}
#ifndef UINT64_MAX
#define UINT64_MAX 18446744073709551615ULL
#endif
enum {
kIODefaultProbeScore = 0
};
// masks for getState()
enum {
kIOServiceInactiveState = 0x00000001,
kIOServiceRegisteredState = 0x00000002,
kIOServiceMatchedState = 0x00000004,
kIOServiceFirstPublishState = 0x00000008,
kIOServiceFirstMatchState = 0x00000010
};
enum {
// options for registerService()
kIOServiceExclusive = 0x00000001,
// options for terminate()
kIOServiceRequired = 0x00000001,
kIOServiceTerminate = 0x00000004,
// options for registerService() & terminate()
kIOServiceSynchronous = 0x00000002,
// options for registerService()
kIOServiceAsynchronous = 0x00000008
};
// options for open()
enum {
kIOServiceSeize = 0x00000001,
kIOServiceFamilyOpenOptions = 0xffff0000
};
// options for close()
enum {
kIOServiceFamilyCloseOptions = 0xffff0000
};
typedef void * IONotificationRef;
extern const IORegistryPlane * gIOServicePlane;
extern const IORegistryPlane * gIOPowerPlane;
extern const OSSymbol * gIOResourcesKey;
extern const OSSymbol * gIOResourceMatchKey;
extern const OSSymbol * gIOProviderClassKey;
extern const OSSymbol * gIONameMatchKey;
extern const OSSymbol * gIONameMatchedKey;
extern const OSSymbol * gIOPropertyMatchKey;
extern const OSSymbol * gIOLocationMatchKey;
extern const OSSymbol * gIOParentMatchKey;
extern const OSSymbol * gIOPathMatchKey;
extern const OSSymbol * gIOMatchCategoryKey;
extern const OSSymbol * gIODefaultMatchCategoryKey;
extern const OSSymbol * gIOMatchedServiceCountKey;
extern const OSSymbol * gIOUserClientClassKey;
extern const OSSymbol * gIOKitDebugKey;
extern const OSSymbol * gIOServiceKey;
extern const OSSymbol * gIOCommandPoolSizeKey;
extern const OSSymbol * gIOPublishNotification;
extern const OSSymbol * gIOFirstPublishNotification;
extern const OSSymbol * gIOMatchedNotification;
extern const OSSymbol * gIOFirstMatchNotification;
extern const OSSymbol * gIOTerminatedNotification;
extern const OSSymbol * gIOGeneralInterest;
extern const OSSymbol * gIOBusyInterest;
extern const OSSymbol * gIOOpenInterest;
extern const OSSymbol * gIOAppPowerStateInterest;
extern const OSSymbol * gIOPriorityPowerStateInterest;
extern const OSSymbol * gIOConsoleSecurityInterest;
extern const OSSymbol * gIODeviceMemoryKey;
extern const OSSymbol * gIOInterruptControllersKey;
extern const OSSymbol * gIOInterruptSpecifiersKey;
extern SInt32 IOServiceOrdering( const OSMetaClassBase * inObj1, const OSMetaClassBase * inObj2, void * ref );
typedef void (*IOInterruptAction)( OSObject * target, void * refCon,
IOService * nub, int source );
/*! @typedef IOServiceNotificationHandler
@param target Reference supplied when the notification was registered.
@param refCon Reference constant supplied when the notification was registered.
@param newService The IOService object the notification is delivering. It is retained for the duration of the handler's invocation and doesn't need to be released by the handler. */
typedef bool (*IOServiceNotificationHandler)( void * target, void * refCon,
IOService * newService );
typedef bool (*IOServiceMatchingNotificationHandler)( void * target, void * refCon,
IOService * newService,
IONotifier * notifier );
/*! @typedef IOServiceInterestHandler
@param target Reference supplied when the notification was registered.
@param refCon Reference constant supplied when the notification was registered.
@param messageType Type of the message - IOKit defined in IOKit/IOMessage.h or family specific.
@param provider The IOService object who is delivering the notification. It is retained for the duration of the handler's invocation and doesn't need to be released by the handler.
@param messageArgument An argument for message, dependent on its type.
@param argSize Non zero if the argument represents a struct of that size, used when delivering messages outside the kernel. */
typedef IOReturn (*IOServiceInterestHandler)( void * target, void * refCon,
UInt32 messageType, IOService * provider,
void * messageArgument, vm_size_t argSize );
typedef void (*IOServiceApplierFunction)(IOService * service, void * context);
typedef void (*OSObjectApplierFunction)(OSObject * object, void * context);
class IOUserClient;
class IOPlatformExpert;
/*! @class IOService
@abstract The base class for most I/O Kit families, devices, and drivers.
@discussion The IOService base class defines APIs used to publish services, instantiate other services based on the existance of a providing service (ie. driver stacking), destroy a service and its dependent stack, notify interested parties of service state changes, and general utility functions useful across all families.
Types of service are specified with a matching dictionary that describes properties of the service. For example, a matching dictionary might describe any IOUSBDevice (or subclass), an IOUSBDevice with a certain class code, or a IOPCIDevice with a set of matching names or device & vendor IDs. Since the matching dictionary is interpreted by the family which created the service, as well as generically by IOService, the list of properties considered for matching depends on the familiy.
Matching dictionaries are associated with IOService classes by the catalogue, as driver property tables, and also supplied by clients of the notification APIs.
IOService provides matching based on C++ class (via OSMetaClass dynamic casting), registry entry name, a registry path to the service (which includes device tree paths), a name assigned by BSD, or by its location (its point of attachment).
kIOProbeScoreKey ("IOProbeScore") property in the dictionary, or supplied with the notification.
Each entry in the list is then processed in order - for notifications, the notification is delivered, for driver property tables a lot more happens.
The driver class is instantiated and init() called with its property table. The new driver instance is then attached to the provider, and has its @link probe probe@/link method called with the provider as an argument. The default probe method does nothing but return success, but a driver may implement this method to interrogate the provider to make sure it can work with it. It may also modify its probe score at this time. After probe, the driver is detached and the next in the list is considered (ie. attached, probed, and detached).
When the probing phase is complete, the list consists of successfully probed drivers, in order of their probe score (after adjustment during the @link probe probe@/link call). The list is then divided into categories based on the kIOMatchCategoryKey property ("IOMatchCategory"); drivers without a match category are all considered in one default category. Match categories allow multiple clients of a provider to be attached and started, though the provider may also enforce open/close semantics to gain active access to it.
For each category, the highest scoring driver in that category is attached to the provider, and its @link start start@/link method called. If start is successful, the rest of the drivers in the same match category are discarded, otherwise the next highest scoring driver is started, and so on.
The driver should only consider itself in action when the start method is called, meaning it has been selected for use on the provider, and consuming that particular match category. It should also be prepared to be allocated, probed and freed even if the probe was successful.
After the drivers have all synchronously been started, the installed "matched" notifications that match the registered IOService are delivered.
kIOClassKey, extern const OSSymbol * gIOClassKey, "IOClass"
kIOProviderClassKey, extern const OSSymbol * gIOProviderClassKey, "IOProviderClass"
kIOProbeScoreKey, extern const OSSymbol * gIOProbeScoreKey, "IOProbeScore"
kIOMatchCategoryKey, extern const OSSymbol * gIOMatchCategoryKey, "IOMatchCategory"
IOMatchCategory property are considered to be in the same default category. Only one driver in a category can be started on each provider.
kIONameMatchKey, extern const OSSymbol * gIONameMatchKey, "IONameMatch"
kIONameMatchedKey property.
@textblock
IONameMatch
pci106b,7
@/textblock
For a list of possible matching names, a serialized array of strings should used, eg.
@textblock
IONameMatch
APPL,happy16
pci106b,7
@/textblock
kIONameMatchedKey, extern const OSSymbol * gIONameMatchedKey, "IONameMatched"
kIONameMatchKey property will be left in the driver's property table as the kIONameMatchedKey property.
kIOPropertyMatchKey, extern const OSSymbol * gIOPropertyMatchKey, "IOPropertyMatch"
isEqualTo method.
@textblock
IOPropertyMatch
APPL,happy16
APPL,meek8
@/textblock
kIOUserClientClassKey, extern const OSSymbol * gIOUserClientClassKey, "IOUserClientClass"
kIOKitDebugKey, extern const OSSymbol * gIOKitDebugKey, "IOKitDebug"
IOKit/IOKitDebug.h, but 65535 works well.*/
class IOService : public IORegistryEntry
{
OSDeclareDefaultStructors(IOService)
protected:
/*! @struct ExpansionData
@discussion This structure will be used to expand the capablilties of this class in the future.
*/
struct ExpansionData { };
/*! @var reserved
Reserved for future use. (Internal use only) */
ExpansionData * reserved;
private:
IOService * __provider;
SInt32 __providerGeneration;
IOService * __owner;
IOOptionBits __state[2];
uint64_t __timeBusy;
uint64_t __accumBusy;
IOServicePM * pwrMgt;
protected:
// TRUE once PMinit has been called
bool initialized;
public:
// DEPRECATED
void * pm_vars;
public:
/* methods available in Mac OS X 10.1 or later */
/*! @function requestTerminate
@abstract Passes a termination up the stack.
@discussion When an IOService is made inactive the default behavior is to also make any of its clients that have it as their only provider also inactive, in this way recursing the termination up the driver stack. This method allows an IOService object to override this behavior. Returning true from this method when passed a just terminated provider will cause the client to also be terminated.
@param provider The terminated provider of this object.
@param options Options originally passed to terminate, plus kIOServiceRecursing.
@result true if this object should be terminated now that its provider has been. */
virtual bool requestTerminate( IOService * provider, IOOptionBits options );
/*! @function willTerminate
@abstract Passes a termination up the stack.
@discussion Notification that a provider has been terminated, sent before recursing up the stack, in root-to-leaf order.
@param provider The terminated provider of this object.
@param options Options originally passed to terminate.
@result true. */
virtual bool willTerminate( IOService * provider, IOOptionBits options );
/*! @function didTerminate
@abstract Passes a termination up the stack.
@discussion Notification that a provider has been terminated, sent after recursing up the stack, in leaf-to-root order.
@param provider The terminated provider of this object.
@param options Options originally passed to terminate.
@param defer If there is pending I/O that requires this object to persist, and the provider is not opened by this object set defer to true and call the IOService::didTerminate() implementation when the I/O completes. Otherwise, leave defer set to its default value of false.
@result true. */
virtual bool didTerminate( IOService * provider, IOOptionBits options, bool * defer );
/*! @function nextIdleTimeout
@availability Mac OS X v10.4 and later
@abstract Allows subclasses to customize idle power management behavior.
@discussion Returns the next time that the device should idle into its next lower power state. Subclasses may override for custom idle behavior.
A power managed driver might override this method to provide a more sophisticated idle power off algorithm than the one defined by power management.
@param currentTime The current time
@param lastActivity The time of last activity on this device
@param powerState The device's current power state.
@result Returns the next time the device should idle off (in seconds, relative to the current time). */
virtual SInt32 nextIdleTimeout(AbsoluteTime currentTime,
AbsoluteTime lastActivity, unsigned int powerState);
/*! @function systemWillShutdown
@availability Mac OS X v10.5 and later
@abstract Notifies members of the power plane of system shutdown and restart.
@discussion This function is called for all members of the power plane in leaf-to-root order. If a subclass needs to wait for a pending I/O, then the call to systemWillShutdown should be postponed until the I/O completes.
Any power managed driver (which has called @link joinPMtree joinPMtree@/link to join the power plane) interested in taking action at system shutdown or restart should override this method.
@param specifier kIOMessageSystemWillPowerOff or kIOMessageSystemWillRestart. */
virtual void systemWillShutdown( IOOptionBits specifier );
/*! @function copyClientWithCategory
@availability Mac OS X v10.6 and later
@param category An OSSymbol corresponding to an IOMatchCategory matching property.
@result Returns a reference to the IOService child with the given category. The result should be released by the caller.
*/
virtual IOService * copyClientWithCategory( const OSSymbol * category );
private:
#if __LP64__
OSMetaClassDeclareReservedUnused(IOService, 0);
OSMetaClassDeclareReservedUnused(IOService, 1);
OSMetaClassDeclareReservedUnused(IOService, 2);
OSMetaClassDeclareReservedUnused(IOService, 3);
OSMetaClassDeclareReservedUnused(IOService, 4);
OSMetaClassDeclareReservedUnused(IOService, 5);
#else
OSMetaClassDeclareReservedUsed(IOService, 0);
OSMetaClassDeclareReservedUsed(IOService, 1);
OSMetaClassDeclareReservedUsed(IOService, 2);
OSMetaClassDeclareReservedUsed(IOService, 3);
OSMetaClassDeclareReservedUsed(IOService, 4);
OSMetaClassDeclareReservedUsed(IOService, 5);
#endif
OSMetaClassDeclareReservedUnused(IOService, 6);
OSMetaClassDeclareReservedUnused(IOService, 7);
OSMetaClassDeclareReservedUnused(IOService, 8);
OSMetaClassDeclareReservedUnused(IOService, 9);
OSMetaClassDeclareReservedUnused(IOService, 10);
OSMetaClassDeclareReservedUnused(IOService, 11);
OSMetaClassDeclareReservedUnused(IOService, 12);
OSMetaClassDeclareReservedUnused(IOService, 13);
OSMetaClassDeclareReservedUnused(IOService, 14);
OSMetaClassDeclareReservedUnused(IOService, 15);
OSMetaClassDeclareReservedUnused(IOService, 16);
OSMetaClassDeclareReservedUnused(IOService, 17);
OSMetaClassDeclareReservedUnused(IOService, 18);
OSMetaClassDeclareReservedUnused(IOService, 19);
OSMetaClassDeclareReservedUnused(IOService, 20);
OSMetaClassDeclareReservedUnused(IOService, 21);
OSMetaClassDeclareReservedUnused(IOService, 22);
OSMetaClassDeclareReservedUnused(IOService, 23);
OSMetaClassDeclareReservedUnused(IOService, 24);
OSMetaClassDeclareReservedUnused(IOService, 25);
OSMetaClassDeclareReservedUnused(IOService, 26);
OSMetaClassDeclareReservedUnused(IOService, 27);
OSMetaClassDeclareReservedUnused(IOService, 28);
OSMetaClassDeclareReservedUnused(IOService, 29);
OSMetaClassDeclareReservedUnused(IOService, 30);
OSMetaClassDeclareReservedUnused(IOService, 31);
OSMetaClassDeclareReservedUnused(IOService, 32);
OSMetaClassDeclareReservedUnused(IOService, 33);
OSMetaClassDeclareReservedUnused(IOService, 34);
OSMetaClassDeclareReservedUnused(IOService, 35);
OSMetaClassDeclareReservedUnused(IOService, 36);
OSMetaClassDeclareReservedUnused(IOService, 37);
OSMetaClassDeclareReservedUnused(IOService, 38);
OSMetaClassDeclareReservedUnused(IOService, 39);
OSMetaClassDeclareReservedUnused(IOService, 40);
OSMetaClassDeclareReservedUnused(IOService, 41);
OSMetaClassDeclareReservedUnused(IOService, 42);
OSMetaClassDeclareReservedUnused(IOService, 43);
OSMetaClassDeclareReservedUnused(IOService, 44);
OSMetaClassDeclareReservedUnused(IOService, 45);
OSMetaClassDeclareReservedUnused(IOService, 46);
OSMetaClassDeclareReservedUnused(IOService, 47);
public:
/*! @function getState
@abstract Accessor for IOService state bits, not normally needed or used outside IOService.
@result State bits for the IOService, eg. kIOServiceInactiveState, kIOServiceRegisteredState. */
virtual IOOptionBits getState( void ) const;
/*! @function isInactive
@abstract Checks if the IOService object has been terminated, and is in the process of being destroyed.
@discussion When an IOService object is successfully terminated, it is immediately made inactive, which blocks further attach()es, matching or notifications occuring on the object. It remains inactive until the last client closes, and is then finalized and destroyed.
@result true if the IOService object has been terminated. */
bool isInactive( void ) const;
/* Stack creation */
/*! @function registerService
@abstract Starts the registration process for a newly discovered IOService object.
@discussion This function allows an IOService subclass to be published and made available to possible clients, by starting the registration process and delivering notifications to registered clients. The object should be completely setup and ready to field requests from clients before registerService is called.
@param options The default zero options mask is recommended and should be used in most cases. The registration process is usually asynchronous, with possible driver probing and notification occurring some time later. kIOServiceSynchronous may be passed to carry out the matching and notification process for currently registered clients before returning to the caller. */
virtual void registerService( IOOptionBits options = 0 );
/*! @function probe
@abstract During an IOService object's instantiation, probes a matched service to see if it can be used.
@discussion The registration process for an IOService object (the provider) includes instantiating possible driver clients. The probe method is called in the client instance to check the matched service can be used before the driver is considered to be started. Since matching screens many possible providers, in many cases the probe method can be left unimplemented by IOService subclasses. The client is already attached to the provider when probe is called.
