1 | /* |
2 | * Copyright (c) 2007-2016 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | /*- |
29 | * Copyright (c) 1999-2002 Robert N. M. Watson |
30 | * Copyright (c) 2001-2005 Networks Associates Technology, Inc. |
31 | * Copyright (c) 2005-2007 SPARTA, Inc. |
32 | * All rights reserved. |
33 | * |
34 | * This software was developed by Robert Watson for the TrustedBSD Project. |
35 | * |
36 | * This software was developed for the FreeBSD Project in part by Network |
37 | * Associates Laboratories, the Security Research Division of Network |
38 | * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), |
39 | * as part of the DARPA CHATS research program. |
40 | * |
41 | * This software was enhanced by SPARTA ISSO under SPAWAR contract |
42 | * N66001-04-C-6019 ("SEFOS"). |
43 | * |
44 | * Redistribution and use in source and binary forms, with or without |
45 | * modification, are permitted provided that the following conditions |
46 | * are met: |
47 | * 1. Redistributions of source code must retain the above copyright |
48 | * notice, this list of conditions and the following disclaimer. |
49 | * 2. Redistributions in binary form must reproduce the above copyright |
50 | * notice, this list of conditions and the following disclaimer in the |
51 | * documentation and/or other materials provided with the distribution. |
52 | * |
53 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
54 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
55 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
56 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
57 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
58 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
59 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
60 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
61 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
62 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
63 | * SUCH DAMAGE. |
64 | * |
65 | * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $ |
66 | */ |
67 | |
68 | /** |
69 | @file mac_policy.h |
70 | @brief Kernel Interfaces for MAC policy modules |
71 | |
72 | This header defines the list of operations that are defined by the |
73 | TrustedBSD MAC Framwork on Darwin. MAC Policy modules register |
74 | with the framework to declare interest in a specific set of |
75 | operations. If interest in an entry point is not declared, then |
76 | the policy will be ignored when the Framework evaluates that entry |
77 | point. |
78 | */ |
79 | |
80 | #ifndef _SECURITY_MAC_POLICY_H_ |
81 | #define _SECURITY_MAC_POLICY_H_ |
82 | |
83 | #ifndef PRIVATE |
84 | #warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version" |
85 | #endif |
86 | |
87 | #include <security/_label.h> |
88 | |
89 | struct attrlist; |
90 | struct auditinfo; |
91 | struct bpf_d; |
92 | struct cs_blob; |
93 | struct devnode; |
94 | struct exception_action; |
95 | struct fileglob; |
96 | struct ifnet; |
97 | struct inpcb; |
98 | struct ipq; |
99 | struct label; |
100 | struct mac_module_data; |
101 | struct mac_policy_conf; |
102 | struct mbuf; |
103 | struct mount; |
104 | struct msg; |
105 | struct msqid_kernel; |
106 | struct pipe; |
107 | struct pseminfo; |
108 | struct pshminfo; |
109 | struct sbuf; |
110 | struct semid_kernel; |
111 | struct shmid_kernel; |
112 | struct socket; |
113 | struct sockopt; |
114 | struct task; |
115 | struct thread; |
116 | struct tty; |
117 | struct ucred; |
118 | struct vfs_attr; |
119 | struct vnode; |
120 | /** @struct dummy */ |
121 | |
122 | |
123 | |
124 | #ifndef _KAUTH_CRED_T |
125 | #define _KAUTH_CRED_T |
126 | typedef struct ucred *kauth_cred_t; |
127 | #endif /* !_KAUTH_CRED_T */ |
128 | |
129 | #ifndef __IOKIT_PORTS_DEFINED__ |
130 | #define __IOKIT_PORTS_DEFINED__ |
131 | #ifdef __cplusplus |
132 | class OSObject; |
133 | typedef OSObject *io_object_t; |
134 | #else |
135 | struct OSObject; |
136 | typedef struct OSObject *io_object_t; |
137 | #endif |
138 | #endif /* __IOKIT_PORTS_DEFINED__ */ |
139 | |
140 | /*- |
141 | * MAC entry points are generally named using the following template: |
142 | * |
143 | * mpo_<object>_<operation>() |
144 | * |
145 | * or: |
146 | * |
147 | * mpo_<object>_check_<operation>() |
148 | * |
149 | * Entry points are sorted by object type. |
150 | * |
151 | * It may be desirable also to consider some subsystems as "objects", such |
152 | * as system, iokit, etc. |
153 | */ |
154 | |
155 | /** |
156 | @name Entry Points for Label Management |
157 | |
158 | These are the entry points corresponding to the life cycle events for |
159 | kernel objects, such as initialization, creation, and destruction. |
160 | |
161 | Most policies (that use labels) will initialize labels by allocating |
162 | space for policy-specific data. In most cases, it is permitted to |
163 | sleep during label initialization operations; it will be noted when |
164 | it is not permitted. |
165 | |
166 | Initialization usually will not require doing more than allocating a |
167 | generic label for the given object. What follows initialization is |
168 | creation, where a label is made specific to the object it is associated |
169 | with. Destruction occurs when the label is no longer needed, such as |
170 | when the corresponding object is destroyed. All necessary cleanup should |
171 | be performed in label destroy operations. |
172 | |
173 | Where possible, the label entry points have identical parameters. If |
174 | the policy module does not require structure-specific label |
175 | information, the same function may be registered in the policy |
176 | operation vector. Many policies will implement two such generic |
177 | allocation calls: one to handle sleepable requests, and one to handle |
178 | potentially non-sleepable requests. |
179 | */ |
180 | |
181 | |
182 | /** |
183 | @brief Audit event postselection |
184 | @param cred Subject credential |
185 | @param syscode Syscall number |
186 | @param args Syscall arguments |
187 | @param error Syscall errno |
188 | @param retval Syscall return value |
189 | |
190 | This is the MAC Framework audit postselect, which is called before |
191 | exiting a syscall to determine if an audit event should be committed. |
192 | A return value of MAC_AUDIT_NO forces the audit record to be suppressed. |
193 | Any other return value results in the audit record being committed. |
194 | |
195 | @warning The suppression behavior will probably go away in Apple's |
196 | future version of the audit implementation. |
197 | |
198 | @return Return MAC_AUDIT_NO to force suppression of the audit record. |
199 | Any other value results in the audit record being committed. |
200 | |
201 | */ |
202 | typedef int mpo_audit_check_postselect_t( |
203 | kauth_cred_t cred, |
204 | unsigned short syscode, |
205 | void *args, |
206 | int error, |
207 | int retval |
208 | ); |
209 | /** |
210 | @brief Audit event preselection |
211 | @param cred Subject credential |
212 | @param syscode Syscall number |
213 | @param args Syscall arguments |
214 | |
215 | This is the MAC Framework audit preselect, which is called before a |
216 | syscall is entered to determine if an audit event should be created. |
217 | If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be |
218 | returned. A return value of MAC_AUDIT_NO causes the audit record to |
219 | be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants |
220 | to defer to the system's existing preselection mechanism. |
221 | |
222 | When policies return different preferences, the Framework decides what action |
223 | to take based on the following policy. If any policy returns MAC_AUDIT_YES, |
224 | then create an audit record, else if any policy returns MAC_AUDIT_NO, then |
225 | suppress the creations of an audit record, else defer to the system's |
226 | existing preselection mechanism. |
227 | |
228 | @warning The audit implementation in Apple's current version is |
229 | incomplete, so the MAC policies have priority over the system's existing |
230 | mechanisms. This will probably change in the future version where |
231 | the audit implementation is more complete. |
232 | |
233 | @return Return MAC_AUDIT_YES to force auditing of the syscall, |
234 | MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT |
235 | to allow auditing mechanisms to determine if the syscall is audited. |
236 | |
237 | */ |
238 | typedef int mpo_audit_check_preselect_t( |
239 | kauth_cred_t cred, |
240 | unsigned short syscode, |
241 | void *args |
242 | ); |
243 | /** |
244 | @brief Initialize BPF descriptor label |
245 | @param label New label to initialize |
246 | |
247 | Initialize the label for a newly instantiated BPF descriptor. |
248 | Sleeping is permitted. |
249 | */ |
250 | typedef void mpo_bpfdesc_label_init_t( |
251 | struct label *label |
252 | ); |
253 | /** |
254 | @brief Destroy BPF descriptor label |
255 | @param label The label to be destroyed |
256 | |
257 | Destroy a BPF descriptor label. Since the BPF descriptor |
258 | is going out of scope, policy modules should free any internal |
259 | storage associated with the label so that it may be destroyed. |
260 | */ |
261 | typedef void mpo_bpfdesc_label_destroy_t( |
262 | struct label *label |
263 | ); |
264 | /** |
265 | @brief Associate a BPF descriptor with a label |
266 | @param cred User credential creating the BPF descriptor |
267 | @param bpf_d The BPF descriptor |
268 | @param bpflabel The new label |
269 | |
270 | Set the label on a newly created BPF descriptor from the passed |
271 | subject credential. This call will be made when a BPF device node |
272 | is opened by a process with the passed subject credential. |
273 | */ |
274 | typedef void mpo_bpfdesc_label_associate_t( |
275 | kauth_cred_t cred, |
276 | struct bpf_d *bpf_d, |
277 | struct label *bpflabel |
278 | ); |
279 | /** |
280 | @brief Check whether BPF can read from a network interface |
281 | @param bpf_d Subject; the BPF descriptor |
282 | @param bpflabel Policy label for bpf_d |
283 | @param ifp Object; the network interface |
284 | @param ifnetlabel Policy label for ifp |
285 | |
286 | Determine whether the MAC framework should permit datagrams from |
287 | the passed network interface to be delivered to the buffers of |
288 | the passed BPF descriptor. Return (0) for success, or an errno |
289 | value for failure. Suggested failure: EACCES for label mismatches, |
290 | EPERM for lack of privilege. |
291 | */ |
292 | typedef int mpo_bpfdesc_check_receive_t( |
293 | struct bpf_d *bpf_d, |
294 | struct label *bpflabel, |
295 | struct ifnet *ifp, |
296 | struct label *ifnetlabel |
297 | ); |
298 | /** |
299 | @brief Indicate desire to change the process label at exec time |
300 | @param old Existing subject credential |
301 | @param vp File being executed |
302 | @param offset Offset of binary within file being executed |
303 | @param scriptvp Script being executed by interpreter, if any. |
304 | @param vnodelabel Label corresponding to vp |
305 | @param scriptvnodelabel Script vnode label |
306 | @param execlabel Userspace provided execution label |
307 | @param p Object process |
308 | @param macpolicyattr MAC policy-specific spawn attribute data |
309 | @param macpolicyattrlen Length of policy-specific spawn attribute data |
310 | @see mac_execve |
311 | @see mpo_cred_label_update_execve_t |
312 | @see mpo_vnode_check_exec_t |
313 | |
314 | Indicate whether this policy intends to update the label of a newly |
315 | created credential from the existing subject credential (old). This |
316 | call occurs when a process executes the passed vnode. If a policy |
317 | returns success from this entry point, the mpo_cred_label_update_execve |
318 | entry point will later be called with the same parameters. Access |
319 | has already been checked via the mpo_vnode_check_exec entry point, |
320 | this entry point is necessary to preserve kernel locking constraints |
321 | during program execution. |
322 | |
323 | The supplied vnode and vnodelabel correspond with the file actually |
324 | being executed; in the case that the file is interpreted (for |
325 | example, a script), the label of the original exec-time vnode has |
326 | been preserved in scriptvnodelabel. |
327 | |
328 | The final label, execlabel, corresponds to a label supplied by a |
329 | user space application through the use of the mac_execve system call. |
330 | |
331 | The vnode lock is held during this operation. No changes should be |
332 | made to the old credential structure. |
333 | |
334 | @warning Even if a policy returns 0, it should behave correctly in |
335 | the presence of an invocation of mpo_cred_label_update_execve, as that |
336 | call may happen as a result of another policy requesting a transition. |
337 | |
338 | @return Non-zero if a transition is required, 0 otherwise. |
339 | */ |
340 | typedef int mpo_cred_check_label_update_execve_t( |
341 | kauth_cred_t old, |
342 | struct vnode *vp, |
343 | off_t offset, |
344 | struct vnode *scriptvp, |
345 | struct label *vnodelabel, |
346 | struct label *scriptvnodelabel, |
347 | struct label *execlabel, |
348 | struct proc *p, |
349 | void *macpolicyattr, |
350 | size_t macpolicyattrlen |
351 | ); |
352 | /** |
353 | @brief Access control check for relabelling processes |
354 | @param cred Subject credential |
355 | @param newlabel New label to apply to the user credential |
356 | @see mpo_cred_label_update_t |
357 | @see mac_set_proc |
358 | |
359 | Determine whether the subject identified by the credential can relabel |
360 | itself to the supplied new label (newlabel). This access control check |
361 | is called when the mac_set_proc system call is invoked. A user space |
362 | application will supply a new value, the value will be internalized |
363 | and provided in newlabel. |
364 | |
365 | @return Return 0 if access is granted, otherwise an appropriate value for |
366 | errno should be returned. |
367 | */ |
368 | typedef int mpo_cred_check_label_update_t( |
369 | kauth_cred_t cred, |
370 | struct label *newlabel |
371 | ); |
372 | /** |
373 | @brief Access control check for visibility of other subjects |
374 | @param u1 Subject credential |
375 | @param u2 Object credential |
376 | |
377 | Determine whether the subject identified by the credential u1 can |
378 | "see" other subjects with the passed subject credential u2. This call |
379 | may be made in a number of situations, including inter-process status |
380 | sysctls used by ps, and in procfs lookups. |
381 | |
382 | @return Return 0 if access is granted, otherwise an appropriate value for |
383 | errno should be returned. Suggested failure: EACCES for label mismatch, |
384 | EPERM for lack of privilege, or ESRCH to hide visibility. |
385 | */ |
386 | typedef int mpo_cred_check_visible_t( |
387 | kauth_cred_t u1, |
388 | kauth_cred_t u2 |
389 | ); |
390 | /** |
391 | @brief Associate a credential with a new process at fork |
392 | @param cred credential to inherited by new process |
393 | @param proc the new process |
394 | |
395 | Allow a process to associate the credential with a new |
396 | process for reference countng purposes. |
397 | NOTE: the credential can be dis-associated in ways other |
398 | than exit - so this strategy is flawed - should just |
399 | catch label destroy callback. |
400 | */ |
401 | typedef void mpo_cred_label_associate_fork_t( |
402 | kauth_cred_t cred, |
403 | proc_t proc |
404 | ); |
405 | /** |
406 | @brief Create the first process |
407 | @param cred Subject credential to be labeled |
408 | |
409 | Create the subject credential of process 0, the parent of all BSD |
410 | kernel processes. Policies should update the label in the |
411 | previously initialized credential structure. |
412 | */ |
413 | typedef void mpo_cred_label_associate_kernel_t( |
414 | kauth_cred_t cred |
415 | ); |
416 | /** |
417 | @brief Create a credential label |
418 | @param parent_cred Parent credential |
419 | @param child_cred Child credential |
420 | |
421 | Set the label of a newly created credential, most likely using the |
422 | information in the supplied parent credential. |
423 | |
424 | @warning This call is made when crcopy or crdup is invoked on a |
425 | newly created struct ucred, and should not be confused with a |
426 | process fork or creation event. |
427 | */ |
428 | typedef void mpo_cred_label_associate_t( |
429 | kauth_cred_t parent_cred, |
430 | kauth_cred_t child_cred |
431 | ); |
432 | /** |
433 | @brief Create the first process |
434 | @param cred Subject credential to be labeled |
435 | |
436 | Create the subject credential of process 1, the parent of all BSD |
437 | user processes. Policies should update the label in the previously |
438 | initialized credential structure. This is the 'init' process. |
439 | */ |
440 | typedef void mpo_cred_label_associate_user_t( |
441 | kauth_cred_t cred |
442 | ); |
443 | /** |
444 | @brief Destroy credential label |
445 | @param label The label to be destroyed |
446 | |
447 | Destroy a user credential label. Since the user credential |
448 | is going out of scope, policy modules should free any internal |
449 | storage associated with the label so that it may be destroyed. |
450 | */ |
451 | typedef void mpo_cred_label_destroy_t( |
452 | struct label *label |
453 | ); |
454 | /** |
455 | @brief Externalize a user credential label for auditing |
456 | @param label Label to be externalized |
457 | @param element_name Name of the label namespace for which labels should be |
458 | externalized |
459 | @param sb String buffer to be filled with a text representation of the label |
460 | |
461 | Produce an external representation of the label on a user credential for |
462 | inclusion in an audit record. An externalized label consists of a text |
463 | representation of the label contents that will be added to the audit record |
464 | as part of a text token. Policy-agnostic user space tools will display |
465 | this externalized version. |
466 | |
467 | @return 0 on success, return non-zero if an error occurs while |
468 | externalizing the label data. |
469 | |
470 | */ |
471 | typedef int mpo_cred_label_externalize_audit_t( |
472 | struct label *label, |
473 | char *element_name, |
474 | struct sbuf *sb |
475 | ); |
476 | /** |
477 | @brief Externalize a user credential label |
478 | @param label Label to be externalized |
479 | @param element_name Name of the label namespace for which labels should be |
480 | externalized |
481 | @param sb String buffer to be filled with a text representation of the label |
482 | |
483 | Produce an external representation of the label on a user |
484 | credential. An externalized label consists of a text representation |
485 | of the label contents that can be used with user applications. |
486 | Policy-agnostic user space tools will display this externalized |
487 | version. |
488 | |
489 | @return 0 on success, return non-zero if an error occurs while |
490 | externalizing the label data. |
491 | |
492 | */ |
493 | typedef int mpo_cred_label_externalize_t( |
494 | struct label *label, |
495 | char *element_name, |
496 | struct sbuf *sb |
497 | ); |
498 | /** |
499 | @brief Initialize user credential label |
500 | @param label New label to initialize |
501 | |
502 | Initialize the label for a newly instantiated user credential. |
503 | Sleeping is permitted. |
504 | */ |
505 | typedef void mpo_cred_label_init_t( |
506 | struct label *label |
507 | ); |
508 | /** |
509 | @brief Internalize a user credential label |
510 | @param label Label to be internalized |
511 | @param element_name Name of the label namespace for which the label should |
512 | be internalized |
513 | @param element_data Text data to be internalized |
514 | |
515 | Produce a user credential label from an external representation. An |
516 | externalized label consists of a text representation of the label |
517 | contents that can be used with user applications. Policy-agnostic |
518 | user space tools will forward text version to the kernel for |
519 | processing by individual policy modules. |
520 | |
521 | The policy's internalize entry points will be called only if the |
522 | policy has registered interest in the label namespace. |
523 | |
524 | @return 0 on success, Otherwise, return non-zero if an error occurs |
525 | while internalizing the label data. |
526 | |
527 | */ |
528 | typedef int mpo_cred_label_internalize_t( |
529 | struct label *label, |
530 | char *element_name, |
531 | char *element_data |
532 | ); |
533 | /** |
534 | @brief Update credential at exec time |
535 | @param old_cred Existing subject credential |
536 | @param new_cred New subject credential to be labeled |
537 | @param p Object process. |
538 | @param vp File being executed |
539 | @param offset Offset of binary within file being executed |
540 | @param scriptvp Script being executed by interpreter, if any. |
541 | @param vnodelabel Label corresponding to vp |
542 | @param scriptvnodelabel Script vnode label |
543 | @param execlabel Userspace provided execution label |
544 | @param csflags Code signing flags to be set after exec |
545 | @param macpolicyattr MAC policy-specific spawn attribute data. |
546 | @param macpolicyattrlen Length of policy-specific spawn attribute data. |
547 | @see mac_execve |
548 | @see mpo_cred_check_label_update_execve_t |
549 | @see mpo_vnode_check_exec_t |
550 | |
551 | Update the label of a newly created credential (new) from the |
552 | existing subject credential (old). This call occurs when a process |
553 | executes the passed vnode and one of the loaded policy modules has |
554 | returned success from the mpo_cred_check_label_update_execve entry point. |
555 | Access has already been checked via the mpo_vnode_check_exec entry |
556 | point, this entry point is only used to update any policy state. |
557 | |
558 | The supplied vnode and vnodelabel correspond with the file actually |
559 | being executed; in the case that the file is interpreted (for |
560 | example, a script), the label of the original exec-time vnode has |
561 | been preserved in scriptvnodelabel. |
562 | |
563 | The final label, execlabel, corresponds to a label supplied by a |
564 | user space application through the use of the mac_execve system call. |
565 | |
566 | If non-NULL, the value pointed to by disjointp will be set to 0 to |
567 | indicate that the old and new credentials are not disjoint, or 1 to |
568 | indicate that they are. |
569 | |
570 | The vnode lock is held during this operation. No changes should be |
571 | made to the old credential structure. |
572 | @return 0 on success, Otherwise, return non-zero if update results in |
573 | termination of child. |
574 | */ |
575 | typedef int mpo_cred_label_update_execve_t( |
576 | kauth_cred_t old_cred, |
577 | kauth_cred_t new_cred, |
578 | struct proc *p, |
579 | struct vnode *vp, |
580 | off_t offset, |
581 | struct vnode *scriptvp, |
582 | struct label *vnodelabel, |
583 | struct label *scriptvnodelabel, |
584 | struct label *execlabel, |
585 | u_int *csflags, |
586 | void *macpolicyattr, |
587 | size_t macpolicyattrlen, |
588 | int *disjointp |
589 | ); |
590 | /** |
591 | @brief Update a credential label |
592 | @param cred The existing credential |
593 | @param newlabel A new label to apply to the credential |
594 | @see mpo_cred_check_label_update_t |
595 | @see mac_set_proc |
596 | |
597 | Update the label on a user credential, using the supplied new label. |
598 | This is called as a result of a process relabel operation. Access |
599 | control was already confirmed by mpo_cred_check_label_update. |
600 | */ |
601 | typedef void mpo_cred_label_update_t( |
602 | kauth_cred_t cred, |
603 | struct label *newlabel |
604 | ); |
605 | /** |
606 | @brief Create a new devfs device |
607 | @param dev Major and minor numbers of special file |
608 | @param de "inode" of new device file |
609 | @param label Destination label |
610 | @param fullpath Path relative to mount (e.g. /dev) of new device file |
611 | |
612 | This entry point labels a new devfs device. The label will likely be based |
613 | on the path to the device, or the major and minor numbers. |
614 | The policy should store an appropriate label into 'label'. |
615 | */ |
616 | typedef void mpo_devfs_label_associate_device_t( |
617 | dev_t dev, |
618 | struct devnode *de, |
619 | struct label *label, |
620 | const char *fullpath |
621 | ); |
622 | /** |
623 | @brief Create a new devfs directory |
624 | @param dirname Name of new directory |
625 | @param dirnamelen Length of 'dirname' |
626 | @param de "inode" of new directory |
627 | @param label Destination label |
628 | @param fullpath Path relative to mount (e.g. /dev) of new directory |
629 | |
630 | This entry point labels a new devfs directory. The label will likely be |
631 | based on the path of the new directory. The policy should store an appropriate |
632 | label into 'label'. The devfs root directory is labelled in this way. |
633 | */ |
634 | typedef void mpo_devfs_label_associate_directory_t( |
635 | const char *dirname, |
636 | int dirnamelen, |
637 | struct devnode *de, |
638 | struct label *label, |
639 | const char *fullpath |
640 | ); |
641 | /** |
642 | @brief Copy a devfs label |
643 | @param src Source devfs label |
644 | @param dest Destination devfs label |
645 | |
646 | Copy the label information from src to dest. The devfs file system |
647 | often duplicates (splits) existing device nodes rather than creating |
648 | new ones. |
649 | */ |
650 | typedef void mpo_devfs_label_copy_t( |
651 | struct label *src, |
652 | struct label *dest |
653 | ); |
654 | /** |
655 | @brief Destroy devfs label |
656 | @param label The label to be destroyed |
657 | |
658 | Destroy a devfs entry label. Since the object is going out |
659 | of scope, policy modules should free any internal storage associated |
660 | with the label so that it may be destroyed. |
661 | */ |
662 | typedef void mpo_devfs_label_destroy_t( |
663 | struct label *label |
664 | ); |
665 | /** |
666 | @brief Initialize devfs label |
667 | @param label New label to initialize |
668 | |
669 | Initialize the label for a newly instantiated devfs entry. Sleeping |
670 | is permitted. |
671 | */ |
672 | typedef void mpo_devfs_label_init_t( |
673 | struct label *label |
674 | ); |
675 | /** |
676 | @brief Update a devfs label after relabelling its vnode |
677 | @param mp Devfs mount point |
678 | @param de Affected devfs directory entry |
679 | @param delabel Label of devfs directory entry |
680 | @param vp Vnode associated with de |
681 | @param vnodelabel New label of vnode |
682 | |
683 | Update a devfs label when its vnode is manually relabelled, |
684 | for example with setfmac(1). Typically, this will simply copy |
685 | the vnode label into the devfs label. |
686 | */ |
687 | typedef void mpo_devfs_label_update_t( |
688 | struct mount *mp, |
689 | struct devnode *de, |
690 | struct label *delabel, |
691 | struct vnode *vp, |
692 | struct label *vnodelabel |
693 | ); |
694 | /** |
695 | @brief Access control for sending an exception to an exception action |
696 | @param crashlabel The crashing process's label |
697 | @param action Exception action |
698 | @param exclabel Policy label for exception action |
699 | |
700 | Determine whether the the exception message caused by the victim |
701 | process can be sent to the exception action. The policy may compare |
702 | credentials in the crashlabel, which are derived from the process at |
703 | the time the exception occurs, with the credentials in the exclabel, |
704 | which was set at the time the exception port was set, to determine |
705 | its decision. Note that any process from which the policy derived |
706 | any credentials may not exist anymore at the time of this policy |
707 | operation. Sleeping is permitted. |
708 | |
709 | @return Return 0 if the message can be sent, otherwise an |
710 | appropriate value for errno should be returned. |
711 | */ |
712 | typedef int mpo_exc_action_check_exception_send_t( |
713 | struct label *crashlabel, |
714 | struct exception_action *action, |
715 | struct label *exclabel |
716 | ); |
717 | /** |
718 | @brief Associate an exception action label |
719 | @param action Exception action to label |
720 | @param exclabel Policy label to be filled in for exception action |
721 | |
722 | Set the label on an exception action. |
723 | */ |
724 | typedef void mpo_exc_action_label_associate_t( |
725 | struct exception_action *action, |
726 | struct label *exclabel |
727 | ); |
728 | /** |
729 | @brief Destroy exception action label |
730 | @param label The label to be destroyed |
731 | |
732 | Destroy the label on an exception action. Since the object is going |
733 | out of scope, policy modules should free any internal storage |
734 | associated with the label so that it may be destroyed. Sleeping is |
735 | permitted. |
736 | */ |
737 | typedef void mpo_exc_action_label_destroy_t( |
738 | struct label *label |
739 | ); |
740 | /** |
741 | @brief Populate an exception action label with process credentials |
742 | @param label The label to be populated |
743 | @param proc Process to derive credentials from |
744 | |
745 | Populate a label with credentials derived from a process. At |
746 | exception delivery time, the policy should compare credentials of the |
747 | process that set an exception ports with the credentials of the |
748 | process or corpse that experienced the exception. Note that the |
749 | process that set the port may not exist at that time anymore, so |
750 | labels should carry copies of live credentials if necessary. |
751 | */ |
752 | typedef void mpo_exc_action_label_populate_t( |
753 | struct label *label, |
754 | struct proc *proc |
755 | ); |
756 | /** |
757 | @brief Initialize exception action label |
758 | @param label New label to initialize |
759 | |
760 | Initialize a label for an exception action. Usually performs |
761 | policy specific allocations. Sleeping is permitted. |
762 | */ |
763 | typedef int mpo_exc_action_label_init_t( |
764 | struct label *label |
765 | ); |
766 | /** |
767 | @brief Update the label on an exception action |
768 | @param action Exception action that the label belongs to (may be |
769 | NULL if none) |
770 | @param label Policy label to update |
771 | @param newlabel New label for update |
772 | |
773 | Update the credentials of an exception action from the given |
774 | label. The policy should copy over any credentials (process and |
775 | otherwise) from the new label into the label to update. Must not |
776 | sleep, must be quick and can be called with locks held. |
777 | */ |
778 | typedef int mpo_exc_action_label_update_t( |
779 | struct exception_action *action, |
780 | struct label *label, |
781 | struct label *newlabel |
782 | ); |
783 | /** |
784 | @brief Access control for changing the offset of a file descriptor |
785 | @param cred Subject credential |
786 | @param fg Fileglob structure |
787 | @param label Policy label for fg |
788 | |
789 | Determine whether the subject identified by the credential can |
790 | change the offset of the file represented by fg. |
791 | |
792 | @return Return 0 if access if granted, otherwise an appropriate |
793 | value for errno should be returned. |
794 | */ |
795 | typedef int mpo_file_check_change_offset_t( |
796 | kauth_cred_t cred, |
797 | struct fileglob *fg, |
798 | struct label *label |
799 | ); |
800 | /** |
801 | @brief Access control for creating a file descriptor |
802 | @param cred Subject credential |
803 | |
804 | Determine whether the subject identified by the credential can |
805 | allocate a new file descriptor. |
806 | |
807 | @return Return 0 if access if granted, otherwise an appropriate |
808 | value for errno should be returned. |
809 | */ |
810 | typedef int mpo_file_check_create_t( |
811 | kauth_cred_t cred |
812 | ); |
813 | /** |
814 | @brief Access control for duplicating a file descriptor |
815 | @param cred Subject credential |
816 | @param fg Fileglob structure |
817 | @param label Policy label for fg |
818 | @param newfd New file descriptor number |
819 | |
820 | Determine whether the subject identified by the credential can |
821 | duplicate the fileglob structure represented by fg and as file |
822 | descriptor number newfd. |
823 | |
824 | @return Return 0 if access if granted, otherwise an appropriate |
825 | value for errno should be returned. |
826 | */ |
827 | typedef int mpo_file_check_dup_t( |
828 | kauth_cred_t cred, |
829 | struct fileglob *fg, |
830 | struct label *label, |
831 | int newfd |
832 | ); |
833 | /** |
834 | @brief Access control check for fcntl |
835 | @param cred Subject credential |
836 | @param fg Fileglob structure |
837 | @param label Policy label for fg |
838 | @param cmd Control operation to be performed; see fcntl(2) |
839 | @param arg fcnt arguments; see fcntl(2) |
840 | |
841 | Determine whether the subject identified by the credential can perform |
842 | the file control operation indicated by cmd. |
843 | |
844 | @return Return 0 if access is granted, otherwise an appropriate value for |
845 | errno should be returned. |
846 | */ |
847 | typedef int mpo_file_check_fcntl_t( |
848 | kauth_cred_t cred, |
849 | struct fileglob *fg, |
850 | struct label *label, |
851 | int cmd, |
852 | user_long_t arg |
853 | ); |
854 | /** |
855 | @brief Access control check for mac_get_fd |
856 | @param cred Subject credential |
857 | @param fg Fileglob structure |
858 | @param elements Element buffer |
859 | @param len Length of buffer |
860 | |
861 | Determine whether the subject identified by the credential should be allowed |
862 | to get an externalized version of the label on the object indicated by fd. |
863 | |
864 | @return Return 0 if access is granted, otherwise an appropriate value for |
865 | errno should be returned. |
866 | */ |
867 | typedef int mpo_file_check_get_t( |
868 | kauth_cred_t cred, |
869 | struct fileglob *fg, |
870 | char *elements, |
871 | int len |
872 | ); |
873 | /** |
874 | @brief Access control for getting the offset of a file descriptor |
875 | @param cred Subject credential |
876 | @param fg Fileglob structure |
877 | @param label Policy label for fg |
878 | |
879 | Determine whether the subject identified by the credential can |
880 | get the offset of the file represented by fg. |
881 | |
882 | @return Return 0 if access if granted, otherwise an appropriate |
883 | value for errno should be returned. |
884 | */ |
885 | typedef int mpo_file_check_get_offset_t( |
886 | kauth_cred_t cred, |
887 | struct fileglob *fg, |
888 | struct label *label |
889 | ); |
890 | /** |
891 | @brief Access control for inheriting a file descriptor |
892 | @param cred Subject credential |
893 | @param fg Fileglob structure |
894 | @param label Policy label for fg |
895 | |
896 | Determine whether the subject identified by the credential can |
897 | inherit the fileglob structure represented by fg. |
898 | |
899 | @return Return 0 if access if granted, otherwise an appropriate |
900 | value for errno should be returned. |
901 | */ |
902 | typedef int mpo_file_check_inherit_t( |
903 | kauth_cred_t cred, |
904 | struct fileglob *fg, |
905 | struct label *label |
906 | ); |
907 | /** |
908 | @brief Access control check for file ioctl |
