mac_policy.h
Includes: <security/_label.h>
Kernel Interfaces for MAC policy modules
This header defines the list of operations that are defined by the TrustedBSD MAC Framework on Darwin. MAC Policy modules register with the framework to declare interest in a specific set of operations. If interest in an entry point is not declared, then the policy will be ignored when the Framework evaluates that entry point.
Flags for the mpc_loadtime_flags field
- MPC_LOADTIME_BASE_POLICY
Flag to indicate a base policy
- MPC_LOADTIME_FLAG_LABELMBUFS
Unsupported
- MPC_LOADTIME_FLAG_NOTLATE
Flag to indicate registration preference
- MPC_LOADTIME_FLAG_UNLOADOK
Flag to indicate unload preference
- MPC_RUNTIME_FLAG_REGISTERED
Runtime flag set by the framework in mpc_runtime_flags once the policy is registered
These flags are passed to the Darwin kernel allocator routines to indicate whether the allocation is permitted to block or not. Caution should be taken; some operations are not permitted to sleep, and some types of locks cannot be held when sleeping.
- MAC_NOWAIT
Allocation operations may not block
- MAC_WAITOK
Allocation operations may block
These are the entry points corresponding to the life cycle events for kernel objects, such as initialization, creation, and destruction.
Most policies (that use labels) will initialize labels by allocating space for policy-specific data. In most cases, it is permitted to sleep during label initialization operations; it will be noted when it is not permitted.
Initialization usually will not require doing more than allocating a generic label for the given object. What follows initialization is creation, where a label is made specific to the object it is associated with. Destruction occurs when the label is no longer needed, such as when the corresponding object is destroyed. All necessary cleanup should be performed in label destroy operations.
Where possible, the label entry points have identical parameters. If the policy module does not require structure-specific label information, the same function may be registered in the policy operation vector. Many policies will implement two such generic allocation calls: one to handle sleepable requests, and one to handle potentially non-sleepable requests.
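The life cycle described above, as an added example in user-space C (this is not code from mac_policy.h, Apple, or TrustedBSD): one policy implements a sleepable label init, a flag-taking non-sleepable init in the mbuf style, an associate that specialises a child credential label from its parent, a destroy that releases only the policy's own storage, and a cred_check_visible-shaped check that answers ESRCH to hide a subject. struct label, struct ucred, kauth_cred_t, the MAC_WAITOK/MAC_NOWAIT values, the slot count and the policy's slot index (fixed at 0 instead of being assigned at registration) are stand-ins assumed by this model so it builds outside the kernel.

```c
/* Added example: user-space model of a MAC policy's label life cycle.
 * Not Apple/TrustedBSD code; kernel types and constants are stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

#define MAC_WAITOK     0      /* assumed values for this model */
#define MAC_NOWAIT     1
#define MAC_MAX_SLOTS  4      /* assumed number of per-policy slots per label */

struct label { void *l_perpolicy[MAC_MAX_SLOTS]; };
struct ucred { struct label *cr_label; };
typedef struct ucred *kauth_cred_t;

/* Policy-private data attached to every label this policy touches:
 * a single sensitivity level, 0 = lowest. */
struct mypol_data { int level; };

static unsigned int mypol_slot = 0;   /* assumed; normally assigned at registration */
#define MYPOL(l) ((struct mypol_data *)(l)->l_perpolicy[mypol_slot])

/* Test knob (model only): make MAC_NOWAIT allocations fail, the way a
 * non-blocking kernel allocation returns NULL under memory pressure. */
static int mypol_nowait_fails = 0;

static struct mypol_data *mypol_alloc(int flag)
{
    if (flag == MAC_NOWAIT && mypol_nowait_fails)
        return NULL;
    struct mypol_data *d = malloc(sizeof(*d));
    if (d != NULL)
        d->level = 0;            /* generic, object-independent initial state */
    return d;
}

/* Sleepable init (mpo_cred_label_init_t shape): used where the framework
 * says sleeping is permitted; it has no failure path. */
static void mypol_label_init(struct label *l)
{
    l->l_perpolicy[mypol_slot] = mypol_alloc(MAC_WAITOK);
}

/* Non-sleepable init (the flag-taking flavour used for mbufs): reports
 * ENOMEM instead of blocking and leaves the slot empty on failure. */
static int mypol_label_init_flagged(struct label *l, int flag)
{
    struct mypol_data *d = mypol_alloc(flag);
    l->l_perpolicy[mypol_slot] = d;
    return d == NULL ? ENOMEM : 0;
}

/* Creation (mpo_cred_label_associate_t shape): make the generic child
 * label specific by inheriting from the parent credential. */
static void mypol_cred_label_associate(kauth_cred_t parent, kauth_cred_t child)
{
    MYPOL(child->cr_label)->level = MYPOL(parent->cr_label)->level;
}

/* Destruction: free only the policy's storage; the framework owns struct
 * label itself. Clearing the slot keeps a repeated destroy harmless. */
static void mypol_label_destroy(struct label *l)
{
    free(l->l_perpolicy[mypol_slot]);
    l->l_perpolicy[mypol_slot] = NULL;
}

/* Access check (mpo_cred_check_visible_t shape): u1 sees u2 only if u1's
 * level dominates; ESRCH hides the subject rather than admitting it exists. */
static int mypol_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2)
{
    return MYPOL(u1->cr_label)->level >= MYPOL(u2->cr_label)->level ? 0 : ESRCH;
}

/* init -> associate -> check -> destroy for a parent at parent_level and an
 * unrelated subject at other_level. Returns the child's visibility result
 * for the other subject, or -1 if the inherited level was wrong. */
int mypol_lifecycle(int parent_level, int other_level)
{
    struct label pl = {{0}}, cl = {{0}}, ol = {{0}};
    struct ucred parent = { &pl }, child = { &cl }, other = { &ol };

    mypol_label_init(parent.cr_label);
    mypol_label_init(child.cr_label);
    mypol_label_init(other.cr_label);
    MYPOL(parent.cr_label)->level = parent_level;  /* e.g. set by internalize */
    MYPOL(other.cr_label)->level  = other_level;

    mypol_cred_label_associate(&parent, &child);
    int rc = MYPOL(child.cr_label)->level == parent_level
             ? mypol_cred_check_visible(&child, &other) : -1;

    mypol_label_destroy(parent.cr_label);
    mypol_label_destroy(child.cr_label);
    mypol_label_destroy(other.cr_label);
    return rc;
}

/* Exercise the non-sleepable path, optionally with the allocator forced to fail. */
int mypol_nowait_init_result(int fail)
{
    struct label l = {{0}};
    mypol_nowait_fails = fail;
    int rc = mypol_label_init_flagged(&l, MAC_NOWAIT);
    mypol_label_destroy(&l);            /* safe even when the slot stayed NULL */
    mypol_nowait_fails = 0;
    return rc;
}
```

The point of the two init flavours is the one the text makes: a policy registers the sleepable function for objects whose initialization may block and the flag-taking one where it may not, and only the latter needs an error path, because the caller of a MAC_NOWAIT initialization must be prepared to discard the object rather than wait.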
- mac_policy_conf
Mac policy configuration
- mac_policy_handle_t
MAC policy handle type
- mac_policy_ops
MAC policy operations vector (the entry points a policy registers)
- mac_policy_register
MAC policy module registration routine
- mac_policy_unregister
MAC policy module de-registration routine
- mpo_audit_check_postselect_t
Audit event postselection
- mpo_audit_check_preselect_t
Audit event preselection
- mpo_bpfdesc_check_receive_t
Check whether BPF can read from a network interface
- mpo_bpfdesc_label_associate_t
Associate a BPF descriptor with a label
- mpo_bpfdesc_label_destroy_t
Destroy BPF descriptor label
- mpo_bpfdesc_label_init_t
Initialize BPF descriptor label
- mpo_cred_check_label_update_execve_t
Indicate desire to change the process label at exec time
- mpo_cred_check_label_update_t
Access control check for relabelling processes
- mpo_cred_check_visible_t
Access control check for visibility of other subjects
- mpo_cred_label_associate_fork_t
Associate a credential with a new process at fork
- mpo_cred_label_associate_kernel_t
Label the credential of process 0, the kernel process
- mpo_cred_label_associate_t
Create a credential label
- mpo_cred_label_associate_user_t
Label the credential of process 1, the first user process (init)
- mpo_cred_label_destroy_t
Destroy credential label
- mpo_cred_label_externalize_audit_t
Externalize a user credential label for auditing
- mpo_cred_label_externalize_t
Externalize a user credential label
- mpo_cred_label_init_t
Initialize user credential label
- mpo_cred_label_internalize_t
Internalize a user credential label
- mpo_cred_label_update_execve_t
Update credential at exec time
- mpo_cred_label_update_t
Update a credential label
- mpo_devfs_label_associate_device_t
Create a new devfs device
- mpo_devfs_label_associate_directory_t
Create a new devfs directory
- mpo_devfs_label_copy_t
Copy a devfs label
- mpo_devfs_label_destroy_t
Destroy devfs label
- mpo_devfs_label_init_t
Initialize devfs label
- mpo_devfs_label_update_t
Update a devfs label after relabelling its vnode
- mpo_file_check_change_offset_t
Access control for changing the offset of a file descriptor
- mpo_file_check_create_t
Access control for creating a file descriptor
- mpo_file_check_dup_t
Access control for duplicating a file descriptor
- mpo_file_check_fcntl_t
Access control check for fcntl
- mpo_file_check_get_offset_t
Access control for getting the offset of a file descriptor
- mpo_file_check_get_t
Access control check for mac_get_fd
- mpo_file_check_inherit_t
Access control for inheriting a file descriptor
- mpo_file_check_ioctl_t
Access control check for file ioctl
- mpo_file_check_lock_t
Access control check for file locking
- mpo_file_check_mmap_downgrade_t
Downgrade the mmap protections
- mpo_file_check_mmap_t
Access control check for mapping a file
- mpo_file_check_receive_t
Access control for receiving a file descriptor
- mpo_file_check_set_t
Access control check for mac_set_fd
- mpo_file_label_associate_t
Create file label
- mpo_file_label_destroy_t
Destroy file label
- mpo_file_label_init_t
Initialize file label
- mpo_ifnet_check_label_update_t
Access control check for relabeling network interfaces
- mpo_ifnet_check_transmit_t
Access control check for transmitting a packet on a network interface
- mpo_ifnet_label_associate_t
Create a network interface label
- mpo_ifnet_label_copy_t
Copy an ifnet label
- mpo_ifnet_label_destroy_t
Destroy ifnet label
- mpo_ifnet_label_externalize_t
Externalize an ifnet label
- mpo_ifnet_label_init_t
Initialize ifnet label
- mpo_ifnet_label_internalize_t
Internalize an interface label
- mpo_ifnet_label_recycle_t
Recycle a network interface label
- mpo_ifnet_label_update_t
Update a network interface label
- mpo_inpcb_check_deliver_t
Access control check for delivering a packet to a socket
- mpo_inpcb_label_associate_t
Create an inpcb label
- mpo_inpcb_label_destroy_t
Destroy inpcb label
- mpo_inpcb_label_init_t
Initialize inpcb label
- mpo_inpcb_label_recycle_t
Recycle an inpcb label
- mpo_inpcb_label_update_t
Update an inpcb label from a socket label
- mpo_iokit_check_device_t
Device hardware access control
- mpo_ipq_label_associate_t
Create an IP reassembly queue label
- mpo_ipq_label_compare_t
Compare an mbuf header label to an ipq label
- mpo_ipq_label_destroy_t
Destroy IP reassembly queue label
- mpo_ipq_label_init_t
Initialize IP reassembly queue label
- mpo_ipq_label_update_t
Update the label on an IP fragment reassembly queue
- mpo_lctx_check_label_update_t
Access control check for relabelling Login Context
- mpo_lctx_label_destroy_t
Destroy Login Context label
- mpo_lctx_label_externalize_t
Externalize a Login Context label
- mpo_lctx_label_init_t
Initialize Login Context label
- mpo_lctx_label_internalize_t
Internalize a Login Context label
- mpo_lctx_label_update_t
Update a Login Context label
- mpo_lctx_notify_create_t
A process has created a login context
- mpo_lctx_notify_join_t
A process has joined a login context
- mpo_lctx_notify_leave_t
A process has left a login context
- mpo_mbuf_label_associate_bpfdesc_t
Assign a label to a new mbuf from a BPF descriptor label
- mpo_mbuf_label_associate_ifnet_t
Assign a label to a new mbuf from a network interface label
- mpo_mbuf_label_associate_inpcb_t
Assign a label to a new mbuf from an inpcb label
- mpo_mbuf_label_associate_ipq_t
Set the label on a newly reassembled IP datagram
- mpo_mbuf_label_associate_linklayer_t
Assign a label to a new mbuf generated by the link layer
- mpo_mbuf_label_associate_multicast_encap_t
Assign a label to a new mbuf produced by multicast encapsulation
- mpo_mbuf_label_associate_netlayer_t
Assign a label to a new mbuf generated by the network layer
- mpo_mbuf_label_associate_socket_t
Assign a label to a new mbuf generated by a socket
- mpo_mbuf_label_copy_t
Copy a mbuf label
- mpo_mbuf_label_destroy_t
Destroy mbuf label
- mpo_mbuf_label_init_t
Initialize mbuf label
- mpo_mount_check_fsctl_t
Access control check for fsctl
- mpo_mount_check_getattr_t
Access control check for the retrieval of file system attributes
- mpo_mount_check_label_update_t
Access control check for mount point relabeling
- mpo_mount_check_mount_t
Access control check for mounting a file system
- mpo_mount_check_remount_t
Access control check for remounting a filesystem
- mpo_mount_check_setattr_t
Access control check for the setting of file system attributes
- mpo_mount_check_stat_t
Access control check for file system statistics
- mpo_mount_check_umount_t
Access control check for unmounting a filesystem
- mpo_mount_label_associate_t
Create mount labels
- mpo_mount_label_destroy_t
Destroy mount label
- mpo_mount_label_externalize_t
Externalize a mount point label
- mpo_mount_label_init_t
Initialize mount point label
- mpo_mount_label_internalize_t
Internalize a mount point label
- mpo_netinet_fragment_t
Set the label on an IPv4 datagram fragment
- mpo_netinet_icmp_reply_t
Set the label on an ICMP reply
- mpo_netinet_tcp_reply_t
Set the label on a TCP reply
- mpo_pipe_check_ioctl_t
Access control check for pipe ioctl
- mpo_pipe_check_kqfilter_t
Access control check for pipe kqfilter
- mpo_pipe_check_label_update_t
Access control check for pipe relabel
- mpo_pipe_check_read_t
Access control check for pipe read
- mpo_pipe_check_select_t
Access control check for pipe select
- mpo_pipe_check_stat_t
Access control check for pipe stat
- mpo_pipe_check_write_t
Access control check for pipe write
- mpo_pipe_label_associate_t
Create a pipe label
- mpo_pipe_label_copy_t
Copy a pipe label
- mpo_pipe_label_destroy_t
Destroy pipe label
- mpo_pipe_label_externalize_t
Externalize a pipe label
- mpo_pipe_label_init_t
Initialize pipe label
- mpo_pipe_label_internalize_t
Internalize a pipe label
- mpo_pipe_label_update_t
Update a pipe label
- mpo_policy_destroy_t
Policy unload event
- mpo_policy_init_t
Policy initialization event
- mpo_policy_initbsd_t
Policy BSD initialization event
- mpo_policy_syscall_t
Policy extension service
- mpo_port_check_copy_send_t
Access control check for copying a send right to another task
- mpo_port_check_hold_receive_t
Access control check for obtaining a receive right
- mpo_port_check_hold_send_once_t
Access control check for obtaining a send once right
- mpo_port_check_hold_send_t
Access control check for obtaining a send right
- mpo_port_check_label_update_t
Access control check for relabelling ports
- mpo_port_check_make_send_once_t
Access control check for producing a send once right from a receive right
- mpo_port_check_make_send_t
Access control check for producing a send right from a receive right
- mpo_port_check_method_t
Compute access control check for a Mach message-based service
- mpo_port_check_move_receive_t
Access control check for transferring a receive right
- mpo_port_check_move_send_once_t
Access control check for transferring a send once right
- mpo_port_check_move_send_t
Access control check for transferring a send right
- mpo_port_check_receive_t
Access control check for receiving Mach messages
- mpo_port_check_send_t
Access control check for sending Mach messages
- mpo_port_check_service_t
Generic access control check
- mpo_port_label_associate_kernel_t
Assign a label to a new Mach port created by the kernel
- mpo_port_label_associate_t
Assign a label to a new Mach port
- mpo_port_label_compute_t
Request label for new (userspace) object
- mpo_port_label_copy_t
Copy a Mach port label
- mpo_port_label_destroy_t
Destroy Mach port label
- mpo_port_label_init_t
Initialize Mach port label
- mpo_port_label_update_cred_t
Update a Mach task port label
- mpo_port_label_update_kobject_t
Assign a label to a Mach port connected to a kernel object
- mpo_posixsem_check_create_t
Access control check for POSIX semaphore create
- mpo_posixsem_check_open_t
Access control check for POSIX semaphore open
- mpo_posixsem_check_post_t
Access control check for POSIX semaphore post
- mpo_posixsem_check_unlink_t
Access control check for POSIX semaphore unlink
- mpo_posixsem_check_wait_t
Access control check for POSIX semaphore wait
- mpo_posixsem_label_associate_t
Create a POSIX semaphore label
- mpo_posixsem_label_destroy_t
Destroy POSIX semaphore label
- mpo_posixsem_label_init_t
Initialize POSIX semaphore label
- mpo_posixshm_check_create_t
Access control check for POSIX shared memory region create
- mpo_posixshm_check_mmap_t
Access control check for mapping POSIX shared memory
- mpo_posixshm_check_open_t
Access control check for POSIX shared memory region open
- mpo_posixshm_check_stat_t
Access control check for POSIX shared memory stat
- mpo_posixshm_check_truncate_t
Access control check for POSIX shared memory truncate
- mpo_posixshm_check_unlink_t
Access control check for POSIX shared memory unlink
- mpo_posixshm_label_associate_t
Create a POSIX shared memory region label
- mpo_posixshm_label_destroy_t
Destroy POSIX shared memory label
- mpo_posixshm_label_init_t
Initialize POSIX Shared Memory region label
- mpo_proc_check_debug_t
Access control check for debugging process
- mpo_proc_check_fork_t
Access control over fork
- mpo_proc_check_get_task_name_t
Access control check for getting a process's task name
- mpo_proc_check_get_task_t
Access control check for getting a process's task port
- mpo_proc_check_getaudit_t
Access control check for retrieving audit information
- mpo_proc_check_getauid_t
Access control check for retrieving audit user ID
- mpo_proc_check_getlcid_t
Access control check for retrieving Login Context ID
- mpo_proc_check_mprotect_t
Access control check for setting memory protections
- mpo_proc_check_sched_t
Access control check for changing scheduling parameters
- mpo_proc_check_setaudit_t
Access control check for setting audit information
- mpo_proc_check_setauid_t
Access control check for setting audit user ID
- mpo_proc_check_setlcid_t
Access control check for setting the Login Context
- mpo_proc_check_signal_t
Access control check for delivering signal
- mpo_proc_check_wait_t
Access control check for wait
- mpo_proc_label_destroy_t
Destroy process label
- mpo_proc_label_init_t
Initialize process label
- mpo_socket_check_accept_t
Access control check for socket accept
- mpo_socket_check_accepted_t
Access control check for a pending socket accept
- mpo_socket_check_bind_t
Access control check for socket bind
- mpo_socket_check_connect_t
Access control check for socket connect
- mpo_socket_check_create_t
Access control check for socket() system call.
- mpo_socket_check_deliver_t
Access control check for delivering data to a user's receive queue
- mpo_socket_check_getsockopt_t
Access control check for getting socket options
- mpo_socket_check_kqfilter_t
Access control check for socket kqfilter
- mpo_socket_check_label_update_t
Access control check for socket relabel
- mpo_socket_check_listen_t
Access control check for socket listen
- mpo_socket_check_receive_t
Access control check for socket receive
- mpo_socket_check_received_t
Access control check for socket receive
- mpo_socket_check_select_t
Access control check for socket select
- mpo_socket_check_send_t
Access control check for socket send
- mpo_socket_check_setsockopt_t
Access control check for setting socket options
- mpo_socket_check_stat_t
Access control check for retrieving socket status
- mpo_socket_label_associate_accept_t
Label a socket
- mpo_socket_label_associate_t
Assign a label to a new socket
- mpo_socket_label_copy_t
Copy a socket label
- mpo_socket_label_destroy_t
Destroy socket label
- mpo_socket_label_externalize_t
Externalize a socket label
- mpo_socket_label_init_t
Initialize socket label
- mpo_socket_label_internalize_t
Internalize a socket label
- mpo_socket_label_update_t
Relabel socket
- mpo_socketpeer_label_associate_mbuf_t
Set the peer label on a socket from mbuf
- mpo_socketpeer_label_associate_socket_t
Set the peer label on a socket from socket
- mpo_socketpeer_label_destroy_t
Destroy socket peer label
- mpo_socketpeer_label_externalize_t
Externalize a socket peer label
- mpo_socketpeer_label_init_t
Initialize socket peer label
- mpo_system_check_acct_t
Access control check for enabling accounting
- mpo_system_check_audit_t
Access control check for audit
- mpo_system_check_auditctl_t
Access control check for controlling audit
- mpo_system_check_auditon_t
Access control check for manipulating auditing
- mpo_system_check_host_priv_t
Access control check for obtaining the host control port
- mpo_system_check_nfsd_t
Access control check for calling NFS services
- mpo_system_check_reboot_t
Access control check for reboot
- mpo_system_check_settime_t
Access control check for setting system clock
- mpo_system_check_swapoff_t
Access control check for removing swap devices
- mpo_system_check_swapon_t
Access control check for adding swap devices
- mpo_system_check_sysctl_t
Access control check for sysctl
- mpo_sysvmsg_label_associate_t
Create a System V message label
- mpo_sysvmsg_label_destroy_t
Destroy System V message label
- mpo_sysvmsg_label_init_t
Initialize System V message label
- mpo_sysvmsg_label_recycle_t
Clean up a System V message label
- mpo_sysvmsq_check_enqueue_t
Access control check for System V message enqueuing
- mpo_sysvmsq_check_msgrcv_t
Access control check for System V message reception
- mpo_sysvmsq_check_msgrmid_t
Access control check for System V message queue removal
- mpo_sysvmsq_check_msqctl_t
Access control check for msgctl()
- mpo_sysvmsq_check_msqget_t
Access control check to get a System V message queue
- mpo_sysvmsq_check_msqrcv_t
Access control check to receive a System V message from the given queue
- mpo_sysvmsq_check_msqsnd_t
Access control check to send a System V message to the given queue
- mpo_sysvmsq_label_associate_t
Create a System V message queue label
- mpo_sysvmsq_label_destroy_t
Destroy System V message queue label
- mpo_sysvmsq_label_init_t
Initialize System V message queue label
- mpo_sysvmsq_label_recycle_t
Clean up a System V message queue label
- mpo_sysvsem_check_semctl_t
Access control check for System V semaphore control operation
- mpo_sysvsem_check_semget_t
Access control check for obtaining a System V semaphore
- mpo_sysvsem_check_semop_t
Access control check for System V semaphore operations
- mpo_sysvsem_label_associate_t
Create a System V semaphore label
- mpo_sysvsem_label_destroy_t
Destroy System V semaphore label
- mpo_sysvsem_label_init_t
Initialize System V semaphore label
- mpo_sysvsem_label_recycle_t
Clean up a System V semaphore label
- mpo_sysvshm_check_shmat_t
Access control check for mapping System V shared memory
- mpo_sysvshm_check_shmctl_t
Access control check for System V shared memory control operation
- mpo_sysvshm_check_shmdt_t
Access control check for unmapping System V shared memory
- mpo_sysvshm_check_shmget_t
Access control check for obtaining a System V shared memory identifier
- mpo_sysvshm_label_associate_t
Create a System V shared memory region label
- mpo_sysvshm_label_destroy_t
Destroy System V shared memory label
- mpo_sysvshm_label_init_t
Initialize System V Shared Memory region label
- mpo_sysvshm_label_recycle_t
Clean up a System V shared memory region label
- mpo_task_label_associate_kernel_t
Assign a label to a new kernelspace Mach task
- mpo_task_label_associate_t
Assign a label to a new (userspace) Mach task
- mpo_task_label_copy_t
Copy a Mach task label
- mpo_task_label_destroy_t
Destroy Mach task label
- mpo_task_label_externalize_t
Externalize a task label
- mpo_task_label_init_t
Initialize Mach task label
- mpo_task_label_internalize_t
Internalize a task label
- mpo_task_label_update_t
Update a Mach task label
- mpo_thread_userret_t
Perform MAC-related events when a thread returns to user space
- mpo_vnode_check_access_t
Check vnode access
- mpo_vnode_check_chdir_t
Access control check for changing working directory
- mpo_vnode_check_chroot_t
Access control check for changing root directory
- mpo_vnode_check_create_t
Access control check for creating vnode
- mpo_vnode_check_deleteextattr_t
Access control check for deleting extended attribute
- mpo_vnode_check_exchangedata_t
Access control check for exchanging file data
- mpo_vnode_check_exec_t
Access control check for executing the vnode
- mpo_vnode_check_getattrlist_t
Access control check for retrieving file attributes
- mpo_vnode_check_getextattr_t
Access control check for retrieving an extended attribute
- mpo_vnode_check_ioctl_t
Access control check for ioctl
- mpo_vnode_check_kqfilter_t
Access control check for vnode kqfilter
- mpo_vnode_check_label_update_t
Access control check for relabel
- mpo_vnode_check_link_t
Access control check for creating link
- mpo_vnode_check_listextattr_t
Access control check for listing extended attributes
- mpo_vnode_check_lookup_t
Access control check for lookup
- mpo_vnode_check_open_t
Access control check for open
- mpo_vnode_check_read_t
Access control check for read
- mpo_vnode_check_readdir_t
Access control check for read directory
- mpo_vnode_check_readlink_t
Access control check for read link
- mpo_vnode_check_rename_from_t
Access control check for rename from
- mpo_vnode_check_rename_to_t
Access control check for rename to
- mpo_vnode_check_revoke_t
Access control check for revoke
- mpo_vnode_check_select_t
Access control check for select
- mpo_vnode_check_setattrlist_t
Access control check for setting file attributes
- mpo_vnode_check_setextattr_t
Access control check for setting extended attribute
- mpo_vnode_check_setflags_t
Access control check for setting flags
- mpo_vnode_check_setmode_t
Access control check for setting mode
- mpo_vnode_check_setowner_t
Access control check for setting uid and gid
- mpo_vnode_check_setutimes_t
Access control check for setting timestamps
- mpo_vnode_check_stat_t
Access control check for stat
- mpo_vnode_check_truncate_t
Access control check for truncate/ftruncate
- mpo_vnode_check_unlink_t
Access control check for deleting vnode
- mpo_vnode_check_write_t
Access control check for write
- mpo_vnode_label_associate_devfs_t
Associate a vnode with a devfs entry
- mpo_vnode_label_associate_extattr_t
Associate a label with a vnode
- mpo_vnode_label_associate_file_t
Associate a file label with a vnode
- mpo_vnode_label_associate_pipe_t
Associate a pipe label with a vnode
- mpo_vnode_label_associate_posixsem_t
Associate a POSIX semaphore label with a vnode
- mpo_vnode_label_associate_posixshm_t
Associate a POSIX shared memory label with a vnode
- mpo_vnode_label_associate_singlelabel_t
Associate a label with a vnode
- mpo_vnode_label_associate_socket_t
Associate a socket label with a vnode
- mpo_vnode_label_copy_t
Copy a vnode label
- mpo_vnode_label_destroy_t
Destroy vnode label
- mpo_vnode_label_externalize_audit_t
Externalize a vnode label for auditing
- mpo_vnode_label_externalize_t
Externalize a vnode label
- mpo_vnode_label_init_t
Initialize vnode label
- mpo_vnode_label_internalize_t
Internalize a vnode label
- mpo_vnode_label_recycle_t
Clean up a vnode label
- mpo_vnode_label_store_t
Write a label to an extended attribute
- mpo_vnode_label_update_extattr_t
Update vnode label from extended attributes
- mpo_vnode_label_update_t
Update a vnode label
- mpo_vnode_notify_create_t
Create a new vnode, backed by extended attributes
mac_policy_register
MAC policy module registration routine
int mac_policy_register( struct mac_policy_conf *mpc, mac_policy_handle_t *handlep, void *xd);
This function is called to register a policy with the MAC framework. A policy module will typically call this from the Darwin KEXT registration routine.
mac_policy_unregister
MAC policy module de-registration routine
int mac_policy_unregister( mac_policy_handle_t handle);
This function is called to de-register a policy with the MAC framework. A policy module will typically call this from the Darwin KEXT de-registration routine.
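The registration and de-registration routines, together with the mpc_loadtime_flags listed earlier, as an added example in user-space C (this is not the framework's code, nor Apple's or TrustedBSD's): a stand-in struct mac_policy_conf carrying the header's field names, a model mac_policy_register() that hands out a handle and sets MPC_RUNTIME_FLAG_REGISTERED, a model mac_policy_unregister() that refuses to unload a policy that did not set MPC_LOADTIME_FLAG_UNLOADOK, and a KEXT start/stop pair that calls them. The flag bit values, the registry size, the mac_late switch that closes boot-time registration, and the specific errno values chosen (EEXIST, EPERM, EBUSY, ENOENT) are assumptions of this model.

```c
/* Added example: user-space model of MAC policy (de)registration.
 * Not Apple/TrustedBSD code; flag values and errnos are model assumptions. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define MPC_LOADTIME_FLAG_NOTLATE    0x01   /* assumed bit values */
#define MPC_LOADTIME_FLAG_UNLOADOK   0x02
#define MPC_RUNTIME_FLAG_REGISTERED  0x01
#define MAC_MAX_POLICIES             8      /* assumed registry size */

typedef unsigned int mac_policy_handle_t;
struct mac_policy_ops;                       /* entry-point vector; opaque here */

/* Subset of struct mac_policy_conf using the header's field names. */
struct mac_policy_conf {
    const char            *mpc_name;          /* short, unique policy name */
    const char            *mpc_fullname;
    const char           **mpc_labelnames;    /* label namespaces the policy owns */
    unsigned int           mpc_labelname_count;
    struct mac_policy_ops *mpc_ops;
    int                    mpc_loadtime_flags;
    int                    mpc_runtime_flags; /* maintained by the framework */
};

static struct mac_policy_conf *mac_policy_list[MAC_MAX_POLICIES];
static int mac_late = 0;   /* model: set once boot-time registration has closed */

int mac_policy_register(struct mac_policy_conf *mpc, mac_policy_handle_t *handlep, void *xd)
{
    (void)xd;                                /* policy-private data; unused here */
    if (mpc == NULL || mpc->mpc_name == NULL || handlep == NULL)
        return EINVAL;
    if (mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED)
        return EEXIST;
    /* NOTLATE: the policy only makes sense if it was present from boot. */
    if (mac_late && (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE))
        return EPERM;
    for (unsigned int i = 0; i < MAC_MAX_POLICIES; i++)
        if (mac_policy_list[i] && strcmp(mac_policy_list[i]->mpc_name, mpc->mpc_name) == 0)
            return EEXIST;                   /* names must be unique */
    for (unsigned int i = 0; i < MAC_MAX_POLICIES; i++) {
        if (mac_policy_list[i] == NULL) {
            mac_policy_list[i] = mpc;
            mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
            *handlep = i;                    /* the handle identifies the loaded policy */
            return 0;
        }
    }
    return ENOMEM;
}

int mac_policy_unregister(mac_policy_handle_t handle)
{
    if (handle >= MAC_MAX_POLICIES || mac_policy_list[handle] == NULL)
        return ENOENT;
    struct mac_policy_conf *mpc = mac_policy_list[handle];
    /* Without UNLOADOK the policy stays resident: its labels may still be live. */
    if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0)
        return EBUSY;
    mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
    mac_policy_list[handle] = NULL;
    return 0;
}

/* What a KEXT's start/stop routines do: fill in the conf and (un)register. */
static const char *mypol_labelnames[] = { "mypol" };
static struct mac_policy_conf mypol_conf = {
    .mpc_name            = "mypol",
    .mpc_fullname        = "Example unloadable policy",
    .mpc_labelnames      = mypol_labelnames,
    .mpc_labelname_count = 1,
    .mpc_ops             = NULL,     /* would point at the policy's ops vector */
    .mpc_loadtime_flags  = MPC_LOADTIME_FLAG_UNLOADOK,
};
static mac_policy_handle_t mypol_handle;

int mypol_kext_start(void) { return mac_policy_register(&mypol_conf, &mypol_handle, NULL); }
int mypol_kext_stop(void)  { return mac_policy_unregister(mypol_handle); }

/* Two more constructed policies for contrast: one that must load early and
 * never unloads, and one that asks to load early after boot has completed. */
static struct mac_policy_conf resident_conf = {
    .mpc_name = "resident", .mpc_fullname = "Boot-time resident policy",
    .mpc_loadtime_flags = MPC_LOADTIME_FLAG_NOTLATE,
};
static struct mac_policy_conf late_conf = {
    .mpc_name = "late", .mpc_fullname = "Loaded too late",
    .mpc_loadtime_flags = MPC_LOADTIME_FLAG_NOTLATE,
};
static mac_policy_handle_t resident_handle, late_handle;
```

The practical consequence for a policy author is the one the flag descriptions hint at: a policy that owns labels on long-lived objects should not set MPC_LOADTIME_FLAG_UNLOADOK, because after unload the framework would still hold slots the policy initialized and nothing would be left to destroy them.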
kauth_cred_t
typedef struct ucred *kauth_cred_t;
mac_policy_handle_t
MAC policy handle type
typedef unsigned int mac_policy_handle_t;
The MAC handle is used to uniquely identify a loaded policy within the MAC Framework.
A variable of this type is set by mac_policy_register().
mpo_audit_check_postselect_t
Audit event postselection
typedef int mpo_audit_check_postselect_t( kauth_cred_t cred, unsigned short syscode, void *args, int error, int retval );
cred
Subject credential
syscode
Syscall number
args
Syscall arguments
error
Syscall errno
retval
Syscall return value
This is the MAC Framework audit postselect, which is called before exiting a syscall to determine if an audit event should be committed. A return value of MAC_AUDIT_NO forces the audit record to be suppressed. Any other return value results in the audit record being committed.
WARNING:
The suppression behavior will probably go away in Apple's future version of the audit implementation.
Return MAC_AUDIT_NO to force suppression of the audit record. Any other value results in the audit record being committed.
mpo_audit_check_preselect_t
Audit event preselection
typedef int mpo_audit_check_preselect_t( kauth_cred_t cred, unsigned short syscode, void *args );
cred
Subject credential
syscode
Syscall number
args
Syscall arguments
This is the MAC Framework audit preselect, which is called before a syscall is entered to determine if an audit event should be created. If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be returned. A return value of MAC_AUDIT_NO causes the audit record to be suppressed. Returning MAC_AUDIT_DEFAULT indicates that the policy wants to defer to the system's existing preselection mechanism.
When policies return different preferences, the Framework decides what action to take based on the following policy. If any policy returns MAC_AUDIT_YES, then create an audit record; else if any policy returns MAC_AUDIT_NO, then suppress the creation of an audit record; else defer to the system's existing preselection mechanism.
WARNING:
The audit implementation in Apple's current version is incomplete, so the MAC policies have priority over the system's existing mechanisms. This will probably change in the future version where the audit implementation is more complete.
Return MAC_AUDIT_YES to force auditing of the syscall, MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT to allow auditing mechanisms to determine if the syscall is audited.
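The composition rule above, as an added example in user-space C (not the framework's code, nor Apple's or TrustedBSD's): three constructed policies register a preselect entry point, and a model of the framework folds their answers so that any MAC_AUDIT_YES wins, otherwise any MAC_AUDIT_NO wins, otherwise the decision is deferred. The MAC_AUDIT_* values, the kauth_cred_t stand-in (only a uid), and the two syscall numbers used by the sample policies are assumptions of this model, not Darwin's real constants.

```c
/* Added example: model of the framework's audit preselect composition.
 * Not Apple/TrustedBSD code; constants and syscall numbers are assumed. */
#include <stddef.h>

#define MAC_AUDIT_DEFAULT 0   /* assumed values for this model */
#define MAC_AUDIT_YES     1
#define MAC_AUDIT_NO      2

struct ucred { unsigned int cr_uid; };
typedef struct ucred *kauth_cred_t;

typedef int mpo_audit_check_preselect_t(kauth_cred_t cred, unsigned short syscode, void *args);

/* Hypothetical syscall numbers for the sample policies; not Darwin's table. */
#define SYS_noisy_read   3
#define SYS_setuid_like  23

/* Policy A: every syscall made by uid 0 is audited, whatever the system mask says. */
static int polA_preselect(kauth_cred_t cred, unsigned short syscode, void *args)
{
    (void)syscode; (void)args;
    return cred->cr_uid == 0 ? MAC_AUDIT_YES : MAC_AUDIT_DEFAULT;
}

/* Policy B: a noise filter that suppresses one chatty syscall. */
static int polB_preselect(kauth_cred_t cred, unsigned short syscode, void *args)
{
    (void)cred; (void)args;
    return syscode == SYS_noisy_read ? MAC_AUDIT_NO : MAC_AUDIT_DEFAULT;
}

/* Policy C registered the entry point but has no opinion: it always defers. */
static int polC_preselect(kauth_cred_t cred, unsigned short syscode, void *args)
{
    (void)cred; (void)syscode; (void)args;
    return MAC_AUDIT_DEFAULT;
}

/* Model of the framework's table of policies that declared interest in this entry point. */
static mpo_audit_check_preselect_t *mac_preselect_hooks[] = {
    polA_preselect, polB_preselect, polC_preselect,
};

/* Composition: YES is checked before NO so a suppressing policy can never
 * override a forcing one; DEFAULT only survives if nobody objected. */
int mac_audit_check_preselect(kauth_cred_t cred, unsigned short syscode, void *args)
{
    int decision = MAC_AUDIT_DEFAULT;
    for (size_t i = 0; i < sizeof mac_preselect_hooks / sizeof mac_preselect_hooks[0]; i++) {
        int r = mac_preselect_hooks[i](cred, syscode, args);
        if (r == MAC_AUDIT_YES)
            return MAC_AUDIT_YES;        /* short-circuit: a record is forced */
        if (r == MAC_AUDIT_NO)
            decision = MAC_AUDIT_NO;     /* remember, but keep looking for a YES */
    }
    return decision;
}

/* What the syscall path wants: a yes/no, falling back to the system's own
 * preselection result (system_preselected) only when every policy deferred. */
int mac_audit_should_record(kauth_cred_t cred, unsigned short syscode, void *args,
                            int system_preselected)
{
    switch (mac_audit_check_preselect(cred, syscode, args)) {
    case MAC_AUDIT_YES: return 1;
    case MAC_AUDIT_NO:  return 0;
    default:            return system_preselected;
    }
}

/* Constructed subjects for the walkthrough. */
static struct ucred root_cred = { 0 };
static struct ucred user_cred = { 501 };
```

With these three policies, root issuing the noisy syscall is still audited (A's YES beats B's NO), an ordinary user issuing it is not (B's NO beats C's DEFAULT), and an ordinary user issuing anything else is left to the system's own preselection mask.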
mpo_bpfdesc_check_receive_t
Check whether BPF can read from a network interface
typedef int mpo_bpfdesc_check_receive_t( struct bpf_d *bpf_d, struct label *bpflabel, struct ifnet *ifp, struct label *ifnetlabel );
bpf_d
Subject; the BPF descriptor
bpflabel
Policy label for bpf_d
ifp
Object; the network interface
ifnetlabel
Policy label for ifp
Determine whether the MAC framework should permit datagrams from the passed network interface to be delivered to the buffers of the passed BPF descriptor. Return (0) for success, or an errno value for failure. Suggested failure: EACCES for label mismatches, EPERM for lack of privilege.
mpo_bpfdesc_label_associate_t
Associate a BPF descriptor with a label
typedef void mpo_bpfdesc_label_associate_t( kauth_cred_t cred, struct bpf_d *bpf_d, struct label *bpflabel );
cred
User credential creating the BPF descriptor
bpf_d
The BPF descriptor
bpflabel
The new label
Set the label on a newly created BPF descriptor from the passed subject credential. This call will be made when a BPF device node is opened by a process with the passed subject credential.
mpo_bpfdesc_label_destroy_t
Destroy BPF descriptor label
typedef void mpo_bpfdesc_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a BPF descriptor label. Since the BPF descriptor is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_bpfdesc_label_init_t
Initialize BPF descriptor label
typedef void mpo_bpfdesc_label_init_t( struct label *label );
label
New label to initialize
Initialize the label for a newly instantiated BPF descriptor. Sleeping is permitted.
mpo_cred_check_label_update_execve_t
Indicate desire to change the process label at exec time
typedef int mpo_cred_check_label_update_execve_t( kauth_cred_t old, struct vnode *vp, struct label *vnodelabel, struct label *scriptvnodelabel, struct label *execlabel, struct proc *proc );
old
Existing subject credential
vp
File being executed
vnodelabel
Label corresponding to vp
scriptvnodelabel
Script vnode label
execlabel
Userspace provided execution label
proc
Object process
Indicate whether this policy intends to update the label of a newly created credential from the existing subject credential (old). This call occurs when a process executes the passed vnode. If a policy returns non-zero (a transition is required) from this entry point, the mpo_cred_label_update_execve entry point will later be called with the same parameters. Access has already been checked via the mpo_vnode_check_exec entry point; this entry point is necessary to preserve kernel locking constraints during program execution.
The supplied vnode and vnodelabel correspond with the file actually being executed; in the case that the file is interpreted (for example, a script), the label of the original exec-time vnode has been preserved in scriptvnodelabel.
The final label, execlabel, corresponds to a label supplied by a user space application through the use of the mac_execve system call.
No changes should be made to the old credential structure.
WARNING:
Even if a policy returns 0, it should behave correctly in the presence of an invocation of mpo_cred_label_update_execve, as that call may happen as a result of another policy requesting a transition.
Non-zero if a transition is required, 0 otherwise.
mpo_cred_check_label_update_t
Access control check for relabelling processes
typedef int mpo_cred_check_label_update_t( kauth_cred_t cred, struct label *newlabel );
cred
Subject credential
newlabel
New label to apply to the user credential
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_cred_check_visible_t
Access control check for visibility of other subjects
typedef int mpo_cred_check_visible_t( kauth_cred_t u1, kauth_cred_t u2 );
u1
Subject credential
u2
Object credential
Determine whether the subject identified by the credential u1 can "see" other subjects with the passed subject credential u2. This call may be made in a number of situations, including inter-process status sysctls used by ps, and in procfs lookups.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to hide visibility.
mpo_cred_label_associate_fork_t
Associate a credential with a new process at fork
typedef void mpo_cred_label_associate_fork_t( kauth_cred_t cred, proc_t proc );
cred
Credential to be inherited by the new process
proc
the new process
Allow a process to associate the credential with a new process for reference counting purposes. NOTE: the credential can be dis-associated in ways other than exit, so this strategy is flawed; policies should instead catch the label destroy callback.
mpo_cred_label_associate_kernel_t
Create the first process
typedef void mpo_cred_label_associate_kernel_t( kauth_cred_t cred );
cred
Subject credential to be labeled
Create the subject credential of process 0, the parent of all BSD kernel processes. Policies should update the label in the previously initialized credential structure.
mpo_cred_label_associate_t
Create a credential label
typedef void mpo_cred_label_associate_t( kauth_cred_t parent_cred, kauth_cred_t child_cred );
parent_cred
Parent credential
child_cred
Child credential
Set the label of a newly created credential, most likely using the information in the supplied parent credential.
WARNING:
This call is made when crcopy or crdup is invoked on a newly created struct ucred, and should not be confused with a process fork or creation event.
mpo_cred_label_associate_user_t
Create the first process
typedef void mpo_cred_label_associate_user_t( kauth_cred_t cred );
cred
Subject credential to be labeled
Create the subject credential of process 1, the parent of all BSD user processes. Policies should update the label in the previously initialized credential structure. This is the 'init' process.
mpo_cred_label_destroy_t |
Destroy credential label
typedef void mpo_cred_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a user credential label. Since the user credential is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_cred_label_externalize_audit_t |
Externalize a user credential label for auditing
typedef int mpo_cred_label_externalize_audit_t( struct label *label, char *element_name, struct sbuf *sb );
label
Label to be externalized
element_name
Name of the label namespace for which labels should be externalized
sb
String buffer to be filled with a text representation of the label
Produce an external representation of the label on a user credential for inclusion in an audit record. An externalized label consists of a text representation of the label contents that will be added to the audit record as part of a text token. Policy-agnostic user space tools will display this externalized version.
0 on success, return non-zero if an error occurs while externalizing the label data.
mpo_cred_label_externalize_t |
Externalize a user credential label
typedef int mpo_cred_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );
label
Label to be externalized
element_name
Name of the label namespace for which labels should be externalized
sb
String buffer to be filled with a text representation of the label
Produce an external representation of the label on a user credential. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.
0 on success, return non-zero if an error occurs while externalizing the label data.
mpo_cred_label_init_t |
Initialize user credential label
typedef void mpo_cred_label_init_t( struct label *label );
label
New label to initialize
Initialize the label for a newly instantiated user credential. Sleeping is permitted.
mpo_cred_label_internalize_t |
Internalize a user credential label
typedef int mpo_cred_label_internalize_t( struct label *label, char *element_name, char *element_data );
label
Label to be internalized
element_name
Name of the label namespace for which the label should be internalized
element_data
Text data to be internalized
Produce a user credential label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward the text version to the kernel for processing by individual policy modules.
The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.
0 on success; otherwise, return non-zero if an error occurs while internalizing the label data.
mpo_cred_label_update_execve_t |
Update credential at exec time
Update the label of a newly created credential (new) from the existing subject credential (old). This call occurs when a process executes the passed vnode and one of the loaded policy modules has returned success from the mpo_cred_check_label_update_execve entry point. Access has already been checked via the mpo_vnode_check_exec entry point; this entry point is only used to update any policy state.
The supplied vnode and vnodelabel correspond with the file actually being executed; in the case that the file is interpreted (for example, a script), the label of the original exec-time vnode has been preserved in scriptvnodelabel.
The final label, execlabel, corresponds to a label supplied by a user space application through the use of the mac_execve system call.
No changes should be made to the old credential structure.
typedef void mpo_cred_label_update_execve_t( kauth_cred_t old_cred, kauth_cred_t new_cred, struct vnode *vp, struct label *vnodelabel, struct label *scriptvnodelabel, struct label *execlabel );
old_cred
Existing subject credential
new_cred
New subject credential to be labeled
vp
File being executed
vnodelabel
Label corresponding to vp
scriptvnodelabel
Script vnode label
execlabel
Userspace provided execution label
mpo_cred_label_update_t |
Update a credential label
typedef void mpo_cred_label_update_t( kauth_cred_t cred, struct label *newlabel );
cred
The existing credential
newlabel
A new label to apply to the credential
mpo_devfs_label_associate_device_t |
Create a new devfs device
typedef void mpo_devfs_label_associate_device_t( dev_t dev, struct devnode *de, struct label *label, const char *fullpath );
dev
Major and minor numbers of special file
de
"inode" of new device file
label
Destination label
fullpath
Path relative to mount (e.g. /dev) of new device file
This entry point labels a new devfs device. The label will likely be based on the path to the device, or the major and minor numbers. The policy should store an appropriate label into 'label'.
mpo_devfs_label_associate_directory_t |
Create a new devfs directory
typedef void mpo_devfs_label_associate_directory_t( const char *dirname, int dirnamelen, struct devnode *de, struct label *label, const char *fullpath );
dirname
Name of new directory
dirnamelen
Length of 'dirname'
de
"inode" of new directory
label
Destination label
fullpath
Path relative to mount (e.g. /dev) of new directory
This entry point labels a new devfs directory. The label will likely be based on the path of the new directory. The policy should store an appropriate label into 'label'. The devfs root directory is labelled in this way.
mpo_devfs_label_copy_t |
Copy a devfs label
typedef void mpo_devfs_label_copy_t( struct label *src, struct label *dest );
src
Source devfs label
dest
Destination devfs label
Copy the label information from src to dest. The devfs file system often duplicates (splits) existing device nodes rather than creating new ones.
mpo_devfs_label_destroy_t |
Destroy devfs label
typedef void mpo_devfs_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a devfs entry label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_devfs_label_init_t |
Initialize devfs label
typedef void mpo_devfs_label_init_t( struct label *label );
label
New label to initialize
Initialize the label for a newly instantiated devfs entry. Sleeping is permitted.
mpo_devfs_label_update_t |
Update a devfs label after relabelling its vnode
typedef void mpo_devfs_label_update_t( struct mount *mp, struct devnode *de, struct label *delabel, struct vnode *vp, struct label *vnodelabel );
mp
Devfs mount point
de
Affected devfs directory entry
delabel
Label of devfs directory entry
vp
Vnode associated with de
vnodelabel
New label of vnode
Update a devfs label when its vnode is manually relabelled, for example with setfmac(1). Typically, this will simply copy the vnode label into the devfs label.
mpo_file_check_change_offset_t |
Access control for changing the offset of a file descriptor
typedef int mpo_file_check_change_offset_t( kauth_cred_t cred, struct fileglob *fg, struct label *label );
cred
Subject credential
fg
Fileglob structure
label
Policy label for fg
Determine whether the subject identified by the credential can change the offset of the file represented by fg.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_file_check_create_t |
Access control for creating a file descriptor
typedef int mpo_file_check_create_t( kauth_cred_t cred );
cred
Subject credential
Determine whether the subject identified by the credential can allocate a new file descriptor.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_file_check_dup_t |
Access control for duplicating a file descriptor
typedef int mpo_file_check_dup_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int newfd );
cred
Subject credential
fg
Fileglob structure
label
Policy label for fg
newfd
New file descriptor number
Determine whether the subject identified by the credential can duplicate the fileglob structure represented by fg and as file descriptor number newfd.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_file_check_fcntl_t |
Access control check for fcntl
typedef int mpo_file_check_fcntl_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int cmd, user_long_t arg );
cred
Subject credential
fg
Fileglob structure
label
Policy label for fg
cmd
Control operation to be performed; see fcntl(2)
arg
fcntl arguments; see fcntl(2)
Determine whether the subject identified by the credential can perform the file control operation indicated by cmd.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_file_check_get_offset_t |
Access control for getting the offset of a file descriptor
typedef int mpo_file_check_get_offset_t( kauth_cred_t cred, struct fileglob *fg, struct label *label );
cred
Subject credential
fg
Fileglob structure
label
Policy label for fg
Determine whether the subject identified by the credential can get the offset of the file represented by fg.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_file_check_get_t |
Access control check for mac_get_fd
typedef int mpo_file_check_get_t( kauth_cred_t cred, struct fileglob *fg, char *elements, int len );
cred
Subject credential
fg
Fileglob structure
elements
Element buffer
len
Length of buffer
Determine whether the subject identified by the credential should be allowed to get an externalized version of the label on the object indicated by fd.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_file_check_inherit_t |
Access control for inheriting a file descriptor
typedef int mpo_file_check_inherit_t( kauth_cred_t cred, struct fileglob *fg, struct label *label );
cred
Subject credential
fg
Fileglob structure
label
Policy label for fg
Determine whether the subject identified by the credential can inherit the fileglob structure represented by fg.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_file_check_ioctl_t |
Access control check for file ioctl
typedef int mpo_file_check_ioctl_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, unsigned int cmd );
cred
Subject credential
fg
Fileglob structure
label
Policy label for fg
cmd
The ioctl command; see ioctl(2)
Determine whether the subject identified by the credential can perform the ioctl operation indicated by cmd.
WARNING:
Since ioctl data is opaque from the standpoint of the MAC framework, policies must exercise extreme care when implementing access control checks.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_file_check_lock_t |
Access control check for file locking
typedef int mpo_file_check_lock_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int op, struct flock *fl );
cred
Subject credential
fg
Fileglob structure
label
Policy label for fg
op
The lock operation (F_GETLK, F_SETLK, F_UNLK)
fl
The flock structure
Determine whether the subject identified by the credential can perform the lock operation indicated by op and fl on the file represented by fg.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_file_check_mmap_downgrade_t |
Downgrade the mmap protections
typedef void mpo_file_check_mmap_downgrade_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int *prot );
cred
Subject credential
fg
file to map
label
Policy label for fg
prot
mmap protections to be downgraded
Downgrade the mmap protections based on the subject and object labels.
mpo_file_check_mmap_t |
Access control check for mapping a file
typedef int mpo_file_check_mmap_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int prot, int flags, int *maxprot );
cred
Subject credential
fg
fileglob representing file to map
label
Policy label for fg
prot
mmap protections; see mmap(2)
flags
Type of mapped object; see mmap(2)
maxprot
Maximum rights
Determine whether the subject identified by the credential should be allowed to map the file represented by fg with the protections specified in prot. The maxprot field holds the maximum permissions on the new mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. To avoid overriding prior access control checks, a policy should only remove flags from maxprot.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
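The rule that a policy may only remove bits from maxprot is easy to get wrong, so here is an added example (not code from the header or from Apple) of an mpo_file_check_mmap_t implementation written as hosted C. The VM_PROT_* values are defined locally so the file builds outside the kernel (they mirror mach/vm_prot.h); the label layout, the W^X rule, and every `demo_` name are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>

/* Protection bits; the values mirror <mach/vm_prot.h> and are defined here
 * only so the example builds outside the kernel. */
#define VM_PROT_READ    0x01
#define VM_PROT_WRITE   0x02
#define VM_PROT_EXECUTE 0x04
#define VM_PROT_ALL     (VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE)

/* Stand-in for the policy-private data kept in the fileglob's label
 * (hypothetical layout). */
struct demo_file_label {
    int never_exec;    /* policy forbids executable mappings of this file */
    int never_write;   /* policy forbids writable mappings of this file */
};

/* Model of an mpo_file_check_mmap_t implementation. Returns 0 or errno.
 * The only change it makes to *maxprot is to clear bits: setting a bit
 * here would widen what earlier checks had already narrowed. */
int demo_file_check_mmap(const struct demo_file_label *label, int prot, int *maxprot)
{
    int allowed = VM_PROT_ALL;

    if (label->never_exec)
        allowed &= ~VM_PROT_EXECUTE;
    if (label->never_write)
        allowed &= ~VM_PROT_WRITE;

    /* Example policy rule: refuse mappings that are writable and executable
     * at once, regardless of the label. */
    if ((prot & VM_PROT_WRITE) && (prot & VM_PROT_EXECUTE))
        return EACCES;

    /* Requested protections must fit within what the label allows. */
    if (prot & ~allowed)
        return EACCES;

    /* Narrow the maximum protections; never add bits. */
    *maxprot &= allowed;
    return 0;
}

/* Wrappers returning plain ints so the decision and the resulting maxprot
 * can be inspected separately. demo_mmap_maxprot returns -1 when denied. */
int demo_mmap_rc(int never_exec, int never_write, int prot)
{
    struct demo_file_label label = { never_exec, never_write };
    int maxprot = VM_PROT_ALL;
    return demo_file_check_mmap(&label, prot, &maxprot);
}

int demo_mmap_maxprot(int never_exec, int never_write, int prot, int maxprot_in)
{
    struct demo_file_label label = { never_exec, never_write };
    int maxprot = maxprot_in;
    if (demo_file_check_mmap(&label, prot, &maxprot) != 0)
        return -1;
    return maxprot;
}

int main(void)
{
    printf("plain read mapping -> rc %d\n", demo_mmap_rc(0, 0, VM_PROT_READ));
    printf("exec mapping of never_exec file -> rc %d (EACCES=%d)\n",
           demo_mmap_rc(1, 0, VM_PROT_READ | VM_PROT_EXECUTE), EACCES);
    printf("maxprot after never_exec narrowing -> %d\n",
           demo_mmap_maxprot(1, 0, VM_PROT_READ, VM_PROT_ALL));
    printf("maxprot stays read-only when it arrived read-only -> %d\n",
           demo_mmap_maxprot(0, 0, VM_PROT_READ, VM_PROT_READ));
    return 0;
}
```

The last two calls show the invariant: a never_exec label turns an incoming maxprot of RWX into RW, while an incoming maxprot of R stays R even though the label would permit more, because the policy never ORs bits into maxprot.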
mpo_file_check_receive_t |
Access control for receiving a file descriptor
typedef int mpo_file_check_receive_t( kauth_cred_t cred, struct fileglob *fg, struct label *label );
cred
Subject credential
fg
Fileglob structure
label
Policy label for fg
Determine whether the subject identified by the credential can receive the fileglob structure represented by fg.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_file_check_set_t |
Access control check for mac_set_fd
typedef int mpo_file_check_set_t( kauth_cred_t cred, struct fileglob *fg, char *elements, int len );
cred
Subject credential
fg
Fileglob structure
elements
Elements buffer
len
Length of elements buffer
Determine whether the subject identified by the credential can perform the mac_set_fd operation. The mac_set_fd operation is used to associate a MAC label with a file.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_file_label_associate_t |
Create file label
typedef void mpo_file_label_associate_t( kauth_cred_t cred, struct fileglob *fg, struct label *label );
cred
Subject credential
fg
Fileglob structure
label
Policy label for fg
mpo_file_label_destroy_t |
Destroy file label
typedef void mpo_file_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy the label on a file descriptor. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
mpo_file_label_init_t |
Initialize file label
typedef void mpo_file_label_init_t( struct label *label );
label
New label to initialize
mpo_ifnet_check_label_update_t |
Access control check for relabeling network interfaces
typedef int mpo_ifnet_check_label_update_t( kauth_cred_t cred, struct ifnet *ifp, struct label *ifnetlabel, struct label *newlabel );
cred
Subject credential
ifp
network interface being relabeled
ifnetlabel
Current label of the network interface
newlabel
New label to apply to the network interface
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_ifnet_check_transmit_t |
Access control check for transmitting an mbuf through a network interface
typedef int mpo_ifnet_check_transmit_t( struct ifnet *ifp, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel, int family, int type );
ifp
Network interface mbuf will be transmitted through
ifnetlabel
Label of the network interfaces
m
The mbuf to be transmitted
mbuflabel
Label of the mbuf to be transmitted
family
Address Family, AF_*
type
Type of socket, SOCK_{STREAM,DGRAM,RAW}
Determine whether the mbuf with label mbuflabel may be transmitted through the network interface represented by ifp that has the label ifnetlabel.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_ifnet_label_associate_t |
Create a network interface label
typedef void mpo_ifnet_label_associate_t( struct ifnet *ifp, struct label *ifnetlabel );
ifp
Network interface labeled
ifnetlabel
Label for the network interface
Set the label of a newly created network interface, most likely using the information in the supplied network interface struct.
mpo_ifnet_label_copy_t |
Copy an ifnet label
typedef void mpo_ifnet_label_copy_t( struct label *src, struct label *dest );
src
Source ifnet label
dest
Destination ifnet label
Copy the label information from src to dest.
mpo_ifnet_label_destroy_t |
Destroy ifnet label
typedef void mpo_ifnet_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy the label on an ifnet label. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
mpo_ifnet_label_externalize_t |
Externalize an ifnet label
typedef int mpo_ifnet_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );
label
Label to be externalized
element_name
Name of the label namespace for which labels should be externalized
sb
String buffer to be filled with a text representation of the label
Produce an external representation of the label on an interface. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.
0 on success, return non-zero if an error occurs while externalizing the label data.
mpo_ifnet_label_init_t |
Initialize ifnet label
typedef void mpo_ifnet_label_init_t( struct label *label );
label
New label to initialize
mpo_ifnet_label_internalize_t |
Internalize an interface label
typedef int mpo_ifnet_label_internalize_t( struct label *label, char *element_name, char *element_data );
label
Label to be internalized
element_name
Name of the label namespace for which the label should be internalized
element_data
Text data to be internalized
Produce an interface label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward the text version to the kernel for processing by individual policy modules.
The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.
0 on success; otherwise, return non-zero if an error occurs while internalizing the label data.
mpo_ifnet_label_recycle_t |
Recycle a network interface label
typedef void mpo_ifnet_label_recycle_t( struct label *label );
label
The label to be recycled
Recycle a network interface label. Darwin caches the struct ifnet of detached ifnets in a "free pool". Before ifnets are returned to the "free pool", policies can cleanup or overwrite any information present in the label.
mpo_ifnet_label_update_t |
Update a network interface label
typedef void mpo_ifnet_label_update_t( kauth_cred_t cred, struct ifnet *ifp, struct label *ifnetlabel, struct label *newlabel );
cred
Subject credential
ifp
The network interface to be relabeled
ifnetlabel
The current label of the network interface
newlabel
A new label to apply to the network interface
mpo_inpcb_check_deliver_t |
Access control check for delivering a packet to a socket
typedef int mpo_inpcb_check_deliver_t( struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mbuflabel, int family, int type );
inp
inpcb the socket is associated with
inplabel
Label of the inpcb
m
The mbuf being received
mbuflabel
Label of the mbuf being received
family
Address family, AF_*
type
Type of socket, SOCK_{STREAM,DGRAM,RAW}
Determine whether the mbuf with label mbuflabel may be received by the socket associated with inpcb that has the label inplabel.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_inpcb_label_associate_t |
Create an inpcb label
typedef void mpo_inpcb_label_associate_t( struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel );
so
Socket containing the inpcb to be labeled
solabel
Label of the socket
inp
inpcb to be labeled
inplabel
Label for the inpcb
Set the label of a newly created inpcb, most likely using the information in the socket and/or socket label.
mpo_inpcb_label_destroy_t |
Destroy inpcb label
typedef void mpo_inpcb_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy the label on an inpcb label. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
mpo_inpcb_label_init_t |
Initialize inpcb label
typedef int mpo_inpcb_label_init_t( struct label *label, int flag );
label
New label to initialize
flag
M_WAITOK or M_NOWAIT
mpo_inpcb_label_recycle_t |
Recycle an inpcb label
typedef void mpo_inpcb_label_recycle_t( struct label *label );
label
The label to be recycled
Recycle an inpcb label. Darwin allocates the inpcb as part of the socket structure in some cases. For this case we must recycle rather than destroy the inpcb as it will be reused later.
mpo_inpcb_label_update_t |
Update an inpcb label from a socket label
typedef void mpo_inpcb_label_update_t( struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel );
so
Socket containing the inpcb to be relabeled
solabel
New label of the socket
inp
inpcb to be labeled
inplabel
Label for the inpcb
Set the label of a newly created inpcb due to a change in the underlying socket label.
mpo_iokit_check_device_t |
Device hardware access control
typedef int mpo_iokit_check_device_t( char *devtype, struct mac_module_data *mdata );
devtype
Type of device connected
properties
XML-formatted property list
proplen
Length of the property list
This is the MAC Framework device access control, which is called by the I/O Kit when a new device is connected to the system to determine whether that device should be trusted. A list of properties associated with the device is passed as an XML-formatted string. The routine should examine these properties to determine the trustworthiness of the device. A return value of EPERM forces the device to be claimed by a special device driver that will prevent its operation.
WARNING:
This is an experimental interface and may change in the future.
Return EPERM to indicate that the device is untrusted and should not be allowed to operate. Return zero to indicate that the device is trusted and should be allowed to operate normally.
mpo_ipq_label_associate_t |
Create an IP reassembly queue label
typedef void mpo_ipq_label_associate_t( struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel );
fragment
First received IP fragment
fragmentlabel
Policy label for fragment
ipq
IP reassembly queue to be labeled
ipqlabel
Policy label to be filled in for ipq
Set the label on a newly created IP reassembly queue from the mbuf header of the first received fragment.
mpo_ipq_label_compare_t |
Compare an mbuf header label to an ipq label
typedef int mpo_ipq_label_compare_t( struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel );
fragment
IP datagram fragment
fragmentlabel
Policy label for fragment
ipq
IP fragment reassembly queue
ipqlabel
Policy label for ipq
Compare the label of the mbuf header containing an IP datagram fragment (fragment) with the label of the passed IP fragment reassembly queue (ipq). Return 1 for a successful match, or 0 for no match. This call is made when the IP stack attempts to find an existing fragment reassembly queue for a newly received fragment; if this fails, a new fragment reassembly queue may be instantiated for the fragment. Policies may use this entry point to prevent the reassembly of otherwise matching IP fragments if policy does not permit them to be reassembled based on the label or other information.
mpo_ipq_label_destroy_t |
Destroy IP reassembly queue label
typedef void mpo_ipq_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy the label on an IP fragment queue. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
mpo_ipq_label_init_t |
Initialize IP reassembly queue label
typedef int mpo_ipq_label_init_t( struct label *label, int flag );
label
New label to initialize
flag
M_WAITOK or M_NOWAIT
Initialize the label on a newly instantiated IP fragment reassembly queue. The flag field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call. IP fragment reassembly queue allocation frequently occurs in performance sensitive environments, and the implementation should be careful to avoid sleeping or long-lived operations. This entry point is permitted to fail resulting in the failure to allocate the IP fragment reassembly queue.
mpo_ipq_label_update_t |
Update the label on an IP fragment reassembly queue
typedef void mpo_ipq_label_update_t( struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel );
fragment
IP fragment
fragmentlabel
Policy label for fragment
ipq
IP fragment reassembly queue
ipqlabel
Policy label to be updated for ipq
Update the label on an IP fragment reassembly queue (ipq) based on the acceptance of the passed IP fragment mbuf header (fragment).
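The ipq entry points (init, associate, compare, update, destroy) form one life cycle, and the init call is the one place in this group that may fail. The following added example, not code from the header or from Apple, runs that life cycle in hosted C over three constructed fragments. The framework's struct label is replaced by a one-slot stand-in, the M_WAITOK/M_NOWAIT values are defined locally (assumed to match sys/malloc.h), the allocator failure is simulated through a test hook, and the label contents (interface index, level, fragment count) and all `demo_` names are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Allocation flags as passed to the *_label_init entry points; values are
 * assumed to match <sys/malloc.h> and are local to this example. */
#define M_WAITOK 0x0000
#define M_NOWAIT 0x0001

/* Stand-in for the framework's opaque struct label: one slot per policy. */
struct demo_label {
    void *slot;
};

/* Policy-private data stored for fragments and queues (hypothetical layout). */
struct demo_ipq_data {
    unsigned ifindex;     /* interface the fragment arrived on */
    int level;            /* sensitivity level carried by the datagram */
    unsigned nfragments;  /* fragments accepted into the queue so far */
};

/* Test hook: when non-zero the next M_NOWAIT allocation is reported as
 * failed, which a real non-sleeping allocation may do under pressure. */
static int demo_fail_next_alloc;

static void *demo_alloc(size_t n, int flag)
{
    if (flag == M_NOWAIT && demo_fail_next_alloc) {
        demo_fail_next_alloc = 0;
        return NULL;
    }
    return calloc(1, n);
}

/* mpo_ipq_label_init_t: may fail when called with M_NOWAIT. */
int demo_ipq_label_init(struct demo_label *label, int flag)
{
    label->slot = demo_alloc(sizeof(struct demo_ipq_data), flag);
    return label->slot == NULL ? ENOMEM : 0;
}

/* mpo_ipq_label_destroy_t: release the policy's storage. */
void demo_ipq_label_destroy(struct demo_label *label)
{
    free(label->slot);
    label->slot = NULL;
}

/* mpo_ipq_label_associate_t: seed the queue label from the first fragment. */
void demo_ipq_label_associate(const struct demo_ipq_data *fragmentlabel, struct demo_label *ipqlabel)
{
    struct demo_ipq_data *q = ipqlabel->slot;
    q->ifindex = fragmentlabel->ifindex;
    q->level = fragmentlabel->level;
    q->nfragments = 1;
}

/* mpo_ipq_label_compare_t: 1 if the fragment belongs with this queue, else 0.
 * Fragments from another interface or level are kept apart even when the IP
 * stack would otherwise treat them as parts of one datagram. */
int demo_ipq_label_compare(const struct demo_ipq_data *fragmentlabel, const struct demo_label *ipqlabel)
{
    const struct demo_ipq_data *q = ipqlabel->slot;
    return q->ifindex == fragmentlabel->ifindex && q->level == fragmentlabel->level;
}

/* mpo_ipq_label_update_t: record that a matching fragment was accepted. */
void demo_ipq_label_update(const struct demo_ipq_data *fragmentlabel, struct demo_label *ipqlabel)
{
    struct demo_ipq_data *q = ipqlabel->slot;
    (void)fragmentlabel;
    q->nfragments++;
}

/* Full life cycle over three constructed fragments: two from interface 1 at
 * level 2, one from interface 2. Returns the number of fragments the queue
 * ended up holding, or -1 if init failed. */
int demo_ipq_scenario(int flag)
{
    struct demo_ipq_data frags[3] = { { 1, 2, 0 }, { 1, 2, 0 }, { 2, 2, 0 } };
    struct demo_label ipqlabel;
    int i, accepted;

    if (demo_ipq_label_init(&ipqlabel, flag) != 0)
        return -1;
    demo_ipq_label_associate(&frags[0], &ipqlabel);
    for (i = 1; i < 3; i++)
        if (demo_ipq_label_compare(&frags[i], &ipqlabel))
            demo_ipq_label_update(&frags[i], &ipqlabel);
    accepted = (int)((struct demo_ipq_data *)ipqlabel.slot)->nfragments;
    demo_ipq_label_destroy(&ipqlabel);
    return accepted;
}

/* Failure path: init under M_NOWAIT while the allocator refuses. */
int demo_ipq_init_nowait_failure(void)
{
    struct demo_label ipqlabel;
    int rc;
    demo_fail_next_alloc = 1;
    rc = demo_ipq_label_init(&ipqlabel, M_NOWAIT);
    if (rc == 0)
        demo_ipq_label_destroy(&ipqlabel);
    return rc;
}
```

Note that compare returns 1 for a match and 0 otherwise, the opposite sense from the check entry points (0 for success), and that the non-sleeping init path returns an errno so the IP stack can drop the fragment instead of blocking.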
mpo_lctx_check_label_update_t |
Access control check for relabelling Login Context
typedef int mpo_lctx_check_label_update_t( struct lctx *l, struct label *newlabel );
l
Subject credential
newlabel
New label to apply to the Login Context
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_lctx_label_destroy_t |
Destroy Login Context label
typedef void mpo_lctx_label_destroy_t( struct label *label );
label
The label to be destroyed
mpo_lctx_label_externalize_t |
Externalize a Login Context label
typedef int mpo_lctx_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );
label
Label to be externalized
element_name
Name of the label namespace for which labels should be externalized
sb
String buffer to be filled with a text representation of the label
Produce an external representation of the label on a Login Context. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.
0 on success, return non-zero if an error occurs while externalizing the label data.
mpo_lctx_label_init_t |
Initialize Login Context label
typedef void mpo_lctx_label_init_t( struct label *label );
label
New label to initialize
mpo_lctx_label_internalize_t |
Internalize a Login Context label
typedef int mpo_lctx_label_internalize_t( struct label *label, char *element_name, char *element_data );
label
Label to be internalized
element_name
Name of the label namespace for which the label should be internalized
element_data
Text data to be internalized
Produce a Login Context label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward the text version to the kernel for processing by individual policy modules.
The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.
0 on success; otherwise, return non-zero if an error occurs while internalizing the label data.
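The externalize/internalize pair described for credential labels (mpo_cred_label_externalize_t, mpo_cred_label_internalize_t), ifnet labels, and Login Context labels above follows one contract: externalize writes a text form of the policy's data into an sbuf, internalize parses text that originated in user space back into the label and must return non-zero on anything malformed. The following is an added example, not code from the header or from Apple, of that pair in hosted C. The kernel's struct sbuf is replaced by a bounded stand-in, the namespace name "demo", the text format "level=<n>,comps=0x<hex>", the label layout, and every `demo_` name are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Name of the label namespace this example policy registers interest in. */
#define DEMO_NAMESPACE "demo"

/* Stand-in for the policy-private label data (hypothetical layout). */
struct demo_label {
    int level;              /* sensitivity level, must be >= 0 */
    unsigned compartments;  /* compartment bitmask */
};

/* Minimal stand-in for the kernel's struct sbuf: a bounded string buffer. */
struct demo_sbuf {
    char buf[64];
    size_t len;
    int error;   /* set when output did not fit, like sbuf's error state */
};

static void demo_sbuf_init(struct demo_sbuf *sb)
{
    sb->buf[0] = '\0';
    sb->len = 0;
    sb->error = 0;
}

static void demo_sbuf_printf(struct demo_sbuf *sb, const char *fmt, int level, unsigned comps)
{
    int n = snprintf(sb->buf + sb->len, sizeof(sb->buf) - sb->len, fmt, level, comps);
    if (n < 0 || (size_t)n >= sizeof(sb->buf) - sb->len)
        sb->error = 1;
    else
        sb->len += (size_t)n;
}

/* mpo_*_label_externalize_t: text form is "level=<n>,comps=0x<hex>". */
int demo_label_externalize(const struct demo_label *label, const char *element_name, struct demo_sbuf *sb)
{
    /* The framework only calls the policy for namespaces it registered,
     * but a defensive check costs nothing. */
    if (strcmp(element_name, DEMO_NAMESPACE) != 0)
        return EINVAL;
    demo_sbuf_printf(sb, "level=%d,comps=0x%x", label->level, label->compartments);
    return sb->error ? ENOMEM : 0;
}

/* mpo_*_label_internalize_t: parse the text form strictly. element_data
 * originates in user space, so a wrong shape, trailing garbage, or an
 * out-of-range value is rejected and the label is left untouched. */
int demo_label_internalize(struct demo_label *label, const char *element_name, const char *element_data)
{
    int level;
    unsigned comps;
    char trailing;

    if (strcmp(element_name, DEMO_NAMESPACE) != 0)
        return EINVAL;
    /* %c after the fields fails the exact-count test if anything follows. */
    if (sscanf(element_data, "level=%d,comps=%x%c", &level, &comps, &trailing) != 2)
        return EINVAL;
    if (level < 0)
        return EINVAL;
    label->level = level;
    label->compartments = comps;
    return 0;
}

/* Helpers for exercising the two entry points from plain values. */
int demo_externalize_matches(int level, unsigned comps, const char *expected)
{
    struct demo_label label = { level, comps };
    struct demo_sbuf sb;
    demo_sbuf_init(&sb);
    if (demo_label_externalize(&label, DEMO_NAMESPACE, &sb) != 0)
        return 0;
    return strcmp(sb.buf, expected) == 0;
}

int demo_internalize_rc(const char *text)
{
    struct demo_label label = { 0, 0 };
    return demo_label_internalize(&label, DEMO_NAMESPACE, text);
}

/* Round trip: externalize, internalize into a fresh label, compare. */
int demo_roundtrip(int level, unsigned comps)
{
    struct demo_label in = { level, comps }, out = { -1, 0 };
    struct demo_sbuf sb;
    demo_sbuf_init(&sb);
    if (demo_label_externalize(&in, DEMO_NAMESPACE, &sb) != 0)
        return 0;
    if (demo_label_internalize(&out, DEMO_NAMESPACE, sb.buf) != 0)
        return 0;
    return out.level == in.level && out.compartments == in.compartments;
}
```

The internalize side is the one that touches untrusted input, which is why it validates the whole string (including anything after the last field) before it writes into the label; a policy that updated the label field by field while parsing could be left with a half-applied label on error.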
mpo_lctx_label_update_t |
Update a Login Context label
typedef void mpo_lctx_label_update_t( struct lctx *l, struct label *newlabel );
l
newlabel
A new label to apply to the Login Context
mpo_lctx_notify_create_t |
A process has created a login context
typedef void mpo_lctx_notify_create_t( struct proc *p, struct lctx *l );
p
Subject
l
Login Context
When a process creates a login context (via setlcid()), this entry point is called to notify the policy that the process 'p' has created login context 'l'.
mpo_lctx_notify_join_t |
A process has joined a login context
typedef void mpo_lctx_notify_join_t( struct proc *p, struct lctx *l );
p
Subject
l
Login Context
When a process joins a login context, either via setlcid() or via fork(), this entry point is called to notify the policy that process 'p' is now a member of login context 'l'.
mpo_lctx_notify_leave_t |
A process has left a login context
typedef void mpo_lctx_notify_leave_t( struct proc *p, struct lctx *l );
p
Subject
l
Login Context
When a process leaves a login context, either via setlcid() or as a result of the process exiting, this entry point is called to notify the policy that the process 'p' is no longer a member of login context 'l'.
mpo_mbuf_label_associate_bpfdesc_t |
Assign a label to a new mbuf
typedef void mpo_mbuf_label_associate_bpfdesc_t( struct bpf_d *bpf_d, struct label *b_label, struct mbuf *m, struct label *m_label );
bpf_d
BPF descriptor
b_label
Policy label for bpf_d
m
Object; mbuf
m_label
Policy label to fill in for m
Set the label on the mbuf header of a newly created datagram generated using the passed BPF descriptor. This call is made when a write is performed to the BPF device associated with the passed BPF descriptor.
mpo_mbuf_label_associate_ifnet_t |
Assign a label to a new mbuf
typedef void mpo_mbuf_label_associate_ifnet_t( struct ifnet *ifp, struct label *i_label, struct mbuf *m, struct label *m_label );
ifp
Interface descriptor
i_label
Existing label of ifp
m
Object; mbuf
m_label
Policy label to fill in for m
Label an mbuf based on the interface from which it was received.
mpo_mbuf_label_associate_inpcb_t |
Assign a label to a new mbuf
typedef void mpo_mbuf_label_associate_inpcb_t( struct inpcb *inp, struct label *i_label, struct mbuf *m, struct label *m_label );
inp
inpcb structure
i_label
Existing label of inp
m
Object; mbuf
m_label
Policy label to fill in for m
Label an mbuf based on the inpcb from which it was derived.
mpo_mbuf_label_associate_ipq_t |
Set the label on a newly reassembled IP datagram
typedef void mpo_mbuf_label_associate_ipq_t( struct ipq *ipq, struct label *ipqlabel, struct mbuf *mbuf, struct label *mbuflabel );
ipq
IP fragment reassembly queue
ipqlabel
Policy label for ipq
mbuf
IP datagram to be labeled
mbuflabel
Policy label to be filled in for mbuf
Set the label on a newly reassembled IP datagram (mbuf) from the IP fragment reassembly queue (ipq) from which it was generated.
mpo_mbuf_label_associate_linklayer_t |
Assign a label to a new mbuf
typedef void mpo_mbuf_label_associate_linklayer_t( struct ifnet *ifp, struct label *i_label, struct mbuf *m, struct label *m_label );
ifp
Subject; network interface
i_label
Existing label of ifp
m
Object; mbuf
m_label
Policy label to fill in for m
Set the label on the mbuf header of a newly created datagram generated for the purposes of a link layer response for the passed interface. This call may be made in a number of situations, including for ARP or ND6 responses in the IPv4 and IPv6 stacks.
mpo_mbuf_label_associate_multicast_encap_t |
Assign a label to a new mbuf
typedef void mpo_mbuf_label_associate_multicast_encap_t( struct mbuf *oldmbuf, struct label *oldmbuflabel, struct ifnet *ifp, struct label *ifplabel, struct mbuf *newmbuf, struct label *newmbuflabel );
oldmbuf
mbuf header for existing datagram
oldmbuflabel
Policy label for oldmbuf
ifp
Network interface
ifplabel
Policy label for ifp
newmbuf
mbuf header to be labeled for new datagram
newmbuflabel
Policy label for newmbuf
Set the label on the mbuf header of a newly created datagram generated from the existing passed datagram when it is processed by the passed multicast encapsulation interface. This call is made when an mbuf is to be delivered using the virtual interface.
mpo_mbuf_label_associate_netlayer_t |
Assign a label to a new mbuf
typedef void mpo_mbuf_label_associate_netlayer_t( struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel );
oldmbuf
Received datagram
oldmbuflabel
Policy label for oldmbuf
newmbuf
Newly created datagram
newmbuflabel
Policy label for newmbuf
Set the label on the mbuf header of a newly created datagram generated by the IP stack in response to an existing received datagram (oldmbuf). This call may be made in a number of situations, including when responding to ICMP request datagrams.
mpo_mbuf_label_associate_socket_t |
Assign a label to a new mbuf
typedef void mpo_mbuf_label_associate_socket_t( socket_t so, struct label *so_label, struct mbuf *m, struct label *m_label );
so
Socket to label
so_label
Policy label for socket
m
Object; mbuf
m_label
Policy label to fill in for m
An mbuf structure is used to store network traffic in transit. When an application sends data to a socket or a pipe, it is wrapped in an mbuf first. This function sets the label on a newly created mbuf header based on the socket sending the data. The contents of the label should be suitable for performing an access check on the receiving side of the communication.
Only labeled mbufs will be presented to the policy via this entry point.
mpo_mbuf_label_copy_t |
Copy a mbuf label
typedef void mpo_mbuf_label_copy_t( struct label *src, struct label *dest );
src
Source label
dest
Destination label
Copy the mbuf label information in src into dest.
Only called when both source and destination mbufs have labels.
mpo_mbuf_label_destroy_t |
Destroy mbuf label
typedef void mpo_mbuf_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a mbuf label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_mbuf_label_init_t |
Initialize mbuf label
typedef int mpo_mbuf_label_init_t( struct label *label, int flag );
label
New label to initialize
flag
Malloc flags
Initialize the label for a newly instantiated mbuf.
WARNING:
Since it is possible for the flags to be set to M_NOWAIT, the malloc operation may fail.
On success, 0, otherwise, an appropriate errno return value.
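The following is an added example, not code from mac_policy.h or from any Apple policy module. It shows the init, copy and destroy trio for an mbuf label written so that a non-blocking (MAC_NOWAIT) allocation failure is reported to the framework rather than ignored, and so that destroy is safe after a failed init. The struct label with an inline slot, the slot_get/slot_set accessors, the mbuf_pdata layout and the failure-injection flag are stand-ins so the code builds and runs in user space; a real policy stores its pointer in the label slot assigned to it at registration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-ins so the example builds outside the kernel (not XNU's definitions).
 * A real policy stores its pointer in the slot it was assigned at
 * registration; a one-slot struct plays that role here. */
#define MAC_NOWAIT 0
#define MAC_WAITOK 1

struct label { intptr_t slot; };

static intptr_t slot_get(struct label *l) { return l->slot; }
static void slot_set(struct label *l, intptr_t v) { l->slot = v; }

/* Policy-private per-mbuf data: an MLS-style level plus a compartment mask. */
struct mbuf_pdata {
    uint8_t  level;
    uint32_t compartments;
};

/* Failure injection standing in for memory pressure: when set, allocations
 * that are not allowed to block fail, exactly what M_NOWAIT permits. */
static int nowait_allocs_fail = 0;

static void *policy_alloc(size_t sz, int flag)
{
    if (flag == MAC_NOWAIT && nowait_allocs_fail)
        return NULL;
    return calloc(1, sz);
}

/* mpo_mbuf_label_init_t: the failure must be reported to the framework,
 * and the slot left empty so a later destroy does not free garbage. */
int policy_mbuf_label_init(struct label *label, int flag)
{
    struct mbuf_pdata *p = policy_alloc(sizeof *p, flag);
    if (p == NULL) {
        slot_set(label, 0);
        return ENOMEM;
    }
    p->level = 0;
    p->compartments = 0;
    slot_set(label, (intptr_t)p);
    return 0;
}

/* mpo_mbuf_label_copy_t: the framework only calls this when both mbufs
 * carry labels, but an empty slot is still tolerated. */
void policy_mbuf_label_copy(struct label *src, struct label *dest)
{
    struct mbuf_pdata *s = (struct mbuf_pdata *)slot_get(src);
    struct mbuf_pdata *d = (struct mbuf_pdata *)slot_get(dest);
    if (s != NULL && d != NULL)
        *d = *s;
}

/* mpo_mbuf_label_destroy_t: release policy storage and clear the slot so
 * destroy after a failed init, or a double destroy, is harmless. */
void policy_mbuf_label_destroy(struct label *label)
{
    free((struct mbuf_pdata *)slot_get(label));
    slot_set(label, 0);
}

/* Blocking init succeeds; non-blocking init under pressure returns ENOMEM
 * and the label can still be destroyed safely. Returns the NOWAIT result. */
int demo_nowait_failure(void)
{
    struct label a = {0}, b = {0};
    int rc_wait = policy_mbuf_label_init(&a, MAC_WAITOK);
    if (rc_wait != 0)
        return rc_wait;
    nowait_allocs_fail = 1;
    int rc_nowait = policy_mbuf_label_init(&b, MAC_NOWAIT);
    nowait_allocs_fail = 0;
    policy_mbuf_label_destroy(&b);   /* init failed above; still safe */
    policy_mbuf_label_destroy(&a);
    return rc_nowait;
}

/* Init two labels, set a level on one, copy, and report the copied level. */
int demo_copied_level(void)
{
    struct label a = {0}, b = {0};
    if (policy_mbuf_label_init(&a, MAC_WAITOK) != 0)
        return -1;
    if (policy_mbuf_label_init(&b, MAC_WAITOK) != 0) {
        policy_mbuf_label_destroy(&a);
        return -1;
    }
    ((struct mbuf_pdata *)slot_get(&a))->level = 3;
    policy_mbuf_label_copy(&a, &b);
    int level = ((struct mbuf_pdata *)slot_get(&b))->level;
    policy_mbuf_label_destroy(&a);
    policy_mbuf_label_destroy(&b);
    return level;
}
```

The two design points are that init returns ENOMEM instead of leaving a dangling or partially built label, and that destroy tolerates an empty slot, which is what lets the framework tear down an mbuf whose label init failed.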
mpo_mount_check_fsctl_t |
Access control check for fsctl
typedef int mpo_mount_check_fsctl_t( kauth_cred_t cred, struct mount *mp, struct label *label, unsigned int cmd );
cred
Subject credential
mp
The mount point
label
Label associated with the mount point
cmd
Filesystem-dependent request code; see fsctl(2)
Determine whether the subject identified by the credential can perform the volume operation indicated by cmd.
WARNING:
The fsctl() system call is directly analogous to ioctl(); since the associated data is opaque from the standpoint of the MAC framework and since these operations can affect many aspects of system operation, policies must exercise extreme care when implementing access control checks.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_mount_check_getattr_t |
Access control check for the retrieval of file system attributes
typedef int mpo_mount_check_getattr_t( kauth_cred_t cred, struct mount *mp, struct label *mp_label, struct vfs_attr *vfa );
cred
Subject credential
mp
The mount structure of the file system
mp_label
Label associated with the mount point
vfa
The attributes requested
This entry point determines whether the given subject can get information about the given file system. This check happens during statfs() system calls, but is also used by other parts of the kernel such as the audit system.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_mount_check_label_update_t |
Access control check for mount point relabeling
typedef int mpo_mount_check_label_update_t( kauth_cred_t cred, struct mount *mp, struct label *mntlabel );
cred
Subject credential
mp
Object file system mount point
mntlabel
Policy label for file system mount point
Determine whether the subject identified by the credential can relabel the mount point. This call is made when a file system mount is updated.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_mount_check_mount_t |
Access control check for mounting a file system
typedef int mpo_mount_check_mount_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, struct componentname *cnp, const char *vfc_name );
cred
Subject credential
vp
Vnode that is to be the mount point
vlabel
Label associated with the vnode
cnp
Component name for vp
vfc_name
Filesystem type name
Determine whether the subject identified by the credential can perform the mount operation on the target vnode.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_mount_check_remount_t |
Access control check remounting a filesystem
typedef int mpo_mount_check_remount_t( kauth_cred_t cred, struct mount *mp, struct label *mlabel );
cred
Subject credential
mp
The mount point
mlabel
Label currently associated with the mount point
Determine whether the subject identified by the credential can perform the remount operation on the target mount point.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_mount_check_setattr_t |
Access control check for the setting of file system attributes
typedef int mpo_mount_check_setattr_t( kauth_cred_t cred, struct mount *mp, struct label *mp_label, struct vfs_attr *vfa );
cred
Subject credential
mp
The mount structure of the file system
mp_label
Label associated with the mount point
vfa
The attributes requested
This entry point determines whether the given subject can set information about the given file system, for example the volume name.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_mount_check_stat_t |
Access control check for file system statistics
typedef int mpo_mount_check_stat_t( kauth_cred_t cred, struct mount *mp, struct label *mntlabel );
cred
Subject credential
mp
Object file system mount
mntlabel
Policy label for mp
Determine whether the subject identified by the credential can see the results of a statfs performed on the file system. This call may be made in a number of situations, including during invocations of statfs(2) and related calls, as well as to determine what file systems to exclude from listings of file systems, such as when getfsstat(2) is invoked.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_mount_check_umount_t |
Access control check for unmounting a filesystem
typedef int mpo_mount_check_umount_t( kauth_cred_t cred, struct mount *mp, struct label *mlabel );
cred
Subject credential
mp
The mount point
mlabel
Label associated with the mount point
Determine whether the subject identified by the credential can perform the unmount operation on the target mount point.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_mount_label_associate_t |
Create mount labels
typedef void mpo_mount_label_associate_t( kauth_cred_t cred, struct mount *mp, struct label *mntlabel );
cred
Subject credential
mp
Mount point of file system being mounted
mntlabel
Label to associate with the new mount point
Fill in the label on the mount point being created by the supplied user credential. This call is made when a file system is first mounted.
mpo_mount_label_destroy_t |
Destroy mount label
typedef void mpo_mount_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a file system mount label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_mount_label_externalize_t |
Externalize a mount point label
typedef int mpo_mount_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );
label
Label to be externalized
element_name
Name of the label namespace for which labels should be externalized
sb
String buffer to be filled with a text representation of the label
Produce an external representation of the mount point label. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.
The policy's externalize entry points will be called only if the policy has registered interest in the label namespace.
0 on success, return non-zero if an error occurs while externalizing the label data.
mpo_mount_label_init_t |
Initialize mount point label
typedef void mpo_mount_label_init_t( struct label *label );
label
New label to initialize
Initialize the label for a newly instantiated mount structure. This label is typically used to store a default label in the case that the file system has been mounted with a single label. Since some file systems do not support persistent labels (extended attributes) or are read-only (such as CD-ROMs), it is often necessary to store a default label separately from the label of the mount point itself. Sleeping is permitted.
mpo_mount_label_internalize_t |
Internalize a mount point label
typedef int mpo_mount_label_internalize_t( struct label *label, char *element_name, char *element_data );
label
Label to be internalized
element_name
Name of the label namespace for which the label should be internalized
element_data
Text data to be internalized
Produce a mount point file system label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward text version to the kernel for processing by individual policy modules.
The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.
0 on success, Otherwise, return non-zero if an error occurs while internalizing the label data.
mpo_netinet_fragment_t |
Set the label on an IPv4 datagram fragment
typedef void mpo_netinet_fragment_t( struct mbuf *datagram, struct label *datagramlabel, struct mbuf *fragment, struct label *fragmentlabel );
datagram
Datagram being fragmented
datagramlabel
Policy label for datagram
fragment
New fragment
fragmentlabel
Policy label for fragment
Called when an IPv4 datagram is fragmented into several smaller datagrams. Policies implementing mbuf labels will typically copy the label from the source datagram to the new fragment.
mpo_netinet_icmp_reply_t |
Set the label on an ICMP reply
typedef void mpo_netinet_icmp_reply_t( struct mbuf *m, struct label *mlabel );
m
mbuf containing the ICMP reply
mlabel
Policy label for m
A policy may wish to update the label of an mbuf that refers to an ICMP packet being sent in response to an IP packet. This may be called in response to a bad packet or an ICMP request.
mpo_netinet_tcp_reply_t |
Set the label on a TCP reply
typedef void mpo_netinet_tcp_reply_t( struct mbuf *m, struct label *mlabel );
m
mbuf containing the TCP reply
mlabel
Policy label for m
Called for outgoing TCP packets not associated with an actual socket.
mpo_pipe_check_ioctl_t |
Access control check for pipe ioctl
typedef int mpo_pipe_check_ioctl_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel, unsigned int cmd );
cred
Subject credential
cpipe
Object to be accessed
pipelabel
The label on the pipe
cmd
The ioctl command; see ioctl(2)
Determine whether the subject identified by the credential can perform the ioctl operation indicated by cmd.
WARNING:
Since ioctl data is opaque from the standpoint of the MAC framework, policies must exercise extreme care when implementing access control checks.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
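The following is an added example, not code from mac_policy.h or from any Apple policy module; it applies equally to mpo_mount_check_fsctl_t above and to mpo_pipe_check_ioctl_t here. Because the framework cannot see the request payload, the only defensible policy for an opaque command is a default-deny allowlist keyed on the full 32-bit request code, with the structural properties that are still visible (direction bits and encoded argument length) validated first. The XIOC_* macros re-implement Darwin's request encoding from sys/ioccom.h under a private prefix so the code builds anywhere; the DEMO_* request codes, the demo_cred subject and the allowlist contents are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Darwin's ioctl/fsctl request encoding, mirroring <sys/ioccom.h> under a
 * private prefix so the example builds on any platform. */
#define XIOC_PARM_MASK  0x1fffU
#define XIOC_VOID       0x20000000U
#define XIOC_OUT        0x40000000U
#define XIOC_IN         0x80000000U
#define XIOC_DIRMASK    0xe0000000U
#define XIOC(inout, group, num, len) \
    ((uint32_t)(inout) | (((uint32_t)(len) & XIOC_PARM_MASK) << 16) | \
     ((uint32_t)(group) << 8) | (uint32_t)(num))
#define XIOC_DIR(x)   ((uint32_t)(x) & XIOC_DIRMASK)
#define XIOC_LEN(x)   (((uint32_t)(x) >> 16) & XIOC_PARM_MASK)
#define XIOC_GROUP(x) (((uint32_t)(x) >> 8) & 0xffU)

/* Hypothetical request codes for the example (group 'd'); a real policy
 * lists the real codes of the file systems or devices it mediates. */
#define DEMO_GETINFO   XIOC(XIOC_OUT, 'd', 1, 64)
#define DEMO_GETSTATS  XIOC(XIOC_OUT, 'd', 2, 128)
#define DEMO_SETMODE   XIOC(XIOC_IN,  'd', 3, 4)

/* Minimal subject standing in for kauth_cred_t. */
struct demo_cred { int privileged; };

struct allow_entry {
    uint32_t cmd;        /* full encoded request, direction and length included */
    int      need_priv;  /* 1: only privileged subjects may issue it */
};

/* Default-deny allowlist. The whole 32-bit code is the identity, so a caller
 * who keeps the group/number but alters the direction or length bits gets a
 * different, unlisted command and is refused. */
static const struct allow_entry allowlist[] = {
    { DEMO_GETINFO,  0 },
    { DEMO_GETSTATS, 0 },
    { DEMO_SETMODE,  1 },
};

/* Decision core shared by the fsctl and pipe-ioctl shapes; the object
 * pointers and labels are omitted because this policy does not use them. */
int demo_check_cmd(const struct demo_cred *cred, unsigned int cmd)
{
    uint32_t dir = XIOC_DIR(cmd);

    /* Structurally malformed requests: no direction at all, or a request
     * that claims to move data but encodes a zero-length argument. */
    if (dir == 0 || (dir != XIOC_VOID && XIOC_LEN(cmd) == 0))
        return EINVAL;

    for (size_t i = 0; i < sizeof allowlist / sizeof allowlist[0]; i++) {
        if (allowlist[i].cmd != (uint32_t)cmd)
            continue;
        if (allowlist[i].need_priv && !cred->privileged)
            return EPERM;       /* known command, insufficient privilege */
        return 0;
    }
    return EPERM;               /* unknown command: opaque payload, deny */
}

/* Convenience wrappers used when exercising the check. */
int demo_check_as_user(unsigned int cmd)
{
    struct demo_cred c = { 0 };
    return demo_check_cmd(&c, cmd);
}

int demo_check_as_root(unsigned int cmd)
{
    struct demo_cred c = { 1 };
    return demo_check_cmd(&c, cmd);
}
```

The inverse design, a denylist of known-dangerous codes with everything else allowed, is what the WARNING above is steering away from: a new request code added by a file system or driver is then silently permitted.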
mpo_pipe_check_kqfilter_t |
Access control check for pipe kqfilter
typedef int mpo_pipe_check_kqfilter_t( kauth_cred_t cred, struct knote *kn, struct pipe *cpipe, struct label *pipelabel );
cred
Subject credential
kn
Object knote
cpipe
Object to be accessed
pipelabel
Policy label for the pipe
Determine whether the subject identified by the credential can receive the knote on the passed pipe.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_pipe_check_label_update_t |
Access control check for pipe relabel
typedef int mpo_pipe_check_label_update_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel, struct label *newlabel );
cred
Subject credential
cpipe
Object to be accessed
pipelabel
The current label on the pipe
newlabel
The new label to be used
Determine whether the subject identified by the credential can perform a relabel operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_pipe_check_read_t |
Access control check for pipe read
typedef int mpo_pipe_check_read_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel );
cred
Subject credential
cpipe
Object to be accessed
pipelabel
The label on the pipe
Determine whether the subject identified by the credential can perform a read operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_pipe_check_select_t |
Access control check for pipe select
typedef int mpo_pipe_check_select_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel, int which );
cred
Subject credential
cpipe
Object to be accessed
pipelabel
The label on the pipe
which
The operation selected on: FREAD or FWRITE
Determine whether the subject identified by the credential can perform a select operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_pipe_check_stat_t |
Access control check for pipe stat
typedef int mpo_pipe_check_stat_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel );
cred
Subject credential
cpipe
Object to be accessed
pipelabel
The label on the pipe
Determine whether the subject identified by the credential can perform a stat operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_pipe_check_write_t |
Access control check for pipe write
typedef int mpo_pipe_check_write_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel );
cred
Subject credential
cpipe
Object to be accessed
pipelabel
The label on the pipe
Determine whether the subject identified by the credential can perform a write operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_pipe_label_associate_t |
Create a pipe label
typedef void mpo_pipe_label_associate_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel );
cred
Subject credential
cpipe
object to be labeled
pipelabel
Label for the pipe object
Create a label for the pipe object being created by the supplied user credential. This call is made when the pipe is being created; whether it is made for one or both sides of the pipe is not specified here.
mpo_pipe_label_copy_t |
Copy a pipe label
typedef void mpo_pipe_label_copy_t( struct label *src, struct label *dest );
src
Source pipe label
dest
Destination pipe label
Copy the pipe label associated with src to dest. This is most likely used during pipe creation to copy the label from the read side (rpipe) to the write side (wpipe); the exact call sites are not specified here.
mpo_pipe_label_destroy_t |
Destroy pipe label
typedef void mpo_pipe_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a pipe label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_pipe_label_externalize_t |
Externalize a pipe label
typedef int mpo_pipe_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );
label
Label to be externalized
element_name
Name of the label namespace for which labels should be externalized
sb
String buffer to be filled with a text representation of the label
Produce an external representation of the label on a pipe. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.
The policy's externalize entry points will be called only if the policy has registered interest in the label namespace.
0 on success, return non-zero if an error occurs while externalizing the label data.
mpo_pipe_label_init_t |
Initialize pipe label
typedef void mpo_pipe_label_init_t( struct label *label );
label
New label to initialize
Initialize label storage for use with a newly instantiated pipe object. Sleeping is permitted.
mpo_pipe_label_internalize_t |
Internalize a pipe label
typedef int mpo_pipe_label_internalize_t( struct label *label, char *element_name, char *element_data );
label
Label to be internalized
element_name
Name of the label namespace for which the label should be internalized
element_data
Text data to be internalized
Produce a pipe label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward text version to the kernel for processing by individual policy modules.
The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.
0 on success, Otherwise, return non-zero if an error occurs while internalizing the label data.
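The following is an added example, not code from mac_policy.h or from any Apple policy module; it serves both the mount point externalize/internalize pair above and the pipe pair here, since the text format is the policy's own and independent of the object type. The policy emits only its element value (the framework supplies the namespace prefix) and, on the way back in, treats element_data as untrusted user text: it is parsed into a scratch value with explicit bounds, duplicates and trailing characters rejected, and the existing label is replaced only after the whole string validated. The demo_label layout, the "demo" namespace, the "level:c1,c2" syntax and the fixed-size demo_sbuf stand-in for struct sbuf are all assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Policy-private label content (constructed for this example). */
struct demo_label {
    unsigned level;          /* 0..DEMO_MAX_LEVEL */
    uint32_t compartments;   /* bit i set means compartment i, 0..31 */
};
#define DEMO_MAX_LEVEL  15
#define DEMO_NAMESPACE  "demo"

/* Fixed-size stand-in for the kernel's struct sbuf. */
struct demo_sbuf {
    char   buf[128];
    size_t len;
    int    error;
};

static void demo_sbuf_cat(struct demo_sbuf *sb, const char *s)
{
    size_t n = strlen(s);
    if (sb->error) return;
    if (sb->len + n + 1 > sizeof sb->buf) { sb->error = ENOMEM; return; }
    memcpy(sb->buf + sb->len, s, n + 1);
    sb->len += n;
}

/* mpo_*_label_externalize_t shape. Emits only this policy's element value,
 * "<level>[:<c>,<c>,...]", e.g. "3:1,5"; the framework prefixes the
 * namespace. Other namespaces are ignored without error. */
int demo_label_externalize(const struct demo_label *l, const char *element_name,
                           struct demo_sbuf *sb)
{
    char tmp[16];
    int first = 1;

    if (strcmp(element_name, DEMO_NAMESPACE) != 0)
        return 0;
    snprintf(tmp, sizeof tmp, "%u", l->level);
    demo_sbuf_cat(sb, tmp);
    for (unsigned i = 0; i < 32; i++) {
        if (!(l->compartments & (1u << i)))
            continue;
        snprintf(tmp, sizeof tmp, "%c%u", first ? ':' : ',', i);
        demo_sbuf_cat(sb, tmp);
        first = 0;
    }
    return sb->error;
}

/* Parse an unsigned decimal in [0, max]. Unlike strtoul this rejects signs,
 * whitespace, empty input and overflow, and never reads past the digits. */
static int parse_uint(const char **pp, unsigned max, unsigned *out)
{
    const char *p = *pp;
    unsigned v = 0;

    if (!isdigit((unsigned char)*p)) return EINVAL;
    while (isdigit((unsigned char)*p)) {
        v = v * 10 + (unsigned)(*p - '0');
        if (v > max) return EINVAL;     /* bounds check before the next digit */
        p++;
    }
    *out = v;
    *pp = p;
    return 0;
}

/* mpo_*_label_internalize_t shape. element_data is untrusted user text:
 * parse into a scratch value and commit to *l only once the whole string
 * validated, so a rejected string leaves the existing label untouched. */
int demo_label_internalize(struct demo_label *l, const char *element_name,
                           const char *element_data)
{
    struct demo_label tmp = { 0, 0 };
    const char *p = element_data;
    unsigned v;
    int rc;

    if (strcmp(element_name, DEMO_NAMESPACE) != 0)
        return 0;
    if ((rc = parse_uint(&p, DEMO_MAX_LEVEL, &v)) != 0) return rc;
    tmp.level = v;
    if (*p == ':') {
        do {
            p++;
            if ((rc = parse_uint(&p, 31, &v)) != 0) return rc;
            if (tmp.compartments & (1u << v)) return EINVAL;   /* duplicate */
            tmp.compartments |= 1u << v;
        } while (*p == ',');
    }
    if (*p != '\0') return EINVAL;      /* trailing garbage */
    *l = tmp;
    return 0;
}

/* Externalize, re-internalize, and report whether the label survived. */
int demo_roundtrip(unsigned level, uint32_t compartments)
{
    struct demo_label in = { level, compartments }, out = { 0, 0 };
    struct demo_sbuf sb = { { 0 }, 0, 0 };

    if (demo_label_externalize(&in, DEMO_NAMESPACE, &sb) != 0) return -1;
    if (demo_label_internalize(&out, DEMO_NAMESPACE, sb.buf) != 0) return -2;
    return (out.level == in.level && out.compartments == in.compartments) ? 0 : -3;
}
```

Returning 0 for a foreign namespace, rather than an error, is what lets several policies coexist: the framework walks every policy for each element, and only the owner of the namespace should act on it.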
mpo_pipe_label_update_t |
Update a pipe label
typedef void mpo_pipe_label_update_t( kauth_cred_t cred, struct pipe *cpipe, struct label *oldlabel, struct label *newlabel );
cred
Subject credential
cpipe
Object to be labeled
oldlabel
Existing pipe label
newlabel
New label to replace existing label
The subject identified by the credential has previously requested, and been authorized by mpo_pipe_check_label_update_t, to relabel the pipe; this entry point performs the actual relabel. Policies should update oldlabel using the label stored in newlabel.
mpo_policy_destroy_t |
Policy unload event
typedef void mpo_policy_destroy_t( struct mac_policy_conf *mpc );
mpc
MAC policy configuration
This is the MAC Framework policy unload event. This entry point will only be called if the module's policy configuration allows unload (if the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't want to be unloaded; they should set their flags to prevent this entry point from being called.
WARNING:
During this call, the mac policy list mutex is held, so sleep operations cannot be performed, and calls out to other kernel subsystems must be made with caution.
mpo_policy_init_t |
Policy initialization event
typedef void mpo_policy_init_t( struct mac_policy_conf *mpc );
mpc
MAC policy configuration
This is the MAC Framework policy initialization event. This entry point is called during mac_policy_register, when the policy module is first registered with the MAC Framework. This is often done very early in the boot process, after the kernel Mach subsystem has been initialized, but prior to the BSD subsystem being initialized. Since the kernel BSD services are not yet available, it is possible that some initialization must occur later, possibly in the mpo_policy_initbsd_t entry point, such as registering BSD system controls (sysctls). Policy modules loaded at boot time will be registered and initialized before labeled Mach objects are created.
WARNING:
During this call, the mac policy list mutex is held, so sleep operations cannot be performed, and calls out to other kernel subsystems must be made with caution.
mpo_policy_initbsd_t |
Policy BSD initialization event
typedef void mpo_policy_initbsd_t( struct mac_policy_conf *mpc );
mpc
MAC policy configuration
This entry point is called after the kernel BSD subsystem has been initialized. By this point, the module should already be loaded, registered, and initialized. Since policy modules are initialized before kernel BSD services are available, this second initialization phase is necessary. At this point, BSD services (memory management, synchronization primitives, vfs, etc.) are available, but the first process has not yet been created. Mach-related objects and tasks will already be fully initialized and may be in use; policies that need to label those Mach objects may also want to implement mpo_policy_init_t.
WARNING:
During this call, the mac policy list mutex is held, so sleep operations cannot be performed, and calls out to other kernel subsystems must be made with caution.
mpo_policy_syscall_t |
Policy extension service
typedef int mpo_policy_syscall_t( struct proc *p, int call, user_addr_t arg );
p
Calling process
call
Policy-specific syscall number
arg
Pointer to syscall arguments
This entry point provides a policy-multiplexed system call so that policies may provide additional services to user processes without registering specific system calls. The policy name provided during registration is used to demux calls from userland, and the arguments will be forwarded to this entry point. When implementing new services, security modules should be sure to invoke appropriate access control checks from the MAC framework as needed. For example, if a policy implements an augmented signal functionality, it should call the necessary signal access control checks to invoke the MAC framework and other registered policies.
WARNING:
Since the format and contents of the policy-specific arguments are unknown to the MAC Framework, modules must perform the required copyin() of the syscall data on their own. No policy mediation is performed, so policies must perform any necessary access control checks themselves. If multiple policies are loaded, they will currently be unable to mediate calls to other policies.
In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.
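The following is an added example, not code from mac_policy.h or from any Apple policy module. It shows the shape of a policy-multiplexed syscall handler that follows the WARNING above: the argument block is copied in exactly once, every check is made on the kernel copy (so user space cannot change it between validation and use), unknown versions, flag bits and call numbers are refused, and an access check is invoked before the privileged action. The demo_args ABI, the call numbers, the simulated user address space behind sim_copyin and the demo_signal_check stand-in for the framework's own signal checks are all assumptions of this example; the proc argument of mpo_policy_syscall_t is omitted because nothing here uses it.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

typedef uint64_t user_addr_t;

/* Simulated user address space so copyin can run outside the kernel: the
 * copy succeeds only if the whole range lies inside this buffer. */
#define USER_BASE 0x1000ULL
static uint8_t user_mem[256];

static int sim_copyin(user_addr_t uaddr, void *kaddr, size_t len)
{
    if (uaddr < USER_BASE)
        return EFAULT;
    uint64_t off = uaddr - USER_BASE;
    if (off > sizeof user_mem || len > sizeof user_mem - off)
        return EFAULT;
    memcpy(kaddr, user_mem + off, len);
    return 0;
}

/* Versioned argument block shared with user space (hypothetical ABI).
 * Fixed-width fields and an explicit version keep the layout stable. */
struct demo_args {
    uint32_t version;
    uint32_t flags;
    uint64_t target_pid;
};
#define DEMO_ARGS_V1     1u
#define DEMO_FLAGS_VALID 0x3u

enum { DEMO_CALL_QUERY = 1, DEMO_CALL_SIGNAL = 2 };

/* Stand-in for the framework access check a real policy would invoke
 * before acting (the text's example is the signal checks). Here pid 1 is
 * the only protected target. */
static int demo_signal_check(uint64_t target_pid)
{
    return target_pid == 1 ? EPERM : 0;
}

/* mpo_policy_syscall_t shape (proc argument omitted). The argument block is
 * copied in exactly once and every decision is made on the kernel copy. */
int policy_syscall(int call, user_addr_t arg)
{
    struct demo_args a;
    int rc = sim_copyin(arg, &a, sizeof a);
    if (rc != 0)
        return rc;                  /* bad user pointer: EFAULT, as copyin would */
    if (a.version != DEMO_ARGS_V1)
        return EINVAL;
    if (a.flags & ~DEMO_FLAGS_VALID)
        return EINVAL;              /* unknown flag bits: refuse, don't ignore */
    switch (call) {
    case DEMO_CALL_QUERY:
        return 0;
    case DEMO_CALL_SIGNAL:
        return demo_signal_check(a.target_pid);
    default:
        return ENOSYS;              /* unknown policy-specific call number */
    }
}

/* Helper: place an argument block in simulated user memory at USER_BASE
 * and issue the call, as a user program would. */
int demo_user_call(int call, uint32_t version, uint32_t flags, uint64_t pid)
{
    struct demo_args a = { version, flags, pid };
    memcpy(user_mem, &a, sizeof a);
    return policy_syscall(call, USER_BASE);
}
```

Rejecting unknown flag bits rather than masking them is deliberate: it keeps the option of giving those bits meaning in a later version without older callers having silently set them.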
mpo_port_check_copy_send_t |
Access control check for copying a send right to another task
typedef int mpo_port_check_copy_send_t( struct label *task, struct label *port );
task
Label of the sender task
port
Label of the affected port
Access control check for copying send rights to the port from the specified task. A complementary entry point, mpo_port_check_hold_send, handles the receiving task. port_check_copy_send is called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.
The task label and the port are locked. Sleeping is permitted.
Return 0 if access is granted, non-zero otherwise.
mpo_port_check_hold_receive_t |
Access control check for obtaining a receive right
typedef int mpo_port_check_hold_receive_t( struct label *task, struct label *port );
task
Label of the receiving task
port
Label of the affected port
Access control check for a task obtaining receive rights to a port. Usually, these are port rights that were obtained with a call to mach_port_allocate. This entry point is called as part of a group of policy invocations when messages with port rights are received. All of these access control checks must succeed in order to receive the message.
The task label and the port are locked. Sleeping is permitted.
Return 0 if access is granted, non-zero otherwise.
mpo_port_check_hold_send_once_t |
Access control check for obtaining a send once right
typedef int mpo_port_check_hold_send_once_t( struct label *task, struct label *port );
task
Label of the receiving task
port
Label of the affected port
Access control check for a task obtaining send once rights to a port. Usually, these are port rights that were part of a message sent by another userspace task. port_check_hold_send_once is called as part of a group of policy invocations when messages with port rights are received. All of these access control checks must succeed in order to receive the message.
The task label and the port are locked. Sleeping is permitted.
Return 0 if access is granted, non-zero otherwise.
mpo_port_check_hold_send_t |
Access control check for obtaining a send right
typedef int mpo_port_check_hold_send_t( struct label *task, struct label *port );
task
Label of the receiving task
port
Label of the affected port
Access control check for a task obtaining send rights to a port. Usually, these are port rights that were part of a message sent by another userspace task. port_check_hold_send is called as part of a group of policy invocations when messages with port rights are received. All of these access control checks must succeed in order to receive the message.
The task label and the port are locked. Sleeping is permitted.
Return 0 if access is granted, non-zero otherwise.
mpo_port_check_label_update_t |
Access control check for relabelling ports
typedef int mpo_port_check_label_update_t( struct label *task, struct label *oldlabel, struct label *newlabel );
task
Subject's task label
oldlabel
Original label of port
newlabel
New label for port
Access control check for relabelling ports. The policy should indicate whether the subject is permitted to change the label of a port from oldlabel to newlabel. The port is locked, but the subject's task label is not locked.
WARNING:
In future releases, the task label lock will likely also be held.
Return 0 if access is granted, non-zero otherwise.
mpo_port_check_make_send_once_t |
Access control check for producing a send once right from a receive right
typedef int mpo_port_check_make_send_once_t( struct label *task, struct label *port );
task
Label of the sender task
port
Label of the affected port
Access control check for obtaining send once rights from receive rights. The new send once right may be destined for the calling task, or a different task. In either case the mpo_port_check_hold_send_once entry point handles the receiving task. port_check_make_send_once may be called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.
The task label and the port are locked. Sleeping is permitted.
Return 0 if access is granted, non-zero otherwise.
mpo_port_check_make_send_t |
Access control check for producing a send right from a receive right
typedef int mpo_port_check_make_send_t( struct label *task, struct label *port );
task
Label of the sender task
port
Label of the affected port
Access control check for obtaining send rights from receive rights. The new send right may be destined for the calling task, or a different task. In either case the mpo_port_check_hold_send entry point handles the receiving task. port_check_make_send may be called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.
The task label and the port are locked. Sleeping is permitted.
Return 0 if access is granted, non-zero otherwise.
mpo_port_check_method_t |
Compute access control check for a Mach message-based service
typedef int mpo_port_check_method_t( struct proc *proc, struct label *task, struct label *port, int msgid );
proc
Sender's process structure (may be NULL)
task
Sender's task label
port
Destination port label
msgid
Message id
Access control computation for message-based services. This entry point computes permission to the service requested by the specified port and message id, for example a single MiG server routine, and is unrelated to the access check for sending messages to ports (but that check must succeed for the message to be sent to the destination). The result of this access computation is stored in the message trailer field msgh_ad (only if requested by the recipient); it does not actually inhibit the message from being sent or received.
0 for access granted, nonzero for access denied.
mpo_port_check_move_receive_t |
Access control check for transferring a receive right
typedef int mpo_port_check_move_receive_t( struct label *task, struct label *port );
task
Label of the sender task
port
Label of the affected port
Access control check for transferring the receive right to a port out of the specified task. A complementary entry point, mpo_port_check_hold_receive, handles the receiving task. port_check_move_receive is called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.
The task label and the port are locked. Sleeping is permitted.
Return 0 if access is granted, non-zero otherwise.
mpo_port_check_move_send_once_t |
Access control check for transferring a send once right
typedef int mpo_port_check_move_send_once_t( struct label *task, struct label *port );
task
Label of the sender task
port
Label of the affected port
Access control check for transferring a send once right from one task to the task listening to the specified port. A complementary entry point, mpo_port_check_hold_send_once, handles the receiving task. port_check_move_send_once is called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.
The task label and the port are locked. Sleeping is permitted.
Return 0 if access is granted, non-zero otherwise.
mpo_port_check_move_send_t |
Access control check for transferring a send right
typedef int mpo_port_check_move_send_t( struct label *task, struct label *port );
task
Label of the sender task
port
Label of the affected port
Access control check for transferring a send right from one task to the task listening to the specified port. A complementary entry point, mpo_port_check_hold_send, handles the receiving task. port_check_move_send is called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.
The task label and the port are locked. Sleeping is permitted.
Return 0 if access is granted, non-zero otherwise.
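The following is an added example, not code from mac_policy.h or from any Apple policy module; it covers the send-time entry points (copy_send, move_send, move_send_once, make_send, make_send_once, move_receive) and their receive-time complements (hold_send, hold_send_once, hold_receive) described above. The point it demonstrates is the grouping: a message carrying several port rights is sent only if the destination check and every sender-side check pass, and received only if every hold check passes. The policy itself is a constructed compartment model, with struct label holding an inline bitmask so the code runs in user space; real entry points see an opaque struct label and read their own slot, and they run with the task and port labels locked and must not page-fault, which is why these checks touch nothing but the two labels.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model: a label is a compartment bitmask. In the kernel
 * struct label is opaque and a policy reads its own slot; here the field
 * is inline so the example builds and runs in user space. */
struct label { uint32_t comps; };

static int dominates(const struct label *a, const struct label *b)
{
    return (b->comps & ~a->comps) == 0;     /* b's compartments within a's */
}
static int same(const struct label *a, const struct label *b)
{
    return a->comps == b->comps;
}

/* Send-time entry points: the sender disposes of a right it holds. Passing
 * a send right on requires dominating the port; minting a right from a
 * receive right, or giving the receive right away, requires owning it. */
int policy_port_check_send(struct label *t, struct label *p)           { return dominates(t, p) ? 0 : 1; }
int policy_port_check_copy_send(struct label *t, struct label *p)      { return dominates(t, p) ? 0 : 1; }
int policy_port_check_move_send(struct label *t, struct label *p)      { return dominates(t, p) ? 0 : 1; }
int policy_port_check_move_send_once(struct label *t, struct label *p) { return dominates(t, p) ? 0 : 1; }
int policy_port_check_make_send(struct label *t, struct label *p)      { return same(t, p) ? 0 : 1; }
int policy_port_check_make_send_once(struct label *t, struct label *p) { return same(t, p) ? 0 : 1; }
int policy_port_check_move_receive(struct label *t, struct label *p)   { return same(t, p) ? 0 : 1; }

/* Receive-time entry points: the receiver acquires the right. */
int policy_port_check_hold_send(struct label *t, struct label *p)      { return dominates(t, p) ? 0 : 1; }
int policy_port_check_hold_send_once(struct label *t, struct label *p) { return dominates(t, p) ? 0 : 1; }
int policy_port_check_hold_receive(struct label *t, struct label *p)   { return same(t, p) ? 0 : 1; }

/* One port right carried in a message, keyed by its disposition. */
enum disposition { COPY_SEND, MOVE_SEND, MAKE_SEND, MOVE_SEND_ONCE, MAKE_SEND_ONCE, MOVE_RECEIVE };
struct carried_right { enum disposition disp; struct label *port; };

/* Send side: the destination port check, then one sender-side check per
 * carried right. The first failure denies the whole message. */
int policy_msg_send_allowed(struct label *sender, struct label *dest,
                            const struct carried_right *r, size_t n)
{
    if (policy_port_check_send(sender, dest) != 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        int rc;
        switch (r[i].disp) {
        case COPY_SEND:      rc = policy_port_check_copy_send(sender, r[i].port); break;
        case MOVE_SEND:      rc = policy_port_check_move_send(sender, r[i].port); break;
        case MAKE_SEND:      rc = policy_port_check_make_send(sender, r[i].port); break;
        case MOVE_SEND_ONCE: rc = policy_port_check_move_send_once(sender, r[i].port); break;
        case MAKE_SEND_ONCE: rc = policy_port_check_make_send_once(sender, r[i].port); break;
        case MOVE_RECEIVE:   rc = policy_port_check_move_receive(sender, r[i].port); break;
        default:             rc = 1; break;     /* unknown disposition: deny */
        }
        if (rc != 0)
            return 0;
    }
    return 1;
}

/* Receive side: the complementary hold_* check for every carried right. */
int policy_msg_receive_allowed(struct label *receiver,
                               const struct carried_right *r, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int rc;
        switch (r[i].disp) {
        case COPY_SEND: case MOVE_SEND: case MAKE_SEND:
            rc = policy_port_check_hold_send(receiver, r[i].port); break;
        case MOVE_SEND_ONCE: case MAKE_SEND_ONCE:
            rc = policy_port_check_hold_send_once(receiver, r[i].port); break;
        case MOVE_RECEIVE:
            rc = policy_port_check_hold_receive(receiver, r[i].port); break;
        default:
            rc = 1; break;
        }
        if (rc != 0)
            return 0;
    }
    return 1;
}

/* Scenario: a sender in compartments {A,B} (0x3) sends, to a port in {A},
 * a copied send right for a port in {A} and the receive right for a port
 * in {A,B}. Returns -1 if the send is refused, 0 if the receiver may not
 * take the rights, 1 if the whole transfer is allowed. */
int demo_scenario(uint32_t receiver_comps)
{
    struct label sender = { 0x3 }, dest = { 0x1 }, port_a = { 0x1 }, port_ab = { 0x3 };
    struct label receiver = { receiver_comps };
    struct carried_right rights[] = { { COPY_SEND, &port_a }, { MOVE_RECEIVE, &port_ab } };
    size_t n = sizeof rights / sizeof rights[0];

    if (!policy_msg_send_allowed(&sender, &dest, rights, n))
        return -1;
    return policy_msg_receive_allowed(&receiver, rights, n) ? 1 : 0;
}
```

Splitting the decision into a send phase and a receive phase mirrors when the framework actually invokes these entry points; a receiver that fails a hold check cannot be handed the right even though the sender was allowed to give it up.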
mpo_port_check_receive_t |
Access control check for receiving Mach messages
typedef int mpo_port_check_receive_t( struct label *task, struct label *sender );
task
Label of the receiving task
sender
Label of the sending task
Access control check for receiving messages. The two labels are locked.
WARNING:
This entry point can be invoked from many places inside the kernel, with arbitrary other locks held. The implementation of this entry point must not cause page faults, as those are handled by mach messages.
Return 0 if access is granted, non-zero otherwise.
mpo_port_check_send_t |
Access control check for sending Mach messages
typedef int mpo_port_check_send_t( struct label *task, struct label *port );
task
Label of the sender task
port
Label of the destination port
Access control check for sending messages. The task label and the port are locked.
WARNING:
This entry point can be invoked from many places inside the kernel, with arbitrary other locks held. The implementation of this entry point must not cause page faults, as those are handled by mach messages.
Return 0 if access is granted, non-zero otherwise.
mpo_port_check_service_t |
Generic access control check
typedef int mpo_port_check_service_t( struct label *subj, struct label *obj, const char *serv, const char *perm );
subj
Caller-provided subject label
obj
Caller-provided object label
serv
Service or object class name
perm
Permission, or method, within the specified service
This function provides a general way for a user process to query an arbitrary access control decision from the system's security policies. Currently, there are no standards for the format of the service and permission names. Labels may be either cred or port labels; the policy must accept either. The userspace interfaces to this entry point allow label strings or label handles (ports) to be provided.
Return 0 if access is granted, non-zero otherwise.
mpo_port_label_associate_kernel_t |
Assign a label to a new Mach port created by the kernel
typedef void mpo_port_label_associate_kernel_t( struct label *portlabel, int isreply );
portlabel
Label for the new port
isreply
True if the port is for a reply message from the kernel
Assign a label to a new port created by the kernel. If the port is being used to reply to a message, isreply is 1 (0 otherwise). The port is locked.
mpo_port_label_associate_t |
Assign a label to a new Mach port
typedef void mpo_port_label_associate_t( struct label *it, struct label *st, struct label *portlabel );
it
Task label of issuer
st
Task label of target
portlabel
Label for the new port
Assign a label to a new port. The policy can base this label on the label of the calling task, as well as the label of the target task. The target task is the one which receives the first right for this port. Both task labels and the port are locked.
mpo_port_label_compute_t |
Request label for new (userspace) object
typedef int mpo_port_label_compute_t( struct label *subj, struct label *obj, const char *serv, struct label *out );
subj
Subject label
obj
Parent or existing object label
serv
Name of service
out
Computed label
Ask the loaded policies to compute a label based on the two input labels and the service name. There is currently no standard for the service name, or even what the input labels represent (Subject and parent object are only a suggestion). If successful, the computed label is stored in out. All labels must be port (or task) labels. The userspace interfaces to this entry point allow label handles (ports) to be provided.
0 on success, or an errno value for failure.
mpo_port_label_copy_t |
Copy a Mach port label
typedef void mpo_port_label_copy_t( struct label *src, struct label *dest );
src
Source port label
dest
Destination port label
Copy the Mach port label information from src to dest. This is used to copy user-supplied labels into an existing port.
mpo_port_label_destroy_t |
Destroy Mach port label
typedef void mpo_port_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a Mach port label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_port_label_init_t |
Initialize Mach port label
typedef void mpo_port_label_init_t( struct label *label );
label
New label to initialize
Initialize the label for a newly instantiated Mach port. Sleeping is permitted.
mpo_port_label_update_cred_t |
Update a Mach task port label
typedef void mpo_port_label_update_cred_t( struct label *cred, struct label *task );
cred
User credential label to be used as the source
task
Mach port label to be used as the destination
mpo_port_label_update_kobject_t |
Assign a label to a Mach port connected to a kernel object
typedef void mpo_port_label_update_kobject_t( struct label *portlabel, int kotype );
portlabel
Label for the port
kotype
Type of kernel object
Label a kernel port based on the type of object behind it. The kotype parameter is one of the IKOT constants in
mpo_posixsem_check_create_t |
Access control check for POSIX semaphore create
typedef int mpo_posixsem_check_create_t( kauth_cred_t cred, const char *name );
cred
Subject credential
name
String name of the semaphore
Determine whether the subject identified by the credential can create a POSIX semaphore specified by name.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_posixsem_check_open_t |
Access control check for POSIX semaphore open
typedef int mpo_posixsem_check_open_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel );
cred
Subject credential
ps
Pointer to semaphore information structure
semlabel
Label associated with the semaphore
Determine whether the subject identified by the credential can open the named POSIX semaphore with label semlabel.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_posixsem_check_post_t |
Access control check for POSIX semaphore post
typedef int mpo_posixsem_check_post_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel );
cred
Subject credential
ps
Pointer to semaphore information structure
semlabel
Label associated with the semaphore
Determine whether the subject identified by the credential can unlock the named POSIX semaphore with label semlabel.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_posixsem_check_unlink_t |
Access control check for POSIX semaphore unlink
typedef int mpo_posixsem_check_unlink_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel, const char *name );
cred
Subject credential
ps
Pointer to semaphore information structure
semlabel
Label associated with the semaphore
name
String name of the semaphore
Determine whether the subject identified by the credential can remove the named POSIX semaphore with label semlabel.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_posixsem_check_wait_t |
Access control check for POSIX semaphore wait
typedef int mpo_posixsem_check_wait_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel );
cred
Subject credential
ps
Pointer to semaphore information structure
semlabel
Label associated with the semaphore
Determine whether the subject identified by the credential can lock the named POSIX semaphore with label semlabel.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_posixsem_label_associate_t |
Create a POSIX semaphore label
typedef void mpo_posixsem_label_associate_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel, const char *name );
cred
Subject credential
ps
Pointer to semaphore information structure
semlabel
Label to associate with the new semaphore
name
String name of the semaphore
Label a new POSIX semaphore. The label was previously initialized and associated with the semaphore. At this time, an appropriate initial label value should be assigned to the object and stored in semlabel.
mpo_posixsem_label_destroy_t |
Destroy POSIX semaphore label
typedef void mpo_posixsem_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a POSIX semaphore label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_posixsem_label_init_t |
Initialize POSIX semaphore label
typedef void mpo_posixsem_label_init_t( struct label *label );
label
New label to initialize
Initialize the label for a newly instantiated POSIX semaphore. Sleeping is permitted.
mpo_posixshm_check_create_t |
Access control check for POSIX shared memory region create
typedef int mpo_posixshm_check_create_t( kauth_cred_t cred, const char *name );
cred
Subject credential
name
String name of the shared memory region
Determine whether the subject identified by the credential can create the POSIX shared memory region referenced by name.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_posixshm_check_mmap_t |
Access control check for mapping POSIX shared memory
typedef int mpo_posixshm_check_mmap_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, int prot, int flags );
cred
Subject credential
ps
Pointer to shared memory information structure
shmlabel
Label associated with the shared memory region
prot
mmap protections; see mmap(2)
flags
shmat flags; see shmat(2)
Determine whether the subject identified by the credential can map the POSIX shared memory segment associated with shmlabel.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_posixshm_check_open_t |
Access control check for POSIX shared memory region open
typedef int mpo_posixshm_check_open_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel );
cred
Subject credential
ps
Pointer to shared memory information structure
shmlabel
Label associated with the shared memory region
Determine whether the subject identified by the credential can open the POSIX shared memory region.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_posixshm_check_stat_t |
Access control check for POSIX shared memory stat
typedef int mpo_posixshm_check_stat_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel );
cred
Subject credential
ps
Pointer to shared memory information structure
shmlabel
Label associated with the shared memory region
Determine whether the subject identified by the credential can obtain status for the POSIX shared memory segment associated with shmlabel.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_posixshm_check_truncate_t |
Access control check for POSIX shared memory truncate
typedef int mpo_posixshm_check_truncate_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, size_t len );
cred
Subject credential
ps
Pointer to shared memory information structure
shmlabel
Label associated with the shared memory region
len
Length to truncate or extend shared memory segment
Determine whether the subject identified by the credential can truncate or extend (to len) the POSIX shared memory segment associated with shmlabel.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_posixshm_check_unlink_t |
Access control check for POSIX shared memory unlink
typedef int mpo_posixshm_check_unlink_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, const char *name );
cred
Subject credential
ps
Pointer to shared memory information structure
shmlabel
Label associated with the shared memory region
name
String name of the shared memory region
Determine whether the subject identified by the credential can delete the POSIX shared memory segment associated with shmlabel.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_posixshm_label_associate_t |
Create a POSIX shared memory region label
typedef void mpo_posixshm_label_associate_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, const char *name );
cred
Subject credential
ps
Pointer to shared memory information structure
shmlabel
Label to associate with the new shared memory region
name
String name of the shared memory region
Label a new POSIX shared memory region. The label was previously initialized and associated with the shared memory region. At this time, an appropriate initial label value should be assigned to the object and stored in shmlabel.
mpo_posixshm_label_destroy_t |
Destroy POSIX shared memory label
typedef void mpo_posixshm_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a POSIX shared memory region label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_posixshm_label_init_t |
Initialize POSIX Shared Memory region label
typedef void mpo_posixshm_label_init_t( struct label *label );
label
New label to initialize
Initialize the label for a newly instantiated POSIX Shared Memory region. Sleeping is permitted.
mpo_proc_check_debug_t |
Access control check for debugging process
typedef int mpo_proc_check_debug_t( kauth_cred_t cred, struct proc *proc );
cred
Subject credential
proc
Object process
Determine whether the subject identified by the credential can debug the passed process. This call may be made in a number of situations, including use of the ptrace(2) and ktrace(2) APIs, as well as for some types of procfs operations.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to hide visibility of the target.
mpo_proc_check_fork_t |
Access control over fork
typedef int mpo_proc_check_fork_t( kauth_cred_t cred, struct proc *proc );
cred
Subject credential
proc
Subject process trying to fork
Determine whether the subject identified is allowed to fork.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_proc_check_get_task_name_t |
Access control check for getting a process's task name
typedef int mpo_proc_check_get_task_name_t( kauth_cred_t cred, struct proc *p );
cred
Subject credential
p
Object process
Determine whether the subject identified by the credential can get the passed process's task name port. This call is used by the task_name_for_pid(2) API.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to hide visibility of the target.
mpo_proc_check_get_task_t |
Access control check for getting a process's task port
typedef int mpo_proc_check_get_task_t( kauth_cred_t cred, struct proc *p );
cred
Subject credential
p
Object process
Determine whether the subject identified by the credential can get the passed process's task control port. This call is used by the task_for_pid(2) API.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to hide visibility of the target.
mpo_proc_check_getaudit_t |
Access control check for retrieving audit information
typedef int mpo_proc_check_getaudit_t( kauth_cred_t cred );
cred
Subject credential
Determine whether the subject identified by the credential can get audit information such as the audit user ID, the preselection mask, the terminal ID and the audit session ID, using the getaudit() system call.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_proc_check_getauid_t |
Access control check for retrieving audit user ID
typedef int mpo_proc_check_getauid_t( kauth_cred_t cred );
cred
Subject credential
Determine whether the subject identified by the credential can get the user identity being used by the auditing system, using the getauid() system call.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_proc_check_getlcid_t |
Access control check for retrieving Login Context ID
typedef int mpo_proc_check_getlcid_t( struct proc *p0, struct proc *p, pid_t pid );
p0
Calling process
p
Affected process
pid
syscall PID argument
Determine if getlcid(2) system call is permitted.
Information returned by this system call is similar to that returned via process listings etc.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_proc_check_mprotect_t |
Access control check for setting memory protections
typedef int mpo_proc_check_mprotect_t( kauth_cred_t cred, struct proc *proc, user_addr_t addr, user_size_t size, int prot );
cred
Subject credential
proc
User process requesting the change
addr
Start address of the memory range
size
Length of the memory range
prot
Memory protections, see mmap(2)
Determine whether the subject identified by the credential should be allowed to set the specified memory protections on memory mapped in the process proc.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_proc_check_sched_t |
Access control check for changing scheduling parameters
typedef int mpo_proc_check_sched_t( kauth_cred_t cred, struct proc *proc );
cred
Subject credential
proc
Object process
Determine whether the subject identified by the credential can change the scheduling parameters of the passed process.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to limit visibility.
mpo_proc_check_setaudit_t |
Access control check for setting audit information
typedef int mpo_proc_check_setaudit_t( kauth_cred_t cred, struct auditinfo *ai );
cred
Subject credential
ai
Audit information
Determine whether the subject identified by the credential can set audit information such as the preselection mask, the terminal ID and the audit session ID, using the setaudit() system call.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_proc_check_setauid_t |
Access control check for setting audit user ID
typedef int mpo_proc_check_setauid_t( kauth_cred_t cred, uid_t auid );
cred
Subject credential
auid
Audit user ID
Determine whether the subject identified by the credential can set the user identity used by the auditing system, using the setauid() system call.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_proc_check_setlcid_t |
Access control check for setting the Login Context
typedef int mpo_proc_check_setlcid_t( struct proc *p0, struct proc *p, pid_t pid, pid_t lcid );
p0
Calling process
p
Affected process
pid
syscall PID argument
lcid
syscall LCID argument
Determine if setlcid(2) system call is permitted.
See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of decoding syscall arguments to determine action desired by caller.
Five distinct actions are possible: CREATE, JOIN, LEAVE, ADOPT and ORPHAN.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_proc_check_signal_t |
Access control check for delivering signal
typedef int mpo_proc_check_signal_t( kauth_cred_t cred, struct proc *proc, int signum );
cred
Subject credential
proc
Object process
signum
Signal number; see kill(2)
Determine whether the subject identified by the credential can deliver the passed signal to the passed process.
WARNING:
Programs typically expect to be able to send and receive signals as part of their normal process lifecycle; caution should be exercised when implementing access controls over signal events.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to limit visibility.
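The following stand-alone C example is added here and is not code from mac_policy.h or from any Apple policy module. It shows one way a policy might implement the decision shared by mpo_proc_check_debug_t, mpo_proc_check_get_task_t, mpo_proc_check_sched_t and mpo_proc_check_signal_t so that each of the three suggested errno values answers a distinct question: the labels differ (EACCES), the labels match but the operation needs privilege (EPERM), or the target should not be visible at all (ESRCH). The types struct ex_label and struct ex_subject, the ex_ functions and the domain, hidden and privileged fields are assumptions made for this example; the framework actually passes an opaque struct label and a kauth_cred_t, from which a real policy would derive these values.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed, policy-private view of a label. The framework hands a policy
 * an opaque struct label; a real policy would read its own slot from it. */
struct ex_label {
    int domain;   /* compartment the subject or object belongs to */
    int hidden;   /* object wants to be invisible outside its own domain */
};

/* Constructed stand-in for what a policy derives from a kauth_cred_t. */
struct ex_subject {
    struct ex_label label;
    int privileged;   /* result of the policy's own privilege test */
};

/*
 * Common decision for the process checks. Returns 0 or one of the suggested
 * errno values. need_priv says whether the operation additionally requires
 * privilege even when subject and object share a domain.
 *
 * The hidden test runs before the label-mismatch test on purpose: answering
 * EACCES for a hidden target would already confirm that the pid exists.
 */
int
ex_proc_check(const struct ex_subject *subj, const struct ex_label *obj,
              int need_priv)
{
    if (obj->domain != subj->label.domain)
        return obj->hidden ? ESRCH : EACCES;
    if (need_priv && !subj->privileged)
        return EPERM;
    return 0;
}

/* mpo_proc_check_debug_t and mpo_proc_check_get_task_t: same-domain access
 * still requires privilege, since a debugger or task port gives full control
 * over the target. */
int
ex_proc_check_debug(const struct ex_subject *subj, const struct ex_label *obj)
{
    return ex_proc_check(subj, obj, 1);
}

/* mpo_proc_check_signal_t: signals are part of a program's normal lifecycle
 * (see the warning above), so within a domain they are allowed without
 * privilege; only cross-domain delivery is refused. The signal number is
 * accepted to mirror the entry point's signature but does not change the
 * decision in this example. */
int
ex_proc_check_signal(const struct ex_subject *subj, const struct ex_label *obj,
                     int signum)
{
    (void)signum;
    return ex_proc_check(subj, obj, 0);
}
```

The same helper would back mpo_proc_check_sched_t with need_priv set, since changing another process's scheduling parameters is closer to debugging than to signalling; whatever the choice, keeping the errno mapping in one function keeps the visibility behaviour consistent across the four entry points.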
mpo_proc_check_wait_t |
Access control check for wait
typedef int mpo_proc_check_wait_t( kauth_cred_t cred, struct proc *proc );
cred
Subject credential
proc
Object process
Determine whether the subject identified by the credential can wait for process termination.
WARNING:
Caution should be exercised when implementing access controls for wait, since programs often wait for child processes to exit. Failure to be notified of a child process terminating may cause the parent process to hang, or may produce zombie processes.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_proc_label_destroy_t |
Destroy process label
typedef void mpo_proc_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a process label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_proc_label_init_t |
Initialize process label
typedef void mpo_proc_label_init_t( struct label *label );
label
New label to initialize
Initialize the label for a newly instantiated BSD process structure. Normally, security policies will store the process label in the user credential rather than here in the process structure. However, there are some floating label policies that may need to temporarily store a label in the process structure until it is safe to update the user credential label. Sleeping is permitted.
mpo_socket_check_accept_t |
Access control check for socket accept
typedef int mpo_socket_check_accept_t( kauth_cred_t cred, socket_t so, struct label *socklabel );
cred
Subject credential
so
Object socket
socklabel
Policy label for socket
Determine whether the subject identified by the credential can accept() a new connection on the socket from the host specified by addr.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_accepted_t |
Access control check for a pending socket accept
typedef int mpo_socket_check_accepted_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockaddr *addr );
cred
Subject credential
so
Object socket
socklabel
Policy label for socket
addr
Address of the listening socket (coming soon)
Determine whether the subject identified by the credential can accept() a pending connection on the socket from the host specified by addr.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_bind_t |
Access control check for socket bind
typedef int mpo_socket_check_bind_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockaddr *addr );
cred
Subject credential
so
Object socket
socklabel
Policy label for socket
addr
Name to assign to the socket
Determine whether the subject identified by the credential can bind() the name (addr) to the socket.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_connect_t |
Access control check for socket connect
typedef int mpo_socket_check_connect_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockaddr *addr );
cred
Subject credential
so
Object socket
socklabel
Policy label for socket
addr
Name to assign to the socket
Determine whether the subject identified by the credential can connect() the passed socket to the remote host specified by addr.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_create_t |
Access control check for socket() system call.
typedef int mpo_socket_check_create_t( kauth_cred_t cred, int domain, int type, int protocol );
cred
Subject credential
domain
communication domain
type
socket type
protocol
socket protocol
Determine whether the subject identified by the credential can make the socket() call.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_deliver_t |
Access control check for delivering data to a user's receive queue
typedef int mpo_socket_check_deliver_t( socket_t so, struct label *so_label, struct mbuf *m, struct label *m_label );
so
The socket data is being delivered to
so_label
The label of so
m
The mbuf whose data will be deposited into the receive queue
m_label
The label of the sender of the data.
A socket has a queue for receiving incoming data. When a packet arrives on the wire, it eventually gets deposited into this queue, which the owner of the socket drains when they read from the socket's file descriptor.
This function determines whether the socket can receive data from the sender specified by m_label.
WARNING:
There is an outstanding design issue surrounding the placement of this function. The check must be placed either before or after the TCP sequence and ACK counters are updated. Placing the check before the counters are updated causes the incoming packet to be resent by the remote if the check rejects it. Placing the check after the counters are updated results in a completely silent drop. As far as each TCP stack is concerned the packet was received, however, the data will not be in the socket's receive queue. Another consideration is that the current design requires using the "failed label" occasionally. In that case, on rejection, we want the remote TCP to resend the data. Because of this, we chose to place this check before the counters are updated, so rejected packets will be resent by the remote host. If a policy keeps rejecting the same packet, eventually the connection will be dropped. Policies have several options if this design causes problems. For example, one option is to sanitize the mbuf such that it is acceptable, then accept it. That may require negotiation between policies as the Framework will not know to re-check the packet. The policy must handle NULL MBUF labels. This will likely be the case for non-local TCP sockets for example.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
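The following C example is added here and is not code from mac_policy.h or from any Apple policy module. It shows a deliver check that handles the case the warning above calls out, a NULL mbuf label, as an explicit policy decision instead of a dereference, and otherwise applies a simple level comparison between sender and receiving socket. The types struct ex_so_label and struct ex_m_label, the level and accept_unlabeled fields, and the rule itself are assumptions made for this example; the real entry point receives opaque struct label pointers for the socket and the mbuf.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed stand-ins for the policy's private part of the socket label
 * and the mbuf label. */
struct ex_so_label {
    int level;              /* sensitivity level of the socket's owner */
    int accept_unlabeled;   /* policy setting: accept senders with no label */
};
struct ex_m_label {
    int level;              /* sensitivity level of the sender */
};

/*
 * mpo_socket_check_deliver_t: may the data in the mbuf, sent by m_label, be
 * placed on the socket's receive queue?
 *
 * m_label can be NULL (for example on non-local TCP sockets). Touching it
 * before testing for NULL would crash the kernel from the network input
 * path, so that case is decided first, and what "unlabeled" means is a
 * per-socket policy setting rather than an accident.
 */
int
ex_socket_check_deliver(const struct ex_so_label *so_label,
                        const struct ex_m_label *m_label)
{
    if (m_label == NULL)
        return so_label->accept_unlabeled ? 0 : EACCES;

    /* A socket may only receive from senders at or below its own level.
     * Because the framework runs this check before TCP's counters advance,
     * a rejected segment is retransmitted by the peer rather than silently
     * lost (see the warning above). */
    return (m_label->level <= so_label->level) ? 0 : EACCES;
}
```

Returning EACCES for an unlabeled sender on a strict socket is the conservative default; a policy that instead wants to sanitize and accept such traffic, as the text suggests, would adjust the mbuf label here before returning 0.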
mpo_socket_check_getsockopt_t |
Access control check for getting socket options
typedef int mpo_socket_check_getsockopt_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockopt *sopt );
cred
Subject credential
so
Object socket
socklabel
Policy label for so
sopt
The options to get
Determine whether the subject identified by the credential can execute the getsockopt system call on the given socket.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_kqfilter_t |
Access control check for socket kqfilter
typedef int mpo_socket_check_kqfilter_t( kauth_cred_t cred, struct knote *kn, socket_t so, struct label *socklabel );
cred
Subject credential
kn
Object knote
so
Object socket
socklabel
Policy label for socket
Determine whether the subject identified by the credential can receive the knote on the passed socket.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_label_update_t |
Access control check for socket relabel
typedef int mpo_socket_check_label_update_t( kauth_cred_t cred, socket_t so, struct label *so_label, struct label *newlabel );
cred
Subject credential
so
Object socket
so_label
The current label of so
newlabel
The label to be assigned to so
Determine whether the subject identified by the credential can change the label on the socket.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_listen_t |
Access control check for socket listen
typedef int mpo_socket_check_listen_t( kauth_cred_t cred, socket_t so, struct label *socklabel );
cred
Subject credential
so
Object socket
socklabel
Policy label for socket
Determine whether the subject identified by the credential can listen() on the passed socket.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_receive_t |
Access control check for socket receive
typedef int mpo_socket_check_receive_t( kauth_cred_t cred, socket_t so, struct label *socklabel );
cred
Subject credential
so
Object socket
socklabel
Policy label for socket
Determine whether the subject identified by the credential can receive data from the socket.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_received_t |
Access control check for socket receive
typedef int mpo_socket_check_received_t( kauth_cred_t cred, struct socket *sock, struct label *socklabel, struct sockaddr *saddr );
cred
Subject credential
sock
Object socket
socklabel
Policy label for socket
saddr
Name of the remote socket
Determine whether the subject identified by the credential can receive data from the remote host specified by saddr.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_select_t |
Access control check for socket select
typedef int mpo_socket_check_select_t( kauth_cred_t cred, socket_t so, struct label *socklabel, int which );
cred
Subject credential
so
Object socket
socklabel
Policy label for socket
which
The operation selected on: FREAD or FWRITE
Determine whether the subject identified by the credential can use the socket in a call to select().
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_send_t |
Access control check for socket send
typedef int mpo_socket_check_send_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockaddr *addr );
cred
Subject credential
so
Object socket
socklabel
Policy label for socket
addr
Address being sent to
Determine whether the subject identified by the credential can send data to the socket.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_setsockopt_t |
Access control check for setting socket options
typedef int mpo_socket_check_setsockopt_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockopt *sopt );
cred
Subject credential
so
Object socket
socklabel
Policy label for so
sopt
The options being set
Determine whether the subject identified by the credential can execute the setsockopt system call on the given socket.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_check_stat_t |
Access control check for retrieving socket status
typedef int mpo_socket_check_stat_t( kauth_cred_t cred, socket_t so, struct label *socklabel );
cred
Subject credential
so
Object socket
socklabel
Policy label for so
Determine whether the subject identified by the credential can execute the stat() system call on the given socket.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_socket_label_associate_accept_t |
Label a socket
typedef void mpo_socket_label_associate_accept_t( socket_t oldsock, struct label *oldlabel, socket_t newsock, struct label *newlabel );
oldsock
Listening socket
oldlabel
Policy label associated with oldsock
newsock
New socket
newlabel
Policy label associated with newsock
A new socket is created when a connection is accept(2)ed. This function labels the new socket based on the existing listen(2)ing socket.
mpo_socket_label_associate_t |
Assign a label to a new socket
typedef void mpo_socket_label_associate_t( kauth_cred_t cred, socket_t so, struct label *solabel );
cred
Credential of the owning process
so
The socket being labeled
solabel
The label
Set the label on a newly created socket from the passed subject credential. This call is made when a socket is created. The credentials may be null if the socket is being created by the kernel.
WARNING:
cred can be NULL.
mpo_socket_label_copy_t |
Copy a socket label
typedef void mpo_socket_label_copy_t( struct label *src, struct label *dest );
src
Source label
dest
Destination label
Copy the socket label information in src into dest.
mpo_socket_label_destroy_t |
Destroy socket label
typedef void mpo_socket_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a socket label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_socket_label_externalize_t |
Externalize a socket label
typedef int mpo_socket_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );
label
Label to be externalized
element_name
Name of the label namespace for which labels should be externalized
sb
String buffer to be filled with a text representation of label
Produce an externalized socket label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. If element_name does not match a namespace managed by the policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data.
In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.
mpo_socket_label_init_t |
Initialize socket label
typedef int mpo_socket_label_init_t( struct label *label, int waitok );
label
New label to initialize
waitok
Malloc flags
Initialize the label of a newly instantiated socket. The waitok field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call. It is not always safe to sleep during this entry point.
WARNING:
Since it is possible for the waitok flags to be set to M_NOWAIT, the malloc operation may fail.
In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.
mpo_socket_label_internalize_t |
Internalize a socket label
typedef int mpo_socket_label_internalize_t( struct label *label, char *element_name, char *element_data );
label
Label to be filled in
element_name
Name of the label namespace for which the label should be internalized
element_data
Text data to be internalized
Produce an internal socket label structure based on externalized label data in text format.
The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.
In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.
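The following stand-alone C example is added here and is not code from mac_policy.h or from any Apple policy module. It walks a socket label through the lifecycle described by mpo_socket_label_init_t, mpo_socket_label_externalize_t, mpo_socket_label_internalize_t and mpo_socket_label_destroy_t: an init that honours M_NOWAIT and reports an allocation failure as ENOMEM instead of ignoring it, an externalize that writes nothing and returns 0 for a namespace the policy does not manage, and an internalize that parses user-supplied text strictly. The struct label and struct ex_sbuf definitions (stand-ins for the kernel's opaque label and struct sbuf), the ex_malloc allocator with its ex_alloc_exhausted switch, the "example" namespace, and the single-integer level stored in struct ex_socklabel are all assumptions made for this example; the M_WAITOK and M_NOWAIT values are those of xnu's sys/malloc.h. The element_name and element_data parameters are declared const here, while the entry points on this page take plain char pointers.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for kernel types so the example builds in userland.
 * The real struct label is opaque and holds a slot per registered policy;
 * here it is just the pointer a policy would keep in its slot. ex_sbuf
 * replaces struct sbuf with a fixed text buffer. */
struct label { void *l_priv; };
struct ex_sbuf { char text[64]; };

#ifndef M_WAITOK
#define M_WAITOK 0x0000   /* values as in xnu's sys/malloc.h */
#define M_NOWAIT 0x0001
#endif

/* Policy-private socket label: one non-negative sensitivity level. */
struct ex_socklabel { long level; };

/* Label namespace this hypothetical policy manages. */
#define EX_NAMESPACE "example"

/* Models a non-blocking allocation that finds no memory when set. A sleeping
 * (M_WAITOK) allocation is modelled as waiting until memory exists. */
int ex_alloc_exhausted = 0;

static void *
ex_malloc(size_t size, int waitok)
{
    if ((waitok & M_NOWAIT) && ex_alloc_exhausted)
        return NULL;
    return malloc(size);
}

/* mpo_socket_label_init_t: the caller may forbid sleeping, so the only safe
 * answer to a failed M_NOWAIT allocation is ENOMEM, leaving the slot empty. */
int
ex_socket_label_init(struct label *label, int waitok)
{
    struct ex_socklabel *sl = ex_malloc(sizeof(*sl), waitok);
    if (sl == NULL)
        return ENOMEM;
    sl->level = 0;
    label->l_priv = sl;
    return 0;
}

/* mpo_socket_label_destroy_t: release exactly what init allocated. */
void
ex_socket_label_destroy(struct label *label)
{
    free(label->l_priv);
    label->l_priv = NULL;
}

/* mpo_socket_label_externalize_t: answer only for our own namespace; for any
 * other, write nothing and return 0 so the framework moves on. Non-zero is
 * reserved for a real failure, here the text not fitting the buffer. */
int
ex_socket_label_externalize(struct label *label, const char *element_name,
                            struct ex_sbuf *sb)
{
    struct ex_socklabel *sl = label->l_priv;
    if (strcmp(element_name, EX_NAMESPACE) != 0 || sl == NULL)
        return 0;
    if (snprintf(sb->text, sizeof(sb->text), "%ld", sl->level)
        >= (int)sizeof(sb->text))
        return ENOMEM;
    return 0;
}

/* mpo_socket_label_internalize_t: element_data comes from userland, so only a
 * bare non-negative integer is accepted; trailing characters, overflow or a
 * negative value all yield EINVAL and leave the label unchanged. */
int
ex_socket_label_internalize(struct label *label, const char *element_name,
                            const char *element_data)
{
    struct ex_socklabel *sl = label->l_priv;
    char *end;
    long level;

    if (strcmp(element_name, EX_NAMESPACE) != 0)
        return 0;   /* the framework only calls us for our namespace, but be safe */
    if (sl == NULL)
        return EINVAL;
    errno = 0;
    level = strtol(element_data, &end, 10);
    if (errno != 0 || end == element_data || *end != '\0' || level < 0)
        return EINVAL;
    sl->level = level;
    return 0;
}
```

The strict parse in internalize is the point to review in a real policy: label text arrives through the userspace label interfaces, so anything the parser accepts silently (trailing characters, out-of-range values) becomes kernel-held policy state.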
mpo_socket_label_update_t |
Relabel socket
typedef void mpo_socket_label_update_t( kauth_cred_t cred, socket_t so, struct label *so_label, struct label *newlabel );
cred
Subject credential
so
Object; socket
so_label
Current label of the socket
newlabel
The label to be assigned to so
The subject identified by the credential has previously requested and was authorized to relabel the socket; this entry point allows policies to perform the actual label update operation.
WARNING:
XXX This entry point will likely change in future versions.
mpo_socketpeer_label_associate_mbuf_t |
Set the peer label on a socket from mbuf
typedef void mpo_socketpeer_label_associate_mbuf_t( struct mbuf *m, struct label *m_label, socket_t so, struct label *so_label );
m
Mbuf chain received on socket so
m_label
Label for m
so
Current label for the socket
so_label
Policy label to be filled out for the socket
Set the peer label of a socket based on the label of the sender of the mbuf.
This is called for every TCP/IP packet received. The first call for a given socket operates on a newly initialized label, and subsequent calls operate on existing label data.
WARNING:
Because this can affect performance significantly, it has different semantics than other 'set' operations. Typically, 'set' operations operate on newly initialized labels and policies do not need to worry about clobbering existing values. In this case, it is too inefficient to initialize and destroy a label every time data is received for the socket. Instead, it is up to the policies to determine how to replace the label data. Most policies should be able to replace the data inline.
mpo_socketpeer_label_associate_socket_t |
Set the peer label on a socket from socket
typedef void mpo_socketpeer_label_associate_socket_t( socket_t source, struct label *sourcelabel, socket_t target, struct label *targetlabel );
source
Local socket
sourcelabel
Policy label for source
target
Peer socket
targetlabel
Policy label to fill in for target
Set the peer label on a stream UNIX domain socket from the passed remote socket endpoint. This call will be made when the socket pair is connected, and will be made for both endpoints.
Note that this call is only made on connection; it is currently not updated during communication.
mpo_socketpeer_label_destroy_t |
Destroy socket peer label
typedef void mpo_socketpeer_label_destroy_t( struct label *label );
label
The peer label to be destroyed
Destroy a socket peer label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_socketpeer_label_externalize_t |
Externalize a socket peer label
typedef int mpo_socketpeer_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );
label
Label to be externalized
element_name
Name of the label namespace for which labels should be externalized
sb
String buffer to be filled with a text representation of label
Produce an externalized socket peer label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. If element_name does not match a namespace managed by the policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data.
In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.
mpo_socketpeer_label_init_t |
Initialize socket peer label
typedef int mpo_socketpeer_label_init_t( struct label *label, int waitok );
label
New label to initialize
waitok
Malloc flags
Initialize the peer label of a newly instantiated socket. The waitok field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call. It is not always safe to sleep during this entry point.
WARNING:
Since it is possible for the waitok flags to be set to M_NOWAIT, the malloc operation may fail.
In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.
mpo_system_check_acct_t |
Access control check for enabling accounting
typedef int mpo_system_check_acct_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel );
cred
Subject credential
vp
Accounting file
vlabel
Label associated with vp
Determine whether the subject should be allowed to enable accounting, based on its label and the label of the accounting log file. See acct(5) for more information.
As accounting is disabled by passing NULL to the acct(2) system call, the policy should be prepared for both 'vp' and 'vlabel' to be NULL.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_system_check_audit_t |
Access control check for audit
typedef int mpo_system_check_audit_t( kauth_cred_t cred, void *record, int length );
cred
Subject credential
record
Audit record
length
Audit record length
Determine whether the subject identified by the credential can submit an audit record for inclusion in the audit log via the audit() system call.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_system_check_auditctl_t |
Access control check for controlling audit
typedef int mpo_system_check_auditctl_t( kauth_cred_t cred, struct vnode *vp, struct label *vl );
cred
Subject credential
vp
Audit file
vl
Label associated with vp
Determine whether the subject should be allowed to enable auditing using the auditctl() system call, based on its label and the label of the proposed audit file.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_system_check_auditon_t |
Access control check for manipulating auditing
typedef int mpo_system_check_auditon_t( kauth_cred_t cred, int cmd );
cred
Subject credential
cmd
Audit control command
Determine whether the subject identified by the credential can perform the audit subsystem control operation cmd via the auditon() system call.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_system_check_host_priv_t |
Access control check for obtaining the host control port
typedef int mpo_system_check_host_priv_t( kauth_cred_t cred );
cred
Subject credential
Determine whether the subject identified by the credential can obtain the host control port.
Return 0 if access is granted, or non-zero otherwise.
mpo_system_check_nfsd_t |
Access control check for calling NFS services
typedef int mpo_system_check_nfsd_t( kauth_cred_t cred );
cred
Subject credential
Determine whether the subject identified by the credential should be allowed to call nfssrv(2).
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_system_check_reboot_t |
Access control check for reboot
typedef int mpo_system_check_reboot_t( kauth_cred_t cred, int howto );
cred
Subject credential
howto
howto parameter from reboot(2)
Determine whether the subject identified by the credential should be allowed to reboot the system in the specified manner.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_system_check_settime_t |
Access control check for setting system clock
typedef int mpo_system_check_settime_t( kauth_cred_t cred );
cred
Subject credential
Determine whether the subject identified by the credential should be allowed to set the system clock.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_system_check_swapoff_t |
Access control check for removing swap devices
typedef int mpo_system_check_swapoff_t( kauth_cred_t cred, struct vnode *vp, struct label *label );
cred
Subject credential
vp
Swap device
label
Label associated with vp
Determine whether the subject identified by the credential should be allowed to remove vp as a swap device.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_system_check_swapon_t |
Access control check for adding swap devices
typedef int mpo_system_check_swapon_t( kauth_cred_t cred, struct vnode *vp, struct label *label );
cred
Subject credential
vp
Swap device
label
Label associated with vp
Determine whether the subject identified by the credential should be allowed to add vp as a swap device.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_system_check_sysctl_t |
Access control check for sysctl
typedef int mpo_system_check_sysctl_t( kauth_cred_t cred, int *name, u_int namelen, user_addr_t old, /* NULLOK */ user_addr_t oldlenp, /* NULLOK */ int inkernel, user_addr_t newvalue, /* NULLOK */ size_t newlen );
cred
Subject credential
name
Integer name; see sysctl(3)
namelen
Length of name array of integers; see sysctl(3)
old
0 or address where to store old value; see sysctl(3)
oldlenp
Pointer to length of old buffer; see sysctl(3)
inkernel
Boolean; 1 if called from kernel
newvalue
0 or address of new value; see sysctl(3)
newlen
Length of new buffer; see sysctl(3)
Determine whether the subject identified by the credential should be allowed to make the specified sysctl(3) transaction.
The sysctl(3) call specifies that if the old value is not desired, oldp and oldlenp should be set to NULL. Likewise, if a new value is not to be set, newp should be set to NULL and newlen set to 0.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
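The read/write convention described for the sysctl check above, as an added example that is not part of mac_policy.h or any Apple policy module: a userland model of a hypothetical mpo_system_check_sysctl_t implementation. kauth_cred_t and user_addr_t are replaced by stand-ins, and the protected subtree (kern.*, CTL_KERN), the uid-0 rule and the user addresses in the driver are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for the kernel types in the typedef.  A user pointer the caller
 * left NULL arrives as 0, as the parameter descriptions above state. */
typedef uint64_t user_addr_t;
typedef unsigned int u_int;
struct example_cred { unsigned int uid; };  /* modelled credential: uid only */
typedef struct example_cred *kauth_cred_t;

/* Constructed policy: a write anywhere under kern.* (CTL_KERN is 1 in
 * <sys/sysctl.h>) requires uid 0; reads and other subtrees pass through. */
#define CTL_KERN 1

int example_system_check_sysctl(kauth_cred_t cred, int *name, u_int namelen,
                                user_addr_t old, user_addr_t oldlenp, int inkernel,
                                user_addr_t newvalue, size_t newlen)
{
    (void)old; (void)oldlenp;      /* this policy never restricts reads */
    if (inkernel)
        return 0;                  /* kernel-originated transactions are not subjects */
    if (name == NULL || namelen == 0)
        return EINVAL;
    /* sysctl(3): setting nothing means newp == NULL and newlen == 0, so any
     * non-zero pointer or length marks the transaction as a write. */
    int is_write = (newvalue != 0 || newlen != 0);
    if (!is_write)
        return 0;
    if (name[0] == CTL_KERN && cred->uid != 0)
        return EPERM;
    return 0;
}

/* Driver: a credential for uid, the MIB {top, 0}, and either a read (write == 0,
 * old buffer supplied) or a 4-byte write.  Addresses are constructed values.
 * Returns the policy's verdict: 0 or an errno value. */
int example_sysctl_verdict(unsigned int uid, int top, int inkernel, int write)
{
    struct example_cred cred = { uid };
    int mib[2] = { top, 0 };
    user_addr_t oldp = write ? 0 : 0x2000, oldlenp = write ? 0 : 0x2008;
    user_addr_t newp = write ? 0x1000 : 0;
    size_t newlen = write ? sizeof(int) : 0;
    return example_system_check_sysctl(&cred, mib, 2, oldp, oldlenp, inkernel,
                                       newp, newlen);
}
```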
mpo_sysvmsg_label_associate_t |
Create a System V message label
typedef void mpo_sysvmsg_label_associate_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel, struct msg *msgptr, struct label *msglabel );
cred
Subject credential
msqptr
The message queue the message will be placed in
msqlabel
The label of the message queue
msgptr
The message
msglabel
The label of the message
Label the message as it is placed in the message queue.
mpo_sysvmsg_label_destroy_t |
Destroy System V message label
typedef void mpo_sysvmsg_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a System V message label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_sysvmsg_label_init_t |
Initialize System V message label
typedef void mpo_sysvmsg_label_init_t( struct label *label );
label
New label to initialize
Initialize the label for a newly instantiated System V message.
mpo_sysvmsg_label_recycle_t |
Clean up a System V message label
typedef void mpo_sysvmsg_label_recycle_t( struct label *label );
label
The label to be destroyed
Clean up a System V message label. Darwin pre-allocates messages at system boot time and re-uses them rather than allocating new ones. Before messages are returned to the "free pool", policies can cleanup or overwrite any information present in the label.
mpo_sysvmsq_check_enqueue_t |
Access control check for System V message enqueuing
typedef int mpo_sysvmsq_check_enqueue_t( kauth_cred_t cred, struct msg *msgptr, struct label *msglabel, struct msqid_kernel *msqptr, struct label *msqlabel );
cred
Subject credential
msgptr
The message
msglabel
The message's label
msqptr
The message queue
msqlabel
The message queue's label
Determine whether the subject identified by the credential can add the given message to the given message queue.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvmsq_check_msgrcv_t |
Access control check for System V message reception
typedef int mpo_sysvmsq_check_msgrcv_t( kauth_cred_t cred, struct msg *msgptr, struct label *msglabel );
cred
The credential of the intended recipient
msgptr
The message
msglabel
The message's label
Determine whether the subject identified by the credential can receive the given message.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvmsq_check_msgrmid_t |
Access control check for System V message queue removal
typedef int mpo_sysvmsq_check_msgrmid_t( kauth_cred_t cred, struct msg *msgptr, struct label *msglabel );
cred
The credential of the caller
msgptr
The message
msglabel
The message's label
System V message queues are removed using the msgctl() system call. The system will iterate over each message in the queue, calling this function for each, to determine whether the caller has the appropriate credentials.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvmsq_check_msqctl_t |
Access control check for msgctl()
typedef int mpo_sysvmsq_check_msqctl_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel, int cmd );
cred
The credential of the caller
msqptr
The message queue
msqlabel
The message queue's label
cmd
Control operation to be performed; see msgctl(2)
This access check is performed to validate calls to msgctl().
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvmsq_check_msqget_t |
Access control check to get a System V message queue
typedef int mpo_sysvmsq_check_msqget_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel );
cred
The credential of the caller
msqptr
The message queue requested
msqlabel
The message queue's label
On a call to msgget(), if the queue requested already exists, and it is a public queue, this check will be performed before the queue's ID is returned to the user.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvmsq_check_msqrcv_t |
Access control check to receive a System V message from the given queue
typedef int mpo_sysvmsq_check_msqrcv_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel );
cred
The credential of the caller
msqptr
The message queue to receive from
msqlabel
The message queue's label
On a call to msgrcv(), this check is performed to determine whether the caller has receive rights on the given queue.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvmsq_check_msqsnd_t |
Access control check to send a System V message to the given queue
typedef int mpo_sysvmsq_check_msqsnd_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel );
cred
The credential of the caller
msqptr
The message queue to send to
msqlabel
The message queue's label
On a call to msgsnd(), this check is performed to determine whether the caller has send rights on the given queue.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvmsq_label_associate_t |
Create a System V message queue label
typedef void mpo_sysvmsq_label_associate_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel );
cred
Subject credential
msqptr
The message queue
msqlabel
The label of the message queue
mpo_sysvmsq_label_destroy_t |
Destroy System V message queue label
typedef void mpo_sysvmsq_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a System V message queue label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_sysvmsq_label_init_t |
Initialize System V message queue label
typedef void mpo_sysvmsq_label_init_t( struct label *label );
label
New label to initialize
Initialize the label for a newly instantiated System V message queue.
mpo_sysvmsq_label_recycle_t |
Clean up a System V message queue label
typedef void mpo_sysvmsq_label_recycle_t( struct label *label );
label
The label to be destroyed
Clean up a System V message queue label. Darwin pre-allocates message queues at system boot time and re-uses them rather than allocating new ones. Before message queues are returned to the "free pool", policies can cleanup or overwrite any information present in the label.
mpo_sysvsem_check_semctl_t |
Access control check for System V semaphore control operation
typedef int mpo_sysvsem_check_semctl_t( kauth_cred_t cred, struct semid_kernel *semakptr, struct label *semaklabel, int cmd );
cred
Subject credential
semakptr
Pointer to semaphore identifier
semaklabel
Label associated with semaphore
cmd
Control operation to be performed; see semctl(2)
Determine whether the subject identified by the credential can perform the operation indicated by cmd on the System V semaphore semakptr.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvsem_check_semget_t |
Access control check for obtaining a System V semaphore
typedef int mpo_sysvsem_check_semget_t( kauth_cred_t cred, struct semid_kernel *semakptr, struct label *semaklabel );
cred
Subject credential
semakptr
Pointer to semaphore identifier
semaklabel
Label to associate with the semaphore
Determine whether the subject identified by the credential can obtain a System V semaphore.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvsem_check_semop_t |
Access control check for System V semaphore operations
typedef int mpo_sysvsem_check_semop_t( kauth_cred_t cred, struct semid_kernel *semakptr, struct label *semaklabel, size_t accesstype );
cred
Subject credential
semakptr
Pointer to semaphore identifier
semaklabel
Label associated with the semaphore
accesstype
Flags to indicate access (read and/or write)
Determine whether the subject identified by the credential can perform the operations on the System V semaphore indicated by semakptr. The accesstype flags hold the maximum set of permissions from the sem_op array passed to the semop system call. It may contain SEM_R for read-only operations or SEM_A for read/write operations.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvsem_label_associate_t |
Create a System V semaphore label
typedef void mpo_sysvsem_label_associate_t( kauth_cred_t cred, struct semid_kernel *semakptr, struct label *semalabel );
cred
Subject credential
semakptr
The semaphore being created
semalabel
Label to associate with the new semaphore
Label a new System V semaphore. The label was previously initialized and associated with the semaphore. At this time, an appropriate initial label value should be assigned to the object and stored in semalabel.
mpo_sysvsem_label_destroy_t |
Destroy System V semaphore label
typedef void mpo_sysvsem_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a System V semaphore label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_sysvsem_label_init_t |
Initialize System V semaphore label
typedef void mpo_sysvsem_label_init_t( struct label *label );
label
New label to initialize
Initialize the label for a newly instantiated System V semaphore. Sleeping is permitted.
mpo_sysvsem_label_recycle_t |
Clean up a System V semaphore label
typedef void mpo_sysvsem_label_recycle_t( struct label *label );
label
The label to be cleaned
Clean up a System V semaphore label. Darwin pre-allocates semaphores at system boot time and re-uses them rather than allocating new ones. Before semaphores are returned to the "free pool", policies can cleanup or overwrite any information present in the label.
mpo_sysvshm_check_shmat_t |
Access control check for mapping System V shared memory
typedef int mpo_sysvshm_check_shmat_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg );
cred
Subject credential
shmsegptr
Pointer to shared memory segment identifier
shmseglabel
Label associated with the shared memory segment
shmflg
shmat flags; see shmat(2)
Determine whether the subject identified by the credential can map the System V shared memory segment associated with shmsegptr.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvshm_check_shmctl_t |
Access control check for System V shared memory control operation
typedef int mpo_sysvshm_check_shmctl_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd );
cred
Subject credential
shmsegptr
Pointer to shared memory segment identifier
shmseglabel
Label associated with the shared memory segment
cmd
Control operation to be performed; see shmctl(2)
Determine whether the subject identified by the credential can perform the operation indicated by cmd on the System V shared memory segment shmsegptr.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvshm_check_shmdt_t |
Access control check for unmapping System V shared memory
typedef int mpo_sysvshm_check_shmdt_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel );
cred
Subject credential
shmsegptr
Pointer to shared memory segment identifier
shmseglabel
Label associated with the shared memory segment
Determine whether the subject identified by the credential can unmap the System V shared memory segment associated with shmsegptr.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvshm_check_shmget_t |
Access control check for obtaining a System V shared memory identifier
typedef int mpo_sysvshm_check_shmget_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg );
cred
Subject credential
shmsegptr
Pointer to shared memory segment identifier
shmseglabel
Label associated with the shared memory segment
shmflg
shmget flags; see shmget(2)
Determine whether the subject identified by the credential can get the System V shared memory segment address.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_sysvshm_label_associate_t |
Create a System V shared memory region label
typedef void mpo_sysvshm_label_associate_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmlabel );
cred
Subject credential
shmsegptr
The shared memory region being created
shmlabel
Label to associate with the new shared memory region
Label a new System V shared memory region. The label was previously initialized and associated with the shared memory region. At this time, an appropriate initial label value should be assigned to the object and stored in shmlabel.
mpo_sysvshm_label_destroy_t |
Destroy System V shared memory label
typedef void mpo_sysvshm_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a System V shared memory region label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_sysvshm_label_init_t |
Initialize System V Shared Memory region label
typedef void mpo_sysvshm_label_init_t( struct label *label );
label
New label to initialize
Initialize the label for a newly instantiated System V Shared Memory region. Sleeping is permitted.
mpo_sysvshm_label_recycle_t |
Clean up a System V Shared Memory Region label
typedef void mpo_sysvshm_label_recycle_t( struct label *shmlabel );
shmlabel
The label to be cleaned
Clean up a System V Shared Memory Region label. Darwin pre-allocates these objects at system boot time and re-uses them rather than allocating new ones. Before the memory regions are returned to the "free pool", policies can cleanup or overwrite any information present in the label.
mpo_task_label_associate_kernel_t |
Assign a label to a new kernelspace Mach task
typedef void mpo_task_label_associate_kernel_t( struct task *kproc, struct label *tasklabel, struct label *portlabel );
kproc
New task
tasklabel
Label for new task
portlabel
Label for new task port
mpo_task_label_associate_t |
Assign a label to a new (userspace) Mach task
typedef void mpo_task_label_associate_t( struct task *parent, struct task *child, struct label *parentlabel, struct label *childlabel, struct label *childportlabel );
parent
Parent task
child
New (child) task
parentlabel
Label of parent task
childlabel
Label for new task
childportlabel
Label for new task's task port
Assign labels to a new task and its task port. Both the task and task port labels should be specified. Both new labels are initialized. If the task will have an associated BSD process, that information will be made available by the task_label_update and port_label_update_cred entry points.
mpo_task_label_copy_t |
Copy a Mach task label
typedef void mpo_task_label_copy_t( struct label *src, struct label *dest );
src
Source task label
dest
Destination task label
Copy the Mach task label information from src to dest. This is used when duplicating label handles to implement copy-on-write semantics.
mpo_task_label_destroy_t |
Destroy Mach task label
typedef void mpo_task_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a Mach task label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_task_label_externalize_t |
Externalize a task label
typedef int mpo_task_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );
label
Label to be externalized
element_name
Name of the label namespace for which labels should be externalized
sb
String buffer to be filled with a text representation of the label
Produce an external representation of the label on a task. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.
Return 0 on success, or non-zero if an error occurs while externalizing the label data.
mpo_task_label_init_t |
Initialize Mach task label
typedef void mpo_task_label_init_t( struct label *label );
label
New label to initialize
Initialize the label for a newly instantiated Mach task. Sleeping is permitted.
mpo_task_label_internalize_t |
Internalize a task label
typedef int mpo_task_label_internalize_t( struct label *label, char *element_name, char *element_data );
label
Label to be internalized
element_name
Name of the label namespace for which the label should be internalized
element_data
Text data to be internalized
Produce a task label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward the text version to the kernel for processing by individual policy modules.
The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.
Return 0 on success, or non-zero if an error occurs while internalizing the label data.
mpo_task_label_update_t |
Update a Mach task label
typedef void mpo_task_label_update_t( struct label *cred, struct label *task );
cred
User credential label to be used as the source
task
Mach task label to be used as the destination
Update the label on a Mach task, using the supplied user credential label. When a mac_cred_label_update_execve or a mac_cred_label_update operation causes the label on a user credential to change, the Mach task label needs to be updated to reflect the change. Both labels are valid (initialized and created).
WARNING:
XXX We may change the name of this entry point in a future version of the MAC framework.
mpo_thread_userret_t |
Perform MAC-related events when a thread returns to user space
typedef void mpo_thread_userret_t( int code, int error, struct thread *thread );
code
The number of the syscall/trap that has finished
error
The error code that will be returned to user space
thread
Mach (not BSD) thread that is returning
This entry point permits policy modules to perform MAC-related events when a thread returns to user space, via a system call return, trap return, or otherwise.
mpo_vnode_check_access_t |
Check vnode access
typedef int mpo_vnode_check_access_t( kauth_cred_t cred, struct vnode *vp, struct label *label, int acc_mode );
cred
Subject credential
vp
Object vnode
label
Label for vp
acc_mode
access(2) flags
Determine how invocations of access(2) and related calls by the subject identified by the credential should return when performed on the passed vnode using the passed access flags. This should generally be implemented using the same semantics used in mpo_vnode_check_open.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_chdir_t |
Access control check for changing working directory
typedef int mpo_vnode_check_chdir_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel );
cred
Subject credential
dvp
Object; vnode to chdir(2) into
dlabel
Policy label for dvp
Determine whether the subject identified by the credential can change the process working directory to the passed vnode.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_chroot_t |
Access control check for changing root directory
typedef int mpo_vnode_check_chroot_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp );
cred
Subject credential
dvp
Directory vnode
dlabel
Policy label associated with dvp
cnp
Component name for dvp
Determine whether the subject identified by the credential should be allowed to chroot(2) into the specified directory (dvp).
In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.
mpo_vnode_check_create_t |
Access control check for creating vnode
typedef int mpo_vnode_check_create_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vnode_attr *vap );
cred
Subject credential
dvp
Directory vnode
dlabel
Policy label for dvp
cnp
Component name for dvp
vap
vnode attributes for vap
Determine whether the subject identified by the credential can create a vnode with the passed parent directory, passed name information, and passed attribute information. This call may be made in a number of situations, including as a result of calls to open(2) with O_CREAT, mknod(2), mkfifo(2), and others.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_deleteextattr_t |
Access control check for deleting extended attribute
typedef int mpo_vnode_check_deleteextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, const char *name );
cred
Subject credential
vp
Object vnode
vlabel
Label associated with vp
name
Extended attribute name
Determine whether the subject identified by the credential can delete the extended attribute from the passed vnode.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_exchangedata_t |
Access control check for exchanging file data
typedef int mpo_vnode_check_exchangedata_t( kauth_cred_t cred, struct vnode *v1, struct label *vl1, struct vnode *v2, struct label *vl2 );
cred
Subject credential
v1
vnode 1 to swap
vl1
Policy label for v1
v2
vnode 2 to swap
vl2
Policy label for v2
Determine whether the subject identified by the credential can swap the data in the two supplied vnodes.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_exec_t |
Access control check for executing the vnode
typedef int mpo_vnode_check_exec_t( kauth_cred_t cred, struct vnode *vp, struct label *label, struct label *execlabel, /* NULLOK */ struct componentname *cnp, u_int *csflags );
cred
Subject credential
vp
Object vnode to execute
label
Policy label for vp
execlabel
Userspace provided execution label
cnp
Component name for file being executed
Determine whether the subject identified by the credential can execute the passed vnode. Determination of execute privilege is made separately from decisions about any process label transitioning event.
The final label, execlabel, corresponds to a label supplied by a user space application through the use of the mac_execve system call. This label will be NULL if the user application uses the vendor execve(2) call instead of the MAC Framework mac_execve() call.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_getattrlist_t |
Access control check for retrieving file attributes
typedef int mpo_vnode_check_getattrlist_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, struct attrlist *alist );
cred
Subject credential
vp
Object vnode
vlabel
Policy label for vp
alist
List of attributes to retrieve
Determine whether the subject identified by the credential can read various attributes of the specified vnode, or the filesystem or volume on which that vnode resides. See
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege. Access control covers all attributes requested with this call; the security policy is not permitted to change the set of attributes requested.
mpo_vnode_check_getextattr_t |
Access control check for retrieving an extended attribute
typedef int mpo_vnode_check_getextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *label, /* NULLOK */ const char *name, struct uio *uio /* NULLOK */ );
cred
Subject credential
vp
Object vnode
label
Policy label for vp
name
Extended attribute name
uio
I/O structure pointer
Determine whether the subject identified by the credential can retrieve the extended attribute from the passed vnode. The uio parameter will be NULL when the getxattr(2) call has been made with a NULL data value; this is done to request the size of the data only.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_ioctl_t |
Access control check for ioctl
typedef int mpo_vnode_check_ioctl_t( kauth_cred_t cred, struct vnode *vp, struct label *label, unsigned int cmd );
cred
Subject credential
vp
Object vnode
label
Policy label for vp
cmd
Device-dependent request code; see ioctl(2)
Determine whether the subject identified by the credential can perform the ioctl operation indicated by cmd.
WARNING:
Since ioctl data is opaque from the standpoint of the MAC framework, and since ioctls can affect many aspects of system operation, policies must exercise extreme care when implementing access control checks.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_vnode_check_kqfilter_t |
Access control check for vnode kqfilter
typedef int mpo_vnode_check_kqfilter_t( kauth_cred_t active_cred, kauth_cred_t file_cred, /* NULLOK */ struct knote *kn, struct vnode *vp, struct label *label );
active_cred
Subject credential
file_cred
Credential associated with the struct fileproc
kn
Object knote
vp
Object vnode
label
Policy label for vp
Determine whether the subject identified by the credential can receive the knote on the passed vnode.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_vnode_check_label_update_t |
Access control check for relabel
Determine whether the subject identified by the credential can relabel the passed vnode to the passed label update. If all policies permit the update, the actual relabel (mpo_vnode_label_update_t) will follow.
typedef int mpo_vnode_check_label_update_t( struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *newlabel );
cred
Subject credential
vp
Object vnode
vnodelabel
Existing policy label for vp
newlabel
Policy label update to later be applied to vp
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_vnode_check_link_t |
Access control check for creating link
typedef int mpo_vnode_check_link_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp );
cred
Subject credential
dvp
Directory vnode
dlabel
Policy label associated with dvp
vp
Link destination vnode
label
Policy label associated with vp
cnp
Component name for the link being created
Determine whether the subject identified by the credential should be allowed to create a link to the vnode vp with the name specified by cnp.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_vnode_check_listextattr_t |
Access control check for listing extended attributes
typedef int mpo_vnode_check_listextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel );
cred
Subject credential
vp
Object vnode
vlabel
Policy label associated with vp
Determine whether the subject identified by the credential can retrieve a list of named extended attributes from a vnode.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_vnode_check_lookup_t |
Access control check for lookup
typedef int mpo_vnode_check_lookup_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp );
cred
Subject credential
dvp
Object vnode
dlabel
Policy label for dvp
cnp
Component name being looked up
Determine whether the subject identified by the credential can perform a lookup in the passed directory vnode for the passed name (cnp).
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_open_t |
Access control check for open
typedef int mpo_vnode_check_open_t( kauth_cred_t cred, struct vnode *vp, struct label *label, int acc_mode );
cred
Subject credential
vp
Object vnode
label
Policy label associated with vp
acc_mode
open(2) access mode
Determine whether the subject identified by the credential can perform an open operation on the passed vnode with the passed access mode.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_read_t |
Access control check for read
typedef int mpo_vnode_check_read_t( kauth_cred_t active_cred, /* SUBJECT */ kauth_cred_t file_cred, /* NULLOK */ struct vnode *vp, /* OBJECT */ struct label *label /* LABEL */ );
active_cred
Subject credential
file_cred
Credential associated with the struct fileproc
vp
Object vnode
label
Policy label for vp
Determine whether the subject identified by the credential can perform a read operation on the passed vnode. The active_cred holds the credentials of the subject performing the operation, and file_cred holds the credentials of the subject that originally opened the file.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_readdir_t |
Access control check for read directory
typedef int mpo_vnode_check_readdir_t( kauth_cred_t cred, /* SUBJECT */ struct vnode *dvp, /* OBJECT */ struct label *dlabel /* LABEL */ );
cred
Subject credential
dvp
Object directory vnode
dlabel
Policy label for dvp
Determine whether the subject identified by the credential can perform a readdir operation on the passed directory vnode.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_readlink_t |
Access control check for read link
typedef int mpo_vnode_check_readlink_t( kauth_cred_t cred, struct vnode *vp, struct label *label );
cred
Subject credential
vp
Object vnode
label
Policy label for vp
Determine whether the subject identified by the credential can perform a readlink operation on the passed symlink vnode. This call can be made in a number of situations, including an explicit readlink call by the user process, or as a result of an implicit readlink during a name lookup by the process.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_rename_from_t |
Access control check for rename from
typedef int mpo_vnode_check_rename_from_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp );
cred
Subject credential
dvp
Directory vnode
dlabel
Policy label associated with dvp
vp
vnode to be renamed
label
Policy label associated with vp
cnp
Component name for vp
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_vnode_check_rename_to_t |
Access control check for rename to
Determine whether the subject identified by the credential should be allowed to rename to the vnode vp, into the directory dvp, or to the name represented by cnp. If there is no existing file to overwrite, vp and label will be NULL. Due to VFS locking constraints (to make sure proper vnode locks are held during this entry point), the vnode rename checks had to be split into two parts: rename_from and rename_to.
typedef int mpo_vnode_check_rename_to_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, /* NULLOK */ struct label *label, /* NULLOK */ int samedir, struct componentname *cnp );
cred
Subject credential
dvp
Directory vnode
dlabel
Policy label associated with dvp
vp
Overwritten vnode
label
Policy label associated with vp
samedir
Boolean; 1 if the source and destination directories are the same
cnp
Destination component name
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_vnode_check_revoke_t |
Access control check for revoke
typedef int mpo_vnode_check_revoke_t( kauth_cred_t cred, struct vnode *vp, struct label *label );
cred
Subject credential
vp
Object vnode
label
Policy label for vp
Determine whether the subject identified by the credential can revoke access to the passed vnode.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_select_t |
Access control check for select
typedef int mpo_vnode_check_select_t( kauth_cred_t cred, struct vnode *vp, struct label *label, int which );
cred
Subject credential
vp
Object vnode
label
Policy label for vp
which
The operation selected on: FREAD or FWRITE
Determine whether the subject identified by the credential can select the vnode.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned.
mpo_vnode_check_setattrlist_t |
Access control check for setting file attributes
typedef int mpo_vnode_check_setattrlist_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, struct attrlist *alist );
cred
Subject credential
vp
Object vnode
vlabel
Policy label for vp
alist
List of attributes to set
Determine whether the subject identified by the credential can set various attributes of the specified vnode, or the filesystem or volume on which that vnode resides. See
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege. Access control covers all attributes requested with this call.
mpo_vnode_check_setextattr_t |
Access control check for setting extended attribute
typedef int mpo_vnode_check_setextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *label, const char *name, struct uio *uio );
cred
Subject credential
vp
Object vnode
label
Policy label for vp
name
Extended attribute name
uio
I/O structure pointer
Determine whether the subject identified by the credential can set the extended attribute of the passed name and passed namespace on the passed vnode. Policies implementing security labels backed by extended attributes may want to provide additional protections for those attributes. Additionally, policies should avoid making decisions based on the data referenced from uio, as there is a potential race condition between this check and the actual operation. The uio may also be NULL if a delete operation is being performed.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_setflags_t |
Access control check for setting flags
typedef int mpo_vnode_check_setflags_t( kauth_cred_t cred, struct vnode *vp, struct label *label, u_long flags );
cred
Subject credential
vp
Object vnode
label
Policy label for vp
flags
File flags; see chflags(2)
Determine whether the subject identified by the credential can set the passed flags on the passed vnode.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_setmode_t |
Access control check for setting mode
typedef int mpo_vnode_check_setmode_t( kauth_cred_t cred, struct vnode *vp, struct label *label, mode_t mode );
cred
Subject credential
vp
Object vnode
label
Policy label for vp
mode
File mode; see chmod(2)
Determine whether the subject identified by the credential can set the passed mode on the passed vnode.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_setowner_t |
Access control check for setting uid and gid
typedef int mpo_vnode_check_setowner_t( kauth_cred_t cred, struct vnode *vp, struct label *label, uid_t uid, gid_t gid );
cred
Subject credential
vp
Object vnode
label
Policy label for vp
uid
User ID
gid
Group ID
Determine whether the subject identified by the credential can set the passed uid and passed gid as file uid and file gid on the passed vnode. The IDs may be set to (-1) to request no update.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_setutimes_t |
Access control check for setting timestamps
typedef int mpo_vnode_check_setutimes_t( kauth_cred_t cred, struct vnode *vp, struct label *label, struct timespec atime, struct timespec mtime );
cred
Subject credential
vp
Object vnode
label
Policy label for vp
atime
Access time; see utimes(2)
mtime
Modification time; see utimes(2)
Determine whether the subject identified by the credential can set the passed access and modification timestamps on the passed vnode.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_stat_t |
Access control check for stat
typedef int mpo_vnode_check_stat_t( struct ucred *active_cred, struct ucred *file_cred, /* NULLOK */ struct vnode *vp, struct label *label );
active_cred
Subject credential
file_cred
Credential associated with the struct fileproc
vp
Object vnode
label
Policy label for vp
Determine whether the subject identified by the credential can stat the passed vnode. See stat(2) for more information. The active_cred holds the credentials of the subject performing the operation, and file_cred holds the credentials of the subject that originally opened the file.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_truncate_t |
Access control check for truncate/ftruncate
typedef int mpo_vnode_check_truncate_t( kauth_cred_t active_cred, kauth_cred_t file_cred, /* NULLOK */ struct vnode *vp, struct label *label );
active_cred
Subject credential
file_cred
Credential associated with the struct fileproc
vp
Object vnode
label
Policy label for vp
Determine whether the subject identified by the credential can perform a truncate operation on the passed vnode. The active_cred holds the credentials of the subject performing the operation, and file_cred holds the credentials of the subject that originally opened the file.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_unlink_t |
Access control check for deleting vnode
Determine whether the subject identified by the credential can delete a vnode from the passed parent directory and passed name information. This call may be made in a number of situations, including as a result of calls to unlink(2) and rmdir(2). Policies implementing this entry point should also implement mpo_check_rename_to to authorize deletion of objects as a result of being the target of a rename.
typedef int mpo_vnode_check_unlink_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp );
cred
Subject credential
dvp
Parent directory vnode
dlabel
Policy label for dvp
vp
Object vnode to delete
label
Policy label for vp
cnp
Component name for vp
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_check_write_t |
Access control check for write
typedef int mpo_vnode_check_write_t( kauth_cred_t active_cred, kauth_cred_t file_cred, /* NULLOK */ struct vnode *vp, struct label *label );
active_cred
Subject credential
file_cred
Credential associated with the struct fileproc
vp
Object vnode
label
Policy label for vp
Determine whether the subject identified by the credential can perform a write operation on the passed vnode. The active_cred holds the credentials of the subject performing the operation, and file_cred holds the credentials of the subject that originally opened the file.
Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.
mpo_vnode_label_associate_devfs_t |
Associate a vnode with a devfs entry
typedef void mpo_vnode_label_associate_devfs_t( struct mount *mp, struct label *mntlabel, struct devnode *de, struct label *delabel, struct vnode *vp, struct label *vlabel );
mp
Devfs mount point
mntlabel
Devfs mount point label
de
Devfs directory entry
delabel
Label associated with de
vp
vnode associated with de
vlabel
Label associated with vp
Fill in the label (vlabel) for a newly created devfs vnode. The label is typically derived from the label on the devfs directory entry or the label on the filesystem, supplied as parameters.
mpo_vnode_label_associate_extattr_t |
Associate a label with a vnode
typedef int mpo_vnode_label_associate_extattr_t( struct mount *mp, struct label *mntlabel, struct vnode *vp, struct label *vlabel );
mp
File system mount point
mntlabel
File system mount point label
vp
Vnode to label
vlabel
Label associated with vp
Attempt to retrieve label information for the vnode, vp, from the file system extended attribute store. The label should be stored in the supplied vlabel parameter. If a policy cannot retrieve an extended attribute, it is sometimes acceptable to fall back to using the mntlabel.
If the policy requires vnodes to have a valid label elsewhere it MUST NOT return other than temporary errors, and must always provide a valid label of some sort. Returning an error will cause vnode labeling to be retried at a later access. Failure to handle policy centric errors internally (corrupt labels etc.) will result in inaccessible files.
In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.
mpo_vnode_label_associate_file_t |
Associate a file label with a vnode
typedef void mpo_vnode_label_associate_file_t( struct ucred *cred, struct mount *mp, struct label *mntlabel, struct fileglob *fg, struct label *label, struct vnode *vp, struct label *vlabel );
cred
User credential
mp
Fdesc mount point
mntlabel
Fdesc mount point label
fg
Fileglob structure
label
Policy label for fg
vp
Vnode to label
vlabel
Label associated with vp
Associate label information for the vnode, vp, with the label of the open file descriptor described by fg. The label should be stored in the supplied vlabel parameter.
mpo_vnode_label_associate_pipe_t |
Associate a pipe label with a vnode
typedef void mpo_vnode_label_associate_pipe_t( struct ucred *cred, struct pipe *cpipe, struct label *pipelabel, struct vnode *vp, struct label *vlabel );
cred
User credential for the process that opened the pipe
cpipe
Pipe structure
pipelabel
Label associated with pipe
vp
Vnode to label
vlabel
Label associated with vp
Associate label information for the vnode, vp, with the label of the pipe described by the pipe structure cpipe. The label should be stored in the supplied vlabel parameter.
mpo_vnode_label_associate_posixsem_t |
Associate a POSIX semaphore label with a vnode
typedef void mpo_vnode_label_associate_posixsem_t( struct ucred *cred, struct pseminfo *psem, struct label *psemlabel, struct vnode *vp, struct label *vlabel );
cred
User credential for the process that created psem
psem
POSIX semaphore structure
psemlabel
Label associated with psem
vp
Vnode to label
vlabel
Label associated with vp
Associate label information for the vnode, vp, with the label of the POSIX semaphore described by psem. The label should be stored in the supplied vlabel parameter.
mpo_vnode_label_associate_posixshm_t |
Associate a POSIX shared memory label with a vnode
typedef void mpo_vnode_label_associate_posixshm_t( struct ucred *cred, struct pshminfo *pshm, struct label *pshmlabel, struct vnode *vp, struct label *vlabel );
cred
User credential for the process that created pshm
pshm
POSIX shared memory structure
pshmlabel
Label associated with pshm
vp
Vnode to label
vlabel
Label associated with vp
Associate label information for the vnode, vp, with the label of the POSIX shared memory region described by pshm. The label should be stored in the supplied vlabel parameter.
mpo_vnode_label_associate_singlelabel_t |
Associate a label with a vnode
typedef void mpo_vnode_label_associate_singlelabel_t( struct mount *mp, struct label *mntlabel, struct vnode *vp, struct label *vlabel );
mp
File system mount point
mntlabel
File system mount point label
vp
Vnode to label
vlabel
Label associated with vp
On non-multilabel file systems, set the label for a vnode. The label will most likely be based on the file system label.
mpo_vnode_label_associate_socket_t |
Associate a socket label with a vnode
typedef void mpo_vnode_label_associate_socket_t( kauth_cred_t cred, socket_t so, struct label *solabel, struct vnode *vp, struct label *vlabel );
cred
User credential for the process that opened the socket
so
Socket structure
solabel
Label associated with so
vp
Vnode to label
vlabel
Label associated with vp
Associate label information for the vnode, vp, with the label of the open socket described by the socket structure so. The label should be stored in the supplied vlabel parameter.
mpo_vnode_label_copy_t |
Copy a vnode label
typedef void mpo_vnode_label_copy_t( struct label *src, struct label *dest );
src
Source vnode label
dest
Destination vnode label
Copy the vnode label information from src to dest. On Darwin, this is currently only necessary when executing interpreted scripts, but will later be used if vnode label externalization cannot be an atomic operation.
mpo_vnode_label_destroy_t |
Destroy vnode label
typedef void mpo_vnode_label_destroy_t( struct label *label );
label
The label to be destroyed
Destroy a vnode label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.
mpo_vnode_label_externalize_audit_t |
Externalize a vnode label for auditing
typedef int mpo_vnode_label_externalize_audit_t( struct label *label, char *element_name, struct sbuf *sb );
label
Label to be externalized
element_name
Name of the label namespace for which labels should be externalized
sb
String buffer to be filled with a text representation of the label
Produce an external representation of the label on a vnode suitable for inclusion in an audit record. An externalized label consists of a text representation of the label contents that will be added to the audit record as part of a text token. Policy-agnostic user space tools will display this externalized version.
Return 0 on success, or non-zero if an error occurs while externalizing the label data.
mpo_vnode_label_externalize_t |
Externalize a vnode label
typedef int mpo_vnode_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );
label
Label to be externalized
element_name
Name of the label namespace for which labels should be externalized
sb
String buffer to be filled with a text representation of the label
Produce an external representation of the label on a vnode. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.
Return 0 on success, or non-zero if an error occurs while externalizing the label data.
mpo_vnode_label_init_t |
Initialize vnode label
typedef void mpo_vnode_label_init_t( struct label *label );
label
New label to initialize
Initialize label storage for use with a newly instantiated vnode, or for temporary storage associated with the copying in or out of a vnode label. While it is necessary to allocate space for a kernel-resident vnode label, it is not yet necessary to link this vnode with persistent label storage facilities, such as extended attributes. Sleeping is permitted.
mpo_vnode_label_internalize_t |
Internalize a vnode label
typedef int mpo_vnode_label_internalize_t( struct label *label, char *element_name, char *element_data );
label
Label to be internalized
element_name
Name of the label namespace for which the label should be internalized
element_data
Text data to be internalized
Produce a vnode label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward the text version to the kernel for processing by individual policy modules.
The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.
Return 0 on success, or non-zero if an error occurs while internalizing the label data.
mpo_vnode_label_recycle_t |
Clean up a vnode label
typedef void mpo_vnode_label_recycle_t( struct label *label );
label
The label to be cleaned for re-use
Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but typically never frees them. Before vnodes are placed back on free lists for re-use, policies can cleanup or overwrite any information present in the label.
mpo_vnode_label_store_t |
Write a label to an extended attribute
typedef int mpo_vnode_label_store_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, struct label *intlabel );
cred
Subject credential
vp
The vnode for which the label is being stored
vlabel
Label associated with vp
intlabel
The new label to store
Store a new label in the extended attribute corresponding to the supplied vnode. The policy has already authorized the operation; this call must be implemented in order to perform the actual operation.
In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.
WARNING:
XXX After examining the extended attribute implementation on Apple's future release, this entry point may be changed.
mpo_vnode_label_update_extattr_t |
Update vnode label from extended attributes
When an extended attribute is updated via the vendor attribute management functions, the MAC vnode label might also require an update. Policies should first determine if 'name' matches their xattr label name. If it does, the kernel has either replaced or removed the extended attribute that was previously associated with the label. Normally labels should only be modified via MAC Framework label management calls, but sometimes user space components will directly modify extended attributes. For example, 'cp', 'tar', etc. manage extended attributes in userspace, not the kernel. This entry point is called after the label update has occurred, so it cannot return a failure. However, the operation is preceded by the mpo_vnode_check_setextattr() access control check. If the vnode label needs to be updated the policy should return a non-zero value. The vnode label will be marked for re-association by the framework.
typedef int mpo_vnode_label_update_extattr_t( struct mount *mp, struct label *mntlabel, struct vnode *vp, struct label *vlabel, const char *name );
mp
File system mount point
mntlabel
Mount point label
vp
Vnode to label
vlabel
Label associated with vp
name
Name of the xattr
mpo_vnode_label_update_t |
Update a vnode label
typedef void mpo_vnode_label_update_t( kauth_cred_t cred, struct vnode *vp, struct label *vnodelabel, struct label *label );
cred
Subject credential
vp
The vnode to relabel
vnodelabel
Existing vnode label
label
New label to replace existing label
mpo_vnode_notify_create_t |
Create a new vnode, backed by extended attributes
typedef int mpo_vnode_notify_create_t( kauth_cred_t cred, struct mount *mp, struct label *mntlabel, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *vlabel, struct componentname *cnp );
cred
User credential for the creating process
mp
File system mount point
mntlabel
File system mount point label
dvp
Parent directory vnode
dlabel
Parent directory vnode label
vp
Newly created vnode
vlabel
Label to associate with the new vnode
cnp
Component name for vp
Write out the label for the newly created vnode, most likely storing the results in a file system extended attribute. Most policies will derive the new vnode label using information from a combination of the subject (user) credential, the file system label, the parent directory label, and potentially the path name component.
If the operation succeeds, store the new label in vlabel and return 0. Otherwise, return an appropriate errno value.
mac_policy_conf |
Mac policy configuration
/* XXX - reorder these for better alignment on 64bit platforms */
struct mac_policy_conf {
    const char *mpc_name;               /** policy name */
    const char *mpc_fullname;           /** full name */
    const char **mpc_labelnames;        /** managed label namespaces */
    unsigned int mpc_labelname_count;   /** number of managed label namespaces */
    struct mac_policy_ops *mpc_ops;     /** operation vector */
    int mpc_loadtime_flags;             /** load time flags */
    int *mpc_field_off;                 /** label slot */
    int mpc_runtime_flags;              /** run time flags */
    mpc_t mpc_list;                     /** List reference */
    void *mpc_data;                     /** module data */
};
This structure specifies the configuration information for a MAC policy module. A policy module developer must supply a short unique policy name, a more descriptive full name, a list of label namespaces and count, a pointer to the registered entry point operations, any load time flags, and optionally, a pointer to a label slot identifier.
The Framework will update the runtime flags (mpc_runtime_flags) to indicate that the module has been registered.
If the label slot identifier (mpc_field_off) is NULL, the Framework will not provide label storage for the policy. Otherwise, the Framework will store the label location (slot) in this field.
The mpc_list field is used by the Framework and should not be modified by policies.
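The setextattr/deleteextattr checks, the mpo_vnode_label_update_extattr notification and the mac_policy_conf record described above, as an added example that is not Apple's code and not part of mac_policy.h: a hypothetical policy that keeps its label in a constructed xattr name and fills only the three ops slots it uses. The kernel types, the ops vector and the MPC_LOADTIME_FLAG_UNLOADOK value are user-space stand-ins (the real ones come from the header) so the decision logic compiles and runs outside the kernel.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed user-space stand-ins for the kernel types the entry points take;
 * a real module includes <security/mac_policy.h> instead. */
struct label { void *slot; }; struct vnode { const char *name; }; struct mount { const char *fstype; };
struct uio { const char *data; size_t len; }; struct kauth_cred_stub { int uid; int has_label_privilege; };
typedef struct kauth_cred_stub *kauth_cred_t;

/* Hypothetical policy: its label lives in one xattr and it manages one namespace. */
#define EXAMPLE_XATTR_NAME "com.example.maclabel"
static const char *example_labelnames[] = { "example" };

typedef int mpo_vnode_check_setextattr_t(kauth_cred_t, struct vnode *, struct label *,
                                         const char *, struct uio *);
typedef int mpo_vnode_check_deleteextattr_t(kauth_cred_t, struct vnode *, struct label *,
                                            const char *);
typedef int mpo_vnode_label_update_extattr_t(struct mount *, struct label *, struct vnode *,
                                             struct label *, const char *);
struct mac_policy_ops {                 /* only the slots this example fills */
    mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr;
    mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr;
    mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr;
};

#define MPC_LOADTIME_FLAG_UNLOADOK 0x1  /* placeholder value; the real one is in mac_policy.h */
typedef struct mac_policy_conf *mpc_t;
struct mac_policy_conf {                /* same fields as the header's struct */
    const char *mpc_name;             const char *mpc_fullname;
    const char **mpc_labelnames;      unsigned int mpc_labelname_count;
    struct mac_policy_ops *mpc_ops;   int mpc_loadtime_flags;
    int *mpc_field_off;               int mpc_runtime_flags;
    mpc_t mpc_list;                   void *mpc_data;
};

/* mpo_vnode_check_setextattr: unrelated xattrs pass; only root or a subject with
 * the policy's relabel privilege may write the label xattr. Only name and cred
 * are consulted: uio data can change before the write, and uio is NULL on delete. */
static int example_vnode_check_setextattr(kauth_cred_t cred, struct vnode *vp,
        struct label *label, const char *name, struct uio *uio)
{
    (void)vp; (void)label; (void)uio;
    if (strcmp(name, EXAMPLE_XATTR_NAME) != 0)
        return 0;                       /* not our attribute: no opinion */
    if (cred->uid == 0 || cred->has_label_privilege)
        return 0;
    return EPERM;                       /* lack of privilege */
}

/* mpo_vnode_check_deleteextattr: removing the label xattr is a relabel too. */
static int example_vnode_check_deleteextattr(kauth_cred_t cred, struct vnode *vp,
        struct label *vlabel, const char *name)
{
    return example_vnode_check_setextattr(cred, vp, vlabel, name, NULL);
}

/* mpo_vnode_label_update_extattr: runs after a user-space tool (cp, tar, ...)
 * has replaced or removed an xattr, so it cannot veto; it reports whether the
 * xattr was our label so the framework marks vlabel for re-association. */
static int example_vnode_label_update_extattr(struct mount *mp, struct label *mntlabel,
        struct vnode *vp, struct label *vlabel, const char *name)
{
    (void)mp; (void)mntlabel; (void)vp; (void)vlabel;
    return strcmp(name, EXAMPLE_XATTR_NAME) == 0;
}

static struct mac_policy_ops example_ops = {
    .mpo_vnode_check_setextattr     = example_vnode_check_setextattr,
    .mpo_vnode_check_deleteextattr  = example_vnode_check_deleteextattr,
    .mpo_vnode_label_update_extattr = example_vnode_label_update_extattr,
};
static int example_slot;                /* the framework stores the label slot here */

struct mac_policy_conf example_conf = {
    .mpc_name            = "example",
    .mpc_fullname        = "Example xattr-backed label policy",
    .mpc_labelnames      = example_labelnames,
    .mpc_labelname_count = 1,
    .mpc_ops             = &example_ops,
    .mpc_loadtime_flags  = MPC_LOADTIME_FLAG_UNLOADOK,
    .mpc_field_off       = &example_slot, /* NULL would mean: no label storage wanted */
};

/* Drive the two-phase sequence the framework follows for a user-space xattr
 * write or delete through the ops vector. Returns -errno when the check denies,
 * otherwise 1 if the vnode label must be re-associated, 0 if unrelated. */
int example_xattr_write(kauth_cred_t cred, const char *name, int is_delete)
{
    struct vnode vp = { "file" };   struct label vlabel = { NULL };
    struct mount mp = { "hfs" };    struct uio uio = { "new data", 8 };
    struct mac_policy_ops *ops = example_conf.mpc_ops;
    int err = is_delete ? ops->mpo_vnode_check_deleteextattr(cred, &vp, &vlabel, name)
                        : ops->mpo_vnode_check_setextattr(cred, &vp, &vlabel, name, &uio);
    if (err != 0)
        return -err;
    return ops->mpo_vnode_label_update_extattr(&mp, &vlabel, &vp, &vlabel, name);
}
```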
mac_policy_ops |
struct mac_policy_ops {
    mpo_audit_check_postselect_t *mpo_audit_check_postselect;
    mpo_audit_check_preselect_t *mpo_audit_check_preselect;
    mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
    mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
    mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init;
    mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive;
    mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
    mpo_cred_check_label_update_t *mpo_cred_check_label_update;
    mpo_cred_check_visible_t *mpo_cred_check_visible;
    mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork;
    mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel;
    mpo_cred_label_associate_t *mpo_cred_label_associate;
    mpo_cred_label_associate_user_t *mpo_cred_label_associate_user;
    mpo_cred_label_destroy_t *mpo_cred_label_destroy;
    mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit;
    mpo_cred_label_externalize_t *mpo_cred_label_externalize;
    mpo_cred_label_init_t *mpo_cred_label_init;
    mpo_cred_label_internalize_t *mpo_cred_label_internalize;
    mpo_cred_label_update_execve_t *mpo_cred_label_update_execve;
    mpo_cred_label_update_t *mpo_cred_label_update;
    mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device;
    mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory;
    mpo_devfs_label_copy_t *mpo_devfs_label_copy;
    mpo_devfs_label_destroy_t *mpo_devfs_label_destroy;
    mpo_devfs_label_init_t *mpo_devfs_label_init;
    mpo_devfs_label_update_t *mpo_devfs_label_update;
    mpo_file_check_change_offset_t *mpo_file_check_change_offset;
    mpo_file_check_create_t *mpo_file_check_create;
    mpo_file_check_dup_t *mpo_file_check_dup;
    mpo_file_check_fcntl_t *mpo_file_check_fcntl;
    mpo_file_check_get_offset_t *mpo_file_check_get_offset;
    mpo_file_check_get_t *mpo_file_check_get;
    mpo_file_check_inherit_t *mpo_file_check_inherit;
    mpo_file_check_ioctl_t *mpo_file_check_ioctl;
    mpo_file_check_lock_t *mpo_file_check_lock;
    mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade;
    mpo_file_check_mmap_t *mpo_file_check_mmap;
    mpo_file_check_receive_t *mpo_file_check_receive;
    mpo_file_check_set_t *mpo_file_check_set;
    mpo_file_label_init_t *mpo_file_label_init;
    mpo_file_label_destroy_t *mpo_file_label_destroy;
    mpo_file_label_associate_t *mpo_file_label_associate;
    mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update;
    mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit;
    mpo_ifnet_label_associate_t *mpo_ifnet_label_associate;
    mpo_ifnet_label_copy_t *mpo_ifnet_label_copy;
    mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy;
    mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize;
    mpo_ifnet_label_init_t *mpo_ifnet_label_init;
    mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize;
    mpo_ifnet_label_update_t *mpo_ifnet_label_update;
    mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle;
    mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver;
    mpo_inpcb_label_associate_t *mpo_inpcb_label_associate;
    mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy;
    mpo_inpcb_label_init_t *mpo_inpcb_label_init;
    mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle;
    mpo_inpcb_label_update_t *mpo_inpcb_label_update;
    mpo_iokit_check_device_t *mpo_iokit_check_device;
    mpo_ipq_label_associate_t *mpo_ipq_label_associate;
    mpo_ipq_label_compare_t *mpo_ipq_label_compare;
    mpo_ipq_label_destroy_t *mpo_ipq_label_destroy;
    mpo_ipq_label_init_t *mpo_ipq_label_init;
    mpo_ipq_label_update_t *mpo_ipq_label_update;
    mpo_lctx_check_label_update_t *mpo_lctx_check_label_update;
    mpo_lctx_label_destroy_t *mpo_lctx_label_destroy;
    mpo_lctx_label_externalize_t *mpo_lctx_label_externalize;
    mpo_lctx_label_init_t *mpo_lctx_label_init;
    mpo_lctx_label_internalize_t *mpo_lctx_label_internalize;
    mpo_lctx_label_update_t *mpo_lctx_label_update;
    mpo_lctx_notify_create_t *mpo_lctx_notify_create;
    mpo_lctx_notify_join_t *mpo_lctx_notify_join;
    mpo_lctx_notify_leave_t *mpo_lctx_notify_leave;
    mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
    mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
    mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
    mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq;
    mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
    mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap;
    mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
    mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
    mpo_mbuf_label_copy_t *mpo_mbuf_label_copy;
    mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy;
    mpo_mbuf_label_init_t *mpo_mbuf_label_init;
    mpo_mount_check_fsctl_t *mpo_mount_check_fsctl;
    mpo_mount_check_getattr_t *mpo_mount_check_getattr;
    mpo_mount_check_label_update_t *mpo_mount_check_label_update;
    mpo_mount_check_mount_t *mpo_mount_check_mount;
    mpo_mount_check_remount_t *mpo_mount_check_remount;
    mpo_mount_check_setattr_t *mpo_mount_check_setattr;
    mpo_mount_check_stat_t *mpo_mount_check_stat;
    mpo_mount_check_umount_t *mpo_mount_check_umount;
    mpo_mount_label_associate_t *mpo_mount_label_associate;
    mpo_mount_label_destroy_t *mpo_mount_label_destroy;
    mpo_mount_label_externalize_t *mpo_mount_label_externalize;
    mpo_mount_label_init_t *mpo_mount_label_init;
    mpo_mount_label_internalize_t *mpo_mount_label_internalize;
    mpo_netinet_fragment_t *mpo_netinet_fragment;
    mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply;
    mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply;
    mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
    mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
    mpo_pipe_check_label_update_t *mpo_pipe_check_label_update;
    mpo_pipe_check_read_t *mpo_pipe_check_read;
    mpo_pipe_check_select_t *mpo_pipe_check_select;
    mpo_pipe_check_stat_t *mpo_pipe_check_stat;
    mpo_pipe_check_write_t *mpo_pipe_check_write;
    mpo_pipe_label_associate_t *mpo_pipe_label_associate;
    mpo_pipe_label_copy_t *mpo_pipe_label_copy;
    mpo_pipe_label_destroy_t *mpo_pipe_label_destroy;
    mpo_pipe_label_externalize_t *mpo_pipe_label_externalize;
    mpo_pipe_label_init_t *mpo_pipe_label_init;
    mpo_pipe_label_internalize_t *mpo_pipe_label_internalize;
    mpo_pipe_label_update_t *mpo_pipe_label_update;
    mpo_policy_destroy_t *mpo_policy_destroy;
    mpo_policy_init_t *mpo_policy_init;
    mpo_policy_initbsd_t *mpo_policy_initbsd;
    mpo_policy_syscall_t *mpo_policy_syscall;
    mpo_port_check_copy_send_t *mpo_port_check_copy_send;
    mpo_port_check_hold_receive_t *mpo_port_check_hold_receive;
    mpo_port_check_hold_send_once_t *mpo_port_check_hold_send_once;
    mpo_port_check_hold_send_t *mpo_port_check_hold_send;
    mpo_port_check_label_update_t *mpo_port_check_label_update;
    mpo_port_check_make_send_once_t *mpo_port_check_make_send_once;
    mpo_port_check_make_send_t *mpo_port_check_make_send;
    mpo_port_check_method_t *mpo_port_check_method;
    mpo_port_check_move_receive_t *mpo_port_check_move_receive;
    mpo_port_check_move_send_once_t *mpo_port_check_move_send_once;
    mpo_port_check_move_send_t *mpo_port_check_move_send;
    mpo_port_check_receive_t *mpo_port_check_receive;
    mpo_port_check_send_t *mpo_port_check_send;
    mpo_port_check_service_t *mpo_port_check_service;
    mpo_port_label_associate_kernel_t *mpo_port_label_associate_kernel;
    mpo_port_label_associate_t *mpo_port_label_associate;
    mpo_port_label_compute_t *mpo_port_label_compute;
    mpo_port_label_copy_t *mpo_port_label_copy;
    mpo_port_label_destroy_t *mpo_port_label_destroy;
    mpo_port_label_init_t *mpo_port_label_init;
    mpo_port_label_update_cred_t *mpo_port_label_update_cred;
    mpo_port_label_update_kobject_t *mpo_port_label_update_kobject;
    mpo_posixsem_check_create_t *mpo_posixsem_check_create;
    mpo_posixsem_check_open_t *mpo_posixsem_check_open;
    mpo_posixsem_check_post_t *mpo_posixsem_check_post;
    mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink;
    mpo_posixsem_check_wait_t *mpo_posixsem_check_wait;
    mpo_posixsem_label_associate_t *mpo_posixsem_label_associate;
    mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy;
    mpo_posixsem_label_init_t *mpo_posixsem_label_init;
    mpo_posixshm_check_create_t *mpo_posixshm_check_create;
    mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap;
    mpo_posixshm_check_open_t *mpo_posixshm_check_open;
    mpo_posixshm_check_stat_t *mpo_posixshm_check_stat;
    mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate;
    mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink;
    mpo_posixshm_label_associate_t *mpo_posixshm_label_associate;
    mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy;
    mpo_posixshm_label_init_t *mpo_posixshm_label_init;
    mpo_proc_check_debug_t *mpo_proc_check_debug;
    mpo_proc_check_fork_t *mpo_proc_check_fork;
    mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name;
    mpo_proc_check_get_task_t *mpo_proc_check_get_task;
    mpo_proc_check_getaudit_t *mpo_proc_check_getaudit;
    mpo_proc_check_getauid_t *mpo_proc_check_getauid;
    mpo_proc_check_getlcid_t *mpo_proc_check_getlcid;
    mpo_proc_check_mprotect_t *mpo_proc_check_mprotect;
    mpo_proc_check_sched_t *mpo_proc_check_sched;
    mpo_proc_check_setaudit_t *mpo_proc_check_setaudit;
    mpo_proc_check_setauid_t *mpo_proc_check_setauid;
    mpo_proc_check_setlcid_t *mpo_proc_check_setlcid;
    mpo_proc_check_signal_t *mpo_proc_check_signal;
    mpo_proc_check_wait_t *mpo_proc_check_wait;
    mpo_proc_label_destroy_t *mpo_proc_label_destroy;
    mpo_proc_label_init_t *mpo_proc_label_init;
    mpo_socket_check_accept_t *mpo_socket_check_accept;
    mpo_socket_check_accepted_t *mpo_socket_check_accepted;
    mpo_socket_check_bind_t *mpo_socket_check_bind;
    mpo_socket_check_connect_t *mpo_socket_check_connect;
    mpo_socket_check_create_t *mpo_socket_check_create;
    mpo_socket_check_deliver_t *mpo_socket_check_deliver;
    mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter;
    mpo_socket_check_label_update_t *mpo_socket_check_label_update;
    mpo_socket_check_listen_t *mpo_socket_check_listen;
    mpo_socket_check_receive_t *mpo_socket_check_receive;
    mpo_socket_check_received_t *mpo_socket_check_received;
    mpo_socket_check_select_t *mpo_socket_check_select;
    mpo_socket_check_send_t *mpo_socket_check_send;
    mpo_socket_check_stat_t *mpo_socket_check_stat;
    mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt;
    mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt;
    mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept;
    mpo_socket_label_associate_t *mpo_socket_label_associate;
    mpo_socket_label_copy_t *mpo_socket_label_copy;
    mpo_socket_label_destroy_t *mpo_socket_label_destroy;
    mpo_socket_label_externalize_t *mpo_socket_label_externalize;
    mpo_socket_label_init_t *mpo_socket_label_init;
    mpo_socket_label_internalize_t *mpo_socket_label_internalize;
    mpo_socket_label_update_t *mpo_socket_label_update;
    mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf;
    mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket;
    mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy;
    mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize;
    mpo_socketpeer_label_init_t *mpo_socketpeer_label_init;
    mpo_system_check_acct_t *mpo_system_check_acct;
    mpo_system_check_audit_t *mpo_system_check_audit;
    mpo_system_check_auditctl_t *mpo_system_check_auditctl;
    mpo_system_check_auditon_t *mpo_system_check_auditon;
    mpo_system_check_host_priv_t *mpo_system_check_host_priv;
    mpo_system_check_nfsd_t *mpo_system_check_nfsd;
    mpo_system_check_reboot_t *mpo_system_check_reboot;
    mpo_system_check_settime_t *mpo_system_check_settime;
    mpo_system_check_swapoff_t *mpo_system_check_swapoff;
    mpo_system_check_swapon_t *mpo_system_check_swapon;
    mpo_system_check_sysctl_t *mpo_system_check_sysctl;
    mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate;
    mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy;
    mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init;
    mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle;
    mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue;
    mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv;
    mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid;
    mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl;
    mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget;
    mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv;
    mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd;
    mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate;
    mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy;
    mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init;
    mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle;
    mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl;
    mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget;
    mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop;
    mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate;
    mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy;
    mpo_sysvsem_label_init_t *mpo_sysvsem_label_init;
    mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle;
    mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat;
    mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl;
    mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt;
    mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget;
    mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate;
    mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy;
    mpo_sysvshm_label_init_t *mpo_sysvshm_label_init;
    mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle;
    mpo_task_label_associate_kernel_t *mpo_task_label_associate_kernel;
    mpo_task_label_associate_t *mpo_task_label_associate;
    mpo_task_label_copy_t *mpo_task_label_copy;
    mpo_task_label_destroy_t *mpo_task_label_destroy;
    mpo_task_label_externalize_t *mpo_task_label_externalize;
    mpo_task_label_init_t *mpo_task_label_init;
    mpo_task_label_internalize_t *mpo_task_label_internalize;
    mpo_task_label_update_t *mpo_task_label_update;
    mpo_thread_userret_t *mpo_thread_userret;
    mpo_vnode_check_access_t *mpo_vnode_check_access;
    mpo_vnode_check_chdir_t *mpo_vnode_check_chdir;
    mpo_vnode_check_chroot_t *mpo_vnode_check_chroot;
    mpo_vnode_check_create_t *mpo_vnode_check_create;
    mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr;
    mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata;
    mpo_vnode_check_exec_t *mpo_vnode_check_exec;
    mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist;
    mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr;
    mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl;
    mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter;
    mpo_vnode_check_label_update_t *mpo_vnode_check_label_update;
    mpo_vnode_check_link_t *mpo_vnode_check_link;
    mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr;
    mpo_vnode_check_lookup_t *mpo_vnode_check_lookup;
    mpo_vnode_check_open_t *mpo_vnode_check_open;
    mpo_vnode_check_read_t *mpo_vnode_check_read;
    mpo_vnode_check_readdir_t *mpo_vnode_check_readdir;
    mpo_vnode_check_readlink_t *mpo_vnode_check_readlink;
    mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from;
    mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to;
    mpo_vnode_check_revoke_t *mpo_vnode_check_revoke;
    mpo_vnode_check_select_t *mpo_vnode_check_select;
    mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist;
    mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr;
    mpo_vnode_check_setflags_t *mpo_vnode_check_setflags;
    mpo_vnode_check_setmode_t *mpo_vnode_check_setmode;
    mpo_vnode_check_setowner_t *mpo_vnode_check_setowner;
    mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes;
    mpo_vnode_check_stat_t *mpo_vnode_check_stat;
    mpo_vnode_check_truncate_t *mpo_vnode_check_truncate;
    mpo_vnode_check_unlink_t *mpo_vnode_check_unlink;
    mpo_vnode_check_write_t *mpo_vnode_check_write;
    mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs;
    mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr;
    mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file;
    mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe;
    mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem;
    mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm;
    mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel;
    mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket;
    mpo_vnode_label_copy_t *mpo_vnode_label_copy;
    mpo_vnode_label_destroy_t *mpo_vnode_label_destroy;
    mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit;
    mpo_vnode_label_externalize_t *mpo_vnode_label_externalize;
    mpo_vnode_label_init_t *mpo_vnode_label_init;
    mpo_vnode_label_internalize_t *mpo_vnode_label_internalize;
    mpo_vnode_label_recycle_t *mpo_vnode_label_recycle;
    mpo_vnode_label_store_t *mpo_vnode_label_store;
    mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr;
    mpo_vnode_label_update_t *mpo_vnode_label_update;
    mpo_vnode_notify_create_t *mpo_vnode_notify_create;
    mpo_reserved_hook_t *mpo_reserved0;
    mpo_reserved_hook_t *mpo_reserved1;
    mpo_reserved_hook_t *mpo_reserved2;
    mpo_reserved_hook_t *mpo_reserved3;
    mpo_reserved_hook_t *mpo_reserved4;
    mpo_reserved_hook_t *mpo_reserved5;
    mpo_reserved_hook_t *mpo_reserved6;
    mpo_reserved_hook_t *mpo_reserved7;
    mpo_reserved_hook_t *mpo_reserved8;
    mpo_reserved_hook_t *mpo_reserved9;
};
_KAUTH_CRED_T |
#define _KAUTH_CRED_T
MAC_NOWAIT |
Allocation operations may not block
#define MAC_NOWAIT 1
Rather than blocking, the allocator may return an error if memory is not immediately available. This type of allocation will not sleep, preserving locking semantics.
MAC_WAITOK |
Allocation operations may block
#define MAC_WAITOK 0
If memory is not immediately available, the allocation routine will block (typically sleeping) until memory is available.
WARNING: Inappropriate use of this flag may cause kernel panics.
MPC_LOADTIME_BASE_POLICY |
Flag to indicate a base policy
#define MPC_LOADTIME_BASE_POLICY 0x00000008
This flag indicates that the policy module is a base policy. Only one module may declare itself the base policy; if more than one does, the boot process is halted.
MPC_LOADTIME_FLAG_LABELMBUFS |
Unsupported
#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
This flag is not yet supported.
MPC_LOADTIME_FLAG_NOTLATE |
Flag to indicate registration preference
#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
This flag indicates that the policy module must be loaded and initialized early in the boot process. If the flag is specified, attempts to register the module following boot will be rejected. The flag may be used by policies that require pervasive labeling of all system objects, and cannot handle objects that have not been properly initialized by the policy.
MPC_LOADTIME_FLAG_UNLOADOK |
Flag to indicate unload preference
#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
This flag indicates that the policy module may be unloaded. If this flag is not set, then the policy framework will reject requests to unload the module. This flag might be used by modules that allocate label state and are unable to free that state at runtime, or for modules that simply do not want to permit unload operations.
MPC_RUNTIME_FLAG_REGISTERED |
Policy registration flag
#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
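The load-time flags above constrain when a policy may register and whether it may later unload, and the run-time flag records the outcome. The following user-space model is added here and is not code from the header or from the kernel's own registration path; it encodes only the rules the descriptions above state (a second base policy halts boot, a NOTLATE policy is refused once the boot-time window has closed, a policy without UNLOADOK cannot be unloaded). The registry and descriptor structs and the errno return codes are this model's own choices.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Flag values exactly as mac_policy.h defines them. */
#define MPC_LOADTIME_FLAG_NOTLATE    0x00000001
#define MPC_LOADTIME_FLAG_UNLOADOK   0x00000002
#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
#define MPC_LOADTIME_BASE_POLICY     0x00000008
#define MPC_RUNTIME_FLAG_REGISTERED  0x00000001

/* Constructed stand-in for the framework's global state (not XNU's). */
struct policy_registry {
    bool late;       /* boot-time registration window has closed */
    bool have_base;  /* a base policy is already registered */
    bool halted;     /* models "the boot process will be halted" */
};

/* Constructed stand-in for a policy descriptor: only the two flag words this page documents. */
struct policy_desc {
    uint32_t loadtime_flags;   /* MPC_LOADTIME_* */
    uint32_t runtime_flags;    /* MPC_RUNTIME_* */
};

/* Returns 0 on success or a positive errno value (codes chosen for this model). */
int model_policy_register(struct policy_registry *reg, struct policy_desc *p)
{
    if (p->runtime_flags & MPC_RUNTIME_FLAG_REGISTERED)
        return EBUSY;   /* registering twice is an error */
    if (reg->late && (p->loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE))
        return EPERM;   /* NOTLATE: registration after boot is rejected */
    if (p->loadtime_flags & MPC_LOADTIME_BASE_POLICY) {
        if (reg->have_base) {
            reg->halted = true;   /* second base policy: boot halts */
            return EEXIST;
        }
        reg->have_base = true;
    }
    p->runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
    return 0;
}

/* Unload is refused unless the policy opted in with UNLOADOK. */
int model_policy_unregister(struct policy_registry *reg, struct policy_desc *p)
{
    if (!(p->runtime_flags & MPC_RUNTIME_FLAG_REGISTERED))
        return ENOENT;
    if (!(p->loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK))
        return EBUSY;   /* label state may not be freeable at runtime */
    if (p->loadtime_flags & MPC_LOADTIME_BASE_POLICY)
        reg->have_base = false;
    p->runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
    return 0;
}
```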
Last Updated: 2008-12-19