred_t cred
6278	);
6279
6280	/*
6281	* Placeholder for future events that may need mac hooks.
6282	*/
6283	typedef void mpo_reserved_hook_t(void);
6284
6285	/*
6286	* Policy module operations.
6287	*
6288	* Please note that this should be kept in sync with the check assumptions
6289	* policy in bsd/kern/policy_check.c (policy_ops struct).
6290	*/
6291	#define MAC_POLICY_OPS_VERSION 55 /* inc when new reserved slots are taken */
6292	struct mac_policy_ops {
6293	mpo_audit_check_postselect_t *mpo_audit_check_postselect;
6294	mpo_audit_check_preselect_t *mpo_audit_check_preselect;
6295
6296	mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
6297	mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
6298	mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init;
6299	mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive;
6300
6301	mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
6302	mpo_cred_check_label_update_t *mpo_cred_check_label_update;
6303	mpo_cred_check_visible_t *mpo_cred_check_visible;
6304	mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork;
6305	mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel;
6306	mpo_cred_label_associate_t *mpo_cred_label_associate;
6307	mpo_cred_label_associate_user_t *mpo_cred_label_associate_user;
6308	mpo_cred_label_destroy_t *mpo_cred_label_destroy;
6309	mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit;
6310	mpo_cred_label_externalize_t *mpo_cred_label_externalize;
6311	mpo_cred_label_init_t *mpo_cred_label_init;
6312	mpo_cred_label_internalize_t *mpo_cred_label_internalize;
6313	mpo_cred_label_update_execve_t *mpo_cred_label_update_execve;
6314	mpo_cred_label_update_t *mpo_cred_label_update;
6315
6316	mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device;
6317	mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory;
6318	mpo_devfs_label_copy_t *mpo_devfs_label_copy;
6319	mpo_devfs_label_destroy_t *mpo_devfs_label_destroy;
6320	mpo_devfs_label_init_t *mpo_devfs_label_init;
6321	mpo_devfs_label_update_t *mpo_devfs_label_update;
6322
6323	mpo_file_check_change_offset_t *mpo_file_check_change_offset;
6324	mpo_file_check_create_t *mpo_file_check_create;
6325	mpo_file_check_dup_t *mpo_file_check_dup;
6326	mpo_file_check_fcntl_t *mpo_file_check_fcntl;
6327	mpo_file_check_get_offset_t *mpo_file_check_get_offset;
6328	mpo_file_check_get_t *mpo_file_check_get;
6329	mpo_file_check_inherit_t *mpo_file_check_inherit;
6330	mpo_file_check_ioctl_t *mpo_file_check_ioctl;
6331	mpo_file_check_lock_t *mpo_file_check_lock;
6332	mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade;
6333	mpo_file_check_mmap_t *mpo_file_check_mmap;
6334	mpo_file_check_receive_t *mpo_file_check_receive;
6335	mpo_file_check_set_t *mpo_file_check_set;
6336	mpo_file_label_init_t *mpo_file_label_init;
6337	mpo_file_label_destroy_t *mpo_file_label_destroy;
6338	mpo_file_label_associate_t *mpo_file_label_associate;
6339
6340	mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update;
6341	mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit;
6342	mpo_ifnet_label_associate_t *mpo_ifnet_label_associate;
6343	mpo_ifnet_label_copy_t *mpo_ifnet_label_copy;
6344	mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy;
6345	mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize;
6346	mpo_ifnet_label_init_t *mpo_ifnet_label_init;
6347	mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize;
6348	mpo_ifnet_label_update_t *mpo_ifnet_label_update;
6349	mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle;
6350
6351	mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver;
6352	mpo_inpcb_label_associate_t *mpo_inpcb_label_associate;
6353	mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy;
6354	mpo_inpcb_label_init_t *mpo_inpcb_label_init;
6355	mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle;
6356	mpo_inpcb_label_update_t *mpo_inpcb_label_update;
6357
6358	mpo_iokit_check_device_t *mpo_iokit_check_device;
6359
6360	mpo_ipq_label_associate_t *mpo_ipq_label_associate;
6361	mpo_ipq_label_compare_t *mpo_ipq_label_compare;
6362	mpo_ipq_label_destroy_t *mpo_ipq_label_destroy;
6363	mpo_ipq_label_init_t *mpo_ipq_label_init;
6364	mpo_ipq_label_update_t *mpo_ipq_label_update;
6365
6366	mpo_file_check_library_validation_t *mpo_file_check_library_validation;