909 | @param cred Subject credential |
910 | @param fg Fileglob structure |
911 | @param label Policy label for fg |
912 | @param cmd The ioctl command; see ioctl(2) |
913 | |
914 | Determine whether the subject identified by the credential can perform |
915 | the ioctl operation indicated by cmd. |
916 | |
917 | @warning Since ioctl data is opaque from the standpoint of the MAC |
918 | framework, policies must exercise extreme care when implementing |
919 | access control checks. |
920 | |
921 | @return Return 0 if access is granted, otherwise an appropriate value for |
922 | errno should be returned. |
923 | |
924 | */ |
925 | typedef int mpo_file_check_ioctl_t( |
926 | kauth_cred_t cred, |
927 | struct fileglob *fg, |
928 | struct label *label, |
929 | unsigned int cmd |
930 | ); |
931 | /** |
932 | @brief Access control check for file locking |
933 | @param cred Subject credential |
934 | @param fg Fileglob structure |
935 | @param label Policy label for fg |
936 | @param op The lock operation (F_GETLK, F_SETLK, F_UNLK) |
937 | @param fl The flock structure |
938 | |
939 | Determine whether the subject identified by the credential can perform |
940 | the lock operation indicated by op and fl on the file represented by fg. |
941 | |
942 | @return Return 0 if access is granted, otherwise an appropriate value for |
943 | errno should be returned. |
944 | |
945 | */ |
946 | typedef int mpo_file_check_lock_t( |
947 | kauth_cred_t cred, |
948 | struct fileglob *fg, |
949 | struct label *label, |
950 | int op, |
951 | struct flock *fl |
952 | ); |
953 | /** |
954 | @brief Check with library validation if a macho slice is allowed to be combined into a proc. |
955 | @param p Subject process |
956 | @param fg Fileglob structure |
957 | @param slice_offset offset of the code slice |
958 | @param error_message error message returned to user-space in case of error (userspace pointer) |
959 | @param error_message_size error message size |
960 | |
961 | Its a little odd that the MAC/kext writes into userspace since this |
962 | implies there is only one MAC module that implements this, however |
963 | the alterantive is to allocate memory in xnu, on the hope that |
964 | the MAC module will use it, or allocated in the MAC module and then |
965 | free it in xnu. Either of these are very appeling, so lets go with |
966 | the slightly more hacky way. |
967 | |
968 | @return Return 0 if access is granted, otherwise an appropriate value for |
969 | errno should be returned. |
970 | */ |
971 | typedef int mpo_file_check_library_validation_t( |
972 | struct proc *p, |
973 | struct fileglob *fg, |
974 | off_t slice_offset, |
975 | user_long_t error_message, |
976 | size_t error_message_size |
977 | ); |
978 | /** |
979 | @brief Access control check for mapping a file |
980 | @param cred Subject credential |
981 | @param fg fileglob representing file to map |
982 | @param label Policy label associated with vp |
983 | @param prot mmap protections; see mmap(2) |
984 | @param flags Type of mapped object; see mmap(2) |
985 | @param maxprot Maximum rights |
986 | |
987 | Determine whether the subject identified by the credential should be |
988 | allowed to map the file represented by fg with the protections specified |
989 | in prot. The maxprot field holds the maximum permissions on the new |
990 | mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. |
991 | To avoid overriding prior access control checks, a policy should only |
992 | remove flags from maxprot. |
993 | |
994 | @return Return 0 if access is granted, otherwise an appropriate value for |
995 | errno should be returned. Suggested failure: EACCES for label mismatch or |
996 | EPERM for lack of privilege. |
997 | */ |
998 | typedef int mpo_file_check_mmap_t( |
999 | kauth_cred_t cred, |
1000 | struct fileglob *fg, |
1001 | struct label *label, |
1002 | int prot, |
1003 | int flags, |
1004 | uint64_t file_pos, |
1005 | int *maxprot |
1006 | ); |
1007 | /** |
1008 | @brief Downgrade the mmap protections |
1009 | @param cred Subject credential |
1010 | @param fg file to map |
1011 | @param label Policy label associated with vp |
1012 | @param prot mmap protections to be downgraded |
1013 | |
1014 | Downgrade the mmap protections based on the subject and object labels. |
1015 | */ |
1016 | typedef void mpo_file_check_mmap_downgrade_t( |
1017 | kauth_cred_t cred, |
1018 | struct fileglob *fg, |
1019 | struct label *label, |
1020 | int *prot |
1021 | ); |
1022 | /** |
1023 | @brief Access control for receiving a file descriptor |
1024 | @param cred Subject credential |
1025 | @param fg Fileglob structure |
1026 | @param label Policy label for fg |
1027 | |
1028 | Determine whether the subject identified by the credential can |
1029 | receive the fileglob structure represented by fg. |
1030 | |
1031 | @return Return 0 if access if granted, otherwise an appropriate |
1032 | value for errno should be returned. |
1033 | */ |
1034 | typedef int mpo_file_check_receive_t( |
1035 | kauth_cred_t cred, |
1036 | struct fileglob *fg, |
1037 | struct label *label |
1038 | ); |
1039 | /** |
1040 | @brief Access control check for mac_set_fd |
1041 | @param cred Subject credential |
1042 | @param fg Fileglob structure |
1043 | @param elements Elements buffer |
1044 | @param len Length of elements buffer |
1045 | |
1046 | Determine whether the subject identified by the credential can |
1047 | perform the mac_set_fd operation. The mac_set_fd operation is used |
1048 | to associate a MAC label with a file. |
1049 | |
1050 | @return Return 0 if access is granted, otherwise an appropriate value for |
1051 | errno should be returned. |
1052 | */ |
1053 | typedef int mpo_file_check_set_t( |
1054 | kauth_cred_t cred, |
1055 | struct fileglob *fg, |
1056 | char *elements, |
1057 | int len |
1058 | ); |
1059 | /** |
1060 | @brief Create file label |
1061 | @param cred Subject credential |
1062 | @param fg Fileglob structure |
1063 | @param label Policy label for fg |
1064 | */ |
1065 | typedef void mpo_file_label_associate_t( |
1066 | kauth_cred_t cred, |
1067 | struct fileglob *fg, |
1068 | struct label *label |
1069 | ); |
1070 | /** |
1071 | @brief Destroy file label |
1072 | @param label The label to be destroyed |
1073 | |
1074 | Destroy the label on a file descriptor. In this entry point, a |
1075 | policy module should free any internal storage associated with |
1076 | label so that it may be destroyed. |
1077 | */ |
1078 | typedef void mpo_file_label_destroy_t( |
1079 | struct label *label |
1080 | ); |
1081 | /** |
1082 | @brief Initialize file label |
1083 | @param label New label to initialize |
1084 | */ |
1085 | typedef void mpo_file_label_init_t( |
1086 | struct label *label |
1087 | ); |
1088 | /** |
1089 | @brief Access control check for relabeling network interfaces |
1090 | @param cred Subject credential |
1091 | @param ifp network interface being relabeled |
1092 | @param ifnetlabel Current label of the network interfaces |
1093 | @param newlabel New label to apply to the network interfaces |
1094 | @see mpo_ifnet_label_update_t |
1095 | |
1096 | Determine whether the subject identified by the credential can |
1097 | relabel the network interface represented by ifp to the supplied |
1098 | new label (newlabel). |
1099 | |
1100 | @return Return 0 if access is granted, otherwise an appropriate value for |
1101 | errno should be returned. |
1102 | */ |
1103 | typedef int mpo_ifnet_check_label_update_t( |
1104 | kauth_cred_t cred, |
1105 | struct ifnet *ifp, |
1106 | struct label *ifnetlabel, |
1107 | struct label *newlabel |
1108 | ); |
1109 | /** |
1110 | @brief Access control check for relabeling network interfaces |
1111 | @param ifp Network interface mbuf will be transmitted through |
1112 | @param ifnetlabel Label of the network interfaces |
1113 | @param m The mbuf to be transmitted |
1114 | @param mbuflabel Label of the mbuf to be transmitted |
1115 | @param family Address Family, AF_* |
1116 | @param type Type of socket, SOCK_{STREAM,DGRAM,RAW} |
1117 | |
1118 | Determine whether the mbuf with label mbuflabel may be transmitted |
1119 | through the network interface represented by ifp that has the |
1120 | label ifnetlabel. |
1121 | |
1122 | @return Return 0 if access is granted, otherwise an appropriate value for |
1123 | errno should be returned. |
1124 | */ |
1125 | typedef int mpo_ifnet_check_transmit_t( |
1126 | struct ifnet *ifp, |
1127 | struct label *ifnetlabel, |
1128 | struct mbuf *m, |
1129 | struct label *mbuflabel, |
1130 | int family, |
1131 | int type |
1132 | ); |
1133 | /** |
1134 | @brief Create a network interface label |
1135 | @param ifp Network interface labeled |
1136 | @param ifnetlabel Label for the network interface |
1137 | |
1138 | Set the label of a newly created network interface, most likely |
1139 | using the information in the supplied network interface struct. |
1140 | */ |
1141 | typedef void mpo_ifnet_label_associate_t( |
1142 | struct ifnet *ifp, |
1143 | struct label *ifnetlabel |
1144 | ); |
1145 | /** |
1146 | @brief Copy an ifnet label |
1147 | @param src Source ifnet label |
1148 | @param dest Destination ifnet label |
1149 | |
1150 | Copy the label information from src to dest. |
1151 | */ |
1152 | typedef void mpo_ifnet_label_copy_t( |
1153 | struct label *src, |
1154 | struct label *dest |
1155 | ); |
1156 | /** |
1157 | @brief Destroy ifnet label |
1158 | @param label The label to be destroyed |
1159 | |
1160 | Destroy the label on an ifnet label. In this entry point, a |
1161 | policy module should free any internal storage associated with |
1162 | label so that it may be destroyed. |
1163 | */ |
1164 | typedef void mpo_ifnet_label_destroy_t( |
1165 | struct label *label |
1166 | ); |
1167 | /** |
1168 | @brief Externalize an ifnet label |
1169 | @param label Label to be externalized |
1170 | @param element_name Name of the label namespace for which labels should be |
1171 | externalized |
1172 | @param sb String buffer to be filled with a text representation of the label |
1173 | |
1174 | Produce an external representation of the label on an interface. |
1175 | An externalized label consists of a text representation of the |
1176 | label contents that can be used with user applications. |
1177 | Policy-agnostic user space tools will display this externalized |
1178 | version. |
1179 | |
1180 | @return 0 on success, return non-zero if an error occurs while |
1181 | externalizing the label data. |
1182 | |
1183 | */ |
1184 | typedef int mpo_ifnet_label_externalize_t( |
1185 | struct label *label, |
1186 | char *element_name, |
1187 | struct sbuf *sb |
1188 | ); |
1189 | /** |
1190 | @brief Initialize ifnet label |
1191 | @param label New label to initialize |
1192 | */ |
1193 | typedef void mpo_ifnet_label_init_t( |
1194 | struct label *label |
1195 | ); |
1196 | /** |
1197 | @brief Internalize an interface label |
1198 | @param label Label to be internalized |
1199 | @param element_name Name of the label namespace for which the label should |
1200 | be internalized |
1201 | @param element_data Text data to be internalized |
1202 | |
1203 | Produce an interface label from an external representation. An |
1204 | externalized label consists of a text representation of the label |
1205 | contents that can be used with user applications. Policy-agnostic |
1206 | user space tools will forward text version to the kernel for |
1207 | processing by individual policy modules. |
1208 | |
1209 | The policy's internalize entry points will be called only if the |
1210 | policy has registered interest in the label namespace. |
1211 | |
1212 | @return 0 on success, Otherwise, return non-zero if an error occurs |
1213 | while internalizing the label data. |
1214 | |
1215 | */ |
1216 | typedef int mpo_ifnet_label_internalize_t( |
1217 | struct label *label, |
1218 | char *element_name, |
1219 | char *element_data |
1220 | ); |
1221 | /** |
1222 | @brief Recycle up a network interface label |
1223 | @param label The label to be recycled |
1224 | |
1225 | Recycle a network interface label. Darwin caches the struct ifnet |
1226 | of detached ifnets in a "free pool". Before ifnets are returned |
1227 | to the "free pool", policies can cleanup or overwrite any information |
1228 | present in the label. |
1229 | */ |
1230 | typedef void mpo_ifnet_label_recycle_t( |
1231 | struct label *label |
1232 | ); |
1233 | /** |
1234 | @brief Update a network interface label |
1235 | @param cred Subject credential |
1236 | @param ifp The network interface to be relabeled |
1237 | @param ifnetlabel The current label of the network interface |
1238 | @param newlabel A new label to apply to the network interface |
1239 | @see mpo_ifnet_check_label_update_t |
1240 | |
1241 | Update the label on a network interface, using the supplied new label. |
1242 | */ |
1243 | typedef void mpo_ifnet_label_update_t( |
1244 | kauth_cred_t cred, |
1245 | struct ifnet *ifp, |
1246 | struct label *ifnetlabel, |
1247 | struct label *newlabel |
1248 | ); |
1249 | /** |
1250 | @brief Access control check for delivering a packet to a socket |
1251 | @param inp inpcb the socket is associated with |
1252 | @param inplabel Label of the inpcb |
1253 | @param m The mbuf being received |
1254 | @param mbuflabel Label of the mbuf being received |
1255 | @param family Address family, AF_* |
1256 | @param type Type of socket, SOCK_{STREAM,DGRAM,RAW} |
1257 | |
1258 | Determine whether the mbuf with label mbuflabel may be received |
1259 | by the socket associated with inpcb that has the label inplabel. |
1260 | |
1261 | @return Return 0 if access is granted, otherwise an appropriate value for |
1262 | errno should be returned. |
1263 | */ |
1264 | typedef int mpo_inpcb_check_deliver_t( |
1265 | struct inpcb *inp, |
1266 | struct label *inplabel, |
1267 | struct mbuf *m, |
1268 | struct label *mbuflabel, |
1269 | int family, |
1270 | int type |
1271 | ); |
1272 | /** |
1273 | @brief Create an inpcb label |
1274 | @param so Socket containing the inpcb to be labeled |
1275 | @param solabel Label of the socket |
1276 | @param inp inpcb to be labeled |
1277 | @param inplabel Label for the inpcb |
1278 | |
1279 | Set the label of a newly created inpcb, most likely |
1280 | using the information in the socket and/or socket label. |
1281 | */ |
1282 | typedef void mpo_inpcb_label_associate_t( |
1283 | struct socket *so, |
1284 | struct label *solabel, |
1285 | struct inpcb *inp, |
1286 | struct label *inplabel |
1287 | ); |
1288 | /** |
1289 | @brief Destroy inpcb label |
1290 | @param label The label to be destroyed |
1291 | |
1292 | Destroy the label on an inpcb label. In this entry point, a |
1293 | policy module should free any internal storage associated with |
1294 | label so that it may be destroyed. |
1295 | */ |
1296 | typedef void mpo_inpcb_label_destroy_t( |
1297 | struct label *label |
1298 | ); |
1299 | /** |
1300 | @brief Initialize inpcb label |
1301 | @param label New label to initialize |
1302 | @param flag M_WAITOK or M_NOWAIT |
1303 | */ |
1304 | typedef int mpo_inpcb_label_init_t( |
1305 | struct label *label, |
1306 | int flag |
1307 | ); |
1308 | /** |
1309 | @brief Recycle up an inpcb label |
1310 | @param label The label to be recycled |
1311 | |
1312 | Recycle an inpcb label. Darwin allocates the inpcb as part of |
1313 | the socket structure in some cases. For this case we must recycle |
1314 | rather than destroy the inpcb as it will be reused later. |
1315 | */ |
1316 | typedef void mpo_inpcb_label_recycle_t( |
1317 | struct label *label |
1318 | ); |
1319 | /** |
1320 | @brief Update an inpcb label from a socket label |
1321 | @param so Socket containing the inpcb to be relabeled |
1322 | @param solabel New label of the socket |
1323 | @param inp inpcb to be labeled |
1324 | @param inplabel Label for the inpcb |
1325 | |
1326 | Set the label of a newly created inpcb due to a change in the |
1327 | underlying socket label. |
1328 | */ |
1329 | typedef void mpo_inpcb_label_update_t( |
1330 | struct socket *so, |
1331 | struct label *solabel, |
1332 | struct inpcb *inp, |
1333 | struct label *inplabel |
1334 | ); |
1335 | /** |
1336 | @brief Device hardware access control |
1337 | @param devtype Type of device connected |
1338 | |
1339 | This is the MAC Framework device access control, which is called by the I/O |
1340 | Kit when a new device is connected to the system to determine whether that |
1341 | device should be trusted. A list of properties associated with the device |
1342 | is passed as an XML-formatted string. The routine should examine these |
1343 | properties to determine the trustworthiness of the device. A return value |
1344 | of EPERM forces the device to be claimed by a special device driver that |
1345 | will prevent its operation. |
1346 | |
1347 | @warning This is an experimental interface and may change in the future. |
1348 | |
1349 | @return Return EPERM to indicate that the device is untrusted and should |
1350 | not be allowed to operate. Return zero to indicate that the device is |
1351 | trusted and should be allowed to operate normally. |
1352 | |
1353 | */ |
1354 | typedef int mpo_iokit_check_device_t( |
1355 | char *devtype, |
1356 | struct mac_module_data *mdata |
1357 | ); |
1358 | /** |
1359 | @brief Access control check for opening an I/O Kit device |
1360 | @param cred Subject credential |
1361 | @param user_client User client instance |
1362 | @param user_client_type User client type |
1363 | |
1364 | Determine whether the subject identified by the credential can open an |
1365 | I/O Kit device at the passed path of the passed user client class and |
1366 | type. |
1367 | |
1368 | @return Return 0 if access is granted, or an appropriate value for |
1369 | errno should be returned. |
1370 | */ |
1371 | typedef int mpo_iokit_check_open_t( |
1372 | kauth_cred_t cred, |
1373 | io_object_t user_client, |
1374 | unsigned int user_client_type |
1375 | ); |
1376 | /** |
1377 | @brief Access control check for setting I/O Kit device properties |
1378 | @param cred Subject credential |
1379 | @param entry Target device |
1380 | @param properties Property list |
1381 | |
1382 | Determine whether the subject identified by the credential can set |
1383 | properties on an I/O Kit device. |
1384 | |
1385 | @return Return 0 if access is granted, or an appropriate value for |
1386 | errno should be returned. |
1387 | */ |
1388 | typedef int mpo_iokit_check_set_properties_t( |
1389 | kauth_cred_t cred, |
1390 | io_object_t entry, |
1391 | io_object_t properties |
1392 | ); |
1393 | /** |
1394 | @brief Indicate desire to filter I/O Kit devices properties |
1395 | @param cred Subject credential |
1396 | @param entry Target device |
1397 | @see mpo_iokit_check_get_property_t |
1398 | |
1399 | Indicate whether this policy may restrict the subject credential |
1400 | from reading properties of the target device. |
1401 | If a policy returns success from this entry point, the |
1402 | mpo_iokit_check_get_property entry point will later be called |
1403 | for each property that the subject credential tries to read from |
1404 | the target device. |
1405 | |
1406 | This entry point is primarilly to optimize bulk property reads |
1407 | by skipping calls to the mpo_iokit_check_get_property entry point |
1408 | for credentials / devices no MAC policy is interested in. |
1409 | |
1410 | @warning Even if a policy returns 0, it should behave correctly in |
1411 | the presence of an invocation of mpo_iokit_check_get_property, as that |
1412 | call may happen as a result of another policy requesting a transition. |
1413 | |
1414 | @return Non-zero if a transition is required, 0 otherwise. |
1415 | */ |
1416 | typedef int mpo_iokit_check_filter_properties_t( |
1417 | kauth_cred_t cred, |
1418 | io_object_t entry |
1419 | ); |
1420 | /** |
1421 | @brief Access control check for getting I/O Kit device properties |
1422 | @param cred Subject credential |
1423 | @param entry Target device |
1424 | @param name Property name |
1425 | |
1426 | Determine whether the subject identified by the credential can get |
1427 | properties on an I/O Kit device. |
1428 | |
1429 | @return Return 0 if access is granted, or an appropriate value for |
1430 | errno. |
1431 | */ |
1432 | typedef int mpo_iokit_check_get_property_t( |
1433 | kauth_cred_t cred, |
1434 | io_object_t entry, |
1435 | const char *name |
1436 | ); |
1437 | /** |
1438 | @brief Access control check for software HID control |
1439 | @param cred Subject credential |
1440 | |
1441 | Determine whether the subject identified by the credential can |
1442 | control the HID (Human Interface Device) subsystem, such as to |
1443 | post synthetic keypresses, pointer movement and clicks. |
1444 | |
1445 | @return Return 0 if access is granted, or an appropriate value for |
1446 | errno. |
1447 | */ |
1448 | typedef int mpo_iokit_check_hid_control_t( |
1449 | kauth_cred_t cred |
1450 | ); |
1451 | /** |
1452 | @brief Create an IP reassembly queue label |
1453 | @param fragment First received IP fragment |
1454 | @param fragmentlabel Policy label for fragment |
1455 | @param ipq IP reassembly queue to be labeled |
1456 | @param ipqlabel Policy label to be filled in for ipq |
1457 | |
1458 | Set the label on a newly created IP reassembly queue from |
1459 | the mbuf header of the first received fragment. |
1460 | */ |
1461 | typedef void mpo_ipq_label_associate_t( |
1462 | struct mbuf *fragment, |
1463 | struct label *fragmentlabel, |
1464 | struct ipq *ipq, |
1465 | struct label *ipqlabel |
1466 | ); |
1467 | /** |
1468 | @brief Compare an mbuf header label to an ipq label |
1469 | @param fragment IP datagram fragment |
1470 | @param fragmentlabel Policy label for fragment |
1471 | @param ipq IP fragment reassembly queue |
1472 | @param ipqlabel Policy label for ipq |
1473 | |
1474 | Compare the label of the mbuf header containing an IP datagram |
1475 | (fragment) fragment with the label of the passed IP fragment |
1476 | reassembly queue (ipq). Return (1) for a successful match, or (0) |
1477 | for no match. This call is made when the IP stack attempts to |
1478 | find an existing fragment reassembly queue for a newly received |
1479 | fragment; if this fails, a new fragment reassembly queue may be |
1480 | instantiated for the fragment. Policies may use this entry point |
1481 | to prevent the reassembly of otherwise matching IP fragments if |
1482 | policy does not permit them to be reassembled based on the label |
1483 | or other information. |
1484 | */ |
1485 | typedef int mpo_ipq_label_compare_t( |
1486 | struct mbuf *fragment, |
1487 | struct label *fragmentlabel, |
1488 | struct ipq *ipq, |
1489 | struct label *ipqlabel |
1490 | ); |
1491 | /** |
1492 | @brief Destroy IP reassembly queue label |
1493 | @param label The label to be destroyed |
1494 | |
1495 | Destroy the label on an IP fragment queue. In this entry point, a |
1496 | policy module should free any internal storage associated with |
1497 | label so that it may be destroyed. |
1498 | */ |
1499 | typedef void mpo_ipq_label_destroy_t( |
1500 | struct label *label |
1501 | ); |
1502 | /** |
1503 | @brief Initialize IP reassembly queue label |
1504 | @param label New label to initialize |
1505 | @param flag M_WAITOK or M_NOWAIT |
1506 | |
1507 | Initialize the label on a newly instantiated IP fragment reassembly |
1508 | queue. The flag field may be one of M_WAITOK and M_NOWAIT, and |
1509 | should be employed to avoid performing a sleeping malloc(9) during |
1510 | this initialization call. IP fragment reassembly queue allocation |
1511 | frequently occurs in performance sensitive environments, and the |
1512 | implementation should be careful to avoid sleeping or long-lived |
1513 | operations. This entry point is permitted to fail resulting in |
1514 | the failure to allocate the IP fragment reassembly queue. |
1515 | */ |
1516 | typedef int mpo_ipq_label_init_t( |
1517 | struct label *label, |
1518 | int flag |
1519 | ); |
1520 | /** |
1521 | @brief Update the label on an IP fragment reassembly queue |
1522 | @param fragment IP fragment |
1523 | @param fragmentlabel Policy label for fragment |
1524 | @param ipq IP fragment reassembly queue |
1525 | @param ipqlabel Policy label to be updated for ipq |
1526 | |
1527 | Update the label on an IP fragment reassembly queue (ipq) based |
1528 | on the acceptance of the passed IP fragment mbuf header (fragment). |
1529 | */ |
1530 | typedef void mpo_ipq_label_update_t( |
1531 | struct mbuf *fragment, |
1532 | struct label *fragmentlabel, |
1533 | struct ipq *ipq, |
1534 | struct label *ipqlabel |
1535 | ); |
1536 | /** |
1537 | @brief Assign a label to a new mbuf |
1538 | @param bpf_d BPF descriptor |
1539 | @param b_label Policy label for bpf_d |
1540 | @param m Object; mbuf |
1541 | @param m_label Policy label to fill in for m |
1542 | |
1543 | Set the label on the mbuf header of a newly created datagram |
1544 | generated using the passed BPF descriptor. This call is made when |
1545 | a write is performed to the BPF device associated with the passed |
1546 | BPF descriptor. |
1547 | */ |
1548 | typedef void mpo_mbuf_label_associate_bpfdesc_t( |
1549 | struct bpf_d *bpf_d, |
1550 | struct label *b_label, |
1551 | struct mbuf *m, |
1552 | struct label *m_label |
1553 | ); |
1554 | /** |
1555 | @brief Assign a label to a new mbuf |
1556 | @param ifp Interface descriptor |
1557 | @param i_label Existing label of ifp |
1558 | @param m Object; mbuf |
1559 | @param m_label Policy label to fill in for m |
1560 | |
1561 | Label an mbuf based on the interface from which it was received. |
1562 | */ |
1563 | typedef void mpo_mbuf_label_associate_ifnet_t( |
1564 | struct ifnet *ifp, |
1565 | struct label *i_label, |
1566 | struct mbuf *m, |
1567 | struct label *m_label |
1568 | ); |
1569 | /** |
1570 | @brief Assign a label to a new mbuf |
1571 | @param inp inpcb structure |
1572 | @param i_label Existing label of inp |
1573 | @param m Object; mbuf |
1574 | @param m_label Policy label to fill in for m |
1575 | |
1576 | Label an mbuf based on the inpcb from which it was derived. |
1577 | */ |
1578 | typedef void mpo_mbuf_label_associate_inpcb_t( |
1579 | struct inpcb *inp, |
1580 | struct label *i_label, |
1581 | struct mbuf *m, |
1582 | struct label *m_label |
1583 | ); |
1584 | /** |
1585 | @brief Set the label on a newly reassembled IP datagram |
1586 | @param ipq IP fragment reassembly queue |
1587 | @param ipqlabel Policy label for ipq |
1588 | @param mbuf IP datagram to be labeled |
1589 | @param mbuflabel Policy label to be filled in for mbuf |
1590 | |
1591 | Set the label on a newly reassembled IP datagram (mbuf) from the IP |
1592 | fragment reassembly queue (ipq) from which it was generated. |
1593 | */ |
1594 | typedef void mpo_mbuf_label_associate_ipq_t( |
1595 | struct ipq *ipq, |
1596 | struct label *ipqlabel, |
1597 | struct mbuf *mbuf, |
1598 | struct label *mbuflabel |
1599 | ); |
1600 | /** |
1601 | @brief Assign a label to a new mbuf |
1602 | @param ifp Subject; network interface |
1603 | @param i_label Existing label of ifp |
1604 | @param m Object; mbuf |
1605 | @param m_label Policy label to fill in for m |
1606 | |
1607 | Set the label on the mbuf header of a newly created datagram |
1608 | generated for the purposes of a link layer response for the passed |
1609 | interface. This call may be made in a number of situations, including |
1610 | for ARP or ND6 responses in the IPv4 and IPv6 stacks. |
1611 | */ |
1612 | typedef void mpo_mbuf_label_associate_linklayer_t( |
1613 | struct ifnet *ifp, |
1614 | struct label *i_label, |
1615 | struct mbuf *m, |
1616 | struct label *m_label |
1617 | ); |
1618 | /** |
1619 | @brief Assign a label to a new mbuf |
1620 | @param oldmbuf mbuf headerder for existing datagram for existing datagram |
1621 | @param oldmbuflabel Policy label for oldmbuf |
1622 | @param ifp Network interface |
1623 | @param ifplabel Policy label for ifp |
1624 | @param newmbuf mbuf header to be labeled for new datagram |
1625 | @param newmbuflabel Policy label for newmbuf |
1626 | |
1627 | Set the label on the mbuf header of a newly created datagram |
1628 | generated from the existing passed datagram when it is processed |
1629 | by the passed multicast encapsulation interface. This call is made |
1630 | when an mbuf is to be delivered using the virtual interface. |
1631 | */ |
1632 | typedef void mpo_mbuf_label_associate_multicast_encap_t( |
1633 | struct mbuf *oldmbuf, |
1634 | struct label *oldmbuflabel, |
1635 | struct ifnet *ifp, |
1636 | struct label *ifplabel, |
1637 | struct mbuf *newmbuf, |
1638 | struct label *newmbuflabel |
1639 | ); |
1640 | /** |
1641 | @brief Assign a label to a new mbuf |
1642 | @param oldmbuf Received datagram |
1643 | @param oldmbuflabel Policy label for oldmbuf |
1644 | @param newmbuf Newly created datagram |
1645 | @param newmbuflabel Policy label for newmbuf |
1646 | |
1647 | Set the label on the mbuf header of a newly created datagram generated |
1648 | by the IP stack in response to an existing received datagram (oldmbuf). |
1649 | This call may be made in a number of situations, including when responding |
1650 | to ICMP request datagrams. |
1651 | */ |
1652 | typedef void mpo_mbuf_label_associate_netlayer_t( |
1653 | struct mbuf *oldmbuf, |
1654 | struct label *oldmbuflabel, |
1655 | struct mbuf *newmbuf, |
1656 | struct label *newmbuflabel |
1657 | ); |
1658 | /** |
1659 | @brief Assign a label to a new mbuf |
1660 | @param so Socket to label |
1661 | @param so_label Policy label for socket |
1662 | @param m Object; mbuf |
1663 | @param m_label Policy label to fill in for m |
1664 | |
1665 | An mbuf structure is used to store network traffic in transit. |
1666 | When an application sends data to a socket or a pipe, it is wrapped |
1667 | in an mbuf first. This function sets the label on a newly created mbuf header |
1668 | based on the socket sending the data. The contents of the label should be |
1669 | suitable for performing an access check on the receiving side of the |
1670 | communication. |
1671 | |
1672 | Only labeled MBUFs will be presented to the policy via this entrypoint. |
1673 | */ |
1674 | typedef void mpo_mbuf_label_associate_socket_t( |
1675 | socket_t so, |
1676 | struct label *so_label, |
1677 | struct mbuf *m, |
1678 | struct label *m_label |
1679 | ); |
1680 | /** |
1681 | @brief Copy a mbuf label |
1682 | @param src Source label |
1683 | @param dest Destination label |
1684 | |
1685 | Copy the mbuf label information in src into dest. |
1686 | |
1687 | Only called when both source and destination mbufs have labels. |
1688 | */ |
1689 | typedef void mpo_mbuf_label_copy_t( |
1690 | struct label *src, |
1691 | struct label *dest |
1692 | ); |
1693 | /** |
1694 | @brief Destroy mbuf label |
1695 | @param label The label to be destroyed |
1696 | |
1697 | Destroy a mbuf label. Since the |
1698 | object is going out of scope, policy modules should free any |
1699 | internal storage associated with the label so that it may be |
1700 | destroyed. |
1701 | */ |
1702 | typedef void mpo_mbuf_label_destroy_t( |
1703 | struct label *label |
1704 | ); |
1705 | /** |
1706 | @brief Initialize mbuf label |
1707 | @param label New label to initialize |
1708 | @param flag Malloc flags |
1709 | |
1710 | Initialize the label for a newly instantiated mbuf. |
1711 | |
1712 | @warning Since it is possible for the flags to be set to |
1713 | M_NOWAIT, the malloc operation may fail. |
1714 | |
1715 | @return On success, 0, otherwise, an appropriate errno return value. |
1716 | */ |
1717 | typedef int mpo_mbuf_label_init_t( |
1718 | struct label *label, |
1719 | int flag |
1720 | ); |
1721 | /** |
1722 | @brief Access control check for fsctl |
1723 | @param cred Subject credential |
1724 | @param mp The mount point |
1725 | @param label Label associated with the mount point |
1726 | @param cmd Filesystem-dependent request code; see fsctl(2) |
1727 | |
1728 | Determine whether the subject identified by the credential can perform |
1729 | the volume operation indicated by com. |
1730 | |
1731 | @warning The fsctl() system call is directly analogous to ioctl(); since |
1732 | the associated data is opaque from the standpoint of the MAC framework |
1733 | and since these operations can affect many aspects of system operation, |
1734 | policies must exercise extreme care when implementing access control checks. |
1735 | |
1736 | @return Return 0 if access is granted, otherwise an appropriate value for |
1737 | errno should be returned. |
1738 | */ |
1739 | typedef int mpo_mount_check_fsctl_t( |
1740 | kauth_cred_t cred, |
1741 | struct mount *mp, |
1742 | struct label *label, |
1743 | unsigned int cmd |
1744 | ); |
1745 | /** |
1746 | @brief Access control check for the retrieval of file system attributes |
1747 | @param cred Subject credential |
1748 | @param mp The mount structure of the file system |
1749 | @param vfa The attributes requested |
1750 | |
1751 | This entry point determines whether given subject can get information |
1752 | about the given file system. This check happens during statfs() syscalls, |
1753 | but is also used by other parts within the kernel such as the audit system. |
1754 | |
1755 | @return Return 0 if access is granted, otherwise an appropriate value for |
1756 | errno should be returned. |
1757 | |
1758 | @note Policies may change the contents of vfa to alter the list of |
1759 | file system attributes returned. |
1760 | */ |
1761 | |
1762 | typedef int mpo_mount_check_getattr_t( |
1763 | kauth_cred_t cred, |
1764 | struct mount *mp, |
1765 | struct label *mp_label, |
1766 | struct vfs_attr *vfa |
1767 | ); |
1768 | /** |
1769 | @brief Access control check for mount point relabeling |
1770 | @param cred Subject credential |
1771 | @param mp Object file system mount point |
1772 | @param mntlabel Policy label for fle system mount point |
1773 | |
1774 | Determine whether the subject identified by the credential can relabel |
1775 | the mount point. This call is made when a file system mount is updated. |
1776 | |
1777 | @return Return 0 if access is granted, otherwise an appropriate value for |
1778 | errno should be returned. Suggested failure: EACCES for label mismatch |
1779 | or EPERM for lack of privilege. |
1780 | */ |
1781 | typedef int mpo_mount_check_label_update_t( |
1782 | kauth_cred_t cred, |
1783 | struct mount *mp, |
1784 | struct label *mntlabel |
1785 | ); |
1786 | /** |
1787 | @brief Access control check for mounting a file system |
1788 | @param cred Subject credential |
1789 | @param vp Vnode that is to be the mount point |
1790 | @param vlabel Label associated with the vnode |
1791 | @param cnp Component name for vp |
1792 | @param vfc_name Filesystem type name |
1793 | |
1794 | Determine whether the subject identified by the credential can perform |
1795 | the mount operation on the target vnode. |
1796 | |
1797 | @return Return 0 if access is granted, otherwise an appropriate value for |
1798 | errno should be returned. |
1799 | */ |
1800 | typedef int mpo_mount_check_mount_t( |
1801 | kauth_cred_t cred, |
1802 | struct vnode *vp, |
1803 | struct label *vlabel, |
1804 | struct componentname *cnp, |
1805 | const char *vfc_name |