@param provider The registered IOService object that matches a driver personality's matching dictionary.
@param score Pointer to the current driver's probe score, which is used to order multiple matching drivers in the same match category. It defaults to the value of the IOProbeScore property in the drivers property table, or kIODefaultProbeScore if none is specified. The probe method may alter the score to affect start order.
@result An IOService instance or zero when the probe is unsuccessful. In almost all cases the value of this is returned on success. If another IOService object is returned, the probed instance is detached and freed, and the returned instance is used in its stead for start. */
virtual IOService * probe( IOService * provider,
SInt32 * score );
/*! @function start
@abstract During an IOService object's instantiation, starts the IOService object that has been selected to run on the provider.
@discussion The start method of an IOService instance is called by its provider when it has been selected (due to its probe score and match category) as the winning client. The client is already attached to the provider when start is called.start must call start on their superclass at an appropriate point. If an implementation of start has already called super::start but subsequently determines that it will fail, it must call super::stop to balance the prior call to super::start and prevent reference leaks.
@result true if the start was successful; false otherwise (which will cause the instance to be detached and usually freed). */
virtual bool start( IOService * provider );
/*! @function stop
@abstract During an IOService termination, the stop method is called in its clients before they are detached & it is destroyed.
@discussion The termination process for an IOService (the provider) will call stop in each of its clients, after they have closed the provider if they had it open, or immediately on termination. */
virtual void stop( IOService * provider );
/* Open / Close */
/*! @function open
@abstract Requests active access to a provider.
@discussion IOService provides generic open and close semantics to track clients of a provider that have established an active datapath. The use of open and @link close close@/link, and rules regarding ownership are family defined, and defined by the @link handleOpen handleOpen@/link and @link handleClose handleClose@/link methods in the provider. Some families will limit access to a provider based on its open state.
@param forClient Designates the client of the provider requesting the open.
@param options Options for the open. The provider family may implement options for open; IOService defines only kIOServiceSeize to request the device be withdrawn from its current owner.
@result true if the open was successful; false otherwise. */
virtual bool open( IOService * forClient,
IOOptionBits options = 0,
void * arg = 0 );
/*! @function close
@abstract Releases active access to a provider.
@discussion IOService provides generic open and close semantics to track clients of a provider that have established an active datapath. The use of @link open open@/link and close, and rules regarding ownership are family defined, and defined by the @link handleOpen handleOpen@/link and @link handleClose handleClose@/link methods in the provider.
@param forClient Designates the client of the provider requesting the close.
@param options Options available for the close. The provider family may implement options for close; IOService defines none.
@param arg Family specific arguments which are ignored by IOService. */
virtual void close( IOService * forClient,
IOOptionBits options = 0 );
/*! @function isOpen
@abstract Determines whether a specific, or any, client has an IOService object open.
@discussion Returns the open state of an IOService object with respect to the specified client, or when it is open by any client.
@param forClient If non-zero, open. The object is locked via @link lockForArbitration lockForArbitration@/link before handleOpen is called.
@param forClient Designates the client of the provider requesting the open.
@param options Options for the open, may be interpreted by the implementor of handleOpen.
@result trueif the open was successful; false otherwise. */
virtual bool handleOpen( IOService * forClient,
IOOptionBits options,
void * arg );
/*! @function handleClose
@abstract Controls the open / close behavior of an IOService object (overrideable by subclasses).
@discussion IOService calls this method in its subclasses in response to the @link close close@/link method, so the subclass may implement the request. The default implementation provides single owner access to an IOService object via @link open open@/link. The object is locked via @link lockForArbitration lockForArbitration@/link before handleClose is called.
@param forClient Designates the client of the provider requesting the close.
@param options Options for the close, may be interpreted by the implementor of @link handleOpen handleOpen@/link. */
virtual void handleClose( IOService * forClient,
IOOptionBits options );
/*! @function handleIsOpen
@abstract Controls the open / close behavior of an IOService object (overrideable by subclasses).
@discussion IOService calls this method in its subclasses in response to the @link open open@/link method, so the subclass may implement the request. The default implementation provides single owner access to an IOService object via @link open open@/link. The object is locked via @link lockForArbitration lockForArbitration@/link before handleIsOpen is called.
@param forClient If non-zero, isOpen returns the open state for that client. If zero is passed, isOpen returns the open state for all clients.
@result true if the specific, or any, client has the IOService object open. */
virtual bool handleIsOpen( const IOService * forClient ) const;
/* Stacking change */
/*! @function terminate
@abstract Makes an IOService object inactive and begins its destruction.
@discussion Registering an IOService object informs possible clients of its existance and instantiates drivers that may be used with it; terminate involves the opposite process of informing clients that an IOService object is no longer able to be used and will be destroyed. By default, if any client has the service open, terminate fails. If the kIOServiceRequired flag is passed however, terminate will be successful though further progress in the destruction of the IOService object will not proceed until the last client has closed it. The service will be made inactive immediately upon successful termination, and all its clients will be notified via their @link message message@/link method with a message of type kIOMessageServiceIsTerminated. Both these actions take place on the caller's thread. After the IOService object is made inactive, further matching or attach calls will fail on it. Each client has its @link stop stop@/link method called upon their close of an inactive IOService object , or on its termination if they do not have it open. After stop, @link detach detach@/link is called in each client. When all clients have been detached, the @link finalize finalize@/link method is called in the inactive service. The termination process is inherently asynchronous because it will be deferred until all clients have chosen to close.
@param options In most cases no options are needed. kIOServiceSynchronous may be passed to cause terminate to not return until the service is finalized. */
virtual bool terminate( IOOptionBits options = 0 );
/*! @function finalize
@abstract Finalizes the destruction of an IOService object.
@discussion The finalize method is called in an inactive (ie. terminated) IOService object after the last client has detached. IOService's implementation will call @link stop stop@/link, @link close close@/link, and @link detach detach@/link on each provider. When finalize returns, the object's retain count will have no references generated by IOService's registration process.
@param options The options passed to the @link terminate terminate@/link method of the IOService object are passed on to finalize.
@result true. */
virtual bool finalize( IOOptionBits options );
/*! @function free
@abstract Frees data structures that were allocated when power management was initialized on this service. */
virtual void free( void ) override;
/*! @function lockForArbitration
@abstract Locks an IOService object against changes in state or ownership.
@discussion The registration, termination and open / close functions of IOService use lockForArbtration to single-thread access to an IOService object. lockForArbitration grants recursive access to the same thread.
@param isSuccessRequired If a request for access to an IOService object should be denied if it is terminated, pass false, otherwise pass true. */
virtual bool lockForArbitration( bool isSuccessRequired = true );
/*! @function unlockForArbitration
@abstract Unlocks an IOService obkect after a successful @link lockForArbitration lockForArbitration@/link.
@discussion A thread granted exclusive access to an IOService object should release it with unlockForArbitration. */
virtual void unlockForArbitration( void );
/*! @function terminateClient
@abstract Passes a termination up the stack.
@discussion When an IOService object is made inactive the default behavior is to also make any of its clients that have it as their only provider inactive, in this way recursing the termination up the driver stack. This method allows a terminated IOService object to override this behavior. Note the client may also override this behavior by overriding its @link terminate terminate@/link method.
@param client The client of the terminated provider.
@param options Options originally passed to @link terminate terminate@/link, plus kIOServiceRecursing.
@result result of the terminate request on the client. */
virtual bool terminateClient( IOService * client, IOOptionBits options );
/* Busy state indicates discovery, matching or termination is in progress */
/*! @function getBusyState
@abstract Returns the busyState of an IOService object.
@discussion Many activities in IOService are asynchronous. When registration, matching, or termination is in progress on an IOService object, its busyState is increased by one. Change in busyState to or from zero also changes the IOService object's provider's busyState by one, which means that an IOService object is marked busy when any of the above activities is ocurring on it or any of its clients.
@result The busyState value. */
virtual UInt32 getBusyState( void );
/*! @function adjustBusy
@abstract Adjusts the busyState of an IOService object.
@discussion Applies a delta to an IOService object's busyState. A change in the busyState to or from zero will change the IOService object's provider's busyState by one (in the same direction).
@param delta The delta to be applied to the IOService object's busyState. */
virtual void adjustBusy( SInt32 delta );
APPLE_KEXT_COMPATIBILITY_VIRTUAL
IOReturn waitQuiet(mach_timespec_t * timeout)
APPLE_KEXT_DEPRECATED;
/*! @function waitQuiet
@abstract Waits for an IOService object's busyState to be zero.
@discussion Blocks the caller until an IOService object is non busy.
@param timeout The maximum time to wait in nanoseconds. Default is to wait forever.
@result Returns an error code if Mach synchronization primitives fail, kIOReturnTimeout, or kIOReturnSuccess. */
IOReturn waitQuiet(uint64_t timeout = UINT64_MAX);
/* Matching */
/*! @function matchPropertyTable
@abstract Allows a registered IOService object to implement family specific matching.
@discussion All matching on an IOService object will call this method to allow a family writer to implement matching in addition to the generic methods provided by IOService. The implementer should examine the matching dictionary passed to see if it contains properties the family understands for matching, and use them to match with the IOService object if so. Note that since matching is also carried out by other parts of the I/O Kit, the matching dictionary may contain properties the family does not understand - these should not be considered matching failures.
@param table The dictionary of properties to be matched against.
@param score Pointer to the current driver's probe score, which is used to order multiple matching drivers in the same match category. It defaults to the value of the IOProbeScore property in the drivers property table, or kIODefaultProbeScore if none is specified.
@result false if the family considers the matching dictionary does not match in properties it understands; true otherwise. */
virtual bool matchPropertyTable( OSDictionary * table,
SInt32 * score );
virtual bool matchPropertyTable( OSDictionary * table );
/*! @function matchLocation
@abstract Allows a registered IOService object to direct location matching.
@discussion By default, a location matching property will be applied to an IOService object's provider. This method allows that behavior to be overridden by families.
@param client The IOService object at which matching is taking place.
@result Returns the IOService instance to be used for location matching. */
virtual IOService * matchLocation( IOService * client );
/* Resource service */
/*! @function publishResource
@abstract Uses the resource service to publish a property.
@discussion The resource service uses IOService's matching and notification to allow objects to be published and found by any I/O Kit client by a global name. publishResource makes an object available to anyone waiting for it or looking for it in the future.
@param key An OSSymbol key that globally identifies the object.
@param The object to be published. */
static void publishResource( const OSSymbol * key, OSObject * value = 0 );
/*! @function publishResource
@abstract Uses the resource service to publish a property.
@discussion The resource service uses IOService object's matching and notification to allow objects to be published and found by any I/O Kit client by a global name. publishResource makes an object available to anyone waiting for it or looking for it in the future.
@param key A C string key that globally identifies the object.
@param The object to be published. */
static void publishResource( const char * key, OSObject * value = 0 );
virtual bool addNeededResource( const char * key );
/* Notifications */
/*! @function addNotification
@abstract Deprecated use addMatchingNotification(). Adds a persistant notification handler to be notified of IOService events.
@discussion IOService will deliver notifications of changes in state of an IOService object to registered clients. The type of notification is specified by a symbol, for example gIOMatchedNotification or gIOTerminatedNotification, and notifications will only include IOService objects that match the supplied matching dictionary. Notifications are ordered by a priority set with addNotification. When the notification is installed, its handler will be called with each of any currently existing IOService objects that are in the correct state (eg. registered) and match the supplied matching dictionary, avoiding races between finding preexisting and new IOService events. The notification request is identified by an instance of an IONotifier object, through which it can be enabled, disabled, or removed. addNotification consumes a retain count on the matching dictionary when the notification is removed.
@param type An OSSymbol identifying the type of notification and IOService state:
gIOPublishNotification Delivered when an IOService object is registered.
gIOFirstPublishNotification Delivered when an IOService object is registered, but only once per IOService instance. Some IOService objects may be reregistered when their state is changed.
gIOMatchedNotification Delivered when an IOService object has been matched with all client drivers, and they have been probed and started.
gIOFirstMatchNotification Delivered when an IOService object has been matched with all client drivers, but only once per IOService instance. Some IOService objects may be reregistered when their state is changed.
gIOTerminatedNotification Delivered after an IOService object has been terminated, during its finalize stage.
@param matching A matching dictionary to restrict notifications to only matching IOService objects. The dictionary will be released when the notification is removed, consuming the passed-in reference.
@param handler A C function callback to deliver notifications.
@param target An instance reference for the callback's use.
@param ref A reference constant for the callback's use.
@param priority A constant ordering all notifications of a each type.
@result An instance of an IONotifier object that can be used to control or destroy the notification request. */
static IONotifier * addNotification(
const OSSymbol * type, OSDictionary * matching,
IOServiceNotificationHandler handler,
void * target, void * ref = 0,
SInt32 priority = 0 )
APPLE_KEXT_DEPRECATED;
/*! @function addMatchingNotification
@abstract Adds a persistant notification handler to be notified of IOService events.
@discussion IOService will deliver notifications of changes in state of an IOService object to registered clients. The type of notification is specified by a symbol, for example gIOMatchedNotification or gIOTerminatedNotification, and notifications will only include IOService objects that match the supplied matching dictionary. Notifications are ordered by a priority set with addNotification. When the notification is installed, its handler will be called with each of any currently existing IOService objects that are in the correct state (eg. registered) and match the supplied matching dictionary, avoiding races between finding preexisting and new IOService events. The notification request is identified by an instance of an IONotifier object, through which it can be enabled, disabled, or removed. addMatchingNotification does not consume a reference on the matching dictionary when the notification is removed, unlike addNotification.
@param type An OSSymbol identifying the type of notification and IOService state:
gIOPublishNotification Delivered when an IOService object is registered.
gIOFirstPublishNotification Delivered when an IOService object is registered, but only once per IOService instance. Some IOService objects may be reregistered when their state is changed.
gIOMatchedNotification Delivered when an IOService object has been matched with all client drivers, and they have been probed and started.
gIOFirstMatchNotification Delivered when an IOService object has been matched with all client drivers, but only once per IOService instance. Some IOService objects may be reregistered when their state is changed.
gIOTerminatedNotification Delivered after an IOService object has been terminated, during its finalize stage.
@param matching A matching dictionary to restrict notifications to only matching IOService objects. The dictionary is retained while the notification is installed. (Differs from addNotification).
@param handler A C function callback to deliver notifications.
@param target An instance reference for the callback's use.
@param ref A reference constant for the callback's use.
@param priority A constant ordering all notifications of a each type.
@result An instance of an IONotifier object that can be used to control or destroy the notification request. */
static IONotifier * addMatchingNotification(
const OSSymbol * type, OSDictionary * matching,
IOServiceMatchingNotificationHandler handler,
void * target, void * ref = 0,
SInt32 priority = 0 );
/*! @function waitForService
@abstract Deprecated use waitForMatchingService(). Waits for a matching to service to be published.
@discussion Provides a method of waiting for an IOService object matching the supplied matching dictionary to be registered and fully matched.
@param matching The matching dictionary describing the desired IOService object. waitForService consumes one reference of the matching dictionary.
@param timeout The maximum time to wait.
@result A published IOService object matching the supplied dictionary. */
static IOService * waitForService( OSDictionary * matching,
mach_timespec_t * timeout = 0);
/*! @function waitForMatchingService
@abstract Waits for a matching to service to be published.
@discussion Provides a method of waiting for an IOService object matching the supplied matching dictionary to be registered and fully matched.
@param matching The matching dictionary describing the desired IOService object. (Does not consume a reference of the matching dictionary - differs from waitForService() which does consume a reference on the matching dictionary.)
@param timeout The maximum time to wait in nanoseconds. Default is to wait forever.
@result A published IOService object matching the supplied dictionary. waitForMatchingService returns a reference to the IOService which should be released by the caller. (Differs from waitForService() which does not retain the returned object.) */
static IOService * waitForMatchingService( OSDictionary * matching,
uint64_t timeout = UINT64_MAX);
/*! @function getMatchingServices
@abstract Finds the set of current published IOService objects matching a matching dictionary.
@discussion Provides a method of finding the current set of published IOService objects matching the supplied matching dictionary.
@param matching The matching dictionary describing the desired IOService objects.
@result An instance of an iterator over a set of IOService objects. To be released by the caller. */
static OSIterator * getMatchingServices( OSDictionary * matching );
/*! @function copyMatchingService
@abstract Finds one of the current published IOService objects matching a matching dictionary.
@discussion Provides a method to find one member of the set of published IOService objects matching the supplied matching dictionary.
@param matching The matching dictionary describing the desired IOService object.
@result The IOService object or NULL. To be released by the caller. */
static IOService * copyMatchingService( OSDictionary * matching );
public:
/* Helpers to make matching dictionaries for simple cases,
* they add keys to an existing dictionary, or create one. */
/*! @function serviceMatching
@abstract Creates a matching dictionary, or adds matching properties to an existing dictionary, that specify an IOService class match.