6367	mpo_vnode_notify_setacl_t *mpo_vnode_notify_setacl;
6368	mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist;
6369	mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr;
6370	mpo_vnode_notify_setflags_t *mpo_vnode_notify_setflags;
6371	mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode;
6372	mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner;
6373	mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes;
6374	mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate;
6375
6376	mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
6377	mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
6378	mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
6379	mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq;
6380	mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
6381	mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap;
6382	mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
6383	mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
6384	mpo_mbuf_label_copy_t *mpo_mbuf_label_copy;
6385	mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy;
6386	mpo_mbuf_label_init_t *mpo_mbuf_label_init;
6387
6388	mpo_mount_check_fsctl_t *mpo_mount_check_fsctl;
6389	mpo_mount_check_getattr_t *mpo_mount_check_getattr;
6390	mpo_mount_check_label_update_t *mpo_mount_check_label_update;
6391	mpo_mount_check_mount_t *mpo_mount_check_mount;
6392	mpo_mount_check_remount_t *mpo_mount_check_remount;
6393	mpo_mount_check_setattr_t *mpo_mount_check_setattr;
6394	mpo_mount_check_stat_t *mpo_mount_check_stat;
6395	mpo_mount_check_umount_t *mpo_mount_check_umount;
6396	mpo_mount_label_associate_t *mpo_mount_label_associate;
6397	mpo_mount_label_destroy_t *mpo_mount_label_destroy;
6398	mpo_mount_label_externalize_t *mpo_mount_label_externalize;
6399	mpo_mount_label_init_t *mpo_mount_label_init;
6400	mpo_mount_label_internalize_t *mpo_mount_label_internalize;
6401
6402	mpo_netinet_fragment_t *mpo_netinet_fragment;
6403	mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply;
6404	mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply;
6405
6406	mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
6407	mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
6408	mpo_pipe_check_label_update_t *mpo_pipe_check_label_update;
6409	mpo_pipe_check_read_t *mpo_pipe_check_read;
6410	mpo_pipe_check_select_t *mpo_pipe_check_select;
6411	mpo_pipe_check_stat_t *mpo_pipe_check_stat;
6412	mpo_pipe_check_write_t *mpo_pipe_check_write;
6413	mpo_pipe_label_associate_t *mpo_pipe_label_associate;
6414	mpo_pipe_label_copy_t *mpo_pipe_label_copy;
6415	mpo_pipe_label_destroy_t *mpo_pipe_label_destroy;
6416	mpo_pipe_label_externalize_t *mpo_pipe_label_externalize;
6417	mpo_pipe_label_init_t *mpo_pipe_label_init;
6418	mpo_pipe_label_internalize_t *mpo_pipe_label_internalize;
6419	mpo_pipe_label_update_t *mpo_pipe_label_update;
6420
6421	mpo_policy_destroy_t *mpo_policy_destroy;
6422	mpo_policy_init_t *mpo_policy_init;
6423	mpo_policy_initbsd_t *mpo_policy_initbsd;
6424	mpo_policy_syscall_t *mpo_policy_syscall;
6425
6426	mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname;
6427	mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports;
6428	mpo_vnode_check_rename_t *mpo_vnode_check_rename;
6429	mpo_kext_check_query_t *mpo_kext_check_query;
6430	mpo_proc_notify_exec_complete_t *mpo_proc_notify_exec_complete;
6431	mpo_reserved_hook_t *mpo_reserved5;
6432	mpo_reserved_hook_t *mpo_reserved6;
6433	mpo_proc_check_expose_task_t *mpo_proc_check_expose_task;
6434	mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port;
6435	mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port;
6436	mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send;
6437	mpo_exc_action_label_associate_t *mpo_exc_action_label_associate;
6438	mpo_exc_action_label_populate_t *mpo_exc_action_label_populate;
6439	mpo_exc_action_label_destroy_t *mpo_exc_action_label_destroy;
6440	mpo_exc_action_label_init_t *mpo_exc_action_label_init;
6441	mpo_exc_action_label_update_t *mpo_exc_action_label_update;
6442
6443	mpo_vnode_check_trigger_resolve_t *mpo_vnode_check_trigger_resolve;
6444	mpo_reserved_hook_t *mpo_reserved1;
6445	mpo_reserved_hook_t *mpo_reserved2;
6446	mpo_reserved_hook_t *mpo_reserved3;
6447	mpo_skywalk_flow_check_connect_t *mpo_skywalk_flow_check_connect;