1806 | ); |
1807 | /** |
1808 | @brief Access control check for fs_snapshot_create |
1809 | @param cred Subject credential |
1810 | @mp Filesystem mount point to create snapshot of |
1811 | @name Name of snapshot to create |
1812 | |
1813 | Determine whether the subject identified by the credential can |
1814 | create a snapshot of the filesystem at the given mount point. |
1815 | |
1816 | @return Return 0 if access is granted, otherwise an appropriate value |
1817 | for errno should be returned. |
1818 | */ |
1819 | typedef int mpo_mount_check_snapshot_create_t( |
1820 | kauth_cred_t cred, |
1821 | struct mount *mp, |
1822 | const char *name |
1823 | ); |
1824 | /** |
1825 | @brief Access control check for fs_snapshot_delete |
1826 | @param cred Subject credential |
1827 | @mp Filesystem mount point to delete snapshot of |
1828 | @name Name of snapshot to delete |
1829 | |
1830 | Determine whether the subject identified by the credential can |
1831 | delete the named snapshot from the filesystem at the given |
1832 | mount point. |
1833 | |
1834 | @return Return 0 if access is granted, otherwise an appropriate value |
1835 | for errno should be returned. |
1836 | */ |
1837 | typedef int mpo_mount_check_snapshot_delete_t( |
1838 | kauth_cred_t cred, |
1839 | struct mount *mp, |
1840 | const char *name |
1841 | ); |
1842 | /** |
1843 | @brief Access control check for fs_snapshot_revert |
1844 | @param cred Subject credential |
1845 | @mp Filesystem mount point to revert to snapshot |
1846 | @name Name of snapshot to revert to |
1847 | |
1848 | Determine whether the subject identified by the credential can |
1849 | revert the filesystem at the given mount point to the named snapshot. |
1850 | |
1851 | @return Return 0 if access is granted, otherwise an appropriate value |
1852 | for errno should be returned. |
1853 | */ |
1854 | typedef int mpo_mount_check_snapshot_revert_t( |
1855 | kauth_cred_t cred, |
1856 | struct mount *mp, |
1857 | const char *name |
1858 | ); |
1859 | /** |
1860 | @brief Access control check remounting a filesystem |
1861 | @param cred Subject credential |
1862 | @param mp The mount point |
1863 | @param mlabel Label currently associated with the mount point |
1864 | |
1865 | Determine whether the subject identified by the credential can perform |
1866 | the remount operation on the target vnode. |
1867 | |
1868 | @return Return 0 if access is granted, otherwise an appropriate value for |
1869 | errno should be returned. |
1870 | */ |
1871 | typedef int mpo_mount_check_remount_t( |
1872 | kauth_cred_t cred, |
1873 | struct mount *mp, |
1874 | struct label *mlabel |
1875 | ); |
1876 | /** |
1877 | @brief Access control check for the settting of file system attributes |
1878 | @param cred Subject credential |
1879 | @param mp The mount structure of the file system |
1880 | @param vfa The attributes requested |
1881 | |
1882 | This entry point determines whether given subject can set information |
1883 | about the given file system, for example the volume name. |
1884 | |
1885 | @return Return 0 if access is granted, otherwise an appropriate value for |
1886 | errno should be returned. |
1887 | */ |
1888 | |
1889 | typedef int mpo_mount_check_setattr_t( |
1890 | kauth_cred_t cred, |
1891 | struct mount *mp, |
1892 | struct label *mp_label, |
1893 | struct vfs_attr *vfa |
1894 | ); |
1895 | /** |
1896 | @brief Access control check for file system statistics |
1897 | @param cred Subject credential |
1898 | @param mp Object file system mount |
1899 | @param mntlabel Policy label for mp |
1900 | |
1901 | Determine whether the subject identified by the credential can see |
1902 | the results of a statfs performed on the file system. This call may |
1903 | be made in a number of situations, including during invocations of |
1904 | statfs(2) and related calls, as well as to determine what file systems |
1905 | to exclude from listings of file systems, such as when getfsstat(2) |
1906 | is invoked. |
1907 | |
1908 | @return Return 0 if access is granted, otherwise an appropriate value for |
1909 | errno should be returned. Suggested failure: EACCES for label mismatch |
1910 | or EPERM for lack of privilege. |
1911 | */ |
1912 | typedef int mpo_mount_check_stat_t( |
1913 | kauth_cred_t cred, |
1914 | struct mount *mp, |
1915 | struct label *mntlabel |
1916 | ); |
1917 | /** |
1918 | @brief Access control check for unmounting a filesystem |
1919 | @param cred Subject credential |
1920 | @param mp The mount point |
1921 | @param mlabel Label associated with the mount point |
1922 | |
1923 | Determine whether the subject identified by the credential can perform |
1924 | the unmount operation on the target vnode. |
1925 | |
1926 | @return Return 0 if access is granted, otherwise an appropriate value for |
1927 | errno should be returned. |
1928 | */ |
1929 | typedef int mpo_mount_check_umount_t( |
1930 | kauth_cred_t cred, |
1931 | struct mount *mp, |
1932 | struct label *mlabel |
1933 | ); |
1934 | /** |
1935 | @brief Create mount labels |
1936 | @param cred Subject credential |
1937 | @param mp Mount point of file system being mounted |
1938 | @param mntlabel Label to associate with the new mount point |
1939 | @see mpo_mount_label_init_t |
1940 | |
1941 | Fill out the labels on the mount point being created by the supplied |
1942 | user credential. This call is made when file systems are first mounted. |
1943 | */ |
1944 | typedef void mpo_mount_label_associate_t( |
1945 | kauth_cred_t cred, |
1946 | struct mount *mp, |
1947 | struct label *mntlabel |
1948 | ); |
1949 | /** |
1950 | @brief Destroy mount label |
1951 | @param label The label to be destroyed |
1952 | |
1953 | Destroy a file system mount label. Since the |
1954 | object is going out of scope, policy modules should free any |
1955 | internal storage associated with the label so that it may be |
1956 | destroyed. |
1957 | */ |
1958 | typedef void mpo_mount_label_destroy_t( |
1959 | struct label *label |
1960 | ); |
1961 | /** |
1962 | @brief Externalize a mount point label |
1963 | @param label Label to be externalized |
1964 | @param element_name Name of the label namespace for which labels should be |
1965 | externalized |
1966 | @param sb String buffer to be filled with a text representation of the label |
1967 | |
1968 | Produce an external representation of the mount point label. An |
1969 | externalized label consists of a text representation of the label |
1970 | contents that can be used with user applications. Policy-agnostic |
1971 | user space tools will display this externalized version. |
1972 | |
1973 | The policy's externalize entry points will be called only if the |
1974 | policy has registered interest in the label namespace. |
1975 | |
1976 | @return 0 on success, return non-zero if an error occurs while |
1977 | externalizing the label data. |
1978 | |
1979 | */ |
1980 | typedef int mpo_mount_label_externalize_t( |
1981 | struct label *label, |
1982 | char *element_name, |
1983 | struct sbuf *sb |
1984 | ); |
1985 | /** |
1986 | @brief Initialize mount point label |
1987 | @param label New label to initialize |
1988 | |
1989 | Initialize the label for a newly instantiated mount structure. |
1990 | This label is typically used to store a default label in the case |
1991 | that the file system has been mounted singlelabel. Since some |
1992 | file systems do not support persistent labels (extended attributes) |
1993 | or are read-only (such as CD-ROMs), it is often necessary to store |
1994 | a default label separately from the label of the mount point |
1995 | itself. Sleeping is permitted. |
1996 | */ |
1997 | typedef void mpo_mount_label_init_t( |
1998 | struct label *label |
1999 | ); |
2000 | /** |
2001 | @brief Internalize a mount point label |
2002 | @param label Label to be internalized |
2003 | @param element_name Name of the label namespace for which the label should |
2004 | be internalized |
2005 | @param element_data Text data to be internalized |
2006 | |
2007 | Produce a mount point file system label from an external representation. |
2008 | An externalized label consists of a text representation of the label |
2009 | contents that can be used with user applications. Policy-agnostic |
2010 | user space tools will forward text version to the kernel for |
2011 | processing by individual policy modules. |
2012 | |
2013 | The policy's internalize entry points will be called only if the |
2014 | policy has registered interest in the label namespace. |
2015 | |
2016 | @return 0 on success, Otherwise, return non-zero if an error occurs |
2017 | while internalizing the label data. |
2018 | |
2019 | */ |
2020 | typedef int mpo_mount_label_internalize_t( |
2021 | struct label *label, |
2022 | char *element_name, |
2023 | char *element_data |
2024 | ); |
2025 | /** |
2026 | @brief Set the label on an IPv4 datagram fragment |
2027 | @param datagram Datagram being fragmented |
2028 | @param datagramlabel Policy label for datagram |
2029 | @param fragment New fragment |
2030 | @param fragmentlabel Policy label for fragment |
2031 | |
2032 | Called when an IPv4 datagram is fragmented into several smaller datagrams. |
2033 | Policies implementing mbuf labels will typically copy the label from the |
2034 | source datagram to the new fragment. |
2035 | */ |
2036 | typedef void mpo_netinet_fragment_t( |
2037 | struct mbuf *datagram, |
2038 | struct label *datagramlabel, |
2039 | struct mbuf *fragment, |
2040 | struct label *fragmentlabel |
2041 | ); |
2042 | /** |
2043 | @brief Set the label on an ICMP reply |
2044 | @param m mbuf containing the ICMP reply |
2045 | @param mlabel Policy label for m |
2046 | |
2047 | A policy may wish to update the label of an mbuf that refers to |
2048 | an ICMP packet being sent in response to an IP packet. This may |
2049 | be called in response to a bad packet or an ICMP request. |
2050 | */ |
2051 | typedef void mpo_netinet_icmp_reply_t( |
2052 | struct mbuf *m, |
2053 | struct label *mlabel |
2054 | ); |
2055 | /** |
2056 | @brief Set the label on a TCP reply |
2057 | @param m mbuf containing the TCP reply |
2058 | @param mlabel Policy label for m |
2059 | |
2060 | Called for outgoing TCP packets not associated with an actual socket. |
2061 | */ |
2062 | typedef void mpo_netinet_tcp_reply_t( |
2063 | struct mbuf *m, |
2064 | struct label *mlabel |
2065 | ); |
2066 | /** |
2067 | @brief Access control check for pipe ioctl |
2068 | @param cred Subject credential |
2069 | @param cpipe Object to be accessed |
2070 | @param pipelabel The label on the pipe |
2071 | @param cmd The ioctl command; see ioctl(2) |
2072 | |
2073 | Determine whether the subject identified by the credential can perform |
2074 | the ioctl operation indicated by cmd. |
2075 | |
2076 | @warning Since ioctl data is opaque from the standpoint of the MAC |
2077 | framework, policies must exercise extreme care when implementing |
2078 | access control checks. |
2079 | |
2080 | @return Return 0 if access is granted, otherwise an appropriate value for |
2081 | errno should be returned. |
2082 | |
2083 | */ |
2084 | typedef int mpo_pipe_check_ioctl_t( |
2085 | kauth_cred_t cred, |
2086 | struct pipe *cpipe, |
2087 | struct label *pipelabel, |
2088 | unsigned int cmd |
2089 | ); |
2090 | /** |
2091 | @brief Access control check for pipe kqfilter |
2092 | @param cred Subject credential |
2093 | @param kn Object knote |
2094 | @param cpipe Object to be accessed |
2095 | @param pipelabel Policy label for the pipe |
2096 | |
2097 | Determine whether the subject identified by the credential can |
2098 | receive the knote on the passed pipe. |
2099 | |
2100 | @return Return 0 if access if granted, otherwise an appropriate |
2101 | value for errno should be returned. |
2102 | */ |
2103 | typedef int mpo_pipe_check_kqfilter_t( |
2104 | kauth_cred_t cred, |
2105 | struct knote *kn, |
2106 | struct pipe *cpipe, |
2107 | struct label *pipelabel |
2108 | ); |
2109 | /** |
2110 | @brief Access control check for pipe relabel |
2111 | @param cred Subject credential |
2112 | @param cpipe Object to be accessed |
2113 | @param pipelabel The current label on the pipe |
2114 | @param newlabel The new label to be used |
2115 | |
2116 | Determine whether the subject identified by the credential can |
2117 | perform a relabel operation on the passed pipe. The cred object holds |
2118 | the credentials of the subject performing the operation. |
2119 | |
2120 | @return Return 0 if access is granted, otherwise an appropriate value for |
2121 | errno should be returned. |
2122 | |
2123 | */ |
2124 | typedef int mpo_pipe_check_label_update_t( |
2125 | kauth_cred_t cred, |
2126 | struct pipe *cpipe, |
2127 | struct label *pipelabel, |
2128 | struct label *newlabel |
2129 | ); |
2130 | /** |
2131 | @brief Access control check for pipe read |
2132 | @param cred Subject credential |
2133 | @param cpipe Object to be accessed |
2134 | @param pipelabel The label on the pipe |
2135 | |
2136 | Determine whether the subject identified by the credential can |
2137 | perform a read operation on the passed pipe. The cred object holds |
2138 | the credentials of the subject performing the operation. |
2139 | |
2140 | @return Return 0 if access is granted, otherwise an appropriate value for |
2141 | errno should be returned. |
2142 | |
2143 | */ |
2144 | typedef int mpo_pipe_check_read_t( |
2145 | kauth_cred_t cred, |
2146 | struct pipe *cpipe, |
2147 | struct label *pipelabel |
2148 | ); |
2149 | /** |
2150 | @brief Access control check for pipe select |
2151 | @param cred Subject credential |
2152 | @param cpipe Object to be accessed |
2153 | @param pipelabel The label on the pipe |
2154 | @param which The operation selected on: FREAD or FWRITE |
2155 | |
2156 | Determine whether the subject identified by the credential can |
2157 | perform a select operation on the passed pipe. The cred object holds |
2158 | the credentials of the subject performing the operation. |
2159 | |
2160 | @return Return 0 if access is granted, otherwise an appropriate value for |
2161 | errno should be returned. |
2162 | |
2163 | */ |
2164 | typedef int mpo_pipe_check_select_t( |
2165 | kauth_cred_t cred, |
2166 | struct pipe *cpipe, |
2167 | struct label *pipelabel, |
2168 | int which |
2169 | ); |
2170 | /** |
2171 | @brief Access control check for pipe stat |
2172 | @param cred Subject credential |
2173 | @param cpipe Object to be accessed |
2174 | @param pipelabel The label on the pipe |
2175 | |
2176 | Determine whether the subject identified by the credential can |
2177 | perform a stat operation on the passed pipe. The cred object holds |
2178 | the credentials of the subject performing the operation. |
2179 | |
2180 | @return Return 0 if access is granted, otherwise an appropriate value for |
2181 | errno should be returned. |
2182 | |
2183 | */ |
2184 | typedef int mpo_pipe_check_stat_t( |
2185 | kauth_cred_t cred, |
2186 | struct pipe *cpipe, |
2187 | struct label *pipelabel |
2188 | ); |
2189 | /** |
2190 | @brief Access control check for pipe write |
2191 | @param cred Subject credential |
2192 | @param cpipe Object to be accessed |
2193 | @param pipelabel The label on the pipe |
2194 | |
2195 | Determine whether the subject identified by the credential can |
2196 | perform a write operation on the passed pipe. The cred object holds |
2197 | the credentials of the subject performing the operation. |
2198 | |
2199 | @return Return 0 if access is granted, otherwise an appropriate value for |
2200 | errno should be returned. |
2201 | |
2202 | */ |
2203 | typedef int mpo_pipe_check_write_t( |
2204 | kauth_cred_t cred, |
2205 | struct pipe *cpipe, |
2206 | struct label *pipelabel |
2207 | ); |
2208 | /** |
2209 | @brief Create a pipe label |
2210 | @param cred Subject credential |
2211 | @param cpipe object to be labeled |
2212 | @param pipelabel Label for the pipe object |
2213 | |
2214 | Create a label for the pipe object being created by the supplied |
2215 | user credential. This call is made when the pipe is being created |
2216 | XXXPIPE(for one or both sides of the pipe?). |
2217 | |
2218 | */ |
2219 | typedef void mpo_pipe_label_associate_t( |
2220 | kauth_cred_t cred, |
2221 | struct pipe *cpipe, |
2222 | struct label *pipelabel |
2223 | ); |
2224 | /** |
2225 | @brief Copy a pipe label |
2226 | @param src Source pipe label |
2227 | @param dest Destination pipe label |
2228 | |
2229 | Copy the pipe label associated with src to dest. |
2230 | XXXPIPE Describe when this is used: most likely during pipe creation to |
2231 | copy from rpipe to wpipe. |
2232 | */ |
2233 | typedef void mpo_pipe_label_copy_t( |
2234 | struct label *src, |
2235 | struct label *dest |
2236 | ); |
2237 | /** |
2238 | @brief Destroy pipe label |
2239 | @param label The label to be destroyed |
2240 | |
2241 | Destroy a pipe label. Since the object is going out of scope, |
2242 | policy modules should free any internal storage associated with the |
2243 | label so that it may be destroyed. |
2244 | */ |
2245 | typedef void mpo_pipe_label_destroy_t( |
2246 | struct label *label |
2247 | ); |
2248 | /** |
2249 | @brief Externalize a pipe label |
2250 | @param label Label to be externalized |
2251 | @param element_name Name of the label namespace for which labels should be |
2252 | externalized |
2253 | @param sb String buffer to be filled with a text representation of the label |
2254 | |
2255 | Produce an external representation of the label on a pipe. |
2256 | An externalized label consists of a text representation |
2257 | of the label contents that can be used with user applications. |
2258 | Policy-agnostic user space tools will display this externalized |
2259 | version. |
2260 | |
2261 | The policy's externalize entry points will be called only if the |
2262 | policy has registered interest in the label namespace. |
2263 | |
2264 | @return 0 on success, return non-zero if an error occurs while |
2265 | externalizing the label data. |
2266 | |
2267 | */ |
2268 | typedef int mpo_pipe_label_externalize_t( |
2269 | struct label *label, |
2270 | char *element_name, |
2271 | struct sbuf *sb |
2272 | ); |
2273 | /** |
2274 | @brief Initialize pipe label |
2275 | @param label New label to initialize |
2276 | |
2277 | Initialize label storage for use with a newly instantiated pipe object. |
2278 | Sleeping is permitted. |
2279 | */ |
2280 | typedef void mpo_pipe_label_init_t( |
2281 | struct label *label |
2282 | ); |
2283 | /** |
2284 | @brief Internalize a pipe label |
2285 | @param label Label to be internalized |
2286 | @param element_name Name of the label namespace for which the label should |
2287 | be internalized |
2288 | @param element_data Text data to be internalized |
2289 | |
2290 | Produce a pipe label from an external representation. An |
2291 | externalized label consists of a text representation of the label |
2292 | contents that can be used with user applications. Policy-agnostic |
2293 | user space tools will forward text version to the kernel for |
2294 | processing by individual policy modules. |
2295 | |
2296 | The policy's internalize entry points will be called only if the |
2297 | policy has registered interest in the label namespace. |
2298 | |
2299 | @return 0 on success, Otherwise, return non-zero if an error occurs |
2300 | while internalizing the label data. |
2301 | |
2302 | */ |
2303 | typedef int mpo_pipe_label_internalize_t( |
2304 | struct label *label, |
2305 | char *element_name, |
2306 | char *element_data |
2307 | ); |
2308 | /** |
2309 | @brief Update a pipe label |
2310 | @param cred Subject credential |
2311 | @param cpipe Object to be labeled |
2312 | @param oldlabel Existing pipe label |
2313 | @param newlabel New label to replace existing label |
2314 | @see mpo_pipe_check_label_update_t |
2315 | |
2316 | The subject identified by the credential has previously requested |
2317 | and was authorized to relabel the pipe; this entry point allows |
2318 | policies to perform the actual relabel operation. Policies should |
2319 | update oldlabel using the label stored in the newlabel parameter. |
2320 | |
2321 | */ |
2322 | typedef void mpo_pipe_label_update_t( |
2323 | kauth_cred_t cred, |
2324 | struct pipe *cpipe, |
2325 | struct label *oldlabel, |
2326 | struct label *newlabel |
2327 | ); |
2328 | /** |
2329 | @brief Policy unload event |
2330 | @param mpc MAC policy configuration |
2331 | |
2332 | This is the MAC Framework policy unload event. This entry point will |
2333 | only be called if the module's policy configuration allows unload (if |
2334 | the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't |
2335 | want to be unloaded; they should set their flags to prevent this |
2336 | entry point from being called. |
2337 | |
2338 | @warning During this call, the mac policy list mutex is held, so |
2339 | sleep operations cannot be performed, and calls out to other kernel |
2340 | subsystems must be made with caution. |
2341 | |
2342 | @see MPC_LOADTIME_FLAG_UNLOADOK |
2343 | */ |
2344 | typedef void mpo_policy_destroy_t( |
2345 | struct mac_policy_conf *mpc |
2346 | ); |
2347 | /** |
2348 | @brief Policy initialization event |
2349 | @param mpc MAC policy configuration |
2350 | @see mac_policy_register |
2351 | @see mpo_policy_initbsd_t |
2352 | |
2353 | This is the MAC Framework policy initialization event. This entry |
2354 | point is called during mac_policy_register, when the policy module |
2355 | is first registered with the MAC Framework. This is often done very |
2356 | early in the boot process, after the kernel Mach subsystem has been |
2357 | initialized, but prior to the BSD subsystem being initialized. |
2358 | Since the kernel BSD services are not yet available, it is possible |
2359 | that some initialization must occur later, possibly in the |
2360 | mpo_policy_initbsd_t policy entry point, such as registering BSD system |
2361 | controls (sysctls). Policy modules loaded at boot time will be |
2362 | registered and initialized before labeled Mach objects are created. |
2363 | |
2364 | @warning During this call, the mac policy list mutex is held, so |
2365 | sleep operations cannot be performed, and calls out to other kernel |
2366 | subsystems must be made with caution. |
2367 | */ |
2368 | typedef void mpo_policy_init_t( |
2369 | struct mac_policy_conf *mpc |
2370 | ); |
2371 | /** |
2372 | @brief Policy BSD initialization event |
2373 | @param mpc MAC policy configuration |
2374 | @see mpo_policy_init_t |
2375 | |
2376 | This entry point is called after the kernel BSD subsystem has been |
2377 | initialized. By this point, the module should already be loaded, |
2378 | registered, and initialized. Since policy modules are initialized |
2379 | before kernel BSD services are available, this second initialization |
2380 | phase is necessary. At this point, BSD services (memory management, |
2381 | synchronization primitives, vfs, etc.) are available, but the first |
2382 | process has not yet been created. Mach-related objects and tasks |
2383 | will already be fully initialized and may be in use--policies requiring |
2384 | ubiquitous labeling may also want to implement mpo_policy_init_t. |
2385 | |
2386 | @warning During this call, the mac policy list mutex is held, so |
2387 | sleep operations cannot be performed, and calls out to other kernel |
2388 | subsystems must be made with caution. |
2389 | */ |
2390 | typedef void mpo_policy_initbsd_t( |
2391 | struct mac_policy_conf *mpc |
2392 | ); |
2393 | /** |
2394 | @brief Policy extension service |
2395 | @param p Calling process |
2396 | @param call Policy-specific syscall number |
2397 | @param arg Pointer to syscall arguments |
2398 | |
2399 | This entry point provides a policy-multiplexed system call so that |
2400 | policies may provide additional services to user processes without |
2401 | registering specific system calls. The policy name provided during |
2402 | registration is used to demux calls from userland, and the arguments |
2403 | will be forwarded to this entry point. When implementing new |
2404 | services, security modules should be sure to invoke appropriate |
2405 | access control checks from the MAC framework as needed. For |
2406 | example, if a policy implements an augmented signal functionality, |
2407 | it should call the necessary signal access control checks to invoke |
2408 | the MAC framework and other registered policies. |
2409 | |
2410 | @warning Since the format and contents of the policy-specific |
2411 | arguments are unknown to the MAC Framework, modules must perform the |
2412 | required copyin() of the syscall data on their own. No policy |
2413 | mediation is performed, so policies must perform any necessary |
2414 | access control checks themselves. If multiple policies are loaded, |
2415 | they will currently be unable to mediate calls to other policies. |
2416 | |
2417 | @return In the event of an error, an appropriate value for errno |
2418 | should be returned, otherwise return 0 upon success. |
2419 | */ |
2420 | typedef int mpo_policy_syscall_t( |
2421 | struct proc *p, |
2422 | int call, |
2423 | user_addr_t arg |
2424 | ); |
2425 | /** |
2426 | @brief Access control check for POSIX semaphore create |
2427 | @param cred Subject credential |
2428 | @param name String name of the semaphore |
2429 | |
2430 | Determine whether the subject identified by the credential can create |
2431 | a POSIX semaphore specified by name. |
2432 | |
2433 | @return Return 0 if access is granted, otherwise an appropriate value for |
2434 | errno should be returned. |
2435 | */ |
2436 | typedef int mpo_posixsem_check_create_t( |
2437 | kauth_cred_t cred, |
2438 | const char *name |
2439 | ); |
2440 | /** |
2441 | @brief Access control check for POSIX semaphore open |
2442 | @param cred Subject credential |
2443 | @param ps Pointer to semaphore information structure |
2444 | @param semlabel Label associated with the semaphore |
2445 | |
2446 | Determine whether the subject identified by the credential can open |
2447 | the named POSIX semaphore with label semlabel. |
2448 | |
2449 | @return Return 0 if access is granted, otherwise an appropriate value for |
2450 | errno should be returned. |
2451 | */ |
2452 | typedef int mpo_posixsem_check_open_t( |
2453 | kauth_cred_t cred, |
2454 | struct pseminfo *ps, |
2455 | struct label *semlabel |
2456 | ); |
2457 | /** |
2458 | @brief Access control check for POSIX semaphore post |
2459 | @param cred Subject credential |
2460 | @param ps Pointer to semaphore information structure |
2461 | @param semlabel Label associated with the semaphore |
2462 | |
2463 | Determine whether the subject identified by the credential can unlock |
2464 | the named POSIX semaphore with label semlabel. |
2465 | |
2466 | @return Return 0 if access is granted, otherwise an appropriate value for |
2467 | errno should be returned. |
2468 | */ |
2469 | typedef int mpo_posixsem_check_post_t( |
2470 | kauth_cred_t cred, |
2471 | struct pseminfo *ps, |
2472 | struct label *semlabel |
2473 | ); |
2474 | /** |
2475 | @brief Access control check for POSIX semaphore unlink |
2476 | @param cred Subject credential |
2477 | @param ps Pointer to semaphore information structure |
2478 | @param semlabel Label associated with the semaphore |
2479 | @param name String name of the semaphore |
2480 | |
2481 | Determine whether the subject identified by the credential can remove |
2482 | the named POSIX semaphore with label semlabel. |
2483 | |
2484 | @return Return 0 if access is granted, otherwise an appropriate value for |
2485 | errno should be returned. |
2486 | */ |
2487 | typedef int mpo_posixsem_check_unlink_t( |
2488 | kauth_cred_t cred, |
2489 | struct pseminfo *ps, |
2490 | struct label *semlabel, |
2491 | const char *name |
2492 | ); |
2493 | /** |
2494 | @brief Access control check for POSIX semaphore wait |
2495 | @param cred Subject credential |
2496 | @param ps Pointer to semaphore information structure |
2497 | @param semlabel Label associated with the semaphore |
2498 | |
2499 | Determine whether the subject identified by the credential can lock |
2500 | the named POSIX semaphore with label semlabel. |
2501 | |
2502 | @return Return 0 if access is granted, otherwise an appropriate value for |
2503 | errno should be returned. |
2504 | */ |
2505 | typedef int mpo_posixsem_check_wait_t( |
2506 | kauth_cred_t cred, |
2507 | struct pseminfo *ps, |
2508 | struct label *semlabel |
2509 | ); |
2510 | /** |
2511 | @brief Create a POSIX semaphore label |
2512 | @param cred Subject credential |
2513 | @param ps Pointer to semaphore information structure |
2514 | @param semlabel Label to associate with the new semaphore |
2515 | @param name String name of the semaphore |
2516 | |
2517 | Label a new POSIX semaphore. The label was previously |
2518 | initialized and associated with the semaphore. At this time, an |
2519 | appropriate initial label value should be assigned to the object and |
2520 | stored in semalabel. |
2521 | */ |
2522 | typedef void mpo_posixsem_label_associate_t( |
2523 | kauth_cred_t cred, |
2524 | struct pseminfo *ps, |
2525 | struct label *semlabel, |
2526 | const char *name |
2527 | ); |
2528 | /** |
2529 | @brief Destroy POSIX semaphore label |
2530 | @param label The label to be destroyed |
2531 | |
2532 | Destroy a POSIX semaphore label. Since the object is |
2533 | going out of scope, policy modules should free any internal storage |
2534 | associated with the label so that it may be destroyed. |
2535 | */ |
2536 | typedef void mpo_posixsem_label_destroy_t( |
2537 | struct label *label |
2538 | ); |
2539 | /** |
2540 | @brief Initialize POSIX semaphore label |
2541 | @param label New label to initialize |
2542 | |
2543 | Initialize the label for a newly instantiated POSIX semaphore. Sleeping |
2544 | is permitted. |
2545 | */ |
2546 | typedef void mpo_posixsem_label_init_t( |
2547 | struct label *label |
2548 | ); |
2549 | /** |
2550 | @brief Access control check for POSIX shared memory region create |
2551 | @param cred Subject credential |
2552 | @param name String name of the shared memory region |
2553 | |
2554 | Determine whether the subject identified by the credential can create |
2555 | the POSIX shared memory region referenced by name. |
2556 | |
2557 | @return Return 0 if access is granted, otherwise an appropriate value for |
2558 | errno should be returned. |
2559 | */ |
2560 | typedef int mpo_posixshm_check_create_t( |
2561 | kauth_cred_t cred, |
2562 | const char *name |
2563 | ); |
2564 | /** |
2565 | @brief Access control check for mapping POSIX shared memory |
2566 | @param cred Subject credential |
2567 | @param ps Pointer to shared memory information structure |
2568 | @param shmlabel Label associated with the shared memory region |
2569 | @param prot mmap protections; see mmap(2) |
2570 | @param flags shmat flags; see shmat(2) |
2571 | |
2572 | Determine whether the subject identified by the credential can map |
2573 | the POSIX shared memory segment associated with shmlabel. |
2574 | |
2575 | @return Return 0 if access is granted, otherwise an appropriate value for |
2576 | errno should be returned. |
2577 | */ |
2578 | typedef int mpo_posixshm_check_mmap_t( |
2579 | kauth_cred_t cred, |
2580 | struct pshminfo *ps, |
2581 | struct label *shmlabel, |
2582 | int prot, |
2583 | int flags |
2584 | ); |
2585 | /** |
2586 | @brief Access control check for POSIX shared memory region open |
2587 | @param cred Subject credential |
2588 | @param ps Pointer to shared memory information structure |
2589 | @param shmlabel Label associated with the shared memory region |
2590 | @param fflags shm_open(2) open flags ('fflags' encoded) |
2591 | |
2592 | Determine whether the subject identified by the credential can open |
2593 | the POSIX shared memory region. |
2594 | |
2595 | @return Return 0 if access is granted, otherwise an appropriate value for |
2596 | errno should be returned. |
2597 | */ |
2598 | typedef int mpo_posixshm_check_open_t( |
2599 | kauth_cred_t cred, |
2600 | struct pshminfo *ps, |
2601 | struct label *shmlabel, |
2602 | int fflags |
2603 | ); |
2604 | /** |
2605 | @brief Access control check for POSIX shared memory stat |
2606 | @param cred Subject credential |
2607 | @param ps Pointer to shared memory information structure |
2608 | @param shmlabel Label associated with the shared memory region |
2609 | |
2610 | Determine whether the subject identified by the credential can obtain |
2611 | status for the POSIX shared memory segment associated with shmlabel. |
2612 | |
2613 | @return Return 0 if access is granted, otherwise an appropriate value for |
2614 | errno should be returned. |
2615 | */ |
2616 | typedef int mpo_posixshm_check_stat_t( |
2617 | kauth_cred_t cred, |
2618 | struct pshminfo *ps, |
2619 | struct label *shmlabel |
2620 | ); |
2621 | /** |
2622 | @brief Access control check for POSIX shared memory truncate |
2623 | @param cred Subject credential |
2624 | @param ps Pointer to shared memory information structure |
2625 | @param shmlabel Label associated with the shared memory region |
2626 | @param len Length to truncate or extend shared memory segment |
2627 | |
2628 | Determine whether the subject identified by the credential can truncate |
2629 | or extend (to len) the POSIX shared memory segment associated with shmlabel. |
2630 | |
2631 | @return Return 0 if access is granted, otherwise an appropriate value for |
2632 | errno should be returned. |
2633 | */ |
2634 | typedef int mpo_posixshm_check_truncate_t( |
2635 | kauth_cred_t cred, |
2636 | struct pshminfo *ps, |
2637 | struct label *shmlabel, |
2638 | off_t len |
2639 | ); |
2640 | /** |
2641 | @brief Access control check for POSIX shared memory unlink |
2642 | @param cred Subject credential |
2643 | @param ps Pointer to shared memory information structure |
2644 | @param shmlabel Label associated with the shared memory region |
2645 | @param name String name of the shared memory region |
2646 | |
2647 | Determine whether the subject identified by the credential can delete |
2648 | the POSIX shared memory segment associated with shmlabel. |
2649 | |
2650 | @return Return 0 if access is granted, otherwise an appropriate value for |
2651 | errno should be returned. |
2652 | */ |
2653 | typedef int mpo_posixshm_check_unlink_t( |
2654 | kauth_cred_t cred, |
2655 | struct pshminfo *ps, |
2656 | struct label *shmlabel, |
2657 | const char *name |
2658 | ); |
2659 | /** |
2660 | @brief Create a POSIX shared memory region label |
2661 | @param cred Subject credential |
2662 | @param ps Pointer to shared memory information structure |
2663 | @param shmlabel Label to associate with the new shared memory region |
2664 | @param name String name of the shared memory region |
2665 | |
2666 | Label a new POSIX shared memory region. The label was previously |
2667 | initialized and associated with the shared memory region. At this |
2668 | time, an appropriate initial label value should be assigned to the |
2669 | object and stored in shmlabel. |
2670 | */ |
2671 | typedef void mpo_posixshm_label_associate_t( |
2672 | kauth_cred_t cred, |
2673 | struct pshminfo *ps, |
2674 | struct label *shmlabel, |
2675 | const char *name |
2676 | ); |
2677 | /** |
