Mac Dev Center Right arrow

Mac OS X Reference Library Right arrow

Drivers, Kernel, & Hardware: Kernel Device Drivers Right arrow

Kernel Framework Reference

mac_policy.h

Includes:

Overview

Kernel Interfaces for MAC policy modules

Discussion

This header defines the list of operations that are defined by the TrustedBSD MAC Framwork on Darwin. MAC Policy modules register with the framework to declare interest in a specific set of operations. If interest in an entry point is not declared, then the policy will be ignored when the Framework evaluates that entry point.

Groups

Flags for the mpc_loadtime_flags field

Group members:

MPC_LOADTIME_BASE_POLICY: Flag to indicate a base policy
MPC_LOADTIME_FLAG_LABELMBUFS: Unsupported
MPC_LOADTIME_FLAG_NOTLATE: Flag to indicate registration preference
MPC_LOADTIME_FLAG_UNLOADOK: Flag to indicate unload preference
MPC_RUNTIME_FLAG_REGISTERED: Policy registration flag

Flags for MAC allocator interfaces

These flags are passed to the Darwin kernel allocator routines to indicate whether the allocation is permitted to block or not. Caution should be taken; some operations are not permitted to sleep, and some types of locks cannot be held when sleeping.

Group members:

MAC_NOWAIT: Allocation operations may not block
MAC_WAITOK: Allocation operations may block

Entry Points for Label Management

These are the entry points corresponding to the life cycle events for kernel objects, such as initialization, creation, and destruction.

Most policies (that use labels) will initialize labels by allocating space for policy-specific data. In most cases, it is permitted to sleep during label initialization operations; it will be noted when it is not permitted.

Initialization usually will not require doing more than allocating a generic label for the given object. What follows initialization is creation, where a label is made specific to the object it is associated with. Destruction occurs when the label is no longer needed, such as when the corresponding object is destroyed. All necessary cleanup should be performed in label destroy operations.

Where possible, the label entry points have identical parameters. If the policy module does not require structure-specific label information, the same function may be registered in the policy operation vector. Many policies will implement two such generic allocation calls: one to handle sleepable requests, and one to handle potentially non-sleepable requests.

Group members:

mac_policy_conf: Mac policy configuration
mac_policy_handle_t: MAC policy handle type
mac_policy_ops
mac_policy_register: MAC policy module registration routine
mac_policy_unregister: MAC policy module de-registration routine
mac_proc_check_run_cs_invalid_t: Privilege check for a process to run invalid
mpo_audit_check_postselect_t: Audit event postselection
mpo_audit_check_preselect_t: Audit event preselection
mpo_bpfdesc_check_receive_t: Check whether BPF can read from a network interface
mpo_bpfdesc_label_associate_t: Associate a BPF descriptor with a label
mpo_bpfdesc_label_destroy_t: Destroy BPF descriptor label
mpo_bpfdesc_label_init_t: Initialize BPF descriptor label
mpo_cred_check_label_update_execve_t: Indicate desire to change the process label at exec time
mpo_cred_check_label_update_t: Access control check for relabelling processes
mpo_cred_check_visible_t: Access control check for visibility of other subjects
mpo_cred_label_associate_fork_t: Associate a credential with a new process at fork
mpo_cred_label_associate_kernel_t: Create the first process
mpo_cred_label_associate_t: Create a credential label
mpo_cred_label_associate_user_t: Create the first process
mpo_cred_label_destroy_t: Destroy credential label
mpo_cred_label_externalize_audit_t: Externalize a user credential label for auditing
mpo_cred_label_externalize_t: Externalize a user credential label
mpo_cred_label_init_t: Initialize user credential label
mpo_cred_label_internalize_t: Internalize a user credential label
mpo_cred_label_update_execve_t: Update credential at exec time
mpo_cred_label_update_t: Update a credential label
mpo_devfs_label_associate_device_t: Create a new devfs device
mpo_devfs_label_associate_directory_t: Create a new devfs directory
mpo_devfs_label_copy_t: Copy a devfs label
mpo_devfs_label_destroy_t: Destroy devfs label
mpo_devfs_label_init_t: Initialize devfs label
mpo_devfs_label_update_t: Update a devfs label after relabelling its vnode
mpo_file_check_change_offset_t: Access control for changing the offset of a file descriptor
mpo_file_check_create_t: Access control for creating a file descriptor
mpo_file_check_dup_t: Access control for duplicating a file descriptor
mpo_file_check_fcntl_t: Access control check for fcntl
mpo_file_check_get_offset_t: Access control for getting the offset of a file descriptor
mpo_file_check_get_t: Access control check for mac_get_fd
mpo_file_check_inherit_t: Access control for inheriting a file descriptor
mpo_file_check_ioctl_t: Access control check for file ioctl
mpo_file_check_lock_t: Access control check for file locking
mpo_file_check_mmap_downgrade_t: Downgrade the mmap protections
mpo_file_check_mmap_t: Access control check for mapping a file
mpo_file_check_receive_t: Access control for receiving a file descriptor
mpo_file_check_set_t: Access control check for mac_set_fd
mpo_file_label_associate_t: Create file label
mpo_file_label_destroy_t: Destroy file label
mpo_file_label_init_t: Initialize file label
mpo_ifnet_check_label_update_t: Access control check for relabeling network interfaces
mpo_ifnet_check_transmit_t: Access control check for relabeling network interfaces
mpo_ifnet_label_associate_t: Create a network interface label
mpo_ifnet_label_copy_t: Copy an ifnet label
mpo_ifnet_label_destroy_t: Destroy ifnet label
mpo_ifnet_label_externalize_t: Externalize an ifnet label
mpo_ifnet_label_init_t: Initialize ifnet label
mpo_ifnet_label_internalize_t: Internalize an interface label
mpo_ifnet_label_recycle_t: Recycle up a network interface label
mpo_ifnet_label_update_t: Update a network interface label
mpo_inpcb_check_deliver_t: Access control check for delivering a packet to a socket
mpo_inpcb_label_associate_t: Create an inpcb label
mpo_inpcb_label_destroy_t: Destroy inpcb label
mpo_inpcb_label_init_t: Initialize inpcb label
mpo_inpcb_label_recycle_t: Recycle up an inpcb label
mpo_inpcb_label_update_t: Update an inpcb label from a socket label
mpo_iokit_check_device_t: Device hardware access control
mpo_ipq_label_associate_t: Create an IP reassembly queue label
mpo_ipq_label_compare_t: Compare an mbuf header label to an ipq label
mpo_ipq_label_destroy_t: Destroy IP reassembly queue label
mpo_ipq_label_init_t: Initialize IP reassembly queue label
mpo_ipq_label_update_t: Update the label on an IP fragment reassembly queue
mpo_lctx_check_label_update_t: Access control check for relabelling Login Context
mpo_lctx_label_destroy_t: Destroy Login Context label
mpo_lctx_label_externalize_t: Externalize a Login Context label
mpo_lctx_label_init_t: Initialize Login Context label
mpo_lctx_label_internalize_t: Internalize a Login Context label
mpo_lctx_label_update_t: Update a Login Context label
mpo_lctx_notify_create_t: A process has created a login context
mpo_lctx_notify_join_t: A process has joined a login context
mpo_lctx_notify_leave_t: A process has left a login context
mpo_mbuf_label_associate_bpfdesc_t: Assign a label to a new mbuf
mpo_mbuf_label_associate_ifnet_t: Assign a label to a new mbuf
mpo_mbuf_label_associate_inpcb_t: Assign a label to a new mbuf
mpo_mbuf_label_associate_ipq_t: Set the label on a newly reassembled IP datagram
mpo_mbuf_label_associate_linklayer_t: Assign a label to a new mbuf
mpo_mbuf_label_associate_multicast_encap_t: Assign a label to a new mbuf
mpo_mbuf_label_associate_netlayer_t: Assign a label to a new mbuf
mpo_mbuf_label_associate_socket_t: Assign a label to a new mbuf
mpo_mbuf_label_copy_t: Copy a mbuf label
mpo_mbuf_label_destroy_t: Destroy mbuf label
mpo_mbuf_label_init_t: Initialize mbuf label
mpo_mount_check_fsctl_t: Access control check for fsctl
mpo_mount_check_getattr_t: Access control check for the retrieval of file system attributes
mpo_mount_check_label_update_t: Access control check for mount point relabeling
mpo_mount_check_mount_t: Access control check for mounting a file system
mpo_mount_check_remount_t: Access control check remounting a filesystem
mpo_mount_check_setattr_t: Access control check for the settting of file system attributes
mpo_mount_check_stat_t: Access control check for file system statistics
mpo_mount_check_umount_t: Access control check for unmounting a filesystem
mpo_mount_label_associate_t: Create mount labels
mpo_mount_label_destroy_t: Destroy mount label
mpo_mount_label_externalize_t: Externalize a mount point label
mpo_mount_label_init_t: Initialize mount point label
mpo_mount_label_internalize_t: Internalize a mount point label
mpo_netinet_fragment_t: Set the label on an IPv4 datagram fragment
mpo_netinet_icmp_reply_t: Set the label on an ICMP reply
mpo_netinet_tcp_reply_t: Set the label on a TCP reply
mpo_pipe_check_ioctl_t: Access control check for pipe ioctl
mpo_pipe_check_kqfilter_t: Access control check for pipe kqfilter
mpo_pipe_check_label_update_t: Access control check for pipe relabel
mpo_pipe_check_read_t: Access control check for pipe read
mpo_pipe_check_select_t: Access control check for pipe select
mpo_pipe_check_stat_t: Access control check for pipe stat
mpo_pipe_check_write_t: Access control check for pipe write
mpo_pipe_label_associate_t: Create a pipe label
mpo_pipe_label_copy_t: Copy a pipe label
mpo_pipe_label_destroy_t: Destroy pipe label
mpo_pipe_label_externalize_t: Externalize a pipe label
mpo_pipe_label_init_t: Initialize pipe label
mpo_pipe_label_internalize_t: Internalize a pipe label
mpo_pipe_label_update_t: Update a pipe label
mpo_policy_destroy_t: Policy unload event
mpo_policy_init_t: Policy initialization event
mpo_policy_initbsd_t: Policy BSD initialization event
mpo_policy_syscall_t: Policy extension service
mpo_port_check_copy_send_t: Access control check for copying a send right to another task
mpo_port_check_hold_receive_t: Access control check for obtaining a receive right
mpo_port_check_hold_send_once_t: Access control check for obtaining a send once right
mpo_port_check_hold_send_t: Access control check for obtaining a send right
mpo_port_check_label_update_t: Access control check for relabelling ports
mpo_port_check_make_send_once_t: Access control check for producing a send once right from a receive right
mpo_port_check_make_send_t: Access control check for producing a send right from a receive right
mpo_port_check_method_t: Compute access control check for a Mach message-based service
mpo_port_check_move_receive_t: Access control check for transferring a receive right
mpo_port_check_move_send_once_t: Access control check for transferring a send once right
mpo_port_check_move_send_t: Access control check for transferring a send right
mpo_port_check_receive_t: Access control check for receiving Mach messsages
mpo_port_check_send_t: Access control check for sending Mach messsages
mpo_port_check_service_t: Generic access control check
mpo_port_label_associate_kernel_t: Assign a label to a new Mach port created by the kernel
mpo_port_label_associate_t: Assign a label to a new Mach port
mpo_port_label_compute_t: Request label for new (userspace) object
mpo_port_label_copy_t: Copy a Mach port label
mpo_port_label_destroy_t: Destroy Mach port label
mpo_port_label_init_t: Initialize Mach port label
mpo_port_label_update_cred_t: Update a Mach task port label
mpo_port_label_update_kobject_t: Assign a label to a Mach port connected to a kernel object
mpo_posixsem_check_create_t: Access control check for POSIX semaphore create
mpo_posixsem_check_open_t: Access control check for POSIX semaphore open
mpo_posixsem_check_post_t: Access control check for POSIX semaphore post
mpo_posixsem_check_unlink_t: Access control check for POSIX semaphore unlink
mpo_posixsem_check_wait_t: Access control check for POSIX semaphore wait
mpo_posixsem_label_associate_t: Create a POSIX semaphore label
mpo_posixsem_label_destroy_t: Destroy POSIX semaphore label
mpo_posixsem_label_init_t: Initialize POSIX semaphore label
mpo_posixshm_check_create_t: Access control check for POSIX shared memory region create
mpo_posixshm_check_mmap_t: Access control check for mapping POSIX shared memory
mpo_posixshm_check_open_t: Access control check for POSIX shared memory region open
mpo_posixshm_check_stat_t: Access control check for POSIX shared memory stat
mpo_posixshm_check_truncate_t: Access control check for POSIX shared memory truncate
mpo_posixshm_check_unlink_t: Access control check for POSIX shared memory unlink
mpo_posixshm_label_associate_t: Create a POSIX shared memory region label
mpo_posixshm_label_destroy_t: Destroy POSIX shared memory label
mpo_posixshm_label_init_t: Initialize POSIX Shared Memory region label
mpo_proc_check_debug_t: Access control check for debugging process
mpo_proc_check_fork_t: Access control over fork
mpo_proc_check_get_task_name_t: Access control check for getting a process's task name
mpo_proc_check_get_task_t: Access control check for getting a process's task port
mpo_proc_check_getaudit_t: Access control check for retrieving audit information
mpo_proc_check_getauid_t: Access control check for retrieving audit user ID
mpo_proc_check_getlcid_t: Access control check for retrieving Login Context ID
mpo_proc_check_mprotect_t: Access control check for setting memory protections
mpo_proc_check_sched_t: Access control check for changing scheduling parameters
mpo_proc_check_setaudit_t: Access control check for setting audit information
mpo_proc_check_setauid_t: Access control check for setting audit user ID
mpo_proc_check_setlcid_t: Access control check for setting the Login Context
mpo_proc_check_signal_t: Access control check for delivering signal
mpo_proc_check_wait_t: Access control check for wait
mpo_proc_label_destroy_t: Destroy process label
mpo_proc_label_init_t: Initialize process label
mpo_socket_check_accept_t: Access control check for socket accept
mpo_socket_check_accepted_t: Access control check for a pending socket accept
mpo_socket_check_bind_t: Access control check for socket bind
mpo_socket_check_connect_t: Access control check for socket connect
mpo_socket_check_create_t: Access control check for socket() system call.
mpo_socket_check_deliver_t: Access control check for delivering data to a user's receieve queue
mpo_socket_check_getsockopt_t: Access control check for getting socket options
mpo_socket_check_kqfilter_t: Access control check for socket kqfilter
mpo_socket_check_label_update_t: Access control check for socket relabel
mpo_socket_check_listen_t: Access control check for socket listen
mpo_socket_check_receive_t: Access control check for socket receive
mpo_socket_check_received_t: Access control check for socket receive
mpo_socket_check_select_t: Access control check for socket select
mpo_socket_check_send_t: Access control check for socket send
mpo_socket_check_setsockopt_t: Access control check for setting socket options
mpo_socket_check_stat_t: Access control check for retrieving socket status
mpo_socket_label_associate_accept_t: Label a socket
mpo_socket_label_associate_t: Assign a label to a new socket
mpo_socket_label_copy_t: Copy a socket label
mpo_socket_label_destroy_t: Destroy socket label
mpo_socket_label_externalize_t: Externalize a socket label
mpo_socket_label_init_t: Initialize socket label
mpo_socket_label_internalize_t: Internalize a socket label
mpo_socket_label_update_t: Relabel socket
mpo_socketpeer_label_associate_mbuf_t: Set the peer label on a socket from mbuf
mpo_socketpeer_label_associate_socket_t: Set the peer label on a socket from socket
mpo_socketpeer_label_destroy_t: Destroy socket peer label
mpo_socketpeer_label_externalize_t: Externalize a socket peer label
mpo_socketpeer_label_init_t: Initialize socket peer label
mpo_system_check_acct_t: Access control check for enabling accounting
mpo_system_check_audit_t: Access control check for audit
mpo_system_check_auditctl_t: Access control check for controlling audit
mpo_system_check_auditon_t: Access control check for manipulating auditing
mpo_system_check_host_priv_t: Access control check for obtaining the host control port
mpo_system_check_nfsd_t: Access control check for calling NFS services
mpo_system_check_reboot_t: Access control check for reboot
mpo_system_check_settime_t: Access control check for setting system clock
mpo_system_check_swapoff_t: Access control check for removing swap devices
mpo_system_check_swapon_t: Access control check for adding swap devices
mpo_system_check_sysctl_t: Access control check for sysctl
mpo_sysvmsg_label_associate_t: Create a System V message label
mpo_sysvmsg_label_destroy_t: Destroy System V message label
mpo_sysvmsg_label_init_t: Initialize System V message label
mpo_sysvmsg_label_recycle_t: Clean up a System V message label
mpo_sysvmsq_check_enqueue_t: Access control check for System V message enqueuing
mpo_sysvmsq_check_msgrcv_t: Access control check for System V message reception
mpo_sysvmsq_check_msgrmid_t: Access control check for System V message queue removal
mpo_sysvmsq_check_msqctl_t: Access control check for msgctl()
mpo_sysvmsq_check_msqget_t: Access control check to get a System V message queue
mpo_sysvmsq_check_msqrcv_t: Access control check to receive a System V message from the given queue
mpo_sysvmsq_check_msqsnd_t: Access control check to send a System V message to the given queue
mpo_sysvmsq_label_associate_t: Create a System V message queue label
mpo_sysvmsq_label_destroy_t: Destroy System V message queue label
mpo_sysvmsq_label_init_t: Initialize System V message queue label
mpo_sysvmsq_label_recycle_t: Clean up a System V message queue label
mpo_sysvsem_check_semctl_t: Access control check for System V semaphore control operation
mpo_sysvsem_check_semget_t: Access control check for obtaining a System V semaphore
mpo_sysvsem_check_semop_t: Access control check for System V semaphore operations
mpo_sysvsem_label_associate_t: Create a System V semaphore label
mpo_sysvsem_label_destroy_t: Destroy System V semaphore label
mpo_sysvsem_label_init_t: Initialize System V semaphore label
mpo_sysvsem_label_recycle_t: Clean up a System V semaphore label
mpo_sysvshm_check_shmat_t: Access control check for mapping System V shared memory
mpo_sysvshm_check_shmctl_t: Access control check for System V shared memory control operation
mpo_sysvshm_check_shmdt_t: Access control check for unmapping System V shared memory
mpo_sysvshm_check_shmget_t: Access control check obtaining System V shared memory identifier
mpo_sysvshm_label_associate_t: Create a System V shared memory region label
mpo_sysvshm_label_destroy_t: Destroy System V shared memory label
mpo_sysvshm_label_init_t: Initialize System V Shared Memory region label
mpo_sysvshm_label_recycle_t: Clean up a System V Share Memory Region label
mpo_task_label_associate_kernel_t: Assign a label to a new kernelspace Mach task
mpo_task_label_associate_t: Assign a label to a new (userspace) Mach task
mpo_task_label_copy_t: Copy a Mach task label
mpo_task_label_destroy_t: Destroy Mach task label
mpo_task_label_externalize_t: Externalize a task label
mpo_task_label_init_t: Initialize Mach task label
mpo_task_label_internalize_t: Internalize a task label
mpo_task_label_update_t: Update a Mach task label
mpo_thread_userret_t: Perform MAC-related events when a thread returns to user space
mpo_vnode_check_access_t: Check vnode access
mpo_vnode_check_chdir_t: Access control check for changing working directory
mpo_vnode_check_chroot_t: Access control check for changing root directory
mpo_vnode_check_create_t: Access control check for creating vnode
mpo_vnode_check_deleteextattr_t: Access control check for deleting extended attribute
mpo_vnode_check_exchangedata_t: Access control check for exchanging file data
mpo_vnode_check_exec_t: Access control check for executing the vnode
mpo_vnode_check_getattrlist_t: Access control check for retrieving file attributes
mpo_vnode_check_getextattr_t: Access control check for retrieving an extended attribute
mpo_vnode_check_ioctl_t: Access control check for ioctl
mpo_vnode_check_kqfilter_t: Access control check for vnode kqfilter
mpo_vnode_check_label_update_t: Access control check for relabel
mpo_vnode_check_link_t: Access control check for creating link
mpo_vnode_check_listextattr_t: Access control check for listing extended attributes
mpo_vnode_check_lookup_t: Access control check for lookup
mpo_vnode_check_open_t: Access control check for open
mpo_vnode_check_read_t: Access control check for read
mpo_vnode_check_readdir_t: Access control check for read directory
mpo_vnode_check_readlink_t: Access control check for read link
mpo_vnode_check_rename_from_t: Access control check for rename from
mpo_vnode_check_rename_to_t: Access control check for rename to
mpo_vnode_check_revoke_t: Access control check for revoke
mpo_vnode_check_select_t: Access control check for select
mpo_vnode_check_setattrlist_t: Access control check for setting file attributes
mpo_vnode_check_setextattr_t: Access control check for setting extended attribute
mpo_vnode_check_setflags_t: Access control check for setting flags
mpo_vnode_check_setmode_t: Access control check for setting mode
mpo_vnode_check_setowner_t: Access control check for setting uid and gid
mpo_vnode_check_setutimes_t: Access control check for setting timestamps
mpo_vnode_check_signature_t: Access control check after determining the code directory hash
mpo_vnode_check_stat_t: Access control check for stat
mpo_vnode_check_truncate_t: Access control check for truncate/ftruncate
mpo_vnode_check_uipc_bind_t: Access control check for binding UNIX domain socket
mpo_vnode_check_uipc_connect_t: Access control check for connecting UNIX domain socket
mpo_vnode_check_unlink_t: Access control check for deleting vnode
mpo_vnode_check_write_t: Access control check for write
mpo_vnode_label_associate_devfs_t: Associate a vnode with a devfs entry
mpo_vnode_label_associate_extattr_t: Associate a label with a vnode
mpo_vnode_label_associate_file_t: Associate a file label with a vnode
mpo_vnode_label_associate_pipe_t: Associate a pipe label with a vnode
mpo_vnode_label_associate_posixsem_t: Associate a POSIX semaphore label with a vnode
mpo_vnode_label_associate_posixshm_t: Associate a POSIX shared memory label with a vnode
mpo_vnode_label_associate_singlelabel_t: Associate a label with a vnode
mpo_vnode_label_associate_socket_t: Associate a socket label with a vnode
mpo_vnode_label_copy_t: Copy a vnode label
mpo_vnode_label_destroy_t: Destroy vnode label
mpo_vnode_label_externalize_audit_t: Externalize a vnode label for auditing
mpo_vnode_label_externalize_t: Externalize a vnode label
mpo_vnode_label_init_t: Initialize vnode label
mpo_vnode_label_internalize_t: Internalize a vnode label
mpo_vnode_label_recycle_t: Clean up a vnode label
mpo_vnode_label_store_t: Write a label to a extended attribute
mpo_vnode_label_update_extattr_t: Update vnode label from extended attributes
mpo_vnode_label_update_t: Update a vnode label
mpo_vnode_notify_create_t: Create a new vnode, backed by extended attributes

Functions

mac_policy_register: MAC policy module registration routine
mac_policy_unregister: MAC policy module de-registration routine

mac_policy_register

MAC policy module registration routine

int mac_policy_register(
    struct mac_policy_conf *mpc, 
    mac_policy_handle_t *handlep,
    void *xd);

Discussion

This function is called to register a policy with the MAC framework. A policy module will typically call this from the Darwin KEXT registration routine.

mac_policy_unregister

MAC policy module de-registration routine

int mac_policy_unregister(
    mac_policy_handle_t handle);

Discussion

This function is called to de-register a policy with theD MAC framework. A policy module will typically call this from the Darwin KEXT de-registration routine.