6448	mpo_skywalk_flow_check_listen_t *mpo_skywalk_flow_check_listen;
6449
6450	mpo_posixsem_check_create_t *mpo_posixsem_check_create;
6451	mpo_posixsem_check_open_t *mpo_posixsem_check_open;
6452	mpo_posixsem_check_post_t *mpo_posixsem_check_post;
6453	mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink;
6454	mpo_posixsem_check_wait_t *mpo_posixsem_check_wait;
6455	mpo_posixsem_label_associate_t *mpo_posixsem_label_associate;
6456	mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy;
6457	mpo_posixsem_label_init_t *mpo_posixsem_label_init;
6458	mpo_posixshm_check_create_t *mpo_posixshm_check_create;
6459	mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap;
6460	mpo_posixshm_check_open_t *mpo_posixshm_check_open;
6461	mpo_posixshm_check_stat_t *mpo_posixshm_check_stat;
6462	mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate;
6463	mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink;
6464	mpo_posixshm_label_associate_t *mpo_posixshm_label_associate;
6465	mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy;
6466	mpo_posixshm_label_init_t *mpo_posixshm_label_init;
6467
6468	mpo_proc_check_debug_t *mpo_proc_check_debug;
6469	mpo_proc_check_fork_t *mpo_proc_check_fork;
6470	mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name;
6471	mpo_proc_check_get_task_t *mpo_proc_check_get_task;
6472	mpo_proc_check_getaudit_t *mpo_proc_check_getaudit;
6473	mpo_proc_check_getauid_t *mpo_proc_check_getauid;
6474	mpo_proc_check_getlcid_t *mpo_proc_check_getlcid;
6475	mpo_proc_check_mprotect_t *mpo_proc_check_mprotect;
6476	mpo_proc_check_sched_t *mpo_proc_check_sched;
6477	mpo_proc_check_setaudit_t *mpo_proc_check_setaudit;
6478	mpo_proc_check_setauid_t *mpo_proc_check_setauid;
6479	mpo_proc_check_setlcid_t *mpo_proc_check_setlcid;
6480	mpo_proc_check_signal_t *mpo_proc_check_signal;
6481	mpo_proc_check_wait_t *mpo_proc_check_wait;
6482	mpo_proc_label_destroy_t *mpo_proc_label_destroy;
6483	mpo_proc_label_init_t *mpo_proc_label_init;
6484
6485	mpo_socket_check_accept_t *mpo_socket_check_accept;
6486	mpo_socket_check_accepted_t *mpo_socket_check_accepted;
6487	mpo_socket_check_bind_t *mpo_socket_check_bind;
6488	mpo_socket_check_connect_t *mpo_socket_check_connect;
6489	mpo_socket_check_create_t *mpo_socket_check_create;
6490	mpo_socket_check_deliver_t *mpo_socket_check_deliver;
6491	mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter;
6492	mpo_socket_check_label_update_t *mpo_socket_check_label_update;
6493	mpo_socket_check_listen_t *mpo_socket_check_listen;
6494	mpo_socket_check_receive_t *mpo_socket_check_receive;
6495	mpo_socket_check_received_t *mpo_socket_check_received;
6496	mpo_socket_check_select_t *mpo_socket_check_select;
6497	mpo_socket_check_send_t *mpo_socket_check_send;
6498	mpo_socket_check_stat_t *mpo_socket_check_stat;
6499	mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt;
6500	mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt;
6501	mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept;
6502	mpo_socket_label_associate_t *mpo_socket_label_associate;
6503	mpo_socket_label_copy_t *mpo_socket_label_copy;
6504	mpo_socket_label_destroy_t *mpo_socket_label_destroy;
6505	mpo_socket_label_externalize_t *mpo_socket_label_externalize;
6506	mpo_socket_label_init_t *mpo_socket_label_init;
6507	mpo_socket_label_internalize_t *mpo_socket_label_internalize;
6508	mpo_socket_label_update_t *mpo_socket_label_update;
6509
6510	mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf;
6511	mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket;
6512	mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy;
6513	mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize;
6514	mpo_socketpeer_label_init_t *mpo_socketpeer_label_init;
6515
6516	mpo_system_check_acct_t *mpo_system_check_acct;
6517	mpo_system_check_audit_t *mpo_system_check_audit;
6518	mpo_system_check_auditctl_t *mpo_system_check_auditctl;
6519	mpo_system_check_auditon_t *mpo_system_check_auditon;
6520	mpo_system_check_host_priv_t *mpo_system_check_host_priv;
6521	mpo_system_check_nfsd_t *mpo_system_check_nfsd;
6522	mpo_system_check_reboot_t *mpo_system_check_reboot;
6523	mpo_system_check_settime_t *mpo_system_check_settime;
6524	mpo_system_check_swapoff_t *mpo_system_check_swapoff;
6525	mpo_system_check_swapon_t *mpo_system_check_swapon;