2678 | @brief Destroy POSIX shared memory label |
2679 | @param label The label to be destroyed |
2680 | |
2681 | Destroy a POSIX shared memory region label. Since the |
2682 | object is going out of scope, policy modules should free any |
2683 | internal storage associated with the label so that it may be |
2684 | destroyed. |
2685 | */ |
2686 | typedef void mpo_posixshm_label_destroy_t( |
2687 | struct label *label |
2688 | ); |
2689 | /** |
2690 | @brief Initialize POSIX Shared Memory region label |
2691 | @param label New label to initialize |
2692 | |
2693 | Initialize the label for newly a instantiated POSIX Shared Memory |
2694 | region. Sleeping is permitted. |
2695 | */ |
2696 | typedef void mpo_posixshm_label_init_t( |
2697 | struct label *label |
2698 | ); |
2699 | /** |
2700 | @brief Access control check for privileged operations |
2701 | @param cred Subject credential |
2702 | @param priv Requested privilege (see sys/priv.h) |
2703 | |
2704 | Determine whether the subject identified by the credential can perform |
2705 | a privileged operation. Privileged operations are allowed if the cred |
2706 | is the superuser or any policy returns zero for mpo_priv_grant, unless |
2707 | any policy returns nonzero for mpo_priv_check. |
2708 | |
2709 | @return Return 0 if access is granted, otherwise EPERM should be returned. |
2710 | */ |
2711 | typedef int mpo_priv_check_t( |
2712 | kauth_cred_t cred, |
2713 | int priv |
2714 | ); |
2715 | /** |
2716 | @brief Grant regular users the ability to perform privileged operations |
2717 | @param cred Subject credential |
2718 | @param priv Requested privilege (see sys/priv.h) |
2719 | |
2720 | Determine whether the subject identified by the credential should be |
2721 | allowed to perform a privileged operation that in the absense of any |
2722 | MAC policy it would not be able to perform. Privileged operations are |
2723 | allowed if the cred is the superuser or any policy returns zero for |
2724 | mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check. |
2725 | |
2726 | Unlike other MAC hooks which can only reduce the privilege of a |
2727 | credential, this hook raises the privilege of a credential when it |
2728 | returns 0. Extreme care must be taken when implementing this hook to |
2729 | avoid undermining the security of the system. |
2730 | |
2731 | @return Return 0 if additional privilege is granted, otherwise EPERM |
2732 | should be returned. |
2733 | */ |
2734 | typedef int mpo_priv_grant_t( |
2735 | kauth_cred_t cred, |
2736 | int priv |
2737 | ); |
2738 | /** |
2739 | @brief Access control check for debugging process |
2740 | @param cred Subject credential |
2741 | @param proc Object process |
2742 | |
2743 | Determine whether the subject identified by the credential can debug |
2744 | the passed process. This call may be made in a number of situations, |
2745 | including use of the ptrace(2) and ktrace(2) APIs, as well as for some |
2746 | types of procfs operations. |
2747 | |
2748 | @return Return 0 if access is granted, otherwise an appropriate value for |
2749 | errno should be returned. Suggested failure: EACCES for label mismatch, |
2750 | EPERM for lack of privilege, or ESRCH to hide visibility of the target. |
2751 | */ |
2752 | typedef int mpo_proc_check_debug_t( |
2753 | kauth_cred_t cred, |
2754 | struct proc *proc |
2755 | ); |
2756 | /** |
2757 | @brief Access control over fork |
2758 | @param cred Subject credential |
2759 | @param proc Subject process trying to fork |
2760 | |
2761 | Determine whether the subject identified is allowed to fork. |
2762 | |
2763 | @return Return 0 if access is granted, otherwise an appropriate value for |
2764 | errno should be returned. |
2765 | */ |
2766 | typedef int mpo_proc_check_fork_t( |
2767 | kauth_cred_t cred, |
2768 | struct proc *proc |
2769 | ); |
2770 | /** |
2771 | @brief Access control check for setting host special ports. |
2772 | @param cred Subject credential |
2773 | @param id The host special port to set |
2774 | @param port The new value to set for the special port |
2775 | |
2776 | @return Return 0 if access is granted, otherwise an appropriate value for |
2777 | errno should be returned. |
2778 | */ |
2779 | typedef int mpo_proc_check_set_host_special_port_t( |
2780 | kauth_cred_t cred, |
2781 | int id, |
2782 | struct ipc_port *port |
2783 | ); |
2784 | /** |
2785 | @brief Access control check for setting host exception ports. |
2786 | @param cred Subject credential |
2787 | @param exception Exception port to set |
2788 | |
2789 | @return Return 0 if access is granted, otherwise an appropriate value for |
2790 | errno should be returned. |
2791 | */ |
2792 | typedef int mpo_proc_check_set_host_exception_port_t( |
2793 | kauth_cred_t cred, |
2794 | unsigned int exception |
2795 | ); |
2796 | /** |
2797 | @brief Access control over pid_suspend and pid_resume |
2798 | @param cred Subject credential |
2799 | @param proc Subject process trying to run pid_suspend or pid_resume |
2800 | @param sr Call is suspend (0) or resume (1) |
2801 | |
2802 | Determine whether the subject identified is allowed to suspend or resume |
2803 | other processes. |
2804 | |
2805 | @return Return 0 if access is granted, otherwise an appropriate value for |
2806 | errno should be returned. |
2807 | */ |
2808 | typedef int mpo_proc_check_suspend_resume_t( |
2809 | kauth_cred_t cred, |
2810 | struct proc *proc, |
2811 | int sr |
2812 | ); |
2813 | /** |
2814 | @brief Access control check for retrieving audit information |
2815 | @param cred Subject credential |
2816 | |
2817 | Determine whether the subject identified by the credential can get |
2818 | audit information such as the audit user ID, the preselection mask, |
2819 | the terminal ID and the audit session ID, using the getaudit() system call. |
2820 | |
2821 | @return Return 0 if access is granted, otherwise an appropriate value for |
2822 | errno should be returned. |
2823 | */ |
2824 | typedef int mpo_proc_check_getaudit_t( |
2825 | kauth_cred_t cred |
2826 | ); |
2827 | /** |
2828 | @brief Access control check for retrieving audit user ID |
2829 | @param cred Subject credential |
2830 | |
2831 | Determine whether the subject identified by the credential can get |
2832 | the user identity being used by the auditing system, using the getauid() |
2833 | system call. |
2834 | |
2835 | @return Return 0 if access is granted, otherwise an appropriate value for |
2836 | errno should be returned. |
2837 | */ |
2838 | typedef int mpo_proc_check_getauid_t( |
2839 | kauth_cred_t cred |
2840 | ); |
2841 | /** |
2842 | @brief Access control check for retrieving Login Context ID |
2843 | @param p0 Calling process |
2844 | @param p Effected process |
2845 | @param pid syscall PID argument |
2846 | |
2847 | Determine if getlcid(2) system call is permitted. |
2848 | |
2849 | Information returned by this system call is similar to that returned via |
2850 | process listings etc. |
2851 | |
2852 | @return Return 0 if access is granted, otherwise an appropriate value for |
2853 | errno should be returned. |
2854 | */ |
2855 | typedef int mpo_proc_check_getlcid_t( |
2856 | struct proc *p0, |
2857 | struct proc *p, |
2858 | pid_t pid |
2859 | ); |
2860 | /** |
2861 | @brief Access control check for retrieving ledger information |
2862 | @param cred Subject credential |
2863 | @param target Object process |
2864 | @param op ledger operation |
2865 | |
2866 | Determine if ledger(2) system call is permitted. |
2867 | |
2868 | Information returned by this system call is similar to that returned via |
2869 | process listings etc. |
2870 | |
2871 | @return Return 0 if access is granted, otherwise an appropriate value for |
2872 | errno should be returned. |
2873 | */ |
2874 | typedef int mpo_proc_check_ledger_t( |
2875 | kauth_cred_t cred, |
2876 | struct proc *target, |
2877 | int op |
2878 | ); |
2879 | /** |
2880 | @brief Access control check for retrieving process information. |
2881 | @param cred Subject credential |
2882 | @param target Target process (may be null, may be zombie) |
2883 | |
2884 | Determine if a credential has permission to access process information as defined |
2885 | by call number and flavor on target process |
2886 | |
2887 | @return Return 0 if access is granted, otherwise an appropriate value for |
2888 | errno should be returned. |
2889 | */ |
2890 | typedef int mpo_proc_check_proc_info_t( |
2891 | kauth_cred_t cred, |
2892 | struct proc *target, |
2893 | int callnum, |
2894 | int flavor |
2895 | ); |
2896 | /** |
2897 | @brief Access control check for retrieving code signing information. |
2898 | @param cred Subject credential |
2899 | @param target Target process |
2900 | @param op Code signing operation being performed |
2901 | |
2902 | Determine whether the subject identified by the credential should be |
2903 | allowed to get code signing information about the target process. |
2904 | |
2905 | @return Return 0 if access is granted, otherwise an appropriate value for |
2906 | errno should be returned. |
2907 | */ |
2908 | typedef int mpo_proc_check_get_cs_info_t( |
2909 | kauth_cred_t cred, |
2910 | struct proc *target, |
2911 | unsigned int op |
2912 | ); |
2913 | /** |
2914 | @brief Access control check for setting code signing information. |
2915 | @param cred Subject credential |
2916 | @param target Target process |
2917 | @param op Code signing operation being performed. |
2918 | |
2919 | Determine whether the subject identified by the credential should be |
2920 | allowed to set code signing information about the target process. |
2921 | |
2922 | @return Return 0 if permission is granted, otherwise an appropriate |
2923 | value of errno should be returned. |
2924 | */ |
2925 | typedef int mpo_proc_check_set_cs_info_t( |
2926 | kauth_cred_t cred, |
2927 | struct proc *target, |
2928 | unsigned int op |
2929 | ); |
2930 | /** |
2931 | @brief Access control check for mmap MAP_ANON |
2932 | @param proc User process requesting the memory |
2933 | @param cred Subject credential |
2934 | @param u_addr Start address of the memory range |
2935 | @param u_size Length address of the memory range |
2936 | @param prot mmap protections; see mmap(2) |
2937 | @param flags Type of mapped object; see mmap(2) |
2938 | @param maxprot Maximum rights |
2939 | |
2940 | Determine whether the subject identified by the credential should be |
2941 | allowed to obtain anonymous memory using the specified flags and |
2942 | protections on the new mapping. MAP_ANON will always be present in the |
2943 | flags. Certain combinations of flags with a non-NULL addr may |
2944 | cause a mapping to be rejected before this hook is called. The maxprot field |
2945 | holds the maximum permissions on the new mapping, a combination of |
2946 | VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior |
2947 | access control checks, a policy should only remove flags from maxprot. |
2948 | |
2949 | @return Return 0 if access is granted, otherwise an appropriate value for |
2950 | errno should be returned. Suggested failure: EPERM for lack of privilege. |
2951 | */ |
2952 | typedef int mpo_proc_check_map_anon_t( |
2953 | struct proc *proc, |
2954 | kauth_cred_t cred, |
2955 | user_addr_t u_addr, |
2956 | user_size_t u_size, |
2957 | int prot, |
2958 | int flags, |
2959 | int *maxprot |
2960 | ); |
2961 | /** |
2962 | @brief Access control check for setting memory protections |
2963 | @param cred Subject credential |
2964 | @param proc User process requesting the change |
2965 | @param addr Start address of the memory range |
2966 | @param size Length address of the memory range |
2967 | @param prot Memory protections, see mmap(2) |
2968 | |
2969 | Determine whether the subject identified by the credential should |
2970 | be allowed to set the specified memory protections on memory mapped |
2971 | in the process proc. |
2972 | |
2973 | @return Return 0 if access is granted, otherwise an appropriate value for |
2974 | errno should be returned. |
2975 | */ |
2976 | typedef int mpo_proc_check_mprotect_t( |
2977 | kauth_cred_t cred, |
2978 | struct proc *proc, |
2979 | user_addr_t addr, |
2980 | user_size_t size, |
2981 | int prot |
2982 | ); |
2983 | /** |
2984 | @brief Access control check for changing scheduling parameters |
2985 | @param cred Subject credential |
2986 | @param proc Object process |
2987 | |
2988 | Determine whether the subject identified by the credential can change |
2989 | the scheduling parameters of the passed process. |
2990 | |
2991 | @return Return 0 if access is granted, otherwise an appropriate value for |
2992 | errno should be returned. Suggested failure: EACCES for label mismatch, |
2993 | EPERM for lack of privilege, or ESRCH to limit visibility. |
2994 | */ |
2995 | typedef int mpo_proc_check_sched_t( |
2996 | kauth_cred_t cred, |
2997 | struct proc *proc |
2998 | ); |
2999 | /** |
3000 | @brief Access control check for setting audit information |
3001 | @param cred Subject credential |
3002 | @param ai Audit information |
3003 | |
3004 | Determine whether the subject identified by the credential can set |
3005 | audit information such as the the preselection mask, the terminal ID |
3006 | and the audit session ID, using the setaudit() system call. |
3007 | |
3008 | @return Return 0 if access is granted, otherwise an appropriate value for |
3009 | errno should be returned. |
3010 | */ |
3011 | typedef int mpo_proc_check_setaudit_t( |
3012 | kauth_cred_t cred, |
3013 | struct auditinfo_addr *ai |
3014 | ); |
3015 | /** |
3016 | @brief Access control check for setting audit user ID |
3017 | @param cred Subject credential |
3018 | @param auid Audit user ID |
3019 | |
3020 | Determine whether the subject identified by the credential can set |
3021 | the user identity used by the auditing system, using the setauid() |
3022 | system call. |
3023 | |
3024 | @return Return 0 if access is granted, otherwise an appropriate value for |
3025 | errno should be returned. |
3026 | */ |
3027 | typedef int mpo_proc_check_setauid_t( |
3028 | kauth_cred_t cred, |
3029 | uid_t auid |
3030 | ); |
3031 | /** |
3032 | @brief Access control check for setting the Login Context |
3033 | @param p0 Calling process |
3034 | @param p Effected process |
3035 | @param pid syscall PID argument |
3036 | @param lcid syscall LCID argument |
3037 | |
3038 | Determine if setlcid(2) system call is permitted. |
3039 | |
3040 | See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of |
3041 | decoding syscall arguments to determine action desired by caller. |
3042 | |
3043 | Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN |
3044 | |
3045 | @return Return 0 if access is granted, otherwise an appropriate value for |
3046 | errno should be returned. |
3047 | */ |
3048 | typedef int mpo_proc_check_setlcid_t( |
3049 | struct proc *p0, |
3050 | struct proc *p, |
3051 | pid_t pid, |
3052 | pid_t lcid |
3053 | ); |
3054 | /** |
3055 | @brief Access control check for delivering signal |
3056 | @param cred Subject credential |
3057 | @param proc Object process |
3058 | @param signum Signal number; see kill(2) |
3059 | |
3060 | Determine whether the subject identified by the credential can deliver |
3061 | the passed signal to the passed process. |
3062 | |
3063 | @warning Programs typically expect to be able to send and receive |
3064 | signals as part or their normal process lifecycle; caution should be |
3065 | exercised when implementing access controls over signal events. |
3066 | |
3067 | @return Return 0 if access is granted, otherwise an appropriate value for |
3068 | errno should be returned. Suggested failure: EACCES for label mismatch, |
3069 | EPERM for lack of privilege, or ESRCH to limit visibility. |
3070 | */ |
3071 | typedef int mpo_proc_check_signal_t( |
3072 | kauth_cred_t cred, |
3073 | struct proc *proc, |
3074 | int signum |
3075 | ); |
3076 | /** |
3077 | @brief Access control check for wait |
3078 | @param cred Subject credential |
3079 | @param proc Object process |
3080 | |
3081 | Determine whether the subject identified by the credential can wait |
3082 | for process termination. |
3083 | |
3084 | @warning Caution should be exercised when implementing access |
3085 | controls for wait, since programs often wait for child processes to |
3086 | exit. Failure to be notified of a child process terminating may |
3087 | cause the parent process to hang, or may produce zombie processes. |
3088 | |
3089 | @return Return 0 if access is granted, otherwise an appropriate value for |
3090 | errno should be returned. |
3091 | */ |
3092 | typedef int mpo_proc_check_wait_t( |
3093 | kauth_cred_t cred, |
3094 | struct proc *proc |
3095 | ); |
3096 | /** |
3097 | @brief Inform MAC policies that a process has exited. |
3098 | @param proc Object process |
3099 | |
3100 | Called after all of the process's threads have terminated and |
3101 | it has been removed from the process list. KPI that identifies |
3102 | the process by pid will fail to find the process; KPI that |
3103 | identifies the process by the object process pointer functions |
3104 | normally. proc_exiting() returns true for the object process. |
3105 | */ |
3106 | typedef void mpo_proc_notify_exit_t( |
3107 | struct proc *proc |
3108 | ); |
3109 | /** |
3110 | @brief Destroy process label |
3111 | @param label The label to be destroyed |
3112 | |
3113 | Destroy a process label. Since the object is going |
3114 | out of scope, policy modules should free any internal storage |
3115 | associated with the label so that it may be destroyed. |
3116 | */ |
3117 | typedef void mpo_proc_label_destroy_t( |
3118 | struct label *label |
3119 | ); |
3120 | /** |
3121 | @brief Initialize process label |
3122 | @param label New label to initialize |
3123 | @see mpo_cred_label_init_t |
3124 | |
3125 | Initialize the label for a newly instantiated BSD process structure. |
3126 | Normally, security policies will store the process label in the user |
3127 | credential rather than here in the process structure. However, |
3128 | there are some floating label policies that may need to temporarily |
3129 | store a label in the process structure until it is safe to update |
3130 | the user credential label. Sleeping is permitted. |
3131 | */ |
3132 | typedef void mpo_proc_label_init_t( |
3133 | struct label *label |
3134 | ); |
3135 | /** |
3136 | @brief Access control check for skywalk flow connect |
3137 | @param cred Subject credential |
3138 | @param flow Flow object |
3139 | @param addr Remote address for flow to send data to |
3140 | @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) |
3141 | @param protocol Network protocol (e.g. IPPROTO_TCP) |
3142 | |
3143 | Determine whether the subject identified by the credential can |
3144 | create a flow for sending data to the remote host specified by |
3145 | addr. |
3146 | |
3147 | @return Return 0 if access if granted, otherwise an appropriate |
3148 | value for errno should be returned. |
3149 | */ |
3150 | typedef int mpo_skywalk_flow_check_connect_t( |
3151 | kauth_cred_t cred, |
3152 | void *flow, |
3153 | const struct sockaddr *addr, |
3154 | int type, |
3155 | int protocol |
3156 | ); |
3157 | /** |
3158 | @brief Access control check for skywalk flow listen |
3159 | @param cred Subject credential |
3160 | @param flow Flow object |
3161 | @param addr Local address for flow to listen on |
3162 | @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) |
3163 | @param protocol Network protocol (e.g. IPPROTO_TCP) |
3164 | |
3165 | Determine whether the subject identified by the credential can |
3166 | create a flow for receiving data on the local address specified |
3167 | by addr. |
3168 | |
3169 | @return Return 0 if access if granted, otherwise an appropriate |
3170 | value for errno should be returned. |
3171 | */ |
3172 | typedef int mpo_skywalk_flow_check_listen_t( |
3173 | kauth_cred_t cred, |
3174 | void *flow, |
3175 | const struct sockaddr *addr, |
3176 | int type, |
3177 | int protocol |
3178 | ); |
3179 | /** |
3180 | @brief Access control check for socket accept |
3181 | @param cred Subject credential |
3182 | @param so Object socket |
3183 | @param socklabel Policy label for socket |
3184 | |
3185 | Determine whether the subject identified by the credential can accept() |
3186 | a new connection on the socket from the host specified by addr. |
3187 | |
3188 | @return Return 0 if access if granted, otherwise an appropriate |
3189 | value for errno should be returned. |
3190 | */ |
3191 | typedef int mpo_socket_check_accept_t( |
3192 | kauth_cred_t cred, |
3193 | socket_t so, |
3194 | struct label *socklabel |
3195 | ); |
3196 | /** |
3197 | @brief Access control check for a pending socket accept |
3198 | @param cred Subject credential |
3199 | @param so Object socket |
3200 | @param socklabel Policy label for socket |
3201 | @param addr Address of the listening socket (coming soon) |
3202 | |
3203 | Determine whether the subject identified by the credential can accept() |
3204 | a pending connection on the socket from the host specified by addr. |
3205 | |
3206 | @return Return 0 if access if granted, otherwise an appropriate |
3207 | value for errno should be returned. |
3208 | */ |
3209 | typedef int mpo_socket_check_accepted_t( |
3210 | kauth_cred_t cred, |
3211 | socket_t so, |
3212 | struct label *socklabel, |
3213 | struct sockaddr *addr |
3214 | ); |
3215 | /** |
3216 | @brief Access control check for socket bind |
3217 | @param cred Subject credential |
3218 | @param so Object socket |
3219 | @param socklabel Policy label for socket |
3220 | @param addr Name to assign to the socket |
3221 | |
3222 | Determine whether the subject identified by the credential can bind() |
3223 | the name (addr) to the socket. |
3224 | |
3225 | @return Return 0 if access if granted, otherwise an appropriate |
3226 | value for errno should be returned. |
3227 | */ |
3228 | typedef int mpo_socket_check_bind_t( |
3229 | kauth_cred_t cred, |
3230 | socket_t so, |
3231 | struct label *socklabel, |
3232 | struct sockaddr *addr |
3233 | ); |
3234 | /** |
3235 | @brief Access control check for socket connect |
3236 | @param cred Subject credential |
3237 | @param so Object socket |
3238 | @param socklabel Policy label for socket |
3239 | @param addr Name to assign to the socket |
3240 | |
3241 | Determine whether the subject identified by the credential can |
3242 | connect() the passed socket to the remote host specified by addr. |
3243 | |
3244 | @return Return 0 if access if granted, otherwise an appropriate |
3245 | value for errno should be returned. |
3246 | */ |
3247 | typedef int mpo_socket_check_connect_t( |
3248 | kauth_cred_t cred, |
3249 | socket_t so, |
3250 | struct label *socklabel, |
3251 | struct sockaddr *addr |
3252 | ); |
3253 | /** |
3254 | @brief Access control check for socket() system call. |
3255 | @param cred Subject credential |
3256 | @param domain communication domain |
3257 | @param type socket type |
3258 | @param protocol socket protocol |
3259 | |
3260 | Determine whether the subject identified by the credential can |
3261 | make the socket() call. |
3262 | |
3263 | @return Return 0 if access if granted, otherwise an appropriate |
3264 | value for errno should be returned. |
3265 | */ |
3266 | typedef int mpo_socket_check_create_t( |
3267 | kauth_cred_t cred, |
3268 | int domain, |
3269 | int type, |
3270 | int protocol |
3271 | ); |
3272 | /** |
3273 | @brief Access control check for delivering data to a user's receieve queue |
3274 | @param so The socket data is being delivered to |
3275 | @param so_label The label of so |
3276 | @param m The mbuf whose data will be deposited into the receive queue |
3277 | @param m_label The label of the sender of the data. |
3278 | |
3279 | A socket has a queue for receiving incoming data. When a packet arrives |
3280 | on the wire, it eventually gets deposited into this queue, which the |
3281 | owner of the socket drains when they read from the socket's file descriptor. |
3282 | |
3283 | This function determines whether the socket can receive data from |
3284 | the sender specified by m_label. |
3285 | |
3286 | @warning There is an outstanding design issue surrounding the placement |
3287 | of this function. The check must be placed either before or after the |
3288 | TCP sequence and ACK counters are updated. Placing the check before |
3289 | the counters are updated causes the incoming packet to be resent by |
3290 | the remote if the check rejects it. Placing the check after the counters |
3291 | are updated results in a completely silent drop. As far as each TCP stack |
3292 | is concerned the packet was received, however, the data will not be in the |
3293 | socket's receive queue. Another consideration is that the current design |
3294 | requires using the "failed label" occasionally. In that case, on rejection, |
3295 | we want the remote TCP to resend the data. Because of this, we chose to |
3296 | place this check before the counters are updated, so rejected packets will be |
3297 | resent by the remote host. |
3298 | |
3299 | If a policy keeps rejecting the same packet, eventually the connection will |
3300 | be dropped. Policies have several options if this design causes problems. |
3301 | For example, one options is to sanitize the mbuf such that it is acceptable, |
3302 | then accept it. That may require negotiation between policies as the |
3303 | Framework will not know to re-check the packet. |
3304 | |
3305 | The policy must handle NULL MBUF labels. This will likely be the case |
3306 | for non-local TCP sockets for example. |
3307 | |
3308 | @return Return 0 if access if granted, otherwise an appropriate |
3309 | value for errno should be returned. |
3310 | */ |
3311 | typedef int mpo_socket_check_deliver_t( |
3312 | socket_t so, |
3313 | struct label *so_label, |
3314 | struct mbuf *m, |
3315 | struct label *m_label |
3316 | ); |
3317 | /** |
3318 | @brief Access control check for socket ioctl. |
3319 | @param cred Subject credential |
3320 | @param so Object socket |
3321 | @param cmd The ioctl command; see ioctl(2) |
3322 | @param socklabel Policy label for socket |
3323 | |
3324 | Determine whether the subject identified by the credential can perform |
3325 | the ioctl operation indicated by cmd on the given socket. |
3326 | |
3327 | @warning Since ioctl data is opaque from the standpoint of the MAC |
3328 | framework, and since ioctls can affect many aspects of system |
3329 | operation, policies must exercise extreme care when implementing |
3330 | access control checks. |
3331 | |
3332 | @return Return 0 if access is granted, otherwise an appropriate value for |
3333 | errno should be returned. |
3334 | */ |
3335 | typedef int mpo_socket_check_ioctl_t( |
3336 | kauth_cred_t cred, |
3337 | socket_t so, |
3338 | unsigned int cmd, |
3339 | struct label *socklabel |
3340 | ); |
3341 | /** |
3342 | @brief Access control check for socket kqfilter |
3343 | @param cred Subject credential |
3344 | @param kn Object knote |
3345 | @param so Object socket |
3346 | @param socklabel Policy label for socket |
3347 | |
3348 | Determine whether the subject identified by the credential can |
3349 | receive the knote on the passed socket. |
3350 | |
3351 | @return Return 0 if access if granted, otherwise an appropriate |
3352 | value for errno should be returned. |
3353 | */ |
3354 | typedef int mpo_socket_check_kqfilter_t( |
3355 | kauth_cred_t cred, |
3356 | struct knote *kn, |
3357 | socket_t so, |
3358 | struct label *socklabel |
3359 | ); |
3360 | /** |
3361 | @brief Access control check for socket relabel |
3362 | @param cred Subject credential |
3363 | @param so Object socket |
3364 | @param so_label The current label of so |
3365 | @param newlabel The label to be assigned to so |
3366 | |
3367 | Determine whether the subject identified by the credential can |
3368 | change the label on the socket. |
3369 | |
3370 | @return Return 0 if access if granted, otherwise an appropriate |
3371 | value for errno should be returned. |
3372 | */ |
3373 | typedef int mpo_socket_check_label_update_t( |
3374 | kauth_cred_t cred, |
3375 | socket_t so, |
3376 | struct label *so_label, |
3377 | struct label *newlabel |
3378 | ); |
3379 | /** |
3380 | @brief Access control check for socket listen |
3381 | @param cred Subject credential |
3382 | @param so Object socket |
3383 | @param socklabel Policy label for socket |
3384 | |
3385 | Determine whether the subject identified by the credential can |
3386 | listen() on the passed socket. |
3387 | |
3388 | @return Return 0 if access if granted, otherwise an appropriate |
3389 | value for errno should be returned. |
3390 | */ |
3391 | typedef int mpo_socket_check_listen_t( |
3392 | kauth_cred_t cred, |
3393 | socket_t so, |
3394 | struct label *socklabel |
3395 | ); |
3396 | /** |
3397 | @brief Access control check for socket receive |
3398 | @param cred Subject credential |
3399 | @param so Object socket |
3400 | @param socklabel Policy label for socket |
3401 | |
3402 | Determine whether the subject identified by the credential can |
3403 | receive data from the socket. |
3404 | |
3405 | @return Return 0 if access if granted, otherwise an appropriate |
3406 | value for errno should be returned. |
3407 | */ |
3408 | typedef int mpo_socket_check_receive_t( |
3409 | kauth_cred_t cred, |
3410 | socket_t so, |
3411 | struct label *socklabel |
3412 | ); |
3413 | |
3414 | /** |
3415 | @brief Access control check for socket receive |
3416 | @param cred Subject credential |
3417 | @param sock Object socket |
3418 | @param socklabel Policy label for socket |
3419 | @param saddr Name of the remote socket |
3420 | |
3421 | Determine whether the subject identified by the credential can |
3422 | receive data from the remote host specified by addr. |
3423 | |
3424 | @return Return 0 if access if granted, otherwise an appropriate |
3425 | value for errno should be returned. |
3426 | */ |
3427 | typedef int mpo_socket_check_received_t( |
3428 | kauth_cred_t cred, |
3429 | struct socket *sock, |
3430 | struct label *socklabel, |
3431 | struct sockaddr *saddr |
3432 | ); |
3433 | |
3434 | |
3435 | /** |
3436 | @brief Access control check for socket select |
3437 | @param cred Subject credential |
3438 | @param so Object socket |
3439 | @param socklabel Policy label for socket |
3440 | @param which The operation selected on: FREAD or FWRITE |
3441 | |
3442 | Determine whether the subject identified by the credential can use the |
3443 | socket in a call to select(). |
3444 | |
3445 | @return Return 0 if access if granted, otherwise an appropriate |
3446 | value for errno should be returned. |
3447 | */ |
3448 | typedef int mpo_socket_check_select_t( |
3449 | kauth_cred_t cred, |
3450 | socket_t so, |
3451 | struct label *socklabel, |
3452 | int which |
3453 | ); |
3454 | /** |
3455 | @brief Access control check for socket send |
3456 | @param cred Subject credential |
3457 | @param so Object socket |
3458 | @param socklabel Policy label for socket |
3459 | @param addr Address being sent to |
3460 | |
3461 | Determine whether the subject identified by the credential can send |
3462 | data to the socket. |
3463 | |
3464 | @return Return 0 if access if granted, otherwise an appropriate |
3465 | value for errno should be returned. |
3466 | */ |
3467 | typedef int mpo_socket_check_send_t( |
3468 | kauth_cred_t cred, |
3469 | socket_t so, |
3470 | struct label *socklabel, |
3471 | struct sockaddr *addr |
3472 | ); |
3473 | /** |
3474 | @brief Access control check for retrieving socket status |
3475 | @param cred Subject credential |
3476 | @param so Object socket |
3477 | @param socklabel Policy label for so |
3478 | |
3479 | Determine whether the subject identified by the credential can |
3480 | execute the stat() system call on the given socket. |
3481 | |
3482 | @return Return 0 if access if granted, otherwise an appropriate |
3483 | value for errno should be returned. |
3484 | */ |
3485 | typedef int mpo_socket_check_stat_t( |
3486 | kauth_cred_t cred, |
3487 | socket_t so, |
3488 | struct label *socklabel |
3489 | ); |
3490 | /** |
3491 | @brief Access control check for setting socket options |
3492 | @param cred Subject credential |
3493 | @param so Object socket |
3494 | @param socklabel Policy label for so |
3495 | @param sopt The options being set |
3496 | |
3497 | Determine whether the subject identified by the credential can |
3498 | execute the setsockopt system call on the given socket. |
3499 | |
3500 | @return Return 0 if access if granted, otherwise an appropriate |
3501 | value for errno should be returned. |
3502 | */ |
3503 | typedef int mpo_socket_check_setsockopt_t( |
3504 | kauth_cred_t cred, |
3505 | socket_t so, |
3506 | struct label *socklabel, |
3507 | struct sockopt *sopt |
3508 | ); |
3509 | /** |
3510 | @brief Access control check for getting socket options |
3511 | @param cred Subject credential |
3512 | @param so Object socket |
3513 | @param socklabel Policy label for so |
3514 | @param sopt The options to get |
3515 | |
3516 | Determine whether the subject identified by the credential can |
3517 | execute the getsockopt system call on the given socket. |
3518 | |
3519 | @return Return 0 if access if granted, otherwise an appropriate |
3520 | value for errno should be returned. |
3521 | */ |
3522 | typedef int mpo_socket_check_getsockopt_t( |
3523 | kauth_cred_t cred, |
3524 | socket_t so, |
3525 | struct label *socklabel, |
3526 | struct sockopt *sopt |
3527 | ); |
3528 | /** |
3529 | @brief Label a socket |
3530 | @param oldsock Listening socket |
3531 | @param oldlabel Policy label associated with oldsock |
3532 | @param newsock New socket |
3533 | @param newlabel Policy label associated with newsock |
3534 | |
3535 | A new socket is created when a connection is accept(2)ed. This |
3536 | function labels the new socket based on the existing listen(2)ing |
3537 | socket. |
3538 | */ |
3539 | typedef void mpo_socket_label_associate_accept_t( |
3540 | socket_t oldsock, |
3541 | struct label *oldlabel, |
3542 | socket_t newsock, |
3543 | struct label *newlabel |
3544 | ); |
3545 | /** |
3546 | @brief Assign a label to a new socket |
3547 | @param cred Credential of the owning process |
3548 | @param so The socket being labeled |
3549 | @param solabel The label |
3550 | @warning cred can be NULL |
3551 | |
3552 | Set the label on a newly created socket from the passed subject |
3553 | credential. This call is made when a socket is created. The |
3554 | credentials may be null if the socket is being created by the |
3555 | kernel. |
3556 | */ |
3557 | typedef void mpo_socket_label_associate_t( |
3558 | kauth_cred_t cred, |
3559 | socket_t so, |
3560 | struct label *solabel |
3561 | ); |
3562 | /** |
3563 | @brief Copy a socket label |
3564 | @param src Source label |
3565 | @param dest Destination label |
3566 | |
3567 | Copy the socket label information in src into dest. |
3568 | */ |
3569 | typedef void mpo_socket_label_copy_t( |
3570 | struct label *src, |
3571 | struct label *dest |
3572 | ); |
3573 | /** |
3574 | @brief Destroy socket label |
3575 | @param label The label to be destroyed |
3576 | |
3577 | Destroy a socket label. Since the object is going out of |
3578 | scope, policy modules should free any internal storage associated |