@discussion A very common matching criteria for IOService object is based on its class. serviceMatching creates a matching dictionary that specifies any IOService object of a class, or its subclasses. The class is specified by name, and an existing dictionary may be passed in, in which case the matching properties will be added to that dictionary rather than creating a new one.
@param className The class name, as a const C string. Class matching is successful on IOService objects of this class or any subclass.
@param table If zero, serviceMatching creates a matching dictionary and returns a reference to it, otherwise the matching properties are added to the specified dictionary.
@result The matching dictionary created, or passed in, is returned on success, or zero on failure. */
static OSDictionary * serviceMatching( const char * className,
OSDictionary * table = 0 );
/*! @function serviceMatching
@abstract Creates a matching dictionary, or adds matching properties to an existing dictionary, that specify an IOService class match.
@discussion A very common matching criteria for IOService object is based on its class. serviceMatching creates a matching dictionary that specifies any IOService of a class, or its subclasses. The class is specified by name, and an existing dictionary may be passed in, in which case the matching properties will be added to that dictionary rather than creating a new one.
@param className The class name, as an OSString (which includes OSSymbol). Class matching is successful on IOService objects of this class or any subclass.
@param table If zero, serviceMatching creates a matching dictionary and returns a reference to it, otherwise the matching properties are added to the specified dictionary.
@result The matching dictionary created, or passed in, is returned on success, or zero on failure. */
static OSDictionary * serviceMatching( const OSString * className,
OSDictionary * table = 0 );
/*! @function nameMatching
@abstract Creates a matching dictionary, or adds matching properties to an existing dictionary, that specify an IOService name match.
@discussion A very common matching criteria for IOService object is based on its name. nameMatching creates a matching dictionary that specifies any IOService object which responds successfully to the @link //apple_ref/cpp/instm/IORegistryEntry/compareName/virtualbool/(OSString*,OSString**) IORegistryEntry::compareName@/link method. An existing dictionary may be passed in, in which case the matching properties will be added to that dictionary rather than creating a new one.
@param name The service's name, as a const C string. Name matching is successful on IOService objects that respond successfully to the IORegistryEntry::compareName method.
@param table If zero, nameMatching creates a matching dictionary and returns a reference to it, otherwise the matching properties are added to the specified dictionary.
@result The matching dictionary created, or passed in, is returned on success, or zero on failure. */
static OSDictionary * nameMatching( const char * name,
OSDictionary * table = 0 );
/*! @function nameMatching
@abstract Creates a matching dictionary, or adds matching properties to an existing dictionary, that specify an IOService name match.
@discussion A very common matching criteria for IOService object is based on its name. nameMatching creates a matching dictionary that specifies any IOService object which responds successfully to the @link //apple_ref/cpp/instm/IORegistryEntry/compareName/virtualbool/(OSString*,OSString**) IORegistryEntry::compareName@/link method. An existing dictionary may be passed in, in which case the matching properties will be added to that dictionary rather than creating a new one.
@param name The service's name, as an OSString (which includes OSSymbol). Name matching is successful on IOService objects that respond successfully to the IORegistryEntry::compareName method.
@param table If zero, nameMatching creates a matching dictionary and returns a reference to it, otherwise the matching properties are added to the specified dictionary.
@result The matching dictionary created, or passed in, is returned on success, or zero on failure. */
static OSDictionary * nameMatching( const OSString* name,
OSDictionary * table = 0 );
/*! @function resourceMatching
@abstract Creates a matching dictionary, or adds matching properties to an existing dictionary, that specify a resource service match.
@discussion IOService maintains a resource service IOResources that allows objects to be published and found globally in the I/O Kit based on a name, using the standard IOService matching and notification calls.
@param name The resource name, as a const C string. Resource matching is successful when an object by that name has been published with the publishResource method.
@param table If zero, resourceMatching creates a matching dictionary and returns a reference to it, otherwise the matching properties are added to the specified dictionary.
@result The matching dictionary created, or passed in, is returned on success, or zero on failure. */
static OSDictionary * resourceMatching( const char * name,
OSDictionary * table = 0 );
/*! @function resourceMatching
@abstract Creates a matching dictionary, or adds matching properties to an existing dictionary, that specify a resource service match.
@discussion IOService maintains a resource service IOResources that allows objects to be published and found globally in the I/O Kit based on a name, using the standard IOService matching and notification calls.
@param name The resource name, as an OSString (which includes OSSymbol). Resource matching is successful when an object by that name has been published with the publishResource method.
@param table If zero, resourceMatching creates a matching dictionary and returns a reference to it, otherwise the matching properties are added to the specified dictionary.
@result The matching dictionary created, or passed in, is returned on success, or zero on failure. */
static OSDictionary * resourceMatching( const OSString * name,
OSDictionary * table = 0 );
/*! @function propertyMatching
@abstract Creates a matching dictionary, or adds matching properties to an existing dictionary, that specify an IOService phandle match.
@discussion TODO A very common matching criteria for IOService is based on its name. nameMatching will create a matching dictionary that specifies any IOService which respond successfully to the IORegistryEntry method compareName. An existing dictionary may be passed in, in which case the matching properties will be added to that dictionary rather than creating a new one.
@param key The service's phandle, as a const UInt32. PHandle matching is successful on IOService objects that respond successfully to the IORegistryEntry method compareName.
@param value The service's phandle, as a const UInt32. PHandle matching is successful on IOService's which respond successfully to the IORegistryEntry method compareName.
@param table If zero, nameMatching will create a matching dictionary and return a reference to it, otherwise the matching properties are added to the specified dictionary.
@result The matching dictionary created, or passed in, is returned on success, or zero on failure. */
static OSDictionary * propertyMatching( const OSSymbol * key, const OSObject * value,
OSDictionary * table = 0 );
/*! @function registryEntryIDMatching
@abstract Creates a matching dictionary, or adds matching properties to an existing dictionary, that specify a IORegistryEntryID match.
@discussion registryEntryIDMatching creates a matching dictionary that specifies the IOService object with the assigned registry entry ID (returned by IORegistryEntry::getRegistryEntryID()). An existing dictionary may be passed in, in which case the matching properties will be added to that dictionary rather than creating a new one.
@param name The service's ID. Matching is successful on the IOService object that return that ID from the IORegistryEntry::getRegistryEntryID() method.
@param table If zero, registryEntryIDMatching creates a matching dictionary and returns a reference to it, otherwise the matching properties are added to the specified dictionary.
@result The matching dictionary created, or passed in, is returned on success, or zero on failure. */
static OSDictionary * registryEntryIDMatching( uint64_t entryID,
OSDictionary * table = 0 );
/*! @function addLocation
@abstract Adds a location matching property to an existing dictionary.
@discussion This function creates matching properties that specify the location of a IOService object, as an embedded matching dictionary. This matching will be successful on an IOService object that attached to an IOService object which matches this location matching dictionary.
@param table The matching properties are added to the specified dictionary, which must be non-zero.
@result The location matching dictionary created is returned on success, or zero on failure. */
static OSDictionary * addLocation( OSDictionary * table );
/* Helpers for matching dictionaries. */
/*! @function compareProperty
@abstract Compares a property in a matching dictionary with an IOService object's property table.
@discussion This is a helper function to aid in implementing @link matchPropertyTable matchPropertyTable@/link. If the property specified by key exists in the matching dictionary, it is compared with a property of the same name in the IOService object's property table. The comparison is performed with the isEqualTo method. If the property does not exist in the matching table, success is returned. If the property exists in the matching dictionary but not the IOService property table, failure is returned.
@param matching The matching dictionary, which must be non-zero.
@param key The dictionary key specifying the property to be compared, as a C string.
@result true if the property does not exist in the matching table. If the property exists in the matching dictionary but not the IOService property table, failure is returned. Otherwise the result of calling the property from the matching dictionary's isEqualTo method with the IOService property as an argument is returned. */
virtual bool compareProperty( OSDictionary * matching,
const char * key );
/*! @function compareProperty
@abstract Compares a property in a matching dictionary with an IOService object's property table.
@discussion This is a helper function to aid in implementing @link matchPropertyTable matchPropertyTable@/link. If the property specified by key exists in the matching dictionary, it is compared with a property of the same name in the IOService object's property table. The comparison is performed with the isEqualTo method. If the property does not exist in the matching table, success is returned. If the property exists in the matching dictionary but not the IOService property table, failure is returned.
@param matching The matching dictionary, which must be non-zero.
@param key The dictionary key specifying the property to be compared, as an OSString (which includes OSSymbol).
@result true if the property does not exist in the matching table. If the property exists in the matching dictionary but not the IOService property table, failure is returned. Otherwise the result of calling the property from the matching dictionary's isEqualTo method with the IOService property as an argument is returned. */
virtual bool compareProperty( OSDictionary * matching,
const OSString * key );
/*! @function compareProperties
@abstract Compares a set of properties in a matching dictionary with an IOService object's property table.
@discussion This is a helper function to aid in implementing @link matchPropertyTable matchPropertyTable@/link. A collection of dictionary keys specifies properties in a matching dictionary to be compared, with compareProperty, with an IOService object's property table, if compareProperty returns true for each key, success is returned; otherwise failure.
@param matching The matching dictionary, which must be non-zero.
@param keys A collection (eg. OSSet, OSArray, OSDictionary) which should contain OSStrings (or OSSymbols) that specify the property keys to be compared.
@result Success if compareProperty returns true for each key in the collection; otherwise failure. */
virtual bool compareProperties( OSDictionary * matching,
OSCollection * keys );
/* Client / provider accessors */
/*! @function attach
@abstract Attaches an IOService client to a provider in the I/O Registry.
@discussion This function called in an IOService client enters the client into the I/O Registry as a child of the provider in the service plane. The provider must be active or the attach will fail. Multiple attach calls to the same provider are no-ops and return success. A client may be attached to multiple providers. Entering an object into the I/O Registry retains both the client and provider until they are detached.
@param provider The IOService object which will serve as this object's provider.
@result false if the provider is inactive or on a resource failure; otherwise true. */
virtual bool attach( IOService * provider );
/*! @function detach
@abstract Detaches an IOService client from a provider in the I/O Registry.
@discussion This function called in an IOService client removes the client as a child of the provider in the service plane of the I/O Registry. If the provider is not a parent of the client this is a no-op, otherwise the I/O Registry releases both the client and provider.
@param provider The IOService object to detach from. */
virtual void detach( IOService * provider );
/*! @function getProvider
@abstract Returns an IOService object's primary provider.
@discussion This function called in an IOService client will return the provider to which it was first attached. Because the majority of IOService objects have only one provider, this is a useful simplification and also supports caching of the provider when the I/O Registry is unchanged.
@result The first provider of the client, or zero if the IOService object is not attached into the I/O Registry. The provider is retained while the client is attached, and should not be released by the caller. */
virtual IOService * getProvider( void ) const;
/*! @function getWorkLoop
@abstract Returns the current work loop or provider->getWorkLoop.
@discussion This function returns a valid work loop that a client can use to add an IOCommandGate to. The intention is that an IOService client has data that needs to be protected but doesn't want to pay the cost of a dedicated thread. This data has to be accessed from a provider's call-out context as well. So to achieve both of these goals the client creates an IOCommandGate to lock access to his data but he registers it with the provider's work loop, i.e. the work loop which will make the completion call-outs. This avoids a potential deadlock because the work loop gate uses a recursive lock, which allows the same lock to be held multiple times by a single thread.
@result A work loop, either the current work loop or it walks up the @link getProvider getProvider@/link chain calling getWorkLoop. Eventually it will reach a valid work loop-based driver or the root of the I/O tree, where it will return a system-wide work loop. Returns 0 if it fails to find (or create) a work loop.*/
virtual IOWorkLoop * getWorkLoop() const;
/*! @function getProviderIterator
@abstract Returns an iterator over an IOService object's providers.
@discussion For those few IOService objects that obtain service from multiple providers, this method supplies an iterator over a client's providers.
@result An iterator over the providers of the client, or zero if there is a resource failure. The iterator must be released when the iteration is finished. All objects returned by the iteration are retained while the iterator is valid, though they may no longer be attached during the iteration. */
virtual OSIterator * getProviderIterator( void ) const;
/*! @function getOpenProviderIterator
@abstract Returns an iterator over an client's providers that are currently opened by the client.
@discussion For those few IOService objects that obtain service from multiple providers, this method supplies an iterator over a client's providers, locking each in turn with @link lockForArbitration lockForArbitration@/link and returning those that have been opened by the client.
@result An iterator over the providers the client has open, or zero if there is a resource failure. The iterator must be released when the iteration is finished. All objects returned by the iteration are retained while the iterator is valid, and the current entry in the iteration is locked with lockForArbitration, protecting it from state changes. */
virtual OSIterator * getOpenProviderIterator( void ) const;
/*! @function getClient
@abstract Returns an IOService object's primary client.
@discussion This function called in an IOService provider will return the first client to attach to it. For IOService objects which have only only one client, this may be a useful simplification.
@result The first client of the provider, or zero if the IOService object is not attached into the I/O Registry. The client is retained while it is attached, and should not be released by the caller. */
virtual IOService * getClient( void ) const;
/*! @function getClientIterator
@abstract Returns an iterator over an IOService object's clients.
@discussion For IOService objects that may have multiple clients, this method supplies an iterator over a provider's clients.
@result An iterator over the clients of the provider, or zero if there is a resource failure. The iterator must be released when the iteration is finished. All objects returned by the iteration are retained while the iterator is valid, though they may no longer be attached during the iteration. */
virtual OSIterator * getClientIterator( void ) const;
/*! @function getOpenClientIterator
@abstract Returns an iterator over a provider's clients that currently have opened the provider.
@discussion For IOService objects that may have multiple clients, this method supplies an iterator over a provider's clients, locking each in turn with @link lockForArbitration lockForArbitration@/link and returning those that have opened the provider.
@result An iterator over the clients that have opened the provider, or zero if there is a resource failure. The iterator must be released when the iteration is finished. All objects returned by the iteration are retained while the iterator is valid, and the current entry in the iteration is locked with lockForArbitration, protecting it from state changes. */
virtual OSIterator * getOpenClientIterator( void ) const;
/*! @function callPlatformFunction
@abstract Calls the platform function with the given name.
@discussion The platform expert or other drivers may implement various functions to control hardware features. callPlatformFunction allows any IOService object to access these functions. Normally callPlatformFunction is called on a service's provider. The provider services the request or passes it to its provider. The system's IOPlatformExpert subclass catches functions it knows about and redirects them into other parts of the service plane. If the IOPlatformExpert subclass cannot execute the function, the base class is called. The IOPlatformExpert base class attempts to find a service to execute the function by looking up the function name in an IOResources name space. A service may publish a service using publishResource(functionName, this). If no service can be found to execute the function an error is returned.
@param functionName Name of the function to be called. When functionName is a C string, callPlatformFunction converts the C string to an OSSymbol and calls the OSSymbol version of callPlatformFunction. This process can block and should not be used from an interrupt context.
@param waitForFunction If true, callPlatformFunction will not return until the function has been called.
@result An IOReturn code; kIOReturnSuccess if the function was successfully executed, kIOReturnUnsupported if a service to execute the function could not be found. Other return codes may be returned by the function.*/
virtual IOReturn callPlatformFunction( const OSSymbol * functionName,
bool waitForFunction,
void *param1, void *param2,
void *param3, void *param4 );
virtual IOReturn callPlatformFunction( const char * functionName,
bool waitForFunction,
void *param1, void *param2,
void *param3, void *param4 );
/* Some accessors */
/*! @function getPlatform
@abstract Returns a pointer to the platform expert instance for the computer.
@discussion This method provides an accessor to the platform expert instance for the computer.
@result A pointer to the IOPlatformExport instance. It should not be released by the caller. */
static IOPlatformExpert * getPlatform( void );
/*! @function getPMRootDomain
@abstract Returns a pointer to the power management root domain instance for the computer.
@discussion This method provides an accessor to the power management root domain instance for the computer.
@result A pointer to the power management root domain instance. It should not be released by the caller. */
static class IOPMrootDomain * getPMRootDomain( void );
/*! @function getServiceRoot
@abstract Returns a pointer to the root of the service plane.
@discussion This method provides an accessor to the root of the service plane for the computer.
@result A pointer to the IOService instance at the root of the service plane. It should not be released by the caller. */
static IOService * getServiceRoot( void );
/*! @function getResourceService
@abstract Returns a pointer to the IOResources service.
@discussion IOService maintains a resource service IOResources that allows objects to be published and found globally in the I/O Kit based on a name, using the standard IOService matching and notification calls.
@result A pointer to the IOResources instance. It should not be released by the caller. */
static IOService * getResourceService( void );
/* Allocate resources for a matched service */
/*! @function getResources
@abstract Allocates any needed resources for a published IOService object before clients attach.