6526	mpo_socket_check_ioctl_t *mpo_socket_check_ioctl;
6527
6528	mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate;
6529	mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy;
6530	mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init;
6531	mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle;
6532	mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue;
6533	mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv;
6534	mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid;
6535	mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl;
6536	mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget;
6537	mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv;
6538	mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd;
6539	mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate;
6540	mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy;
6541	mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init;
6542	mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle;
6543	mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl;
6544	mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget;
6545	mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop;
6546	mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate;
6547	mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy;
6548	mpo_sysvsem_label_init_t *mpo_sysvsem_label_init;
6549	mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle;
6550	mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat;
6551	mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl;
6552	mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt;
6553	mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget;
6554	mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate;
6555	mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy;
6556	mpo_sysvshm_label_init_t *mpo_sysvshm_label_init;
6557	mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle;
6558
6559	mpo_proc_notify_exit_t *mpo_proc_notify_exit;
6560	mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert;
6561	mpo_vnode_check_getattr_t *mpo_vnode_check_getattr;
6562	mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create;
6563	mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete;
6564	mpo_vnode_check_clone_t *mpo_vnode_check_clone;
6565	mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info;
6566	mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info;
6567
6568	mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control;
6569
6570	mpo_vnode_check_access_t *mpo_vnode_check_access;
6571	mpo_vnode_check_chdir_t *mpo_vnode_check_chdir;
6572	mpo_vnode_check_chroot_t *mpo_vnode_check_chroot;
6573	mpo_vnode_check_create_t *mpo_vnode_check_create;
6574	mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr;
6575	mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata;
6576	mpo_vnode_check_exec_t *mpo_vnode_check_exec;
6577	mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist;
6578	mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr;
6579	mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl;
6580	mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter;
6581	mpo_vnode_check_label_update_t *mpo_vnode_check_label_update;
6582	mpo_vnode_check_link_t *mpo_vnode_check_link;
6583	mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr;
6584	mpo_vnode_check_lookup_t *mpo_vnode_check_lookup;
6585	mpo_vnode_check_open_t *mpo_vnode_check_open;
6586	mpo_vnode_check_read_t *mpo_vnode_check_read;
6587	mpo_vnode_check_readdir_t *mpo_vnode_check_readdir;
6588	mpo_vnode_check_readlink_t *mpo_vnode_check_readlink;
6589	mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from;
6590	mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to;
6591	mpo_vnode_check_revoke_t *mpo_vnode_check_revoke;
6592	mpo_vnode_check_select_t *mpo_vnode_check_select;
6593	mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist;
6594	mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr;
6595	mpo_vnode_check_setflags_t *mpo_vnode_check_setflags;
6596	mpo_vnode_check_setmode_t *mpo_vnode_check_setmode;
6597	mpo_vnode_check_setowner_t *mpo_vnode_check_setowner;
6598	mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes;
6599	mpo_vnode_check_stat_t *mpo_vnode_check_stat;
6600	mpo_vnode_check_truncate_t *mpo_vnode_check_truncate;