3579 | with the label so that it may be destroyed. |
3580 | */ |
3581 | typedef void mpo_socket_label_destroy_t( |
3582 | struct label *label |
3583 | ); |
3584 | /** |
3585 | @brief Externalize a socket label |
3586 | @param label Label to be externalized |
3587 | @param element_name Name of the label namespace for which labels should be |
3588 | externalized |
3589 | @param sb String buffer to be filled with a text representation of label |
3590 | |
3591 | Produce an externalized socket label based on the label structure passed. |
3592 | An externalized label consists of a text representation of the label |
3593 | contents that can be used with userland applications and read by the |
3594 | user. If element_name does not match a namespace managed by the policy, |
3595 | simply return 0. Only return nonzero if an error occurs while externalizing |
3596 | the label data. |
3597 | |
3598 | @return In the event of an error, an appropriate value for errno |
3599 | should be returned, otherwise return 0 upon success. |
3600 | */ |
3601 | typedef int mpo_socket_label_externalize_t( |
3602 | struct label *label, |
3603 | char *element_name, |
3604 | struct sbuf *sb |
3605 | ); |
3606 | /** |
3607 | @brief Initialize socket label |
3608 | @param label New label to initialize |
3609 | @param waitok Malloc flags |
3610 | |
3611 | Initialize the label of a newly instantiated socket. The waitok |
3612 | field may be one of M_WAITOK and M_NOWAIT, and should be employed to |
3613 | avoid performing a sleeping malloc(9) during this initialization |
3614 | call. It it not always safe to sleep during this entry point. |
3615 | |
3616 | @warning Since it is possible for the waitok flags to be set to |
3617 | M_NOWAIT, the malloc operation may fail. |
3618 | |
3619 | @return In the event of an error, an appropriate value for errno |
3620 | should be returned, otherwise return 0 upon success. |
3621 | */ |
3622 | typedef int mpo_socket_label_init_t( |
3623 | struct label *label, |
3624 | int waitok |
3625 | ); |
3626 | /** |
3627 | @brief Internalize a socket label |
3628 | @param label Label to be filled in |
3629 | @param element_name Name of the label namespace for which the label should |
3630 | be internalized |
3631 | @param element_data Text data to be internalized |
3632 | |
3633 | Produce an internal socket label structure based on externalized label |
3634 | data in text format. |
3635 | |
3636 | The policy's internalize entry points will be called only if the |
3637 | policy has registered interest in the label namespace. |
3638 | |
3639 | @return In the event of an error, an appropriate value for errno |
3640 | should be returned, otherwise return 0 upon success. |
3641 | */ |
3642 | typedef int mpo_socket_label_internalize_t( |
3643 | struct label *label, |
3644 | char *element_name, |
3645 | char *element_data |
3646 | ); |
3647 | /** |
3648 | @brief Relabel socket |
3649 | @param cred Subject credential |
3650 | @param so Object; socket |
3651 | @param so_label Current label of the socket |
3652 | @param newlabel The label to be assigned to so |
3653 | |
3654 | The subject identified by the credential has previously requested |
3655 | and was authorized to relabel the socket; this entry point allows |
3656 | policies to perform the actual label update operation. |
3657 | |
3658 | @warning XXX This entry point will likely change in future versions. |
3659 | */ |
3660 | typedef void mpo_socket_label_update_t( |
3661 | kauth_cred_t cred, |
3662 | socket_t so, |
3663 | struct label *so_label, |
3664 | struct label *newlabel |
3665 | ); |
3666 | /** |
3667 | @brief Set the peer label on a socket from mbuf |
3668 | @param m Mbuf chain received on socket so |
3669 | @param m_label Label for m |
3670 | @param so Current label for the socket |
3671 | @param so_label Policy label to be filled out for the socket |
3672 | |
3673 | Set the peer label of a socket based on the label of the sender of the |
3674 | mbuf. |
3675 | |
3676 | This is called for every TCP/IP packet received. The first call for a given |
3677 | socket operates on a newly initialized label, and subsequent calls operate |
3678 | on existing label data. |
3679 | |
3680 | @warning Because this can affect performance significantly, it has |
3681 | different sematics than other 'set' operations. Typically, 'set' operations |
3682 | operate on newly initialzed labels and policies do not need to worry about |
3683 | clobbering existing values. In this case, it is too inefficient to |
3684 | initialize and destroy a label every time data is received for the socket. |
3685 | Instead, it is up to the policies to determine how to replace the label data. |
3686 | Most policies should be able to replace the data inline. |
3687 | */ |
3688 | typedef void mpo_socketpeer_label_associate_mbuf_t( |
3689 | struct mbuf *m, |
3690 | struct label *m_label, |
3691 | socket_t so, |
3692 | struct label *so_label |
3693 | ); |
3694 | /** |
3695 | @brief Set the peer label on a socket from socket |
3696 | @param source Local socket |
3697 | @param sourcelabel Policy label for source |
3698 | @param target Peer socket |
3699 | @param targetlabel Policy label to fill in for target |
3700 | |
3701 | Set the peer label on a stream UNIX domain socket from the passed |
3702 | remote socket endpoint. This call will be made when the socket pair |
3703 | is connected, and will be made for both endpoints. |
3704 | |
3705 | Note that this call is only made on connection; it is currently not updated |
3706 | during communication. |
3707 | */ |
3708 | typedef void mpo_socketpeer_label_associate_socket_t( |
3709 | socket_t source, |
3710 | struct label *sourcelabel, |
3711 | socket_t target, |
3712 | struct label *targetlabel |
3713 | ); |
3714 | /** |
3715 | @brief Destroy socket peer label |
3716 | @param label The peer label to be destroyed |
3717 | |
3718 | Destroy a socket peer label. Since the object is going out of |
3719 | scope, policy modules should free any internal storage associated |
3720 | with the label so that it may be destroyed. |
3721 | */ |
3722 | typedef void mpo_socketpeer_label_destroy_t( |
3723 | struct label *label |
3724 | ); |
3725 | /** |
3726 | @brief Externalize a socket peer label |
3727 | @param label Label to be externalized |
3728 | @param element_name Name of the label namespace for which labels should be |
3729 | externalized |
3730 | @param sb String buffer to be filled with a text representation of label |
3731 | |
3732 | Produce an externalized socket peer label based on the label structure |
3733 | passed. An externalized label consists of a text representation of the |
3734 | label contents that can be used with userland applications and read by the |
3735 | user. If element_name does not match a namespace managed by the policy, |
3736 | simply return 0. Only return nonzero if an error occurs while externalizing |
3737 | the label data. |
3738 | |
3739 | @return In the event of an error, an appropriate value for errno |
3740 | should be returned, otherwise return 0 upon success. |
3741 | */ |
3742 | typedef int mpo_socketpeer_label_externalize_t( |
3743 | struct label *label, |
3744 | char *element_name, |
3745 | struct sbuf *sb |
3746 | ); |
3747 | /** |
3748 | @brief Initialize socket peer label |
3749 | @param label New label to initialize |
3750 | @param waitok Malloc flags |
3751 | |
3752 | Initialize the peer label of a newly instantiated socket. The |
3753 | waitok field may be one of M_WAITOK and M_NOWAIT, and should be |
3754 | employed to avoid performing a sleeping malloc(9) during this |
3755 | initialization call. It it not always safe to sleep during this |
3756 | entry point. |
3757 | |
3758 | @warning Since it is possible for the waitok flags to be set to |
3759 | M_NOWAIT, the malloc operation may fail. |
3760 | |
3761 | @return In the event of an error, an appropriate value for errno |
3762 | should be returned, otherwise return 0 upon success. |
3763 | */ |
3764 | typedef int mpo_socketpeer_label_init_t( |
3765 | struct label *label, |
3766 | int waitok |
3767 | ); |
3768 | /** |
3769 | @brief Access control check for enabling accounting |
3770 | @param cred Subject credential |
3771 | @param vp Accounting file |
3772 | @param vlabel Label associated with vp |
3773 | |
3774 | Determine whether the subject should be allowed to enable accounting, |
3775 | based on its label and the label of the accounting log file. See |
3776 | acct(5) for more information. |
3777 | |
3778 | As accounting is disabled by passing NULL to the acct(2) system call, |
3779 | the policy should be prepared for both 'vp' and 'vlabel' to be NULL. |
3780 | |
3781 | @return Return 0 if access is granted, otherwise an appropriate value for |
3782 | errno should be returned. |
3783 | */ |
3784 | typedef int mpo_system_check_acct_t( |
3785 | kauth_cred_t cred, |
3786 | struct vnode *vp, |
3787 | struct label *vlabel |
3788 | ); |
3789 | /** |
3790 | @brief Access control check for audit |
3791 | @param cred Subject credential |
3792 | @param record Audit record |
3793 | @param length Audit record length |
3794 | |
3795 | Determine whether the subject identified by the credential can submit |
3796 | an audit record for inclusion in the audit log via the audit() system call. |
3797 | |
3798 | @return Return 0 if access is granted, otherwise an appropriate value for |
3799 | errno should be returned. |
3800 | */ |
3801 | typedef int mpo_system_check_audit_t( |
3802 | kauth_cred_t cred, |
3803 | void *record, |
3804 | int length |
3805 | ); |
3806 | /** |
3807 | @brief Access control check for controlling audit |
3808 | @param cred Subject credential |
3809 | @param vp Audit file |
3810 | @param vl Label associated with vp |
3811 | |
3812 | Determine whether the subject should be allowed to enable auditing using |
3813 | the auditctl() system call, based on its label and the label of the proposed |
3814 | audit file. |
3815 | |
3816 | @return Return 0 if access is granted, otherwise an appropriate value for |
3817 | errno should be returned. |
3818 | */ |
3819 | typedef int mpo_system_check_auditctl_t( |
3820 | kauth_cred_t cred, |
3821 | struct vnode *vp, |
3822 | struct label *vl |
3823 | ); |
3824 | /** |
3825 | @brief Access control check for manipulating auditing |
3826 | @param cred Subject credential |
3827 | @param cmd Audit control command |
3828 | |
3829 | Determine whether the subject identified by the credential can perform |
3830 | the audit subsystem control operation cmd via the auditon() system call. |
3831 | |
3832 | @return Return 0 if access is granted, otherwise an appropriate value for |
3833 | errno should be returned. |
3834 | */ |
3835 | typedef int mpo_system_check_auditon_t( |
3836 | kauth_cred_t cred, |
3837 | int cmd |
3838 | ); |
3839 | /** |
3840 | @brief Access control check for using CHUD facilities |
3841 | @param cred Subject credential |
3842 | |
3843 | Determine whether the subject identified by the credential can perform |
3844 | performance-related tasks using the CHUD system call. This interface is |
3845 | deprecated. |
3846 | |
3847 | @return Return 0 if access is granted, otherwise an appropriate value for |
3848 | errno should be returned. |
3849 | */ |
3850 | typedef int mpo_system_check_chud_t( |
3851 | kauth_cred_t cred |
3852 | ); |
3853 | /** |
3854 | @brief Access control check for obtaining the host control port |
3855 | @param cred Subject credential |
3856 | |
3857 | Determine whether the subject identified by the credential can |
3858 | obtain the host control port. |
3859 | |
3860 | @return Return 0 if access is granted, or non-zero otherwise. |
3861 | */ |
3862 | typedef int mpo_system_check_host_priv_t( |
3863 | kauth_cred_t cred |
3864 | ); |
3865 | /** |
3866 | @brief Access control check for obtaining system information |
3867 | @param cred Subject credential |
3868 | @param info_type A description of the information requested |
3869 | |
3870 | Determine whether the subject identified by the credential should be |
3871 | allowed to obtain information about the system. |
3872 | |
3873 | This is a generic hook that can be used in a variety of situations where |
3874 | information is being returned that might be considered sensitive. |
3875 | Rather than adding a new MAC hook for every such interface, this hook can |
3876 | be called with a string identifying the type of information requested. |
3877 | |
3878 | @return Return 0 if access is granted, otherwise an appropriate value for |
3879 | errno should be returned. |
3880 | */ |
3881 | typedef int mpo_system_check_info_t( |
3882 | kauth_cred_t cred, |
3883 | const char *info_type |
3884 | ); |
3885 | /** |
3886 | @brief Access control check for calling NFS services |
3887 | @param cred Subject credential |
3888 | |
3889 | Determine whether the subject identified by the credential should be |
3890 | allowed to call nfssrv(2). |
3891 | |
3892 | @return Return 0 if access is granted, otherwise an appropriate value for |
3893 | errno should be returned. |
3894 | */ |
3895 | typedef int mpo_system_check_nfsd_t( |
3896 | kauth_cred_t cred |
3897 | ); |
3898 | /** |
3899 | @brief Access control check for reboot |
3900 | @param cred Subject credential |
3901 | @param howto howto parameter from reboot(2) |
3902 | |
3903 | Determine whether the subject identified by the credential should be |
3904 | allowed to reboot the system in the specified manner. |
3905 | |
3906 | @return Return 0 if access is granted, otherwise an appropriate value for |
3907 | errno should be returned. |
3908 | */ |
3909 | typedef int mpo_system_check_reboot_t( |
3910 | kauth_cred_t cred, |
3911 | int howto |
3912 | ); |
3913 | /** |
3914 | @brief Access control check for setting system clock |
3915 | @param cred Subject credential |
3916 | |
3917 | Determine whether the subject identified by the credential should be |
3918 | allowed to set the system clock. |
3919 | |
3920 | @return Return 0 if access is granted, otherwise an appropriate value for |
3921 | errno should be returned. |
3922 | */ |
3923 | typedef int mpo_system_check_settime_t( |
3924 | kauth_cred_t cred |
3925 | ); |
3926 | /** |
3927 | @brief Access control check for removing swap devices |
3928 | @param cred Subject credential |
3929 | @param vp Swap device |
3930 | @param label Label associated with vp |
3931 | |
3932 | Determine whether the subject identified by the credential should be |
3933 | allowed to remove vp as a swap device. |
3934 | |
3935 | @return Return 0 if access is granted, otherwise an appropriate value for |
3936 | errno should be returned. |
3937 | */ |
3938 | typedef int mpo_system_check_swapoff_t( |
3939 | kauth_cred_t cred, |
3940 | struct vnode *vp, |
3941 | struct label *label |
3942 | ); |
3943 | /** |
3944 | @brief Access control check for adding swap devices |
3945 | @param cred Subject credential |
3946 | @param vp Swap device |
3947 | @param label Label associated with vp |
3948 | |
3949 | Determine whether the subject identified by the credential should be |
3950 | allowed to add vp as a swap device. |
3951 | |
3952 | @return Return 0 if access is granted, otherwise an appropriate value for |
3953 | errno should be returned. |
3954 | */ |
3955 | typedef int mpo_system_check_swapon_t( |
3956 | kauth_cred_t cred, |
3957 | struct vnode *vp, |
3958 | struct label *label |
3959 | ); |
3960 | /** |
3961 | @brief Access control check for sysctl |
3962 | @param cred Subject credential |
3963 | @param namestring String representation of sysctl name. |
3964 | @param name Integer name; see sysctl(3) |
3965 | @param namelen Length of name array of integers; see sysctl(3) |
3966 | @param old 0 or address where to store old value; see sysctl(3) |
3967 | @param oldlen Length of old buffer; see sysctl(3) |
3968 | @param newvalue 0 or address of new value; see sysctl(3) |
3969 | @param newlen Length of new buffer; see sysctl(3) |
3970 | |
3971 | Determine whether the subject identified by the credential should be |
3972 | allowed to make the specified sysctl(3) transaction. |
3973 | |
3974 | The sysctl(3) call specifies that if the old value is not desired, |
3975 | oldp and oldlenp should be set to NULL. Likewise, if a new value is |
3976 | not to be set, newp should be set to NULL and newlen set to 0. |
3977 | |
3978 | @return Return 0 if access is granted, otherwise an appropriate value for |
3979 | errno should be returned. |
3980 | */ |
3981 | typedef int mpo_system_check_sysctlbyname_t( |
3982 | kauth_cred_t cred, |
3983 | const char *namestring, |
3984 | int *name, |
3985 | u_int namelen, |
3986 | user_addr_t old, /* NULLOK */ |
3987 | size_t oldlen, |
3988 | user_addr_t newvalue, /* NULLOK */ |
3989 | size_t newlen |
3990 | ); |
3991 | /** |
3992 | @brief Access control check for kas_info |
3993 | @param cred Subject credential |
3994 | @param selector Category of information to return. See kas_info.h |
3995 | |
3996 | Determine whether the subject identified by the credential can perform |
3997 | introspection of the kernel address space layout for |
3998 | debugging/performance analysis. |
3999 | |
4000 | @return Return 0 if access is granted, otherwise an appropriate value for |
4001 | errno should be returned. |
4002 | */ |
4003 | typedef int mpo_system_check_kas_info_t( |
4004 | kauth_cred_t cred, |
4005 | int selector |
4006 | ); |
4007 | /** |
4008 | @brief Create a System V message label |
4009 | @param cred Subject credential |
4010 | @param msqptr The message queue the message will be placed in |
4011 | @param msqlabel The label of the message queue |
4012 | @param msgptr The message |
4013 | @param msglabel The label of the message |
4014 | |
4015 | Label the message as its placed in the message queue. |
4016 | */ |
4017 | typedef void mpo_sysvmsg_label_associate_t( |
4018 | kauth_cred_t cred, |
4019 | struct msqid_kernel *msqptr, |
4020 | struct label *msqlabel, |
4021 | struct msg *msgptr, |
4022 | struct label *msglabel |
4023 | ); |
4024 | /** |
4025 | @brief Destroy System V message label |
4026 | @param label The label to be destroyed |
4027 | |
4028 | Destroy a System V message label. Since the object is |
4029 | going out of scope, policy modules should free any internal storage |
4030 | associated with the label so that it may be destroyed. |
4031 | */ |
4032 | typedef void mpo_sysvmsg_label_destroy_t( |
4033 | struct label *label |
4034 | ); |
4035 | /** |
4036 | @brief Initialize System V message label |
4037 | @param label New label to initialize |
4038 | |
4039 | Initialize the label for a newly instantiated System V message. |
4040 | */ |
4041 | typedef void mpo_sysvmsg_label_init_t( |
4042 | struct label *label |
4043 | ); |
4044 | /** |
4045 | @brief Clean up a System V message label |
4046 | @param label The label to be destroyed |
4047 | |
4048 | Clean up a System V message label. Darwin pre-allocates |
4049 | messages at system boot time and re-uses them rather than |
4050 | allocating new ones. Before messages are returned to the "free |
4051 | pool", policies can cleanup or overwrite any information present in |
4052 | the label. |
4053 | */ |
4054 | typedef void mpo_sysvmsg_label_recycle_t( |
4055 | struct label *label |
4056 | ); |
4057 | /** |
4058 | @brief Access control check for System V message enqueuing |
4059 | @param cred Subject credential |
4060 | @param msgptr The message |
4061 | @param msglabel The message's label |
4062 | @param msqptr The message queue |
4063 | @param msqlabel The message queue's label |
4064 | |
4065 | Determine whether the subject identified by the credential can add the |
4066 | given message to the given message queue. |
4067 | |
4068 | @return Return 0 if access is granted, otherwise an appropriate value for |
4069 | errno should be returned. |
4070 | */ |
4071 | typedef int mpo_sysvmsq_check_enqueue_t( |
4072 | kauth_cred_t cred, |
4073 | struct msg *msgptr, |
4074 | struct label *msglabel, |
4075 | struct msqid_kernel *msqptr, |
4076 | struct label *msqlabel |
4077 | ); |
4078 | /** |
4079 | @brief Access control check for System V message reception |
4080 | @param cred The credential of the intended recipient |
4081 | @param msgptr The message |
4082 | @param msglabel The message's label |
4083 | |
4084 | Determine whether the subject identified by the credential can receive |
4085 | the given message. |
4086 | |
4087 | @return Return 0 if access is granted, otherwise an appropriate value for |
4088 | errno should be returned. |
4089 | */ |
4090 | typedef int mpo_sysvmsq_check_msgrcv_t( |
4091 | kauth_cred_t cred, |
4092 | struct msg *msgptr, |
4093 | struct label *msglabel |
4094 | ); |
4095 | /** |
4096 | @brief Access control check for System V message queue removal |
4097 | @param cred The credential of the caller |
4098 | @param msgptr The message |
4099 | @param msglabel The message's label |
4100 | |
4101 | System V message queues are removed using the msgctl() system call. |
4102 | The system will iterate over each messsage in the queue, calling this |
4103 | function for each, to determine whether the caller has the appropriate |
4104 | credentials. |
4105 | |
4106 | @return Return 0 if access is granted, otherwise an appropriate value for |
4107 | errno should be returned. |
4108 | */ |
4109 | typedef int mpo_sysvmsq_check_msgrmid_t( |
4110 | kauth_cred_t cred, |
4111 | struct msg *msgptr, |
4112 | struct label *msglabel |
4113 | ); |
4114 | /** |
4115 | @brief Access control check for msgctl() |
4116 | @param cred The credential of the caller |
4117 | @param msqptr The message queue |
4118 | @param msqlabel The message queue's label |
4119 | |
4120 | This access check is performed to validate calls to msgctl(). |
4121 | |
4122 | @return Return 0 if access is granted, otherwise an appropriate value for |
4123 | errno should be returned. |
4124 | */ |
4125 | typedef int mpo_sysvmsq_check_msqctl_t( |
4126 | kauth_cred_t cred, |
4127 | struct msqid_kernel *msqptr, |
4128 | struct label *msqlabel, |
4129 | int cmd |
4130 | ); |
4131 | /** |
4132 | @brief Access control check to get a System V message queue |
4133 | @param cred The credential of the caller |
4134 | @param msqptr The message queue requested |
4135 | @param msqlabel The message queue's label |
4136 | |
4137 | On a call to msgget(), if the queue requested already exists, |
4138 | and it is a public queue, this check will be performed before the |
4139 | queue's ID is returned to the user. |
4140 | |
4141 | @return Return 0 if access is granted, otherwise an appropriate value for |
4142 | errno should be returned. |
4143 | */ |
4144 | typedef int mpo_sysvmsq_check_msqget_t( |
4145 | kauth_cred_t cred, |
4146 | struct msqid_kernel *msqptr, |
4147 | struct label *msqlabel |
4148 | ); |
4149 | /** |
4150 | @brief Access control check to receive a System V message from the given queue |
4151 | @param cred The credential of the caller |
4152 | @param msqptr The message queue to receive from |
4153 | @param msqlabel The message queue's label |
4154 | |
4155 | On a call to msgrcv(), this check is performed to determine whether the |
4156 | caller has receive rights on the given queue. |
4157 | |
4158 | @return Return 0 if access is granted, otherwise an appropriate value for |
4159 | errno should be returned. |
4160 | */ |
4161 | typedef int mpo_sysvmsq_check_msqrcv_t( |
4162 | kauth_cred_t cred, |
4163 | struct msqid_kernel *msqptr, |
4164 | struct label *msqlabel |
4165 | ); |
4166 | /** |
4167 | @brief Access control check to send a System V message to the given queue |
4168 | @param cred The credential of the caller |
4169 | @param msqptr The message queue to send to |
4170 | @param msqlabel The message queue's label |
4171 | |
4172 | On a call to msgsnd(), this check is performed to determine whether the |
4173 | caller has send rights on the given queue. |
4174 | |
4175 | @return Return 0 if access is granted, otherwise an appropriate value for |
4176 | errno should be returned. |
4177 | */ |
4178 | typedef int mpo_sysvmsq_check_msqsnd_t( |
4179 | kauth_cred_t cred, |
4180 | struct msqid_kernel *msqptr, |
4181 | struct label *msqlabel |
4182 | ); |
4183 | /** |
4184 | @brief Create a System V message queue label |
4185 | @param cred Subject credential |
4186 | @param msqptr The message queue |
4187 | @param msqlabel The label of the message queue |
4188 | |
4189 | */ |
4190 | typedef void mpo_sysvmsq_label_associate_t( |
4191 | kauth_cred_t cred, |
4192 | struct msqid_kernel *msqptr, |
4193 | struct label *msqlabel |
4194 | ); |
4195 | /** |
4196 | @brief Destroy System V message queue label |
4197 | @param label The label to be destroyed |
4198 | |
4199 | Destroy a System V message queue label. Since the object is |
4200 | going out of scope, policy modules should free any internal storage |
4201 | associated with the label so that it may be destroyed. |
4202 | */ |
4203 | typedef void mpo_sysvmsq_label_destroy_t( |
4204 | struct label *label |
4205 | ); |
4206 | /** |
4207 | @brief Initialize System V message queue label |
4208 | @param label New label to initialize |
4209 | |
4210 | Initialize the label for a newly instantiated System V message queue. |
4211 | */ |
4212 | typedef void mpo_sysvmsq_label_init_t( |
4213 | struct label *label |
4214 | ); |
4215 | /** |
4216 | @brief Clean up a System V message queue label |
4217 | @param label The label to be destroyed |
4218 | |
4219 | Clean up a System V message queue label. Darwin pre-allocates |
4220 | message queues at system boot time and re-uses them rather than |
4221 | allocating new ones. Before message queues are returned to the "free |
4222 | pool", policies can cleanup or overwrite any information present in |
4223 | the label. |
4224 | */ |
4225 | typedef void mpo_sysvmsq_label_recycle_t( |
4226 | struct label *label |
4227 | ); |
4228 | /** |
4229 | @brief Access control check for System V semaphore control operation |
4230 | @param cred Subject credential |
4231 | @param semakptr Pointer to semaphore identifier |
4232 | @param semaklabel Label associated with semaphore |
4233 | @param cmd Control operation to be performed; see semctl(2) |
4234 | |
4235 | Determine whether the subject identified by the credential can perform |
4236 | the operation indicated by cmd on the System V semaphore semakptr. |
4237 | |
4238 | @return Return 0 if access is granted, otherwise an appropriate value for |
4239 | errno should be returned. |
4240 | */ |
4241 | typedef int mpo_sysvsem_check_semctl_t( |
4242 | kauth_cred_t cred, |
4243 | struct semid_kernel *semakptr, |
4244 | struct label *semaklabel, |
4245 | int cmd |
4246 | ); |
4247 | /** |
4248 | @brief Access control check for obtaining a System V semaphore |
4249 | @param cred Subject credential |
4250 | @param semakptr Pointer to semaphore identifier |
4251 | @param semaklabel Label to associate with the semaphore |
4252 | |
4253 | Determine whether the subject identified by the credential can |
4254 | obtain a System V semaphore. |
4255 | |
4256 | @return Return 0 if access is granted, otherwise an appropriate value for |
4257 | errno should be returned. |
4258 | */ |
4259 | typedef int mpo_sysvsem_check_semget_t( |
4260 | kauth_cred_t cred, |
4261 | struct semid_kernel *semakptr, |
4262 | struct label *semaklabel |
4263 | ); |
4264 | /** |
4265 | @brief Access control check for System V semaphore operations |
4266 | @param cred Subject credential |
4267 | @param semakptr Pointer to semaphore identifier |
4268 | @param semaklabel Label associated with the semaphore |
4269 | @param accesstype Flags to indicate access (read and/or write) |
4270 | |
4271 | Determine whether the subject identified by the credential can |
4272 | perform the operations on the System V semaphore indicated by |
4273 | semakptr. The accesstype flags hold the maximum set of permissions |
4274 | from the sem_op array passed to the semop system call. It may |
4275 | contain SEM_R for read-only operations or SEM_A for read/write |
4276 | operations. |
4277 | |
4278 | @return Return 0 if access is granted, otherwise an appropriate value for |
4279 | errno should be returned. |
4280 | */ |
4281 | typedef int mpo_sysvsem_check_semop_t( |
4282 | kauth_cred_t cred, |
4283 | struct semid_kernel *semakptr, |
4284 | struct label *semaklabel, |
4285 | size_t accesstype |
4286 | ); |
4287 | /** |
4288 | @brief Create a System V semaphore label |
4289 | @param cred Subject credential |
4290 | @param semakptr The semaphore being created |
4291 | @param semalabel Label to associate with the new semaphore |
4292 | |
4293 | Label a new System V semaphore. The label was previously |
4294 | initialized and associated with the semaphore. At this time, an |
4295 | appropriate initial label value should be assigned to the object and |
4296 | stored in semalabel. |
4297 | */ |
4298 | typedef void mpo_sysvsem_label_associate_t( |
4299 | kauth_cred_t cred, |
4300 | struct semid_kernel *semakptr, |
4301 | struct label *semalabel |
4302 | ); |
4303 | /** |
4304 | @brief Destroy System V semaphore label |
4305 | @param label The label to be destroyed |
4306 | |
4307 | Destroy a System V semaphore label. Since the object is |
4308 | going out of scope, policy modules should free any internal storage |
4309 | associated with the label so that it may be destroyed. |
4310 | */ |
4311 | typedef void mpo_sysvsem_label_destroy_t( |
4312 | struct label *label |
4313 | ); |
4314 | /** |
4315 | @brief Initialize System V semaphore label |
4316 | @param label New label to initialize |
4317 | |
4318 | Initialize the label for a newly instantiated System V semaphore. Sleeping |
4319 | is permitted. |
4320 | */ |
4321 | typedef void mpo_sysvsem_label_init_t( |
4322 | struct label *label |
4323 | ); |
4324 | /** |
4325 | @brief Clean up a System V semaphore label |
4326 | @param label The label to be cleaned |
4327 | |
4328 | Clean up a System V semaphore label. Darwin pre-allocates |
4329 | semaphores at system boot time and re-uses them rather than |
4330 | allocating new ones. Before semaphores are returned to the "free |
4331 | pool", policies can cleanup or overwrite any information present in |
4332 | the label. |
4333 | */ |
4334 | typedef void mpo_sysvsem_label_recycle_t( |
4335 | struct label *label |
4336 | ); |
4337 | /** |
4338 | @brief Access control check for mapping System V shared memory |
4339 | @param cred Subject credential |
4340 | @param shmsegptr Pointer to shared memory segment identifier |
4341 | @param shmseglabel Label associated with the shared memory segment |
4342 | @param shmflg shmat flags; see shmat(2) |
4343 | |
4344 | Determine whether the subject identified by the credential can map |
4345 | the System V shared memory segment associated with shmsegptr. |
4346 | |
4347 | @return Return 0 if access is granted, otherwise an appropriate value for |
4348 | errno should be returned. |
4349 | */ |
4350 | typedef int mpo_sysvshm_check_shmat_t( |
4351 | kauth_cred_t cred, |
4352 | struct shmid_kernel *shmsegptr, |
4353 | struct label *shmseglabel, |
4354 | int shmflg |
4355 | ); |
4356 | /** |
4357 | @brief Access control check for System V shared memory control operation |
4358 | @param cred Subject credential |
4359 | @param shmsegptr Pointer to shared memory segment identifier |
4360 | @param shmseglabel Label associated with the shared memory segment |
4361 | @param cmd Control operation to be performed; see shmctl(2) |
4362 | |
4363 | Determine whether the subject identified by the credential can perform |
4364 | the operation indicated by cmd on the System V shared memory segment |
4365 | shmsegptr. |
4366 | |
4367 | @return Return 0 if access is granted, otherwise an appropriate value for |
4368 | errno should be returned. |
4369 | */ |
4370 | typedef int mpo_sysvshm_check_shmctl_t( |
4371 | kauth_cred_t cred, |
4372 | struct shmid_kernel *shmsegptr, |
4373 | struct label *shmseglabel, |
4374 | int cmd |
4375 | ); |
4376 | /** |
4377 | @brief Access control check for unmapping System V shared memory |
4378 | @param cred Subject credential |
4379 | @param shmsegptr Pointer to shared memory segment identifier |
4380 | @param shmseglabel Label associated with the shared memory segment |
4381 | |
4382 | Determine whether the subject identified by the credential can unmap |
4383 | the System V shared memory segment associated with shmsegptr. |
4384 | |
4385 | @return Return 0 if access is granted, otherwise an appropriate value for |
4386 | errno should be returned. |
4387 | */ |
4388 | typedef int mpo_sysvshm_check_shmdt_t( |
4389 | kauth_cred_t cred, |
4390 | struct shmid_kernel *shmsegptr, |
4391 | struct label *shmseglabel |
4392 | ); |
4393 | /** |
4394 | @brief Access control check obtaining System V shared memory identifier |
4395 | @param cred Subject credential |
4396 | @param shmsegptr Pointer to shared memory segment identifier |
4397 | @param shmseglabel Label associated with the shared memory segment |
4398 | @param shmflg shmget flags; see shmget(2) |
4399 | |
4400 | Determine whether the subject identified by the credential can get |
4401 | the System V shared memory segment address. |
4402 | |
4403 | @return Return 0 if access is granted, otherwise an appropriate value for |
4404 | errno should be returned. |
4405 | */ |
4406 | typedef int mpo_sysvshm_check_shmget_t( |
4407 | kauth_cred_t cred, |
4408 | struct shmid_kernel *shmsegptr, |
4409 | struct label *shmseglabel, |
4410 | int shmflg |
4411 | ); |
4412 | /** |
4413 | @brief Create a System V shared memory region label |
4414 | @param cred Subject credential |
4415 | @param shmsegptr The shared memory region being created |
4416 | @param shmlabel Label to associate with the new shared memory region |
4417 | |
4418 | Label a new System V shared memory region. The label was previously |
4419 | initialized and associated with the shared memory region. At this |
4420 | time, an appropriate initial label value should be assigned to the |
4421 | object and stored in shmlabel. |
4422 | */ |
4423 | typedef void mpo_sysvshm_label_associate_t( |
4424 | kauth_cred_t cred, |
4425 | struct shmid_kernel *shmsegptr, |
4426 | struct label *shmlabel |
4427 | ); |
4428 | /** |
4429 | @brief Destroy System V shared memory label |
4430 | @param label The label to be destroyed |
4431 | |
4432 | Destroy a System V shared memory region label. Since the |
4433 | object is going out of scope, policy modules should free any |
4434 | internal storage associated with the label so that it may be |
4435 | destroyed. |
4436 | */ |
4437 | typedef void mpo_sysvshm_label_destroy_t( |
4438 | struct label *label |
4439 | ); |
4440 | /** |
4441 | @brief Initialize System V Shared Memory region label |
4442 | @param label New label to initialize |
4443 | |
4444 | Initialize the label for a newly instantiated System V Shared Memory |
4445 | region. Sleeping is permitted. |
4446 | */ |
4447 | typedef void mpo_sysvshm_label_init_t( |
4448 | struct label *label |
4449 | ); |
4450 | /** |
4451 | @brief Clean up a System V Share Memory Region label |
4452 | @param shmlabel The label to be cleaned |
4453 | |
4454 | Clean up a System V Shared Memory Region label. Darwin |
4455 | pre-allocates these objects at system boot time and re-uses them |