@discussion This method is called during the registration process for an IOService object if there are successful driver matches, before any clients attach. It allows for lazy allocation of resources to an IOService object when a matching driver is found.
@result An IOReturn code; kIOReturnSuccess is necessary for the IOService object to be successfully used, otherwise the registration process for the object is halted. */
virtual IOReturn getResources( void );
/* Device memory accessors */
/*! @function getDeviceMemoryCount
@abstract Returns a count of the physical memory ranges available for a device.
@discussion This method returns the count of physical memory ranges, each represented by an IODeviceMemory instance, that have been allocated for a memory mapped device.
@result An integer count of the number of ranges available. */
virtual IOItemCount getDeviceMemoryCount( void );
/*! @function getDeviceMemoryWithIndex
@abstract Returns an instance of IODeviceMemory representing one of a device's memory mapped ranges.
@discussion This method returns a pointer to an instance of IODeviceMemory for the physical memory range at the given index for a memory mapped device.
@param index An index into the array of ranges assigned to the device.
@result A pointer to an instance of IODeviceMemory, or zero if the index is beyond the count available. The IODeviceMemory is retained by the provider, so is valid while attached, or while any mappings to it exist. It should not be released by the caller. See also @link mapDeviceMemoryWithIndex mapDeviceMemoryWithIndex@/link, which creates a device memory mapping. */
virtual IODeviceMemory * getDeviceMemoryWithIndex( unsigned int index );
/*! @function mapDeviceMemoryWithIndex
@abstract Maps a physical range of a device.
@discussion This method creates a mapping for the IODeviceMemory at the given index, with IODeviceMemory::map(options). The mapping is represented by the returned instance of IOMemoryMap, which should not be released until the mapping is no longer required.
@param index An index into the array of ranges assigned to the device.
@result An instance of IOMemoryMap, or zero if the index is beyond the count available. The mapping should be released only when access to it is no longer required. */
virtual IOMemoryMap * mapDeviceMemoryWithIndex( unsigned int index,
IOOptionBits options = 0 );
/*! @function getDeviceMemory
@abstract Returns the array of IODeviceMemory objects representing a device's memory mapped ranges.
@discussion This method returns an array of IODeviceMemory objects representing the physical memory ranges allocated to a memory mapped device.
@result An OSArray of IODeviceMemory objects, or zero if none are available. The array is retained by the provider, so is valid while attached. */
virtual OSArray * getDeviceMemory( void );
/*! @function setDeviceMemory
@abstract Sets the array of IODeviceMemory objects representing a device's memory mapped ranges.
@discussion This method sets an array of IODeviceMemory objects representing the physical memory ranges allocated to a memory mapped device.
@param array An OSArray of IODeviceMemory objects, or zero if none are available. The array will be retained by the object. */
virtual void setDeviceMemory( OSArray * array );
/* Interrupt accessors */
/*! @function registerInterrupt
@abstract Registers a C function interrupt handler for a device supplying interrupts.
@discussion This method installs a C function interrupt handler to be called at primary interrupt time for a device's interrupt. Only one handler may be installed per interrupt source. IOInterruptEventSource provides a work loop based abstraction for interrupt delivery that may be more appropriate for work loop based drivers.
@param source The index of the interrupt source in the device.
@param target An object instance to be passed to the interrupt handler.
@param handler The C function to be called at primary interrupt time when the interrupt occurs. The handler should process the interrupt by clearing the interrupt, or by disabling the source.
@param refCon A reference constant for the handler's use.
@result An IOReturn code.kIOReturnNoInterrupt is returned if the source is not valid; kIOReturnNoResources is returned if the interrupt already has an installed handler. */
virtual IOReturn registerInterrupt(int source, OSObject *target,
IOInterruptAction handler,
void *refCon = 0);
/*! @function unregisterInterrupt
@abstract Removes a C function interrupt handler for a device supplying hardware interrupts.
@discussion This method removes a C function interrupt handler previously installed with @link registerInterrupt registerInterrupt@/link.
@param source The index of the interrupt source in the device.
@result An IOReturn code (kIOReturnNoInterrupt is returned if the source is not valid). */
virtual IOReturn unregisterInterrupt(int source);
/*! @function getInterruptType
@abstract Returns the type of interrupt used for a device supplying hardware interrupts.
@param source The index of the interrupt source in the device.
@param interruptType The interrupt type for the interrupt source will be stored here by getInterruptType.kIOInterruptTypeEdge will be returned for edge-trigggered sources.kIOInterruptTypeLevel will be returned for level-trigggered sources.
@result An IOReturn code (kIOReturnNoInterrupt is returned if the source is not valid). */
virtual IOReturn getInterruptType(int source, int *interruptType);
/*! @function enableInterrupt
@abstract Enables a device interrupt.
@discussion It is the caller's responsiblity to keep track of the enable state of the interrupt source.
@param source The index of the interrupt source in the device.
@result An IOReturn code (kIOReturnNoInterrupt is returned if the source is not valid). */
virtual IOReturn enableInterrupt(int source);
/*! @function disableInterrupt
@abstract Synchronously disables a device interrupt.
@discussion If the interrupt routine is running, the call will block until the routine completes. It is the caller's responsiblity to keep track of the enable state of the interrupt source.
@param source The index of the interrupt source in the device.
@result An IOReturn code (kIOReturnNoInterrupt is returned if the source is not valid). */
virtual IOReturn disableInterrupt(int source);
/*! @function causeInterrupt
@abstract Causes a device interrupt to occur.
@discussion Emulates a hardware interrupt, to be called from task level.
@param source The index of the interrupt source in the device.
@result An IOReturn code (kIOReturnNoInterrupt is returned if the source is not valid). */
virtual IOReturn causeInterrupt(int source);
/*! @function requestProbe
@abstract Requests that hardware be re-scanned for devices.
@discussion For bus families that do not usually detect device addition or removal, this method represents an external request (eg. from a utility application) to rescan and publish or remove found devices.
@param options Family defined options, not interpreted by IOService.
@result An IOReturn code. */
virtual IOReturn requestProbe( IOOptionBits options );
/* Generic API for non-data-path upstream calls */
/*! @function message
@abstract Receives a generic message delivered from an attached provider.
@discussion A provider may deliver messages via the message method to its clients informing them of state changes, such as kIOMessageServiceIsTerminated or kIOMessageServiceIsSuspended. Certain messages are defined by the I/O Kit in IOMessage.h while others may be family dependent. This method is implemented in the client to receive messages.
@param type A type defined in IOMessage.h or defined by the provider family.
@param provider The provider from which the message originates.
@param argument An argument defined by the provider family, not used by IOService.
@result An IOReturn code defined by the message type. */
virtual IOReturn message( UInt32 type, IOService * provider,
void * argument = 0 );
/*! @function messageClient
@abstract Sends a generic message to an attached client.
@discussion A provider may deliver messages via the @link message message@/link method to its clients informing them of state changes, such as kIOMessageServiceIsTerminated or kIOMessageServiceIsSuspended. Certain messages are defined by the I/O Kit in IOMessage.h while others may be family dependent. This method may be called in the provider to send a message to the specified client, which may be useful for overrides.
@param messageType A type defined in IOMessage.h or defined by the provider family.
@param client A client of the IOService to send the message.
@param messageArgument An argument defined by the provider family, not used by IOService.
@param argSize Specifies the size of messageArgument, in bytes. If argSize is non-zero, messageArgument is treated as a pointer to argSize bytes of data. If argSize is 0 (the default), messageArgument is treated as an ordinal and passed by value.
@result The return code from the client message call. */
virtual IOReturn messageClient( UInt32 messageType, OSObject * client,
void * messageArgument = 0, vm_size_t argSize = 0 );
/*! @function messageClients
@abstract Sends a generic message to all attached clients.
@discussion A provider may deliver messages via the @link message message@/link method to its clients informing them of state changes, such as kIOMessageServiceIsTerminated or kIOMessageServiceIsSuspended. Certain messages are defined by the I/O Kit in IOMessage.h while others may be family dependent. This method may be called in the provider to send a message to all the attached clients, via the @link messageClient messageClient@/link method.
@param type A type defined in IOMessage.h or defined by the provider family.
@param argument An argument defined by the provider family, not used by IOService.
@param argSize Specifies the size of argument, in bytes. If argSize is non-zero, argument is treated as a pointer to argSize bytes of data. If argSize is 0 (the default), argument is treated as an ordinal and passed by value.
@result Any non-kIOReturnSuccess return codes returned by the clients, or kIOReturnSuccess if all return kIOReturnSuccess. */
virtual IOReturn messageClients( UInt32 type,
void * argument = 0, vm_size_t argSize = 0 );
virtual IONotifier * registerInterest( const OSSymbol * typeOfInterest,
IOServiceInterestHandler handler,
void * target, void * ref = 0 );
virtual void applyToProviders( IOServiceApplierFunction applier,
void * context );
virtual void applyToClients( IOServiceApplierFunction applier,
void * context );
virtual void applyToInterested( const OSSymbol * typeOfInterest,
OSObjectApplierFunction applier,
void * context );
virtual IOReturn acknowledgeNotification( IONotificationRef notification,
IOOptionBits response );
/* User client create */
/*! @function newUserClient
@abstract Creates a connection for a non kernel client.
@discussion A non kernel client may request a connection be opened via the @link //apple_ref/c/func/IOServiceOpen IOServiceOpen@/link library function, which will call this method in an IOService object. The rules and capabilities of user level clients are family dependent, and use the functions of the IOUserClient class for support. IOService's implementation returns kIOReturnUnsupported, so any family supporting user clients must implement this method.
@param owningTask The Mach task of the client thread in the process of opening the user client. Note that in Mac OS X, each process is based on a Mach task and one or more Mach threads. For more information on the composition of a Mach task and its relationship with Mach threads, see {@linkdoc //apple_ref/doc/uid/TP30000905-CH209-TPXREF103 "Tasks and Threads"}.
@param securityID A token representing the access level for the task.
@param type A constant specifying the type of connection to be created, specified by the caller of @link //apple_ref/c/func/IOServiceOpen IOServiceOpen@/link and interpreted only by the family.
@param handler An instance of an IOUserClient object to represent the connection, which will be released when the connection is closed, or zero if the connection was not opened.
@param properties A dictionary of additional properties for the connection.
@result A return code to be passed back to the caller of IOServiceOpen. */
virtual IOReturn newUserClient( task_t owningTask, void * securityID,
UInt32 type, OSDictionary * properties,
IOUserClient ** handler );
virtual IOReturn newUserClient( task_t owningTask, void * securityID,
UInt32 type, IOUserClient ** handler );
/* Return code utilities */
/*! @function stringFromReturn
@abstract Supplies a programmer-friendly string from an IOReturn code.
@discussion Strings are available for the standard return codes in IOReturn.h in IOService, while subclasses may implement this method to interpret family dependent return codes.
@param rtn The IOReturn code.
@result A pointer to a constant string, or zero if the return code is unknown. */
virtual const char * stringFromReturn( IOReturn rtn );
/*! @function errnoFromReturn
@abstract Translates an IOReturn code to a BSD errno.
@discussion BSD defines its own return codes for its functions in sys/errno.h, and I/O Kit families may need to supply compliant results in BSD shims. Results are available for the standard return codes in IOReturn.h in IOService, while subclasses may implement this method to interpret family dependent return codes.
@param rtn The IOReturn code.
@result The BSD errno or EIO if unknown. */
virtual int errnoFromReturn( IOReturn rtn );
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/* * * * * * * * * * end of IOService API * * * * * * * */
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/* for IOInterruptController implementors */
int _numInterruptSources;
IOInterruptSource *_interruptSources;
/* overrides */
virtual bool serializeProperties( OSSerialize * s ) const override;
void requireMaxBusStall(UInt32 ns);
void requireMaxInterruptDelay(uint32_t ns);
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/* * * * * * * * * * * * Internals * * * * * * * * * * * */
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * */
private:
APPLE_KEXT_COMPATIBILITY_VIRTUAL
bool checkResources( void );
APPLE_KEXT_COMPATIBILITY_VIRTUAL
bool checkResource( OSObject * matching );
APPLE_KEXT_COMPATIBILITY_VIRTUAL
void probeCandidates( OSOrderedSet * matches );
APPLE_KEXT_COMPATIBILITY_VIRTUAL
bool startCandidate( IOService * candidate );
public:
APPLE_KEXT_COMPATIBILITY_VIRTUAL
IOService * getClientWithCategory( const OSSymbol * category )
APPLE_KEXT_DEPRECATED;
// copyClientWithCategory is the public replacement
private:
APPLE_KEXT_COMPATIBILITY_VIRTUAL
bool passiveMatch( OSDictionary * matching, bool changesOK = false);
APPLE_KEXT_COMPATIBILITY_VIRTUAL
void startMatching( IOOptionBits options = 0 );
APPLE_KEXT_COMPATIBILITY_VIRTUAL
void doServiceMatch( IOOptionBits options );
APPLE_KEXT_COMPATIBILITY_VIRTUAL
void doServiceTerminate( IOOptionBits options );
private:
bool matchPassive(OSDictionary * table, uint32_t options);
bool matchInternal(OSDictionary * table, uint32_t options, unsigned int * did);
static bool instanceMatch(const OSObject * entry, void * context);
static OSObject * copyExistingServices( OSDictionary * matching,
IOOptionBits inState, IOOptionBits options = 0 );
static IONotifier * setNotification(
const OSSymbol * type, OSDictionary * matching,
IOServiceMatchingNotificationHandler handler,
void * target, void * ref,
SInt32 priority = 0 );
static IONotifier * doInstallNotification(
const OSSymbol * type, OSDictionary * matching,
IOServiceMatchingNotificationHandler handler,
void * target, void * ref,
SInt32 priority, OSIterator ** existing );
static bool syncNotificationHandler( void * target, void * ref,
IOService * newService, IONotifier * notifier );
APPLE_KEXT_COMPATIBILITY_VIRTUAL
void deliverNotification( const OSSymbol * type,
IOOptionBits orNewState, IOOptionBits andNewState );
bool invokeNotifer( class _IOServiceNotifier * notify );
APPLE_KEXT_COMPATIBILITY_VIRTUAL
void unregisterAllInterest( void );
APPLE_KEXT_COMPATIBILITY_VIRTUAL
IOReturn waitForState( UInt32 mask, UInt32 value,
mach_timespec_t * timeout = 0 );
IOReturn waitForState( UInt32 mask, UInt32 value, uint64_t timeout );
UInt32 _adjustBusy( SInt32 delta );
bool terminatePhase1( IOOptionBits options = 0 );
void scheduleTerminatePhase2( IOOptionBits options = 0 );
void scheduleStop( IOService * provider );
void scheduleFinalize( void );
static void terminateThread( void * arg, wait_result_t unused );
static void terminateWorker( IOOptionBits options );
static void actionWillTerminate( IOService * victim, IOOptionBits options,
OSArray * doPhase2List, void*, void * );
static void actionDidTerminate( IOService * victim, IOOptionBits options,
void *, void *, void *);
static void actionFinalize( IOService * victim, IOOptionBits options,
void *, void *, void *);
static void actionStop( IOService * client, IOService * provider,
void *, void *, void *);
APPLE_KEXT_COMPATIBILITY_VIRTUAL
IOReturn resolveInterrupt(IOService *nub, int source);
APPLE_KEXT_COMPATIBILITY_VIRTUAL
IOReturn lookupInterrupt(int source, bool resolve, IOInterruptController **interruptController);
/* power management */
public:
/*! @function PMinit
@abstract Initializes power management for a driver.
@discussion PMinit allocates and initializes the power management instance variables, and it should be called before accessing those variables or calling the power management methods. This method should be called inside the driver's start routine and must be paired with a call to @link PMstop PMstop@/link.
Most calls to PMinit are followed by calls to @link joinPMtree joinPMtree@/link and @link registerPowerDriver registerPowerDriver@/link. */
virtual void PMinit( void );
/*! @function PMstop
@abstract Stop power managing the driver.
@discussion Removes the driver from the power plane and stop its power management. This method is synchronous against any power management method invocations (e.g. setPowerState or setAggressiveness), so when this method returns it is guaranteed those power management methods will not be entered. Driver should not call any power management methods after this call.
Calling PMstop cleans up for the three power management initialization calls: @link PMinit PMinit@/link, @link joinPMtree joinPMtree@/link, and @link registerPowerDriver registerPowerDriver@/link. */
virtual void PMstop( void );
/*! @function joinPMtree
@abstract Joins the driver into the power plane of the I/O Registry.
@discussion A driver uses this method to call its nub when initializing (usually in its start routine after calling @link PMinit PMinit@/link), to be attached into the power management hierarchy (i.e., the power plane). A driver usually calls this method on the driver for the device that provides it power (this is frequently the nub).
Before this call returns, the caller will probably be called at @link setPowerParent setPowerParent@/link and @link setAggressiveness setAggressiveness@/link and possibly at @link addPowerChild addPowerChild@/link as it is added to the hierarchy. This method may be overridden by a nub subclass.