6601	mpo_vnode_check_unlink_t *mpo_vnode_check_unlink;
6602	mpo_vnode_check_write_t *mpo_vnode_check_write;
6603	mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs;
6604	mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr;
6605	mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file;
6606	mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe;
6607	mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem;
6608	mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm;
6609	mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel;
6610	mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket;
6611	mpo_vnode_label_copy_t *mpo_vnode_label_copy;
6612	mpo_vnode_label_destroy_t *mpo_vnode_label_destroy;
6613	mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit;
6614	mpo_vnode_label_externalize_t *mpo_vnode_label_externalize;
6615	mpo_vnode_label_init_t *mpo_vnode_label_init;
6616	mpo_vnode_label_internalize_t *mpo_vnode_label_internalize;
6617	mpo_vnode_label_recycle_t *mpo_vnode_label_recycle;
6618	mpo_vnode_label_store_t *mpo_vnode_label_store;
6619	mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr;
6620	mpo_vnode_label_update_t *mpo_vnode_label_update;
6621	mpo_vnode_notify_create_t *mpo_vnode_notify_create;
6622	mpo_vnode_check_signature_t *mpo_vnode_check_signature;
6623	mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind;
6624	mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect;
6625
6626	mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid;
6627	mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume;
6628
6629	mpo_thread_userret_t *mpo_thread_userret;
6630
6631	mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties;
6632
6633	mpo_system_check_chud_t *mpo_system_check_chud;
6634
6635	mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs;
6636
6637	mpo_priv_check_t *mpo_priv_check;
6638	mpo_priv_grant_t *mpo_priv_grant;
6639
6640	mpo_proc_check_map_anon_t *mpo_proc_check_map_anon;
6641
6642	mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath;
6643
6644	mpo_iokit_check_open_t *mpo_iokit_check_open;
6645
6646	mpo_proc_check_ledger_t *mpo_proc_check_ledger;
6647
6648	mpo_vnode_notify_rename_t *mpo_vnode_notify_rename;
6649
6650	mpo_vnode_check_setacl_t *mpo_vnode_check_setacl;
6651
6652	mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr;
6653
6654	mpo_system_check_kas_info_t *mpo_system_check_kas_info;
6655
6656	mpo_vnode_check_lookup_preflight_t *mpo_vnode_check_lookup_preflight;
6657
6658	mpo_vnode_notify_open_t *mpo_vnode_notify_open;
6659
6660	mpo_system_check_info_t *mpo_system_check_info;
6661
6662	mpo_pty_notify_grant_t *mpo_pty_notify_grant;
6663	mpo_pty_notify_close_t *mpo_pty_notify_close;
6664
6665	mpo_vnode_find_sigs_t *mpo_vnode_find_sigs;
6666
6667	mpo_kext_check_load_t *mpo_kext_check_load;
6668	mpo_kext_check_unload_t *mpo_kext_check_unload;
6669
6670	mpo_proc_check_proc_info_t *mpo_proc_check_proc_info;
6671	mpo_vnode_notify_link_t *mpo_vnode_notify_link;
6672	mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties;
6673	mpo_iokit_check_get_property_t *mpo_iokit_check_get_property;
6674	};
6675
6676	/**
6677	@brief MAC policy handle type
6678
6679	The MAC handle is used to uniquely identify a loaded policy within
6680	the MAC Framework.
6681
6682	A variable of this type is set by mac_policy_register().
6683	*/
6684	typedef unsigned int mac_policy_handle_t;
6685
6686	#define mpc_t struct mac_policy_conf *
6687
6688	/**
6689	@brief Mac policy configuration
6690
6691	This structure specifies the configuration information for a
6692	MAC policy module. A policy module developer must supply
6693	a short unique policy name, a more descriptive full name, a list of label
6694	namespaces and count, a pointer to the registered enty point operations,
6695	any load time flags, and optionally, a pointer to a label slot identifier.
6696
6697	The Framework will update the runtime flags (mpc_runtime_flags) to
6698	indicate that the module has been registered.
6699
6700	If the label slot identifier (mpc_field_off) is NULL, the Framework
6701	will not provide label storage for the policy. Otherwise, the
6702	Framework will store the label location (slot) in this field.
6703
6704	The mpc_list field is used by the Framework and should not be
6705	modified by policies.