Typedefs

dummy
kauth_cred_t
mac_policy_handle_t: MAC policy handle type
mac_proc_check_run_cs_invalid_t: Privilege check for a process to run invalid
mpo_audit_check_postselect_t: Audit event postselection
mpo_audit_check_preselect_t: Audit event preselection
mpo_bpfdesc_check_receive_t: Check whether BPF can read from a network interface
mpo_bpfdesc_label_associate_t: Associate a BPF descriptor with a label
mpo_bpfdesc_label_destroy_t: Destroy BPF descriptor label
mpo_bpfdesc_label_init_t: Initialize BPF descriptor label
mpo_cred_check_label_update_execve_t: Indicate desire to change the process label at exec time
mpo_cred_check_label_update_t: Access control check for relabelling processes
mpo_cred_check_visible_t: Access control check for visibility of other subjects
mpo_cred_label_associate_fork_t: Associate a credential with a new process at fork
mpo_cred_label_associate_kernel_t: Create the first process
mpo_cred_label_associate_t: Create a credential label
mpo_cred_label_associate_user_t: Create the first process
mpo_cred_label_destroy_t: Destroy credential label
mpo_cred_label_externalize_audit_t: Externalize a user credential label for auditing
mpo_cred_label_externalize_t: Externalize a user credential label
mpo_cred_label_init_t: Initialize user credential label
mpo_cred_label_internalize_t: Internalize a user credential label
mpo_cred_label_update_execve_t: Update credential at exec time
mpo_cred_label_update_t: Update a credential label
mpo_devfs_label_associate_device_t: Create a new devfs device
mpo_devfs_label_associate_directory_t: Create a new devfs directory
mpo_devfs_label_copy_t: Copy a devfs label
mpo_devfs_label_destroy_t: Destroy devfs label
mpo_devfs_label_init_t: Initialize devfs label
mpo_devfs_label_update_t: Update a devfs label after relabelling its vnode
mpo_file_check_change_offset_t: Access control for changing the offset of a file descriptor
mpo_file_check_create_t: Access control for creating a file descriptor
mpo_file_check_dup_t: Access control for duplicating a file descriptor
mpo_file_check_fcntl_t: Access control check for fcntl
mpo_file_check_get_offset_t: Access control for getting the offset of a file descriptor
mpo_file_check_get_t: Access control check for mac_get_fd
mpo_file_check_inherit_t: Access control for inheriting a file descriptor
mpo_file_check_ioctl_t: Access control check for file ioctl
mpo_file_check_lock_t: Access control check for file locking
mpo_file_check_mmap_downgrade_t: Downgrade the mmap protections
mpo_file_check_mmap_t: Access control check for mapping a file
mpo_file_check_receive_t: Access control for receiving a file descriptor
mpo_file_check_set_t: Access control check for mac_set_fd
mpo_file_label_associate_t: Create file label
mpo_file_label_destroy_t: Destroy file label
mpo_file_label_init_t: Initialize file label
mpo_ifnet_check_label_update_t: Access control check for relabeling network interfaces
mpo_ifnet_check_transmit_t: Access control check for relabeling network interfaces
mpo_ifnet_label_associate_t: Create a network interface label
mpo_ifnet_label_copy_t: Copy an ifnet label
mpo_ifnet_label_destroy_t: Destroy ifnet label
mpo_ifnet_label_externalize_t: Externalize an ifnet label
mpo_ifnet_label_init_t: Initialize ifnet label
mpo_ifnet_label_internalize_t: Internalize an interface label
mpo_ifnet_label_recycle_t: Recycle up a network interface label
mpo_ifnet_label_update_t: Update a network interface label
mpo_inpcb_check_deliver_t: Access control check for delivering a packet to a socket
mpo_inpcb_label_associate_t: Create an inpcb label
mpo_inpcb_label_destroy_t: Destroy inpcb label
mpo_inpcb_label_init_t: Initialize inpcb label
mpo_inpcb_label_recycle_t: Recycle up an inpcb label
mpo_inpcb_label_update_t: Update an inpcb label from a socket label
mpo_iokit_check_device_t: Device hardware access control
mpo_ipq_label_associate_t: Create an IP reassembly queue label
mpo_ipq_label_compare_t: Compare an mbuf header label to an ipq label
mpo_ipq_label_destroy_t: Destroy IP reassembly queue label
mpo_ipq_label_init_t: Initialize IP reassembly queue label
mpo_ipq_label_update_t: Update the label on an IP fragment reassembly queue
mpo_lctx_check_label_update_t: Access control check for relabelling Login Context
mpo_lctx_label_destroy_t: Destroy Login Context label
mpo_lctx_label_externalize_t: Externalize a Login Context label
mpo_lctx_label_init_t: Initialize Login Context label
mpo_lctx_label_internalize_t: Internalize a Login Context label
mpo_lctx_label_update_t: Update a Login Context label
mpo_lctx_notify_create_t: A process has created a login context
mpo_lctx_notify_join_t: A process has joined a login context
mpo_lctx_notify_leave_t: A process has left a login context
mpo_mbuf_label_associate_bpfdesc_t: Assign a label to a new mbuf
mpo_mbuf_label_associate_ifnet_t: Assign a label to a new mbuf
mpo_mbuf_label_associate_inpcb_t: Assign a label to a new mbuf
mpo_mbuf_label_associate_ipq_t: Set the label on a newly reassembled IP datagram
mpo_mbuf_label_associate_linklayer_t: Assign a label to a new mbuf
mpo_mbuf_label_associate_multicast_encap_t: Assign a label to a new mbuf
mpo_mbuf_label_associate_netlayer_t: Assign a label to a new mbuf
mpo_mbuf_label_associate_socket_t: Assign a label to a new mbuf
mpo_mbuf_label_copy_t: Copy a mbuf label
mpo_mbuf_label_destroy_t: Destroy mbuf label
mpo_mbuf_label_init_t: Initialize mbuf label
mpo_mount_check_fsctl_t: Access control check for fsctl
mpo_mount_check_getattr_t: Access control check for the retrieval of file system attributes
mpo_mount_check_label_update_t: Access control check for mount point relabeling
mpo_mount_check_mount_t: Access control check for mounting a file system
mpo_mount_check_remount_t: Access control check remounting a filesystem
mpo_mount_check_setattr_t: Access control check for the settting of file system attributes
mpo_mount_check_stat_t: Access control check for file system statistics
mpo_mount_check_umount_t: Access control check for unmounting a filesystem
mpo_mount_label_associate_t: Create mount labels
mpo_mount_label_destroy_t: Destroy mount label
mpo_mount_label_externalize_t: Externalize a mount point label
mpo_mount_label_init_t: Initialize mount point label
mpo_mount_label_internalize_t: Internalize a mount point label
mpo_netinet_fragment_t: Set the label on an IPv4 datagram fragment
mpo_netinet_icmp_reply_t: Set the label on an ICMP reply
mpo_netinet_tcp_reply_t: Set the label on a TCP reply
mpo_pipe_check_ioctl_t: Access control check for pipe ioctl
mpo_pipe_check_kqfilter_t: Access control check for pipe kqfilter
mpo_pipe_check_label_update_t: Access control check for pipe relabel
mpo_pipe_check_read_t: Access control check for pipe read
mpo_pipe_check_select_t: Access control check for pipe select
mpo_pipe_check_stat_t: Access control check for pipe stat
mpo_pipe_check_write_t: Access control check for pipe write
mpo_pipe_label_associate_t: Create a pipe label
mpo_pipe_label_copy_t: Copy a pipe label
mpo_pipe_label_destroy_t: Destroy pipe label
mpo_pipe_label_externalize_t: Externalize a pipe label
mpo_pipe_label_init_t: Initialize pipe label
mpo_pipe_label_internalize_t: Internalize a pipe label
mpo_pipe_label_update_t: Update a pipe label
mpo_policy_destroy_t: Policy unload event
mpo_policy_init_t: Policy initialization event
mpo_policy_initbsd_t: Policy BSD initialization event
mpo_policy_syscall_t: Policy extension service
mpo_port_check_copy_send_t: Access control check for copying a send right to another task
mpo_port_check_hold_receive_t: Access control check for obtaining a receive right
mpo_port_check_hold_send_once_t: Access control check for obtaining a send once right
mpo_port_check_hold_send_t: Access control check for obtaining a send right
mpo_port_check_label_update_t: Access control check for relabelling ports
mpo_port_check_make_send_once_t: Access control check for producing a send once right from a receive right
mpo_port_check_make_send_t: Access control check for producing a send right from a receive right
mpo_port_check_method_t: Compute access control check for a Mach message-based service
mpo_port_check_move_receive_t: Access control check for transferring a receive right
mpo_port_check_move_send_once_t: Access control check for transferring a send once right
mpo_port_check_move_send_t: Access control check for transferring a send right
mpo_port_check_receive_t: Access control check for receiving Mach messsages
mpo_port_check_send_t: Access control check for sending Mach messsages
mpo_port_check_service_t: Generic access control check
mpo_port_label_associate_kernel_t: Assign a label to a new Mach port created by the kernel
mpo_port_label_associate_t: Assign a label to a new Mach port
mpo_port_label_compute_t: Request label for new (userspace) object
mpo_port_label_copy_t: Copy a Mach port label
mpo_port_label_destroy_t: Destroy Mach port label
mpo_port_label_init_t: Initialize Mach port label
mpo_port_label_update_cred_t: Update a Mach task port label
mpo_port_label_update_kobject_t: Assign a label to a Mach port connected to a kernel object
mpo_posixsem_check_create_t: Access control check for POSIX semaphore create
mpo_posixsem_check_open_t: Access control check for POSIX semaphore open
mpo_posixsem_check_post_t: Access control check for POSIX semaphore post
mpo_posixsem_check_unlink_t: Access control check for POSIX semaphore unlink
mpo_posixsem_check_wait_t: Access control check for POSIX semaphore wait
mpo_posixsem_label_associate_t: Create a POSIX semaphore label
mpo_posixsem_label_destroy_t: Destroy POSIX semaphore label
mpo_posixsem_label_init_t: Initialize POSIX semaphore label
mpo_posixshm_check_create_t: Access control check for POSIX shared memory region create
mpo_posixshm_check_mmap_t: Access control check for mapping POSIX shared memory
mpo_posixshm_check_open_t: Access control check for POSIX shared memory region open
mpo_posixshm_check_stat_t: Access control check for POSIX shared memory stat
mpo_posixshm_check_truncate_t: Access control check for POSIX shared memory truncate
mpo_posixshm_check_unlink_t: Access control check for POSIX shared memory unlink
mpo_posixshm_label_associate_t: Create a POSIX shared memory region label
mpo_posixshm_label_destroy_t: Destroy POSIX shared memory label
mpo_posixshm_label_init_t: Initialize POSIX Shared Memory region label
mpo_proc_check_debug_t: Access control check for debugging process
mpo_proc_check_fork_t: Access control over fork
mpo_proc_check_get_task_name_t: Access control check for getting a process's task name
mpo_proc_check_get_task_t: Access control check for getting a process's task port
mpo_proc_check_getaudit_t: Access control check for retrieving audit information
mpo_proc_check_getauid_t: Access control check for retrieving audit user ID
mpo_proc_check_getlcid_t: Access control check for retrieving Login Context ID
mpo_proc_check_mprotect_t: Access control check for setting memory protections
mpo_proc_check_sched_t: Access control check for changing scheduling parameters
mpo_proc_check_setaudit_t: Access control check for setting audit information
mpo_proc_check_setauid_t: Access control check for setting audit user ID
mpo_proc_check_setlcid_t: Access control check for setting the Login Context
mpo_proc_check_signal_t: Access control check for delivering signal
mpo_proc_check_wait_t: Access control check for wait
mpo_proc_label_destroy_t: Destroy process label
mpo_proc_label_init_t: Initialize process label
mpo_socket_check_accept_t: Access control check for socket accept
mpo_socket_check_accepted_t: Access control check for a pending socket accept
mpo_socket_check_bind_t: Access control check for socket bind
mpo_socket_check_connect_t: Access control check for socket connect
mpo_socket_check_create_t: Access control check for socket() system call.
mpo_socket_check_deliver_t: Access control check for delivering data to a user's receieve queue
mpo_socket_check_getsockopt_t: Access control check for getting socket options
mpo_socket_check_kqfilter_t: Access control check for socket kqfilter
mpo_socket_check_label_update_t: Access control check for socket relabel
mpo_socket_check_listen_t: Access control check for socket listen
mpo_socket_check_receive_t: Access control check for socket receive
mpo_socket_check_received_t: Access control check for socket receive
mpo_socket_check_select_t: Access control check for socket select
mpo_socket_check_send_t: Access control check for socket send
mpo_socket_check_setsockopt_t: Access control check for setting socket options
mpo_socket_check_stat_t: Access control check for retrieving socket status
mpo_socket_label_associate_accept_t: Label a socket
mpo_socket_label_associate_t: Assign a label to a new socket
mpo_socket_label_copy_t: Copy a socket label
mpo_socket_label_destroy_t: Destroy socket label
mpo_socket_label_externalize_t: Externalize a socket label
mpo_socket_label_init_t: Initialize socket label
mpo_socket_label_internalize_t: Internalize a socket label
mpo_socket_label_update_t: Relabel socket
mpo_socketpeer_label_associate_mbuf_t: Set the peer label on a socket from mbuf
mpo_socketpeer_label_associate_socket_t: Set the peer label on a socket from socket
mpo_socketpeer_label_destroy_t: Destroy socket peer label
mpo_socketpeer_label_externalize_t: Externalize a socket peer label
mpo_socketpeer_label_init_t: Initialize socket peer label
mpo_system_check_acct_t: Access control check for enabling accounting
mpo_system_check_audit_t: Access control check for audit
mpo_system_check_auditctl_t: Access control check for controlling audit
mpo_system_check_auditon_t: Access control check for manipulating auditing
mpo_system_check_host_priv_t: Access control check for obtaining the host control port
mpo_system_check_nfsd_t: Access control check for calling NFS services
mpo_system_check_reboot_t: Access control check for reboot
mpo_system_check_settime_t: Access control check for setting system clock
mpo_system_check_swapoff_t: Access control check for removing swap devices
mpo_system_check_swapon_t: Access control check for adding swap devices
mpo_system_check_sysctl_t: Access control check for sysctl
mpo_sysvmsg_label_associate_t: Create a System V message label
mpo_sysvmsg_label_destroy_t: Destroy System V message label
mpo_sysvmsg_label_init_t: Initialize System V message label
mpo_sysvmsg_label_recycle_t: Clean up a System V message label
mpo_sysvmsq_check_enqueue_t: Access control check for System V message enqueuing
mpo_sysvmsq_check_msgrcv_t: Access control check for System V message reception
mpo_sysvmsq_check_msgrmid_t: Access control check for System V message queue removal
mpo_sysvmsq_check_msqctl_t: Access control check for msgctl()
mpo_sysvmsq_check_msqget_t: Access control check to get a System V message queue
mpo_sysvmsq_check_msqrcv_t: Access control check to receive a System V message from the given queue
mpo_sysvmsq_check_msqsnd_t: Access control check to send a System V message to the given queue
mpo_sysvmsq_label_associate_t: Create a System V message queue label
mpo_sysvmsq_label_destroy_t: Destroy System V message queue label
mpo_sysvmsq_label_init_t: Initialize System V message queue label
mpo_sysvmsq_label_recycle_t: Clean up a System V message queue label
mpo_sysvsem_check_semctl_t: Access control check for System V semaphore control operation
mpo_sysvsem_check_semget_t: Access control check for obtaining a System V semaphore
mpo_sysvsem_check_semop_t: Access control check for System V semaphore operations
mpo_sysvsem_label_associate_t: Create a System V semaphore label
mpo_sysvsem_label_destroy_t: Destroy System V semaphore label
mpo_sysvsem_label_init_t: Initialize System V semaphore label
mpo_sysvsem_label_recycle_t: Clean up a System V semaphore label
mpo_sysvshm_check_shmat_t: Access control check for mapping System V shared memory
mpo_sysvshm_check_shmctl_t: Access control check for System V shared memory control operation
mpo_sysvshm_check_shmdt_t: Access control check for unmapping System V shared memory
mpo_sysvshm_check_shmget_t: Access control check obtaining System V shared memory identifier
mpo_sysvshm_label_associate_t: Create a System V shared memory region label
mpo_sysvshm_label_destroy_t: Destroy System V shared memory label
mpo_sysvshm_label_init_t: Initialize System V Shared Memory region label
mpo_sysvshm_label_recycle_t: Clean up a System V Share Memory Region label
mpo_task_label_associate_kernel_t: Assign a label to a new kernelspace Mach task
mpo_task_label_associate_t: Assign a label to a new (userspace) Mach task
mpo_task_label_copy_t: Copy a Mach task label
mpo_task_label_destroy_t: Destroy Mach task label
mpo_task_label_externalize_t: Externalize a task label
mpo_task_label_init_t: Initialize Mach task label
mpo_task_label_internalize_t: Internalize a task label
mpo_task_label_update_t: Update a Mach task label
mpo_thread_userret_t: Perform MAC-related events when a thread returns to user space
mpo_vnode_check_access_t: Check vnode access
mpo_vnode_check_chdir_t: Access control check for changing working directory
mpo_vnode_check_chroot_t: Access control check for changing root directory
mpo_vnode_check_create_t: Access control check for creating vnode
mpo_vnode_check_deleteextattr_t: Access control check for deleting extended attribute
mpo_vnode_check_exchangedata_t: Access control check for exchanging file data
mpo_vnode_check_exec_t: Access control check for executing the vnode
mpo_vnode_check_getattrlist_t: Access control check for retrieving file attributes
mpo_vnode_check_getextattr_t: Access control check for retrieving an extended attribute
mpo_vnode_check_ioctl_t: Access control check for ioctl
mpo_vnode_check_kqfilter_t: Access control check for vnode kqfilter
mpo_vnode_check_label_update_t: Access control check for relabel
mpo_vnode_check_link_t: Access control check for creating link
mpo_vnode_check_listextattr_t: Access control check for listing extended attributes
mpo_vnode_check_lookup_t: Access control check for lookup
mpo_vnode_check_open_t: Access control check for open
mpo_vnode_check_read_t: Access control check for read
mpo_vnode_check_readdir_t: Access control check for read directory
mpo_vnode_check_readlink_t: Access control check for read link
mpo_vnode_check_rename_from_t: Access control check for rename from
mpo_vnode_check_rename_to_t: Access control check for rename to
mpo_vnode_check_revoke_t: Access control check for revoke
mpo_vnode_check_select_t: Access control check for select
mpo_vnode_check_setattrlist_t: Access control check for setting file attributes
mpo_vnode_check_setextattr_t: Access control check for setting extended attribute
mpo_vnode_check_setflags_t: Access control check for setting flags
mpo_vnode_check_setmode_t: Access control check for setting mode
mpo_vnode_check_setowner_t: Access control check for setting uid and gid
mpo_vnode_check_setutimes_t: Access control check for setting timestamps
mpo_vnode_check_signature_t: Access control check after determining the code directory hash
mpo_vnode_check_stat_t: Access control check for stat
mpo_vnode_check_truncate_t: Access control check for truncate/ftruncate
mpo_vnode_check_uipc_bind_t: Access control check for binding UNIX domain socket
mpo_vnode_check_uipc_connect_t: Access control check for connecting UNIX domain socket
mpo_vnode_check_unlink_t: Access control check for deleting vnode
mpo_vnode_check_write_t: Access control check for write
mpo_vnode_label_associate_devfs_t: Associate a vnode with a devfs entry
mpo_vnode_label_associate_extattr_t: Associate a label with a vnode
mpo_vnode_label_associate_file_t: Associate a file label with a vnode
mpo_vnode_label_associate_pipe_t: Associate a pipe label with a vnode
mpo_vnode_label_associate_posixsem_t: Associate a POSIX semaphore label with a vnode
mpo_vnode_label_associate_posixshm_t: Associate a POSIX shared memory label with a vnode
mpo_vnode_label_associate_singlelabel_t: Associate a label with a vnode
mpo_vnode_label_associate_socket_t: Associate a socket label with a vnode
mpo_vnode_label_copy_t: Copy a vnode label
mpo_vnode_label_destroy_t: Destroy vnode label
mpo_vnode_label_externalize_audit_t: Externalize a vnode label for auditing
mpo_vnode_label_externalize_t: Externalize a vnode label
mpo_vnode_label_init_t: Initialize vnode label
mpo_vnode_label_internalize_t: Internalize a vnode label
mpo_vnode_label_recycle_t: Clean up a vnode label
mpo_vnode_label_store_t: Write a label to a extended attribute
mpo_vnode_label_update_extattr_t: Update vnode label from extended attributes
mpo_vnode_label_update_t: Update a vnode label
mpo_vnode_notify_create_t: Create a new vnode, backed by extended attributes

dummy

See Also:

dummy
_KAUTH_CRED_T
kauth_cred_t

typedef struct ucred *kauth_cred_t;

kauth_cred_t

See Also:

dummy
_KAUTH_CRED_T
dummy

typedef struct ucred *kauth_cred_t;

mac_policy_handle_t

MAC policy handle type

typedef unsigned int mac_policy_handle_t;

Discussion

The MAC handle is used to uniquely identify a loaded policy within the MAC Framework.

A variable of this type is set by mac_policy_register().

mac_proc_check_run_cs_invalid_t

Privilege check for a process to run invalid

typedef int mac_proc_check_run_cs_invalid_t( 
    struct proc *p );

Parameters

proc: Object process

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the process may execute even though the system determined that it is untrusted (eg unidentified / modified code).

mpo_audit_check_postselect_t

Audit event postselection

typedef int mpo_audit_check_postselect_t( 
    kauth_cred_t cred, 
    unsigned short syscode, 
    void *args, 
    int error, 
    int retval );

Parameters

cred: Subject credential
syscode: Syscall number
args: Syscall arguments
error: Syscall errno
retval: Syscall return value

Return Value

Return MAC_AUDIT_NO to force suppression of the audit record. Any other value results in the audit record being committed.

Discussion

This is the MAC Framework audit postselect, which is called before exiting a syscall to determine if an audit event should be committed. A return value of MAC_AUDIT_NO forces the audit record to be suppressed. Any other return value results in the audit record being committed.

WARNING:

The suppression behavior will probably go away in Apple's future version of the audit implementation.

mpo_audit_check_preselect_t

Audit event preselection

typedef int mpo_audit_check_preselect_t( 
    kauth_cred_t cred, 
    unsigned short syscode, 
    void *args );

Parameters

cred: Subject credential
syscode: Syscall number
args: Syscall arguments

Return Value

Return MAC_AUDIT_YES to force auditing of the syscall, MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT to allow auditing mechanisms to determine if the syscall is audited.

Discussion

This is the MAC Framework audit preselect, which is called before a syscall is entered to determine if an audit event should be created. If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be returned. A return value of MAC_AUDIT_NO causes the audit record to be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants to defer to the system's existing preselection mechanism.

When policies return different preferences, the Framework decides what action to take based on the following policy. If any policy returns MAC_AUDIT_YES, then create an audit record, else if any policy returns MAC_AUDIT_NO, then suppress the creations of an audit record, else defer to the system's existing preselection mechanism.

WARNING:

The audit implementation in Apple's current version is incomplete, so the MAC policies have priority over the system's existing mechanisms. This will probably change in the future version where the audit implementation is more complete.

mpo_bpfdesc_check_receive_t

Check whether BPF can read from a network interface

typedef int mpo_bpfdesc_check_receive_t( 
    struct bpf_d *bpf_d, 
    struct label *bpflabel, 
    struct ifnet *ifp, 
    struct label *ifnetlabel );

Fields

bpf_d: Subject; the BPF descriptor
bpflabel: Policy label for bpf_d
ifp: Object; the network interface
ifnetlabel: Policy label for ifp

Discussion

Determine whether the MAC framework should permit datagrams from the passed network interface to be delivered to the buffers of the passed BPF descriptor. Return (0) for success, or an errno value for failure. Suggested failure: EACCES for label mismatches, EPERM for lack of privilege.

mpo_bpfdesc_label_associate_t

Associate a BPF descriptor with a label

typedef void mpo_bpfdesc_label_associate_t( 
    kauth_cred_t cred, 
    struct bpf_d *bpf_d, 
    struct label *bpflabel );

Fields

cred: User credential creating the BPF descriptor
bpf_d: The BPF descriptor
bpflabel: The new label

Discussion

Set the label on a newly created BPF descriptor from the passed subject credential. This call will be made when a BPF device node is opened by a process with the passed subject credential.

mpo_bpfdesc_label_destroy_t

Destroy BPF descriptor label

typedef void mpo_bpfdesc_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a BPF descriptor label. Since the BPF descriptor is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_bpfdesc_label_init_t

Initialize BPF descriptor label

typedef void mpo_bpfdesc_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize the label for a newly instantiated BPF descriptor. Sleeping is permitted.

mpo_cred_check_label_update_execve_t

Indicate desire to change the process label at exec time

See:

mac_execve
mpo_cred_label_update_execve_t
mpo_vnode_check_exec_t

typedef int mpo_cred_check_label_update_execve_t( 
    kauth_cred_t old, 
    struct vnode *vp, 
    struct label *vnodelabel, 
    struct label *scriptvnodelabel, 
    struct label *execlabel, 
    struct proc *proc );

Parameters

old: Existing subject credential
vp: File being executed
vnodelabel: Label corresponding to vp
scriptvnodelabel: Script vnode label
execlabel: Userspace provided execution label
proc: Object process

Return Value

Non-zero if a transition is required, 0 otherwise.

Discussion

Indicate whether this policy intends to update the label of a newly created credential from the existing subject credential (old). This call occurs when a process executes the passed vnode. If a policy returns success from this entry point, the mpo_cred_label_update_execve entry point will later be called with the same parameters. Access has already been checked via the mpo_vnode_check_exec entry point, this entry point is necessary to preserve kernel locking constraints during program execution.

The supplied vnode and vnodelabel correspond with the file actually being executed; in the case that the file is interpreted (for example, a script), the label of the original exec-time vnode has been preserved in scriptvnodelabel.

The final label, execlabel, corresponds to a label supplied by a user space application through the use of the mac_execve system call.