@param driver The driver to be added to the power plane, usually this. */
virtual void joinPMtree( IOService * driver );
/*! @function registerPowerDriver
@abstract Registers a set of power states that the driver supports.
@discussion A driver defines its array of supported power states with power management in its power management initialization (its start routine). If successful, power management will call the driver to instruct it to change its power state through @link setPowerState setPowerState@/link.
Most drivers do not need to override registerPowerDriver. A nub may override registerPowerDriver if it needs to arrange its children in the power plane differently than the default placement, but this is uncommon.
@param controllingDriver A pointer to the calling driver, usually this.
@param powerStates A driver-defined array of power states that the driver and device support. Power states are defined in pwr_mgt/IOPMpowerState.h.
@param numberOfStates The number of power states in the array.
@result IOPMNoErr. All errors are logged via kprintf. */
virtual IOReturn registerPowerDriver(
IOService * controllingDriver,
IOPMPowerState * powerStates,
unsigned long numberOfStates );
/*! @function registerInterestedDriver
@abstract Allows an IOService object to register interest in the changing power state of a power-managed IOService object.
@discussion Call registerInterestedDriver on the IOService object you are interested in receiving power state messages from, and pass a pointer to the interested driver (this) as an argument.
The interested driver is retained until the power interest is removed by calling deRegisterInterestedDriver.
The interested driver should override @link powerStateWillChangeTo powerStateWillChangeTo@/link and @link powerStateDidChangeTo powerStateDidChangeTo@/link to receive these power change messages.
Interested drivers must acknowledge power changes in powerStateWillChangeTo or powerStateDidChangeTo, either via return value or later calls to @link acknowledgePowerChange acknowledgePowerChange@/link.
@param theDriver The driver of interest adds this pointer to the list of interested drivers. It informs drivers on this list before and after the power change.
@result Flags describing the capability of the device in its current power state. If the current power state is not yet defined, zero is returned (this is the case when the driver is not yet in the power domain hierarchy or hasn't fully registered with power management yet). */
APPLE_KEXT_COMPATIBILITY_VIRTUAL
IOPMPowerFlags registerInterestedDriver( IOService * theDriver );
/*! @function deRegisterInterestedDriver
@abstract De-registers power state interest from a previous call to registerInterestedDriver.
@discussion The retain from registerInterestedDriver is released. This method is synchronous against any powerStateWillChangeTo or powerStateDidChangeTo call targeting the interested driver, so when this method returns it is guaranteed those interest handlers will not be entered.
Most drivers do not need to override deRegisterInterestedDriver.
@param theDriver The interested driver previously passed into @link registerInterestedDriver registerInterestedDriver@/link.
@result A return code that can be ignored by the caller. */
APPLE_KEXT_COMPATIBILITY_VIRTUAL
IOReturn deRegisterInterestedDriver( IOService * theDriver );
/*! @function acknowledgePowerChange
@abstract Acknowledges an in-progress power state change.
@discussion When power management informs an interested object (via @link powerStateWillChangeTo powerStateWillChangeTo@/link or @link powerStateDidChangeTo powerStateDidChangeTo@/link), the object can return an immediate acknowledgement via a return code, or it may return an indication that it will acknowledge later by calling acknowledgePowerChange.
Interested objects are those that have registered as interested drivers, as well as power plane children of the power changing driver. A driver that calls @link registerInterestedDriver registerInterestedDriver@/link must call acknowledgePowerChange, or use an immediate acknowledgement return from powerStateWillChangeTo or powerStateDidChangeTo.
@param whichDriver A pointer to the calling driver. The called object tracks all interested parties to ensure that all have acknowledged the power state change.
@result IOPMNoErr. */
APPLE_KEXT_COMPATIBILITY_VIRTUAL
IOReturn acknowledgePowerChange( IOService * whichDriver );
/*! @function acknowledgeSetPowerState
@abstract Acknowledges the belated completion of a driver's setPowerState power state change.
@discussion After power management instructs a driver to change its state via @link setPowerState setPowerState@/link, that driver must acknowledge the change when its device has completed its transition. The acknowledgement may be immediate, via a return code from setPowerState, or delayed, via this call to acknowledgeSetPowerState.
Any driver that does not return kIOPMAckImplied from its setPowerState implementation must later call acknowledgeSetPowerState.
@result IOPMNoErr. */
APPLE_KEXT_COMPATIBILITY_VIRTUAL
IOReturn acknowledgeSetPowerState( void );
/*! @function requestPowerDomainState
@abstract Tells a driver to adjust its power state.
@discussion This call is handled internally by power management. It is not intended to be overridden or called by drivers. */
virtual IOReturn requestPowerDomainState(
IOPMPowerFlags desiredState,
IOPowerConnection * whichChild,
unsigned long specificationFlags );
/*! @function makeUsable
@abstract Requests that a device become usable.
@discussion This method is called when some client of a device (or the device's own driver) is asking for the device to become usable. Power management responds by telling the object upon which this method is called to change to its highest power state.
makeUsable is implemented using @link changePowerStateToPriv changePowerStateToPriv@/link. Subsequent requests for lower power, such as from changePowerStateToPriv, will pre-empt this request.
@result A return code that can be ignored by the caller. */
APPLE_KEXT_COMPATIBILITY_VIRTUAL
IOReturn makeUsable( void );
/*! @function temporaryPowerClampOn
@abstract A driver calls this method to hold itself in the highest power state until it has children.
@discussion Use temporaryPowerClampOn to hold your driver in its highest power state while waiting for child devices to attach. After children have attached, the clamp is released and the device's power state is controlled by the children's requirements.
@result A return code that can be ignored by the caller. */
APPLE_KEXT_COMPATIBILITY_VIRTUAL
IOReturn temporaryPowerClampOn( void );
/*! @function changePowerStateTo
@abstract Sets a driver's power state.
@discussion This function is one of several that are used to set a driver's power state. In most circumstances, however, you should call @link changePowerStateToPriv changePowerStateToPriv@/link instead.
Calls to changePowerStateTo, changePowerStateToPriv, and a driver's power children all affect the power state of a driver. For legacy design reasons, they have overlapping functionality. Although you should call changePowerStateToPriv to change your device's power state, you might need to call changePowerStateTo in the following circumstances:
If a driver will be using changePowerStateToPriv to change its power state, it should call changePowerStateTo(0) in its start routine to eliminate the influence changePowerStateTo has on power state calculations.
Call changePowerStateTo in conjunction with @link setIdleTimerPeriod setIdleTimerPeriod@/link and @link activityTickle activityTickle@/link to idle a driver into a low power state. For a driver with 3 power states, for example, changePowerStateTo(1) sets a minimum level of power state 1, such that the idle timer period may not set your device's power any lower than state 1. capabilityFlags field for the current power state in the power state array. */
APPLE_KEXT_COMPATIBILITY_VIRTUAL
IOPMPowerFlags currentCapability( void );
/*! @function currentPowerConsumption
@abstract Finds out the current power consumption of a device.
@discussion Most Mac OS X power managed drivers do not report their power consumption via the staticPower field. Thus this call will not accurately reflect power consumption for most drivers.
@result A copy of the staticPower field for the current power state in the power state array. */
APPLE_KEXT_COMPATIBILITY_VIRTUAL
unsigned long currentPowerConsumption( void );
/*! @function activityTickle
@abstract Informs power management when a power-managed device is in use, so that power management can track when it is idle and adjust its power state accordingly.
@discussion The activityTickle method is provided for objects in the system (or for the driver itself) to tell a driver that its device is being used.
The IOService superclass can manage idleness determination with a simple idle timer mechanism and this activityTickle call. To start this up, the driver calls its superclass's setIdleTimerPeriod. This starts a timer for the time interval specified in the call. When the timer expires, the superclass checks to see if there has been any activity since the last timer expiration. (It checks to see if activityTickle has been called). If there has been activity, it restarts the timer, and this process continues. When the timer expires, and there has been no device activity, the superclass lowers the device power state to the next lower state. This can continue until the device is in state zero.
After the device has been powered down by at least one power state, a subsequent call to activityTickle causes the device to be switched to a higher state required for the activity.
If the driver is managing the idleness determination totally on its own, the value of the type parameter should be kIOPMSubclassPolicy, and the driver should override the activityTickle method. The superclass IOService implementation of activityTickle does nothing with the kIOPMSubclassPolicy argument.
@param type When type is kIOPMSubclassPolicy, activityTickle is not handled in IOService and should be intercepted by the subclass. When type is kIOPMSuperclassPolicy1, an activity flag is set and the device state is checked. If the device has been powered down, it is powered up again.
@param stateNumber When type is kIOPMSuperclassPolicy1, stateNumber contains the desired power state ordinal for the activity. If the device is in a lower state, the superclass will switch it to this state. This is for devices that can handle some accesses in lower power states; the device is powered up only as far as it needs to be for the activity.
@result When type is kIOPMSuperclassPolicy1, the superclass returns true if the device is currently in the state specified by stateNumber. If the device is in a lower state and must be powered up, the superclass returns false; in this case the superclass will initiate a power change to power the device up. */
virtual bool activityTickle(
unsigned long type,
unsigned long stateNumber = 0 );
/*! @function setAggressiveness
@abstract Broadcasts an aggressiveness factor from the parent of a driver to the driver.
@discussion Implement setAggressiveness to receive a notification when an "aggressiveness Aggressiveness factors are a loose set of power management variables that contain values for system sleep timeout, display sleep timeout, whether the system is on battery or AC, and other power management features. There are several aggressiveness factors that can be broadcast and a driver may take action on whichever factors apply to it.
A driver that has joined the power plane via @link joinPMtree joinPMtree@/link will receive setAgressiveness calls when aggressiveness factors change.
A driver may override this call if it needs to do something with the new factor (such as change its idle timeout). If overridden, the driver must call its superclass's setAgressiveness method in its own setAgressiveness implementation.
Most drivers do not need to implement setAgressiveness.
@param type The aggressiveness factor type, such as kPMMinutesToDim, kPMMinutesToSpinDown, kPMMinutesToSleep, and kPMPowerSource. (Aggressiveness factors are defined in pwr_mgt/IOPM.h.)
@param newLevel The aggressiveness factor's new value.
@result IOPMNoErr. */
virtual IOReturn setAggressiveness(
unsigned long type,
unsigned long newLevel );
/*! @function getAggressiveness
@abstract Returns the current aggressiveness value for the given type.
@param type The aggressiveness factor to query.
@param currentLevel Upon successful return, contains the value of aggressiveness factor type.
@result kIOReturnSuccess upon success; an I/O Kit error code otherwise. */
virtual IOReturn getAggressiveness(
unsigned long type,
unsigned long * currentLevel );
#ifndef __LP64__
/*! @function systemWake
@abstract Tells every driver in the power plane that the system is waking up.
@discussion This call is handled internally by power management. It is not intended to be overridden or called by drivers. */
virtual IOReturn systemWake( void )
APPLE_KEXT_DEPRECATED;
/*! @function temperatureCriticalForZone
@abstract Alerts a driver to a critical temperature in some thermal zone.
@discussion This call is unused by power management. It is not intended to be called or overridden. */
virtual IOReturn temperatureCriticalForZone( IOService * whichZone )
APPLE_KEXT_DEPRECATED;
/*! @function youAreRoot
@abstract Informs power management which IOService object is the power plane root.
@discussion This call is handled internally by power management. It is not intended to be overridden or called by drivers. */
virtual IOReturn youAreRoot( void )
APPLE_KEXT_DEPRECATED;
/*! @function setPowerParent
@abstract This call is handled internally by power management. It is not intended to be overridden or called by drivers. */
virtual IOReturn setPowerParent(
IOPowerConnection * parent,
bool stateKnown,
IOPMPowerFlags currentState )
APPLE_KEXT_DEPRECATED;
#endif /* !__LP64__ */
/*! @function addPowerChild
@abstract Informs a driver that it has a new child.
@discussion The Platform Expert uses this method to call a driver and introduce it to a new child. This call is handled internally by power management. It is not intended to be overridden or called by drivers.
@param theChild A pointer to the child IOService object. */
virtual IOReturn addPowerChild( IOService * theChild );
/*! @function removePowerChild
@abstract Informs a power managed driver that one of its power plane childen is disappearing.
@discussion This call is handled internally by power management. It is not intended to be overridden or called by drivers. */
virtual IOReturn removePowerChild( IOPowerConnection * theChild );
#ifndef __LP64__
/*! @function command_received
@discussion This call is handled internally by power management. It is not intended to be overridden or called by drivers. */
virtual void command_received( void *, void * , void * , void * );
#endif
/*! @function start_PM_idle_timer
@discussion This call is handled internally by power management. It is not intended to be overridden or called by drivers. */
APPLE_KEXT_COMPATIBILITY_VIRTUAL
void start_PM_idle_timer( void );
#ifndef __LP64__
/*! @function PM_idle_timer_expiration
@discussion This call is handled internally by power management. It is not intended to be overridden or called by drivers. */
virtual void PM_idle_timer_expiration( void )
APPLE_KEXT_DEPRECATED;
/*! @function PM_Clamp_Timer_Expired
@discussion This call is handled internally by power management. It is not intended to be overridden or called by drivers. */
virtual void PM_Clamp_Timer_Expired( void )
APPLE_KEXT_DEPRECATED;
#endif
/*! @function setIdleTimerPeriod
@abstract Sets or changes the idle timer period.
@discussion A driver using the idleness determination provided by IOService calls its superclass with this method to set or change the idle timer period. See @link activityTickle activityTickle@/link for a description of this type of idleness determination.
@param period The desired idle timer period in seconds.
@result kIOReturnSuccess upon success; an I/O Kit error code otherwise. */
virtual IOReturn setIdleTimerPeriod( unsigned long );
#ifndef __LP64__
/*! @function getPMworkloop
@abstract Returns a pointer to the system-wide power management work loop.
@availability Deprecated in Mac OS X version 10.6.
@discussion Most drivers should create their own work loops to synchronize their code; drivers should not run arbitrary code on the power management work loop. */
virtual IOWorkLoop * getPMworkloop( void )
APPLE_KEXT_DEPRECATED;
#endif
/*! @function getPowerState
@abstract Determines a device's power state.
@discussion A device's "current power state" is updated at the end of each power state transition (e.g. transition from state 1 to state 0, or state 0 to state 2). This transition includes the time spent powering on or off any power plane children. Thus, if a child calls getPowerState on its power parent during system wake from sleep, the call will return the index to the device's off state rather than its on state.
@result The current power state's index into the device's power state array. */
UInt32 getPowerState( void );
/*! @function setPowerState
@abstract Requests a power managed driver to change the power state of its device.
@discussion A power managed driver must override setPowerState to take part in system power management. After a driver is registered with power management, the system uses setPowerState to power the device off and on for system sleep and wake.
Calls to @link PMinit PMinit@/link and @link registerPowerDriver registerPowerDriver@/link enable power management to change a device's power state using setPowerState. setPowerState is called in a clean and separate thread context.
@param powerStateOrdinal The number in the power state array of the state the driver is being instructed to switch to.
@param whatDevice A pointer to the power management object which registered to manage power for this device. In most cases, whatDevice will be equal to your driver's own this pointer.
@result The driver must return IOPMAckImplied if it has complied with the request when it returns. Otherwise if it has started the process of changing power state but not finished it, the driver should return a number of microseconds which is an upper limit of the time it will need to finish. Then, when it has completed the power switch, it should call @link acknowledgeSetPowerState acknowledgeSetPowerState@/link. */
virtual IOReturn setPowerState(
unsigned long powerStateOrdinal,
IOService * whatDevice );
#ifndef __LP64__
/*! @function clampPowerOn
@abstract Deprecated. Do not use. */
virtual void clampPowerOn( unsigned long duration );
#endif
/*! @function maxCapabilityForDomainState
@abstract Determines a driver's highest power state possible for a given power domain state.
@discussion This happens when the power domain is changing state and power management needs to determine which state the device is capable of in the new domain state.
Most drivers do not need to implement this method, and can rely upon the default IOService implementation. The IOService implementation scans the power state array looking for the highest state whose inputPowerRequirement field exactly matches the value of the domainState parameter. If more intelligent determination is required, the driver itself should implement the method and override the superclass's implementation.
@param domainState Flags that describe the character of "domain power"; they represent the outputPowerCharacter field of a state in the power domain's power state array.
@result A state number. */
virtual unsigned long maxCapabilityForDomainState( IOPMPowerFlags domainState );
/*! @function initialPowerStateForDomainState
@abstract Determines which power state a device is in, given the current power domain state.
@discussion Power management calls this method once, when the driver is initializing power management.
Most drivers do not need to implement this method, and can rely upon the default IOService implementation. The IOService implementation scans the power state array looking for the highest state whose inputPowerRequirement field exactly matches the value of the domainState parameter. If more intelligent determination is required, the power managed driver should implement the method and override the superclass's implementation.