6706	*/
6707	/ XXX - reorder these for better aligment on 64bit platforms /
6708	struct mac_policy_conf {
6709	const char mpc_name; /** policy name /
6710	const char mpc_fullname; /** full name /
6711	char const * const mpc_labelnames; /** managed label namespaces /
6712	unsigned int mpc_labelname_count; /* number of managed label namespaces /
6713	const struct mac_policy_ops mpc_ops; /** operation vector /
6714	int mpc_loadtime_flags; /* load time flags /
6715	int mpc_field_off; /** label slot /
6716	int mpc_runtime_flags; /* run time flags /
6717	mpc_t mpc_list; /* List reference /
6718	void mpc_data; /** module data /
6719	};
6720
6721	/**
6722	@brief MAC policy module registration routine
6723
6724	This function is called to register a policy with the
6725	MAC framework. A policy module will typically call this from the
6726	Darwin KEXT registration routine.
6727	*/
6728	int mac_policy_register(struct mac_policy_conf *mpc,
6729	mac_policy_handle_t handlep, void* *xd);
6730
6731	/**
6732	@brief MAC policy module de-registration routine
6733
6734	This function is called to de-register a policy with theD
6735	MAC framework. A policy module will typically call this from the
6736	Darwin KEXT de-registration routine.
6737	*/
6738	int mac_policy_unregister(mac_policy_handle_t handle);
6739
6740	/*
6741	* Framework entry points for the policies to add audit data.
6742	*/
6743	int mac_audit_text(char *text, mac_policy_handle_t handle);
6744
6745	/*
6746	* Calls to assist with use of Apple XATTRs within policy modules.
6747	*/
6748	int mac_vnop_setxattr(struct vnode , const* char , char* *, size_t);
6749	int mac_vnop_getxattr(struct vnode , const* char , char* *, size_t,
6750	size_t *);
6751	int mac_vnop_removexattr(struct vnode , const* char *);
6752
6753	/**
6754	@brief Set an extended attribute on a vnode-based fileglob.
6755	@param fg fileglob representing file to attach the extended attribute
6756	@param name extended attribute name
6757	@param buf buffer of data to use as the extended attribute value
6758	@param len size of buffer
6759
6760	Sets the value of an extended attribute on a file.
6761
6762	Caller must hold an iocount on the vnode represented by the fileglob.
6763	*/
6764	int mac_file_setxattr(struct fileglob fg, const* char name, char* *buf, size_t len);
6765
6766	/**
6767	@brief Get an extended attribute from a vnode-based fileglob.
6768	@param fg fileglob representing file to read the extended attribute
6769	@param name extended attribute name
6770	@param buf buffer of data to hold the extended attribute value
6771	@param len size of buffer
6772	@param attrlen size of full extended attribute value
6773
6774	Gets the value of an extended attribute on a file.
6775
6776	Caller must hold an iocount on the vnode represented by the fileglob.
6777	*/
6778	int mac_file_getxattr(struct fileglob fg, const* char name, char* *buf, size_t len,
6779	size_t *attrlen);
6780
6781	/**
6782	@brief Remove an extended attribute from a vnode-based fileglob.
6783	@param fg fileglob representing file to remove the extended attribute
6784	@param name extended attribute name
6785
6786	Removes the named extended attribute from the file.
6787
6788	Caller must hold an iocount on the vnode represented by the fileglob.
6789	*/
6790	int mac_file_removexattr(struct fileglob fg, const* char *name);
6791
6792
6793	/*
6794	* Arbitrary limit on how much data will be logged by the audit
6795	* entry points above.
6796	*/
6797	#define MAC_AUDIT_DATA_LIMIT 1024
6798
6799	/*
6800	* Values returned by mac_audit_{pre,post}select. To combine the responses
6801	* of the security policies into a single decision,
6802	* mac_audit_{pre,post}select() choose the greatest value returned.
6803	*/
6804	#define MAC_AUDIT_DEFAULT 0 /* use system behavior */
6805	#define MAC_AUDIT_NO 1 /* force not auditing this event */
6806	#define MAC_AUDIT_YES 2 /* force auditing this event */
6807
6808	// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field
6809
6810	/**
6811	@name Flags for the mpc_loadtime_flags field
6812	@see mac_policy_conf
6813
6814	This is the complete list of flags that are supported by the
6815	mpc_loadtime_flags field of the mac_policy_conf structure. These
6816	flags specify the load time behavior of MAC Framework policy
6817	modules.
6818	*/
6819
6820	/@{/
6821
6822	/**
6823	@brief Flag to indicate registration preference
6824
6825	This flag indicates that the policy module must be loaded and
6826	initialized early in the boot process. If the flag is specified,
6827	attempts to register the module following boot will be rejected. The
6828	flag may be used by policies that require pervasive labeling of all
6829	system objects, and cannot handle objects that have not been
6830	properly initialized by the policy.