The vnode lock is held during this operation. No changes should be made to the old credential structure.

WARNING:

Even if a policy returns 0, it should behave correctly in the presence of an invocation of mpo_cred_label_update_execve, as that call may happen as a result of another policy requesting a transition.

mpo_cred_check_label_update_t

Access control check for relabelling processes

See:

mpo_cred_label_update_t
mac_set_proc

typedef int mpo_cred_check_label_update_t( 
    kauth_cred_t cred, 
    struct label *newlabel );

Parameters

cred: Subject credential
newlabel: New label to apply to the user credential

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can relabel itself to the supplied new label (newlabel). This access control check is called when the mac_set_proc system call is invoked. A user space application will supply a new value, the value will be internalized and provided in newlabel.

mpo_cred_check_visible_t

Access control check for visibility of other subjects

typedef int mpo_cred_check_visible_t( 
    kauth_cred_t u1, 
    kauth_cred_t u2 );

Parameters

u1: Subject credential
u2: Object credential

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to hide visibility.

Discussion

Determine whether the subject identified by the credential u1 can "see" other subjects with the passed subject credential u2. This call may be made in a number of situations, including inter-process status sysctls used by ps, and in procfs lookups.

mpo_cred_label_associate_fork_t

Associate a credential with a new process at fork

typedef void mpo_cred_label_associate_fork_t( 
    kauth_cred_t cred, 
    proc_t proc );

Fields

cred: credential to inherited by new process
proc: the new process

Discussion

Allow a process to associate the credential with a new process for reference countng purposes. NOTE: the credential can be dis-associated in ways other than exit - so this strategy is flawed - should just catch label destroy callback.

mpo_cred_label_associate_kernel_t

Create the first process

typedef void mpo_cred_label_associate_kernel_t( 
    kauth_cred_t cred );

Fields

cred: Subject credential to be labeled

Discussion

Create the subject credential of process 0, the parent of all BSD kernel processes. Policies should update the label in the previously initialized credential structure.

mpo_cred_label_associate_t

Create a credential label

typedef void mpo_cred_label_associate_t( 
    kauth_cred_t parent_cred, 
    kauth_cred_t child_cred );

Fields

parent_cred: Parent credential
child_cred: Child credential

Discussion

Set the label of a newly created credential, most likely using the information in the supplied parent credential.

WARNING:

This call is made when crcopy or crdup is invoked on a newly created struct ucred, and should not be confused with a process fork or creation event.

mpo_cred_label_associate_user_t

Create the first process

typedef void mpo_cred_label_associate_user_t( 
    kauth_cred_t cred );

Fields

cred: Subject credential to be labeled

Discussion

Create the subject credential of process 1, the parent of all BSD user processes. Policies should update the label in the previously initialized credential structure. This is the 'init' process.

mpo_cred_label_destroy_t

Destroy credential label

typedef void mpo_cred_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a user credential label. Since the user credential is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_cred_label_externalize_audit_t

Externalize a user credential label for auditing

typedef int mpo_cred_label_externalize_audit_t( 
    struct label *label, 
    char *element_name, 
    struct sbuf *sb );

Parameters

label: Label to be externalized
element_name: Name of the label namespace for which labels should be externalized
sb: String buffer to be filled with a text representation of the label

Return Value

0 on success, return non-zero if an error occurs while externalizing the label data.

Discussion

Produce an external representation of the label on a user credential for inclusion in an audit record. An externalized label consists of a text representation of the label contents that will be added to the audit record as part of a text token. Policy-agnostic user space tools will display this externalized version.

mpo_cred_label_externalize_t

Externalize a user credential label

typedef int mpo_cred_label_externalize_t( 
    struct label *label, 
    char *element_name, 
    struct sbuf *sb );

Parameters

label: Label to be externalized
element_name: Name of the label namespace for which labels should be externalized
sb: String buffer to be filled with a text representation of the label

Return Value

0 on success, return non-zero if an error occurs while externalizing the label data.

Discussion

Produce an external representation of the label on a user credential. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

mpo_cred_label_init_t

Initialize user credential label

typedef void mpo_cred_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize the label for a newly instantiated user credential. Sleeping is permitted.

mpo_cred_label_internalize_t

Internalize a user credential label

typedef int mpo_cred_label_internalize_t( 
    struct label *label, 
    char *element_name, 
    char *element_data );

Parameters

label: Label to be internalized
element_name: Name of the label namespace for which the label should be internalized
element_data: Text data to be internalized

Return Value

0 on success, Otherwise, return non-zero if an error occurs while internalizing the label data.

Discussion

Produce a user credential label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward text version to the kernel for processing by individual policy modules.

The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

mpo_cred_label_update_execve_t

Update credential at exec time

See:

mac_execve
mpo_cred_check_label_update_execve_t
mpo_vnode_check_exec_t

typedef void mpo_cred_label_update_execve_t( 
    kauth_cred_t old_cred, 
    kauth_cred_t new_cred, 
    struct vnode *vp, 
    struct label *vnodelabel, 
    struct label *scriptvnodelabel, 
    struct label *execlabel, 
    int *disjointp );

Fields

old_cred: Existing subject credential
new_cred: New subject credential to be labeled
vp: File being executed
vnodelabel: Label corresponding to vp
scriptvnodelabel: Script vnode label
execlabel: Userspace provided execution label

Discussion

Update the label of a newly created credential (new) from the existing subject credential (old). This call occurs when a process executes the passed vnode and one of the loaded policy modules has returned success from the mpo_cred_check_label_update_execve entry point. Access has already been checked via the mpo_vnode_check_exec entry point, this entry point is only used to update any policy state.

The final label, execlabel, corresponds to a label supplied by a user space application through the use of the mac_execve system call.

If non-NULL, the value pointed to by disjointp will be set to 0 to indicate that the old and new credentials are not disjoint, or 1 to indicate that they are.

The vnode lock is held during this operation. No changes should be made to the old credential structure.

mpo_cred_label_update_t

Update a credential label

See:

mpo_cred_check_label_update_t
mac_set_proc

typedef void mpo_cred_label_update_t( 
    kauth_cred_t cred, 
    struct label *newlabel );

Fields

cred: The existing credential
newlabel: A new label to apply to the credential

Discussion

Update the label on a user credential, using the supplied new label. This is called as a result of a process relabel operation. Access control was already confirmed by mpo_cred_check_label_update.

mpo_devfs_label_associate_device_t

Create a new devfs device

typedef void mpo_devfs_label_associate_device_t( 
    dev_t dev, 
    struct devnode *de, 
    struct label *label, 
    const char *fullpath );

Fields

dev: Major and minor numbers of special file
de: "inode" of new device file
label: Destination label
fullpath: Path relative to mount (e.g. /dev) of new device file

Discussion

This entry point labels a new devfs device. The label will likely be based on the path to the device, or the major and minor numbers. The policy should store an appropriate label into 'label'.

mpo_devfs_label_associate_directory_t

Create a new devfs directory

typedef void mpo_devfs_label_associate_directory_t( 
    const char *dirname, 
    int dirnamelen, 
    struct devnode *de, 
    struct label *label, 
    const char *fullpath );

Fields

dirname: Name of new directory
dirnamelen: Length of 'dirname'
de: "inode" of new directory
label: Destination label
fullpath: Path relative to mount (e.g. /dev) of new directory

Discussion

This entry point labels a new devfs directory. The label will likely be based on the path of the new directory. The policy should store an appropriate label into 'label'. The devfs root directory is labelled in this way.

mpo_devfs_label_copy_t

Copy a devfs label

typedef void mpo_devfs_label_copy_t( 
    struct label *src, 
    struct label *dest );

Fields

src: Source devfs label
dest: Destination devfs label

Discussion

Copy the label information from src to dest. The devfs file system often duplicates (splits) existing device nodes rather than creating new ones.

mpo_devfs_label_destroy_t

Destroy devfs label

typedef void mpo_devfs_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a devfs entry label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_devfs_label_init_t

Initialize devfs label

typedef void mpo_devfs_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize the label for a newly instantiated devfs entry. Sleeping is permitted.

mpo_devfs_label_update_t

Update a devfs label after relabelling its vnode

typedef void mpo_devfs_label_update_t( 
    struct mount *mp, 
    struct devnode *de, 
    struct label *delabel, 
    struct vnode *vp, 
    struct label *vnodelabel );

Fields

mp: Devfs mount point
de: Affected devfs directory entry
delabel: Label of devfs directory entry
vp: Vnode associated with de
vnodelabel: New label of vnode

Discussion

Update a devfs label when its vnode is manually relabelled, for example with setfmac(1). Typically, this will simply copy the vnode label into the devfs label.

mpo_file_check_change_offset_t

Access control for changing the offset of a file descriptor

typedef int mpo_file_check_change_offset_t( 
    kauth_cred_t cred, 
    struct fileglob *fg, 
    struct label *label );

Parameters

cred: Subject credential
fg: Fileglob structure
label: Policy label for fg

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can change the offset of the file represented by fg.

mpo_file_check_create_t

Access control for creating a file descriptor

typedef int mpo_file_check_create_t( 
    kauth_cred_t cred );

Parameters

cred: Subject credential

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can allocate a new file descriptor.

mpo_file_check_dup_t

Access control for duplicating a file descriptor

typedef int mpo_file_check_dup_t( 
    kauth_cred_t cred, 
    struct fileglob *fg, 
    struct label *label, 
    int newfd );

Parameters

cred: Subject credential
fg: Fileglob structure
label: Policy label for fg
newfd: New file descriptor number

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can duplicate the fileglob structure represented by fg and as file descriptor number newfd.

mpo_file_check_fcntl_t

Access control check for fcntl

typedef int mpo_file_check_fcntl_t( 
    kauth_cred_t cred, 
    struct fileglob *fg, 
    struct label *label, 
    int cmd, 
    user_long_t arg );

Parameters

cred: Subject credential
fg: Fileglob structure
label: Policy label for fg
cmd: Control operation to be performed; see fcntl(2)
arg: fcnt arguments; see fcntl(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the file control operation indicated by cmd.

mpo_file_check_get_offset_t

Access control for getting the offset of a file descriptor

typedef int mpo_file_check_get_offset_t( 
    kauth_cred_t cred, 
    struct fileglob *fg, 
    struct label *label );

Parameters

cred: Subject credential
fg: Fileglob structure
label: Policy label for fg

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can get the offset of the file represented by fg.

mpo_file_check_get_t

Access control check for mac_get_fd

typedef int mpo_file_check_get_t( 
    kauth_cred_t cred, 
    struct fileglob *fg, 
    char *elements, 
    int len );

Parameters

cred: Subject credential
fg: Fileglob structure
elements: Element buffer
len: Length of buffer

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential should be allowed to get an externalized version of the label on the object indicated by fd.

mpo_file_check_inherit_t

Access control for inheriting a file descriptor

typedef int mpo_file_check_inherit_t( 
    kauth_cred_t cred, 
    struct fileglob *fg, 
    struct label *label );

Parameters

cred: Subject credential
fg: Fileglob structure
label: Policy label for fg

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can inherit the fileglob structure represented by fg.

mpo_file_check_ioctl_t

Access control check for file ioctl

typedef int mpo_file_check_ioctl_t( 
    kauth_cred_t cred, 
    struct fileglob *fg, 
    struct label *label, 
    unsigned int cmd );

Parameters

cred: Subject credential
fg: Fileglob structure
label: Policy label for fg
cmd: The ioctl command; see ioctl(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the ioctl operation indicated by cmd.

WARNING:

Since ioctl data is opaque from the standpoint of the MAC framework, policies must exercise extreme care when implementing access control checks.

mpo_file_check_lock_t

Access control check for file locking

typedef int mpo_file_check_lock_t( 
    kauth_cred_t cred, 
    struct fileglob *fg, 
    struct label *label, 
    int op, 
    struct flock *fl );

Parameters

cred: Subject credential
fg: Fileglob structure
label: Policy label for fg
op: The lock operation (F_GETLK, F_SETLK, F_UNLK)
fl: The flock structure

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the lock operation indicated by op and fl on the file represented by fg.

mpo_file_check_mmap_downgrade_t

Downgrade the mmap protections

typedef void mpo_file_check_mmap_downgrade_t( 
    kauth_cred_t cred, 
    struct fileglob *fg, 
    struct label *label, 
    int *prot );

Fields

cred: Subject credential
fg: file to map
label: Policy label associated with vp
prot: mmap protections to be downgraded

Discussion

Downgrade the mmap protections based on the subject and object labels.

mpo_file_check_mmap_t

Access control check for mapping a file

typedef int mpo_file_check_mmap_t( 
    kauth_cred_t cred, 
    struct fileglob *fg, 
    struct label *label, 
    int prot, 
    int flags, 
    int *maxprot );

Parameters

cred: Subject credential
fg: fileglob representing file to map
label: Policy label associated with vp
prot: mmap protections; see mmap(2)
flags: Type of mapped object; see mmap(2)
maxprot: Maximum rights

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential should be allowed to map the file represented by fg with the protections specified in prot. The maxprot field holds the maximum permissions on the new mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. To avoid overriding prior access control checks, a policy should only remove flags from maxprot.

mpo_file_check_receive_t

Access control for receiving a file descriptor

typedef int mpo_file_check_receive_t( 
    kauth_cred_t cred, 
    struct fileglob *fg, 
    struct label *label );

Parameters

cred: Subject credential
fg: Fileglob structure
label: Policy label for fg

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can receive the fileglob structure represented by fg.

mpo_file_check_set_t

Access control check for mac_set_fd

typedef int mpo_file_check_set_t( 
    kauth_cred_t cred, 
    struct fileglob *fg, 
    char *elements, 
    int len );

Parameters

cred: Subject credential
fg: Fileglob structure
elements: Elements buffer
len: Length of elements buffer

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the mac_set_fd operation. The mac_set_fd operation is used to associate a MAC label with a file.

mpo_file_label_associate_t

Create file label

typedef void mpo_file_label_associate_t( 
    kauth_cred_t cred, 
    struct fileglob *fg, 
    struct label *label );

Fields

cred: Subject credential
fg: Fileglob structure
label: Policy label for fg

mpo_file_label_destroy_t

Destroy file label

typedef void mpo_file_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy the label on a file descriptor. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

mpo_file_label_init_t

Initialize file label

typedef void mpo_file_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

mpo_ifnet_check_label_update_t

Access control check for relabeling network interfaces

See:

mpo_ifnet_label_update_t

typedef int mpo_ifnet_check_label_update_t( 
    kauth_cred_t cred, 
    struct ifnet *ifp, 
    struct label *ifnetlabel, 
    struct label *newlabel );

Parameters

cred: Subject credential
ifp: network interface being relabeled
ifnetlabel: Current label of the network interfaces
newlabel: New label to apply to the network interfaces

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can relabel the network interface represented by ifp to the supplied new label (newlabel).

mpo_ifnet_check_transmit_t

Access control check for relabeling network interfaces

typedef int mpo_ifnet_check_transmit_t( 
    struct ifnet *ifp, 
    struct label *ifnetlabel, 
    struct mbuf *m, 
    struct label *mbuflabel, 
    int family, 
    int type );

Parameters

ifp: Network interface mbuf will be transmitted through
ifnetlabel: Label of the network interfaces
m: The mbuf to be transmitted
mbuflabel: Label of the mbuf to be transmitted
family: Address Family, AF_*
type: Type of socket, SOCK_{STREAM,DGRAM,RAW}

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the mbuf with label mbuflabel may be transmitted through the network interface represented by ifp that has the label ifnetlabel.

mpo_ifnet_label_associate_t

Create a network interface label

typedef void mpo_ifnet_label_associate_t( 
    struct ifnet *ifp, 
    struct label *ifnetlabel );

Fields

ifp: Network interface labeled
ifnetlabel: Label for the network interface

Discussion

Set the label of a newly created network interface, most likely using the information in the supplied network interface struct.

mpo_ifnet_label_copy_t

Copy an ifnet label

typedef void mpo_ifnet_label_copy_t( 
    struct label *src, 
    struct label *dest );

Fields

src: Source ifnet label
dest: Destination ifnet label

Discussion

Copy the label information from src to dest.

mpo_ifnet_label_destroy_t

Destroy ifnet label

typedef void mpo_ifnet_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy the label on an ifnet label. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

mpo_ifnet_label_externalize_t

Externalize an ifnet label

typedef int mpo_ifnet_label_externalize_t( 
    struct label *label, 
    char *element_name, 
    struct sbuf *sb );

Parameters

label: Label to be externalized
element_name: Name of the label namespace for which labels should be externalized
sb: String buffer to be filled with a text representation of the label

Return Value

0 on success, return non-zero if an error occurs while externalizing the label data.

Discussion

Produce an external representation of the label on an interface. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

mpo_ifnet_label_init_t

Initialize ifnet label

typedef void mpo_ifnet_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

mpo_ifnet_label_internalize_t

Internalize an interface label

typedef int mpo_ifnet_label_internalize_t( 
    struct label *label, 
    char *element_name, 
    char *element_data );

Parameters

label: Label to be internalized
element_name: Name of the label namespace for which the label should be internalized
element_data: Text data to be internalized

Return Value

0 on success, Otherwise, return non-zero if an error occurs while internalizing the label data.

Discussion

Produce an interface label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward text version to the kernel for processing by individual policy modules.

The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

mpo_ifnet_label_recycle_t

Recycle up a network interface label

typedef void mpo_ifnet_label_recycle_t( 
    struct label *label );

Fields

label: The label to be recycled

Discussion

Recycle a network interface label. Darwin caches the struct ifnet of detached ifnets in a "free pool". Before ifnets are returned to the "free pool", policies can cleanup or overwrite any information present in the label.

mpo_ifnet_label_update_t

Update a network interface label

See:

mpo_ifnet_check_label_update_t

typedef void mpo_ifnet_label_update_t( 
    kauth_cred_t cred, 
    struct ifnet *ifp, 
    struct label *ifnetlabel, 
    struct label *newlabel );

Fields

cred: Subject credential
ifp: The network interface to be relabeled
ifnetlabel: The current label of the network interface
newlabel: A new label to apply to the network interface

Discussion

Update the label on a network interface, using the supplied new label.

mpo_inpcb_check_deliver_t

Access control check for delivering a packet to a socket

typedef int mpo_inpcb_check_deliver_t( 
    struct inpcb *inp, 
    struct label *inplabel, 
    struct mbuf *m, 
    struct label *mbuflabel, 
    int family, 
    int type );

Parameters

inp: inpcb the socket is associated with
inplabel: Label of the inpcb
m: The mbuf being received
mbuflabel: Label of the mbuf being received
family: Address family, AF_*
type: Type of socket, SOCK_{STREAM,DGRAM,RAW}

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the mbuf with label mbuflabel may be received by the socket associated with inpcb that has the label inplabel.

mpo_inpcb_label_associate_t

Create an inpcb label

typedef void mpo_inpcb_label_associate_t( 
    struct socket *so, 
    struct label *solabel, 
    struct inpcb *inp, 
    struct label *inplabel );

Fields

so: Socket containing the inpcb to be labeled
solabel: Label of the socket
inp: inpcb to be labeled
inplabel: Label for the inpcb

Discussion

Set the label of a newly created inpcb, most likely using the information in the socket and/or socket label.

mpo_inpcb_label_destroy_t

Destroy inpcb label

typedef void mpo_inpcb_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy the label on an inpcb label. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

mpo_inpcb_label_init_t

Initialize inpcb label

typedef int mpo_inpcb_label_init_t( 
    struct label *label, 
    int flag );

Fields

label: New label to initialize
flag: M_WAITOK or M_NOWAIT

mpo_inpcb_label_recycle_t

Recycle up an inpcb label

typedef void mpo_inpcb_label_recycle_t( 
    struct label *label );

Fields

label: The label to be recycled

Discussion

Recycle an inpcb label. Darwin allocates the inpcb as part of the socket structure in some cases. For this case we must recycle rather than destroy the inpcb as it will be reused later.

mpo_inpcb_label_update_t

Update an inpcb label from a socket label

typedef void mpo_inpcb_label_update_t( 
    struct socket *so, 
    struct label *solabel, 
    struct inpcb *inp, 
    struct label *inplabel );

Fields

so: Socket containing the inpcb to be relabeled
solabel: New label of the socket
inp: inpcb to be labeled
inplabel: Label for the inpcb

Discussion

Set the label of a newly created inpcb due to a change in the underlying socket label.

mpo_iokit_check_device_t

Device hardware access control

typedef int mpo_iokit_check_device_t( 
    char *devtype, 
    struct mac_module_data *mdata );

Parameters

devtype: Type of device connected
properties: XML-formatted property list
proplen: Length of the property list

Return Value

Return EPERM to indicate that the device is untrusted and should not be allowed to operate. Return zero to indicate that the device is trusted and should be allowed to operate normally.

Discussion

This is the MAC Framework device access control, which is called by the I/O Kit when a new device is connected to the system to determine whether that device should be trusted. A list of properties associated with the device is passed as an XML-formatted string. The routine should examine these properties to determine the trustworthiness of the device. A return value of EPERM forces the device to be claimed by a special device driver that will prevent its operation.

WARNING:

This is an experimental interface and may change in the future.

mpo_ipq_label_associate_t

Create an IP reassembly queue label

typedef void mpo_ipq_label_associate_t( 
    struct mbuf *fragment, 
    struct label *fragmentlabel, 
    struct ipq *ipq, 
    struct label *ipqlabel );

Fields

fragment: First received IP fragment
fragmentlabel: Policy label for fragment
ipq: IP reassembly queue to be labeled
ipqlabel: Policy label to be filled in for ipq

Discussion

Set the label on a newly created IP reassembly queue from the mbuf header of the first received fragment.

mpo_ipq_label_compare_t

Compare an mbuf header label to an ipq label

typedef int mpo_ipq_label_compare_t( 
    struct mbuf *fragment, 
    struct label *fragmentlabel, 
    struct ipq *ipq, 
    struct label *ipqlabel );

Fields

fragment: IP datagram fragment
fragmentlabel: Policy label for fragment
ipq: IP fragment reassembly queue
ipqlabel: Policy label for ipq

Discussion

Compare the label of the mbuf header containing an IP datagram (fragment) fragment with the label of the passed IP fragment reassembly queue (ipq). Return (1) for a successful match, or (0) for no match. This call is made when the IP stack attempts to find an existing fragment reassembly queue for a newly received fragment; if this fails, a new fragment reassembly queue may be instantiated for the fragment. Policies may use this entry point to prevent the reassembly of otherwise matching IP fragments if policy does not permit them to be reassembled based on the label or other information.

mpo_ipq_label_destroy_t

Destroy IP reassembly queue label

typedef void mpo_ipq_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy the label on an IP fragment queue. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

mpo_ipq_label_init_t

Initialize IP reassembly queue label

typedef int mpo_ipq_label_init_t( 
    struct label *label, 
    int flag );

Fields

label: New label to initialize
flag: M_WAITOK or M_NOWAIT

Discussion

Initialize the label on a newly instantiated IP fragment reassembly queue. The flag field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call. IP fragment reassembly queue allocation frequently occurs in performance sensitive environments, and the implementation should be careful to avoid sleeping or long-lived operations. This entry point is permitted to fail resulting in the failure to allocate the IP fragment reassembly queue.

mpo_ipq_label_update_t

Update the label on an IP fragment reassembly queue

typedef void mpo_ipq_label_update_t( 
    struct mbuf *fragment, 
    struct label *fragmentlabel, 
    struct ipq *ipq, 
    struct label *ipqlabel );

Fields

fragment: IP fragment
fragmentlabel: Policy label for fragment
ipq: IP fragment reassembly queue
ipqlabel: Policy label to be updated for ipq

Discussion

Update the label on an IP fragment reassembly queue (ipq) based on the acceptance of the passed IP fragment mbuf header (fragment).

mpo_lctx_check_label_update_t

Access control check for relabelling Login Context

See:

mpo_lctx_label_update_t
mac_set_lcid
mac_set_lctx

typedef int mpo_lctx_check_label_update_t( 
    struct lctx *l, 
    struct label *newlabel );

Parameters

l: Subject credential
newlabel: New label to apply to the Login Context

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can relabel itself to the supplied new label (newlabel). This access control check is called when the mac_set_lctx/lcid system call is invoked. A user space application will supply a new value, the value will be internalized and provided in newlabel.

mpo_lctx_label_destroy_t

Destroy Login Context label

typedef void mpo_lctx_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

mpo_lctx_label_externalize_t

Externalize a Login Context label

typedef int mpo_lctx_label_externalize_t( 
    struct label *label, 
    char *element_name, 
    struct sbuf *sb );

Parameters

label: Label to be externalized
element_name: Name of the label namespace for which labels should be externalized
sb: String buffer to be filled with a text representation of the label

Return Value

0 on success, return non-zero if an error occurs while externalizing the label data.