@param domainState Flags that describe the character of "domain power"; they represent the outputPowerCharacter field of a state in the power domain's power state array.
@result A state number. */
virtual unsigned long initialPowerStateForDomainState( IOPMPowerFlags domainState );
/*! @function powerStateForDomainState
@abstract Determines what power state the device would be in for a given power domain state.
@discussion Power management calls a driver with this method to find out what power state the device would be in for a given power domain state. This happens when the power domain is changing state and power management needs to determine the effect of the change.
Most drivers do not need to implement this method, and can rely upon the default IOService implementation. The IOService implementation scans the power state array looking for the highest state whose inputPowerRequirement field exactly matches the value of the domainState parameter. If more intelligent determination is required, the power managed driver should implement the method and override the superclass's implementation.
@param domainState Flags that describe the character of "domain power"; they represent the outputPowerCharacter field of a state in the power domain's power state array.
@result A state number. */
virtual unsigned long powerStateForDomainState( IOPMPowerFlags domainState );
/*! @function powerStateWillChangeTo
@abstract Informs interested parties that a device is about to change its power state.
@discussion Power management informs interested parties that a device is about to change to a different power state. Interested parties are those that have registered for this notification via @link registerInterestedDriver registerInterestedDriver@/link. If you have called registerInterestedDriver on a power managed driver, you must implement powerStateWillChangeTo and @link powerStateDidChangeTo powerStateDidChangeTo@/link to receive the notifications.
powerStateWillChangeTo is called in a clean and separate thread context. powerStateWillChangeTo is called before a power state transition takes place; powerStateDidChangeTo is called after the transition has completed.
@param capabilities Flags that describe the capability of the device in the new power state (they come from the capabilityFlags field of the new state in the power state array).
@param stateNumber The number of the state in the state array that the device is switching to.
@param whatDevice A pointer to the driver that is changing. It can be used by a driver that is receiving power state change notifications for multiple devices to distinguish between them.
@result The driver returns IOPMAckImplied if it has prepared for the power change when it returns. If it has started preparing but not finished, it should return a number of microseconds which is an upper limit of the time it will need to finish preparing. Then, when it has completed its preparations, it should call @link acknowledgePowerChange acknowledgePowerChange@/link. */
virtual IOReturn powerStateWillChangeTo(
IOPMPowerFlags capabilities,
unsigned long stateNumber,
IOService * whatDevice );
/*! @function powerStateDidChangeTo
@abstract Informs interested parties that a device has changed to a different power state.
@discussion Power management informs interested parties that a device has changed to a different power state. Interested parties are those that have registered for this notification via @link registerInterestedDriver registerInterestedDriver@/link. If you have called registerInterestedDriver on a power managed driver, you must implemnt @link powerStateWillChangeTo powerStateWillChangeTo@/link and powerStateDidChangeTo to receive the notifications.
powerStateDidChangeTo is called in a clean and separate thread context. powerStateWillChangeTo is called before a power state transition takes place; powerStateDidChangeTo is called after the transition has completed.
@param capabilities Flags that describe the capability of the device in the new power state (they come from the capabilityFlags field of the new state in the power state array).
@param stateNumber The number of the state in the state array that the device is switching to.
@param whatDevice A pointer to the driver that is changing. It can be used by a driver that is receiving power state change notifications for multiple devices to distinguish between them.
@result The driver returns IOPMAckImplied if it has prepared for the power change when it returns. If it has started preparing but not finished, it should return a number of microseconds which is an upper limit of the time it will need to finish preparing. Then, when it has completed its preparations, it should call @link acknowledgePowerChange acknowledgePowerChange@/link. */
virtual IOReturn powerStateDidChangeTo(
IOPMPowerFlags capabilities,
unsigned long stateNumber,
IOService * whatDevice );
#ifndef __LP64__
/*! @function didYouWakeSystem
@abstract Asks a driver if its device is the one that just woke the system from sleep.
@availability Deprecated in Mac OS X version 10.6.
@discussion Power management calls a power managed driver with this method to ask if its device is the one that just woke the system from sleep. If a device is capable of waking the system from sleep, its driver should implement didYouWakeSystem and return true if its device was responsible for waking the system.
@result true if the driver's device woke the system and false otherwise. */
virtual bool didYouWakeSystem( void )
APPLE_KEXT_DEPRECATED;
/*! @function newTemperature
@abstract Tells a power managed driver that the temperature in the thermal zone has changed.
@discussion This call is unused by power management. It is not intended to be called or overridden. */
virtual IOReturn newTemperature( long currentTemp, IOService * whichZone )
APPLE_KEXT_DEPRECATED;
#endif
virtual bool askChangeDown( unsigned long );
virtual bool tellChangeDown( unsigned long );
virtual void tellNoChangeDown ( unsigned long );
virtual void tellChangeUp( unsigned long );
virtual IOReturn allowPowerChange( unsigned long refcon );
virtual IOReturn cancelPowerChange( unsigned long refcon );
protected:
/*! @function changePowerStateToPriv
@abstract Tells a driver's superclass to change the power state of its device.
@discussion A driver uses this method to tell its superclass to change the power state of the device. This is the recommended way to change the power state of a device.
Three things affect driver power state: @link changePowerStateTo changePowerStateTo@/link, changePowerStateToPriv, and the desires of the driver's power plane children. Power management puts the device into the maximum state governed by those three entities.
Drivers may eliminate the influence of the changePowerStateTo method on power state one of two ways. See @link powerOverrideOnPriv powerOverrideOnPriv@/link to ignore the method's influence, or call changePowerStateTo(0) in the driver's start routine to remove the changePowerStateTo method's power request.
@param ordinal The number of the desired power state in the power state array.
@result A return code that can be ignored by the caller. */
IOReturn changePowerStateToPriv( unsigned long ordinal );
/*! @function powerOverrideOnPriv
@abstract Allows a driver to ignore its children's power management requests and only use changePowerStateToPriv to define its own power state.
@discussion Power management normally keeps a device at the highest state required by its requests via @link changePowerStateTo changePowerStateTo@/link, @link changePowerStateToPriv changePowerStateToPriv@/link, and its children. However, a driver may ensure a lower power state than otherwise required by itself and its children using powerOverrideOnPriv. When the override is on, power management keeps the device's power state in the state specified by changePowerStateToPriv. Turning on the override will initiate a power change if the driver's changePowerStateToPriv desired power state is different from the maximum of the changePowerStateTo desired power state and the children's desires.
@result A return code that can be ignored by the caller. */
IOReturn powerOverrideOnPriv( void );
/*! @function powerOverrideOffPriv
@abstract Allows a driver to disable a power override.
@discussion When a driver has enabled an override via @link powerOverrideOnPriv powerOverrideOnPriv@/link, it can disable it again by calling this method in its superclass. Disabling the override reverts to the default algorithm for determining a device's power state. The superclass will now keep the device at the highest state required by changePowerStateTo, changePowerStateToPriv, and its children. Turning off the override will initiate a power change if the driver's desired power state is different from the maximum of the power managed driver's desire and the children's desires.
@result A return code that can be ignored by the caller. */
IOReturn powerOverrideOffPriv( void );
/*! @function powerChangeDone
@abstract Tells a driver when a power state change is complete.
@discussion Power management uses this method to inform a driver when a power change is completely done, when all interested parties have acknowledged the @link powerStateDidChangeTo powerStateDidChangeTo@/link call. The default implementation of this method is null; the method is meant to be overridden by subclassed power managed drivers. A driver should use this method to find out if a power change it initiated is complete.
@param stateNumber The number of the state in the state array that the device has switched from. */
virtual void powerChangeDone( unsigned long stateNumber );
};
#endif /* ! _IOKIT_IOSERVICE_H */
================================================
FILE: EFI/CLOVER/kexts/Other/Lilu_v1.3.7.kext/Contents/Resources/Library/plugin_start.cpp
================================================
//
// plugin_start.cpp
// Lilu
//
// Copyright © 2016-2017 vit9696. All rights reserved.
//
#include
#include
#include
#ifndef LILU_CUSTOM_KMOD_INIT
bool ADDPR(startSuccess) = false;
#else
// Workaround custom kmod code and enable by default
bool ADDPR(startSuccess) = true;
#endif
bool ADDPR(debugEnabled) = false;
uint32_t ADDPR(debugPrintDelay) = 0;
#if !defined(LILU_CUSTOM_KMOD_INIT) || !defined(LILU_CUSTOM_IOKIT_INIT)
static const char kextVersion[] {
#ifdef DEBUG
'D', 'B', 'G', '-',
#else
'R', 'E', 'L', '-',
#endif
xStringify(MODULE_VERSION)[0], xStringify(MODULE_VERSION)[2], xStringify(MODULE_VERSION)[4], '-',
getBuildYear<0>(), getBuildYear<1>(), getBuildYear<2>(), getBuildYear<3>(), '-',
getBuildMonth<0>(), getBuildMonth<1>(), '-', getBuildDay<0>(), getBuildDay<1>(), '\0'
};
#endif
#ifndef LILU_CUSTOM_IOKIT_INIT
OSDefineMetaClassAndStructors(PRODUCT_NAME, IOService)
PRODUCT_NAME *ADDPR(selfInstance) = nullptr;
IOService *PRODUCT_NAME::probe(IOService *provider, SInt32 *score) {
ADDPR(selfInstance) = this;
setProperty("VersionInfo", kextVersion);
auto service = IOService::probe(provider, score);
return ADDPR(startSuccess) ? service : nullptr;
}
bool PRODUCT_NAME::start(IOService *provider) {
ADDPR(selfInstance) = this;
if (!IOService::start(provider)) {
SYSLOG("init", "failed to start the parent");
return false;
}
return ADDPR(startSuccess);
}
void PRODUCT_NAME::stop(IOService *provider) {
ADDPR(selfInstance) = nullptr;
IOService::stop(provider);
}
#endif /* LILU_CUSTOM_IOKIT_INIT */
#ifndef LILU_CUSTOM_KMOD_INIT
EXPORT extern "C" kern_return_t ADDPR(kern_start)(kmod_info_t *, void *) {
// This is an ugly hack necessary on some systems where buffering kills most of debug output.
PE_parse_boot_argn("liludelay", &ADDPR(debugPrintDelay), sizeof(ADDPR(debugPrintDelay)));
auto error = lilu.requestAccess();
if (error == LiluAPI::Error::NoError) {
error = lilu.shouldLoad(ADDPR(config).product, ADDPR(config).version, ADDPR(config).runmode, ADDPR(config).disableArg, ADDPR(config).disableArgNum,
ADDPR(config).debugArg, ADDPR(config).debugArgNum, ADDPR(config).betaArg, ADDPR(config).betaArgNum, ADDPR(config).minKernel,
ADDPR(config).maxKernel, ADDPR(debugEnabled));
if (error == LiluAPI::Error::NoError) {
DBGLOG("init", "%s bootstrap %s", xStringify(PRODUCT_NAME), kextVersion);
(void)kextVersion;
ADDPR(startSuccess) = true;
ADDPR(config).pluginStart();
} else {
SYSLOG("init", "parent said we should not continue %d", error);
}
lilu.releaseAccess();
} else {
SYSLOG("init", "failed to call parent %d", error);
}
// Report success but actually do not start and let I/O Kit unload us.
// This works better and increases boot speed in some cases.
return KERN_SUCCESS;
}
EXPORT extern "C" kern_return_t ADDPR(kern_stop)(kmod_info_t *, void *) {
// It is not safe to unload Lilu plugins unless they were disabled!
return ADDPR(startSuccess) ? KERN_FAILURE : KERN_SUCCESS;
}
#endif /* LILU_CUSTOM_KMOD_INIT */
================================================
FILE: EFI/CLOVER/kexts/Other/Lilu_v1.3.7.kext/Contents/Resources/Library/security/_label.h
================================================
/*
* Copyright (c) 2007 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
/*-
* Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
* Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
*
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/sys/sys/_label.h,v 1.4 2003/05/08 19:49:42 rwatson Exp $
*/
#ifndef _SECURITY_LABEL_H_
#define _SECURITY_LABEL_H_
/*
* XXXMAC: This shouldn't be exported to userland, but is because of ucred.h
* and various other messes.
*/
#if CONFIG_EMBEDDED
#define MAC_MAX_SLOTS 3
#else
#define MAC_MAX_SLOTS 7
#endif
#define MAC_FLAG_INITIALIZED 0x0000001 /* Is initialized for use. */
struct label {
int l_flags;
union {
void *l_ptr;
long l_long;
} l_perpolicy[MAC_MAX_SLOTS];
};
#endif /* !_SECURITY_LABEL_H_ */
================================================
FILE: EFI/CLOVER/kexts/Other/Lilu_v1.3.7.kext/Contents/Resources/Library/security/mac_framework.h
================================================
/*
* Copyright (c) 2007 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2007 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
*
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/sys/sys/mac.h,v 1.40 2003/04/18 19:57:37 rwatson Exp $
*
*/
/*
* Kernel interface for Mandatory Access Control -- how kernel services
* interact with the TrustedBSD MAC Framework.