4456 | rather than allocating new ones. Before the memory regions are |
4457 | returned to the "free pool", policies can cleanup or overwrite any |
4458 | information present in the label. |
4459 | */ |
4460 | typedef void mpo_sysvshm_label_recycle_t( |
4461 | struct label *shmlabel |
4462 | ); |
4463 | /** |
4464 | @brief Access control check for getting a process's task name |
4465 | @param cred Subject credential |
4466 | @param p Object process |
4467 | |
4468 | Determine whether the subject identified by the credential can get |
4469 | the passed process's task name port. |
4470 | This call is used by the task_name_for_pid(2) API. |
4471 | |
4472 | @return Return 0 if access is granted, otherwise an appropriate value for |
4473 | errno should be returned. Suggested failure: EACCES for label mismatch, |
4474 | EPERM for lack of privilege, or ESRCH to hide visibility of the target. |
4475 | */ |
4476 | typedef int mpo_proc_check_get_task_name_t( |
4477 | kauth_cred_t cred, |
4478 | struct proc *p |
4479 | ); |
4480 | /** |
4481 | @brief Access control check for getting a process's task port |
4482 | @param cred Subject credential |
4483 | @param p Object process |
4484 | |
4485 | Determine whether the subject identified by the credential can get |
4486 | the passed process's task control port. |
4487 | This call is used by the task_for_pid(2) API. |
4488 | |
4489 | @return Return 0 if access is granted, otherwise an appropriate value for |
4490 | errno should be returned. Suggested failure: EACCES for label mismatch, |
4491 | EPERM for lack of privilege, or ESRCH to hide visibility of the target. |
4492 | */ |
4493 | typedef int mpo_proc_check_get_task_t( |
4494 | kauth_cred_t cred, |
4495 | struct proc *p |
4496 | ); |
4497 | |
4498 | /** |
4499 | @brief Access control check for exposing a process's task port |
4500 | @param cred Subject credential |
4501 | @param p Object process |
4502 | |
4503 | Determine whether the subject identified by the credential can expose |
4504 | the passed process's task control port. |
4505 | This call is used by the accessor APIs like processor_set_tasks() and |
4506 | processor_set_threads(). |
4507 | |
4508 | @return Return 0 if access is granted, otherwise an appropriate value for |
4509 | errno should be returned. Suggested failure: EACCES for label mismatch, |
4510 | EPERM for lack of privilege, or ESRCH to hide visibility of the target. |
4511 | */ |
4512 | typedef int mpo_proc_check_expose_task_t( |
4513 | kauth_cred_t cred, |
4514 | struct proc *p |
4515 | ); |
4516 | |
4517 | /** |
4518 | @brief Check whether task's IPC may inherit across process exec |
4519 | @param p current process instance |
4520 | @param cur_vp vnode pointer to current instance |
4521 | @param cur_offset offset of binary of currently executing image |
4522 | @param img_vp vnode pointer to to be exec'ed image |
4523 | @param img_offset offset into file which is selected for execution |
4524 | @param scriptvp vnode pointer of script file if any. |
4525 | @return Return 0 if access is granted. |
4526 | EPERM if parent does not have any entitlements. |
4527 | EACCESS if mismatch in entitlements |
4528 | */ |
4529 | typedef int mpo_proc_check_inherit_ipc_ports_t( |
4530 | struct proc *p, |
4531 | struct vnode *cur_vp, |
4532 | off_t cur_offset, |
4533 | struct vnode *img_vp, |
4534 | off_t img_offset, |
4535 | struct vnode *scriptvp |
4536 | ); |
4537 | |
4538 | /** |
4539 | @brief Privilege check for a process to run invalid |
4540 | @param p Object process |
4541 | |
4542 | Determine whether the process may execute even though the system determined |
4543 | that it is untrusted (eg unidentified / modified code). |
4544 | |
4545 | @return Return 0 if access is granted, otherwise an appropriate value for |
4546 | errno should be returned. |
4547 | */ |
4548 | typedef int mpo_proc_check_run_cs_invalid_t( |
4549 | struct proc *p |
4550 | ); |
4551 | |
4552 | /** |
4553 | @brief Notification a process is finished with exec and will jump to userspace |
4554 | @param p Object process |
4555 | |
4556 | Notifies all MAC policies that a process has completed an exec and is about to |
4557 | jump to userspace to continue execution. This may result in process termination |
4558 | via signals. Hook is designed to hold no/minimal locks so it can be used for any |
4559 | necessary upcalls. |
4560 | */ |
4561 | typedef void mpo_proc_notify_exec_complete_t( |
4562 | struct proc *p |
4563 | ); |
4564 | |
4565 | /** |
4566 | @brief Perform MAC-related events when a thread returns to user space |
4567 | @param thread Mach (not BSD) thread that is returning |
4568 | |
4569 | This entry point permits policy modules to perform MAC-related |
4570 | events when a thread returns to user space, via a system call |
4571 | return or trap return. |
4572 | */ |
4573 | typedef void mpo_thread_userret_t( |
4574 | struct thread *thread |
4575 | ); |
4576 | |
4577 | /** |
4578 | @brief Check vnode access |
4579 | @param cred Subject credential |
4580 | @param vp Object vnode |
4581 | @param label Label for vp |
4582 | @param acc_mode access(2) flags |
4583 | |
4584 | Determine how invocations of access(2) and related calls by the |
4585 | subject identified by the credential should return when performed |
4586 | on the passed vnode using the passed access flags. This should |
4587 | generally be implemented using the same semantics used in |
4588 | mpo_vnode_check_open. |
4589 | |
4590 | @return Return 0 if access is granted, otherwise an appropriate value for |
4591 | errno should be returned. Suggested failure: EACCES for label mismatch or |
4592 | EPERM for lack of privilege. |
4593 | */ |
4594 | typedef int mpo_vnode_check_access_t( |
4595 | kauth_cred_t cred, |
4596 | struct vnode *vp, |
4597 | struct label *label, |
4598 | int acc_mode |
4599 | ); |
4600 | /** |
4601 | @brief Access control check for changing working directory |
4602 | @param cred Subject credential |
4603 | @param dvp Object; vnode to chdir(2) into |
4604 | @param dlabel Policy label for dvp |
4605 | |
4606 | Determine whether the subject identified by the credential can change |
4607 | the process working directory to the passed vnode. |
4608 | |
4609 | @return Return 0 if access is granted, otherwise an appropriate value for |
4610 | errno should be returned. Suggested failure: EACCES for label mismatch or |
4611 | EPERM for lack of privilege. |
4612 | */ |
4613 | typedef int mpo_vnode_check_chdir_t( |
4614 | kauth_cred_t cred, |
4615 | struct vnode *dvp, |
4616 | struct label *dlabel |
4617 | ); |
4618 | /** |
4619 | @brief Access control check for changing root directory |
4620 | @param cred Subject credential |
4621 | @param dvp Directory vnode |
4622 | @param dlabel Policy label associated with dvp |
4623 | @param cnp Component name for dvp |
4624 | |
4625 | Determine whether the subject identified by the credential should be |
4626 | allowed to chroot(2) into the specified directory (dvp). |
4627 | |
4628 | @return In the event of an error, an appropriate value for errno |
4629 | should be returned, otherwise return 0 upon success. |
4630 | */ |
4631 | typedef int mpo_vnode_check_chroot_t( |
4632 | kauth_cred_t cred, |
4633 | struct vnode *dvp, |
4634 | struct label *dlabel, |
4635 | struct componentname *cnp |
4636 | ); |
4637 | /** |
4638 | @brief Access control check for creating clone |
4639 | @param cred Subject credential |
4640 | @param dvp Vnode of directory to create the clone in |
4641 | @param dlabel Policy label associated with dvp |
4642 | @param vp Vnode of the file to clone from |
4643 | @param label Policy label associated with vp |
4644 | @param cnp Component name for the clone being created |
4645 | |
4646 | Determine whether the subject identified by the credential should be |
4647 | allowed to create a clone of the vnode vp with the name specified by cnp. |
4648 | |
4649 | @return Return 0 if access is granted, otherwise an appropriate value for |
4650 | errno should be returned. |
4651 | */ |
4652 | typedef int mpo_vnode_check_clone_t( |
4653 | kauth_cred_t cred, |
4654 | struct vnode *dvp, |
4655 | struct label *dlabel, |
4656 | struct vnode *vp, |
4657 | struct label *label, |
4658 | struct componentname *cnp |
4659 | ); |
4660 | /** |
4661 | @brief Access control check for creating vnode |
4662 | @param cred Subject credential |
4663 | @param dvp Directory vnode |
4664 | @param dlabel Policy label for dvp |
4665 | @param cnp Component name for dvp |
4666 | @param vap vnode attributes for vap |
4667 | |
4668 | Determine whether the subject identified by the credential can create |
4669 | a vnode with the passed parent directory, passed name information, |
4670 | and passed attribute information. This call may be made in a number of |
4671 | situations, including as a result of calls to open(2) with O_CREAT, |
4672 | mknod(2), mkfifo(2), and others. |
4673 | |
4674 | @return Return 0 if access is granted, otherwise an appropriate value for |
4675 | errno should be returned. Suggested failure: EACCES for label mismatch or |
4676 | EPERM for lack of privilege. |
4677 | */ |
4678 | typedef int mpo_vnode_check_create_t( |
4679 | kauth_cred_t cred, |
4680 | struct vnode *dvp, |
4681 | struct label *dlabel, |
4682 | struct componentname *cnp, |
4683 | struct vnode_attr *vap |
4684 | ); |
4685 | /** |
4686 | @brief Access control check for deleting extended attribute |
4687 | @param cred Subject credential |
4688 | @param vp Object vnode |
4689 | @param vlabel Label associated with vp |
4690 | @param name Extended attribute name |
4691 | |
4692 | Determine whether the subject identified by the credential can delete |
4693 | the extended attribute from the passed vnode. |
4694 | |
4695 | @return Return 0 if access is granted, otherwise an appropriate value for |
4696 | errno should be returned. Suggested failure: EACCES for label mismatch or |
4697 | EPERM for lack of privilege. |
4698 | */ |
4699 | typedef int mpo_vnode_check_deleteextattr_t( |
4700 | kauth_cred_t cred, |
4701 | struct vnode *vp, |
4702 | struct label *vlabel, |
4703 | const char *name |
4704 | ); |
4705 | /** |
4706 | @brief Access control check for exchanging file data |
4707 | @param cred Subject credential |
4708 | @param v1 vnode 1 to swap |
4709 | @param vl1 Policy label for v1 |
4710 | @param v2 vnode 2 to swap |
4711 | @param vl2 Policy label for v2 |
4712 | |
4713 | Determine whether the subject identified by the credential can swap the data |
4714 | in the two supplied vnodes. |
4715 | |
4716 | @return Return 0 if access is granted, otherwise an appropriate value for |
4717 | errno should be returned. Suggested failure: EACCES for label mismatch or |
4718 | EPERM for lack of privilege. |
4719 | */ |
4720 | typedef int mpo_vnode_check_exchangedata_t( |
4721 | kauth_cred_t cred, |
4722 | struct vnode *v1, |
4723 | struct label *vl1, |
4724 | struct vnode *v2, |
4725 | struct label *vl2 |
4726 | ); |
4727 | /** |
4728 | @brief Access control check for executing the vnode |
4729 | @param cred Subject credential |
4730 | @param vp Object vnode to execute |
4731 | @param scriptvp Script being executed by interpreter, if any. |
4732 | @param vnodelabel Label corresponding to vp |
4733 | @param scriptlabel Script vnode label |
4734 | @param execlabel Userspace provided execution label |
4735 | @param cnp Component name for file being executed |
4736 | @param macpolicyattr MAC policy-specific spawn attribute data. |
4737 | @param macpolicyattrlen Length of policy-specific spawn attribute data. |
4738 | |
4739 | Determine whether the subject identified by the credential can execute |
4740 | the passed vnode. Determination of execute privilege is made separately |
4741 | from decisions about any process label transitioning event. |
4742 | |
4743 | The final label, execlabel, corresponds to a label supplied by a |
4744 | user space application through the use of the mac_execve system call. |
4745 | This label will be NULL if the user application uses the the vendor |
4746 | execve(2) call instead of the MAC Framework mac_execve() call. |
4747 | |
4748 | @return Return 0 if access is granted, otherwise an appropriate value for |
4749 | errno should be returned. Suggested failure: EACCES for label mismatch or |
4750 | EPERM for lack of privilege. |
4751 | */ |
4752 | typedef int mpo_vnode_check_exec_t( |
4753 | kauth_cred_t cred, |
4754 | struct vnode *vp, |
4755 | struct vnode *scriptvp, |
4756 | struct label *vnodelabel, |
4757 | struct label *scriptlabel, |
4758 | struct label *execlabel, /* NULLOK */ |
4759 | struct componentname *cnp, |
4760 | u_int *csflags, |
4761 | void *macpolicyattr, |
4762 | size_t macpolicyattrlen |
4763 | ); |
4764 | /** |
4765 | @brief Access control check for fsgetpath |
4766 | @param cred Subject credential |
4767 | @param vp Vnode for which a path will be returned |
4768 | @param label Label associated with the vnode |
4769 | |
4770 | Determine whether the subject identified by the credential can get the path |
4771 | of the given vnode with fsgetpath. |
4772 | |
4773 | @return Return 0 if access is granted, otherwise an appropriate value for |
4774 | errno should be returned. |
4775 | */ |
4776 | typedef int mpo_vnode_check_fsgetpath_t( |
4777 | kauth_cred_t cred, |
4778 | struct vnode *vp, |
4779 | struct label *label |
4780 | ); |
4781 | /** |
4782 | @brief Access control check for retrieving file attributes |
4783 | @param active_cred Subject credential |
4784 | @param file_cred Credential associated with the struct fileproc |
4785 | @param vp Object vnode |
4786 | @param vlabel Policy label for vp |
4787 | @param va Vnode attributes to retrieve |
4788 | |
4789 | Determine whether the subject identified by the credential can |
4790 | get information about the passed vnode. The active_cred hold |
4791 | the credentials of the subject performing the operation, and |
4792 | file_cred holds the credentials of the subject that originally |
4793 | opened the file. This check happens during stat(), lstat(), |
4794 | fstat(), and getattrlist() syscalls. See <sys/vnode.h> for |
4795 | definitions of the attributes. |
4796 | |
4797 | @return Return 0 if access is granted, otherwise an appropriate value for |
4798 | errno should be returned. |
4799 | |
4800 | @note Policies may change the contents of va to alter the list of |
4801 | file attributes returned. |
4802 | */ |
4803 | typedef int mpo_vnode_check_getattr_t( |
4804 | kauth_cred_t active_cred, |
4805 | kauth_cred_t file_cred, /* NULLOK */ |
4806 | struct vnode *vp, |
4807 | struct label *vlabel, |
4808 | struct vnode_attr *va |
4809 | ); |
4810 | /** |
4811 | @brief Access control check for retrieving file attributes |
4812 | @param cred Subject credential |
4813 | @param vp Object vnode |
4814 | @param vlabel Policy label for vp |
4815 | @param alist List of attributes to retrieve |
4816 | |
4817 | Determine whether the subject identified by the credential can read |
4818 | various attributes of the specified vnode, or the filesystem or volume on |
4819 | which that vnode resides. See <sys/attr.h> for definitions of the |
4820 | attributes. |
4821 | |
4822 | @return Return 0 if access is granted, otherwise an appropriate value for |
4823 | errno should be returned. Suggested failure: EACCES for label mismatch or |
4824 | EPERM for lack of privilege. Access control covers all attributes requested |
4825 | with this call; the security policy is not permitted to change the set of |
4826 | attributes requested. |
4827 | */ |
4828 | typedef int mpo_vnode_check_getattrlist_t( |
4829 | kauth_cred_t cred, |
4830 | struct vnode *vp, |
4831 | struct label *vlabel, |
4832 | struct attrlist *alist |
4833 | ); |
4834 | /** |
4835 | @brief Access control check for retrieving an extended attribute |
4836 | @param cred Subject credential |
4837 | @param vp Object vnode |
4838 | @param label Policy label for vp |
4839 | @param name Extended attribute name |
4840 | @param uio I/O structure pointer |
4841 | |
4842 | Determine whether the subject identified by the credential can retrieve |
4843 | the extended attribute from the passed vnode. The uio parameter |
4844 | will be NULL when the getxattr(2) call has been made with a NULL data |
4845 | value; this is done to request the size of the data only. |
4846 | |
4847 | @return Return 0 if access is granted, otherwise an appropriate value for |
4848 | errno should be returned. Suggested failure: EACCES for label mismatch or |
4849 | EPERM for lack of privilege. |
4850 | */ |
4851 | typedef int mpo_vnode_check_getextattr_t( |
4852 | kauth_cred_t cred, |
4853 | struct vnode *vp, |
4854 | struct label *label, /* NULLOK */ |
4855 | const char *name, |
4856 | struct uio *uio /* NULLOK */ |
4857 | ); |
4858 | /** |
4859 | @brief Access control check for ioctl |
4860 | @param cred Subject credential |
4861 | @param vp Object vnode |
4862 | @param label Policy label for vp |
4863 | @param cmd Device-dependent request code; see ioctl(2) |
4864 | |
4865 | Determine whether the subject identified by the credential can perform |
4866 | the ioctl operation indicated by com. |
4867 | |
4868 | @warning Since ioctl data is opaque from the standpoint of the MAC |
4869 | framework, and since ioctls can affect many aspects of system |
4870 | operation, policies must exercise extreme care when implementing |
4871 | access control checks. |
4872 | |
4873 | @return Return 0 if access is granted, otherwise an appropriate value for |
4874 | errno should be returned. |
4875 | */ |
4876 | typedef int mpo_vnode_check_ioctl_t( |
4877 | kauth_cred_t cred, |
4878 | struct vnode *vp, |
4879 | struct label *label, |
4880 | unsigned int cmd |
4881 | ); |
4882 | /** |
4883 | @brief Access control check for vnode kqfilter |
4884 | @param active_cred Subject credential |
4885 | @param kn Object knote |
4886 | @param vp Object vnode |
4887 | @param label Policy label for vp |
4888 | |
4889 | Determine whether the subject identified by the credential can |
4890 | receive the knote on the passed vnode. |
4891 | |
4892 | @return Return 0 if access if granted, otherwise an appropriate |
4893 | value for errno should be returned. |
4894 | */ |
4895 | typedef int mpo_vnode_check_kqfilter_t( |
4896 | kauth_cred_t active_cred, |
4897 | kauth_cred_t file_cred, /* NULLOK */ |
4898 | struct knote *kn, |
4899 | struct vnode *vp, |
4900 | struct label *label |
4901 | ); |
4902 | /** |
4903 | @brief Access control check for relabel |
4904 | @param cred Subject credential |
4905 | @param vp Object vnode |
4906 | @param vnodelabel Existing policy label for vp |
4907 | @param newlabel Policy label update to later be applied to vp |
4908 | @see mpo_relable_vnode_t |
4909 | |
4910 | Determine whether the subject identified by the credential can relabel |
4911 | the passed vnode to the passed label update. If all policies permit |
4912 | the label change, the actual relabel entry point (mpo_vnode_label_update) |
4913 | will follow. |
4914 | |
4915 | @return Return 0 if access is granted, otherwise an appropriate value for |
4916 | errno should be returned. |
4917 | */ |
4918 | typedef int mpo_vnode_check_label_update_t( |
4919 | struct ucred *cred, |
4920 | struct vnode *vp, |
4921 | struct label *vnodelabel, |
4922 | struct label *newlabel |
4923 | ); |
4924 | /** |
4925 | @brief Access control check for creating link |
4926 | @param cred Subject credential |
4927 | @param dvp Directory vnode |
4928 | @param dlabel Policy label associated with dvp |
4929 | @param vp Link destination vnode |
4930 | @param label Policy label associated with vp |
4931 | @param cnp Component name for the link being created |
4932 | |
4933 | Determine whether the subject identified by the credential should be |
4934 | allowed to create a link to the vnode vp with the name specified by cnp. |
4935 | |
4936 | @return Return 0 if access is granted, otherwise an appropriate value for |
4937 | errno should be returned. |
4938 | */ |
4939 | typedef int mpo_vnode_check_link_t( |
4940 | kauth_cred_t cred, |
4941 | struct vnode *dvp, |
4942 | struct label *dlabel, |
4943 | struct vnode *vp, |
4944 | struct label *label, |
4945 | struct componentname *cnp |
4946 | ); |
4947 | /** |
4948 | @brief Access control check for listing extended attributes |
4949 | @param cred Subject credential |
4950 | @param vp Object vnode |
4951 | @param vlabel Policy label associated with vp |
4952 | |
4953 | Determine whether the subject identified by the credential can retrieve |
4954 | a list of named extended attributes from a vnode. |
4955 | |
4956 | @return Return 0 if access is granted, otherwise an appropriate value for |
4957 | errno should be returned. |
4958 | */ |
4959 | typedef int mpo_vnode_check_listextattr_t( |
4960 | kauth_cred_t cred, |
4961 | struct vnode *vp, |
4962 | struct label *vlabel |
4963 | ); |
4964 | /** |
4965 | @brief Access control check for lookup |
4966 | @param cred Subject credential |
4967 | @param dvp Directory vnode |
4968 | @param dlabel Policy label for dvp |
4969 | @param path Path being looked up |
4970 | @param pathlen Length of path in bytes |
4971 | |
4972 | Determine whether the subject identified by the credential can perform |
4973 | a lookup of the passed path relative to the passed directory vnode. |
4974 | |
4975 | @return Return 0 if access is granted, otherwise an appropriate value for |
4976 | errno should be returned. Suggested failure: EACCES for label mismatch or |
4977 | EPERM for lack of privilege. |
4978 | |
4979 | @note The path may contain untrusted input. If approved, lookup proceeds |
4980 | on the path; if a component is found to be a symlink then this hook is |
4981 | called again with the updated path. |
4982 | */ |
4983 | typedef int mpo_vnode_check_lookup_preflight_t( |
4984 | kauth_cred_t cred, |
4985 | struct vnode *dvp, |
4986 | struct label *dlabel, |
4987 | const char *path, |
4988 | size_t pathlen |
4989 | ); |
4990 | /** |
4991 | @brief Access control check for lookup |
4992 | @param cred Subject credential |
4993 | @param dvp Object vnode |
4994 | @param dlabel Policy label for dvp |
4995 | @param cnp Component name being looked up |
4996 | |
4997 | Determine whether the subject identified by the credential can perform |
4998 | a lookup in the passed directory vnode for the passed name (cnp). |
4999 | |
5000 | @return Return 0 if access is granted, otherwise an appropriate value for |
5001 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5002 | EPERM for lack of privilege. |
5003 | */ |
5004 | typedef int mpo_vnode_check_lookup_t( |
5005 | kauth_cred_t cred, |
5006 | struct vnode *dvp, |
5007 | struct label *dlabel, |
5008 | struct componentname *cnp |
5009 | ); |
5010 | /** |
5011 | @brief Access control check for open |
5012 | @param cred Subject credential |
5013 | @param vp Object vnode |
5014 | @param label Policy label associated with vp |
5015 | @param acc_mode open(2) access mode |
5016 | |
5017 | Determine whether the subject identified by the credential can perform |
5018 | an open operation on the passed vnode with the passed access mode. |
5019 | |
5020 | @return Return 0 if access is granted, otherwise an appropriate value for |
5021 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5022 | EPERM for lack of privilege. |
5023 | */ |
5024 | typedef int mpo_vnode_check_open_t( |
5025 | kauth_cred_t cred, |
5026 | struct vnode *vp, |
5027 | struct label *label, |
5028 | int acc_mode |
5029 | ); |
5030 | /** |
5031 | @brief Access control check for read |
5032 | @param active_cred Subject credential |
5033 | @param file_cred Credential associated with the struct fileproc |
5034 | @param vp Object vnode |
5035 | @param label Policy label for vp |
5036 | |
5037 | Determine whether the subject identified by the credential can perform |
5038 | a read operation on the passed vnode. The active_cred hold the credentials |
5039 | of the subject performing the operation, and file_cred holds the |
5040 | credentials of the subject that originally opened the file. |
5041 | |
5042 | @return Return 0 if access is granted, otherwise an appropriate value for |
5043 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5044 | EPERM for lack of privilege. |
5045 | */ |
5046 | typedef int mpo_vnode_check_read_t( |
5047 | kauth_cred_t active_cred, /* SUBJECT */ |
5048 | kauth_cred_t file_cred, /* NULLOK */ |
5049 | struct vnode *vp, /* OBJECT */ |
5050 | struct label *label /* LABEL */ |
5051 | ); |
5052 | /** |
5053 | @brief Access control check for read directory |
5054 | @param cred Subject credential |
5055 | @param dvp Object directory vnode |
5056 | @param dlabel Policy label for dvp |
5057 | |
5058 | Determine whether the subject identified by the credential can |
5059 | perform a readdir operation on the passed directory vnode. |
5060 | |
5061 | @return Return 0 if access is granted, otherwise an appropriate value for |
5062 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5063 | EPERM for lack of privilege. |
5064 | */ |
5065 | typedef int mpo_vnode_check_readdir_t( |
5066 | kauth_cred_t cred, /* SUBJECT */ |
5067 | struct vnode *dvp, /* OBJECT */ |
5068 | struct label *dlabel /* LABEL */ |
5069 | ); |
5070 | /** |
5071 | @brief Access control check for read link |
5072 | @param cred Subject credential |
5073 | @param vp Object vnode |
5074 | @param label Policy label for vp |
5075 | |
5076 | Determine whether the subject identified by the credential can perform |
5077 | a readlink operation on the passed symlink vnode. This call can be made |
5078 | in a number of situations, including an explicit readlink call by the |
5079 | user process, or as a result of an implicit readlink during a name |
5080 | lookup by the process. |
5081 | |
5082 | @return Return 0 if access is granted, otherwise an appropriate value for |
5083 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5084 | EPERM for lack of privilege. |
5085 | */ |
5086 | typedef int mpo_vnode_check_readlink_t( |
5087 | kauth_cred_t cred, |
5088 | struct vnode *vp, |
5089 | struct label *label |
5090 | ); |
5091 | /** |
5092 | @brief Access control check for rename |
5093 | @param cred Subject credential |
5094 | @param dvp Directory vnode |
5095 | @param dlabel Policy label associated with dvp |
5096 | @param vp vnode to be renamed |
5097 | @param label Policy label associated with vp |
5098 | @param cnp Component name for vp |
5099 | @param tdvp Destination directory vnode |
5100 | @param tdlabel Policy label associated with tdvp |
5101 | @param tvp Overwritten vnode |
5102 | @param tlabel Policy label associated with tvp |
5103 | @param tcnp Destination component name |
5104 | |
5105 | Determine whether the subject identified by the credential should be allowed |
5106 | to rename the vnode vp to something else. |
5107 | |
5108 | @return Return 0 if access is granted, otherwise an appropriate value for |
5109 | errno should be returned. |
5110 | */ |
5111 | typedef int mpo_vnode_check_rename_t( |
5112 | kauth_cred_t cred, |
5113 | struct vnode *dvp, |
5114 | struct label *dlabel, |
5115 | struct vnode *vp, |
5116 | struct label *label, |
5117 | struct componentname *cnp, |
5118 | struct vnode *tdvp, |
5119 | struct label *tdlabel, |
5120 | struct vnode *tvp, |
5121 | struct label *tlabel, |
5122 | struct componentname *tcnp |
5123 | ); |
5124 | /** |
5125 | @brief Access control check for rename from |
5126 | @param cred Subject credential |
5127 | @param dvp Directory vnode |
5128 | @param dlabel Policy label associated with dvp |
5129 | @param vp vnode to be renamed |
5130 | @param label Policy label associated with vp |
5131 | @param cnp Component name for vp |
5132 | @see mpo_vnode_check_rename_t |
5133 | @see mpo_vnode_check_rename_to_t |
5134 | |
5135 | Determine whether the subject identified by the credential should be |
5136 | allowed to rename the vnode vp to something else. |
5137 | |
5138 | Due to VFS locking constraints (to make sure proper vnode locks are |
5139 | held during this entry point), the vnode relabel checks had to be |
5140 | split into two parts: relabel_from and relabel to. |
5141 | |
5142 | This hook is deprecated, mpo_vnode_check_rename_t should be used instead. |
5143 | |
5144 | @return Return 0 if access is granted, otherwise an appropriate value for |
5145 | errno should be returned. |
5146 | */ |
5147 | typedef int mpo_vnode_check_rename_from_t( |
5148 | kauth_cred_t cred, |
5149 | struct vnode *dvp, |
5150 | struct label *dlabel, |
5151 | struct vnode *vp, |
5152 | struct label *label, |
5153 | struct componentname *cnp |
5154 | ); |
5155 | /** |
5156 | @brief Access control check for rename to |
5157 | @param cred Subject credential |
5158 | @param dvp Directory vnode |
5159 | @param dlabel Policy label associated with dvp |
5160 | @param vp Overwritten vnode |
5161 | @param label Policy label associated with vp |
5162 | @param samedir Boolean; 1 if the source and destination directories are the same |
5163 | @param cnp Destination component name |
5164 | @see mpo_vnode_check_rename_t |
5165 | @see mpo_vnode_check_rename_from_t |
5166 | |
5167 | Determine whether the subject identified by the credential should be |
5168 | allowed to rename to the vnode vp, into the directory dvp, or to the |
5169 | name represented by cnp. If there is no existing file to overwrite, |
5170 | vp and label will be NULL. |
5171 | |
5172 | Due to VFS locking constraints (to make sure proper vnode locks are |
5173 | held during this entry point), the vnode relabel checks had to be |
5174 | split into two parts: relabel_from and relabel to. |
5175 | |
5176 | This hook is deprecated, mpo_vnode_check_rename_t should be used instead. |
5177 | |
5178 | @return Return 0 if access is granted, otherwise an appropriate value for |
5179 | errno should be returned. |
5180 | */ |
5181 | typedef int mpo_vnode_check_rename_to_t( |
5182 | kauth_cred_t cred, |
5183 | struct vnode *dvp, |
5184 | struct label *dlabel, |
5185 | struct vnode *vp, /* NULLOK */ |
5186 | struct label *label, /* NULLOK */ |
5187 | int samedir, |
5188 | struct componentname *cnp |
5189 | ); |
5190 | /** |
5191 | @brief Access control check for revoke |
5192 | @param cred Subject credential |
5193 | @param vp Object vnode |
5194 | @param label Policy label for vp |
5195 | |
5196 | Determine whether the subject identified by the credential can revoke |
5197 | access to the passed vnode. |
5198 | |
5199 | @return Return 0 if access is granted, otherwise an appropriate value for |
5200 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5201 | EPERM for lack of privilege. |
5202 | */ |
5203 | typedef int mpo_vnode_check_revoke_t( |
5204 | kauth_cred_t cred, |
5205 | struct vnode *vp, |
5206 | struct label *label |
5207 | ); |
5208 | /** |
5209 | @brief Access control check for searchfs |
5210 | @param cred Subject credential |
5211 | @param vp Object vnode |
5212 | @param vlabel Policy label for vp |
5213 | @param alist List of attributes used as search criteria |
5214 | |
5215 | Determine whether the subject identified by the credential can search the |
5216 | vnode using the searchfs system call. |
5217 | |
5218 | @return Return 0 if access is granted, otherwise an appropriate value for |
5219 | errno should be returned. |
5220 | */ |
5221 | typedef int mpo_vnode_check_searchfs_t( |
5222 | kauth_cred_t cred, |
5223 | struct vnode *vp, |
5224 | struct label *vlabel, |
5225 | struct attrlist *alist |
5226 | ); |
5227 | /** |
5228 | @brief Access control check for select |
5229 | @param cred Subject credential |
5230 | @param vp Object vnode |
5231 | @param label Policy label for vp |
5232 | @param which The operation selected on: FREAD or FWRITE |
5233 | |
5234 | Determine whether the subject identified by the credential can select |
5235 | the vnode. |
5236 | |
5237 | @return Return 0 if access is granted, otherwise an appropriate value for |
5238 | errno should be returned. |
5239 | */ |
5240 | typedef int mpo_vnode_check_select_t( |
5241 | kauth_cred_t cred, |
5242 | struct vnode *vp, |
5243 | struct label *label, |
5244 | int which |
5245 | ); |
5246 | /** |
5247 | @brief Access control check for setting ACL |
5248 | @param cred Subject credential |
5249 | @param vp Object node |
5250 | @param label Policy label for vp |
5251 | @param acl ACL structure pointer |
5252 | |
5253 | Determine whether the subject identified by the credential can set an ACL |
5254 | on the specified vnode. The ACL pointer will be NULL when removing an ACL. |
5255 | |
5256 | @return Return 0 if access is granted, otherwise an appropriate value for |
5257 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5258 | EPERM for lack of privilege. |
5259 | */ |
5260 | typedef int mpo_vnode_check_setacl_t( |
5261 | kauth_cred_t cred, |
5262 | struct vnode *vp, |
5263 | struct label *label, |
5264 | struct kauth_acl *acl |
5265 | ); |
5266 | /** |
5267 | @brief Access control check for setting file attributes |
5268 | @param cred Subject credential |
5269 | @param vp Object vnode |
5270 | @param vlabel Policy label for vp |
5271 | @param alist List of attributes to set |
5272 | |
5273 | Determine whether the subject identified by the credential can set |
5274 | various attributes of the specified vnode, or the filesystem or volume on |
5275 | which that vnode resides. See <sys/attr.h> for definitions of the |
5276 | attributes. |
5277 | |
5278 | @return Return 0 if access is granted, otherwise an appropriate value for |
5279 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5280 | EPERM for lack of privilege. Access control covers all attributes requested |
5281 | with this call. |
5282 | */ |
5283 | typedef int mpo_vnode_check_setattrlist_t( |
5284 | kauth_cred_t cred, |
5285 | struct vnode *vp, |
5286 | struct label *vlabel, |
5287 | struct attrlist *alist |
5288 | ); |
5289 | /** |
5290 | @brief Access control check for setting extended attribute |
5291 | @param cred Subject credential |
5292 | @param vp Object vnode |
5293 | @param label Policy label for vp |
5294 | @param name Extended attribute name |
5295 | @param uio I/O structure pointer |
5296 | |
5297 | Determine whether the subject identified by the credential can set the |
5298 | extended attribute of passed name and passed namespace on the passed |
5299 | vnode. Policies implementing security labels backed into extended |
5300 | attributes may want to provide additional protections for those |
5301 | attributes. Additionally, policies should avoid making decisions based |
5302 | on the data referenced from uio, as there is a potential race condition |
5303 | between this check and the actual operation. The uio may also be NULL |
5304 | if a delete operation is being performed. |
5305 | |
5306 | @return Return 0 if access is granted, otherwise an appropriate value for |
5307 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5308 | EPERM for lack of privilege. |
5309 | */ |
5310 | typedef int mpo_vnode_check_setextattr_t( |
5311 | kauth_cred_t cred, |
5312 | struct vnode *vp, |
5313 | struct label *label, |
5314 | const char *name, |
5315 | struct uio *uio |
5316 | ); |
5317 | /** |
5318 | @brief Access control check for setting flags |
5319 | @param cred Subject credential |
5320 | @param vp Object vnode |
5321 | @param label Policy label for vp |