Discussion

Produce an external representation of the label on a Login Context. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

mpo_lctx_label_init_t

Initialize Login Context label

typedef void mpo_lctx_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

mpo_lctx_label_internalize_t

Internalize a Login Context label

typedef int mpo_lctx_label_internalize_t( 
    struct label *label, 
    char *element_name, 
    char *element_data );

Parameters

label: Label to be internalized
element_name: Name of the label namespace for which the label should be internalized
element_data: Text data to be internalized

Return Value

0 on success, Otherwise, return non-zero if an error occurs while internalizing the label data.

Discussion

Produce a Login Context label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward text version to the kernel for processing by individual policy modules.

The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

mpo_lctx_label_update_t

Update a Login Context label

See:

mpo_lctx_check_label_update_t
mac_set_lcid
mac_set_lctx

typedef void mpo_lctx_label_update_t( 
    struct lctx *l, 
    struct label *newlabel );

Fields

l
newlabel: A new label to apply to the Login Context

Discussion

Update the label on a login context, using the supplied new label. This is called as a result of a login context relabel operation. Access control was already confirmed by mpo_lctx_check_label_update.

mpo_lctx_notify_create_t

A process has created a login context

typedef void mpo_lctx_notify_create_t( 
    struct proc *p, 
    struct lctx *l );

Fields

p: Subject
l: Login Context

Discussion

When a process creates a login context (via setlcid()) this entrypoint is called to notify the policy that the process 'p' has created login context 'l'.

mpo_lctx_notify_join_t

A process has joined a login context

typedef void mpo_lctx_notify_join_t( 
    struct proc *p, 
    struct lctx *l );

Fields

p: Subject
l: Login Context

Discussion

When a process joins a login context, either via setlcid() or via fork() this entrypoint is called to notify the policy that process 'p' is now a member of login context 'l'.

mpo_lctx_notify_leave_t

A process has left a login context

typedef void mpo_lctx_notify_leave_t( 
    struct proc *p, 
    struct lctx *l );

Fields

p: Subject
l: Login Context

Discussion

When a process leaves a login context either via setlcid() or as a result of the process exiting this entrypoint is called to notify the policy that the process 'p' is no longer a member of login context 'l'.

mpo_mbuf_label_associate_bpfdesc_t

Assign a label to a new mbuf

typedef void mpo_mbuf_label_associate_bpfdesc_t( 
    struct bpf_d *bpf_d, 
    struct label *b_label, 
    struct mbuf *m, 
    struct label *m_label );

Fields

bpf_d: BPF descriptor
b_label: Policy label for bpf_d
m: Object; mbuf
m_label: Policy label to fill in for m

Discussion

Set the label on the mbuf header of a newly created datagram generated using the passed BPF descriptor. This call is made when a write is performed to the BPF device associated with the passed BPF descriptor.

mpo_mbuf_label_associate_ifnet_t

Assign a label to a new mbuf

typedef void mpo_mbuf_label_associate_ifnet_t( 
    struct ifnet *ifp, 
    struct label *i_label, 
    struct mbuf *m, 
    struct label *m_label );

Fields

ifp: Interface descriptor
i_label: Existing label of ifp
m: Object; mbuf
m_label: Policy label to fill in for m

Discussion

Label an mbuf based on the interface from which it was received.

mpo_mbuf_label_associate_inpcb_t

Assign a label to a new mbuf

typedef void mpo_mbuf_label_associate_inpcb_t( 
    struct inpcb *inp, 
    struct label *i_label, 
    struct mbuf *m, 
    struct label *m_label );

Fields

inp: inpcb structure
i_label: Existing label of inp
m: Object; mbuf
m_label: Policy label to fill in for m

Discussion

Label an mbuf based on the inpcb from which it was derived.

mpo_mbuf_label_associate_ipq_t

Set the label on a newly reassembled IP datagram

typedef void mpo_mbuf_label_associate_ipq_t( 
    struct ipq *ipq, 
    struct label *ipqlabel, 
    struct mbuf *mbuf, 
    struct label *mbuflabel );

Fields

ipq: IP fragment reassembly queue
ipqlabel: Policy label for ipq
mbuf: IP datagram to be labeled
mbuflabel: Policy label to be filled in for mbuf

Discussion

Set the label on a newly reassembled IP datagram (mbuf) from the IP fragment reassembly queue (ipq) from which it was generated.

mpo_mbuf_label_associate_linklayer_t

Assign a label to a new mbuf

typedef void mpo_mbuf_label_associate_linklayer_t( 
    struct ifnet *ifp, 
    struct label *i_label, 
    struct mbuf *m, 
    struct label *m_label );

Fields

ifp: Subject; network interface
i_label: Existing label of ifp
m: Object; mbuf
m_label: Policy label to fill in for m

Discussion

Set the label on the mbuf header of a newly created datagram generated for the purposes of a link layer response for the passed interface. This call may be made in a number of situations, including for ARP or ND6 responses in the IPv4 and IPv6 stacks.

mpo_mbuf_label_associate_multicast_encap_t

Assign a label to a new mbuf

typedef void mpo_mbuf_label_associate_multicast_encap_t( 
    struct mbuf *oldmbuf, 
    struct label *oldmbuflabel, 
    struct ifnet *ifp, 
    struct label *ifplabel, 
    struct mbuf *newmbuf, 
    struct label *newmbuflabel );

Fields

oldmbuf: mbuf headerder for existing datagram for existing datagram
oldmbuflabel: Policy label for oldmbuf
ifp: Network interface
ifplabel: Policy label for ifp
newmbuf: mbuf header to be labeled for new datagram
newmbuflabel: Policy label for newmbuf

Discussion

Set the label on the mbuf header of a newly created datagram generated from the existing passed datagram when it is processed by the passed multicast encapsulation interface. This call is made when an mbuf is to be delivered using the virtual interface.

mpo_mbuf_label_associate_netlayer_t

Assign a label to a new mbuf

typedef void mpo_mbuf_label_associate_netlayer_t( 
    struct mbuf *oldmbuf, 
    struct label *oldmbuflabel, 
    struct mbuf *newmbuf, 
    struct label *newmbuflabel );

Fields

oldmbuf: Received datagram
oldmbuflabel: Policy label for oldmbuf
newmbuf: Newly created datagram
newmbuflabel: Policy label for newmbuf

Discussion

Set the label on the mbuf header of a newly created datagram generated by the IP stack in response to an existing received datagram (oldmbuf). This call may be made in a number of situations, including when responding to ICMP request datagrams.

mpo_mbuf_label_associate_socket_t

Assign a label to a new mbuf

typedef void mpo_mbuf_label_associate_socket_t( 
    socket_t so, 
    struct label *so_label, 
    struct mbuf *m, 
    struct label *m_label );

Fields

so: Socket to label
so_label: Policy label for socket
m: Object; mbuf
m_label: Policy label to fill in for m

Discussion

An mbuf structure is used to store network traffic in transit. When an application sends data to a socket or a pipe, it is wrapped in an mbuf first. This function sets the label on a newly created mbuf header based on the socket sending the data. The contents of the label should be suitable for performing an access check on the receiving side of the communication.

Only labeled MBUFs will be presented to the policy via this entrypoint.

mpo_mbuf_label_copy_t

Copy a mbuf label

typedef void mpo_mbuf_label_copy_t( 
    struct label *src, 
    struct label *dest );

Fields

src: Source label
dest: Destination label

Discussion

Copy the mbuf label information in src into dest.

Only called when both source and destination mbufs have labels.

mpo_mbuf_label_destroy_t

Destroy mbuf label

typedef void mpo_mbuf_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a mbuf label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_mbuf_label_init_t

Initialize mbuf label

typedef int mpo_mbuf_label_init_t( 
    struct label *label, 
    int flag );

Parameters

label: New label to initialize
flag: Malloc flags

Return Value

On success, 0, otherwise, an appropriate errno return value.

Discussion

Initialize the label for a newly instantiated mbuf.

WARNING:

Since it is possible for the flags to be set to M_NOWAIT, the malloc operation may fail.

mpo_mount_check_fsctl_t

Access control check for fsctl

typedef int mpo_mount_check_fsctl_t( 
    kauth_cred_t cred, 
    struct mount *mp, 
    struct label *label, 
    unsigned int cmd );

Parameters

cred: Subject credential
mp: The mount point
label: Label associated with the mount point
com: Filesystem-dependent request code; see fsctl(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the volume operation indicated by com.

WARNING:

The fsctl() system call is directly analogous to ioctl(); since the associated data is opaque from the standpoint of the MAC framework and since these operations can affect many aspects of system operation, policies must exercise extreme care when implementing access control checks.

mpo_mount_check_getattr_t

Access control check for the retrieval of file system attributes

typedef int mpo_mount_check_getattr_t( 
    kauth_cred_t cred, 
    struct mount *mp, 
    struct label *mp_label, 
    struct vfs_attr *vfa );

Parameters

cred: Subject credential
mp: The mount structure of the file system
vfa: The attributes requested

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

This entry point determines whether given subject can get information about the given file system. This check happens during statfs() syscalls, but is also used by other parts within the kernel such as the audit system.

mpo_mount_check_label_update_t

Access control check for mount point relabeling

typedef int mpo_mount_check_label_update_t( 
    kauth_cred_t cred, 
    struct mount *mp, 
    struct label *mntlabel );

Parameters

cred: Subject credential
mp: Object file system mount point
mntlabel: Policy label for fle system mount point

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can relabel the mount point. This call is made when a file system mount is updated.

mpo_mount_check_mount_t

Access control check for mounting a file system

typedef int mpo_mount_check_mount_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *vlabel, 
    struct componentname *cnp, 
    const char *vfc_name );

Parameters

cred: Subject credential
vp: Vnode that is to be the mount point
vlabel: Label associated with the vnode
cnp: Component name for vp
vfc_name: Filesystem type name

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the mount operation on the target vnode.

mpo_mount_check_remount_t

Access control check remounting a filesystem

typedef int mpo_mount_check_remount_t( 
    kauth_cred_t cred, 
    struct mount *mp, 
    struct label *mlabel );

Parameters

cred: Subject credential
mp: The mount point
mlabel: Label currently associated with the mount point

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the remount operation on the target vnode.

mpo_mount_check_setattr_t

Access control check for the settting of file system attributes

typedef int mpo_mount_check_setattr_t( 
    kauth_cred_t cred, 
    struct mount *mp, 
    struct label *mp_label, 
    struct vfs_attr *vfa );

Parameters

cred: Subject credential
mp: The mount structure of the file system
vfa: The attributes requested

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

This entry point determines whether given subject can set information about the given file system, for example the volume name.

mpo_mount_check_stat_t

Access control check for file system statistics

typedef int mpo_mount_check_stat_t( 
    kauth_cred_t cred, 
    struct mount *mp, 
    struct label *mntlabel );

Parameters

cred: Subject credential
mp: Object file system mount
mntlabel: Policy label for mp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can see the results of a statfs performed on the file system. This call may be made in a number of situations, including during invocations of statfs(2) and related calls, as well as to determine what file systems to exclude from listings of file systems, such as when getfsstat(2) is invoked.

mpo_mount_check_umount_t

Access control check for unmounting a filesystem

typedef int mpo_mount_check_umount_t( 
    kauth_cred_t cred, 
    struct mount *mp, 
    struct label *mlabel );

Parameters

cred: Subject credential
mp: The mount point
mlabel: Label associated with the mount point

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the unmount operation on the target vnode.

mpo_mount_label_associate_t

Create mount labels

See:

mpo_mount_label_init_t

typedef void mpo_mount_label_associate_t( 
    kauth_cred_t cred, 
    struct mount *mp, 
    struct label *mntlabel );

Fields

cred: Subject credential
mp: Mount point of file system being mounted
mntlabel: Label to associate with the new mount point

Discussion

Fill out the labels on the mount point being created by the supplied user credential. This call is made when file systems are first mounted.

mpo_mount_label_destroy_t

Destroy mount label

typedef void mpo_mount_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a file system mount label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_mount_label_externalize_t

Externalize a mount point label

typedef int mpo_mount_label_externalize_t( 
    struct label *label, 
    char *element_name, 
    struct sbuf *sb );

Parameters

label: Label to be externalized
element_name: Name of the label namespace for which labels should be externalized
sb: String buffer to be filled with a text representation of the label

Return Value

0 on success, return non-zero if an error occurs while externalizing the label data.

Discussion

Produce an external representation of the mount point label. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

The policy's externalize entry points will be called only if the policy has registered interest in the label namespace.

mpo_mount_label_init_t

Initialize mount point label

typedef void mpo_mount_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize the label for a newly instantiated mount structure. This label is typically used to store a default label in the case that the file system has been mounted singlelabel. Since some file systems do not support persistent labels (extended attributes) or are read-only (such as CD-ROMs), it is often necessary to store a default label separately from the label of the mount point itself. Sleeping is permitted.

mpo_mount_label_internalize_t

Internalize a mount point label

typedef int mpo_mount_label_internalize_t( 
    struct label *label, 
    char *element_name, 
    char *element_data );

Parameters

label: Label to be internalized
element_name: Name of the label namespace for which the label should be internalized
element_data: Text data to be internalized

Return Value

0 on success, Otherwise, return non-zero if an error occurs while internalizing the label data.

Discussion

Produce a mount point file system label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward text version to the kernel for processing by individual policy modules.

The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

mpo_netinet_fragment_t

Set the label on an IPv4 datagram fragment

typedef void mpo_netinet_fragment_t( 
    struct mbuf *datagram, 
    struct label *datagramlabel, 
    struct mbuf *fragment, 
    struct label *fragmentlabel );

Fields

datagram: Datagram being fragmented
datagramlabel: Policy label for datagram
fragment: New fragment
fragmentlabel: Policy label for fragment

Discussion

Called when an IPv4 datagram is fragmented into several smaller datagrams. Policies implementing mbuf labels will typically copy the label from the source datagram to the new fragment.

mpo_netinet_icmp_reply_t

Set the label on an ICMP reply

typedef void mpo_netinet_icmp_reply_t( 
    struct mbuf *m, 
    struct label *mlabel );

Fields

m: mbuf containing the ICMP reply
mlabel: Policy label for m

Discussion

A policy may wish to update the label of an mbuf that refers to an ICMP packet being sent in response to an IP packet. This may be called in response to a bad packet or an ICMP request.

mpo_netinet_tcp_reply_t

Set the label on a TCP reply

typedef void mpo_netinet_tcp_reply_t( 
    struct mbuf *m, 
    struct label *mlabel );

Fields

m: mbuf containing the TCP reply
mlabel: Policy label for m

Discussion

Called for outgoing TCP packets not associated with an actual socket.

mpo_pipe_check_ioctl_t

Access control check for pipe ioctl

typedef int mpo_pipe_check_ioctl_t( 
    kauth_cred_t cred, 
    struct pipe *cpipe, 
    struct label *pipelabel, 
    unsigned int cmd );

Parameters

cred: Subject credential
cpipe: Object to be accessed
pipelabel: The label on the pipe
cmd: The ioctl command; see ioctl(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the ioctl operation indicated by cmd.

WARNING:

Since ioctl data is opaque from the standpoint of the MAC framework, policies must exercise extreme care when implementing access control checks.

mpo_pipe_check_kqfilter_t

Access control check for pipe kqfilter

typedef int mpo_pipe_check_kqfilter_t( 
    kauth_cred_t cred, 
    struct knote *kn, 
    struct pipe *cpipe, 
    struct label *pipelabel );

Parameters

cred: Subject credential
kn: Object knote
cpipe: Object to be accessed
pipelabel: Policy label for the pipe

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can receive the knote on the passed pipe.

mpo_pipe_check_label_update_t

Access control check for pipe relabel

typedef int mpo_pipe_check_label_update_t( 
    kauth_cred_t cred, 
    struct pipe *cpipe, 
    struct label *pipelabel, 
    struct label *newlabel );

Parameters

cred: Subject credential
cpipe: Object to be accessed
pipelabel: The current label on the pipe
newlabel: The new label to be used

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform a relabel operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.

mpo_pipe_check_read_t

Access control check for pipe read

typedef int mpo_pipe_check_read_t( 
    kauth_cred_t cred, 
    struct pipe *cpipe, 
    struct label *pipelabel );

Parameters

cred: Subject credential
cpipe: Object to be accessed
pipelabel: The label on the pipe

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform a read operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.

mpo_pipe_check_select_t

Access control check for pipe select

typedef int mpo_pipe_check_select_t( 
    kauth_cred_t cred, 
    struct pipe *cpipe, 
    struct label *pipelabel, 
    int which );

Parameters

cred: Subject credential
cpipe: Object to be accessed
pipelabel: The label on the pipe
which: The operation selected on: FREAD or FWRITE

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform a select operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.

mpo_pipe_check_stat_t

Access control check for pipe stat

typedef int mpo_pipe_check_stat_t( 
    kauth_cred_t cred, 
    struct pipe *cpipe, 
    struct label *pipelabel );

Parameters

cred: Subject credential
cpipe: Object to be accessed
pipelabel: The label on the pipe

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform a stat operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.

mpo_pipe_check_write_t

Access control check for pipe write

typedef int mpo_pipe_check_write_t( 
    kauth_cred_t cred, 
    struct pipe *cpipe, 
    struct label *pipelabel );

Parameters

cred: Subject credential
cpipe: Object to be accessed
pipelabel: The label on the pipe

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform a write operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.

mpo_pipe_label_associate_t

Create a pipe label

typedef void mpo_pipe_label_associate_t( 
    kauth_cred_t cred, 
    struct pipe *cpipe, 
    struct label *pipelabel );

Fields

cred: Subject credential
cpipe: object to be labeled
label: Label for the pipe object

Discussion

Create a label for the pipe object being created by the supplied user credential. This call is made when the pipe is being created XXXPIPE(for one or both sides of the pipe?).

mpo_pipe_label_copy_t

Copy a pipe label

typedef void mpo_pipe_label_copy_t( 
    struct label *src, 
    struct label *dest );

Fields

src: Source pipe label
dest: Destination pipe label

Discussion

Copy the pipe label associated with src to dest. XXXPIPE Describe when this is used: most likely during pipe creation to copy from rpipe to wpipe.

mpo_pipe_label_destroy_t

Destroy pipe label

typedef void mpo_pipe_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a pipe label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_pipe_label_externalize_t

Externalize a pipe label

typedef int mpo_pipe_label_externalize_t( 
    struct label *label, 
    char *element_name, 
    struct sbuf *sb );

Parameters

label: Label to be externalized
element_name: Name of the label namespace for which labels should be externalized
sb: String buffer to be filled with a text representation of the label

Return Value

0 on success, return non-zero if an error occurs while externalizing the label data.

Discussion

Produce an external representation of the label on a pipe. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

The policy's externalize entry points will be called only if the policy has registered interest in the label namespace.

mpo_pipe_label_init_t

Initialize pipe label

typedef void mpo_pipe_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize label storage for use with a newly instantiated pipe object. Sleeping is permitted.

mpo_pipe_label_internalize_t

Internalize a pipe label

typedef int mpo_pipe_label_internalize_t( 
    struct label *label, 
    char *element_name, 
    char *element_data );

Parameters

label: Label to be internalized
element_name: Name of the label namespace for which the label should be internalized
element_data: Text data to be internalized

Return Value

0 on success, Otherwise, return non-zero if an error occurs while internalizing the label data.

Discussion

Produce a pipe label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward text version to the kernel for processing by individual policy modules.

The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

mpo_pipe_label_update_t

Update a pipe label

See:

mpo_pipe_check_label_update_t

typedef void mpo_pipe_label_update_t( 
    kauth_cred_t cred, 
    struct pipe *cpipe, 
    struct label *oldlabel, 
    struct label *newlabel );

Fields

cred: Subject credential
cpipe: Object to be labeled
oldlabel: Existing pipe label
newlabel: New label to replace existing label

Discussion

The subject identified by the credential has previously requested and was authorized to relabel the pipe; this entry point allows policies to perform the actual relabel operation. Policies should update oldlabel using the label stored in the newlabel parameter.

mpo_policy_destroy_t

Policy unload event

See:

MPC_LOADTIME_FLAG_UNLOADOK

typedef void mpo_policy_destroy_t( 
    struct mac_policy_conf *mpc );

Fields

mpc: MAC policy configuration

Discussion

This is the MAC Framework policy unload event. This entry point will only be called if the module's policy configuration allows unload (if the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't want to be unloaded; they should set their flags to prevent this entry point from being called.

WARNING:

During this call, the mac policy list mutex is held, so sleep operations cannot be performed, and calls out to other kernel subsystems must be made with caution.

mpo_policy_init_t

Policy initialization event

See:

mac_policy_register
mpo_policy_initbsd_t

typedef void mpo_policy_init_t( 
    struct mac_policy_conf *mpc );

Fields

mpc: MAC policy configuration

Discussion

This is the MAC Framework policy initialization event. This entry point is called during mac_policy_register, when the policy module is first registered with the MAC Framework. This is often done very early in the boot process, after the kernel Mach subsystem has been initialized, but prior to the BSD subsystem being initialized. Since the kernel BSD services are not yet available, it is possible that some initialization must occur later, possibly in the mpo_policy_initbsd_t policy entry point, such as registering BSD system controls (sysctls). Policy modules loaded at boot time will be registered and initialized before labeled Mach objects are created.

WARNING:

During this call, the mac policy list mutex is held, so sleep operations cannot be performed, and calls out to other kernel subsystems must be made with caution.

mpo_policy_initbsd_t

Policy BSD initialization event

See:

mpo_policy_init_t

typedef void mpo_policy_initbsd_t( 
    struct mac_policy_conf *mpc );

Fields

mpc: MAC policy configuration

Discussion

This entry point is called after the kernel BSD subsystem has been initialized. By this point, the module should already be loaded, registered, and initialized. Since policy modules are initialized before kernel BSD services are available, this second initialization phase is necessary. At this point, BSD services (memory management, synchronization primitives, vfs, etc.) are available, but the first process has not yet been created. Mach-related objects and tasks will already be fully initialized and may be in use--policies requiring ubiquitous labeling may also want to implement mpo_policy_init_t.

WARNING:

During this call, the mac policy list mutex is held, so sleep operations cannot be performed, and calls out to other kernel subsystems must be made with caution.

mpo_policy_syscall_t

Policy extension service

typedef int mpo_policy_syscall_t( 
    struct proc *p, 
    int call, 
    user_addr_t arg );

Parameters

p: Calling process
call: Policy-specific syscall number
arg: Pointer to syscall arguments

Return Value

In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

Discussion

This entry point provides a policy-multiplexed system call so that policies may provide additional services to user processes without registering specific system calls. The policy name provided during registration is used to demux calls from userland, and the arguments will be forwarded to this entry point. When implementing new services, security modules should be sure to invoke appropriate access control checks from the MAC framework as needed. For example, if a policy implements an augmented signal functionality, it should call the necessary signal access control checks to invoke the MAC framework and other registered policies.

WARNING:

Since the format and contents of the policy-specific arguments are unknown to the MAC Framework, modules must perform the required copyin() of the syscall data on their own. No policy mediation is performed, so policies must perform any necessary access control checks themselves. If multiple policies are loaded, they will currently be unable to mediate calls to other policies.

mpo_port_check_copy_send_t

Access control check for copying a send right to another task

typedef int mpo_port_check_copy_send_t( 
    struct label *task, 
    struct label *port );

Parameters

task: Label of the sender task
port: Label of the affected port

Return Value

Return 0 if access is granted, non-zero otherwise.

Discussion

Access control check for copying send rights to the port from the specified task. A complementary entry point, mpo_port_check_hold_send, handles the receiving task. port_check_copy_send is called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.

The task label and the port are locked. Sleeping is permitted.

mpo_port_check_hold_receive_t

Access control check for obtaining a receive right

typedef int mpo_port_check_hold_receive_t( 
    struct label *task, 
    struct label *port );

Parameters

task: Label of the receiving task
port: Label of the affected port

Return Value

Return 0 if access is granted, non-zero otherwise.

Discussion

Access control check for a task obtaining receive rights to a port. Usually, these are port rights that were obtained with a call to mach_port_allocate. This entry point is called as part of a group of policy invocations when messages with port rights are received. All of these access control checks must succeed in order to receive the message.

The task label and the port are locked. Sleeping is permitted.

mpo_port_check_hold_send_once_t

Access control check for obtaining a send once right

typedef int mpo_port_check_hold_send_once_t( 
    struct label *task, 
    struct label *port );

Parameters

task: Label of the receiving task
port: Label of the affected port

Return Value

Return 0 if access is granted, non-zero otherwise.

Discussion

Access control check for a task obtaining send once rights to a port. Usually, these are port rights that were part of a message sent by another userspace task. port_check_hold_send_once is called as part of a group of policy invocations when messages with port rights are received. All of these access control checks must succeed in order to receive the message.

The task label and the port are locked. Sleeping is permitted.

mpo_port_check_hold_send_t

Access control check for obtaining a send right

typedef int mpo_port_check_hold_send_t( 
    struct label *task, 
    struct label *port );

Parameters

task: Label of the receiving task
port: Label of the affected port

Return Value

Return 0 if access is granted, non-zero otherwise.