6831	*/
6832	#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
6833
6834	/**
6835	@brief Flag to indicate unload preference
6836
6837	This flag indicates that the policy module may be unloaded. If this
6838	flag is not set, then the policy framework will reject requests to
6839	unload the module. This flag might be used by modules that allocate
6840	label state and are unable to free that state at runtime, or for
6841	modules that simply do not want to permit unload operations.
6842	*/
6843	#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
6844
6845	/**
6846	@brief Unsupported
6847
6848	XXX This flag is not yet supported.
6849	*/
6850	#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
6851
6852	/**
6853	@brief Flag to indicate a base policy
6854
6855	This flag indicates that the policy module is a base policy. Only
6856	one module can declare itself as base, otherwise the boot process
6857	will be halted.
6858	*/
6859	#define MPC_LOADTIME_BASE_POLICY 0x00000008
6860
6861	/@}/
6862
6863	/**
6864	@brief Policy registration flag
6865	@see mac_policy_conf
6866
6867	This flag indicates that the policy module has been successfully
6868	registered with the TrustedBSD MAC Framework. The Framework will
6869	set this flag in the mpc_runtime_flags field of the policy's
6870	mac_policy_conf structure after registering the policy.
6871	*/
6872	#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
6873
6874	/*
6875	* Depends on POLICY_VER
6876	*/
6877
6878	#ifndef POLICY_VER
6879	#define POLICY_VER 1.0
6880	#endif
6881
6882	#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \
6883	static struct mac_policy_conf mpname##_mac_policy_conf = { \
6884	.mpc_name = #mpname, \
6885	.mpc_fullname = mpfullname, \
6886	.mpc_labelnames = lnames, \
6887	.mpc_labelname_count = lcount, \
6888	.mpc_ops = mpops, \
6889	.mpc_loadtime_flags = lflags, \
6890	.mpc_field_off = slot, \
6891	.mpc_runtime_flags = rflags \
6892	}; \
6893	\
6894	static kern_return_t \
6895	kmod_start(kmod_info_t ki, void xd) \
6896	{ \
6897	return mac_policy_register(&mpname##_mac_policy_conf, \
6898	&handle, xd); \
6899	} \
6900	\
6901	static kern_return_t \
6902	kmod_stop(kmod_info_t ki, void xd) \
6903	{ \
6904	return mac_policy_unregister(handle); \
6905	} \
6906	\
6907	extern kern_return_t _start(kmod_info_t ki, void data); \
6908	extern kern_return_t _stop(kmod_info_t ki, void data); \
6909	\
6910	KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \
6911	kmod_start_func_t *_realmain = kmod_start; \
6912	kmod_stop_func_t *_antimain = kmod_stop; \
6913	int _kext_apple_cc = __APPLE_CC__
6914
6915
6916	#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]
6917
6918	/*
6919	* Policy interface to map a struct label pointer to per-policy data.
6920	* Typically, policies wrap this in their own accessor macro that casts an
6921	* intptr_t to a policy-specific data type.
6922	*/
6923	intptr_t mac_label_get(struct label l, int* slot);
6924	void mac_label_set(struct label l, int* slot, intptr_t v);
6925
6926	#define mac_get_mpc(h) (mac_policy_list.entries[h].mpc)
6927
6928	/**
6929	@name Flags for MAC allocator interfaces
6930
6931	These flags are passed to the Darwin kernel allocator routines to
6932	indicate whether the allocation is permitted to block or not.
6933	Caution should be taken; some operations are not permitted to sleep,
6934	and some types of locks cannot be held when sleeping.
6935	*/
6936
6937	/@{/
6938
6939	/**
6940	@brief Allocation operations may block
6941
6942	If memory is not immediately available, the allocation routine
6943	will block (typically sleeping) until memory is available.
6944
6945	@warning Inappropriate use of this flag may cause kernel panics.
6946	*/
6947	#define MAC_WAITOK 0
6948
6949	/**
6950	@brief Allocation operations may not block
6951
6952	Rather than blocking, the allocator may return an error if memory
6953	is not immediately available. This type of allocation will not
6954	sleep, preserving locking semantics.
6955	*/
6956	#define MAC_NOWAIT 1
6957
6958	/@}/
6959
6960	#endif /* !_SECURITY_MAC_POLICY_H_ */
6961

Browse the source code of xnu/BUILD/obj/EXPORT_HDRS/security/security/mac_policy.h