5322 | @param flags File flags; see chflags(2) |
5323 | |
5324 | Determine whether the subject identified by the credential can set |
5325 | the passed flags on the passed vnode. |
5326 | |
5327 | @return Return 0 if access is granted, otherwise an appropriate value for |
5328 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5329 | EPERM for lack of privilege. |
5330 | */ |
5331 | typedef int mpo_vnode_check_setflags_t( |
5332 | kauth_cred_t cred, |
5333 | struct vnode *vp, |
5334 | struct label *label, |
5335 | u_long flags |
5336 | ); |
5337 | /** |
5338 | @brief Access control check for setting mode |
5339 | @param cred Subject credential |
5340 | @param vp Object vnode |
5341 | @param label Policy label for vp |
5342 | @param mode File mode; see chmod(2) |
5343 | |
5344 | Determine whether the subject identified by the credential can set |
5345 | the passed mode on the passed vnode. |
5346 | |
5347 | @return Return 0 if access is granted, otherwise an appropriate value for |
5348 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5349 | EPERM for lack of privilege. |
5350 | */ |
5351 | typedef int mpo_vnode_check_setmode_t( |
5352 | kauth_cred_t cred, |
5353 | struct vnode *vp, |
5354 | struct label *label, |
5355 | mode_t mode |
5356 | ); |
5357 | /** |
5358 | @brief Access control check for setting uid and gid |
5359 | @param cred Subject credential |
5360 | @param vp Object vnode |
5361 | @param label Policy label for vp |
5362 | @param uid User ID |
5363 | @param gid Group ID |
5364 | |
5365 | Determine whether the subject identified by the credential can set |
5366 | the passed uid and passed gid as file uid and file gid on the passed |
5367 | vnode. The IDs may be set to (-1) to request no update. |
5368 | |
5369 | @return Return 0 if access is granted, otherwise an appropriate value for |
5370 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5371 | EPERM for lack of privilege. |
5372 | */ |
5373 | typedef int mpo_vnode_check_setowner_t( |
5374 | kauth_cred_t cred, |
5375 | struct vnode *vp, |
5376 | struct label *label, |
5377 | uid_t uid, |
5378 | gid_t gid |
5379 | ); |
5380 | /** |
5381 | @brief Access control check for setting timestamps |
5382 | @param cred Subject credential |
5383 | @param vp Object vnode |
5384 | @param label Policy label for vp |
5385 | @param atime Access time; see utimes(2) |
5386 | @param mtime Modification time; see utimes(2) |
5387 | |
5388 | Determine whether the subject identified by the credential can set |
5389 | the passed access timestamps on the passed vnode. |
5390 | |
5391 | @return Return 0 if access is granted, otherwise an appropriate value for |
5392 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5393 | EPERM for lack of privilege. |
5394 | */ |
5395 | typedef int mpo_vnode_check_setutimes_t( |
5396 | kauth_cred_t cred, |
5397 | struct vnode *vp, |
5398 | struct label *label, |
5399 | struct timespec atime, |
5400 | struct timespec mtime |
5401 | ); |
5402 | /** |
5403 | @brief Access control check after determining the code directory hash |
5404 | @param vp vnode vnode to combine into proc |
5405 | @param label label associated with the vnode |
5406 | @param cpu_type cpu type of the signature being checked |
5407 | @param cs_blob the code signature to check |
5408 | @param cs_flags update code signing flags if needed |
5409 | @param signer_type output parameter for the code signature's signer type |
5410 | @param flags operational flag to mpo_vnode_check_signature |
5411 | @param fatal_failure_desc description of fatal failure |
5412 | @param fatal_failure_desc_len failure description len, failure is fatal if non-0 |
5413 | |
5414 | @return Return 0 if access is granted, otherwise an appropriate value for |
5415 | errno should be returned. |
5416 | */ |
5417 | typedef int mpo_vnode_check_signature_t( |
5418 | struct vnode *vp, |
5419 | struct label *label, |
5420 | cpu_type_t cpu_type, |
5421 | struct cs_blob *cs_blob, |
5422 | unsigned int *cs_flags, |
5423 | unsigned int *signer_type, |
5424 | int flags, |
5425 | char **fatal_failure_desc, size_t *fatal_failure_desc_len |
5426 | ); |
5427 | /** |
5428 | @brief Access control check for stat |
5429 | @param active_cred Subject credential |
5430 | @param file_cred Credential associated with the struct fileproc |
5431 | @param vp Object vnode |
5432 | @param label Policy label for vp |
5433 | |
5434 | Determine whether the subject identified by the credential can stat |
5435 | the passed vnode. See stat(2) for more information. The active_cred |
5436 | hold the credentials of the subject performing the operation, and |
5437 | file_cred holds the credentials of the subject that originally |
5438 | opened the file. |
5439 | |
5440 | @return Return 0 if access is granted, otherwise an appropriate value for |
5441 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5442 | EPERM for lack of privilege. |
5443 | */ |
5444 | typedef int mpo_vnode_check_stat_t( |
5445 | struct ucred *active_cred, |
5446 | struct ucred *file_cred, /* NULLOK */ |
5447 | struct vnode *vp, |
5448 | struct label *label |
5449 | ); |
5450 | /** |
5451 | @brief Access control check for vnode trigger resolution |
5452 | @param cred Subject credential |
5453 | @param dvp Object vnode |
5454 | @param dlabel Policy label for dvp |
5455 | @param cnp Component name that triggered resolution |
5456 | |
5457 | Determine whether the subject identified by the credential can trigger |
5458 | resolution of the passed name (cnp) in the passed directory vnode |
5459 | via an external trigger resolver. |
5460 | |
5461 | @return Return 0 if access is granted, otherwise an appropriate value for |
5462 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5463 | EPERM for lack of privilege. |
5464 | */ |
5465 | typedef int mpo_vnode_check_trigger_resolve_t( |
5466 | kauth_cred_t cred, |
5467 | struct vnode *dvp, |
5468 | struct label *dlabel, |
5469 | struct componentname *cnp |
5470 | ); |
5471 | /** |
5472 | @brief Access control check for truncate/ftruncate |
5473 | @param active_cred Subject credential |
5474 | @param file_cred Credential associated with the struct fileproc |
5475 | @param vp Object vnode |
5476 | @param label Policy label for vp |
5477 | |
5478 | Determine whether the subject identified by the credential can |
5479 | perform a truncate operation on the passed vnode. The active_cred hold |
5480 | the credentials of the subject performing the operation, and |
5481 | file_cred holds the credentials of the subject that originally |
5482 | opened the file. |
5483 | |
5484 | @return Return 0 if access is granted, otherwise an appropriate value for |
5485 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5486 | EPERM for lack of privilege. |
5487 | */ |
5488 | typedef int mpo_vnode_check_truncate_t( |
5489 | kauth_cred_t active_cred, |
5490 | kauth_cred_t file_cred, /* NULLOK */ |
5491 | struct vnode *vp, |
5492 | struct label *label |
5493 | ); |
5494 | /** |
5495 | @brief Access control check for binding UNIX domain socket |
5496 | @param cred Subject credential |
5497 | @param dvp Directory vnode |
5498 | @param dlabel Policy label for dvp |
5499 | @param cnp Component name for dvp |
5500 | @param vap vnode attributes for vap |
5501 | |
5502 | Determine whether the subject identified by the credential can perform a |
5503 | bind operation on a UNIX domain socket with the passed parent directory, |
5504 | passed name information, and passed attribute information. |
5505 | |
5506 | @return Return 0 if access is granted, otherwise an appropriate value for |
5507 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5508 | EPERM for lack of privilege. |
5509 | */ |
5510 | typedef int mpo_vnode_check_uipc_bind_t( |
5511 | kauth_cred_t cred, |
5512 | struct vnode *dvp, |
5513 | struct label *dlabel, |
5514 | struct componentname *cnp, |
5515 | struct vnode_attr *vap |
5516 | ); |
5517 | /** |
5518 | @brief Access control check for connecting UNIX domain socket |
5519 | @param cred Subject credential |
5520 | @param vp Object vnode |
5521 | @param label Policy label associated with vp |
5522 | @param so Socket |
5523 | |
5524 | Determine whether the subject identified by the credential can perform a |
5525 | connect operation on the passed UNIX domain socket vnode. |
5526 | |
5527 | @return Return 0 if access is granted, otherwise an appropriate value for |
5528 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5529 | EPERM for lack of privilege. |
5530 | */ |
5531 | typedef int mpo_vnode_check_uipc_connect_t( |
5532 | kauth_cred_t cred, |
5533 | struct vnode *vp, |
5534 | struct label *label, |
5535 | socket_t so |
5536 | ); |
5537 | /** |
5538 | @brief Access control check for deleting vnode |
5539 | @param cred Subject credential |
5540 | @param dvp Parent directory vnode |
5541 | @param dlabel Policy label for dvp |
5542 | @param vp Object vnode to delete |
5543 | @param label Policy label for vp |
5544 | @param cnp Component name for vp |
5545 | @see mpo_check_rename_to_t |
5546 | |
5547 | Determine whether the subject identified by the credential can delete |
5548 | a vnode from the passed parent directory and passed name information. |
5549 | This call may be made in a number of situations, including as a |
5550 | results of calls to unlink(2) and rmdir(2). Policies implementing |
5551 | this entry point should also implement mpo_check_rename_to to |
5552 | authorize deletion of objects as a result of being the target of a rename. |
5553 | |
5554 | @return Return 0 if access is granted, otherwise an appropriate value for |
5555 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5556 | EPERM for lack of privilege. |
5557 | */ |
5558 | typedef int mpo_vnode_check_unlink_t( |
5559 | kauth_cred_t cred, |
5560 | struct vnode *dvp, |
5561 | struct label *dlabel, |
5562 | struct vnode *vp, |
5563 | struct label *label, |
5564 | struct componentname *cnp |
5565 | ); |
5566 | /** |
5567 | @brief Access control check for write |
5568 | @param active_cred Subject credential |
5569 | @param file_cred Credential associated with the struct fileproc |
5570 | @param vp Object vnode |
5571 | @param label Policy label for vp |
5572 | |
5573 | Determine whether the subject identified by the credential can |
5574 | perform a write operation on the passed vnode. The active_cred hold |
5575 | the credentials of the subject performing the operation, and |
5576 | file_cred holds the credentials of the subject that originally |
5577 | opened the file. |
5578 | |
5579 | @return Return 0 if access is granted, otherwise an appropriate value for |
5580 | errno should be returned. Suggested failure: EACCES for label mismatch or |
5581 | EPERM for lack of privilege. |
5582 | */ |
5583 | typedef int mpo_vnode_check_write_t( |
5584 | kauth_cred_t active_cred, |
5585 | kauth_cred_t file_cred, /* NULLOK */ |
5586 | struct vnode *vp, |
5587 | struct label *label |
5588 | ); |
5589 | /** |
5590 | @brief Associate a vnode with a devfs entry |
5591 | @param mp Devfs mount point |
5592 | @param mntlabel Devfs mount point label |
5593 | @param de Devfs directory entry |
5594 | @param delabel Label associated with de |
5595 | @param vp vnode associated with de |
5596 | @param vlabel Label associated with vp |
5597 | |
5598 | Fill in the label (vlabel) for a newly created devfs vnode. The |
5599 | label is typically derived from the label on the devfs directory |
5600 | entry or the label on the filesystem, supplied as parameters. |
5601 | */ |
5602 | typedef void mpo_vnode_label_associate_devfs_t( |
5603 | struct mount *mp, |
5604 | struct label *mntlabel, |
5605 | struct devnode *de, |
5606 | struct label *delabel, |
5607 | struct vnode *vp, |
5608 | struct label *vlabel |
5609 | ); |
5610 | /** |
5611 | @brief Associate a label with a vnode |
5612 | @param mp File system mount point |
5613 | @param mntlabel File system mount point label |
5614 | @param vp Vnode to label |
5615 | @param vlabel Label associated with vp |
5616 | |
5617 | Attempt to retrieve label information for the vnode, vp, from the |
5618 | file system extended attribute store. The label should be stored in |
5619 | the supplied vlabel parameter. If a policy cannot retrieve an |
5620 | extended attribute, sometimes it is acceptible to fallback to using |
5621 | the mntlabel. |
5622 | |
5623 | If the policy requires vnodes to have a valid label elsewhere it |
5624 | MUST NOT return other than temporary errors, and must always provide |
5625 | a valid label of some sort. Returning an error will cause vnode |
5626 | labeling to be retried at a later access. Failure to handle policy |
5627 | centric errors internally (corrupt labels etc.) will result in |
5628 | inaccessible files. |
5629 | |
5630 | @return In the event of an error, an appropriate value for errno |
5631 | should be returned, otherwise return 0 upon success. |
5632 | */ |
5633 | typedef int mpo_vnode_label_associate_extattr_t( |
5634 | struct mount *mp, |
5635 | struct label *mntlabel, |
5636 | struct vnode *vp, |
5637 | struct label *vlabel |
5638 | ); |
5639 | /** |
5640 | @brief Associate a file label with a vnode |
5641 | @param cred User credential |
5642 | @param mp Fdesc mount point |
5643 | @param mntlabel Fdesc mount point label |
5644 | @param fg Fileglob structure |
5645 | @param label Policy label for fg |
5646 | @param vp Vnode to label |
5647 | @param vlabel Label associated with vp |
5648 | |
5649 | Associate label information for the vnode, vp, with the label of |
5650 | the open file descriptor described by fg. |
5651 | The label should be stored in the supplied vlabel parameter. |
5652 | */ |
5653 | typedef void mpo_vnode_label_associate_file_t( |
5654 | struct ucred *cred, |
5655 | struct mount *mp, |
5656 | struct label *mntlabel, |
5657 | struct fileglob *fg, |
5658 | struct label *label, |
5659 | struct vnode *vp, |
5660 | struct label *vlabel |
5661 | ); |
5662 | /** |
5663 | @brief Associate a pipe label with a vnode |
5664 | @param cred User credential for the process that opened the pipe |
5665 | @param cpipe Pipe structure |
5666 | @param pipelabel Label associated with pipe |
5667 | @param vp Vnode to label |
5668 | @param vlabel Label associated with vp |
5669 | |
5670 | Associate label information for the vnode, vp, with the label of |
5671 | the pipe described by the pipe structure cpipe. |
5672 | The label should be stored in the supplied vlabel parameter. |
5673 | */ |
5674 | typedef void mpo_vnode_label_associate_pipe_t( |
5675 | struct ucred *cred, |
5676 | struct pipe *cpipe, |
5677 | struct label *pipelabel, |
5678 | struct vnode *vp, |
5679 | struct label *vlabel |
5680 | ); |
5681 | /** |
5682 | @brief Associate a POSIX semaphore label with a vnode |
5683 | @param cred User credential for the process that create psem |
5684 | @param psem POSIX semaphore structure |
5685 | @param psemlabel Label associated with psem |
5686 | @param vp Vnode to label |
5687 | @param vlabel Label associated with vp |
5688 | |
5689 | Associate label information for the vnode, vp, with the label of |
5690 | the POSIX semaphore described by psem. |
5691 | The label should be stored in the supplied vlabel parameter. |
5692 | */ |
5693 | typedef void mpo_vnode_label_associate_posixsem_t( |
5694 | struct ucred *cred, |
5695 | struct pseminfo *psem, |
5696 | struct label *psemlabel, |
5697 | struct vnode *vp, |
5698 | struct label *vlabel |
5699 | ); |
5700 | /** |
5701 | @brief Associate a POSIX shared memory label with a vnode |
5702 | @param cred User credential for the process that created pshm |
5703 | @param pshm POSIX shared memory structure |
5704 | @param pshmlabel Label associated with pshm |
5705 | @param vp Vnode to label |
5706 | @param vlabel Label associated with vp |
5707 | |
5708 | Associate label information for the vnode, vp, with the label of |
5709 | the POSIX shared memory region described by pshm. |
5710 | The label should be stored in the supplied vlabel parameter. |
5711 | */ |
5712 | typedef void mpo_vnode_label_associate_posixshm_t( |
5713 | struct ucred *cred, |
5714 | struct pshminfo *pshm, |
5715 | struct label *pshmlabel, |
5716 | struct vnode *vp, |
5717 | struct label *vlabel |
5718 | ); |
5719 | /** |
5720 | @brief Associate a label with a vnode |
5721 | @param mp File system mount point |
5722 | @param mntlabel File system mount point label |
5723 | @param vp Vnode to label |
5724 | @param vlabel Label associated with vp |
5725 | |
5726 | On non-multilabel file systems, set the label for a vnode. The |
5727 | label will most likely be based on the file system label. |
5728 | */ |
5729 | typedef void mpo_vnode_label_associate_singlelabel_t( |
5730 | struct mount *mp, |
5731 | struct label *mntlabel, |
5732 | struct vnode *vp, |
5733 | struct label *vlabel |
5734 | ); |
5735 | /** |
5736 | @brief Associate a socket label with a vnode |
5737 | @param cred User credential for the process that opened the socket |
5738 | @param so Socket structure |
5739 | @param solabel Label associated with so |
5740 | @param vp Vnode to label |
5741 | @param vlabel Label associated with vp |
5742 | |
5743 | Associate label information for the vnode, vp, with the label of |
5744 | the open socket described by the socket structure so. |
5745 | The label should be stored in the supplied vlabel parameter. |
5746 | */ |
5747 | typedef void mpo_vnode_label_associate_socket_t( |
5748 | kauth_cred_t cred, |
5749 | socket_t so, |
5750 | struct label *solabel, |
5751 | struct vnode *vp, |
5752 | struct label *vlabel |
5753 | ); |
5754 | /** |
5755 | @brief Copy a vnode label |
5756 | @param src Source vnode label |
5757 | @param dest Destination vnode label |
5758 | |
5759 | Copy the vnode label information from src to dest. On Darwin, this |
5760 | is currently only necessary when executing interpreted scripts, but |
5761 | will later be used if vnode label externalization cannot be an |
5762 | atomic operation. |
5763 | */ |
5764 | typedef void mpo_vnode_label_copy_t( |
5765 | struct label *src, |
5766 | struct label *dest |
5767 | ); |
5768 | /** |
5769 | @brief Destroy vnode label |
5770 | @param label The label to be destroyed |
5771 | |
5772 | Destroy a vnode label. Since the object is going out of scope, |
5773 | policy modules should free any internal storage associated with the |
5774 | label so that it may be destroyed. |
5775 | */ |
5776 | typedef void mpo_vnode_label_destroy_t( |
5777 | struct label *label |
5778 | ); |
5779 | /** |
5780 | @brief Externalize a vnode label for auditing |
5781 | @param label Label to be externalized |
5782 | @param element_name Name of the label namespace for which labels should be |
5783 | externalized |
5784 | @param sb String buffer to be filled with a text representation of the label |
5785 | |
5786 | Produce an external representation of the label on a vnode suitable for |
5787 | inclusion in an audit record. An externalized label consists of a text |
5788 | representation of the label contents that will be added to the audit record |
5789 | as part of a text token. Policy-agnostic user space tools will display |
5790 | this externalized version. |
5791 | |
5792 | @return 0 on success, return non-zero if an error occurs while |
5793 | externalizing the label data. |
5794 | |
5795 | */ |
5796 | typedef int mpo_vnode_label_externalize_audit_t( |
5797 | struct label *label, |
5798 | char *element_name, |
5799 | struct sbuf *sb |
5800 | ); |
5801 | /** |
5802 | @brief Externalize a vnode label |
5803 | @param label Label to be externalized |
5804 | @param element_name Name of the label namespace for which labels should be |
5805 | externalized |
5806 | @param sb String buffer to be filled with a text representation of the label |
5807 | |
5808 | Produce an external representation of the label on a vnode. An |
5809 | externalized label consists of a text representation of the label |
5810 | contents that can be used with user applications. Policy-agnostic |
5811 | user space tools will display this externalized version. |
5812 | |
5813 | @return 0 on success, return non-zero if an error occurs while |
5814 | externalizing the label data. |
5815 | |
5816 | */ |
5817 | typedef int mpo_vnode_label_externalize_t( |
5818 | struct label *label, |
5819 | char *element_name, |
5820 | struct sbuf *sb |
5821 | ); |
5822 | /** |
5823 | @brief Initialize vnode label |
5824 | @param label New label to initialize |
5825 | |
5826 | Initialize label storage for use with a newly instantiated vnode, or |
5827 | for temporary storage associated with the copying in or out of a |
5828 | vnode label. While it is necessary to allocate space for a |
5829 | kernel-resident vnode label, it is not yet necessary to link this vnode |
5830 | with persistent label storage facilities, such as extended attributes. |
5831 | Sleeping is permitted. |
5832 | */ |
5833 | typedef void mpo_vnode_label_init_t( |
5834 | struct label *label |
5835 | ); |
5836 | /** |
5837 | @brief Internalize a vnode label |
5838 | @param label Label to be internalized |
5839 | @param element_name Name of the label namespace for which the label should |
5840 | be internalized |
5841 | @param element_data Text data to be internalized |
5842 | |
5843 | Produce a vnode label from an external representation. An |
5844 | externalized label consists of a text representation of the label |
5845 | contents that can be used with user applications. Policy-agnostic |
5846 | user space tools will forward text version to the kernel for |
5847 | processing by individual policy modules. |
5848 | |
5849 | The policy's internalize entry points will be called only if the |
5850 | policy has registered interest in the label namespace. |
5851 | |
5852 | @return 0 on success, Otherwise, return non-zero if an error occurs |
5853 | while internalizing the label data. |
5854 | */ |
5855 | typedef int mpo_vnode_label_internalize_t( |
5856 | struct label *label, |
5857 | char *element_name, |
5858 | char *element_data |
5859 | ); |
5860 | /** |
5861 | @brief Clean up a vnode label |
5862 | @param label The label to be cleaned for re-use |
5863 | |
5864 | Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but |
5865 | typically never frees them. Before vnodes are placed back on free lists for |
5866 | re-use, policies can cleanup or overwrite any information present in the label. |
5867 | */ |
5868 | typedef void mpo_vnode_label_recycle_t( |
5869 | struct label *label |
5870 | ); |
5871 | /** |
5872 | @brief Write a label to a extended attribute |
5873 | @param cred Subject credential |
5874 | @param vp The vnode for which the label is being stored |
5875 | @param vlabel Label associated with vp |
5876 | @param intlabel The new label to store |
5877 | |
5878 | Store a new label in the extended attribute corresponding to the |
5879 | supplied vnode. The policy has already authorized the operation; |
5880 | this call must be implemented in order to perform the actual |
5881 | operation. |
5882 | |
5883 | @return In the event of an error, an appropriate value for errno |
5884 | should be returned, otherwise return 0 upon success. |
5885 | |
5886 | @warning XXX After examining the extended attribute implementation on |
5887 | Apple's future release, this entry point may be changed. |
5888 | */ |
5889 | typedef int mpo_vnode_label_store_t( |
5890 | kauth_cred_t cred, |
5891 | struct vnode *vp, |
5892 | struct label *vlabel, |
5893 | struct label *intlabel |
5894 | ); |
5895 | /** |
5896 | @brief Update vnode label from extended attributes |
5897 | @param mp File system mount point |
5898 | @param mntlabel Mount point label |
5899 | @param vp Vnode to label |
5900 | @param vlabel Label associated with vp |
5901 | @param name Name of the xattr |
5902 | @see mpo_vnode_check_setextattr_t |
5903 | |
5904 | When an extended attribute is updated via the Vendor attribute management |
5905 | functions, the MAC vnode label might also require an update. |
5906 | Policies should first determine if 'name' matches their xattr label |
5907 | name. If it does, the kernel is has either replaced or removed the |
5908 | named extended attribute that was previously associated with the |
5909 | vnode. Normally labels should only be modified via MAC Framework label |
5910 | management calls, but sometimes the user space components will directly |
5911 | modify extended attributes. For example, 'cp', 'tar', etc. manage |
5912 | extended attributes in userspace, not the kernel. |
5913 | |
5914 | This entry point is called after the label update has occurred, so |
5915 | it cannot return a failure. However, the operation is preceded by |
5916 | the mpo_vnode_check_setextattr() access control check. |
5917 | |
5918 | If the vnode label needs to be updated the policy should return |
5919 | a non-zero value. The vnode label will be marked for re-association |
5920 | by the framework. |
5921 | */ |
5922 | typedef int mpo_vnode_label_update_extattr_t( |
5923 | struct mount *mp, |
5924 | struct label *mntlabel, |
5925 | struct vnode *vp, |
5926 | struct label *vlabel, |
5927 | const char *name |
5928 | ); |
5929 | /** |
5930 | @brief Update a vnode label |
5931 | @param cred Subject credential |
5932 | @param vp The vnode to relabel |
5933 | @param vnodelabel Existing vnode label |
5934 | @param label New label to replace existing label |
5935 | @see mpo_vnode_check_label_update_t |
5936 | |
5937 | The subject identified by the credential has previously requested |
5938 | and was authorized to relabel the vnode; this entry point allows |
5939 | policies to perform the actual relabel operation. Policies should |
5940 | update vnodelabel using the label stored in the label parameter. |
5941 | */ |
5942 | typedef void mpo_vnode_label_update_t( |
5943 | kauth_cred_t cred, |
5944 | struct vnode *vp, |
5945 | struct label *vnodelabel, |
5946 | struct label *label |
5947 | ); |
5948 | /** |
5949 | @brief Find deatched signatures for a shared library |
5950 | @param p file trying to find the signature |
5951 | @param vp The vnode to relabel |
5952 | @param offset offset in the macho that the signature is requested for (for fat binaries) |
5953 | @param label Existing vnode label |
5954 | |
5955 | */ |
5956 | typedef int mpo_vnode_find_sigs_t( |
5957 | struct proc *p, |
5958 | struct vnode *vp, |
5959 | off_t offset, |
5960 | struct label *label |
5961 | ); |
5962 | /** |
5963 | @brief Create a new vnode, backed by extended attributes |
5964 | @param cred User credential for the creating process |
5965 | @param mp File system mount point |
5966 | @param mntlabel File system mount point label |
5967 | @param dvp Parent directory vnode |
5968 | @param dlabel Parent directory vnode label |
5969 | @param vp Newly created vnode |
5970 | @param vlabel Label to associate with the new vnode |
5971 | @param cnp Component name for vp |
5972 | |
5973 | Write out the label for the newly created vnode, most likely storing |
5974 | the results in a file system extended attribute. Most policies will |
5975 | derive the new vnode label using information from a combination |
5976 | of the subject (user) credential, the file system label, the parent |
5977 | directory label, and potentially the path name component. |
5978 | |
5979 | @return If the operation succeeds, store the new label in vlabel and |
5980 | return 0. Otherwise, return an appropriate errno value. |
5981 | */ |
5982 | typedef int mpo_vnode_notify_create_t( |
5983 | kauth_cred_t cred, |
5984 | struct mount *mp, |
5985 | struct label *mntlabel, |
5986 | struct vnode *dvp, |
5987 | struct label *dlabel, |
5988 | struct vnode *vp, |
5989 | struct label *vlabel, |
5990 | struct componentname *cnp |
5991 | ); |
5992 | |
5993 | /** |
5994 | @brief Inform MAC policies that a vnode has been opened |
5995 | @param cred User credential for the creating process |
5996 | @param vp vnode opened |
5997 | @param label Policy label for the vp |
5998 | @param acc_mode open(2) access mode used |
5999 | |
6000 | Inform Mac policies that a vnode have been successfully opened |
6001 | (passing all MAC polices and DAC). |
6002 | */ |
6003 | typedef void mpo_vnode_notify_open_t( |
6004 | kauth_cred_t cred, |
6005 | struct vnode *vp, |
6006 | struct label *label, |
6007 | int acc_mode |
6008 | ); |
6009 | |
6010 | /** |
6011 | @brief Inform MAC policies that a vnode has been renamed |
6012 | @param cred User credential for the renaming process |
6013 | @param vp Vnode that's being renamed |
6014 | @param label Policy label for vp |
6015 | @param dvp Parent directory for the destination |
6016 | @param dlabel Policy label for dvp |
6017 | @param cnp Component name for the destination |
6018 | |
6019 | Inform MAC policies that a vnode has been renamed. |
6020 | */ |
6021 | typedef void mpo_vnode_notify_rename_t( |
6022 | kauth_cred_t cred, |
6023 | struct vnode *vp, |
6024 | struct label *label, |
6025 | struct vnode *dvp, |
6026 | struct label *dlabel, |
6027 | struct componentname *cnp |
6028 | ); |
6029 | |
6030 | /** |
6031 | @brief Inform MAC policies that a vnode has been linked |
6032 | @param cred User credential for the renaming process |
6033 | @param dvp Parent directory for the destination |
6034 | @param dlabel Policy label for dvp |
6035 | @param vp Vnode that's being linked |
6036 | @param vlabel Policy label for vp |
6037 | @param cnp Component name for the destination |
6038 | |
6039 | Inform MAC policies that a vnode has been linked. |
6040 | */ |
6041 | typedef void mpo_vnode_notify_link_t( |
6042 | kauth_cred_t cred, |
6043 | struct vnode *dvp, |
6044 | struct label *dlabel, |
6045 | struct vnode *vp, |
6046 | struct label *vlabel, |
6047 | struct componentname *cnp |
6048 | ); |
6049 | |
6050 | /** |
6051 | @brief Inform MAC policies that an extended attribute has been removed from a vnode |
6052 | @param cred Subject credential |
6053 | @param vp Object node |
6054 | @param label Policy label for vp |
6055 | @param name Extended attribute name |
6056 | |
6057 | Inform MAC policies that an extended attribute has been removed from a vnode. |
6058 | */ |
6059 | typedef void mpo_vnode_notify_deleteextattr_t( |
6060 | kauth_cred_t cred, |
6061 | struct vnode *vp, |
6062 | struct label *label, |
6063 | const char *name |
6064 | ); |
6065 | |
6066 | |
6067 | /** |
6068 | @brief Inform MAC policies that an ACL has been set on a vnode |
6069 | @param cred Subject credential |
6070 | @param vp Object node |
6071 | @param label Policy label for vp |
6072 | @param acl ACL structure pointer |
6073 | |
6074 | Inform MAC policies that an ACL has been set on a vnode. |
6075 | */ |
6076 | typedef void mpo_vnode_notify_setacl_t( |
6077 | kauth_cred_t cred, |
6078 | struct vnode *vp, |
6079 | struct label *label, |
6080 | struct kauth_acl *acl |
6081 | ); |
6082 | |
6083 | /** |
6084 | @brief Inform MAC policies that an attributes have been set on a vnode |
6085 | @param cred Subject credential |
6086 | @param vp Object vnode |
6087 | @param label Policy label for vp |
6088 | @param alist List of attributes to set |
6089 | |
6090 | Inform MAC policies that an attributes have been set on a vnode. |
6091 | */ |
6092 | typedef void mpo_vnode_notify_setattrlist_t( |
6093 | kauth_cred_t cred, |
6094 | struct vnode *vp, |
6095 | struct label *label, |
6096 | struct attrlist *alist |
6097 | ); |
6098 | |
6099 | /** |
6100 | @brief Inform MAC policies that an extended attribute has been set on a vnode |
6101 | @param cred Subject credential |
6102 | @param vp Object vnode |
6103 | @param label Policy label for vp |
6104 | @param name Extended attribute name |
6105 | @param uio I/O structure pointer |
6106 | |
6107 | Inform MAC policies that an extended attribute has been set on a vnode. |
6108 | */ |
6109 | typedef void mpo_vnode_notify_setextattr_t( |
6110 | kauth_cred_t cred, |
6111 | struct vnode *vp, |
6112 | struct label *label, |
6113 | const char *name, |
6114 | struct uio *uio |
6115 | ); |
6116 | |
6117 | /** |
6118 | @brief Inform MAC policies that flags have been set on a vnode |
6119 | @param cred Subject credential |
6120 | @param vp Object vnode |
6121 | @param label Policy label for vp |
6122 | @param flags File flags; see chflags(2) |
6123 | |
6124 | Inform MAC policies that flags have been set on a vnode. |
6125 | */ |
6126 | typedef void mpo_vnode_notify_setflags_t( |
6127 | kauth_cred_t cred, |
6128 | struct vnode *vp, |
6129 | struct label *label, |
6130 | u_long flags |
6131 | ); |
6132 | |
6133 | /** |
6134 | @brief Inform MAC policies that a new mode has been set on a vnode |
6135 | @param cred Subject credential |
6136 | @param vp Object vnode |
6137 | @param label Policy label for vp |
6138 | @param mode File mode; see chmod(2) |
6139 | |
6140 | Inform MAC policies that a new mode has been set on a vnode. |
6141 | */ |
6142 | typedef void mpo_vnode_notify_setmode_t( |
6143 | kauth_cred_t cred, |
6144 | struct vnode *vp, |
6145 | struct label *label, |
6146 | mode_t mode |
6147 | ); |
6148 | |
6149 | /** |
6150 | @brief Inform MAC policies that new uid/gid have been set on a vnode |
6151 | @param cred Subject credential |
6152 | @param vp Object vnode |
6153 | @param label Policy label for vp |
6154 | @param uid User ID |
6155 | @param gid Group ID |
6156 | |
6157 | Inform MAC policies that new uid/gid have been set on a vnode. |
6158 | */ |
6159 | typedef void mpo_vnode_notify_setowner_t( |
6160 | kauth_cred_t cred, |
6161 | struct vnode *vp, |
6162 | struct label *label, |
6163 | uid_t uid, |
6164 | gid_t gid |
6165 | ); |
6166 | |
6167 | /** |
6168 | @brief Inform MAC policies that new timestamps have been set on a vnode |
6169 | @param cred Subject credential |
6170 | @param vp Object vnode |
6171 | @param label Policy label for vp |
6172 | @param atime Access time; see utimes(2) |
6173 | @param mtime Modification time; see utimes(2) |
6174 | |
6175 | Inform MAC policies that new timestamps have been set on a vnode. |
6176 | */ |
6177 | typedef void mpo_vnode_notify_setutimes_t( |
6178 | kauth_cred_t cred, |
6179 | struct vnode *vp, |
6180 | struct label *label, |
6181 | struct timespec atime, |
6182 | struct timespec mtime |
6183 | ); |
6184 | |
6185 | /** |
6186 | @brief Inform MAC policies that a vnode has been truncated |
6187 | @param cred Subject credential |
6188 | @param file_cred Credential associated with the struct fileproc |
6189 | @param vp Object vnode |
6190 | @param label Policy label for vp |
6191 | |
6192 | Inform MAC policies that a vnode has been truncated. |
6193 | */ |
6194 | typedef void mpo_vnode_notify_truncate_t( |
6195 | kauth_cred_t cred, |
6196 | kauth_cred_t file_cred, |
6197 | struct vnode *vp, |
6198 | struct label *label |
6199 | ); |
6200 | |
6201 | |
6202 | /** |
6203 | @brief Inform MAC policies that a pty slave has been granted |
6204 | @param p Responsible process |
6205 | @param tp tty data structure |
6206 | @param dev Major and minor numbers of device |
6207 | @param label Policy label for tp |
6208 | |
6209 | Inform MAC policies that a pty slave has been granted. |
6210 | */ |
6211 | typedef void mpo_pty_notify_grant_t( |
6212 | proc_t p, |
6213 | struct tty *tp, |
6214 | dev_t dev, |
6215 | struct label *label |
6216 | ); |
6217 | |
6218 | /** |
6219 | @brief Inform MAC policies that a pty master has been closed |