Discussion

Access control check for a task obtaining send rights to a port. Usually, these are port rights that were part of a message sent by another userspace task. port_check_hold_send is called as part of a group of policy invocations when messages with port rights are received. All of these access control checks must succeed in order to receive the message.

The task label and the port are locked. Sleeping is permitted.

mpo_port_check_label_update_t

Access control check for relabelling ports

typedef int mpo_port_check_label_update_t( 
    struct label *task, 
    struct label *oldlabel, 
    struct label *newlabel );

Parameters

task: Subject's task label
oldlabel: Original label of port
newlabel: New label for port

Return Value

Return 0 if access is granted, non-zero otherwise.

Discussion

Access control check for relabelling ports. The policy should indicate whether the subject is permitted to change the label of a port from oldlabel to newlabel. The port is locked, but the subject's task label is not locked.

WARNING:

XXX In future releases, the task label lock will likely also be held.

mpo_port_check_make_send_once_t

Access control check for producing a send once right from a receive right

typedef int mpo_port_check_make_send_once_t( 
    struct label *task, 
    struct label *port );

Parameters

task: Label of the sender task
port: Label of the affected port

Return Value

Return 0 if access is granted, non-zero otherwise.

Discussion

Access control check for obtaining send once rights from receive rights. The new send once right may be destined for the calling task, or a different task. In either case the mpo_port_check_hold_send_once entry point handles the receiving task. port_check_make_send_once may be called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.

The task label and the port are locked. Sleeping is permitted.

mpo_port_check_make_send_t

Access control check for producing a send right from a receive right

typedef int mpo_port_check_make_send_t( 
    struct label *task, 
    struct label *port );

Parameters

task: Label of the sender task
port: Label of the affected port

Return Value

Return 0 if access is granted, non-zero otherwise.

Discussion

Access control check for obtaining send rights from receive rights. The new send right may be destined for the calling task, or a different task. In either case the mpo_port_check_hold_send entry point handles the receiving task. port_check_make_send may be called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.

The task label and the port are locked. Sleeping is permitted.

mpo_port_check_method_t

Compute access control check for a Mach message-based service

typedef int mpo_port_check_method_t( 
    struct proc *proc, 
    struct label *task, 
    struct label *port, 
    int msgid );

Parameters

proc: Sender's process structure (may be NULL)
task: Sender's task label
port: Destination port label
msgid: Message id

Return Value

0 for access granted, nonzero for access denied.

Discussion

Access control computation for message-based services. This entry point computes permission to the service requested by the specified port and message id, for example a single MiG server routine, and is unrelated to the access check for sending messages to ports (but that check must succeed for the message to be sent to the destination). The result of this access computation is stored in the message trailer field msgh_ad (only if requested by the recipient); it does not actually inhibit the message from being sent or received.

mpo_port_check_move_receive_t

Access control check for transferring a receive right

typedef int mpo_port_check_move_receive_t( 
    struct label *task, 
    struct label *port );

Parameters

task: Label of the sender task
port: Label of the affected port

Return Value

Return 0 if access is granted, non-zero otherwise.

Discussion

Access control check for transferring the receive right to a port out of the specified task. A complementary entry point, mpo_port_check_hold_receive, handles the receiving task. port_check_move_receive is called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.

The task label and the port are locked. Sleeping is permitted.

mpo_port_check_move_send_once_t

Access control check for transferring a send once right

typedef int mpo_port_check_move_send_once_t( 
    struct label *task, 
    struct label *port );

Parameters

task: Label of the sender task
port: Label of the affected port

Return Value

Return 0 if access is granted, non-zero otherwise.

Discussion

Access control check for transferring a send once right from one task to the task listening to the specified port. A complementary entry point, mpo_port_check_hold_send_once, handles the receiving task. port_check_move_send_once is called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.

The task label and the port are locked. Sleeping is permitted.

mpo_port_check_move_send_t

Access control check for transferring a send right

typedef int mpo_port_check_move_send_t( 
    struct label *task, 
    struct label *port );

Parameters

task: Label of the sender task
port: Label of the affected port

Return Value

Return 0 if access is granted, non-zero otherwise.

Discussion

Access control check for transferring a send right from one task to the task listening to the specified port. A complementary entry point, mpo_port_check_hold_send, handles the receiving task. port_check_move_send is called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.

The task label and the port are locked. Sleeping is permitted.

mpo_port_check_receive_t

Access control check for receiving Mach messsages

typedef int mpo_port_check_receive_t( 
    struct label *task, 
    struct label *sender );

Parameters

task: Label of the receiving task
sender: Label of the sending task

Return Value

Return 0 if access is granted, non-zero otherwise.

Discussion

Access control check for receiving messages. The two labels are locked.

WARNING:

This entry point can be invoked from many places inside the kernel, with arbitrary other locks held. The implementation of this entry point must not cause page faults, as those are handled by mach messages.

mpo_port_check_send_t

Access control check for sending Mach messsages

typedef int mpo_port_check_send_t( 
    struct label *task, 
    struct label *port );

Parameters

task: Label of the sender task
port: Label of the destination port

Return Value

Return 0 if access is granted, non-zero otherwise.

Discussion

Access control check for sending messages. The task label and the port are locked.

WARNING:

mpo_port_check_service_t

Generic access control check

typedef int mpo_port_check_service_t( 
    struct label *subj, 
    struct label *obj, 
    const char *serv, 
    const char *perm );

Parameters

subj: Caller-provided subject label
obj: Caller-provided object label
serv: Service or object class name
perm: Permission, or method, within the specified service

Return Value

Return 0 if access is granted, non-zero otherwise.

Discussion

This function provides a general way for a user process to query an arbitrary access control decision from the system's security policies. Currently, there are no standards for the format of the service and permission names. Labels may be either cred or port labels; the policy must accept either. The userspace interfaces to this entry point allow label strings or label handles (ports) to be provided.

mpo_port_label_associate_kernel_t

Assign a label to a new Mach port created by the kernel

typedef void mpo_port_label_associate_kernel_t( 
    struct label *portlabel, 
    int isreply );

Fields

portlabel: Label for the new port
isreply: True if the port is for a reply message from the kernel

Discussion

Assign a label to a new port created by the kernel. If the port is being used to reply to a message, isreply is 1 (0 otherwise). The port is locked.

mpo_port_label_associate_t

Assign a label to a new Mach port

typedef void mpo_port_label_associate_t( 
    struct label *it, 
    struct label *st, 
    struct label *portlabel );

Fields

it: Task label of issuer
st: Task label of target
portlabel: Label for the new port

Discussion

Assign a label to a new port. The policy can base this label on the label of the calling task, as well as the label of the target task. The target task is the one which recieves the first right for this port. Both task labels and the port are locked.

mpo_port_label_compute_t

Request label for new (userspace) object

typedef int mpo_port_label_compute_t( 
    struct label *subj, 
    struct label *obj, 
    const char *serv, 
    struct label *out );

Parameters

subj: Subject label
obj: Parent or existing object label
serv: Name of service
out: Computed label

Return Value

0 on success, or an errno value for failure.

Discussion

Ask the loaded policies to compute a label based on the two input labels and the service name. There is currently no standard for the service name, or even what the input labels represent (Subject and parent object are only a suggestion). If successful, the computed label is stored in out. All labels must be port (or task) labels. The userspace interfaces to this entry point allow label handles (ports) to be provided.

mpo_port_label_copy_t

Copy a Mach port label

typedef void mpo_port_label_copy_t( 
    struct label *src, 
    struct label *dest );

Fields

src: Source port label
dest: Destination port label

Discussion

Copy the Mach port label information from src to dest. This is used to copy user-suplied labels into an existing port.

mpo_port_label_destroy_t

Destroy Mach port label

typedef void mpo_port_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a Mach port label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_port_label_init_t

Initialize Mach port label

typedef void mpo_port_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize the label for a newly instantiated Mach port. Sleeping is permitted.

mpo_port_label_update_cred_t

Update a Mach task port label

See:

mpo_cred_label_update_t
mpo_cred_label_update_execve_t

typedef void mpo_port_label_update_cred_t( 
    struct label *cred, 
    struct label *task );

Fields

cred: User credential label to be used as the source
task: Mach port label to be used as the destination

Discussion

Update the label on a Mach task port, using the supplied user credential label. When a mac_cred_label_update_execve or a mac_cred_label_update operation causes the label on a user credential to change, the Mach task port label also needs to be updated to reflect the change. Both labels are already valid (initialized and created).

mpo_port_label_update_kobject_t

Assign a label to a Mach port connected to a kernel object

typedef void mpo_port_label_update_kobject_t( 
    struct label *portlabel, 
    int kotype );

Fields

portlabel: Label for the port
kotype: Type of kernel object

Discussion

Label a kernel port based on the type of object behind it. The kotype parameter is one of the IKOT constants in . The port already has a valid label from either mpo_port_label_associate_kernel, or because it is a task port and has a label derived from the process and task labels. The port is locked.

mpo_posixsem_check_create_t

Access control check for POSIX semaphore create

typedef int mpo_posixsem_check_create_t( 
    kauth_cred_t cred, 
    const char *name );

Parameters

cred: Subject credential
name: String name of the semaphore

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can create a POSIX semaphore specified by name.

mpo_posixsem_check_open_t

Access control check for POSIX semaphore open

typedef int mpo_posixsem_check_open_t( 
    kauth_cred_t cred, 
    struct pseminfo *ps, 
    struct label *semlabel );

Parameters

cred: Subject credential
ps: Pointer to semaphore information structure
semlabel: Label associated with the semaphore

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can open the named POSIX semaphore with label semlabel.

mpo_posixsem_check_post_t

Access control check for POSIX semaphore post

typedef int mpo_posixsem_check_post_t( 
    kauth_cred_t cred, 
    struct pseminfo *ps, 
    struct label *semlabel );

Parameters

cred: Subject credential
ps: Pointer to semaphore information structure
semlabel: Label associated with the semaphore

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can unlock the named POSIX semaphore with label semlabel.

mpo_posixsem_check_unlink_t

Access control check for POSIX semaphore unlink

typedef int mpo_posixsem_check_unlink_t( 
    kauth_cred_t cred, 
    struct pseminfo *ps, 
    struct label *semlabel, 
    const char *name );

Parameters

cred: Subject credential
ps: Pointer to semaphore information structure
semlabel: Label associated with the semaphore
name: String name of the semaphore

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can remove the named POSIX semaphore with label semlabel.

mpo_posixsem_check_wait_t

Access control check for POSIX semaphore wait

typedef int mpo_posixsem_check_wait_t( 
    kauth_cred_t cred, 
    struct pseminfo *ps, 
    struct label *semlabel );

Parameters

cred: Subject credential
ps: Pointer to semaphore information structure
semlabel: Label associated with the semaphore

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can lock the named POSIX semaphore with label semlabel.

mpo_posixsem_label_associate_t

Create a POSIX semaphore label

typedef void mpo_posixsem_label_associate_t( 
    kauth_cred_t cred, 
    struct pseminfo *ps, 
    struct label *semlabel, 
    const char *name );

Fields

cred: Subject credential
ps: Pointer to semaphore information structure
semlabel: Label to associate with the new semaphore
name: String name of the semaphore

Discussion

Label a new POSIX semaphore. The label was previously initialized and associated with the semaphore. At this time, an appropriate initial label value should be assigned to the object and stored in semalabel.

mpo_posixsem_label_destroy_t

Destroy POSIX semaphore label

typedef void mpo_posixsem_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a POSIX semaphore label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_posixsem_label_init_t

Initialize POSIX semaphore label

typedef void mpo_posixsem_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize the label for a newly instantiated POSIX semaphore. Sleeping is permitted.

mpo_posixshm_check_create_t

Access control check for POSIX shared memory region create

typedef int mpo_posixshm_check_create_t( 
    kauth_cred_t cred, 
    const char *name );

Parameters

cred: Subject credential
name: String name of the shared memory region

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can create the POSIX shared memory region referenced by name.

mpo_posixshm_check_mmap_t

Access control check for mapping POSIX shared memory

typedef int mpo_posixshm_check_mmap_t( 
    kauth_cred_t cred, 
    struct pshminfo *ps, 
    struct label *shmlabel, 
    int prot, 
    int flags );

Parameters

cred: Subject credential
ps: Pointer to shared memory information structure
shmlabel: Label associated with the shared memory region
prot: mmap protections; see mmap(2)
flags: shmat flags; see shmat(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can map the POSIX shared memory segment associated with shmlabel.

mpo_posixshm_check_open_t

Access control check for POSIX shared memory region open

typedef int mpo_posixshm_check_open_t( 
    kauth_cred_t cred, 
    struct pshminfo *ps, 
    struct label *shmlabel );

Parameters

cred: Subject credential
ps: Pointer to shared memory information structure
shmlabel: Label associated with the shared memory region

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can open the POSIX shared memory region.

mpo_posixshm_check_stat_t

Access control check for POSIX shared memory stat

typedef int mpo_posixshm_check_stat_t( 
    kauth_cred_t cred, 
    struct pshminfo *ps, 
    struct label *shmlabel );

Parameters

cred: Subject credential
ps: Pointer to shared memory information structure
shmlabel: Label associated with the shared memory region

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can obtain status for the POSIX shared memory segment associated with shmlabel.

mpo_posixshm_check_truncate_t

Access control check for POSIX shared memory truncate

typedef int mpo_posixshm_check_truncate_t( 
    kauth_cred_t cred, 
    struct pshminfo *ps, 
    struct label *shmlabel, 
    size_t len );

Parameters

cred: Subject credential
ps: Pointer to shared memory information structure
shmlabel: Label associated with the shared memory region
len: Length to truncate or extend shared memory segment

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can truncate or extend (to len) the POSIX shared memory segment associated with shmlabel.

mpo_posixshm_check_unlink_t

Access control check for POSIX shared memory unlink

typedef int mpo_posixshm_check_unlink_t( 
    kauth_cred_t cred, 
    struct pshminfo *ps, 
    struct label *shmlabel, 
    const char *name );

Parameters

cred: Subject credential
ps: Pointer to shared memory information structure
shmlabel: Label associated with the shared memory region
name: String name of the shared memory region

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can delete the POSIX shared memory segment associated with shmlabel.

mpo_posixshm_label_associate_t

Create a POSIX shared memory region label

typedef void mpo_posixshm_label_associate_t( 
    kauth_cred_t cred, 
    struct pshminfo *ps, 
    struct label *shmlabel, 
    const char *name );

Fields

cred: Subject credential
ps: Pointer to shared memory information structure
shmlabel: Label to associate with the new shared memory region
name: String name of the shared memory region

Discussion

Label a new POSIX shared memory region. The label was previously initialized and associated with the shared memory region. At this time, an appropriate initial label value should be assigned to the object and stored in shmlabel.

mpo_posixshm_label_destroy_t

Destroy POSIX shared memory label

typedef void mpo_posixshm_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a POSIX shared memory region label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_posixshm_label_init_t

Initialize POSIX Shared Memory region label

typedef void mpo_posixshm_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize the label for newly a instantiated POSIX Shared Memory region. Sleeping is permitted.

mpo_proc_check_debug_t

Access control check for debugging process

typedef int mpo_proc_check_debug_t( 
    kauth_cred_t cred, 
    struct proc *proc );

Parameters

cred: Subject credential
proc: Object process

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to hide visibility of the target.

Discussion

Determine whether the subject identified by the credential can debug the passed process. This call may be made in a number of situations, including use of the ptrace(2) and ktrace(2) APIs, as well as for some types of procfs operations.

mpo_proc_check_fork_t

Access control over fork

typedef int mpo_proc_check_fork_t( 
    kauth_cred_t cred, 
    struct proc *proc );

Parameters

cred: Subject credential
proc: Subject process trying to fork

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified is allowed to fork.

mpo_proc_check_get_task_name_t

Access control check for getting a process's task name

typedef int mpo_proc_check_get_task_name_t( 
    kauth_cred_t cred, 
    struct proc *p );

Parameters

cred: Subject credential
proc: Object process

Return Value

Discussion

Determine whether the subject identified by the credential can get the passed process's task name port. This call is used by the task_name_for_pid(2) API.

mpo_proc_check_get_task_t

Access control check for getting a process's task port

typedef int mpo_proc_check_get_task_t( 
    kauth_cred_t cred, 
    struct proc *p );

Parameters

cred: Subject credential
proc: Object process

Return Value

Discussion

Determine whether the subject identified by the credential can get the passed process's task control port. This call is used by the task_for_pid(2) API.

mpo_proc_check_getaudit_t

Access control check for retrieving audit information

typedef int mpo_proc_check_getaudit_t( 
    kauth_cred_t cred );

Parameters

cred: Subject credential

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can get audit information such as the audit user ID, the preselection mask, the terminal ID and the audit session ID, using the getaudit() system call.

mpo_proc_check_getauid_t

Access control check for retrieving audit user ID

typedef int mpo_proc_check_getauid_t( 
    kauth_cred_t cred );

Parameters

cred: Subject credential

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can get the user identity being used by the auditing system, using the getauid() system call.

mpo_proc_check_getlcid_t

Access control check for retrieving Login Context ID

typedef int mpo_proc_check_getlcid_t( 
    struct proc *p0, 
    struct proc *p, 
    pid_t pid );

Parameters

p0: Calling process
p: Effected process
pid: syscall PID argument

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine if getlcid(2) system call is permitted.

Information returned by this system call is similar to that returned via process listings etc.

mpo_proc_check_mprotect_t

Access control check for setting memory protections

typedef int mpo_proc_check_mprotect_t( 
    kauth_cred_t cred, 
    struct proc *proc, 
    user_addr_t addr, 
    user_size_t size, 
    int prot );

Parameters

cred: Subject credential
proc: User process requesting the change
addr: Start address of the memory range
size: Length address of the memory range
prot: Memory protections, see mmap(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential should be allowed to set the specified memory protections on memory mapped in the process proc.

mpo_proc_check_sched_t

Access control check for changing scheduling parameters

typedef int mpo_proc_check_sched_t( 
    kauth_cred_t cred, 
    struct proc *proc );

Parameters

cred: Subject credential
proc: Object process

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to limit visibility.

Discussion

Determine whether the subject identified by the credential can change the scheduling parameters of the passed process.

mpo_proc_check_setaudit_t

Access control check for setting audit information

typedef int mpo_proc_check_setaudit_t( 
    kauth_cred_t cred, 
    struct auditinfo_addr *ai );

Parameters

cred: Subject credential
ai: Audit information

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can set audit information such as the the preselection mask, the terminal ID and the audit session ID, using the setaudit() system call.

mpo_proc_check_setauid_t

Access control check for setting audit user ID

typedef int mpo_proc_check_setauid_t( 
    kauth_cred_t cred, 
    uid_t auid );

Parameters

cred: Subject credential
auid: Audit user ID

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can set the user identity used by the auditing system, using the setauid() system call.

mpo_proc_check_setlcid_t

Access control check for setting the Login Context

typedef int mpo_proc_check_setlcid_t( 
    struct proc *p0, 
    struct proc *p, 
    pid_t pid, 
    pid_t lcid );

Parameters

p0: Calling process
p: Effected process
pid: syscall PID argument
lcid: syscall LCID argument

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine if setlcid(2) system call is permitted.

See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of decoding syscall arguments to determine action desired by caller.

Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN

mpo_proc_check_signal_t

Access control check for delivering signal

typedef int mpo_proc_check_signal_t( 
    kauth_cred_t cred, 
    struct proc *proc, 
    int signum );

Parameters

cred: Subject credential
proc: Object process
signum: Signal number; see kill(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to limit visibility.

Discussion

Determine whether the subject identified by the credential can deliver the passed signal to the passed process.

WARNING:

Programs typically expect to be able to send and receive signals as part or their normal process lifecycle; caution should be exercised when implementing access controls over signal events.

mpo_proc_check_wait_t

Access control check for wait

typedef int mpo_proc_check_wait_t( 
    kauth_cred_t cred, 
    struct proc *proc );

Parameters

cred: Subject credential
proc: Object process

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can wait for process termination.

WARNING:

Caution should be exercised when implementing access controls for wait, since programs often wait for child processes to exit. Failure to be notified of a child process terminating may cause the parent process to hang, or may produce zombie processes.

mpo_proc_label_destroy_t

Destroy process label

typedef void mpo_proc_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a process label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_proc_label_init_t

Initialize process label

See:

mpo_cred_label_init_t

typedef void mpo_proc_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize the label for a newly instantiated BSD process structure. Normally, security policies will store the process label in the user credential rather than here in the process structure. However, there are some floating label policies that may need to temporarily store a label in the process structure until it is safe to update the user credential label. Sleeping is permitted.

mpo_socket_check_accept_t

Access control check for socket accept

typedef int mpo_socket_check_accept_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *socklabel );

Parameters

cred: Subject credential
socket: Object socket
socklabel: Policy label for socket

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can accept() a new connection on the socket from the host specified by addr.

mpo_socket_check_accepted_t

Access control check for a pending socket accept

typedef int mpo_socket_check_accepted_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *socklabel, 
    struct sockaddr *addr );

Parameters

cred: Subject credential
so: Object socket
socklabel: Policy label for socket
addr: Address of the listening socket (coming soon)

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can accept() a pending connection on the socket from the host specified by addr.

mpo_socket_check_bind_t

Access control check for socket bind

typedef int mpo_socket_check_bind_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *socklabel, 
    struct sockaddr *addr );

Parameters

cred: Subject credential
so: Object socket
socklabel: Policy label for socket
addr: Name to assign to the socket

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can bind() the name (addr) to the socket.

mpo_socket_check_connect_t

Access control check for socket connect

typedef int mpo_socket_check_connect_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *socklabel, 
    struct sockaddr *addr );

Parameters

cred: Subject credential
so: Object socket
socklabel: Policy label for socket
addr: Name to assign to the socket

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can connect() the passed socket to the remote host specified by addr.

mpo_socket_check_create_t

Access control check for socket() system call.

typedef int mpo_socket_check_create_t( 
    kauth_cred_t cred, 
    int domain, 
    int type, 
    int protocol );

Parameters

cred: Subject credential
domain: communication domain
type: socket type
protocol: socket protocol

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can make the socket() call.

mpo_socket_check_deliver_t

Access control check for delivering data to a user's receieve queue

typedef int mpo_socket_check_deliver_t( 
    socket_t so, 
    struct label *so_label, 
    struct mbuf *m, 
    struct label *m_label );

Parameters

so: The socket data is being delivered to
so_label: The label of so
m: The mbuf whose data will be deposited into the receive queue
m_label: The label of the sender of the data.

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

A socket has a queue for receiving incoming data. When a packet arrives on the wire, it eventually gets deposited into this queue, which the owner of the socket drains when they read from the socket's file descriptor.

This function determines whether the socket can receive data from the sender specified by m_label.

WARNING:

There is an outstanding design issue surrounding the placement of this function. The check must be placed either before or after the TCP sequence and ACK counters are updated. Placing the check before the counters are updated causes the incoming packet to be resent by the remote if the check rejects it. Placing the check after the counters are updated results in a completely silent drop. As far as each TCP stack is concerned the packet was received, however, the data will not be in the socket's receive queue. Another consideration is that the current design requires using the "failed label" occasionally. In that case, on rejection, we want the remote TCP to resend the data. Because of this, we chose to place this check before the counters are updated, so rejected packets will be resent by the remote host.

If a policy keeps rejecting the same packet, eventually the connection will be dropped. Policies have several options if this design causes problems. For example, one options is to sanitize the mbuf such that it is acceptable, then accept it. That may require negotiation between policies as the Framework will not know to re-check the packet.