*/
#ifndef _SECURITY_MAC_FRAMEWORK_H_
#define _SECURITY_MAC_FRAMEWORK_H_
//#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
#ifdef __cplusplus
extern "C" {
#endif
struct attrlist;
struct auditinfo;
struct bpf_d;
struct componentname;
struct cs_blob;
struct devnode;
struct exception_action;
struct flock;
struct fdescnode;
struct fileglob;
struct fileproc;
struct ifnet;
struct ifreq;
struct image_params;
struct inpcb;
struct ipc_port;
struct ipq;
struct knote;
struct m_tag;
struct mac;
struct mac_module_data;
struct mbuf;
struct msg;
struct msqid_kernel;
struct mount;
struct pipe;
struct proc;
struct pseminfo;
struct pshminfo;
struct semid_kernel;
struct shmid_kernel;
struct sockaddr;
struct sockopt;
struct socket;
struct task;
struct thread;
struct timespec;
struct tty;
struct ucred;
struct uio;
struct uthread;
struct vfs_attr;
struct vfs_context;
struct vnode;
struct vnode_attr;
struct vop_setlabel_args;
#include
#include
#if CONFIG_MACF
#ifndef __IOKIT_PORTS_DEFINED__
#define __IOKIT_PORTS_DEFINED__
#ifdef __cplusplus
class OSObject;
typedef OSObject *io_object_t;
#else
struct OSObject;
typedef struct OSObject *io_object_t;
#endif
#endif /* __IOKIT_PORTS_DEFINED__ */
/*@ macros */
#define VNODE_LABEL_CREATE 1
/*@ === */
int mac_audit_check_postselect(kauth_cred_t cred, unsigned short syscode,
void *args, int error, int retval, int mac_forced);
int mac_audit_check_preselect(kauth_cred_t cred, unsigned short syscode,
void *args);
int mac_bpfdesc_check_receive(struct bpf_d *bpf_d, struct ifnet *ifp);
void mac_bpfdesc_label_destroy(struct bpf_d *bpf_d);
void mac_bpfdesc_label_init(struct bpf_d *bpf_d);
void mac_bpfdesc_label_associate(kauth_cred_t cred, struct bpf_d *bpf_d);
int mac_cred_check_label_update(kauth_cred_t cred,
struct label *newlabel);
int mac_cred_check_label_update_execve(vfs_context_t ctx,
struct vnode *vp, off_t offset, struct vnode *scriptvp,
struct label *scriptvnodelabel, struct label *execlabel,
proc_t proc, void *macextensions);
int mac_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2);
struct label *mac_cred_label_alloc(void);
void mac_cred_label_associate(kauth_cred_t cred_parent,
kauth_cred_t cred_child);
void mac_cred_label_associate_fork(kauth_cred_t cred, proc_t child);
void mac_cred_label_associate_kernel(kauth_cred_t cred);
void mac_cred_label_associate_user(kauth_cred_t cred);
void mac_cred_label_destroy(kauth_cred_t cred);
int mac_cred_label_externalize_audit(proc_t p, struct mac *mac);
void mac_cred_label_free(struct label *label);
void mac_cred_label_init(kauth_cred_t cred);
int mac_cred_label_compare(struct label *a, struct label *b);
void mac_cred_label_update(kauth_cred_t cred, struct label *newlabel);
void mac_cred_label_update_execve(vfs_context_t ctx, kauth_cred_t newcred,
struct vnode *vp, off_t offset, struct vnode *scriptvp,
struct label *scriptvnodelabel, struct label *execlabel, u_int *csflags,
void *macextensions, int *disjoint, int *labelupdateerror);
void mac_devfs_label_associate_device(dev_t dev, struct devnode *de,
const char *fullpath);
void mac_devfs_label_associate_directory(const char *dirname, int dirnamelen,
struct devnode *de, const char *fullpath);
void mac_devfs_label_copy(struct label *, struct label *label);
void mac_devfs_label_destroy(struct devnode *de);
void mac_devfs_label_init(struct devnode *de);
void mac_devfs_label_update(struct mount *mp, struct devnode *de,
struct vnode *vp);
int mac_execve_enter(user_addr_t mac_p, struct image_params *imgp);
int mac_file_check_change_offset(kauth_cred_t cred, struct fileglob *fg);
int mac_file_check_create(kauth_cred_t cred);
int mac_file_check_dup(kauth_cred_t cred, struct fileglob *fg, int newfd);
int mac_file_check_fcntl(kauth_cred_t cred, struct fileglob *fg, int cmd,
user_long_t arg);
int mac_file_check_get(kauth_cred_t cred, struct fileglob *fg,
char *elements, int len);
int mac_file_check_get_offset(kauth_cred_t cred, struct fileglob *fg);
int mac_file_check_inherit(kauth_cred_t cred, struct fileglob *fg);
int mac_file_check_ioctl(kauth_cred_t cred, struct fileglob *fg,
unsigned int cmd);
int mac_file_check_lock(kauth_cred_t cred, struct fileglob *fg, int op,
struct flock *fl);
int mac_file_check_library_validation(struct proc *proc,
struct fileglob *fg, off_t slice_offset,
user_long_t error_message, size_t error_message_size);
int mac_file_check_mmap(kauth_cred_t cred, struct fileglob *fg,
int prot, int flags, uint64_t file_pos, int *maxprot);
void mac_file_check_mmap_downgrade(kauth_cred_t cred, struct fileglob *fg,
int *prot);
int mac_file_check_receive(kauth_cred_t cred, struct fileglob *fg);
int mac_file_check_set(kauth_cred_t cred, struct fileglob *fg,
char *bufp, int buflen);
void mac_file_label_associate(kauth_cred_t cred, struct fileglob *fg);
void mac_file_label_destroy(struct fileglob *fg);
void mac_file_label_init(struct fileglob *fg);
int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *mbuf,
int family, int type);
void mac_ifnet_label_associate(struct ifnet *ifp);
void mac_ifnet_label_destroy(struct ifnet *ifp);
int mac_ifnet_label_get(kauth_cred_t cred, struct ifreq *ifr,
struct ifnet *ifp);
void mac_ifnet_label_init(struct ifnet *ifp);
void mac_ifnet_label_recycle(struct ifnet *ifp);
int mac_ifnet_label_set(kauth_cred_t cred, struct ifreq *ifr,
struct ifnet *ifp);
int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *mbuf,
int family, int type);
void mac_inpcb_label_associate(struct socket *so, struct inpcb *inp);
void mac_inpcb_label_destroy(struct inpcb *inp);
int mac_inpcb_label_init(struct inpcb *inp, int flag);
void mac_inpcb_label_recycle(struct inpcb *inp);
void mac_inpcb_label_update(struct socket *so);
int mac_iokit_check_device(char *devtype, struct mac_module_data *mdata);
int mac_iokit_check_open(kauth_cred_t cred, io_object_t user_client, unsigned int user_client_type);
int mac_iokit_check_set_properties(kauth_cred_t cred, io_object_t registry_entry, io_object_t properties);
int mac_iokit_check_filter_properties(kauth_cred_t cred, io_object_t registry_entry);
int mac_iokit_check_get_property(kauth_cred_t cred, io_object_t registry_entry, const char *name);
int mac_iokit_check_hid_control(kauth_cred_t cred);
int mac_iokit_check_nvram_delete(kauth_cred_t cred, const char *name);
int mac_iokit_check_nvram_get(kauth_cred_t cred, const char *name);
int mac_iokit_check_nvram_set(kauth_cred_t cred, const char *name, io_object_t value);
void mac_ipq_label_associate(struct mbuf *fragment, struct ipq *ipq);
int mac_ipq_label_compare(struct mbuf *fragment, struct ipq *ipq);
void mac_ipq_label_destroy(struct ipq *ipq);
int mac_ipq_label_init(struct ipq *ipq, int flag);
void mac_ipq_label_update(struct mbuf *fragment, struct ipq *ipq);
void mac_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
void mac_mbuf_label_associate_ifnet(struct ifnet *ifp, struct mbuf *m);
void mac_mbuf_label_associate_inpcb(struct inpcb *inp, struct mbuf *m);
void mac_mbuf_label_associate_ipq(struct ipq *ipq, struct mbuf *mbuf);
void mac_mbuf_label_associate_linklayer(struct ifnet *ifp, struct mbuf *m);
void mac_mbuf_label_associate_multicast_encap(struct mbuf *oldmbuf,
struct ifnet *ifp, struct mbuf *newmbuf);
void mac_mbuf_label_associate_netlayer(struct mbuf *oldmbuf,
struct mbuf *newmbuf);
void mac_mbuf_label_associate_socket(struct socket *so, struct mbuf *m);
void mac_mbuf_label_copy(struct mbuf *m_from, struct mbuf *m_to);
void mac_mbuf_label_destroy(struct mbuf *m);
int mac_mbuf_label_init(struct mbuf *m, int flag);
void mac_mbuf_tag_copy(struct m_tag *m, struct m_tag *mtag);
void mac_mbuf_tag_destroy(struct m_tag *mtag);
int mac_mbuf_tag_init(struct m_tag *, int how);
int mac_mount_check_fsctl(vfs_context_t ctx, struct mount *mp,
unsigned int cmd);
int mac_mount_check_getattr(vfs_context_t ctx, struct mount *mp,
struct vfs_attr *vfa);
int mac_mount_check_label_update(vfs_context_t ctx, struct mount *mp);
int mac_mount_check_mount(vfs_context_t ctx, struct vnode *vp,
struct componentname *cnp, const char *vfc_name);
int mac_mount_check_snapshot_create(vfs_context_t ctx, struct mount *mp,
const char *name);
int mac_mount_check_snapshot_delete(vfs_context_t ctx, struct mount *mp,
const char *name);
int mac_mount_check_snapshot_revert(vfs_context_t ctx, struct mount *mp,
const char *name);
int mac_mount_check_remount(vfs_context_t ctx, struct mount *mp);
int mac_mount_check_setattr(vfs_context_t ctx, struct mount *mp,
struct vfs_attr *vfa);
int mac_mount_check_stat(vfs_context_t ctx, struct mount *mp);
int mac_mount_check_umount(vfs_context_t ctx, struct mount *mp);
void mac_mount_label_associate(vfs_context_t ctx, struct mount *mp);
void mac_mount_label_destroy(struct mount *mp);
int mac_mount_label_externalize(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
int mac_mount_label_get(struct mount *mp, user_addr_t mac_p);
void mac_mount_label_init(struct mount *);
int mac_mount_label_internalize(struct label *, char *string);
void mac_netinet_fragment(struct mbuf *datagram, struct mbuf *fragment);
void mac_netinet_icmp_reply(struct mbuf *m);
void mac_netinet_tcp_reply(struct mbuf *m);
int mac_pipe_check_ioctl(kauth_cred_t cred, struct pipe *cpipe,
unsigned int cmd);
int mac_pipe_check_kqfilter(kauth_cred_t cred, struct knote *kn,
struct pipe *cpipe);
int mac_pipe_check_read(kauth_cred_t cred, struct pipe *cpipe);
int mac_pipe_check_select(kauth_cred_t cred, struct pipe *cpipe,
int which);
int mac_pipe_check_stat(kauth_cred_t cred, struct pipe *cpipe);
int mac_pipe_check_write(kauth_cred_t cred, struct pipe *cpipe);
struct label *mac_pipe_label_alloc(void);
void mac_pipe_label_associate(kauth_cred_t cred, struct pipe *cpipe);
void mac_pipe_label_copy(struct label *src, struct label *dest);
void mac_pipe_label_destroy(struct pipe *cpipe);
void mac_pipe_label_free(struct label *label);
void mac_pipe_label_init(struct pipe *cpipe);
int mac_pipe_label_update(kauth_cred_t cred, struct pipe *cpipe,
struct label *label);
void mac_policy_initbsd(void);
int mac_posixsem_check_create(kauth_cred_t cred, const char *name);
int mac_posixsem_check_open(kauth_cred_t cred, struct pseminfo *psem);
int mac_posixsem_check_post(kauth_cred_t cred, struct pseminfo *psem);
int mac_posixsem_check_unlink(kauth_cred_t cred, struct pseminfo *psem,
const char *name);
int mac_posixsem_check_wait(kauth_cred_t cred, struct pseminfo *psem);
void mac_posixsem_vnode_label_associate(kauth_cred_t cred,
struct pseminfo *psem, struct label *plabel,
vnode_t vp, struct label *vlabel);
void mac_posixsem_label_associate(kauth_cred_t cred,
struct pseminfo *psem, const char *name);
void mac_posixsem_label_destroy(struct pseminfo *psem);
void mac_posixsem_label_init(struct pseminfo *psem);
int mac_posixshm_check_create(kauth_cred_t cred, const char *name);
int mac_posixshm_check_mmap(kauth_cred_t cred, struct pshminfo *pshm,
int prot, int flags);
int mac_posixshm_check_open(kauth_cred_t cred, struct pshminfo *pshm,
int fflags);
int mac_posixshm_check_stat(kauth_cred_t cred, struct pshminfo *pshm);
int mac_posixshm_check_truncate(kauth_cred_t cred, struct pshminfo *pshm,
off_t s);
int mac_posixshm_check_unlink(kauth_cred_t cred, struct pshminfo *pshm,
const char *name);
void mac_posixshm_vnode_label_associate(kauth_cred_t cred,
struct pshminfo *pshm, struct label *plabel,
vnode_t vp, struct label *vlabel);
void mac_posixshm_label_associate(kauth_cred_t cred,
struct pshminfo *pshm, const char *name);
void mac_posixshm_label_destroy(struct pshminfo *pshm);
void mac_posixshm_label_init(struct pshminfo *pshm);
int mac_priv_check(kauth_cred_t cred, int priv);
int mac_priv_grant(kauth_cred_t cred, int priv);
int mac_proc_check_debug(proc_t proc1, proc_t proc2);
int mac_proc_check_cpumon(proc_t curp);
int mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor);
int mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op);
int mac_proc_check_set_cs_info(proc_t curp, proc_t target, unsigned int op);
int mac_proc_check_fork(proc_t proc);
int mac_proc_check_suspend_resume(proc_t proc, int sr);
int mac_proc_check_get_task_name(kauth_cred_t cred, struct proc *p);
int mac_proc_check_get_task(kauth_cred_t cred, struct proc *p);
int mac_proc_check_expose_task(kauth_cred_t cred, struct proc *p);
int mac_proc_check_inherit_ipc_ports(struct proc *p, struct vnode *cur_vp, off_t cur_offset, struct vnode *img_vp, off_t img_offset, struct vnode *scriptvp);
int mac_proc_check_getaudit(proc_t proc);
int mac_proc_check_getauid(proc_t proc);
int mac_proc_check_getlcid(proc_t proc1, proc_t proc2,
pid_t pid);
int mac_proc_check_ledger(proc_t curp, proc_t target, int op);
int mac_proc_check_map_anon(proc_t proc, user_addr_t u_addr,
user_size_t u_size, int prot, int flags, int *maxprot);
int mac_proc_check_mprotect(proc_t proc,
user_addr_t addr, user_size_t size, int prot);
int mac_proc_check_run_cs_invalid(proc_t proc);
int mac_proc_check_sched(proc_t proc, proc_t proc2);
int mac_proc_check_setaudit(proc_t proc, struct auditinfo_addr *ai);
int mac_proc_check_setauid(proc_t proc, uid_t auid);
int mac_proc_check_setlcid(proc_t proc1, proc_t proc2,
pid_t pid1, pid_t pid2);
int mac_proc_check_signal(proc_t proc1, proc_t proc2,
int signum);
int mac_proc_check_wait(proc_t proc1, proc_t proc2);
void mac_proc_set_enforce(proc_t p, int enforce_flags);
int mac_setsockopt_label(kauth_cred_t cred, struct socket *so,
struct mac *extmac);
int mac_socket_check_accept(kauth_cred_t cred, struct socket *so);
int mac_socket_check_accepted(kauth_cred_t cred, struct socket *so);
int mac_socket_check_bind(kauth_cred_t cred, struct socket *so,
struct sockaddr *addr);
int mac_socket_check_connect(kauth_cred_t cred, struct socket *so,
struct sockaddr *addr);
int mac_socket_check_create(kauth_cred_t cred, int domain,
int type, int protocol);
int mac_socket_check_deliver(struct socket *so, struct mbuf *m);
int mac_socket_check_kqfilter(kauth_cred_t cred, struct knote *kn,
struct socket *so);
int mac_socket_check_listen(kauth_cred_t cred, struct socket *so);
int mac_socket_check_receive(kauth_cred_t cred, struct socket *so);
int mac_socket_check_received(kauth_cred_t cred, struct socket *so,
struct sockaddr *saddr);
int mac_socket_check_select(kauth_cred_t cred, struct socket *so,
int which);
int mac_socket_check_send(kauth_cred_t cred, struct socket *so,
struct sockaddr *addr);
int mac_socket_check_getsockopt(kauth_cred_t cred, struct socket *so,
struct sockopt *sopt);
int mac_socket_check_setsockopt(kauth_cred_t cred, struct socket *so,
struct sockopt *sopt);
int mac_socket_check_stat(kauth_cred_t cred, struct socket *so);
void mac_socket_label_associate(kauth_cred_t cred, struct socket *so);
void mac_socket_label_associate_accept(struct socket *oldsocket,
struct socket *newsocket);
void mac_socket_label_copy(struct label *from, struct label *to);
void mac_socket_label_destroy(struct socket *);
int mac_socket_label_get(kauth_cred_t cred, struct socket *so,
struct mac *extmac);
int mac_socket_label_init(struct socket *, int waitok);
void mac_socketpeer_label_associate_mbuf(struct mbuf *m, struct socket *so);
void mac_socketpeer_label_associate_socket(struct socket *peersocket,
struct socket *socket_to_modify);
int mac_socketpeer_label_get(kauth_cred_t cred, struct socket *so,
struct mac *extmac);
int mac_system_check_acct(kauth_cred_t cred, struct vnode *vp);
int mac_system_check_audit(kauth_cred_t cred, void *record, int length);
int mac_system_check_auditctl(kauth_cred_t cred, struct vnode *vp);
int mac_system_check_auditon(kauth_cred_t cred, int cmd);
int mac_system_check_chud(kauth_cred_t cred);
int mac_system_check_host_priv(kauth_cred_t cred);
int mac_system_check_info(kauth_cred_t, const char *info_type);
int mac_system_check_nfsd(kauth_cred_t cred);
int mac_system_check_reboot(kauth_cred_t cred, int howto);
int mac_system_check_settime(kauth_cred_t cred);
int mac_system_check_swapoff(kauth_cred_t cred, struct vnode *vp);
int mac_system_check_swapon(kauth_cred_t cred, struct vnode *vp);
int mac_system_check_sysctlbyname(kauth_cred_t cred, const char *namestring, int *name,
u_int namelen, user_addr_t oldctl, size_t oldlen,
user_addr_t newctl, size_t newlen);
int mac_system_check_kas_info(kauth_cred_t cred, int selector);
void mac_sysvmsg_label_associate(kauth_cred_t cred,
struct msqid_kernel *msqptr, struct msg *msgptr);
void mac_sysvmsg_label_init(struct msg *msgptr);
void mac_sysvmsg_label_recycle(struct msg *msgptr);
int mac_sysvmsq_check_enqueue(kauth_cred_t cred, struct msg *msgptr,
struct msqid_kernel *msqptr);
int mac_sysvmsq_check_msgrcv(kauth_cred_t cred, struct msg *msgptr);
int mac_sysvmsq_check_msgrmid(kauth_cred_t cred, struct msg *msgptr);
int mac_sysvmsq_check_msqctl(kauth_cred_t cred,
struct msqid_kernel *msqptr, int cmd);
int mac_sysvmsq_check_msqget(kauth_cred_t cred,
struct msqid_kernel *msqptr);
int mac_sysvmsq_check_msqrcv(kauth_cred_t cred,
struct msqid_kernel *msqptr);
int mac_sysvmsq_check_msqsnd(kauth_cred_t cred,
struct msqid_kernel *msqptr);
void mac_sysvmsq_label_associate(kauth_cred_t cred,
struct msqid_kernel *msqptr);
void mac_sysvmsq_label_init(struct msqid_kernel *msqptr);
