Merged PR 529759: Update XNU security headers

Updated the XNU security header files to the latest available version, adjusted the project / compilation settings so everything compiles without issues, and switched to fetching the XNU sources as a dependency via our DownloadResolver.
Kristijan Simic 2020-01-20 14:24:46 +00:00
Родитель 83deedddff
Коммит 8fad7a6ebb
14 изменённых файлов: 56 добавлений и 8613 удалений


@ -9,7 +9,7 @@ To run BuildXL on macOS you need to install:
* The latest [Mono](https://www.mono-project.com/download/stable/) runtime * The latest [Mono](https://www.mono-project.com/download/stable/) runtime
* If you want to run and load the sandbox to enable fully observed and cacheable builds, you also have to [turn off System Integrity Protection](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) (SIP) on macOS. SIP blocks the installation of the unsigned kernel extension (or Kext) produced by the build. * If you want to run and load the sandbox to enable fully observed and cacheable builds, you also have to [turn off System Integrity Protection](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) (SIP) on macOS. SIP blocks the installation of the unsigned kernel extension (or Kext) produced by the build.
* Latest version of xcode * Latest version of xcode
* XCode 10.3. Obtainable from https://developer.apple.com/download/more/. After downloading, either adjust this path to where you have placed the tool or put everything into your /Applications folder, renaming the app to 'Xcode_10.3' so the xcodebuild executable can be found * Xcode 10.3. Obtainable from https://developer.apple.com/download/more/. After downloading, either adjust this path to where you have placed the tool or put everything into your /Applications folder, renaming the app to 'Xcode_10.3' so the xcodebuild executable can be found
# Performing a build # Performing a build
`bxl.cmd` (and `./bxl.sh`) are the entry points to building BuildXL. They provide some shorthands for common tasks to prevent developers from needing to specify longer command line options. While most examples below are based off of bxl.cmd for Windows, there will most times be a bxl.sh equivalent for macOS. `bxl.cmd` (and `./bxl.sh`) are the entry points to building BuildXL. They provide some shorthands for common tasks to prevent developers from needing to specify longer command line options. While most examples below are based off of bxl.cmd for Windows, there will most times be a bxl.sh equivalent for macOS.


@ -3,7 +3,7 @@
import {Artifact, Cmd, Transformer} from "Sdk.Transformers"; import {Artifact, Cmd, Transformer} from "Sdk.Transformers";
export namespace XCode { export namespace Xcode {
const userName = Environment.getStringValue("USER") || ""; const userName = Environment.getStringValue("USER") || "";
@@public @@public
@ -18,6 +18,18 @@ export namespace XCode {
| "install-src" | "install-src"
| "clean"; | "clean";
@@public
export interface HeaderSearchPath {
/** Type of header search path location */
type: "system" | "user";
/** Location where the custom headers can be found */
directory: StaticDirectory;
/** Recursively enumrate target location */
recursive: boolean;
}
@@public @@public
export interface Arguments { export interface Arguments {
/** Location where the outputs go */ /** Location where the outputs go */
@ -64,6 +76,9 @@ export namespace XCode {
/** override xcodebuild default location */ /** override xcodebuild default location */
overrideXcodeBuildPath?: File; overrideXcodeBuildPath?: File;
/** allow for a custom header search locations */
headerSearchPaths?: HeaderSearchPath[];
} }
@@public @@public
@ -72,6 +87,9 @@ export namespace XCode {
const wd = Context.getNewOutputDirectory("xcodebuild"); const wd = Context.getNewOutputDirectory("xcodebuild");
const customSystemHeaderSearchPaths = (args.headerSearchPaths || []).filter(hp => hp.type === "system").map(hp => p`${hp.directory.path}/${hp.recursive ? '**' : ''}`);
const customUserHeaderSearchPaths = (args.headerSearchPaths || []).filter(hp => hp.type === "user").map(hp => p`${hp.directory.path}/${hp.recursive ? '**' : ''}`);
const exeArgs: Transformer.ExecuteArguments = { const exeArgs: Transformer.ExecuteArguments = {
tool: args.tool || { tool: args.tool || {
exe: args.overrideXcodeBuildPath || f`/usr/bin/xcodebuild`, exe: args.overrideXcodeBuildPath || f`/usr/bin/xcodebuild`,
@ -91,6 +109,10 @@ export namespace XCode {
Cmd.option("-arch ", args.arch), Cmd.option("-arch ", args.arch),
Cmd.option("-derivedDataPath ", Artifact.output(args.derivedDataPath)), Cmd.option("-derivedDataPath ", Artifact.output(args.derivedDataPath)),
Cmd.option("-xcconfig ", Artifact.input(args.xcconfig)), Cmd.option("-xcconfig ", Artifact.input(args.xcconfig)),
Cmd.option("SYSTEM_HEADER_SEARCH_PATHS=", Cmd.join(" ", customSystemHeaderSearchPaths)),
Cmd.option("HEADER_SEARCH_PATHS=", Cmd.join(" ", customUserHeaderSearchPaths)),
Cmd.flag("-allTargets ", args.allTargets), Cmd.flag("-allTargets ", args.allTargets),
Cmd.args(args.actions) Cmd.args(args.actions)
], ],
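Review bot: The directories in `headerSearchPaths` are used only for their path string (lines 51-52) and are never declared as inputs of the pip, so `execute` relies on every caller to also list them under `dependencies`; a caller that forgets gets an undeclared-read violation or, worse, a stale cache hit when the headers change. I would add `...(args.headerSearchPaths || []).map(hp => hp.directory)` to the pip's dependency list inside `execute` so the contract is enforced in one place. The two `Cmd.option(...)` lines at 60-61 also emit the setting when the list is empty; if `Cmd.option` does not drop an empty value, `SYSTEM_HEADER_SEARCH_PATHS=` on the command line overrides whatever the project file sets, so guarding with `customSystemHeaderSearchPaths.length > 0 ? ... : undefined` is safer. Finally, `Cmd.join(" ", ...)` builds the whitespace-separated list without quoting, so a search path containing a space would be split into two entries; wrapping each entry in double quotes is the usual fix. The body of `execute` continues past the end of the hunk.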


@ -1158,6 +1158,7 @@
INFOPLIST_FILE = ""; INFOPLIST_FILE = "";
MTL_ENABLE_DEBUG_INFO = YES; MTL_ENABLE_DEBUG_INFO = YES;
ONLY_ACTIVE_ARCH = YES; ONLY_ACTIVE_ARCH = YES;
SYSTEM_HEADER_SEARCH_PATHS = "../../../../../Out/frontend/Download/Apple.Darwin.Xnu/c/darwin-xnu-xnu-4903.221.2/**";
USER_HEADER_SEARCH_PATHS = "../../Public/Src/Sandbox/Windows/DetoursServices/**"; USER_HEADER_SEARCH_PATHS = "../../Public/Src/Sandbox/Windows/DetoursServices/**";
}; };
name = debug; name = debug;
@ -1216,6 +1217,7 @@
GCC_WARN_UNUSED_VARIABLE = YES; GCC_WARN_UNUSED_VARIABLE = YES;
INFOPLIST_FILE = ""; INFOPLIST_FILE = "";
MTL_ENABLE_DEBUG_INFO = NO; MTL_ENABLE_DEBUG_INFO = NO;
SYSTEM_HEADER_SEARCH_PATHS = "../../../../../Out/frontend/Download/Apple.Darwin.Xnu/c/darwin-xnu-xnu-4903.221.2/**";
USER_HEADER_SEARCH_PATHS = "../../Public/Src/Sandbox/Windows/DetoursServices/**"; USER_HEADER_SEARCH_PATHS = "../../Public/Src/Sandbox/Windows/DetoursServices/**";
}; };
name = release; name = release;
@ -1236,6 +1238,7 @@
MODULE_VERSION = 1.0.0d1; MODULE_VERSION = 1.0.0d1;
PRODUCT_BUNDLE_IDENTIFIER = "$(BUILDXL_BUNDLE_IDENTIFIER)"; PRODUCT_BUNDLE_IDENTIFIER = "$(BUILDXL_BUNDLE_IDENTIFIER)";
PRODUCT_NAME = "$(TARGET_NAME)"; PRODUCT_NAME = "$(TARGET_NAME)";
SYSTEM_HEADER_SEARCH_PATHS = "../../../../../Out/frontend/Download/Apple.Darwin.Xnu/c/darwin-xnu-xnu-4903.221.2/**";
USER_HEADER_SEARCH_PATHS = "../../Windows/DetoursServices/**"; USER_HEADER_SEARCH_PATHS = "../../Windows/DetoursServices/**";
WRAPPER_EXTENSION = kext; WRAPPER_EXTENSION = kext;
}; };
@ -1257,6 +1260,7 @@
MODULE_VERSION = 1.0.0d1; MODULE_VERSION = 1.0.0d1;
PRODUCT_BUNDLE_IDENTIFIER = "$(BUILDXL_BUNDLE_IDENTIFIER)"; PRODUCT_BUNDLE_IDENTIFIER = "$(BUILDXL_BUNDLE_IDENTIFIER)";
PRODUCT_NAME = "$(TARGET_NAME)"; PRODUCT_NAME = "$(TARGET_NAME)";
SYSTEM_HEADER_SEARCH_PATHS = "../../../../../Out/frontend/Download/Apple.Darwin.Xnu/c/darwin-xnu-xnu-4903.221.2/**";
USER_HEADER_SEARCH_PATHS = "../../Windows/DetoursServices/**"; USER_HEADER_SEARCH_PATHS = "../../Windows/DetoursServices/**";
WRAPPER_EXTENSION = kext; WRAPPER_EXTENSION = kext;
}; };
@ -1279,6 +1283,7 @@
MTL_FAST_MATH = YES; MTL_FAST_MATH = YES;
PRODUCT_NAME = "$(TARGET_NAME)"; PRODUCT_NAME = "$(TARGET_NAME)";
SDKROOT = macosx; SDKROOT = macosx;
SYSTEM_HEADER_SEARCH_PATHS = "";
USER_HEADER_SEARCH_PATHS = "$(SRCROOT)/../../Windows/DetoursServices"; USER_HEADER_SEARCH_PATHS = "$(SRCROOT)/../../Windows/DetoursServices";
}; };
name = debug; name = debug;
@ -1299,6 +1304,7 @@
MTL_FAST_MATH = YES; MTL_FAST_MATH = YES;
PRODUCT_NAME = "$(TARGET_NAME)"; PRODUCT_NAME = "$(TARGET_NAME)";
SDKROOT = macosx; SDKROOT = macosx;
SYSTEM_HEADER_SEARCH_PATHS = "";
USER_HEADER_SEARCH_PATHS = "$(SRCROOT)/../../Windows/DetoursServices"; USER_HEADER_SEARCH_PATHS = "$(SRCROOT)/../../Windows/DetoursServices";
}; };
name = release; name = release;
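Review bot: The XNU header location is hard-coded as a relative path with the version string `darwin-xnu-xnu-4903.221.2` repeated in four build configurations (lines 72, 80, 88, 96), and the same version appears again in the download entry in config.dsc, so a bump to a newer XNU drop has to be made in five places and nothing catches a mismatch. I would define one project-level user setting, e.g. `XNU_HEADERS = "../../../../../Out/frontend/Download/Apple.Darwin.Xnu/c/darwin-xnu-xnu-4903.221.2"`, and reference it as `SYSTEM_HEADER_SEARCH_PATHS = "$(XNU_HEADERS)/**"` in each kext configuration. The recursive `**` also adds every directory of the whole XNU source tree as a system include path (these are searched before the SDK's own headers), so a header name that exists in more than one XNU subtree, or that differs from the Kernel.framework copy shipped with Xcode 10.3, is resolved in an order that depends on directory enumeration; narrowing the search to the subtrees actually needed (presumably `security/` and `bsd/`) would make header resolution deterministic.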


@ -5,6 +5,7 @@
#define Listeners_hpp #define Listeners_hpp
#include <sys/vnode.h> #include <sys/vnode.h>
#include <mach/machine.h>
#pragma clang diagnostic push #pragma clang diagnostic push
#pragma clang diagnostic ignored "-W#warnings" #pragma clang diagnostic ignored "-W#warnings"


@ -1,5 +1,5 @@
import {Cmd, Artifact, Transformer} from "Sdk.Transformers"; import {Cmd, Artifact, Transformer} from "Sdk.Transformers";
import {XCode} from "Sdk.MacOS"; import {Xcode} from "Sdk.MacOS";
namespace Sandbox { namespace Sandbox {
export declare const qualifier : { export declare const qualifier : {
@ -14,7 +14,8 @@ namespace Sandbox {
semaphores?: string[], semaphores?: string[],
xcconfig?: File, xcconfig?: File,
dependencies?: StaticDirectory[], dependencies?: StaticDirectory[],
overrideXcodeBuildPath?: File overrideXcodeBuildPath?: File,
headerSearchPaths?: Xcode.HeaderSearchPath[];
} }
interface Result { interface Result {
@ -44,7 +45,7 @@ namespace Sandbox {
const conf = args.configuration || qualifier.configuration; const conf = args.configuration || qualifier.configuration;
const outDir = Context.getNewOutputDirectory(args.scheme); const outDir = Context.getNewOutputDirectory(args.scheme);
const outFilePaths = (args.outFiles || []).map(a => p`${outDir}/Build/Products/${conf}/${a}`); const outFilePaths = (args.outFiles || []).map(a => p`${outDir}/Build/Products/${conf}/${a}`);
const result = XCode.execute({ const result = Xcode.execute({
project: args.project, project: args.project,
xcconfig: args.xcconfig, xcconfig: args.xcconfig,
scheme: args.scheme, scheme: args.scheme,
@ -58,7 +59,8 @@ namespace Sandbox {
...(args.dependencies || []), ...(args.dependencies || []),
...sourceFileDependencies ...sourceFileDependencies
], ],
overrideXcodeBuildPath: args.overrideXcodeBuildPath overrideXcodeBuildPath: args.overrideXcodeBuildPath,
headerSearchPaths: args.headerSearchPaths
}); });
return { return {
@ -140,10 +142,17 @@ namespace Sandbox {
} }
function buildKext(bundleInfo: File): KextFiles { function buildKext(bundleInfo: File): KextFiles {
const kernelHeaders = <Xcode.HeaderSearchPath>{
type: "system",
directory: importFrom("Apple.Darwin.Xnu").extracted,
recursive: true
};
const result = build({ const result = build({
project: sandboxXcodeproj, project: sandboxXcodeproj,
scheme: "BuildXLSandbox", scheme: "BuildXLSandbox",
xcconfig: bundleInfo || bundleInfoXCConfig, xcconfig: bundleInfo || bundleInfoXCConfig,
headerSearchPaths: [ kernelHeaders ],
outFiles: [ outFiles: [
r`BuildXLSandbox.kext/Contents/Info.plist`, r`BuildXLSandbox.kext/Contents/Info.plist`,
r`BuildXLSandbox.kext/Contents/MacOS/BuildXLSandbox`, r`BuildXLSandbox.kext/Contents/MacOS/BuildXLSandbox`,
@ -154,6 +163,9 @@ namespace Sandbox {
r`BuildXLSandbox.kext.dSYM/Contents/Resources/DWARF/BuildXLSandbox` r`BuildXLSandbox.kext.dSYM/Contents/Resources/DWARF/BuildXLSandbox`
]) ])
], ],
dependencies: [
kernelHeaders.directory
],
// For as long as we support the sandbox kernel extension for macOS 10.14, we have to build it with the // For as long as we support the sandbox kernel extension for macOS 10.14, we have to build it with the
// 10.3 version of Xcode, obtainable from https://developer.apple.com/download/more/. After downloading, // 10.3 version of Xcode, obtainable from https://developer.apple.com/download/more/. After downloading,
// either adjust this path to where you have placed the tool or put everything into your /Applications // either adjust this path to where you have placed the tool or put everything into your /Applications
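Review bot: `kernelHeaders` at line 160 is built with a type assertion (`<Xcode.HeaderSearchPath>{ ... }`), which silently accepts a missing or misspelled field; declaring it as `const kernelHeaders: Xcode.HeaderSearchPath = { type: "system", directory: importFrom("Apple.Darwin.Xnu").extracted, recursive: true };` yields the same type with the compiler checking the literal. The same directory then appears to have to be listed a second time under `dependencies` (lines 177-179) for the pip to be allowed to read it, since `Xcode.execute` only uses the header directories for their paths; a one-line comment there, `// Xcode.execute does not declare header search paths as pip inputs, so the extracted directory must be listed explicitly`, would stop the next reader from removing the apparent duplicate. `buildKext` continues past the end of the hunk.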


@ -546,6 +546,14 @@ config({
archiveType: "tgz", archiveType: "tgz",
}, },
// XNU kernel sources
{
moduleName: "Apple.Darwin.Xnu",
url: "https://github.com/apple/darwin-xnu/archive/xnu-4903.221.2.tar.gz",
hash: "VSO0:D6D26AEECA99240D2D833B6B8B811609B9A6E3516C0EE97A951B64F9AA4F90F400",
archiveType: "tgz",
},
// DotNet Core Runtime // DotNet Core Runtime
{ {
moduleName: "DotNet-Runtime.win-x64.3.1.0", moduleName: "DotNet-Runtime.win-x64.3.1.0",
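Review bot: The new download entry pins a content hash, which is the right control, but the URL is a GitHub-generated tag archive (`/archive/xnu-4903.221.2.tar.gz`) rather than a release asset; GitHub does not guarantee that these on-the-fly tarballs stay byte-identical, so the pinned hash can start failing without any change on our side. Mirroring the archive to storage we control, or at least documenting that a hash mismatch here means "re-download and re-verify, not just paste the new hash", would prevent a future "fix" that blindly accepts whatever now comes back. A comment above the entry, `// macOS 10.14.x kernel sources; the same version string is hard-coded in the Sandbox .pbxproj SYSTEM_HEADER_SEARCH_PATHS — update both together`, would tie the two locations that must move in lockstep. Whether the resolver verifies the hash before extracting the archive is not visible from this hunk.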

94
third_party/darwin/security/_label.h поставляемый

@ -1,94 +0,0 @@
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.
/*
* Copyright (c) 2007 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
/*-
* Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
* Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
*
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/sys/sys/_label.h,v 1.4 2003/05/08 19:49:42 rwatson Exp $
*/
#ifndef _SECURITY_LABEL_H_
#define _SECURITY_LABEL_H_
/*
* XXXMAC: This shouldn't be exported to userland, but is because of ucred.h
* and various other messes.
*/
#if CONFIG_EMBEDDED
#if CONFIG_VNGUARD
#define MAC_MAX_SLOTS 4
#else
#define MAC_MAX_SLOTS 3
#endif
#else
#define MAC_MAX_SLOTS 7
#endif
#define MAC_FLAG_INITIALIZED 0x0000001 /* Is initialized for use. */
struct label {
int l_flags;
union {
void *l_ptr;
long l_long;
} l_perpolicy[MAC_MAX_SLOTS];
};
#endif /* !_SECURITY_LABEL_H_ */

178
third_party/darwin/security/mac.h поставляемый

@ -1,178 +0,0 @@
/*
* Copyright (c) 2007 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
*
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/sys/sys/mac.h,v 1.40 2003/04/18 19:57:37 rwatson Exp $
*/
/*
* Userland interface for Mandatory Access Control.
*
* The POSIX.1e implementation page may be reached at:
* http://www.trustedbsd.org/
*/
#ifndef _SECURITY_MAC_H_
#define _SECURITY_MAC_H_
#ifndef _POSIX_MAC
#define _POSIX_MAC
#endif
#include <sys/types.h>
/*
* MAC framework-related constants and limits.
*/
#define MAC_MAX_POLICY_NAME 32
#define MAC_MAX_LABEL_ELEMENT_NAME 32
#define MAC_MAX_LABEL_ELEMENT_DATA 4096
#define MAC_MAX_LABEL_BUF_LEN 8192
#define MAC_MAX_MANAGED_NAMESPACES 4
struct mac {
size_t m_buflen;
char *m_string;
};
typedef struct mac *mac_t;
#ifdef KERNEL
#ifndef PRIVATE
#warning "MAC policy is not KPI, see Technical Q&A QA1574"
#endif
#if DEBUG
#define SECURITY_MAC_CTLFLAGS (CTLFLAG_RW | CTLFLAG_LOCKED)
#define SECURITY_MAC_CHECK_ENFORCE 1
#else
#define SECURITY_MAC_CTLFLAGS (CTLFLAG_RD | CTLFLAG_LOCKED)
#define SECURITY_MAC_CHECK_ENFORCE 0
#endif
struct user_mac {
user_size_t m_buflen;
user_addr_t m_string;
};
struct user32_mac {
uint32_t m_buflen;
uint32_t m_string;
};
struct user64_mac {
uint64_t m_buflen;
uint64_t m_string;
};
#endif /* KERNEL */
/*
* Device types for mac_iokit_check_device()
*/
#define MAC_DEVICE_USB "USB"
#define MAC_DEVICE_FIREWIRE "FireWire"
#define MAC_DEVICE_TYPE_KEY "DeviceType"
/*
* Flags for mac_proc_check_suspend_resume()
*/
#define MAC_PROC_CHECK_SUSPEND 0
#define MAC_PROC_CHECK_RESUME 1
#define MAC_PROC_CHECK_HIBERNATE 2
#define MAC_PROC_CHECK_SHUTDOWN_SOCKETS 3
#define MAC_PROC_CHECK_PIDBIND 4
#ifndef KERNEL
/*
* Location of the userland MAC framework configuration file. mac.conf
* binds policy names to shared libraries that understand those policies,
* as well as setting defaults for MAC-aware applications.
*/
#define MAC_CONFFILE "/etc/mac.conf"
/*
* Extended non-POSIX.1e interfaces that offer additional services
* available from the userland and kernel MAC frameworks.
*/
#ifdef __APPLE_API_PRIVATE
__BEGIN_DECLS
int __mac_execve(char *fname, char **argv, char **envv, mac_t _label);
int __mac_get_fd(int _fd, mac_t _label);
int __mac_get_file(const char *_path, mac_t _label);
int __mac_get_link(const char *_path, mac_t _label);
int __mac_get_pid(pid_t _pid, mac_t _label);
int __mac_get_proc(mac_t _label);
int __mac_set_fd(int _fildes, const mac_t _label);
int __mac_set_file(const char *_path, mac_t _label);
int __mac_set_link(const char *_path, mac_t _label);
int __mac_mount(const char *type, const char *path, int flags, void *data,
struct mac *label);
int __mac_get_mount(const char *path, struct mac *label);
int __mac_set_proc(const mac_t _label);
int __mac_syscall(const char *_policyname, int _call, void *_arg);
__END_DECLS
#endif /*__APPLE_API_PRIVATE*/
#endif
#endif /* !_SECURITY_MAC_H_ */

77
third_party/darwin/security/mac_alloc.h поставляемый

@ -1,77 +0,0 @@
/*
* Copyright (c) 2007 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
/*
* Memory allocation wrappers.
*/
#ifndef _SECURITY_MAC_ALLOC_H_
#define _SECURITY_MAC_ALLOC_H_
#include <mach/machine/vm_types.h>
#include <kern/kern_types.h>
#include <sys/appleapiopts.h>
/* JMM - should use OSMlloc.h interfaces */
#ifdef __APPLE_API_EVOLVING
/*
* Kernel Memory allocator
*/
void * mac_kalloc (vm_size_t size, int how);
void mac_kfree (void *data, vm_size_t size);
/*
* Mbuf allocator for mbuf labels.
*/
void * mac_mbuf_alloc (int len, int wait);
void mac_mbuf_free (void *data);
/*
*
*/
int mac_wire (void *start, void *end);
int mac_unwire (void *start, void *end);
/*
* Zone allocator
*/
zone_t mac_zinit (vm_size_t size, vm_size_t maxmem,
vm_size_t alloc, const char *name);
void mac_zone_change (zone_t zone, unsigned int item, boolean_t value);
void * mac_zalloc (zone_t zone, int how);
void mac_zfree (zone_t zone, void *elem);
/* Item definitions */
#define Z_EXHAUST 1 /* Make zone exhaustible */
#define Z_COLLECT 2 /* Make zone collectable */
#define Z_EXPAND 3 /* Make zone expandable */
#define Z_FOREIGN 4 /* Allow collectable zone to contain foreign elements */
#define Z_CALLERACCT 5 /* Account alloc/free against the caller */
#endif /* __APPLE_API_EVOLVING */
#endif /* _SECURITY_MAC_ALLOC_H_ */

149
third_party/darwin/security/mac_data.h поставляемый

@ -1,149 +0,0 @@
/*
* Copyright (c) 2007 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
/*-
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _SECURITY_MAC_DATA_H_
#define _SECURITY_MAC_DATA_H_
#ifndef PRIVATE
#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
#endif
/**
@brief Mac policy module data
This structure specifies module data that is passed in to the
TrustedBSD MAC policy module by the kernel module loader. The
data is made of up key/value pairs where the key is always a
string and the value is a string, binary data or array. An array
may be a list of values (actually a similar set of key/value pairs,
but in this case the keys are always null), and may also consist of
a set of dictionaries, which in turn are made up of a list of key/value
pairs.
Module data may be specified in the MAC policy module's
Info.plist file as part of the OSModuleData dictionary.
E.g.
<key>OSModuleData</key>
<dict>
<key>foo</key>
<string>bar</string>
<key>Beers</key>
<array>
<dict>
<key>type</key>
<string>lager</string>
<key>Name</key>
<string>Anchor Steam</string>
</dict>
<dict>
<key>type</key>
<string>ale</string>
<key>Name</key>
<string>Sierra Nevada Pale Ale</string>
</dict>
</array>
</dict>
*/
struct mac_module_data_element {
unsigned int key_size;
unsigned int value_size;
unsigned int value_type;
char *key;
char *value;
};
struct mac_module_data_list {
unsigned int count;
unsigned int type;
struct mac_module_data_element list[1];
};
struct mac_module_data {
void *base_addr; /* Orig base address, for ptr fixup. */
unsigned int size;
unsigned int count;
struct mac_module_data_element data[1]; /* actually bigger */
};
#define MAC_DATA_TYPE_PRIMITIVE 0 /* Primitive type (int, string, etc.) */
#define MAC_DATA_TYPE_ARRAY 1 /* Array type. */
#define MAC_DATA_TYPE_DICT 2 /* Dictionary type. */
#ifdef _SECURITY_MAC_POLICY_H_
/* XXX mac_policy_handle_t is defined in mac_policy.h, move prototype there? */
int mac_find_policy_data(const mac_policy_handle_t, const char *key,
void **valp, size_t *sizep);
int mac_find_module_data(struct mac_module_data *mmd, const char *key,
void **valp, size_t *sizep);
/*
* This is a routine to fix up pointers in a mac_module_data_element when the
* mac_module_data has been copied to a new area. It depends on the pointers
* all being offset from base_addr.
*/
static __inline void
mmd_fixup_ele(struct mac_module_data *oldbase,
struct mac_module_data *newbase, struct mac_module_data_element *ele)
{
if (ele->key != NULL) { /* Array elements have no keys. */
ele->key -= (uintptr_t)oldbase;
ele->key += (uintptr_t)newbase;
}
ele->value -= (uintptr_t)oldbase;
ele->value += (uintptr_t)newbase;
}
#endif
#endif /* !_SECURITY_MAC_DATA_H_ */

610
third_party/darwin/security/mac_framework.h поставляемый

@ -1,610 +0,0 @@
/*
* Copyright (c) 2007 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2007 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
*
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/sys/sys/mac.h,v 1.40 2003/04/18 19:57:37 rwatson Exp $
*
*/
/*
* Kernel interface for Mandatory Access Control -- how kernel services
* interact with the TrustedBSD MAC Framework.
*/
#ifndef _SECURITY_MAC_FRAMEWORK_H_
#define _SECURITY_MAC_FRAMEWORK_H_
#ifndef KERNEL
#error "no user-serviceable parts inside"
#endif
#ifndef PRIVATE
#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
#endif
struct attrlist;
struct auditinfo;
struct bpf_d;
struct componentname;
struct cs_blob;
struct devnode;
struct exception_action;
struct flock;
struct fdescnode;
struct fileglob;
struct fileproc;
struct ifnet;
struct ifreq;
struct image_params;
struct inpcb;
struct ipc_port;
struct ipq;
struct knote;
struct m_tag;
struct mac;
struct mac_module_data;
struct mbuf;
struct msg;
struct msqid_kernel;
struct mount;
struct pipe;
struct proc;
struct pseminfo;
struct pshminfo;
struct semid_kernel;
struct shmid_kernel;
struct sockaddr;
struct sockopt;
struct socket;
struct task;
struct thread;
struct timespec;
struct tty;
struct ucred;
struct uio;
struct uthread;
struct vfs_attr;
struct vfs_context;
struct vnode;
struct vnode_attr;
struct vop_setlabel_args;
#include <sys/kauth.h>
#include <sys/kernel_types.h>
#if CONFIG_MACF
#ifndef __IOKIT_PORTS_DEFINED__
#define __IOKIT_PORTS_DEFINED__
#ifdef __cplusplus
class OSObject;
typedef OSObject *io_object_t;
#else
struct OSObject;
typedef struct OSObject *io_object_t;
#endif
#endif /* __IOKIT_PORTS_DEFINED__ */
/*@ macros */
#define VNODE_LABEL_CREATE 1
/*@ === */
int mac_audit_check_postselect(kauth_cred_t cred, unsigned short syscode,
void *args, int error, int retval, int mac_forced);
int mac_audit_check_preselect(kauth_cred_t cred, unsigned short syscode,
void *args);
int mac_bpfdesc_check_receive(struct bpf_d *bpf_d, struct ifnet *ifp);
void mac_bpfdesc_label_destroy(struct bpf_d *bpf_d);
void mac_bpfdesc_label_init(struct bpf_d *bpf_d);
void mac_bpfdesc_label_associate(kauth_cred_t cred, struct bpf_d *bpf_d);
int mac_cred_check_label_update(kauth_cred_t cred,
struct label *newlabel);
int mac_cred_check_label_update_execve(vfs_context_t ctx,
struct vnode *vp, off_t offset, struct vnode *scriptvp,
struct label *scriptvnodelabel, struct label *execlabel,
proc_t proc, void *macextensions);
int mac_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2);
struct label *mac_cred_label_alloc(void);
void mac_cred_label_associate(kauth_cred_t cred_parent,
kauth_cred_t cred_child);
void mac_cred_label_associate_fork(kauth_cred_t cred, proc_t child);
void mac_cred_label_associate_kernel(kauth_cred_t cred);
void mac_cred_label_associate_user(kauth_cred_t cred);
void mac_cred_label_destroy(kauth_cred_t cred);
int mac_cred_label_externalize_audit(proc_t p, struct mac *mac);
void mac_cred_label_free(struct label *label);
void mac_cred_label_init(kauth_cred_t cred);
int mac_cred_label_compare(struct label *a, struct label *b);
void mac_cred_label_update(kauth_cred_t cred, struct label *newlabel);
void mac_cred_label_update_execve(vfs_context_t ctx, kauth_cred_t newcred,
struct vnode *vp, off_t offset, struct vnode *scriptvp,
struct label *scriptvnodelabel, struct label *execlabel, u_int *csflags,
void *macextensions, int *disjoint, int *labelupdateerror);
void mac_devfs_label_associate_device(dev_t dev, struct devnode *de,
const char *fullpath);
void mac_devfs_label_associate_directory(const char *dirname, int dirnamelen,
struct devnode *de, const char *fullpath);
void mac_devfs_label_copy(struct label *, struct label *label);
void mac_devfs_label_destroy(struct devnode *de);
void mac_devfs_label_init(struct devnode *de);
void mac_devfs_label_update(struct mount *mp, struct devnode *de,
struct vnode *vp);
int mac_execve_enter(user_addr_t mac_p, struct image_params *imgp);
int mac_file_check_change_offset(kauth_cred_t cred, struct fileglob *fg);
int mac_file_check_create(kauth_cred_t cred);
int mac_file_check_dup(kauth_cred_t cred, struct fileglob *fg, int newfd);
int mac_file_check_fcntl(kauth_cred_t cred, struct fileglob *fg, int cmd,
user_long_t arg);
int mac_file_check_get(kauth_cred_t cred, struct fileglob *fg,
char *elements, int len);
int mac_file_check_get_offset(kauth_cred_t cred, struct fileglob *fg);
int mac_file_check_inherit(kauth_cred_t cred, struct fileglob *fg);
int mac_file_check_ioctl(kauth_cred_t cred, struct fileglob *fg,
unsigned int cmd);
int mac_file_check_lock(kauth_cred_t cred, struct fileglob *fg, int op,
struct flock *fl);
int mac_file_check_library_validation(struct proc *proc,
struct fileglob *fg, off_t slice_offset,
user_long_t error_message, size_t error_message_size);
int mac_file_check_mmap(kauth_cred_t cred, struct fileglob *fg,
int prot, int flags, uint64_t file_pos, int *maxprot);
void mac_file_check_mmap_downgrade(kauth_cred_t cred, struct fileglob *fg,
int *prot);
int mac_file_check_receive(kauth_cred_t cred, struct fileglob *fg);
int mac_file_check_set(kauth_cred_t cred, struct fileglob *fg,
char *bufp, int buflen);
void mac_file_label_associate(kauth_cred_t cred, struct fileglob *fg);
void mac_file_label_destroy(struct fileglob *fg);
void mac_file_label_init(struct fileglob *fg);
int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *mbuf,
int family, int type);
void mac_ifnet_label_associate(struct ifnet *ifp);
void mac_ifnet_label_destroy(struct ifnet *ifp);
int mac_ifnet_label_get(kauth_cred_t cred, struct ifreq *ifr,
struct ifnet *ifp);
void mac_ifnet_label_init(struct ifnet *ifp);
void mac_ifnet_label_recycle(struct ifnet *ifp);
int mac_ifnet_label_set(kauth_cred_t cred, struct ifreq *ifr,
struct ifnet *ifp);
int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *mbuf,
int family, int type);
void mac_inpcb_label_associate(struct socket *so, struct inpcb *inp);
void mac_inpcb_label_destroy(struct inpcb *inp);
int mac_inpcb_label_init(struct inpcb *inp, int flag);
void mac_inpcb_label_recycle(struct inpcb *inp);
void mac_inpcb_label_update(struct socket *so);
int mac_iokit_check_device(char *devtype, struct mac_module_data *mdata);
int mac_iokit_check_open(kauth_cred_t cred, io_object_t user_client, unsigned int user_client_type);
int mac_iokit_check_set_properties(kauth_cred_t cred, io_object_t registry_entry, io_object_t properties);
int mac_iokit_check_filter_properties(kauth_cred_t cred, io_object_t registry_entry);
int mac_iokit_check_get_property(kauth_cred_t cred, io_object_t registry_entry, const char *name);
int mac_iokit_check_hid_control(kauth_cred_t cred);
int mac_iokit_check_nvram_delete(kauth_cred_t cred, const char *name);
int mac_iokit_check_nvram_get(kauth_cred_t cred, const char *name);
int mac_iokit_check_nvram_set(kauth_cred_t cred, const char *name, io_object_t value);
void mac_ipq_label_associate(struct mbuf *fragment, struct ipq *ipq);
int mac_ipq_label_compare(struct mbuf *fragment, struct ipq *ipq);
void mac_ipq_label_destroy(struct ipq *ipq);
int mac_ipq_label_init(struct ipq *ipq, int flag);
void mac_ipq_label_update(struct mbuf *fragment, struct ipq *ipq);
void mac_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
void mac_mbuf_label_associate_ifnet(struct ifnet *ifp, struct mbuf *m);
void mac_mbuf_label_associate_inpcb(struct inpcb *inp, struct mbuf *m);
void mac_mbuf_label_associate_ipq(struct ipq *ipq, struct mbuf *mbuf);
void mac_mbuf_label_associate_linklayer(struct ifnet *ifp, struct mbuf *m);
void mac_mbuf_label_associate_multicast_encap(struct mbuf *oldmbuf,
struct ifnet *ifp, struct mbuf *newmbuf);
void mac_mbuf_label_associate_netlayer(struct mbuf *oldmbuf,
struct mbuf *newmbuf);
void mac_mbuf_label_associate_socket(struct socket *so, struct mbuf *m);
void mac_mbuf_label_copy(struct mbuf *m_from, struct mbuf *m_to);
void mac_mbuf_label_destroy(struct mbuf *m);
int mac_mbuf_label_init(struct mbuf *m, int flag);
void mac_mbuf_tag_copy(struct m_tag *m, struct m_tag *mtag);
void mac_mbuf_tag_destroy(struct m_tag *mtag);
int mac_mbuf_tag_init(struct m_tag *, int how);
int mac_mount_check_fsctl(vfs_context_t ctx, struct mount *mp,
unsigned int cmd);
int mac_mount_check_getattr(vfs_context_t ctx, struct mount *mp,
struct vfs_attr *vfa);
int mac_mount_check_label_update(vfs_context_t ctx, struct mount *mp);
int mac_mount_check_mount(vfs_context_t ctx, struct vnode *vp,
struct componentname *cnp, const char *vfc_name);
int mac_mount_check_snapshot_create(vfs_context_t ctx, struct mount *mp,
const char *name);
int mac_mount_check_snapshot_delete(vfs_context_t ctx, struct mount *mp,
const char *name);
int mac_mount_check_snapshot_revert(vfs_context_t ctx, struct mount *mp,
const char *name);
int mac_mount_check_remount(vfs_context_t ctx, struct mount *mp);
int mac_mount_check_setattr(vfs_context_t ctx, struct mount *mp,
struct vfs_attr *vfa);
int mac_mount_check_stat(vfs_context_t ctx, struct mount *mp);
int mac_mount_check_umount(vfs_context_t ctx, struct mount *mp);
void mac_mount_label_associate(vfs_context_t ctx, struct mount *mp);
void mac_mount_label_destroy(struct mount *mp);
int mac_mount_label_externalize(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
int mac_mount_label_get(struct mount *mp, user_addr_t mac_p);
void mac_mount_label_init(struct mount *);
int mac_mount_label_internalize(struct label *, char *string);
void mac_netinet_fragment(struct mbuf *datagram, struct mbuf *fragment);
void mac_netinet_icmp_reply(struct mbuf *m);
void mac_netinet_tcp_reply(struct mbuf *m);
int mac_pipe_check_ioctl(kauth_cred_t cred, struct pipe *cpipe,
unsigned int cmd);
int mac_pipe_check_kqfilter(kauth_cred_t cred, struct knote *kn,
struct pipe *cpipe);
int mac_pipe_check_read(kauth_cred_t cred, struct pipe *cpipe);
int mac_pipe_check_select(kauth_cred_t cred, struct pipe *cpipe,
int which);
int mac_pipe_check_stat(kauth_cred_t cred, struct pipe *cpipe);
int mac_pipe_check_write(kauth_cred_t cred, struct pipe *cpipe);
struct label *mac_pipe_label_alloc(void);
void mac_pipe_label_associate(kauth_cred_t cred, struct pipe *cpipe);
void mac_pipe_label_copy(struct label *src, struct label *dest);
void mac_pipe_label_destroy(struct pipe *cpipe);
void mac_pipe_label_free(struct label *label);
void mac_pipe_label_init(struct pipe *cpipe);
int mac_pipe_label_update(kauth_cred_t cred, struct pipe *cpipe,
struct label *label);
void mac_policy_initbsd(void);
int mac_posixsem_check_create(kauth_cred_t cred, const char *name);
int mac_posixsem_check_open(kauth_cred_t cred, struct pseminfo *psem);
int mac_posixsem_check_post(kauth_cred_t cred, struct pseminfo *psem);
int mac_posixsem_check_unlink(kauth_cred_t cred, struct pseminfo *psem,
const char *name);
int mac_posixsem_check_wait(kauth_cred_t cred, struct pseminfo *psem);
void mac_posixsem_vnode_label_associate(kauth_cred_t cred,
struct pseminfo *psem, struct label *plabel,
vnode_t vp, struct label *vlabel);
void mac_posixsem_label_associate(kauth_cred_t cred,
struct pseminfo *psem, const char *name);
void mac_posixsem_label_destroy(struct pseminfo *psem);
void mac_posixsem_label_init(struct pseminfo *psem);
int mac_posixshm_check_create(kauth_cred_t cred, const char *name);
int mac_posixshm_check_mmap(kauth_cred_t cred, struct pshminfo *pshm,
int prot, int flags);
int mac_posixshm_check_open(kauth_cred_t cred, struct pshminfo *pshm,
int fflags);
int mac_posixshm_check_stat(kauth_cred_t cred, struct pshminfo *pshm);
int mac_posixshm_check_truncate(kauth_cred_t cred, struct pshminfo *pshm,
off_t s);
int mac_posixshm_check_unlink(kauth_cred_t cred, struct pshminfo *pshm,
const char *name);
void mac_posixshm_vnode_label_associate(kauth_cred_t cred,
struct pshminfo *pshm, struct label *plabel,
vnode_t vp, struct label *vlabel);
void mac_posixshm_label_associate(kauth_cred_t cred,
struct pshminfo *pshm, const char *name);
void mac_posixshm_label_destroy(struct pshminfo *pshm);
void mac_posixshm_label_init(struct pshminfo *pshm);
int mac_priv_check(kauth_cred_t cred, int priv);
int mac_priv_grant(kauth_cred_t cred, int priv);
int mac_proc_check_debug(proc_t proc1, proc_t proc2);
int mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor);
int mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op);
int mac_proc_check_set_cs_info(proc_t curp, proc_t target, unsigned int op);
int mac_proc_check_fork(proc_t proc);
int mac_proc_check_suspend_resume(proc_t proc, int sr);
int mac_proc_check_get_task_name(kauth_cred_t cred, struct proc *p);
int mac_proc_check_get_task(kauth_cred_t cred, struct proc *p);
int mac_proc_check_expose_task(kauth_cred_t cred, struct proc *p);
int mac_proc_check_inherit_ipc_ports(struct proc *p, struct vnode *cur_vp, off_t cur_offset, struct vnode *img_vp, off_t img_offset, struct vnode *scriptvp);
int mac_proc_check_getaudit(proc_t proc);
int mac_proc_check_getauid(proc_t proc);
int mac_proc_check_getlcid(proc_t proc1, proc_t proc2,
pid_t pid);
int mac_proc_check_ledger(proc_t curp, proc_t target, int op);
int mac_proc_check_map_anon(proc_t proc, user_addr_t u_addr,
user_size_t u_size, int prot, int flags, int *maxprot);
int mac_proc_check_mprotect(proc_t proc,
user_addr_t addr, user_size_t size, int prot);
int mac_proc_check_run_cs_invalid(proc_t proc);
int mac_proc_check_sched(proc_t proc, proc_t proc2);
int mac_proc_check_setaudit(proc_t proc, struct auditinfo_addr *ai);
int mac_proc_check_setauid(proc_t proc, uid_t auid);
int mac_proc_check_setlcid(proc_t proc1, proc_t proc2,
pid_t pid1, pid_t pid2);
int mac_proc_check_signal(proc_t proc1, proc_t proc2,
int signum);
int mac_proc_check_wait(proc_t proc1, proc_t proc2);
void mac_proc_notify_exit(proc_t proc);
int mac_setsockopt_label(kauth_cred_t cred, struct socket *so,
struct mac *extmac);
int mac_socket_check_accept(kauth_cred_t cred, struct socket *so);
int mac_socket_check_accepted(kauth_cred_t cred, struct socket *so);
int mac_socket_check_bind(kauth_cred_t cred, struct socket *so,
struct sockaddr *addr);
int mac_socket_check_connect(kauth_cred_t cred, struct socket *so,
struct sockaddr *addr);
int mac_socket_check_create(kauth_cred_t cred, int domain,
int type, int protocol);
int mac_socket_check_deliver(struct socket *so, struct mbuf *m);
int mac_socket_check_ioctl(kauth_cred_t cred, struct socket *so,
unsigned int cmd);
int mac_socket_check_kqfilter(kauth_cred_t cred, struct knote *kn,
struct socket *so);
int mac_socket_check_listen(kauth_cred_t cred, struct socket *so);
int mac_socket_check_receive(kauth_cred_t cred, struct socket *so);
int mac_socket_check_received(kauth_cred_t cred, struct socket *so,
struct sockaddr *saddr);
int mac_socket_check_select(kauth_cred_t cred, struct socket *so,
int which);
int mac_socket_check_send(kauth_cred_t cred, struct socket *so,
struct sockaddr *addr);
int mac_socket_check_getsockopt(kauth_cred_t cred, struct socket *so,
struct sockopt *sopt);
int mac_socket_check_setsockopt(kauth_cred_t cred, struct socket *so,
struct sockopt *sopt);
int mac_socket_check_stat(kauth_cred_t cred, struct socket *so);
void mac_socket_label_associate(kauth_cred_t cred, struct socket *so);
void mac_socket_label_associate_accept(struct socket *oldsocket,
struct socket *newsocket);
void mac_socket_label_copy(struct label *from, struct label *to);
void mac_socket_label_destroy(struct socket *);
int mac_socket_label_get(kauth_cred_t cred, struct socket *so,
struct mac *extmac);
int mac_socket_label_init(struct socket *, int waitok);
void mac_socketpeer_label_associate_mbuf(struct mbuf *m, struct socket *so);
void mac_socketpeer_label_associate_socket(struct socket *peersocket,
struct socket *socket_to_modify);
int mac_socketpeer_label_get(kauth_cred_t cred, struct socket *so,
struct mac *extmac);
int mac_system_check_acct(kauth_cred_t cred, struct vnode *vp);
int mac_system_check_audit(kauth_cred_t cred, void *record, int length);
int mac_system_check_auditctl(kauth_cred_t cred, struct vnode *vp);
int mac_system_check_auditon(kauth_cred_t cred, int cmd);
int mac_system_check_chud(kauth_cred_t cred);
int mac_system_check_host_priv(kauth_cred_t cred);
int mac_system_check_info(kauth_cred_t, const char *info_type);
int mac_system_check_nfsd(kauth_cred_t cred);
int mac_system_check_reboot(kauth_cred_t cred, int howto);
int mac_system_check_settime(kauth_cred_t cred);
int mac_system_check_swapoff(kauth_cred_t cred, struct vnode *vp);
int mac_system_check_swapon(kauth_cred_t cred, struct vnode *vp);
int mac_system_check_sysctlbyname(kauth_cred_t cred, const char *namestring, int *name,
u_int namelen, user_addr_t oldctl, size_t oldlen,
user_addr_t newctl, size_t newlen);
int mac_system_check_kas_info(kauth_cred_t cred, int selector);
void mac_sysvmsg_label_associate(kauth_cred_t cred,
struct msqid_kernel *msqptr, struct msg *msgptr);
void mac_sysvmsg_label_init(struct msg *msgptr);
void mac_sysvmsg_label_recycle(struct msg *msgptr);
int mac_sysvmsq_check_enqueue(kauth_cred_t cred, struct msg *msgptr,
struct msqid_kernel *msqptr);
int mac_sysvmsq_check_msgrcv(kauth_cred_t cred, struct msg *msgptr);
int mac_sysvmsq_check_msgrmid(kauth_cred_t cred, struct msg *msgptr);
int mac_sysvmsq_check_msqctl(kauth_cred_t cred,
struct msqid_kernel *msqptr, int cmd);
int mac_sysvmsq_check_msqget(kauth_cred_t cred,
struct msqid_kernel *msqptr);
int mac_sysvmsq_check_msqrcv(kauth_cred_t cred,
struct msqid_kernel *msqptr);
int mac_sysvmsq_check_msqsnd(kauth_cred_t cred,
struct msqid_kernel *msqptr);
void mac_sysvmsq_label_associate(kauth_cred_t cred,
struct msqid_kernel *msqptr);
void mac_sysvmsq_label_init(struct msqid_kernel *msqptr);
void mac_sysvmsq_label_recycle(struct msqid_kernel *msqptr);
int mac_sysvsem_check_semctl(kauth_cred_t cred,
struct semid_kernel *semakptr, int cmd);
int mac_sysvsem_check_semget(kauth_cred_t cred,
struct semid_kernel *semakptr);
int mac_sysvsem_check_semop(kauth_cred_t cred,
struct semid_kernel *semakptr, size_t accesstype);
void mac_sysvsem_label_associate(kauth_cred_t cred,
struct semid_kernel *semakptr);
void mac_sysvsem_label_destroy(struct semid_kernel *semakptr);
void mac_sysvsem_label_init(struct semid_kernel *semakptr);
void mac_sysvsem_label_recycle(struct semid_kernel *semakptr);
int mac_sysvshm_check_shmat(kauth_cred_t cred,
struct shmid_kernel *shmsegptr, int shmflg);
int mac_sysvshm_check_shmctl(kauth_cred_t cred,
struct shmid_kernel *shmsegptr, int cmd);
int mac_sysvshm_check_shmdt(kauth_cred_t cred,
struct shmid_kernel *shmsegptr);
int mac_sysvshm_check_shmget(kauth_cred_t cred,
struct shmid_kernel *shmsegptr, int shmflg);
void mac_sysvshm_label_associate(kauth_cred_t cred,
struct shmid_kernel *shmsegptr);
void mac_sysvshm_label_destroy(struct shmid_kernel *shmsegptr);
void mac_sysvshm_label_init(struct shmid_kernel* shmsegptr);
void mac_sysvshm_label_recycle(struct shmid_kernel *shmsegptr);
int mac_vnode_check_access(vfs_context_t ctx, struct vnode *vp,
int acc_mode);
int mac_vnode_check_chdir(vfs_context_t ctx, struct vnode *dvp);
int mac_vnode_check_chroot(vfs_context_t ctx, struct vnode *dvp,
struct componentname *cnp);
int mac_vnode_check_clone(vfs_context_t ctx, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_create(vfs_context_t ctx, struct vnode *dvp,
struct componentname *cnp, struct vnode_attr *vap);
int mac_vnode_check_deleteextattr(vfs_context_t ctx, struct vnode *vp,
const char *name);
int mac_vnode_check_exchangedata(vfs_context_t ctx, struct vnode *v1,
struct vnode *v2);
int mac_vnode_check_exec(vfs_context_t ctx, struct vnode *vp,
struct image_params *imgp);
int mac_vnode_check_fsgetpath(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_getattr(vfs_context_t ctx, struct ucred *file_cred,
struct vnode *vp, struct vnode_attr *va);
int mac_vnode_check_getattrlist(vfs_context_t ctx, struct vnode *vp,
struct attrlist *alist);
int mac_vnode_check_getextattr(vfs_context_t ctx, struct vnode *vp,
const char *name, struct uio *uio);
int mac_vnode_check_ioctl(vfs_context_t ctx, struct vnode *vp,
unsigned int cmd);
int mac_vnode_check_kqfilter(vfs_context_t ctx,
kauth_cred_t file_cred, struct knote *kn, struct vnode *vp);
int mac_vnode_check_label_update(vfs_context_t ctx, struct vnode *vp,
struct label *newlabel);
int mac_vnode_check_link(vfs_context_t ctx, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_listextattr(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_lookup(vfs_context_t ctx, struct vnode *dvp,
struct componentname *cnp);
int mac_vnode_check_lookup_preflight(vfs_context_t ctx, struct vnode *dvp,
const char *path, size_t pathlen);
int mac_vnode_check_open(vfs_context_t ctx, struct vnode *vp,
int acc_mode);
int mac_vnode_check_read(vfs_context_t ctx,
kauth_cred_t file_cred, struct vnode *vp);
int mac_vnode_check_readdir(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_readlink(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_rename(vfs_context_t ctx, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp, struct vnode *tdvp,
struct vnode *tvp, struct componentname *tcnp);
int mac_vnode_check_revoke(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_searchfs(vfs_context_t ctx, struct vnode *vp,
struct attrlist *alist);
int mac_vnode_check_select(vfs_context_t ctx, struct vnode *vp,
int which);
int mac_vnode_check_setacl(vfs_context_t ctx, struct vnode *vp,
struct kauth_acl *acl);
int mac_vnode_check_setattrlist(vfs_context_t ctxd, struct vnode *vp,
struct attrlist *alist);
int mac_vnode_check_setextattr(vfs_context_t ctx, struct vnode *vp,
const char *name, struct uio *uio);
int mac_vnode_check_setflags(vfs_context_t ctx, struct vnode *vp,
u_long flags);
int mac_vnode_check_setmode(vfs_context_t ctx, struct vnode *vp,
mode_t mode);
int mac_vnode_check_setowner(vfs_context_t ctx, struct vnode *vp,
uid_t uid, gid_t gid);
int mac_vnode_check_setutimes(vfs_context_t ctx, struct vnode *vp,
struct timespec atime, struct timespec mtime);
int mac_vnode_check_signature(struct vnode *vp,
struct cs_blob *cs_blob, struct image_params *imgp,
unsigned int *cs_flags, unsigned int *signer_type,
int flags);
int mac_vnode_check_stat(vfs_context_t ctx,
kauth_cred_t file_cred, struct vnode *vp);
int mac_vnode_check_truncate(vfs_context_t ctx,
kauth_cred_t file_cred, struct vnode *vp);
int mac_vnode_check_uipc_bind(vfs_context_t ctx, struct vnode *dvp,
struct componentname *cnp, struct vnode_attr *vap);
int mac_vnode_check_uipc_connect(vfs_context_t ctx, struct vnode *vp, struct socket *so);
int mac_vnode_check_unlink(vfs_context_t ctx, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_write(vfs_context_t ctx,
kauth_cred_t file_cred, struct vnode *vp);
struct label *mac_vnode_label_alloc(void);
int mac_vnode_label_associate(struct mount *mp, struct vnode *vp,
vfs_context_t ctx);
void mac_vnode_label_associate_devfs(struct mount *mp, struct devnode *de,
struct vnode *vp);
int mac_vnode_label_associate_extattr(struct mount *mp, struct vnode *vp);
int mac_vnode_label_associate_fdesc(struct mount *mp, struct fdescnode *fnp,
struct vnode *vp, vfs_context_t ctx);
void mac_vnode_label_associate_singlelabel(struct mount *mp,
struct vnode *vp);
void mac_vnode_label_copy(struct label *l1, struct label *l2);
void mac_vnode_label_destroy(struct vnode *vp);
int mac_vnode_label_externalize_audit(struct vnode *vp, struct mac *mac);
void mac_vnode_label_free(struct label *label);
void mac_vnode_label_init(struct vnode *vp);
int mac_vnode_label_init_needed(struct vnode *vp);
void mac_vnode_label_recycle(struct vnode *vp);
void mac_vnode_label_update(vfs_context_t ctx, struct vnode *vp,
struct label *newlabel);
void mac_vnode_label_update_extattr(struct mount *mp, struct vnode *vp,
const char *name);
int mac_vnode_notify_create(vfs_context_t ctx, struct mount *mp,
struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
void mac_vnode_notify_deleteextattr(vfs_context_t ctx, struct vnode *vp, const char *name);
void mac_vnode_notify_link(vfs_context_t ctx, struct vnode *vp,
struct vnode *dvp, struct componentname *cnp);
void mac_vnode_notify_open(vfs_context_t ctx, struct vnode *vp, int acc_flags);
void mac_vnode_notify_rename(vfs_context_t ctx, struct vnode *vp,
struct vnode *dvp, struct componentname *cnp);
void mac_vnode_notify_setacl(vfs_context_t ctx, struct vnode *vp, struct kauth_acl *acl);
void mac_vnode_notify_setattrlist(vfs_context_t ctx, struct vnode *vp, struct attrlist *alist);
void mac_vnode_notify_setextattr(vfs_context_t ctx, struct vnode *vp, const char *name, struct uio *uio);
void mac_vnode_notify_setflags(vfs_context_t ctx, struct vnode *vp, u_long flags);
void mac_vnode_notify_setmode(vfs_context_t ctx, struct vnode *vp, mode_t mode);
void mac_vnode_notify_setowner(vfs_context_t ctx, struct vnode *vp, uid_t uid, gid_t gid);
void mac_vnode_notify_setutimes(vfs_context_t ctx, struct vnode *vp, struct timespec atime, struct timespec mtime);
void mac_vnode_notify_truncate(vfs_context_t ctx, kauth_cred_t file_cred, struct vnode *vp);
int mac_vnode_find_sigs(struct proc *p, struct vnode *vp, off_t offsetInMacho);
int vnode_label(struct mount *mp, struct vnode *dvp, struct vnode *vp,
struct componentname *cnp, int flags, vfs_context_t ctx);
void vnode_relabel(struct vnode *vp);
void mac_pty_notify_grant(proc_t p, struct tty *tp, dev_t dev, struct label *label);
void mac_pty_notify_close(proc_t p, struct tty *tp, dev_t dev, struct label *label);
int mac_kext_check_load(kauth_cred_t cred, const char *identifier);
int mac_kext_check_unload(kauth_cred_t cred, const char *identifier);
int mac_kext_check_query(kauth_cred_t cred);
int mac_skywalk_flow_check_connect(proc_t p, void *flow, const struct sockaddr *addr, int type, int protocol);
int mac_skywalk_flow_check_listen(proc_t p, void *flow, const struct sockaddr *addr, int type, int protocol);
void psem_label_associate(struct fileproc *fp, struct vnode *vp, struct vfs_context *ctx);
void pshm_label_associate(struct fileproc *fp, struct vnode *vp, struct vfs_context *ctx);
#if CONFIG_MACF_NET
struct label *mac_bpfdesc_label_get(struct bpf_d *d);
void mac_bpfdesc_label_set(struct bpf_d *d, struct label *label);
#endif
#endif /* CONFIG_MACF */
#endif /* !_SECURITY_MAC_FRAMEWORK_H_ */

415
third_party/darwin/security/mac_internal.h поставляемый

@ -1,415 +0,0 @@
/*
* Copyright (c) 2007 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
/*-
* Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
* TrustedBSD Project.
*
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#ifndef _SECURITY_MAC_INTERNAL_H_
#define _SECURITY_MAC_INTERNAL_H_
#ifndef PRIVATE
#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
#endif
#include <string.h>
#include <sys/param.h>
#include <sys/queue.h>
#include <security/mac.h>
#include <security/mac_framework.h>
#include <security/mac_policy.h>
#include <security/mac_data.h>
#include <sys/sysctl.h>
#include <kern/locks.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/sbuf.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/vnode.h>
/*
* MAC Framework sysctl namespace.
*/
SYSCTL_DECL(_security);
SYSCTL_DECL(_security_mac);
extern int mac_late;
struct mac_policy_list_element {
struct mac_policy_conf *mpc;
};
struct mac_policy_list {
u_int numloaded;
u_int max;
u_int maxindex;
u_int staticmax;
u_int chunks;
u_int freehint;
struct mac_policy_list_element *entries;
};
typedef struct mac_policy_list mac_policy_list_t;
/*
* Policy that has registered with the framework for a specific
* label namespace name.
*/
struct mac_label_listener {
mac_policy_handle_t mll_handle;
LIST_ENTRY(mac_label_listener) mll_list;
};
LIST_HEAD(mac_label_listeners_t, mac_label_listener);
/*
* Type of list used to manage label namespace names.
*/
struct mac_label_element {
char mle_name[MAC_MAX_LABEL_ELEMENT_NAME];
struct mac_label_listeners_t mle_listeners;
LIST_ENTRY(mac_label_element) mle_list;
};
LIST_HEAD(mac_label_element_list_t, mac_label_element);
/*
* MAC Framework global variables.
*/
extern struct mac_label_element_list_t mac_label_element_list;
extern struct mac_label_element_list_t mac_static_label_element_list;
extern struct mac_policy_list mac_policy_list;
/*
* global flags to control whether a MACF subsystem is configured
* at all in the system.
*/
extern unsigned int mac_device_enforce;
extern unsigned int mac_pipe_enforce;
extern unsigned int mac_posixsem_enforce;
extern unsigned int mac_posixshm_enforce;
extern unsigned int mac_proc_enforce;
extern unsigned int mac_socket_enforce;
extern unsigned int mac_system_enforce;
extern unsigned int mac_sysvmsg_enforce;
extern unsigned int mac_sysvsem_enforce;
extern unsigned int mac_sysvshm_enforce;
extern unsigned int mac_vm_enforce;
extern unsigned int mac_vnode_enforce;
#if CONFIG_MACF_NET
extern unsigned int mac_label_mbufs;
#endif
extern unsigned int mac_label_vnodes;
static bool mac_proc_check_enforce(proc_t p);
static __inline__ bool mac_proc_check_enforce(proc_t p)
{
#if CONFIG_MACF
// Don't apply policies to the kernel itself.
return (p != kernproc);
#else
#pragma unused(p)
return false;
#endif // CONFIG_MACF
}
static bool mac_cred_check_enforce(kauth_cred_t cred);
static __inline__ bool mac_cred_check_enforce(kauth_cred_t cred)
{
#if CONFIG_MACF
return (cred != proc_ucred(kernproc));
#else
#pragma unused(p)
return false;
#endif // CONFIG_MACF
}
/*
* MAC Framework infrastructure functions.
*/
int mac_error_select(int error1, int error2);
void mac_policy_list_busy(void);
int mac_policy_list_conditional_busy(void);
void mac_policy_list_unbusy(void);
void mac_labelzone_init(void);
struct label *mac_labelzone_alloc(int flags);
void mac_labelzone_free(struct label *label);
void mac_label_init(struct label *label);
void mac_label_destroy(struct label *label);
#if KERNEL
int mac_check_structmac_consistent(struct user_mac *mac);
#else
int mac_check_structmac_consistent(struct mac *mac);
#endif
int mac_cred_label_externalize(struct label *, char *e, char *out, size_t olen, int flags);
#if CONFIG_MACF_SOCKET
int mac_socket_label_externalize(struct label *, char *e, char *out, size_t olen);
#endif /* CONFIG_MACF_SOCKET */
int mac_vnode_label_externalize(struct label *, char *e, char *out, size_t olen, int flags);
int mac_pipe_label_externalize(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
int mac_cred_label_internalize(struct label *label, char *string);
#if CONFIG_MACF_SOCKET
int mac_socket_label_internalize(struct label *label, char *string);
#endif /* CONFIG_MACF_SOCKET */
int mac_vnode_label_internalize(struct label *label, char *string);
int mac_pipe_label_internalize(struct label *label, char *string);
#if CONFIG_MACF_SOCKET
/* internal socket label manipulation functions */
struct label *mac_socket_label_alloc(int flags);
void mac_socket_label_free(struct label *l);
int mac_socket_label_update(struct ucred *cred, struct socket *so, struct label *l);
#endif /* MAC_SOCKET */
#if CONFIG_MACF_NET
struct label *mac_mbuf_to_label(struct mbuf *m);
#else
#define mac_mbuf_to_label(m) (NULL)
#endif
/*
* MAC_CHECK performs the designated check by walking the policy
* module list and checking with each as to how it feels about the
* request. Note that it returns its value via 'error' in the scope
* of the caller.
*/
#define MAC_CHECK(check, args...) do { \
struct mac_policy_conf *mpc; \
u_int i; \
\
error = 0; \
for (i = 0; i < mac_policy_list.staticmax; i++) { \
mpc = mac_policy_list.entries[i].mpc; \
if (mpc == NULL) \
continue; \
\
if (mpc->mpc_ops->mpo_ ## check != NULL) \
error = mac_error_select( \
mpc->mpc_ops->mpo_ ## check (args), \
error); \
} \
if (mac_policy_list_conditional_busy() != 0) { \
for (; i <= mac_policy_list.maxindex; i++) { \
mpc = mac_policy_list.entries[i].mpc; \
if (mpc == NULL) \
continue; \
\
if (mpc->mpc_ops->mpo_ ## check != NULL) \
error = mac_error_select( \
mpc->mpc_ops->mpo_ ## check (args), \
error); \
} \
mac_policy_list_unbusy(); \
} \
} while (0)
/*
* MAC_GRANT performs the designated check by walking the policy
* module list and checking with each as to how it feels about the
* request. Unlike MAC_CHECK, it grants if any policies return '0',
* and otherwise returns EPERM. Note that it returns its value via
* 'error' in the scope of the caller.
*/
#define MAC_GRANT(check, args...) do { \
struct mac_policy_conf *mpc; \
u_int i; \
\
error = EPERM; \
for (i = 0; i < mac_policy_list.staticmax; i++) { \
mpc = mac_policy_list.entries[i].mpc; \
if (mpc == NULL) \
continue; \
\
if (mpc->mpc_ops->mpo_ ## check != NULL) { \
if (mpc->mpc_ops->mpo_ ## check (args) == 0) \
error = 0; \
} \
} \
if (mac_policy_list_conditional_busy() != 0) { \
for (; i <= mac_policy_list.maxindex; i++) { \
mpc = mac_policy_list.entries[i].mpc; \
if (mpc == NULL) \
continue; \
\
if (mpc->mpc_ops->mpo_ ## check != NULL) { \
if (mpc->mpc_ops->mpo_ ## check (args) \
== 0) \
error = 0; \
} \
} \
mac_policy_list_unbusy(); \
} \
} while (0)
/*
* MAC_BOOLEAN performs the designated boolean composition by walking
* the module list, invoking each instance of the operation, and
* combining the results using the passed C operator. Note that it
* returns its value via 'result' in the scope of the caller, which
* should be initialized by the caller in a meaningful way to get
* a meaningful result.
*/
#define MAC_BOOLEAN(operation, composition, args...) do { \
struct mac_policy_conf *mpc; \
u_int i; \
\
for (i = 0; i < mac_policy_list.staticmax; i++) { \
mpc = mac_policy_list.entries[i].mpc; \
if (mpc == NULL) \
continue; \
\
if (mpc->mpc_ops->mpo_ ## operation != NULL) \
result = result composition \
mpc->mpc_ops->mpo_ ## operation \
(args); \
} \
if (mac_policy_list_conditional_busy() != 0) { \
for (; i <= mac_policy_list.maxindex; i++) { \
mpc = mac_policy_list.entries[i].mpc; \
if (mpc == NULL) \
continue; \
\
if (mpc->mpc_ops->mpo_ ## operation != NULL) \
result = result composition \
mpc->mpc_ops->mpo_ ## operation \
(args); \
} \
mac_policy_list_unbusy(); \
} \
} while (0)
#define MAC_INTERNALIZE(obj, label, instring) \
mac_internalize(offsetof(struct mac_policy_ops, mpo_ ## obj ## _label_internalize), label, instring)
#define MAC_EXTERNALIZE(obj, label, elementlist, outbuf, outbuflen) \
mac_externalize(offsetof(struct mac_policy_ops, mpo_ ## obj ## _label_externalize), label, elementlist, outbuf, outbuflen)
#define MAC_EXTERNALIZE_AUDIT(obj, label, outbuf, outbuflen) \
mac_externalize(offsetof(struct mac_policy_ops, mpo_ ## obj ## _label_externalize_audit), label, "*", outbuf, outbuflen)
/*
* MAC_PERFORM performs the designated operation by walking the policy
* module list and invoking that operation for each policy.
*/
#define MAC_PERFORM(operation, args...) do { \
struct mac_policy_conf *mpc; \
u_int i; \
\
for (i = 0; i < mac_policy_list.staticmax; i++) { \
mpc = mac_policy_list.entries[i].mpc; \
if (mpc == NULL) \
continue; \
\
if (mpc->mpc_ops->mpo_ ## operation != NULL) \
mpc->mpc_ops->mpo_ ## operation (args); \
} \
if (mac_policy_list_conditional_busy() != 0) { \
for (; i <= mac_policy_list.maxindex; i++) { \
mpc = mac_policy_list.entries[i].mpc; \
if (mpc == NULL) \
continue; \
\
if (mpc->mpc_ops->mpo_ ## operation != NULL) \
mpc->mpc_ops->mpo_ ## operation (args); \
} \
mac_policy_list_unbusy(); \
} \
} while (0)
struct __mac_get_pid_args;
struct __mac_get_proc_args;
struct __mac_set_proc_args;
struct __mac_get_lcid_args;
struct __mac_get_fd_args;
struct __mac_get_file_args;
struct __mac_get_link_args;
struct __mac_set_fd_args;
struct __mac_set_file_args;
struct __mac_syscall_args;
void mac_policy_addto_labellist(const mac_policy_handle_t, int);
void mac_policy_removefrom_labellist(const mac_policy_handle_t);
int mac_externalize(size_t mpo_externalize_off, struct label *label,
const char *elementlist, char *outbuf, size_t outbuflen);
int mac_internalize(size_t mpo_internalize_off, struct label *label,
char *elementlist);
#endif /* !_SECURITY_MAC_INTERNAL_H_ */


@ -1,107 +0,0 @@
/*
* Copyright (c) 2007 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
/*-
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _SECURITY_MAC_MACH_INTERNAL_H_
#define _SECURITY_MAC_MACH_INTERNAL_H_
#ifndef PRIVATE
#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
#endif
/* mac_do_machexc() flags */
#define MAC_DOEXCF_TRACED 0x01 /* Only do mach exeception if
being ptrace()'ed */
struct exception_action;
struct uthread;
struct task;
int mac_do_machexc(int64_t code, int64_t subcode, uint32_t flags __unused);
int mac_schedule_userret(void);
#if CONFIG_MACF
void mac_policy_init(void);
void mac_policy_initmach(void);
/* tasks */
int mac_task_check_expose_task(struct task *t);
int mac_task_check_set_host_special_port(struct task *task,
int id, struct ipc_port *port);
int mac_task_check_set_host_exception_port(struct task *task,
unsigned int exception);
int mac_task_check_set_host_exception_ports(struct task *task,
unsigned int exception_mask);
/* threads */
void act_set_astmacf(struct thread *);
void mac_thread_userret(struct thread *);
/* exception actions */
struct label *mac_exc_create_label(void);
void mac_exc_free_label(struct label *label);
void mac_exc_associate_action_label(struct exception_action *action, struct label *label);
void mac_exc_free_action_label(struct exception_action *action);
int mac_exc_update_action_label(struct exception_action *action, struct label *newlabel);
int mac_exc_inherit_action_label(struct exception_action *parent, struct exception_action *child);
int mac_exc_update_task_crash_label(struct task *task, struct label *newlabel);
int mac_exc_action_check_exception_send(struct task *victim_task, struct exception_action *action);
struct label *mac_exc_create_label_for_proc(struct proc *proc);
struct label *mac_exc_create_label_for_current_proc(void);
#endif /* MAC */
#endif /* !_SECURITY_MAC_MACH_INTERNAL_H_ */

6976
third_party/darwin/security/mac_policy.h поставляемый