The policy must handle NULL MBUF labels. This will likely be the case for non-local TCP sockets for example.

mpo_socket_check_getsockopt_t

Access control check for getting socket options

typedef int mpo_socket_check_getsockopt_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *socklabel, 
    struct sockopt *sopt );

Parameters

cred: Subject credential
so: Object socket
socklabel: Policy label for so
sopt: The options to get

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can execute the getsockopt system call on the given socket.

mpo_socket_check_kqfilter_t

Access control check for socket kqfilter

typedef int mpo_socket_check_kqfilter_t( 
    kauth_cred_t cred, 
    struct knote *kn, 
    socket_t so, 
    struct label *socklabel );

Parameters

cred: Subject credential
kn: Object knote
so: Object socket
socklabel: Policy label for socket

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can receive the knote on the passed socket.

mpo_socket_check_label_update_t

Access control check for socket relabel

typedef int mpo_socket_check_label_update_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *so_label, 
    struct label *newlabel );

Parameters

cred: Subject credential
so: Object socket
so_label: The current label of so
newlabel: The label to be assigned to so

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can change the label on the socket.

mpo_socket_check_listen_t

Access control check for socket listen

typedef int mpo_socket_check_listen_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *socklabel );

Parameters

cred: Subject credential
so: Object socket
socklabel: Policy label for socket

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can listen() on the passed socket.

mpo_socket_check_receive_t

Access control check for socket receive

typedef int mpo_socket_check_receive_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *socklabel );

Parameters

cred: Subject credential
so: Object socket
socklabel: Policy label for socket

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can receive data from the socket.

mpo_socket_check_received_t

Access control check for socket receive

typedef int mpo_socket_check_received_t( 
    kauth_cred_t cred, 
    struct socket *sock, 
    struct label *socklabel, 
    struct sockaddr *saddr );

Parameters

cred: Subject credential
socket: Object socket
socklabel: Policy label for socket
addr: Name of the remote socket

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can receive data from the remote host specified by addr.

mpo_socket_check_select_t

Access control check for socket select

typedef int mpo_socket_check_select_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *socklabel, 
    int which );

Parameters

cred: Subject credential
so: Object socket
socklabel: Policy label for socket
which: The operation selected on: FREAD or FWRITE

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can use the socket in a call to select().

mpo_socket_check_send_t

Access control check for socket send

typedef int mpo_socket_check_send_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *socklabel, 
    struct sockaddr *addr );

Parameters

cred: Subject credential
so: Object socket
socklabel: Policy label for socket
addr: Address being sent to

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can send data to the socket.

mpo_socket_check_setsockopt_t

Access control check for setting socket options

typedef int mpo_socket_check_setsockopt_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *socklabel, 
    struct sockopt *sopt );

Parameters

cred: Subject credential
so: Object socket
socklabel: Policy label for so
sopt: The options being set

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can execute the setsockopt system call on the given socket.

mpo_socket_check_stat_t

Access control check for retrieving socket status

typedef int mpo_socket_check_stat_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *socklabel );

Parameters

cred: Subject credential
so: Object socket
socklabel: Policy label for so

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can execute the stat() system call on the given socket.

mpo_socket_label_associate_accept_t

Label a socket

typedef void mpo_socket_label_associate_accept_t( 
    socket_t oldsock, 
    struct label *oldlabel, 
    socket_t newsock, 
    struct label *newlabel );

Fields

oldsock: Listening socket
oldlabel: Policy label associated with oldsock
newsock: New socket
newlabel: Policy label associated with newsock

Discussion

A new socket is created when a connection is accept(2)ed. This function labels the new socket based on the existing listen(2)ing socket.

mpo_socket_label_associate_t

Assign a label to a new socket

typedef void mpo_socket_label_associate_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *solabel );

Fields

cred

Credential of the owning process

so

The socket being labeled

solabel

The label

WARNING:

cred can be NULL

Discussion

Set the label on a newly created socket from the passed subject credential. This call is made when a socket is created. The credentials may be null if the socket is being created by the kernel.

mpo_socket_label_copy_t

Copy a socket label

typedef void mpo_socket_label_copy_t( 
    struct label *src, 
    struct label *dest );

Fields

src: Source label
dest: Destination label

Discussion

Copy the socket label information in src into dest.

mpo_socket_label_destroy_t

Destroy socket label

typedef void mpo_socket_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a socket label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_socket_label_externalize_t

Externalize a socket label

typedef int mpo_socket_label_externalize_t( 
    struct label *label, 
    char *element_name, 
    struct sbuf *sb );

Parameters

label: Label to be externalized
element_name: Name of the label namespace for which labels should be externalized
sb: String buffer to be filled with a text representation of label

Return Value

In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

Discussion

Produce an externalized socket label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. If element_name does not match a namespace managed by the policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data.

mpo_socket_label_init_t

Initialize socket label

typedef int mpo_socket_label_init_t( 
    struct label *label, 
    int waitok );

Parameters

label: New label to initialize
waitok: Malloc flags

Return Value

In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

Discussion

Initialize the label of a newly instantiated socket. The waitok field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call. It it not always safe to sleep during this entry point.

WARNING:

Since it is possible for the waitok flags to be set to M_NOWAIT, the malloc operation may fail.

mpo_socket_label_internalize_t

Internalize a socket label

typedef int mpo_socket_label_internalize_t( 
    struct label *label, 
    char *element_name, 
    char *element_data );

Parameters

label: Label to be filled in
element_name: Name of the label namespace for which the label should be internalized
element_data: Text data to be internalized

Return Value

In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

Discussion

Produce an internal socket label structure based on externalized label data in text format.

The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

mpo_socket_label_update_t

Relabel socket

typedef void mpo_socket_label_update_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *so_label, 
    struct label *newlabel );

Fields

cred: Subject credential
so: Object; socket
so_label: Current label of the socket
newlabel: The label to be assigned to so

Discussion

The subject identified by the credential has previously requested and was authorized to relabel the socket; this entry point allows policies to perform the actual label update operation.

WARNING:

XXX This entry point will likely change in future versions.

mpo_socketpeer_label_associate_mbuf_t

Set the peer label on a socket from mbuf

typedef void mpo_socketpeer_label_associate_mbuf_t( 
    struct mbuf *m, 
    struct label *m_label, 
    socket_t so, 
    struct label *so_label );

Fields

m: Mbuf chain received on socket so
m_label: Label for m
so: Current label for the socket
so_label: Policy label to be filled out for the socket

Discussion

Set the peer label of a socket based on the label of the sender of the mbuf.

This is called for every TCP/IP packet received. The first call for a given socket operates on a newly initialized label, and subsequent calls operate on existing label data.

WARNING:

Because this can affect performance significantly, it has different sematics than other 'set' operations. Typically, 'set' operations operate on newly initialzed labels and policies do not need to worry about clobbering existing values. In this case, it is too inefficient to initialize and destroy a label every time data is received for the socket. Instead, it is up to the policies to determine how to replace the label data. Most policies should be able to replace the data inline.

mpo_socketpeer_label_associate_socket_t

Set the peer label on a socket from socket

typedef void mpo_socketpeer_label_associate_socket_t( 
    socket_t source, 
    struct label *sourcelabel, 
    socket_t target, 
    struct label *targetlabel );

Fields

source: Local socket
sourcelabel: Policy label for source
target: Peer socket
targetlabel: Policy label to fill in for target

Discussion

Set the peer label on a stream UNIX domain socket from the passed remote socket endpoint. This call will be made when the socket pair is connected, and will be made for both endpoints.

Note that this call is only made on connection; it is currently not updated during communication.

mpo_socketpeer_label_destroy_t

Destroy socket peer label

typedef void mpo_socketpeer_label_destroy_t( 
    struct label *label );

Fields

label: The peer label to be destroyed

Discussion

Destroy a socket peer label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_socketpeer_label_externalize_t

Externalize a socket peer label

typedef int mpo_socketpeer_label_externalize_t( 
    struct label *label, 
    char *element_name, 
    struct sbuf *sb );

Parameters

label: Label to be externalized
element_name: Name of the label namespace for which labels should be externalized
sb: String buffer to be filled with a text representation of label

Return Value

In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

Discussion

Produce an externalized socket peer label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. If element_name does not match a namespace managed by the policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data.

mpo_socketpeer_label_init_t

Initialize socket peer label

typedef int mpo_socketpeer_label_init_t( 
    struct label *label, 
    int waitok );

Parameters

label: New label to initialize
waitok: Malloc flags

Return Value

In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

Discussion

Initialize the peer label of a newly instantiated socket. The waitok field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call. It it not always safe to sleep during this entry point.

WARNING:

Since it is possible for the waitok flags to be set to M_NOWAIT, the malloc operation may fail.

mpo_system_check_acct_t

Access control check for enabling accounting

typedef int mpo_system_check_acct_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *vlabel );

Parameters

cred: Subject credential
vp: Accounting file
vlabel: Label associated with vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject should be allowed to enable accounting, based on its label and the label of the accounting log file. See acct(5) for more information.

As accounting is disabled by passing NULL to the acct(2) system call, the policy should be prepared for both 'vp' and 'vlabel' to be NULL.

mpo_system_check_audit_t

Access control check for audit

typedef int mpo_system_check_audit_t( 
    kauth_cred_t cred, 
    void *record, 
    int length );

Parameters

cred: Subject credential
record: Audit record
length: Audit record length

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can submit an audit record for inclusion in the audit log via the audit() system call.

mpo_system_check_auditctl_t

Access control check for controlling audit

typedef int mpo_system_check_auditctl_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *vl );

Parameters

cred: Subject credential
vp: Audit file
vl: Label associated with vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject should be allowed to enable auditing using the auditctl() system call, based on its label and the label of the proposed audit file.

mpo_system_check_auditon_t

Access control check for manipulating auditing

typedef int mpo_system_check_auditon_t( 
    kauth_cred_t cred, 
    int cmd );

Parameters

cred: Subject credential
cmd: Audit control command

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the audit subsystem control operation cmd via the auditon() system call.

mpo_system_check_host_priv_t

Access control check for obtaining the host control port

typedef int mpo_system_check_host_priv_t( 
    kauth_cred_t cred );

Parameters

cred: Subject credential

Return Value

Return 0 if access is granted, or non-zero otherwise.

Discussion

Determine whether the subject identified by the credential can obtain the host control port.

mpo_system_check_nfsd_t

Access control check for calling NFS services

typedef int mpo_system_check_nfsd_t( 
    kauth_cred_t cred );

Parameters

cred: Subject credential

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential should be allowed to call nfssrv(2).

mpo_system_check_reboot_t

Access control check for reboot

typedef int mpo_system_check_reboot_t( 
    kauth_cred_t cred, 
    int howto );

Parameters

cred: Subject credential
howto: howto parameter from reboot(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential should be allowed to reboot the system in the specified manner.

mpo_system_check_settime_t

Access control check for setting system clock

typedef int mpo_system_check_settime_t( 
    kauth_cred_t cred );

Parameters

cred: Subject credential

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential should be allowed to set the system clock.

mpo_system_check_swapoff_t

Access control check for removing swap devices

typedef int mpo_system_check_swapoff_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label );

Parameters

cred: Subject credential
vp: Swap device
label: Label associated with vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential should be allowed to remove vp as a swap device.

mpo_system_check_swapon_t

Access control check for adding swap devices

typedef int mpo_system_check_swapon_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label );

Parameters

cred: Subject credential
vp: Swap device
label: Label associated with vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential should be allowed to add vp as a swap device.

mpo_system_check_sysctl_t

Access control check for sysctl

typedef int mpo_system_check_sysctl_t( 
    kauth_cred_t cred, 
    int *name, 
    u_int namelen, 
    user_addr_t old, /* NULLOK */
    user_addr_t oldlenp, /* NULLOK */
    int inkernel, 
    user_addr_t newvalue, /* NULLOK */
    size_t newlen );

Parameters

cred: Subject credential
name: Integer name; see sysctl(3)
namelen: Length of name array of integers; see sysctl(3)
old: 0 or address where to store old value; see sysctl(3)
oldlenp: Pointer to length of old buffer; see sysctl(3)
inkernel: Boolean; 1 if called from kernel
newvalue: 0 or address of new value; see sysctl(3)
newlen: Length of new buffer; see sysctl(3)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential should be allowed to make the specified sysctl(3) transaction.

The sysctl(3) call specifies that if the old value is not desired, oldp and oldlenp should be set to NULL. Likewise, if a new value is not to be set, newp should be set to NULL and newlen set to 0.

mpo_sysvmsg_label_associate_t

Create a System V message label

typedef void mpo_sysvmsg_label_associate_t( 
    kauth_cred_t cred, 
    struct msqid_kernel *msqptr, 
    struct label *msqlabel, 
    struct msg *msgptr, 
    struct label *msglabel );

Fields

cred: Subject credential
msqkptr: The message queue the message will be placed in
msqlabel: The label of the message queue
msgptr: The message
msglabel: The label of the message

Discussion

Label the message as its placed in the message queue.

mpo_sysvmsg_label_destroy_t

Destroy System V message label

typedef void mpo_sysvmsg_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a System V message label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_sysvmsg_label_init_t

Initialize System V message label

typedef void mpo_sysvmsg_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize the label for a newly instantiated System V message.

mpo_sysvmsg_label_recycle_t

Clean up a System V message label

typedef void mpo_sysvmsg_label_recycle_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Clean up a System V message label. Darwin pre-allocates messages at system boot time and re-uses them rather than allocating new ones. Before messages are returned to the "free pool", policies can cleanup or overwrite any information present in the label.

mpo_sysvmsq_check_enqueue_t

Access control check for System V message enqueuing

typedef int mpo_sysvmsq_check_enqueue_t( 
    kauth_cred_t cred, 
    struct msg *msgptr, 
    struct label *msglabel, 
    struct msqid_kernel *msqptr, 
    struct label *msqlabel );

Parameters

cred: Subject credential
msgptr: The message
msglabel: The message's label
msqkptr: The message queue
msqlabel: The message queue's label

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can add the given message to the given message queue.

mpo_sysvmsq_check_msgrcv_t

Access control check for System V message reception

typedef int mpo_sysvmsq_check_msgrcv_t( 
    kauth_cred_t cred, 
    struct msg *msgptr, 
    struct label *msglabel );

Parameters

cred: The credential of the intended recipient
msgptr: The message
msglabel: The message's label

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can receive the given message.

mpo_sysvmsq_check_msgrmid_t

Access control check for System V message queue removal

typedef int mpo_sysvmsq_check_msgrmid_t( 
    kauth_cred_t cred, 
    struct msg *msgptr, 
    struct label *msglabel );

Parameters

cred: The credential of the caller
msgptr: The message
msglabel: The message's label

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

System V message queues are removed using the msgctl() system call. The system will iterate over each messsage in the queue, calling this function for each, to determine whether the caller has the appropriate credentials.

mpo_sysvmsq_check_msqctl_t

Access control check for msgctl()

typedef int mpo_sysvmsq_check_msqctl_t( 
    kauth_cred_t cred, 
    struct msqid_kernel *msqptr, 
    struct label *msqlabel, 
    int cmd );

Parameters

cred: The credential of the caller
msqptr: The message queue
msqlabel: The message queue's label

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

This access check is performed to validate calls to msgctl().

mpo_sysvmsq_check_msqget_t

Access control check to get a System V message queue

typedef int mpo_sysvmsq_check_msqget_t( 
    kauth_cred_t cred, 
    struct msqid_kernel *msqptr, 
    struct label *msqlabel );

Parameters

cred: The credential of the caller
msqptr: The message queue requested
msqlabel: The message queue's label

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

On a call to msgget(), if the queue requested already exists, and it is a public queue, this check will be performed before the queue's ID is returned to the user.

mpo_sysvmsq_check_msqrcv_t

Access control check to receive a System V message from the given queue

typedef int mpo_sysvmsq_check_msqrcv_t( 
    kauth_cred_t cred, 
    struct msqid_kernel *msqptr, 
    struct label *msqlabel );

Parameters

cred: The credential of the caller
msqptr: The message queue to receive from
msqlabel: The message queue's label

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

On a call to msgrcv(), this check is performed to determine whether the caller has receive rights on the given queue.

mpo_sysvmsq_check_msqsnd_t

Access control check to send a System V message to the given queue

typedef int mpo_sysvmsq_check_msqsnd_t( 
    kauth_cred_t cred, 
    struct msqid_kernel *msqptr, 
    struct label *msqlabel );

Parameters

cred: The credential of the caller
msqptr: The message queue to send to
msqlabel: The message queue's label

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

On a call to msgsnd(), this check is performed to determine whether the caller has send rights on the given queue.

mpo_sysvmsq_label_associate_t

Create a System V message queue label

typedef void mpo_sysvmsq_label_associate_t( 
    kauth_cred_t cred, 
    struct msqid_kernel *msqptr, 
    struct label *msqlabel );

Fields

cred: Subject credential
msqkptr: The message queue
msqlabel: The label of the message queue

mpo_sysvmsq_label_destroy_t

Destroy System V message queue label

typedef void mpo_sysvmsq_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a System V message queue label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_sysvmsq_label_init_t

Initialize System V message queue label

typedef void mpo_sysvmsq_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize the label for a newly instantiated System V message queue.

mpo_sysvmsq_label_recycle_t

Clean up a System V message queue label

typedef void mpo_sysvmsq_label_recycle_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Clean up a System V message queue label. Darwin pre-allocates message queues at system boot time and re-uses them rather than allocating new ones. Before message queues are returned to the "free pool", policies can cleanup or overwrite any information present in the label.

mpo_sysvsem_check_semctl_t

Access control check for System V semaphore control operation

typedef int mpo_sysvsem_check_semctl_t( 
    kauth_cred_t cred, 
    struct semid_kernel *semakptr, 
    struct label *semaklabel, 
    int cmd );

Parameters

cred: Subject credential
semakptr: Pointer to semaphore identifier
semaklabel: Label associated with semaphore
cmd: Control operation to be performed; see semctl(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the operation indicated by cmd on the System V semaphore semakptr.

mpo_sysvsem_check_semget_t

Access control check for obtaining a System V semaphore

typedef int mpo_sysvsem_check_semget_t( 
    kauth_cred_t cred, 
    struct semid_kernel *semakptr, 
    struct label *semaklabel );

Parameters

cred: Subject credential
semakptr: Pointer to semaphore identifier
semaklabel: Label to associate with the semaphore

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can obtain a System V semaphore.

mpo_sysvsem_check_semop_t

Access control check for System V semaphore operations

typedef int mpo_sysvsem_check_semop_t( 
    kauth_cred_t cred, 
    struct semid_kernel *semakptr, 
    struct label *semaklabel, 
    size_t accesstype );

Parameters

cred: Subject credential
semakptr: Pointer to semaphore identifier
semaklabel: Label associated with the semaphore
accesstype: Flags to indicate access (read and/or write)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the operations on the System V semaphore indicated by semakptr. The accesstype flags hold the maximum set of permissions from the sem_op array passed to the semop system call. It may contain SEM_R for read-only operations or SEM_A for read/write operations.

mpo_sysvsem_label_associate_t

Create a System V semaphore label

typedef void mpo_sysvsem_label_associate_t( 
    kauth_cred_t cred, 
    struct semid_kernel *semakptr, 
    struct label *semalabel );

Fields

cred: Subject credential
semakptr: The semaphore being created
semalabel: Label to associate with the new semaphore

Discussion

Label a new System V semaphore. The label was previously initialized and associated with the semaphore. At this time, an appropriate initial label value should be assigned to the object and stored in semalabel.

mpo_sysvsem_label_destroy_t

Destroy System V semaphore label

typedef void mpo_sysvsem_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a System V semaphore label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_sysvsem_label_init_t

Initialize System V semaphore label

typedef void mpo_sysvsem_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize the label for a newly instantiated System V semaphore. Sleeping is permitted.

mpo_sysvsem_label_recycle_t

Clean up a System V semaphore label

typedef void mpo_sysvsem_label_recycle_t( 
    struct label *label );

Fields

label: The label to be cleaned

Discussion

Clean up a System V semaphore label. Darwin pre-allocates semaphores at system boot time and re-uses them rather than allocating new ones. Before semaphores are returned to the "free pool", policies can cleanup or overwrite any information present in the label.

mpo_sysvshm_check_shmat_t

Access control check for mapping System V shared memory

typedef int mpo_sysvshm_check_shmat_t( 
    kauth_cred_t cred, 
    struct shmid_kernel *shmsegptr, 
    struct label *shmseglabel, 
    int shmflg );

Parameters

cred: Subject credential
shmsegptr: Pointer to shared memory segment identifier
shmseglabel: Label associated with the shared memory segment
shmflg: shmat flags; see shmat(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can map the System V shared memory segment associated with shmsegptr.

mpo_sysvshm_check_shmctl_t

Access control check for System V shared memory control operation

typedef int mpo_sysvshm_check_shmctl_t( 
    kauth_cred_t cred, 
    struct shmid_kernel *shmsegptr, 
    struct label *shmseglabel, 
    int cmd );

Parameters

cred: Subject credential
shmsegptr: Pointer to shared memory segment identifier
shmseglabel: Label associated with the shared memory segment
cmd: Control operation to be performed; see shmctl(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the operation indicated by cmd on the System V shared memory segment shmsegptr.

mpo_sysvshm_check_shmdt_t

Access control check for unmapping System V shared memory

typedef int mpo_sysvshm_check_shmdt_t( 
    kauth_cred_t cred, 
    struct shmid_kernel *shmsegptr, 
    struct label *shmseglabel );

Parameters

cred: Subject credential
shmsegptr: Pointer to shared memory segment identifier
shmseglabel: Label associated with the shared memory segment

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can unmap the System V shared memory segment associated with shmsegptr.

mpo_sysvshm_check_shmget_t

Access control check obtaining System V shared memory identifier

typedef int mpo_sysvshm_check_shmget_t( 
    kauth_cred_t cred, 
    struct shmid_kernel *shmsegptr, 
    struct label *shmseglabel, 
    int shmflg );

Parameters

cred: Subject credential
shmsegptr: Pointer to shared memory segment identifier
shmseglabel: Label associated with the shared memory segment
shmflg: shmget flags; see shmget(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can get the System V shared memory segment address.

mpo_sysvshm_label_associate_t

Create a System V shared memory region label

typedef void mpo_sysvshm_label_associate_t( 
    kauth_cred_t cred, 
    struct shmid_kernel *shmsegptr, 
    struct label *shmlabel );

Fields

cred: Subject credential
shmsegptr: The shared memory region being created
shmlabel: Label to associate with the new shared memory region

Discussion

Label a new System V shared memory region. The label was previously initialized and associated with the shared memory region. At this time, an appropriate initial label value should be assigned to the object and stored in shmlabel.

mpo_sysvshm_label_destroy_t

Destroy System V shared memory label

typedef void mpo_sysvshm_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a System V shared memory region label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_sysvshm_label_init_t

Initialize System V Shared Memory region label

typedef void mpo_sysvshm_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize the label for a newly instantiated System V Shared Memory region. Sleeping is permitted.

mpo_sysvshm_label_recycle_t

Clean up a System V Share Memory Region label

typedef void mpo_sysvshm_label_recycle_t( 
    struct label *shmlabel );

Fields

shmlabel: The label to be cleaned

Discussion

Clean up a System V Shared Memory Region label. Darwin pre-allocates these objects at system boot time and re-uses them rather than allocating new ones. Before the memory regions are returned to the "free pool", policies can cleanup or overwrite any information present in the label.

mpo_task_label_associate_kernel_t

Assign a label to a new kernelspace Mach task

See:

mpo_cred_label_associate_kernel_t

typedef void mpo_task_label_associate_kernel_t( 
    struct task *kproc, 
    struct label *tasklabel, 
    struct label *portlabel );

Fields

kproc: New task
tasklabel: Label for new task
portlabel: Label for new task port

Discussion

Assign labels to a new kernel task and its task port. Both the task and task port labels should be specified. Both new labels are initialized. If there is an associated BSD process structure, it will be labelled with calls to mpo_cred_label_associate_kernel.

mpo_task_label_associate_t

Assign a label to a new (userspace) Mach task

typedef void mpo_task_label_associate_t( 
    struct task *parent, 
    struct task *child, 
    struct label *parentlabel, 
    struct label *childlabel, 
    struct label *childportlabel );

Fields

parent: Parent task
child: New (child) task
parentlabel: Label of parent task
childlabel: Label for new task
childportlabel: Label for new task's task port

Discussion

Assign labels to a new task and its task port. Both the task and task port labels should be specified. Both new labels are initialized. If the task will have an associated BSD process, that information will be made available by the task_label_update and port_label_update_cred entry points.

mpo_task_label_copy_t

Copy a Mach task label

typedef void mpo_task_label_copy_t( 
    struct label *src, 
    struct label *dest );

Fields

src: Source task label
dest: Destination task label

Discussion

Copy the Mach task label information from src to dest. This is used when duplicating label handles to implement copy-on-write semantics.

mpo_task_label_destroy_t

Destroy Mach task label

typedef void mpo_task_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a Mach task label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_task_label_externalize_t

Externalize a task label

typedef int mpo_task_label_externalize_t( 
    struct label *label, 
    char *element_name, 
    struct sbuf *sb );

Parameters

label: Label to be externalized
element_name: Name of the label namespace for which labels should be externalized
sb: String buffer to be filled with a text representation of the label

Return Value

0 on success, return non-zero if an error occurs while externalizing the label data.

Discussion

Produce an external representation of the label on a task. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

mpo_task_label_init_t

Initialize Mach task label

typedef void mpo_task_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize the label for a newly instantiated Mach task. Sleeping is permitted.

mpo_task_label_internalize_t

Internalize a task label

typedef int mpo_task_label_internalize_t( 
    struct label *label, 
    char *element_name, 
    char *element_data );

Parameters

label: Label to be internalized
element_name: Name of the label namespace for which the label should be internalized
element_data: Text data to be internalized

Return Value

0 on success, Otherwise, return non-zero if an error occurs while internalizing the label data.

Discussion

Produce a task label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward text version to the kernel for processing by individual policy modules.