6220 | @param p Responsible process |
6221 | @param tp tty data structure |
6222 | @param dev Major and minor numbers of device |
6223 | @param label Policy label for tp |
6224 | |
6225 | Inform MAC policies that a pty master has been closed. |
6226 | */ |
6227 | typedef void mpo_pty_notify_close_t( |
6228 | proc_t p, |
6229 | struct tty *tp, |
6230 | dev_t dev, |
6231 | struct label *label |
6232 | ); |
6233 | |
6234 | /** |
6235 | @brief Access control check for kext loading |
6236 | @param cred Subject credential |
6237 | @param identifier Kext identifier |
6238 | |
6239 | Determine whether the subject identified by the credential can load the |
6240 | specified kext. |
6241 | |
6242 | @return Return 0 if access is granted, otherwise an appropriate value for |
6243 | errno should be returned. Suggested failure: EPERM for lack of privilege. |
6244 | */ |
6245 | typedef int mpo_kext_check_load_t( |
6246 | kauth_cred_t cred, |
6247 | const char *identifier |
6248 | ); |
6249 | |
6250 | /** |
6251 | @brief Access control check for kext unloading |
6252 | @param cred Subject credential |
6253 | @param identifier Kext identifier |
6254 | |
6255 | Determine whether the subject identified by the credential can unload the |
6256 | specified kext. |
6257 | |
6258 | @return Return 0 if access is granted, otherwise an appropriate value for |
6259 | errno should be returned. Suggested failure: EPERM for lack of privilege. |
6260 | */ |
6261 | typedef int mpo_kext_check_unload_t( |
6262 | kauth_cred_t cred, |
6263 | const char *identifier |
6264 | ); |
6265 | |
6266 | /** |
6267 | @brief Access control check for querying information about loaded kexts |
6268 | @param cred Subject credential |
6269 | |
6270 | Determine whether the subject identified by the credential can query |
6271 | information about loaded kexts. |
6272 | |
6273 | @return Return 0 if access is granted, otherwise an appropriate value for |
6274 | errno should be returned. Suggested failure: EPERM for lack of privilege. |
6275 | */ |
6276 | typedef int mpo_kext_check_query_t( |
6277 | kauth_cred_t cred |
6278 | ); |
6279 | |
6280 | /* |
6281 | * Placeholder for future events that may need mac hooks. |
6282 | */ |
6283 | typedef void mpo_reserved_hook_t(void); |
6284 | |
6285 | /* |
6286 | * Policy module operations. |
6287 | * |
6288 | * Please note that this should be kept in sync with the check assumptions |
6289 | * policy in bsd/kern/policy_check.c (policy_ops struct). |
6290 | */ |
6291 | #define MAC_POLICY_OPS_VERSION 55 /* inc when new reserved slots are taken */ |
6292 | struct mac_policy_ops { |
6293 | mpo_audit_check_postselect_t *mpo_audit_check_postselect; |
6294 | mpo_audit_check_preselect_t *mpo_audit_check_preselect; |
6295 | |
6296 | mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate; |
6297 | mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy; |
6298 | mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init; |
6299 | mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive; |
6300 | |
6301 | mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; |
6302 | mpo_cred_check_label_update_t *mpo_cred_check_label_update; |
6303 | mpo_cred_check_visible_t *mpo_cred_check_visible; |
6304 | mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork; |
6305 | mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel; |
6306 | mpo_cred_label_associate_t *mpo_cred_label_associate; |
6307 | mpo_cred_label_associate_user_t *mpo_cred_label_associate_user; |
6308 | mpo_cred_label_destroy_t *mpo_cred_label_destroy; |
6309 | mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit; |
6310 | mpo_cred_label_externalize_t *mpo_cred_label_externalize; |
6311 | mpo_cred_label_init_t *mpo_cred_label_init; |
6312 | mpo_cred_label_internalize_t *mpo_cred_label_internalize; |
6313 | mpo_cred_label_update_execve_t *mpo_cred_label_update_execve; |
6314 | mpo_cred_label_update_t *mpo_cred_label_update; |
6315 | |
6316 | mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device; |
6317 | mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory; |
6318 | mpo_devfs_label_copy_t *mpo_devfs_label_copy; |
6319 | mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; |
6320 | mpo_devfs_label_init_t *mpo_devfs_label_init; |
6321 | mpo_devfs_label_update_t *mpo_devfs_label_update; |
6322 | |
6323 | mpo_file_check_change_offset_t *mpo_file_check_change_offset; |
6324 | mpo_file_check_create_t *mpo_file_check_create; |
6325 | mpo_file_check_dup_t *mpo_file_check_dup; |
6326 | mpo_file_check_fcntl_t *mpo_file_check_fcntl; |
6327 | mpo_file_check_get_offset_t *mpo_file_check_get_offset; |
6328 | mpo_file_check_get_t *mpo_file_check_get; |
6329 | mpo_file_check_inherit_t *mpo_file_check_inherit; |
6330 | mpo_file_check_ioctl_t *mpo_file_check_ioctl; |
6331 | mpo_file_check_lock_t *mpo_file_check_lock; |
6332 | mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade; |
6333 | mpo_file_check_mmap_t *mpo_file_check_mmap; |
6334 | mpo_file_check_receive_t *mpo_file_check_receive; |
6335 | mpo_file_check_set_t *mpo_file_check_set; |
6336 | mpo_file_label_init_t *mpo_file_label_init; |
6337 | mpo_file_label_destroy_t *mpo_file_label_destroy; |
6338 | mpo_file_label_associate_t *mpo_file_label_associate; |
6339 | |
6340 | mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update; |
6341 | mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit; |
6342 | mpo_ifnet_label_associate_t *mpo_ifnet_label_associate; |
6343 | mpo_ifnet_label_copy_t *mpo_ifnet_label_copy; |
6344 | mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy; |
6345 | mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize; |
6346 | mpo_ifnet_label_init_t *mpo_ifnet_label_init; |
6347 | mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize; |
6348 | mpo_ifnet_label_update_t *mpo_ifnet_label_update; |
6349 | mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle; |
6350 | |
6351 | mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver; |
6352 | mpo_inpcb_label_associate_t *mpo_inpcb_label_associate; |
6353 | mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy; |
6354 | mpo_inpcb_label_init_t *mpo_inpcb_label_init; |
6355 | mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle; |
6356 | mpo_inpcb_label_update_t *mpo_inpcb_label_update; |
6357 | |
6358 | mpo_iokit_check_device_t *mpo_iokit_check_device; |
6359 | |
6360 | mpo_ipq_label_associate_t *mpo_ipq_label_associate; |
6361 | mpo_ipq_label_compare_t *mpo_ipq_label_compare; |
6362 | mpo_ipq_label_destroy_t *mpo_ipq_label_destroy; |
6363 | mpo_ipq_label_init_t *mpo_ipq_label_init; |
6364 | mpo_ipq_label_update_t *mpo_ipq_label_update; |
6365 | |
6366 | mpo_file_check_library_validation_t *mpo_file_check_library_validation; |
6367 | mpo_vnode_notify_setacl_t *mpo_vnode_notify_setacl; |
6368 | mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist; |
6369 | mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr; |
6370 | mpo_vnode_notify_setflags_t *mpo_vnode_notify_setflags; |
6371 | mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode; |
6372 | mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner; |
6373 | mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes; |
6374 | mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate; |
6375 | |
6376 | mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc; |
6377 | mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet; |
6378 | mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb; |
6379 | mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq; |
6380 | mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer; |
6381 | mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap; |
6382 | mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer; |
6383 | mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket; |
6384 | mpo_mbuf_label_copy_t *mpo_mbuf_label_copy; |
6385 | mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy; |
6386 | mpo_mbuf_label_init_t *mpo_mbuf_label_init; |
6387 | |
6388 | mpo_mount_check_fsctl_t *mpo_mount_check_fsctl; |
6389 | mpo_mount_check_getattr_t *mpo_mount_check_getattr; |
6390 | mpo_mount_check_label_update_t *mpo_mount_check_label_update; |
6391 | mpo_mount_check_mount_t *mpo_mount_check_mount; |
6392 | mpo_mount_check_remount_t *mpo_mount_check_remount; |
6393 | mpo_mount_check_setattr_t *mpo_mount_check_setattr; |
6394 | mpo_mount_check_stat_t *mpo_mount_check_stat; |
6395 | mpo_mount_check_umount_t *mpo_mount_check_umount; |
6396 | mpo_mount_label_associate_t *mpo_mount_label_associate; |
6397 | mpo_mount_label_destroy_t *mpo_mount_label_destroy; |
6398 | mpo_mount_label_externalize_t *mpo_mount_label_externalize; |
6399 | mpo_mount_label_init_t *mpo_mount_label_init; |
6400 | mpo_mount_label_internalize_t *mpo_mount_label_internalize; |
6401 | |
6402 | mpo_netinet_fragment_t *mpo_netinet_fragment; |
6403 | mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply; |
6404 | mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply; |
6405 | |
6406 | mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; |
6407 | mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; |
6408 | mpo_pipe_check_label_update_t *mpo_pipe_check_label_update; |
6409 | mpo_pipe_check_read_t *mpo_pipe_check_read; |
6410 | mpo_pipe_check_select_t *mpo_pipe_check_select; |
6411 | mpo_pipe_check_stat_t *mpo_pipe_check_stat; |
6412 | mpo_pipe_check_write_t *mpo_pipe_check_write; |
6413 | mpo_pipe_label_associate_t *mpo_pipe_label_associate; |
6414 | mpo_pipe_label_copy_t *mpo_pipe_label_copy; |
6415 | mpo_pipe_label_destroy_t *mpo_pipe_label_destroy; |
6416 | mpo_pipe_label_externalize_t *mpo_pipe_label_externalize; |
6417 | mpo_pipe_label_init_t *mpo_pipe_label_init; |
6418 | mpo_pipe_label_internalize_t *mpo_pipe_label_internalize; |
6419 | mpo_pipe_label_update_t *mpo_pipe_label_update; |
6420 | |
6421 | mpo_policy_destroy_t *mpo_policy_destroy; |
6422 | mpo_policy_init_t *mpo_policy_init; |
6423 | mpo_policy_initbsd_t *mpo_policy_initbsd; |
6424 | mpo_policy_syscall_t *mpo_policy_syscall; |
6425 | |
6426 | mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname; |
6427 | mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports; |
6428 | mpo_vnode_check_rename_t *mpo_vnode_check_rename; |
6429 | mpo_kext_check_query_t *mpo_kext_check_query; |
6430 | mpo_proc_notify_exec_complete_t *mpo_proc_notify_exec_complete; |
6431 | mpo_reserved_hook_t *mpo_reserved5; |
6432 | mpo_reserved_hook_t *mpo_reserved6; |
6433 | mpo_proc_check_expose_task_t *mpo_proc_check_expose_task; |
6434 | mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port; |
6435 | mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port; |
6436 | mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send; |
6437 | mpo_exc_action_label_associate_t *mpo_exc_action_label_associate; |
6438 | mpo_exc_action_label_populate_t *mpo_exc_action_label_populate; |
6439 | mpo_exc_action_label_destroy_t *mpo_exc_action_label_destroy; |
6440 | mpo_exc_action_label_init_t *mpo_exc_action_label_init; |
6441 | mpo_exc_action_label_update_t *mpo_exc_action_label_update; |
6442 | |
6443 | mpo_vnode_check_trigger_resolve_t *mpo_vnode_check_trigger_resolve; |
6444 | mpo_reserved_hook_t *mpo_reserved1; |
6445 | mpo_reserved_hook_t *mpo_reserved2; |
6446 | mpo_reserved_hook_t *mpo_reserved3; |
6447 | mpo_skywalk_flow_check_connect_t *mpo_skywalk_flow_check_connect; |
6448 | mpo_skywalk_flow_check_listen_t *mpo_skywalk_flow_check_listen; |
6449 | |
6450 | mpo_posixsem_check_create_t *mpo_posixsem_check_create; |
6451 | mpo_posixsem_check_open_t *mpo_posixsem_check_open; |
6452 | mpo_posixsem_check_post_t *mpo_posixsem_check_post; |
6453 | mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink; |
6454 | mpo_posixsem_check_wait_t *mpo_posixsem_check_wait; |
6455 | mpo_posixsem_label_associate_t *mpo_posixsem_label_associate; |
6456 | mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy; |
6457 | mpo_posixsem_label_init_t *mpo_posixsem_label_init; |
6458 | mpo_posixshm_check_create_t *mpo_posixshm_check_create; |
6459 | mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap; |
6460 | mpo_posixshm_check_open_t *mpo_posixshm_check_open; |
6461 | mpo_posixshm_check_stat_t *mpo_posixshm_check_stat; |
6462 | mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate; |
6463 | mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink; |
6464 | mpo_posixshm_label_associate_t *mpo_posixshm_label_associate; |
6465 | mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy; |
6466 | mpo_posixshm_label_init_t *mpo_posixshm_label_init; |
6467 | |
6468 | mpo_proc_check_debug_t *mpo_proc_check_debug; |
6469 | mpo_proc_check_fork_t *mpo_proc_check_fork; |
6470 | mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name; |
6471 | mpo_proc_check_get_task_t *mpo_proc_check_get_task; |
6472 | mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; |
6473 | mpo_proc_check_getauid_t *mpo_proc_check_getauid; |
6474 | mpo_proc_check_getlcid_t *mpo_proc_check_getlcid; |
6475 | mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; |
6476 | mpo_proc_check_sched_t *mpo_proc_check_sched; |
6477 | mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; |
6478 | mpo_proc_check_setauid_t *mpo_proc_check_setauid; |
6479 | mpo_proc_check_setlcid_t *mpo_proc_check_setlcid; |
6480 | mpo_proc_check_signal_t *mpo_proc_check_signal; |
6481 | mpo_proc_check_wait_t *mpo_proc_check_wait; |
6482 | mpo_proc_label_destroy_t *mpo_proc_label_destroy; |
6483 | mpo_proc_label_init_t *mpo_proc_label_init; |
6484 | |
6485 | mpo_socket_check_accept_t *mpo_socket_check_accept; |
6486 | mpo_socket_check_accepted_t *mpo_socket_check_accepted; |
6487 | mpo_socket_check_bind_t *mpo_socket_check_bind; |
6488 | mpo_socket_check_connect_t *mpo_socket_check_connect; |
6489 | mpo_socket_check_create_t *mpo_socket_check_create; |
6490 | mpo_socket_check_deliver_t *mpo_socket_check_deliver; |
6491 | mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter; |
6492 | mpo_socket_check_label_update_t *mpo_socket_check_label_update; |
6493 | mpo_socket_check_listen_t *mpo_socket_check_listen; |
6494 | mpo_socket_check_receive_t *mpo_socket_check_receive; |
6495 | mpo_socket_check_received_t *mpo_socket_check_received; |
6496 | mpo_socket_check_select_t *mpo_socket_check_select; |
6497 | mpo_socket_check_send_t *mpo_socket_check_send; |
6498 | mpo_socket_check_stat_t *mpo_socket_check_stat; |
6499 | mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt; |
6500 | mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt; |
6501 | mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept; |
6502 | mpo_socket_label_associate_t *mpo_socket_label_associate; |
6503 | mpo_socket_label_copy_t *mpo_socket_label_copy; |
6504 | mpo_socket_label_destroy_t *mpo_socket_label_destroy; |
6505 | mpo_socket_label_externalize_t *mpo_socket_label_externalize; |
6506 | mpo_socket_label_init_t *mpo_socket_label_init; |
6507 | mpo_socket_label_internalize_t *mpo_socket_label_internalize; |
6508 | mpo_socket_label_update_t *mpo_socket_label_update; |
6509 | |
6510 | mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf; |
6511 | mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket; |
6512 | mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy; |
6513 | mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize; |
6514 | mpo_socketpeer_label_init_t *mpo_socketpeer_label_init; |
6515 | |
6516 | mpo_system_check_acct_t *mpo_system_check_acct; |
6517 | mpo_system_check_audit_t *mpo_system_check_audit; |
6518 | mpo_system_check_auditctl_t *mpo_system_check_auditctl; |
6519 | mpo_system_check_auditon_t *mpo_system_check_auditon; |
6520 | mpo_system_check_host_priv_t *mpo_system_check_host_priv; |
6521 | mpo_system_check_nfsd_t *mpo_system_check_nfsd; |
6522 | mpo_system_check_reboot_t *mpo_system_check_reboot; |
6523 | mpo_system_check_settime_t *mpo_system_check_settime; |
6524 | mpo_system_check_swapoff_t *mpo_system_check_swapoff; |
6525 | mpo_system_check_swapon_t *mpo_system_check_swapon; |
6526 | mpo_socket_check_ioctl_t *mpo_socket_check_ioctl; |
6527 | |
6528 | mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate; |
6529 | mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy; |
6530 | mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init; |
6531 | mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle; |
6532 | mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue; |
6533 | mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv; |
6534 | mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid; |
6535 | mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl; |
6536 | mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget; |
6537 | mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv; |
6538 | mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd; |
6539 | mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate; |
6540 | mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy; |
6541 | mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init; |
6542 | mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle; |
6543 | mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl; |
6544 | mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget; |
6545 | mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop; |
6546 | mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate; |
6547 | mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy; |
6548 | mpo_sysvsem_label_init_t *mpo_sysvsem_label_init; |
6549 | mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle; |
6550 | mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat; |
6551 | mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl; |
6552 | mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt; |
6553 | mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget; |
6554 | mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate; |
6555 | mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy; |
6556 | mpo_sysvshm_label_init_t *mpo_sysvshm_label_init; |
6557 | mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle; |
6558 | |
6559 | mpo_proc_notify_exit_t *mpo_proc_notify_exit; |
6560 | mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert; |
6561 | mpo_vnode_check_getattr_t *mpo_vnode_check_getattr; |
6562 | mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create; |
6563 | mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete; |
6564 | mpo_vnode_check_clone_t *mpo_vnode_check_clone; |
6565 | mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info; |
6566 | mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info; |
6567 | |
6568 | mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control; |
6569 | |
6570 | mpo_vnode_check_access_t *mpo_vnode_check_access; |
6571 | mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; |
6572 | mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; |
6573 | mpo_vnode_check_create_t *mpo_vnode_check_create; |
6574 | mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr; |
6575 | mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata; |
6576 | mpo_vnode_check_exec_t *mpo_vnode_check_exec; |
6577 | mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist; |
6578 | mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr; |
6579 | mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl; |
6580 | mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter; |
6581 | mpo_vnode_check_label_update_t *mpo_vnode_check_label_update; |
6582 | mpo_vnode_check_link_t *mpo_vnode_check_link; |
6583 | mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; |
6584 | mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; |
6585 | mpo_vnode_check_open_t *mpo_vnode_check_open; |
6586 | mpo_vnode_check_read_t *mpo_vnode_check_read; |
6587 | mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; |
6588 | mpo_vnode_check_readlink_t *mpo_vnode_check_readlink; |
6589 | mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from; |
6590 | mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to; |
6591 | mpo_vnode_check_revoke_t *mpo_vnode_check_revoke; |
6592 | mpo_vnode_check_select_t *mpo_vnode_check_select; |
6593 | mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist; |
6594 | mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr; |
6595 | mpo_vnode_check_setflags_t *mpo_vnode_check_setflags; |
6596 | mpo_vnode_check_setmode_t *mpo_vnode_check_setmode; |
6597 | mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; |
6598 | mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; |
6599 | mpo_vnode_check_stat_t *mpo_vnode_check_stat; |
6600 | mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; |
6601 | mpo_vnode_check_unlink_t *mpo_vnode_check_unlink; |
6602 | mpo_vnode_check_write_t *mpo_vnode_check_write; |
6603 | mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs; |
6604 | mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr; |
6605 | mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file; |
6606 | mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe; |
6607 | mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem; |
6608 | mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm; |
6609 | mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel; |
6610 | mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket; |
6611 | mpo_vnode_label_copy_t *mpo_vnode_label_copy; |
6612 | mpo_vnode_label_destroy_t *mpo_vnode_label_destroy; |
6613 | mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit; |
6614 | mpo_vnode_label_externalize_t *mpo_vnode_label_externalize; |
6615 | mpo_vnode_label_init_t *mpo_vnode_label_init; |
6616 | mpo_vnode_label_internalize_t *mpo_vnode_label_internalize; |
6617 | mpo_vnode_label_recycle_t *mpo_vnode_label_recycle; |
6618 | mpo_vnode_label_store_t *mpo_vnode_label_store; |
6619 | mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr; |
6620 | mpo_vnode_label_update_t *mpo_vnode_label_update; |
6621 | mpo_vnode_notify_create_t *mpo_vnode_notify_create; |
6622 | mpo_vnode_check_signature_t *mpo_vnode_check_signature; |
6623 | mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind; |
6624 | mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect; |
6625 | |
6626 | mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid; |
6627 | mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume; |
6628 | |
6629 | mpo_thread_userret_t *mpo_thread_userret; |
6630 | |
6631 | mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties; |
6632 | |
6633 | mpo_system_check_chud_t *mpo_system_check_chud; |
6634 | |
6635 | mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs; |
6636 | |
6637 | mpo_priv_check_t *mpo_priv_check; |
6638 | mpo_priv_grant_t *mpo_priv_grant; |
6639 | |
6640 | mpo_proc_check_map_anon_t *mpo_proc_check_map_anon; |
6641 | |
6642 | mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath; |
6643 | |
6644 | mpo_iokit_check_open_t *mpo_iokit_check_open; |
6645 | |
6646 | mpo_proc_check_ledger_t *mpo_proc_check_ledger; |
6647 | |
6648 | mpo_vnode_notify_rename_t *mpo_vnode_notify_rename; |
6649 | |
6650 | mpo_vnode_check_setacl_t *mpo_vnode_check_setacl; |
6651 | |
6652 | mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr; |
6653 | |
6654 | mpo_system_check_kas_info_t *mpo_system_check_kas_info; |
6655 | |
6656 | mpo_vnode_check_lookup_preflight_t *mpo_vnode_check_lookup_preflight; |
6657 | |
6658 | mpo_vnode_notify_open_t *mpo_vnode_notify_open; |
6659 | |
6660 | mpo_system_check_info_t *mpo_system_check_info; |
6661 | |
6662 | mpo_pty_notify_grant_t *mpo_pty_notify_grant; |
6663 | mpo_pty_notify_close_t *mpo_pty_notify_close; |
6664 | |
6665 | mpo_vnode_find_sigs_t *mpo_vnode_find_sigs; |
6666 | |
6667 | mpo_kext_check_load_t *mpo_kext_check_load; |
6668 | mpo_kext_check_unload_t *mpo_kext_check_unload; |
6669 | |
6670 | mpo_proc_check_proc_info_t *mpo_proc_check_proc_info; |
6671 | mpo_vnode_notify_link_t *mpo_vnode_notify_link; |
6672 | mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties; |
6673 | mpo_iokit_check_get_property_t *mpo_iokit_check_get_property; |
6674 | }; |
6675 | |
6676 | /** |
6677 | @brief MAC policy handle type |
6678 | |
6679 | The MAC handle is used to uniquely identify a loaded policy within |
6680 | the MAC Framework. |
6681 | |
6682 | A variable of this type is set by mac_policy_register(). |
6683 | */ |
6684 | typedef unsigned int mac_policy_handle_t; |
6685 | |
6686 | #define mpc_t struct mac_policy_conf * |
6687 | |
6688 | /** |
6689 | @brief Mac policy configuration |
6690 | |
6691 | This structure specifies the configuration information for a |
6692 | MAC policy module. A policy module developer must supply |
6693 | a short unique policy name, a more descriptive full name, a list of label |
6694 | namespaces and count, a pointer to the registered enty point operations, |
6695 | any load time flags, and optionally, a pointer to a label slot identifier. |
6696 | |
6697 | The Framework will update the runtime flags (mpc_runtime_flags) to |
6698 | indicate that the module has been registered. |
6699 | |
6700 | If the label slot identifier (mpc_field_off) is NULL, the Framework |
6701 | will not provide label storage for the policy. Otherwise, the |
6702 | Framework will store the label location (slot) in this field. |
6703 | |
6704 | The mpc_list field is used by the Framework and should not be |
6705 | modified by policies. |
6706 | */ |
6707 | /* XXX - reorder these for better aligment on 64bit platforms */ |
6708 | struct mac_policy_conf { |
6709 | const char *mpc_name; /** policy name */ |
6710 | const char *mpc_fullname; /** full name */ |
6711 | char const * const *mpc_labelnames; /** managed label namespaces */ |
6712 | unsigned int mpc_labelname_count; /** number of managed label namespaces */ |
6713 | const struct mac_policy_ops *mpc_ops; /** operation vector */ |
6714 | int mpc_loadtime_flags; /** load time flags */ |
6715 | int *mpc_field_off; /** label slot */ |
6716 | int mpc_runtime_flags; /** run time flags */ |
6717 | mpc_t mpc_list; /** List reference */ |
6718 | void *mpc_data; /** module data */ |
6719 | }; |
6720 | |
6721 | /** |
6722 | @brief MAC policy module registration routine |
6723 | |
6724 | This function is called to register a policy with the |
6725 | MAC framework. A policy module will typically call this from the |
6726 | Darwin KEXT registration routine. |
6727 | */ |
6728 | int mac_policy_register(struct mac_policy_conf *mpc, |
6729 | mac_policy_handle_t *handlep, void *xd); |
6730 | |
6731 | /** |
6732 | @brief MAC policy module de-registration routine |
6733 | |
6734 | This function is called to de-register a policy with theD |
6735 | MAC framework. A policy module will typically call this from the |
6736 | Darwin KEXT de-registration routine. |
6737 | */ |
6738 | int mac_policy_unregister(mac_policy_handle_t handle); |
6739 | |
6740 | /* |
6741 | * Framework entry points for the policies to add audit data. |
6742 | */ |
6743 | int mac_audit_text(char *text, mac_policy_handle_t handle); |
6744 | |
6745 | /* |
6746 | * Calls to assist with use of Apple XATTRs within policy modules. |
6747 | */ |
6748 | int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t); |
6749 | int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t, |
6750 | size_t *); |
6751 | int mac_vnop_removexattr(struct vnode *, const char *); |
6752 | |
6753 | /** |
6754 | @brief Set an extended attribute on a vnode-based fileglob. |
6755 | @param fg fileglob representing file to attach the extended attribute |
6756 | @param name extended attribute name |
6757 | @param buf buffer of data to use as the extended attribute value |
6758 | @param len size of buffer |
6759 | |
6760 | Sets the value of an extended attribute on a file. |
6761 | |
6762 | Caller must hold an iocount on the vnode represented by the fileglob. |
6763 | */ |
6764 | int mac_file_setxattr(struct fileglob *fg, const char *name, char *buf, size_t len); |
6765 | |
6766 | /** |
6767 | @brief Get an extended attribute from a vnode-based fileglob. |
6768 | @param fg fileglob representing file to read the extended attribute |
6769 | @param name extended attribute name |
6770 | @param buf buffer of data to hold the extended attribute value |
6771 | @param len size of buffer |
6772 | @param attrlen size of full extended attribute value |
6773 | |
6774 | Gets the value of an extended attribute on a file. |
6775 | |
6776 | Caller must hold an iocount on the vnode represented by the fileglob. |
6777 | */ |
6778 | int mac_file_getxattr(struct fileglob *fg, const char *name, char *buf, size_t len, |
6779 | size_t *attrlen); |
6780 | |
6781 | /** |
6782 | @brief Remove an extended attribute from a vnode-based fileglob. |
6783 | @param fg fileglob representing file to remove the extended attribute |
6784 | @param name extended attribute name |
6785 | |
6786 | Removes the named extended attribute from the file. |
6787 | |
6788 | Caller must hold an iocount on the vnode represented by the fileglob. |
6789 | */ |
6790 | int mac_file_removexattr(struct fileglob *fg, const char *name); |
6791 | |
6792 | |
6793 | /* |
6794 | * Arbitrary limit on how much data will be logged by the audit |
6795 | * entry points above. |
6796 | */ |
6797 | #define MAC_AUDIT_DATA_LIMIT 1024 |
6798 | |
6799 | /* |
6800 | * Values returned by mac_audit_{pre,post}select. To combine the responses |
6801 | * of the security policies into a single decision, |
6802 | * mac_audit_{pre,post}select() choose the greatest value returned. |
6803 | */ |
6804 | #define MAC_AUDIT_DEFAULT 0 /* use system behavior */ |
6805 | #define MAC_AUDIT_NO 1 /* force not auditing this event */ |
6806 | #define MAC_AUDIT_YES 2 /* force auditing this event */ |
6807 | |
6808 | // \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field |
6809 | |
6810 | /** |
6811 | @name Flags for the mpc_loadtime_flags field |
6812 | @see mac_policy_conf |
6813 | |
6814 | This is the complete list of flags that are supported by the |
6815 | mpc_loadtime_flags field of the mac_policy_conf structure. These |
6816 | flags specify the load time behavior of MAC Framework policy |
6817 | modules. |
6818 | */ |
6819 | |
6820 | /*@{*/ |
6821 | |
6822 | /** |
6823 | @brief Flag to indicate registration preference |
6824 | |
6825 | This flag indicates that the policy module must be loaded and |
6826 | initialized early in the boot process. If the flag is specified, |
6827 | attempts to register the module following boot will be rejected. The |
6828 | flag may be used by policies that require pervasive labeling of all |
6829 | system objects, and cannot handle objects that have not been |
6830 | properly initialized by the policy. |
6831 | */ |
6832 | #define MPC_LOADTIME_FLAG_NOTLATE 0x00000001 |
6833 | |
6834 | /** |
6835 | @brief Flag to indicate unload preference |
6836 | |
6837 | This flag indicates that the policy module may be unloaded. If this |
6838 | flag is not set, then the policy framework will reject requests to |
6839 | unload the module. This flag might be used by modules that allocate |
6840 | label state and are unable to free that state at runtime, or for |
6841 | modules that simply do not want to permit unload operations. |
6842 | */ |
6843 | #define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002 |
6844 | |
6845 | /** |
6846 | @brief Unsupported |
6847 | |
6848 | XXX This flag is not yet supported. |
6849 | */ |
6850 | #define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004 |
6851 | |
6852 | /** |
6853 | @brief Flag to indicate a base policy |
6854 | |
6855 | This flag indicates that the policy module is a base policy. Only |
6856 | one module can declare itself as base, otherwise the boot process |
6857 | will be halted. |
6858 | */ |
6859 | #define MPC_LOADTIME_BASE_POLICY 0x00000008 |
6860 | |
6861 | /*@}*/ |
6862 | |
6863 | /** |
6864 | @brief Policy registration flag |
6865 | @see mac_policy_conf |
6866 | |
6867 | This flag indicates that the policy module has been successfully |
6868 | registered with the TrustedBSD MAC Framework. The Framework will |
6869 | set this flag in the mpc_runtime_flags field of the policy's |
6870 | mac_policy_conf structure after registering the policy. |
6871 | */ |
6872 | #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 |
6873 | |
6874 | /* |
6875 | * Depends on POLICY_VER |
6876 | */ |
6877 | |
6878 | #ifndef POLICY_VER |
6879 | #define POLICY_VER 1.0 |
6880 | #endif |
6881 | |
6882 | #define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \ |
6883 | static struct mac_policy_conf mpname##_mac_policy_conf = { \ |
6884 | .mpc_name = #mpname, \ |
6885 | .mpc_fullname = mpfullname, \ |
6886 | .mpc_labelnames = lnames, \ |
6887 | .mpc_labelname_count = lcount, \ |
6888 | .mpc_ops = mpops, \ |
6889 | .mpc_loadtime_flags = lflags, \ |
6890 | .mpc_field_off = slot, \ |
6891 | .mpc_runtime_flags = rflags \ |
6892 | }; \ |
6893 | \ |
6894 | static kern_return_t \ |
6895 | kmod_start(kmod_info_t *ki, void *xd) \ |
6896 | { \ |
6897 | return mac_policy_register(&mpname##_mac_policy_conf, \ |
6898 | &handle, xd); \ |
6899 | } \ |
6900 | \ |
6901 | static kern_return_t \ |
6902 | kmod_stop(kmod_info_t *ki, void *xd) \ |
6903 | { \ |
6904 | return mac_policy_unregister(handle); \ |
6905 | } \ |
6906 | \ |
6907 | extern kern_return_t _start(kmod_info_t *ki, void *data); \ |
6908 | extern kern_return_t _stop(kmod_info_t *ki, void *data); \ |
6909 | \ |
6910 | KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \ |
6911 | kmod_start_func_t *_realmain = kmod_start; \ |
6912 | kmod_stop_func_t *_antimain = kmod_stop; \ |
6913 | int _kext_apple_cc = __APPLE_CC__ |
6914 | |
6915 | |
6916 | #define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s] |
6917 | |
6918 | /* |
6919 | * Policy interface to map a struct label pointer to per-policy data. |
6920 | * Typically, policies wrap this in their own accessor macro that casts an |
6921 | * intptr_t to a policy-specific data type. |
6922 | */ |
6923 | intptr_t mac_label_get(struct label *l, int slot); |
6924 | void mac_label_set(struct label *l, int slot, intptr_t v); |
6925 | |
6926 | #define mac_get_mpc(h) (mac_policy_list.entries[h].mpc) |
6927 | |
6928 | /** |
6929 | @name Flags for MAC allocator interfaces |
6930 | |
6931 | These flags are passed to the Darwin kernel allocator routines to |
6932 | indicate whether the allocation is permitted to block or not. |
6933 | Caution should be taken; some operations are not permitted to sleep, |
6934 | and some types of locks cannot be held when sleeping. |
6935 | */ |
6936 | |
6937 | /*@{*/ |
6938 | |
6939 | /** |
6940 | @brief Allocation operations may block |
6941 | |
6942 | If memory is not immediately available, the allocation routine |
6943 | will block (typically sleeping) until memory is available. |
6944 | |
6945 | @warning Inappropriate use of this flag may cause kernel panics. |
6946 | */ |
6947 | #define MAC_WAITOK 0 |
6948 | |
6949 | /** |
6950 | @brief Allocation operations may not block |
6951 | |
6952 | Rather than blocking, the allocator may return an error if memory |
6953 | is not immediately available. This type of allocation will not |
6954 | sleep, preserving locking semantics. |
6955 | */ |
6956 | #define MAC_NOWAIT 1 |
6957 | |
6958 | /*@}*/ |
6959 | |
6960 | #endif /* !_SECURITY_MAC_POLICY_H_ */ |
6961 | |