The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

mpo_task_label_update_t

Update a Mach task label

See:

mpo_cred_label_update_t
mpo_cred_label_update_execve_t

typedef void mpo_task_label_update_t( 
    struct label *cred, 
    struct label *task );

Fields

cred: User credential label to be used as the source
task: Mach task label to be used as the destination

Discussion

Update the label on a Mach task, using the supplied user credential label. When a mac_cred_label_update_execve or a mac_cred_label_update operation causes the label on a user credential to change, the Mach task label also needs to be updated to reflect the change. Both labels are already valid (initialized and created).

WARNING:

XXX We may change the name of this entry point in a future version of the MAC framework.

mpo_thread_userret_t

Perform MAC-related events when a thread returns to user space

typedef void mpo_thread_userret_t( 
    int code, 
    int error, 
    struct thread *thread );

Fields

code: The number of the syscall/trap that has finished
error: The error code that will be returned to user space
thread: Mach (not BSD) thread that is returning

Discussion

This entry point permits policy modules to perform MAC-related events when a thread returns to user space, via a system call return, trap return, or otherwise.

mpo_vnode_check_access_t

Check vnode access

typedef int mpo_vnode_check_access_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label, 
    int acc_mode );

Parameters

cred: Subject credential
vp: Object vnode
label: Label for vp
acc_mode: access(2) flags

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine how invocations of access(2) and related calls by the subject identified by the credential should return when performed on the passed vnode using the passed access flags. This should generally be implemented using the same semantics used in mpo_vnode_check_open.

mpo_vnode_check_chdir_t

Access control check for changing working directory

typedef int mpo_vnode_check_chdir_t( 
    kauth_cred_t cred, 
    struct vnode *dvp, 
    struct label *dlabel );

Parameters

cred: Subject credential
dvp: Object; vnode to chdir(2) into
dlabel: Policy label for dvp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can change the process working directory to the passed vnode.

mpo_vnode_check_chroot_t

Access control check for changing root directory

typedef int mpo_vnode_check_chroot_t( 
    kauth_cred_t cred, 
    struct vnode *dvp, 
    struct label *dlabel, 
    struct componentname *cnp );

Parameters

cred: Subject credential
dvp: Directory vnode
dlabel: Policy label associated with dvp
cnp: Component name for dvp

Return Value

In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

Discussion

Determine whether the subject identified by the credential should be allowed to chroot(2) into the specified directory (dvp).

mpo_vnode_check_create_t

Access control check for creating vnode

typedef int mpo_vnode_check_create_t( 
    kauth_cred_t cred, 
    struct vnode *dvp, 
    struct label *dlabel, 
    struct componentname *cnp, 
    struct vnode_attr *vap );

Parameters

cred: Subject credential
dvp: Directory vnode
dlabel: Policy label for dvp
cnp: Component name for dvp
vap: vnode attributes for vap

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can create a vnode with the passed parent directory, passed name information, and passed attribute information. This call may be made in a number of situations, including as a result of calls to open(2) with O_CREAT, mknod(2), mkfifo(2), and others.

mpo_vnode_check_deleteextattr_t

Access control check for deleting extended attribute

typedef int mpo_vnode_check_deleteextattr_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *vlabel, 
    const char *name );

Parameters

cred: Subject credential
vp: Object vnode
vlabel: Label associated with vp
name: Extended attribute name

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can delete the extended attribute from the passed vnode.

mpo_vnode_check_exchangedata_t

Access control check for exchanging file data

typedef int mpo_vnode_check_exchangedata_t( 
    kauth_cred_t cred, 
    struct vnode *v1, 
    struct label *vl1, 
    struct vnode *v2, 
    struct label *vl2 );

Parameters

cred: Subject credential
v1: vnode 1 to swap
vl1: Policy label for v1
v2: vnode 2 to swap
vl2: Policy label for v2

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can swap the data in the two supplied vnodes.

mpo_vnode_check_exec_t

Access control check for executing the vnode

typedef int mpo_vnode_check_exec_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label, 
    struct label *execlabel, /* NULLOK */
    struct componentname *cnp, 
    u_int *csflags );

Parameters

cred: Subject credential
vp: Object vnode to execute
label: Policy label for vp
execlabel: Userspace provided execution label
cnp: Component name for file being executed

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can execute the passed vnode. Determination of execute privilege is made separately from decisions about any process label transitioning event.

The final label, execlabel, corresponds to a label supplied by a user space application through the use of the mac_execve system call. This label will be NULL if the user application uses the the vendor execve(2) call instead of the MAC Framework mac_execve() call.

mpo_vnode_check_getattrlist_t

Access control check for retrieving file attributes

typedef int mpo_vnode_check_getattrlist_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *vlabel, 
    struct attrlist *alist );

Parameters

cred: Subject credential
vp: Object vnode
vlabel: Policy label for vp
alist: List of attributes to retrieve

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege. Access control covers all attributes requested with this call; the security policy is not permitted to change the set of attributes requested.

Discussion

Determine whether the subject identified by the credential can read various attributes of the specified vnode, or the filesystem or volume on which that vnode resides. See for definitions of the attributes.

mpo_vnode_check_getextattr_t

Access control check for retrieving an extended attribute

typedef int mpo_vnode_check_getextattr_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label, /* NULLOK */
    const char *name, 
    struct uio *uio /* NULLOK */
    );

Parameters

cred: Subject credential
vp: Object vnode
label: Policy label for vp
name: Extended attribute name
uio: I/O structure pointer

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can retrieve the extended attribute from the passed vnode. The uio parameter will be NULL when the getxattr(2) call has been made with a NULL data value; this is done to request the size of the data only.

mpo_vnode_check_ioctl_t

Access control check for ioctl

typedef int mpo_vnode_check_ioctl_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label, 
    unsigned int cmd );

Parameters

cred: Subject credential
vp: Object vnode
label: Policy label for vp
com: Device-dependent request code; see ioctl(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can perform the ioctl operation indicated by com.

WARNING:

Since ioctl data is opaque from the standpoint of the MAC framework, and since ioctls can affect many aspects of system operation, policies must exercise extreme care when implementing access control checks.

mpo_vnode_check_kqfilter_t

Access control check for vnode kqfilter

typedef int mpo_vnode_check_kqfilter_t( 
    kauth_cred_t active_cred, 
    kauth_cred_t file_cred, /* NULLOK */
    struct knote *kn, 
    struct vnode *vp, 
    struct label *label );

Parameters

cred: Subject credential
kn: Object knote
vp: Object vnode
label: Policy label for vp

Return Value

Return 0 if access if granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can receive the knote on the passed vnode.

mpo_vnode_check_label_update_t

Access control check for relabel

See:

mpo_relable_vnode_t

typedef int mpo_vnode_check_label_update_t( 
    struct ucred *cred, 
    struct vnode *vp, 
    struct label *vnodelabel, 
    struct label *newlabel );

Parameters

cred: Subject credential
vp: Object vnode
vnodelabel: Existing policy label for vp
newlabel: Policy label update to later be applied to vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can relabel the passed vnode to the passed label update. If all policies permit the label change, the actual relabel entry point (mpo_vnode_label_update) will follow.

mpo_vnode_check_link_t

Access control check for creating link

typedef int mpo_vnode_check_link_t( 
    kauth_cred_t cred, 
    struct vnode *dvp, 
    struct label *dlabel, 
    struct vnode *vp, 
    struct label *label, 
    struct componentname *cnp );

Parameters

cred: Subject credential
dvp: Directory vnode
dlabel: Policy label associated with dvp
vp: Link destination vnode
label: Policy label associated with vp
cnp: Component name for the link being created

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential should be allowed to create a link to the vnode vp with the name specified by cnp.

mpo_vnode_check_listextattr_t

Access control check for listing extended attributes

typedef int mpo_vnode_check_listextattr_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *vlabel );

Parameters

cred: Subject credential
vp: Object vnode
vlabel: Policy label associated with vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can retrieve a list of named extended attributes from a vnode.

mpo_vnode_check_lookup_t

Access control check for lookup

typedef int mpo_vnode_check_lookup_t( 
    kauth_cred_t cred, 
    struct vnode *dvp, 
    struct label *dlabel, 
    struct componentname *cnp );

Parameters

cred: Subject credential
dvp: Object vnode
dlabel: Policy label for dvp
cnp: Component name being looked up

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can perform a lookup in the passed directory vnode for the passed name (cnp).

mpo_vnode_check_open_t

Access control check for open

typedef int mpo_vnode_check_open_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label, 
    int acc_mode );

Parameters

cred: Subject credential
vp: Object vnode
label: Policy label associated with vp
acc_mode: open(2) access mode

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can perform an open operation on the passed vnode with the passed access mode.

mpo_vnode_check_read_t

Access control check for read

typedef int mpo_vnode_check_read_t( 
    kauth_cred_t active_cred, /* SUBJECT */
    kauth_cred_t file_cred, /* NULLOK */
    struct vnode *vp, /* OBJECT */
    struct label *label /* LABEL */
    );

Parameters

active_cred: Subject credential
file_cred: Credential associated with the struct fileproc
vp: Object vnode
label: Policy label for vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can perform a read operation on the passed vnode. The active_cred hold the credentials of the subject performing the operation, and file_cred holds the credentials of the subject that originally opened the file.

mpo_vnode_check_readdir_t

Access control check for read directory

typedef int mpo_vnode_check_readdir_t( 
    kauth_cred_t cred, /* SUBJECT */
    struct vnode *dvp, /* OBJECT */
    struct label *dlabel /* LABEL */
    );

Parameters

cred: Subject credential
dvp: Object directory vnode
dlabel: Policy label for dvp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can perform a readdir operation on the passed directory vnode.

mpo_vnode_check_readlink_t

Access control check for read link

typedef int mpo_vnode_check_readlink_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label );

Parameters

cred: Subject credential
vp: Object vnode
label: Policy label for vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can perform a readlink operation on the passed symlink vnode. This call can be made in a number of situations, including an explicit readlink call by the user process, or as a result of an implicit readlink during a name lookup by the process.

mpo_vnode_check_rename_from_t

Access control check for rename from

See:

mpo_vnode_check_rename_to_t

typedef int mpo_vnode_check_rename_from_t( 
    kauth_cred_t cred, 
    struct vnode *dvp, 
    struct label *dlabel, 
    struct vnode *vp, 
    struct label *label, 
    struct componentname *cnp );

Parameters

cred: Subject credential
dvp: Directory vnode
dlabel: Policy label associated with dvp
vp: vnode to be renamed
label: Policy label associated with vp
cnp: Component name for vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential should be allowed to rename the vnode vp to something else.

Due to VFS locking constraints (to make sure proper vnode locks are held during this entry point), the vnode relabel checks had to be split into two parts: relabel_from and relabel to.

mpo_vnode_check_rename_to_t

Access control check for rename to

See:

mpo_vnode_check_rename_from_t

typedef int mpo_vnode_check_rename_to_t( 
    kauth_cred_t cred, 
    struct vnode *dvp, 
    struct label *dlabel, 
    struct vnode *vp, /* NULLOK */
    struct label *label, /* NULLOK */
    int samedir, 
    struct componentname *cnp );

Parameters

cred: Subject credential
dvp: Directory vnode
dlabel: Policy label associated with dvp
vp: Overwritten vnode
label: Policy label associated with vp
samedir: Boolean; 1 if the source and destination directories are the same
cnp: Destination component name

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential should be allowed to rename to the vnode vp, into the directory dvp, or to the name represented by cnp. If there is no existing file to overwrite, vp and label will be NULL.

Due to VFS locking constraints (to make sure proper vnode locks are held during this entry point), the vnode relabel checks had to be split into two parts: relabel_from and relabel to.

mpo_vnode_check_revoke_t

Access control check for revoke

typedef int mpo_vnode_check_revoke_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label );

Parameters

cred: Subject credential
vp: Object vnode
label: Policy label for vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can revoke access to the passed vnode.

mpo_vnode_check_select_t

Access control check for select

typedef int mpo_vnode_check_select_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label, 
    int which );

Parameters

cred: Subject credential
vp: Object vnode
label: Policy label for vp
which: The operation selected on: FREAD or FWRITE

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

Discussion

Determine whether the subject identified by the credential can select the vnode.

mpo_vnode_check_setattrlist_t

Access control check for setting file attributes

typedef int mpo_vnode_check_setattrlist_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *vlabel, 
    struct attrlist *alist );

Parameters

cred: Subject credential
vp: Object vnode
vlabel: Policy label for vp
alist: List of attributes to set

Return Value

Discussion

Determine whether the subject identified by the credential can set various attributes of the specified vnode, or the filesystem or volume on which that vnode resides. See for definitions of the attributes.

mpo_vnode_check_setextattr_t

Access control check for setting extended attribute

typedef int mpo_vnode_check_setextattr_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label, 
    const char *name, 
    struct uio *uio );

Parameters

cred: Subject credential
vp: Object vnode
label: Policy label for vp
name: Extended attribute name
uio: I/O structure pointer

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can set the extended attribute of passed name and passed namespace on the passed vnode. Policies implementing security labels backed into extended attributes may want to provide additional protections for those attributes. Additionally, policies should avoid making decisions based on the data referenced from uio, as there is a potential race condition between this check and the actual operation. The uio may also be NULL if a delete operation is being performed.

mpo_vnode_check_setflags_t

Access control check for setting flags

typedef int mpo_vnode_check_setflags_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label, 
    u_long flags );

Parameters

cred: Subject credential
vp: Object vnode
label: Policy label for vp
flags: File flags; see chflags(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can set the passed flags on the passed vnode.

mpo_vnode_check_setmode_t

Access control check for setting mode

typedef int mpo_vnode_check_setmode_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label, 
    mode_t mode );

Parameters

cred: Subject credential
vp: Object vnode
label: Policy label for vp
mode: File mode; see chmod(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can set the passed mode on the passed vnode.

mpo_vnode_check_setowner_t

Access control check for setting uid and gid

typedef int mpo_vnode_check_setowner_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label, 
    uid_t uid, 
    gid_t gid );

Parameters

cred: Subject credential
vp: Object vnode
label: Policy label for vp
uid: User ID
gid: Group ID

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can set the passed uid and passed gid as file uid and file gid on the passed vnode. The IDs may be set to (-1) to request no update.

mpo_vnode_check_setutimes_t

Access control check for setting timestamps

typedef int mpo_vnode_check_setutimes_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label, 
    struct timespec atime, 
    struct timespec mtime );

Parameters

cred: Subject credential
vp: Object vnode
label: Policy label for vp
atime: Access time; see utimes(2)
mtime: Modification time; see utimes(2)

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can set the passed access timestamps on the passed vnode.

mpo_vnode_check_signature_t

Access control check after determining the code directory hash

typedef int mpo_vnode_check_signature_t(
    struct vnode *vp,
    struct label *label, 
    unsigned char *sha1,
    void *signature, 
    int size);

mpo_vnode_check_stat_t

Access control check for stat

typedef int mpo_vnode_check_stat_t( 
    struct ucred *active_cred, 
    struct ucred *file_cred, /* NULLOK */
    struct vnode *vp, 
    struct label *label );

Parameters

active_cred: Subject credential
file_cred: Credential associated with the struct fileproc
vp: Object vnode
label: Policy label for vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can stat the passed vnode. See stat(2) for more information. The active_cred hold the credentials of the subject performing the operation, and file_cred holds the credentials of the subject that originally opened the file.

mpo_vnode_check_truncate_t

Access control check for truncate/ftruncate

typedef int mpo_vnode_check_truncate_t( 
    kauth_cred_t active_cred, 
    kauth_cred_t file_cred, /* NULLOK */
    struct vnode *vp, 
    struct label *label );

Parameters

active_cred: Subject credential
file_cred: Credential associated with the struct fileproc
vp: Object vnode
label: Policy label for vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can perform a truncate operation on the passed vnode. The active_cred hold the credentials of the subject performing the operation, and file_cred holds the credentials of the subject that originally opened the file.

mpo_vnode_check_uipc_bind_t

Access control check for binding UNIX domain socket

typedef int mpo_vnode_check_uipc_bind_t( 
    kauth_cred_t cred, 
    struct vnode *dvp, 
    struct label *dlabel, 
    struct componentname *cnp, 
    struct vnode_attr *vap );

Parameters

cred: Subject credential
dvp: Directory vnode
dlabel: Policy label for dvp
cnp: Component name for dvp
vap: vnode attributes for vap

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can perform a bind operation on a UNIX domain socket with the passed parent directory, passed name information, and passed attribute information.

mpo_vnode_check_uipc_connect_t

Access control check for connecting UNIX domain socket

typedef int mpo_vnode_check_uipc_connect_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *label );

Parameters

cred: Subject credential
vp: Object vnode
label: Policy label associated with vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can perform a connect operation on the passed UNIX domain socket vnode.

mpo_vnode_check_unlink_t

Access control check for deleting vnode

See:

mpo_check_rename_to_t

typedef int mpo_vnode_check_unlink_t( 
    kauth_cred_t cred, 
    struct vnode *dvp, 
    struct label *dlabel, 
    struct vnode *vp, 
    struct label *label, 
    struct componentname *cnp );

Parameters

cred: Subject credential
dvp: Parent directory vnode
dlabel: Policy label for dvp
vp: Object vnode to delete
label: Policy label for vp
cnp: Component name for vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can delete a vnode from the passed parent directory and passed name information. This call may be made in a number of situations, including as a results of calls to unlink(2) and rmdir(2). Policies implementing this entry point should also implement mpo_check_rename_to to authorize deletion of objects as a result of being the target of a rename.

mpo_vnode_check_write_t

Access control check for write

typedef int mpo_vnode_check_write_t( 
    kauth_cred_t active_cred, 
    kauth_cred_t file_cred, /* NULLOK */
    struct vnode *vp, 
    struct label *label );

Parameters

active_cred: Subject credential
file_cred: Credential associated with the struct fileproc
vp: Object vnode
label: Policy label for vp

Return Value

Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

Discussion

Determine whether the subject identified by the credential can perform a write operation on the passed vnode. The active_cred hold the credentials of the subject performing the operation, and file_cred holds the credentials of the subject that originally opened the file.

mpo_vnode_label_associate_devfs_t

Associate a vnode with a devfs entry

typedef void mpo_vnode_label_associate_devfs_t( 
    struct mount *mp, 
    struct label *mntlabel, 
    struct devnode *de, 
    struct label *delabel, 
    struct vnode *vp, 
    struct label *vlabel );

Fields

mp: Devfs mount point
mntlabel: Devfs mount point label
de: Devfs directory entry
delabel: Label associated with de
vp: vnode associated with de
vlabel: Label associated with vp

Discussion

Fill in the label (vlabel) for a newly created devfs vnode. The label is typically derived from the label on the devfs directory entry or the label on the filesystem, supplied as parameters.

mpo_vnode_label_associate_extattr_t

Associate a label with a vnode

typedef int mpo_vnode_label_associate_extattr_t( 
    struct mount *mp, 
    struct label *mntlabel, 
    struct vnode *vp, 
    struct label *vlabel );

Parameters

mp: File system mount point
mntlabel: File system mount point label
vp: Vnode to label
vlabel: Label associated with vp

Return Value

In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

Discussion

Attempt to retrieve label information for the vnode, vp, from the file system extended attribute store. The label should be stored in the supplied vlabel parameter. If a policy cannot retrieve an extended attribute, sometimes it is acceptible to fallback to using the mntlabel.

If the policy requires vnodes to have a valid label elsewhere it MUST NOT return other than temporary errors, and must always provide a valid label of some sort. Returning an error will cause vnode labeling to be retried at a later access. Failure to handle policy centric errors internally (corrupt labels etc.) will result in inaccessible files.

mpo_vnode_label_associate_file_t

Associate a file label with a vnode

typedef void mpo_vnode_label_associate_file_t( 
    struct ucred *cred, 
    struct mount *mp, 
    struct label *mntlabel, 
    struct fileglob *fg, 
    struct label *label, 
    struct vnode *vp, 
    struct label *vlabel );

Fields

cred: User credential
mp: Fdesc mount point
mntlabel: Fdesc mount point label
fg: Fileglob structure
label: Policy label for fg
vp: Vnode to label
vlabel: Label associated with vp

Discussion

Associate label information for the vnode, vp, with the label of the open file descriptor described by fg. The label should be stored in the supplied vlabel parameter.

mpo_vnode_label_associate_pipe_t

Associate a pipe label with a vnode

typedef void mpo_vnode_label_associate_pipe_t( 
    struct ucred *cred, 
    struct pipe *cpipe, 
    struct label *pipelabel, 
    struct vnode *vp, 
    struct label *vlabel );

Fields

cred: User credential for the process that opened the pipe
cpipe: Pipe structure
pipelabel: Label associated with pipe
vp: Vnode to label
vlabel: Label associated with vp

Discussion

Associate label information for the vnode, vp, with the label of the pipe described by the pipe structure cpipe. The label should be stored in the supplied vlabel parameter.

mpo_vnode_label_associate_posixsem_t

Associate a POSIX semaphore label with a vnode

typedef void mpo_vnode_label_associate_posixsem_t( 
    struct ucred *cred, 
    struct pseminfo *psem, 
    struct label *psemlabel, 
    struct vnode *vp, 
    struct label *vlabel );

Fields

cred: User credential for the process that create psem
psem: POSIX semaphore structure
psemlabel: Label associated with psem
vp: Vnode to label
vlabel: Label associated with vp

Discussion

Associate label information for the vnode, vp, with the label of the POSIX semaphore described by psem. The label should be stored in the supplied vlabel parameter.

mpo_vnode_label_associate_posixshm_t

Associate a POSIX shared memory label with a vnode

typedef void mpo_vnode_label_associate_posixshm_t( 
    struct ucred *cred, 
    struct pshminfo *pshm, 
    struct label *pshmlabel, 
    struct vnode *vp, 
    struct label *vlabel );

Fields

cred: User credential for the process that created pshm
pshm: POSIX shared memory structure
pshmlabel: Label associated with pshm
vp: Vnode to label
vlabel: Label associated with vp

Discussion

Associate label information for the vnode, vp, with the label of the POSIX shared memory region described by pshm. The label should be stored in the supplied vlabel parameter.

mpo_vnode_label_associate_singlelabel_t

Associate a label with a vnode

typedef void mpo_vnode_label_associate_singlelabel_t( 
    struct mount *mp, 
    struct label *mntlabel, 
    struct vnode *vp, 
    struct label *vlabel );

Fields

mp: File system mount point
mntlabel: File system mount point label
vp: Vnode to label
vlabel: Label associated with vp

Discussion

On non-multilabel file systems, set the label for a vnode. The label will most likely be based on the file system label.

mpo_vnode_label_associate_socket_t

Associate a socket label with a vnode

typedef void mpo_vnode_label_associate_socket_t( 
    kauth_cred_t cred, 
    socket_t so, 
    struct label *solabel, 
    struct vnode *vp, 
    struct label *vlabel );

Fields

cred: User credential for the process that opened the socket
so: Socket structure
solabel: Label associated with so
vp: Vnode to label
vlabel: Label associated with vp

Discussion

Associate label information for the vnode, vp, with the label of the open socket described by the socket structure so. The label should be stored in the supplied vlabel parameter.

mpo_vnode_label_copy_t

Copy a vnode label

typedef void mpo_vnode_label_copy_t( 
    struct label *src, 
    struct label *dest );

Fields

src: Source vnode label
dest: Destination vnode label

Discussion

Copy the vnode label information from src to dest. On Darwin, this is currently only necessary when executing interpreted scripts, but will later be used if vnode label externalization cannot be an atomic operation.

mpo_vnode_label_destroy_t

Destroy vnode label

typedef void mpo_vnode_label_destroy_t( 
    struct label *label );

Fields

label: The label to be destroyed

Discussion

Destroy a vnode label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

mpo_vnode_label_externalize_audit_t

Externalize a vnode label for auditing

typedef int mpo_vnode_label_externalize_audit_t( 
    struct label *label, 
    char *element_name, 
    struct sbuf *sb );

Parameters

label: Label to be externalized
element_name: Name of the label namespace for which labels should be externalized
sb: String buffer to be filled with a text representation of the label

Return Value

0 on success, return non-zero if an error occurs while externalizing the label data.

Discussion

Produce an external representation of the label on a vnode suitable for inclusion in an audit record. An externalized label consists of a text representation of the label contents that will be added to the audit record as part of a text token. Policy-agnostic user space tools will display this externalized version.

mpo_vnode_label_externalize_t

Externalize a vnode label

typedef int mpo_vnode_label_externalize_t( 
    struct label *label, 
    char *element_name, 
    struct sbuf *sb );

Parameters

label: Label to be externalized
element_name: Name of the label namespace for which labels should be externalized
sb: String buffer to be filled with a text representation of the label

Return Value

0 on success, return non-zero if an error occurs while externalizing the label data.

Discussion

Produce an external representation of the label on a vnode. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

mpo_vnode_label_init_t

Initialize vnode label

typedef void mpo_vnode_label_init_t( 
    struct label *label );

Fields

label: New label to initialize

Discussion

Initialize label storage for use with a newly instantiated vnode, or for temporary storage associated with the copying in or out of a vnode label. While it is necessary to allocate space for a kernel-resident vnode label, it is not yet necessary to link this vnode with persistent label storage facilities, such as extended attributes. Sleeping is permitted.

mpo_vnode_label_internalize_t

Internalize a vnode label

typedef int mpo_vnode_label_internalize_t( 
    struct label *label, 
    char *element_name, 
    char *element_data );

Parameters

label: Label to be internalized
element_name: Name of the label namespace for which the label should be internalized
element_data: Text data to be internalized

Return Value

0 on success, Otherwise, return non-zero if an error occurs while internalizing the label data.

Discussion

Produce a vnode label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward text version to the kernel for processing by individual policy modules.

The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

mpo_vnode_label_recycle_t

Clean up a vnode label

typedef void mpo_vnode_label_recycle_t( 
    struct label *label );

Fields

label: The label to be cleaned for re-use

Discussion

Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but typically never frees them. Before vnodes are placed back on free lists for re-use, policies can cleanup or overwrite any information present in the label.

mpo_vnode_label_store_t

Write a label to a extended attribute

typedef int mpo_vnode_label_store_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *vlabel, 
    struct label *intlabel );

Parameters

cred: Subject credential
vp: The vnode for which the label is being stored
vlabel: Label associated with vp
intlabel: The new label to store

Return Value

In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

WARNING:

XXX After examining the extended attribute implementation on Apple's future release, this entry point may be changed.

Discussion

Store a new label in the extended attribute corresponding to the supplied vnode. The policy has already authorized the operation; this call must be implemented in order to perform the actual operation.

mpo_vnode_label_update_extattr_t

Update vnode label from extended attributes

See:

mpo_vnode_check_setextattr_t

typedef int mpo_vnode_label_update_extattr_t( 
    struct mount *mp, 
    struct label *mntlabel, 
    struct vnode *vp, 
    struct label *vlabel, 
    const char *name );

Fields

mp: File system mount point
mntlabel: Mount point label
vp: Vnode to label
vlabel: Label associated with vp
name: Name of the xattr

Discussion

When an extended attribute is updated via the Vendor attribute management functions, the MAC vnode label might also require an update. Policies should first determine if 'name' matches their xattr label name. If it does, the kernel is has either replaced or removed the named extended attribute that was previously associated with the vnode. Normally labels should only be modified via MAC Framework label management calls, but sometimes the user space components will directly modify extended attributes. For example, 'cp', 'tar', etc. manage extended attributes in userspace, not the kernel.

This entry point is called after the label update has occurred, so it cannot return a failure. However, the operation is preceded by the mpo_vnode_check_setextattr() access control check.

If the vnode label needs to be updated the policy should return a non-zero value. The vnode label will be marked for re-association by the framework.

mpo_vnode_label_update_t

Update a vnode label

See:

mpo_vnode_check_label_update_t

typedef void mpo_vnode_label_update_t( 
    kauth_cred_t cred, 
    struct vnode *vp, 
    struct label *vnodelabel, 
    struct label *label );

Fields

cred: Subject credential
vp: The vnode to relabel
vnodelabel: Existing vnode label
label: New label to replace existing label

Discussion

The subject identified by the credential has previously requested and was authorized to relabel the vnode; this entry point allows policies to perform the actual relabel operation. Policies should update vnodelabel using the label stored in the label parameter.

mpo_vnode_notify_create_t

Create a new vnode, backed by extended attributes

typedef int mpo_vnode_notify_create_t( 
    kauth_cred_t cred, 
    struct mount *mp, 
    struct label *mntlabel, 
    struct vnode *dvp, 
    struct label *dlabel, 
    struct vnode *vp, 
    struct label *vlabel, 
    struct componentname *cnp );

Parameters

cred: User credential for the creating process
mp: File system mount point
mntlabel: File system mount point label
dvp: Parent directory vnode
dlabel: Parent directory vnode label
vp: Newly created vnode
vlabel: Label to associate with the new vnode
cnp: Component name for vp

Return Value

If the operation succeeds, store the new label in vlabel and return 0. Otherwise, return an appropriate errno value.

Discussion

Write out the label for the newly created vnode, most likely storing the results in a file system extended attribute. Most policies will derive the new vnode label using information from a combination of the subject (user) credential, the file system label, the parent directory label, and potentially the path name component.

Structs and Unions

mac_policy_conf: Mac policy configuration
mac_policy_ops

mac_policy_conf

Mac policy configuration

/* XXX - reorder these for better aligment on 64bit platforms */
struct mac_policy_conf { 
    const char *mpc_name; /** policy name */
    const char *mpc_fullname; /** full name */
    const char **mpc_labelnames; /** managed label namespaces */
    unsigned int mpc_labelname_count; /** number of managed label namespaces 
        */
    struct mac_policy_ops *mpc_ops; /** operation vector */
    int mpc_loadtime_flags; /** load time flags */
    int *mpc_field_off; /** label slot */
    int mpc_runtime_flags; /** run time flags */
    mpc_t mpc_list; /** List reference */
    void *mpc_data; /** module data */
};

Discussion

This structure specifies the configuration information for a MAC policy module. A policy module developer must supply a short unique policy name, a more descriptive full name, a list of label namespaces and count, a pointer to the registered enty point operations, any load time flags, and optionally, a pointer to a label slot identifier.

The Framework will update the runtime flags (mpc_runtime_flags) to indicate that the module has been registered.

If the label slot identifier (mpc_field_off) is NULL, the Framework will not provide label storage for the policy. Otherwise, the Framework will store the label location (slot) in this field.

The mpc_list field is used by the Framework and should not be modified by policies.

mac_policy_ops

struct mac_policy_ops { 
    mpo_audit_check_postselect_t *mpo_audit_check_postselect; 
    mpo_audit_check_preselect_t *mpo_audit_check_preselect; 
    mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate; 
    mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy; 
    mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init; 
    mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive; 
    mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; 
    mpo_cred_check_label_update_t *mpo_cred_check_label_update; 
    mpo_cred_check_visible_t *mpo_cred_check_visible; 
    mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork; 
    mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel; 
    mpo_cred_label_associate_t *mpo_cred_label_associate; 
    mpo_cred_label_associate_user_t *mpo_cred_label_associate_user; 
    mpo_cred_label_destroy_t *mpo_cred_label_destroy; 
    mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit; 
    mpo_cred_label_externalize_t *mpo_cred_label_externalize; 
    mpo_cred_label_init_t *mpo_cred_label_init; 
    mpo_cred_label_internalize_t *mpo_cred_label_internalize; 
    mpo_cred_label_update_execve_t *mpo_cred_label_update_execve; 
    mpo_cred_label_update_t *mpo_cred_label_update; 
    mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device; 
    mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory; 
    mpo_devfs_label_copy_t *mpo_devfs_label_copy; 
    mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; 
    mpo_devfs_label_init_t *mpo_devfs_label_init; 
    mpo_devfs_label_update_t *mpo_devfs_label_update; 
    mpo_file_check_change_offset_t *mpo_file_check_change_offset; 
    mpo_file_check_create_t *mpo_file_check_create; 
    mpo_file_check_dup_t *mpo_file_check_dup; 
    mpo_file_check_fcntl_t *mpo_file_check_fcntl; 
    mpo_file_check_get_offset_t *mpo_file_check_get_offset; 
    mpo_file_check_get_t *mpo_file_check_get; 
    mpo_file_check_inherit_t *mpo_file_check_inherit; 
    mpo_file_check_ioctl_t *mpo_file_check_ioctl; 
    mpo_file_check_lock_t *mpo_file_check_lock; 
    mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade; 
    mpo_file_check_mmap_t *mpo_file_check_mmap; 
    mpo_file_check_receive_t *mpo_file_check_receive; 
    mpo_file_check_set_t *mpo_file_check_set; 
    mpo_file_label_init_t *mpo_file_label_init; 
    mpo_file_label_destroy_t *mpo_file_label_destroy; 
    mpo_file_label_associate_t *mpo_file_label_associate; 
    mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update; 
    mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit; 
    mpo_ifnet_label_associate_t *mpo_ifnet_label_associate; 
    mpo_ifnet_label_copy_t *mpo_ifnet_label_copy; 
    mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy; 
    mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize; 
    mpo_ifnet_label_init_t *mpo_ifnet_label_init; 
    mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize; 
    mpo_ifnet_label_update_t *mpo_ifnet_label_update; 
    mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle; 
    mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver; 
    mpo_inpcb_label_associate_t *mpo_inpcb_label_associate; 
    mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy; 
    mpo_inpcb_label_init_t *mpo_inpcb_label_init; 
    mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle; 
    mpo_inpcb_label_update_t *mpo_inpcb_label_update; 
    mpo_iokit_check_device_t *mpo_iokit_check_device; 
    mpo_ipq_label_associate_t *mpo_ipq_label_associate; 
    mpo_ipq_label_compare_t *mpo_ipq_label_compare; 
    mpo_ipq_label_destroy_t *mpo_ipq_label_destroy; 
    mpo_ipq_label_init_t *mpo_ipq_label_init; 
    mpo_ipq_label_update_t *mpo_ipq_label_update; 
    mpo_lctx_check_label_update_t *mpo_lctx_check_label_update; 
    mpo_lctx_label_destroy_t *mpo_lctx_label_destroy; 
    mpo_lctx_label_externalize_t *mpo_lctx_label_externalize; 
    mpo_lctx_label_init_t *mpo_lctx_label_init; 
    mpo_lctx_label_internalize_t *mpo_lctx_label_internalize; 
    mpo_lctx_label_update_t *mpo_lctx_label_update; 
    mpo_lctx_notify_create_t *mpo_lctx_notify_create; 
    mpo_lctx_notify_join_t *mpo_lctx_notify_join; 
    mpo_lctx_notify_leave_t *mpo_lctx_notify_leave; 
    mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc; 
    mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet; 
    mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb; 
    mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq; 
    mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer; 
    mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap; 
    mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer; 
    mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket; 
    mpo_mbuf_label_copy_t *mpo_mbuf_label_copy; 
    mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy; 
    mpo_mbuf_label_init_t *mpo_mbuf_label_init; 
    mpo_mount_check_fsctl_t *mpo_mount_check_fsctl; 
    mpo_mount_check_getattr_t *mpo_mount_check_getattr; 
    mpo_mount_check_label_update_t *mpo_mount_check_label_update; 
    mpo_mount_check_mount_t *mpo_mount_check_mount; 
    mpo_mount_check_remount_t *mpo_mount_check_remount; 
    mpo_mount_check_setattr_t *mpo_mount_check_setattr; 
    mpo_mount_check_stat_t *mpo_mount_check_stat; 
    mpo_mount_check_umount_t *mpo_mount_check_umount; 
    mpo_mount_label_associate_t *mpo_mount_label_associate; 
    mpo_mount_label_destroy_t *mpo_mount_label_destroy; 
    mpo_mount_label_externalize_t *mpo_mount_label_externalize; 
    mpo_mount_label_init_t *mpo_mount_label_init; 
    mpo_mount_label_internalize_t *mpo_mount_label_internalize; 
    mpo_netinet_fragment_t *mpo_netinet_fragment; 
    mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply; 
    mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply; 
    mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; 
    mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; 
    mpo_pipe_check_label_update_t *mpo_pipe_check_label_update; 
    mpo_pipe_check_read_t *mpo_pipe_check_read; 
    mpo_pipe_check_select_t *mpo_pipe_check_select; 
    mpo_pipe_check_stat_t *mpo_pipe_check_stat; 
    mpo_pipe_check_write_t *mpo_pipe_check_write; 
    mpo_pipe_label_associate_t *mpo_pipe_label_associate; 
    mpo_pipe_label_copy_t *mpo_pipe_label_copy; 
    mpo_pipe_label_destroy_t *mpo_pipe_label_destroy; 
    mpo_pipe_label_externalize_t *mpo_pipe_label_externalize; 
    mpo_pipe_label_init_t *mpo_pipe_label_init; 
    mpo_pipe_label_internalize_t *mpo_pipe_label_internalize; 
    mpo_pipe_label_update_t *mpo_pipe_label_update; 
    mpo_policy_destroy_t *mpo_policy_destroy; 
    mpo_policy_init_t *mpo_policy_init; 
    mpo_policy_initbsd_t *mpo_policy_initbsd; 
    mpo_policy_syscall_t *mpo_policy_syscall; 
    mpo_port_check_copy_send_t *mpo_port_check_copy_send; 
    mpo_port_check_hold_receive_t *mpo_port_check_hold_receive; 
    mpo_port_check_hold_send_once_t *mpo_port_check_hold_send_once; 
    mpo_port_check_hold_send_t *mpo_port_check_hold_send; 
    mpo_port_check_label_update_t *mpo_port_check_label_update; 
    mpo_port_check_make_send_once_t *mpo_port_check_make_send_once; 
    mpo_port_check_make_send_t *mpo_port_check_make_send; 
    mpo_port_check_method_t *mpo_port_check_method; 
    mpo_port_check_move_receive_t *mpo_port_check_move_receive; 
    mpo_port_check_move_send_once_t *mpo_port_check_move_send_once; 
    mpo_port_check_move_send_t *mpo_port_check_move_send; 
    mpo_port_check_receive_t *mpo_port_check_receive; 
    mpo_port_check_send_t *mpo_port_check_send; 
    mpo_port_check_service_t *mpo_port_check_service; 
    mpo_port_label_associate_kernel_t *mpo_port_label_associate_kernel; 
    mpo_port_label_associate_t *mpo_port_label_associate; 
    mpo_port_label_compute_t *mpo_port_label_compute; 
    mpo_port_label_copy_t *mpo_port_label_copy; 
    mpo_port_label_destroy_t *mpo_port_label_destroy; 
    mpo_port_label_init_t *mpo_port_label_init; 
    mpo_port_label_update_cred_t *mpo_port_label_update_cred; 
    mpo_port_label_update_kobject_t *mpo_port_label_update_kobject; 
    mpo_posixsem_check_create_t *mpo_posixsem_check_create; 
    mpo_posixsem_check_open_t *mpo_posixsem_check_open; 
    mpo_posixsem_check_post_t *mpo_posixsem_check_post; 
    mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink; 
    mpo_posixsem_check_wait_t *mpo_posixsem_check_wait; 
    mpo_posixsem_label_associate_t *mpo_posixsem_label_associate; 
    mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy; 
    mpo_posixsem_label_init_t *mpo_posixsem_label_init; 
    mpo_posixshm_check_create_t *mpo_posixshm_check_create; 
    mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap; 
    mpo_posixshm_check_open_t *mpo_posixshm_check_open; 
    mpo_posixshm_check_stat_t *mpo_posixshm_check_stat; 
    mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate; 
    mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink; 
    mpo_posixshm_label_associate_t *mpo_posixshm_label_associate; 
    mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy; 
    mpo_posixshm_label_init_t *mpo_posixshm_label_init; 
    mpo_proc_check_debug_t *mpo_proc_check_debug; 
    mpo_proc_check_fork_t *mpo_proc_check_fork; 
    mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name; 
    mpo_proc_check_get_task_t *mpo_proc_check_get_task; 
    mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; 
    mpo_proc_check_getauid_t *mpo_proc_check_getauid; 
    mpo_proc_check_getlcid_t *mpo_proc_check_getlcid; 
    mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; 
    mpo_proc_check_sched_t *mpo_proc_check_sched; 
    mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; 
    mpo_proc_check_setauid_t *mpo_proc_check_setauid; 
    mpo_proc_check_setlcid_t *mpo_proc_check_setlcid; 
    mpo_proc_check_signal_t *mpo_proc_check_signal; 
    mpo_proc_check_wait_t *mpo_proc_check_wait; 
    mpo_proc_label_destroy_t *mpo_proc_label_destroy; 
    mpo_proc_label_init_t *mpo_proc_label_init; 
    mpo_socket_check_accept_t *mpo_socket_check_accept; 
    mpo_socket_check_accepted_t *mpo_socket_check_accepted; 
    mpo_socket_check_bind_t *mpo_socket_check_bind; 
    mpo_socket_check_connect_t *mpo_socket_check_connect; 
    mpo_socket_check_create_t *mpo_socket_check_create; 
    mpo_socket_check_deliver_t *mpo_socket_check_deliver; 
    mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter; 
    mpo_socket_check_label_update_t *mpo_socket_check_label_update; 
    mpo_socket_check_listen_t *mpo_socket_check_listen; 
    mpo_socket_check_receive_t *mpo_socket_check_receive; 
    mpo_socket_check_received_t *mpo_socket_check_received; 
    mpo_socket_check_select_t *mpo_socket_check_select; 
    mpo_socket_check_send_t *mpo_socket_check_send; 
    mpo_socket_check_stat_t *mpo_socket_check_stat; 
    mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt; 
    mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt; 
    mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept; 
    mpo_socket_label_associate_t *mpo_socket_label_associate; 
    mpo_socket_label_copy_t *mpo_socket_label_copy; 
    mpo_socket_label_destroy_t *mpo_socket_label_destroy; 
    mpo_socket_label_externalize_t *mpo_socket_label_externalize; 
    mpo_socket_label_init_t *mpo_socket_label_init; 
    mpo_socket_label_internalize_t *mpo_socket_label_internalize; 
    mpo_socket_label_update_t *mpo_socket_label_update; 
    mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf; 
    mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket; 
    mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy; 
    mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize; 
    mpo_socketpeer_label_init_t *mpo_socketpeer_label_init; 
    mpo_system_check_acct_t *mpo_system_check_acct; 
    mpo_system_check_audit_t *mpo_system_check_audit; 
    mpo_system_check_auditctl_t *mpo_system_check_auditctl; 
    mpo_system_check_auditon_t *mpo_system_check_auditon; 
    mpo_system_check_host_priv_t *mpo_system_check_host_priv; 
    mpo_system_check_nfsd_t *mpo_system_check_nfsd; 
    mpo_system_check_reboot_t *mpo_system_check_reboot; 
    mpo_system_check_settime_t *mpo_system_check_settime; 
    mpo_system_check_swapoff_t *mpo_system_check_swapoff; 
    mpo_system_check_swapon_t *mpo_system_check_swapon; 
    mpo_system_check_sysctl_t *mpo_system_check_sysctl; 
    mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate; 
    mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy; 
    mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init; 
    mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle; 
    mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue; 
    mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv; 
    mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid; 
    mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl; 
    mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget; 
    mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv; 
    mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd; 
    mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate; 
    mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy; 
    mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init; 
    mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle; 
    mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl; 
    mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget; 
    mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop; 
    mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate; 
    mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy; 
    mpo_sysvsem_label_init_t *mpo_sysvsem_label_init; 
    mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle; 
    mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat; 
    mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl; 
    mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt; 
    mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget; 
    mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate; 
    mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy; 
    mpo_sysvshm_label_init_t *mpo_sysvshm_label_init; 
    mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle; 
    mpo_task_label_associate_kernel_t *mpo_task_label_associate_kernel; 
    mpo_task_label_associate_t *mpo_task_label_associate; 
    mpo_task_label_copy_t *mpo_task_label_copy; 
    mpo_task_label_destroy_t *mpo_task_label_destroy; 
    mpo_task_label_externalize_t *mpo_task_label_externalize; 
    mpo_task_label_init_t *mpo_task_label_init; 
    mpo_task_label_internalize_t *mpo_task_label_internalize; 
    mpo_task_label_update_t *mpo_task_label_update; 
    mpo_thread_userret_t *mpo_thread_userret; 
    mpo_vnode_check_access_t *mpo_vnode_check_access; 
    mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; 
    mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; 
    mpo_vnode_check_create_t *mpo_vnode_check_create; 
    mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr; 
    mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata; 
    mpo_vnode_check_exec_t *mpo_vnode_check_exec; 
    mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist; 
    mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr; 
    mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl; 
    mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter; 
    mpo_vnode_check_label_update_t *mpo_vnode_check_label_update; 
    mpo_vnode_check_link_t *mpo_vnode_check_link; 
    mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; 
    mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; 
    mpo_vnode_check_open_t *mpo_vnode_check_open; 
    mpo_vnode_check_read_t *mpo_vnode_check_read; 
    mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; 
    mpo_vnode_check_readlink_t *mpo_vnode_check_readlink; 
    mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from; 
    mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to; 
    mpo_vnode_check_revoke_t *mpo_vnode_check_revoke; 
    mpo_vnode_check_select_t *mpo_vnode_check_select; 
    mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist; 
    mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr; 
    mpo_vnode_check_setflags_t *mpo_vnode_check_setflags; 
    mpo_vnode_check_setmode_t *mpo_vnode_check_setmode; 
    mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; 
    mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; 
    mpo_vnode_check_stat_t *mpo_vnode_check_stat; 
    mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; 
    mpo_vnode_check_unlink_t *mpo_vnode_check_unlink; 
    mpo_vnode_check_write_t *mpo_vnode_check_write; 
    mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs; 
    mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr; 
    mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file; 
    mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe; 
    mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem; 
    mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm; 
    mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel; 
    mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket; 
    mpo_vnode_label_copy_t *mpo_vnode_label_copy; 
    mpo_vnode_label_destroy_t *mpo_vnode_label_destroy; 
    mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit; 
    mpo_vnode_label_externalize_t *mpo_vnode_label_externalize; 
    mpo_vnode_label_init_t *mpo_vnode_label_init; 
    mpo_vnode_label_internalize_t *mpo_vnode_label_internalize; 
    mpo_vnode_label_recycle_t *mpo_vnode_label_recycle; 
    mpo_vnode_label_store_t *mpo_vnode_label_store; 
    mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr; 
    mpo_vnode_label_update_t *mpo_vnode_label_update; 
    mpo_vnode_notify_create_t *mpo_vnode_notify_create; 
    mpo_vnode_check_signature_t *mpo_vnode_check_signature; 
    mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind; 
    mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect; 
    mac_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid; 
    mpo_reserved_hook_t *mpo_reserved4; 
    mpo_reserved_hook_t *mpo_reserved5; 
    mpo_reserved_hook_t *mpo_reserved6; 
    mpo_reserved_hook_t *mpo_reserved7; 
    mpo_reserved_hook_t *mpo_reserved8; 
    mpo_reserved_hook_t *mpo_reserved9; 
};

Discussion

\struct mac_policy_ops

Macro Definitions

_KAUTH_CRED_T
dummy
MAC_NOWAIT: Allocation operations may not block
MAC_WAITOK: Allocation operations may block
MPC_LOADTIME_BASE_POLICY: Flag to indicate a base policy
MPC_LOADTIME_FLAG_LABELMBUFS: Unsupported
MPC_LOADTIME_FLAG_NOTLATE: Flag to indicate registration preference
MPC_LOADTIME_FLAG_UNLOADOK: Flag to indicate unload preference
MPC_RUNTIME_FLAG_REGISTERED: Policy registration flag

_KAUTH_CRED_T

See Also:

dummy
dummy
kauth_cred_t

#define _KAUTH_CRED_T

dummy

See Also:

_KAUTH_CRED_T
dummy
kauth_cred_t

#define _KAUTH_CRED_T

MAC_NOWAIT

Allocation operations may not block

#define MAC_NOWAIT 1

Discussion

Rather than blocking, the allocator may return an error if memory is not immediately available. This type of allocation will not sleep, preserving locking semantics.

MAC_WAITOK

Allocation operations may block

#define MAC_WAITOK 0

Discussion

If memory is not immediately available, the allocation routine will block (typically sleeping) until memory is available.

WARNING:

Inappropriate use of this flag may cause kernel panics.

MPC_LOADTIME_BASE_POLICY

Flag to indicate a base policy

#define MPC_LOADTIME_BASE_POLICY 0x00000008

Discussion

This flag indicates that the policy module is a base policy. Only one module can declare itself as base, otherwise the boot process will be halted.

MPC_LOADTIME_FLAG_LABELMBUFS

Unsupported

#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004

Discussion

XXX This flag is not yet supported.

MPC_LOADTIME_FLAG_NOTLATE

Flag to indicate registration preference

#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001

Discussion

This flag indicates that the policy module must be loaded and initialized early in the boot process. If the flag is specified, attempts to register the module following boot will be rejected. The flag may be used by policies that require pervasive labeling of all system objects, and cannot handle objects that have not been properly initialized by the policy.

MPC_LOADTIME_FLAG_UNLOADOK

Flag to indicate unload preference

#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002

Discussion

This flag indicates that the policy module may be unloaded. If this flag is not set, then the policy framework will reject requests to unload the module. This flag might be used by modules that allocate label state and are unable to free that state at runtime, or for modules that simply do not want to permit unload operations.

MPC_RUNTIME_FLAG_REGISTERED

Policy registration flag

See:

mac_policy_conf

#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001

Discussion

This flag indicates that the policy module has been successfully registered with the TrustedBSD MAC Framework. The Framework will set this flag in the mpc_runtime_flags field of the policy's mac_policy_conf structure after registering the policy.

Last Updated: 2009-10-14