void mac_sysvmsq_label_recycle(struct msqid_kernel *msqptr);
int mac_sysvsem_check_semctl(kauth_cred_t cred,
struct semid_kernel *semakptr, int cmd);
int mac_sysvsem_check_semget(kauth_cred_t cred,
struct semid_kernel *semakptr);
int mac_sysvsem_check_semop(kauth_cred_t cred,
struct semid_kernel *semakptr, size_t accesstype);
void mac_sysvsem_label_associate(kauth_cred_t cred,
struct semid_kernel *semakptr);
void mac_sysvsem_label_destroy(struct semid_kernel *semakptr);
void mac_sysvsem_label_init(struct semid_kernel *semakptr);
void mac_sysvsem_label_recycle(struct semid_kernel *semakptr);
int mac_sysvshm_check_shmat(kauth_cred_t cred,
struct shmid_kernel *shmsegptr, int shmflg);
int mac_sysvshm_check_shmctl(kauth_cred_t cred,
struct shmid_kernel *shmsegptr, int cmd);
int mac_sysvshm_check_shmdt(kauth_cred_t cred,
struct shmid_kernel *shmsegptr);
int mac_sysvshm_check_shmget(kauth_cred_t cred,
struct shmid_kernel *shmsegptr, int shmflg);
void mac_sysvshm_label_associate(kauth_cred_t cred,
struct shmid_kernel *shmsegptr);
void mac_sysvshm_label_destroy(struct shmid_kernel *shmsegptr);
void mac_sysvshm_label_init(struct shmid_kernel* shmsegptr);
void mac_sysvshm_label_recycle(struct shmid_kernel *shmsegptr);
int mac_vnode_check_access(vfs_context_t ctx, struct vnode *vp,
int acc_mode);
int mac_vnode_check_chdir(vfs_context_t ctx, struct vnode *dvp);
int mac_vnode_check_chroot(vfs_context_t ctx, struct vnode *dvp,
struct componentname *cnp);
int mac_vnode_check_clone(vfs_context_t ctx, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_create(vfs_context_t ctx, struct vnode *dvp,
struct componentname *cnp, struct vnode_attr *vap);
int mac_vnode_check_deleteextattr(vfs_context_t ctx, struct vnode *vp,
const char *name);
int mac_vnode_check_exchangedata(vfs_context_t ctx, struct vnode *v1,
struct vnode *v2);
int mac_vnode_check_exec(vfs_context_t ctx, struct vnode *vp,
struct image_params *imgp);
int mac_vnode_check_fsgetpath(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_getattr(vfs_context_t ctx, struct ucred *file_cred,
struct vnode *vp, struct vnode_attr *va);
int mac_vnode_check_getattrlist(vfs_context_t ctx, struct vnode *vp,
struct attrlist *alist);
int mac_vnode_check_getextattr(vfs_context_t ctx, struct vnode *vp,
const char *name, struct uio *uio);
int mac_vnode_check_ioctl(vfs_context_t ctx, struct vnode *vp,
unsigned int cmd);
int mac_vnode_check_kqfilter(vfs_context_t ctx,
kauth_cred_t file_cred, struct knote *kn, struct vnode *vp);
int mac_vnode_check_label_update(vfs_context_t ctx, struct vnode *vp,
struct label *newlabel);
int mac_vnode_check_link(vfs_context_t ctx, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_listextattr(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_lookup(vfs_context_t ctx, struct vnode *dvp,
struct componentname *cnp);
int mac_vnode_check_open(vfs_context_t ctx, struct vnode *vp,
int acc_mode);
int mac_vnode_check_read(vfs_context_t ctx,
kauth_cred_t file_cred, struct vnode *vp);
int mac_vnode_check_readdir(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_readlink(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_rename(vfs_context_t ctx, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp, struct vnode *tdvp,
struct vnode *tvp, struct componentname *tcnp);
int mac_vnode_check_revoke(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_searchfs(vfs_context_t ctx, struct vnode *vp,
struct attrlist *alist);
int mac_vnode_check_select(vfs_context_t ctx, struct vnode *vp,
int which);
int mac_vnode_check_setacl(vfs_context_t ctx, struct vnode *vp,
struct kauth_acl *acl);
int mac_vnode_check_setattrlist(vfs_context_t ctxd, struct vnode *vp,
struct attrlist *alist);
int mac_vnode_check_setextattr(vfs_context_t ctx, struct vnode *vp,
const char *name, struct uio *uio);
int mac_vnode_check_setflags(vfs_context_t ctx, struct vnode *vp,
u_long flags);
int mac_vnode_check_setmode(vfs_context_t ctx, struct vnode *vp,
mode_t mode);
int mac_vnode_check_setowner(vfs_context_t ctx, struct vnode *vp,
uid_t uid, gid_t gid);
int mac_vnode_check_setutimes(vfs_context_t ctx, struct vnode *vp,
struct timespec atime, struct timespec mtime);
int mac_vnode_check_signature(struct vnode *vp,
struct cs_blob *cs_blob, struct image_params *imgp,
unsigned int *cs_flags,
int flags);
int mac_vnode_check_stat(vfs_context_t ctx,
kauth_cred_t file_cred, struct vnode *vp);
int mac_vnode_check_truncate(vfs_context_t ctx,
kauth_cred_t file_cred, struct vnode *vp);
int mac_vnode_check_uipc_bind(vfs_context_t ctx, struct vnode *dvp,
struct componentname *cnp, struct vnode_attr *vap);
int mac_vnode_check_uipc_connect(vfs_context_t ctx, struct vnode *vp, struct socket *so);
int mac_vnode_check_unlink(vfs_context_t ctx, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_write(vfs_context_t ctx,
kauth_cred_t file_cred, struct vnode *vp);
struct label *mac_vnode_label_alloc(void);
int mac_vnode_label_associate(struct mount *mp, struct vnode *vp,
vfs_context_t ctx);
void mac_vnode_label_associate_devfs(struct mount *mp, struct devnode *de,
struct vnode *vp);
int mac_vnode_label_associate_extattr(struct mount *mp, struct vnode *vp);
int mac_vnode_label_associate_fdesc(struct mount *mp, struct fdescnode *fnp,
struct vnode *vp, vfs_context_t ctx);
void mac_vnode_label_associate_singlelabel(struct mount *mp,
struct vnode *vp);
void mac_vnode_label_copy(struct label *l1, struct label *l2);
void mac_vnode_label_destroy(struct vnode *vp);
int mac_vnode_label_externalize_audit(struct vnode *vp, struct mac *mac);
void mac_vnode_label_free(struct label *label);
void mac_vnode_label_init(struct vnode *vp);
int mac_vnode_label_init_needed(struct vnode *vp);
void mac_vnode_label_recycle(struct vnode *vp);
void mac_vnode_label_update(vfs_context_t ctx, struct vnode *vp,
struct label *newlabel);
void mac_vnode_label_update_extattr(struct mount *mp, struct vnode *vp,
const char *name);
int mac_vnode_notify_create(vfs_context_t ctx, struct mount *mp,
struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
void mac_vnode_notify_deleteextattr(vfs_context_t ctx, struct vnode *vp, const char *name);
void mac_vnode_notify_link(vfs_context_t ctx, struct vnode *vp,
struct vnode *dvp, struct componentname *cnp);
void mac_vnode_notify_open(vfs_context_t ctx, struct vnode *vp, int acc_flags);
void mac_vnode_notify_rename(vfs_context_t ctx, struct vnode *vp,
struct vnode *dvp, struct componentname *cnp);
void mac_vnode_notify_setacl(vfs_context_t ctx, struct vnode *vp, struct kauth_acl *acl);
void mac_vnode_notify_setattrlist(vfs_context_t ctx, struct vnode *vp, struct attrlist *alist);
void mac_vnode_notify_setextattr(vfs_context_t ctx, struct vnode *vp, const char *name, struct uio *uio);
void mac_vnode_notify_setflags(vfs_context_t ctx, struct vnode *vp, u_long flags);
void mac_vnode_notify_setmode(vfs_context_t ctx, struct vnode *vp, mode_t mode);
void mac_vnode_notify_setowner(vfs_context_t ctx, struct vnode *vp, uid_t uid, gid_t gid);
void mac_vnode_notify_setutimes(vfs_context_t ctx, struct vnode *vp, struct timespec atime, struct timespec mtime);
void mac_vnode_notify_truncate(vfs_context_t ctx, kauth_cred_t file_cred, struct vnode *vp);
int mac_vnode_find_sigs(struct proc *p, struct vnode *vp, off_t offsetInMacho);
int vnode_label(struct mount *mp, struct vnode *dvp, struct vnode *vp,
struct componentname *cnp, int flags, vfs_context_t ctx);
void vnode_relabel(struct vnode *vp);
void mac_pty_notify_grant(proc_t p, struct tty *tp, dev_t dev, struct label *label);
void mac_pty_notify_close(proc_t p, struct tty *tp, dev_t dev, struct label *label);
int mac_kext_check_load(kauth_cred_t cred, const char *identifier);
int mac_kext_check_unload(kauth_cred_t cred, const char *identifier);
int mac_kext_check_query(kauth_cred_t cred);
void psem_label_associate(struct fileproc *fp, struct vnode *vp, struct vfs_context *ctx);
void pshm_label_associate(struct fileproc *fp, struct vnode *vp, struct vfs_context *ctx);
#if CONFIG_MACF_NET
struct label *mac_bpfdesc_label_get(struct bpf_d *d);
void mac_bpfdesc_label_set(struct bpf_d *d, struct label *label);
#endif
#endif /* CONFIG_MACF */
#ifdef __cplusplus
}
#endif
#endif /* !_SECURITY_MAC_FRAMEWORK_H_ */
================================================
FILE: EFI/CLOVER/kexts/Other/Lilu_v1.3.7.kext/Contents/Resources/Library/security/mac_policy.h
================================================
/*
* Copyright (c) 2007-2016 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2007 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
*
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $
*/
/**
@file mac_policy.h
@brief Kernel Interfaces for MAC policy modules
This header defines the list of operations that are defined by the
TrustedBSD MAC Framwork on Darwin. MAC Policy modules register
with the framework to declare interest in a specific set of
operations. If interest in an entry point is not declared, then
the policy will be ignored when the Framework evaluates that entry
point.
*/
#ifndef _SECURITY_MAC_POLICY_H_
#define _SECURITY_MAC_POLICY_H_
//#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
#ifdef __cplusplus
extern "C" {
#endif
#include
struct attrlist;
struct auditinfo;
struct bpf_d;
struct cs_blob;
struct devnode;
struct exception_action;
struct fileglob;
struct ifnet;
struct inpcb;
struct ipq;
struct label;
struct mac_module_data;
struct mac_policy_conf;
struct mbuf;
struct mount;
struct msg;
struct msqid_kernel;
struct pipe;
struct pseminfo;
struct pshminfo;
struct sbuf;
struct semid_kernel;
struct shmid_kernel;
struct socket;
struct sockopt;
struct task;
struct thread;
struct tty;
struct ucred;
struct vfs_attr;
struct vnode;
/** @struct dummy */
#ifndef _KAUTH_CRED_T
#define _KAUTH_CRED_T
typedef struct ucred *kauth_cred_t;
#endif /* !_KAUTH_CRED_T */
#ifndef __IOKIT_PORTS_DEFINED__
#define __IOKIT_PORTS_DEFINED__
#ifdef __cplusplus
class OSObject;
typedef OSObject *io_object_t;
#else
struct OSObject;
typedef struct OSObject *io_object_t;
#endif
#endif /* __IOKIT_PORTS_DEFINED__ */
/*-
* MAC entry points are generally named using the following template:
*
* mpo__()
*
* or:
*
* mpo__check_()
*
* Entry points are sorted by object type.
*
* It may be desirable also to consider some subsystems as "objects", such
* as system, iokit, etc.
*/
/**
@name Entry Points for Label Management
These are the entry points corresponding to the life cycle events for
kernel objects, such as initialization, creation, and destruction.
Most policies (that use labels) will initialize labels by allocating
space for policy-specific data. In most cases, it is permitted to
sleep during label initialization operations; it will be noted when
it is not permitted.
Initialization usually will not require doing more than allocating a
generic label for the given object. What follows initialization is
creation, where a label is made specific to the object it is associated
with. Destruction occurs when the label is no longer needed, such as
when the corresponding object is destroyed. All necessary cleanup should
be performed in label destroy operations.
Where possible, the label entry points have identical parameters. If
the policy module does not require structure-specific label
information, the same function may be registered in the policy
operation vector. Many policies will implement two such generic
allocation calls: one to handle sleepable requests, and one to handle
potentially non-sleepable requests.
*/
/**
@brief Audit event postselection
@param cred Subject credential
@param syscode Syscall number
@param args Syscall arguments
@param error Syscall errno
@param retval Syscall return value
This is the MAC Framework audit postselect, which is called before
exiting a syscall to determine if an audit event should be committed.
A return value of MAC_AUDIT_NO forces the audit record to be suppressed.
Any other return value results in the audit record being committed.
@warning The suppression behavior will probably go away in Apple's
future version of the audit implementation.
@return Return MAC_AUDIT_NO to force suppression of the audit record.
Any other value results in the audit record being committed.
*/
typedef int mpo_audit_check_postselect_t(
kauth_cred_t cred,
unsigned short syscode,
void *args,
int error,
int retval
);
/**
@brief Audit event preselection
@param cred Subject credential
@param syscode Syscall number
@param args Syscall arguments
This is the MAC Framework audit preselect, which is called before a
syscall is entered to determine if an audit event should be created.
If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be
returned. A return value of MAC_AUDIT_NO causes the audit record to
be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants
to defer to the system's existing preselection mechanism.
When policies return different preferences, the Framework decides what action
to take based on the following policy. If any policy returns MAC_AUDIT_YES,
then create an audit record, else if any policy returns MAC_AUDIT_NO, then
suppress the creations of an audit record, else defer to the system's
existing preselection mechanism.
@warning The audit implementation in Apple's current version is
incomplete, so the MAC policies have priority over the system's existing
mechanisms. This will probably change in the future version where
the audit implementation is more complete.
@return Return MAC_AUDIT_YES to force auditing of the syscall,
MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT
to allow auditing mechanisms to determine if the syscall is audited.
*/
typedef int mpo_audit_check_preselect_t(
kauth_cred_t cred,
unsigned short syscode,
void *args
);
/**
@brief Initialize BPF descriptor label
@param label New label to initialize
Initialize the label for a newly instantiated BPF descriptor.
Sleeping is permitted.
*/
typedef void mpo_bpfdesc_label_init_t(
struct label *label
);
/**
@brief Destroy BPF descriptor label
@param label The label to be destroyed
Destroy a BPF descriptor label. Since the BPF descriptor
is going out of scope, policy modules should free any internal
storage associated with the label so that it may be destroyed.
*/
typedef void mpo_bpfdesc_label_destroy_t(
struct label *label
);
/**
@brief Associate a BPF descriptor with a label
@param cred User credential creating the BPF descriptor
@param bpf_d The BPF descriptor
@param bpflabel The new label
Set the label on a newly created BPF descriptor from the passed
subject credential. This call will be made when a BPF device node
is opened by a process with the passed subject credential.
*/
typedef void mpo_bpfdesc_label_associate_t(
kauth_cred_t cred,
struct bpf_d *bpf_d,
struct label *bpflabel
);
/**
@brief Check whether BPF can read from a network interface
@param bpf_d Subject; the BPF descriptor
@param bpflabel Policy label for bpf_d
@param ifp Object; the network interface
@param ifnetlabel Policy label for ifp
Determine whether the MAC framework should permit datagrams from
the passed network interface to be delivered to the buffers of
the passed BPF descriptor. Return (0) for success, or an errno
value for failure. Suggested failure: EACCES for label mismatches,
EPERM for lack of privilege.
*/
typedef int mpo_bpfdesc_check_receive_t(
struct bpf_d *bpf_d,
struct label *bpflabel,
struct ifnet *ifp,
struct label *ifnetlabel
);
/**
@brief Indicate desire to change the process label at exec time
@param old Existing subject credential
@param vp File being executed
@param offset Offset of binary within file being executed
@param scriptvp Script being executed by interpreter, if any.
@param vnodelabel Label corresponding to vp
@param scriptvnodelabel Script vnode label
@param execlabel Userspace provided execution label
@param p Object process
@param macpolicyattr MAC policy-specific spawn attribute data
@param macpolicyattrlen Length of policy-specific spawn attribute data
@see mac_execve
@see mpo_cred_label_update_execve_t
@see mpo_vnode_check_exec_t
Indicate whether this policy intends to update the label of a newly
created credential from the existing subject credential (old). This
call occurs when a process executes the passed vnode. If a policy
returns success from this entry point, the mpo_cred_label_update_execve
entry point will later be called with the same parameters. Access
has already been checked via the mpo_vnode_check_exec entry point,
this entry point is necessary to preserve kernel locking constraints
during program execution.
The supplied vnode and vnodelabel correspond with the file actually
being executed; in the case that the file is interpreted (for
example, a script), the label of the original exec-time vnode has
been preserved in scriptvnodelabel.
The final label, execlabel, corresponds to a label supplied by a
user space application through the use of the mac_execve system call.
The vnode lock is held during this operation. No changes should be
made to the old credential structure.
@warning Even if a policy returns 0, it should behave correctly in
the presence of an invocation of mpo_cred_label_update_execve, as that
call may happen as a result of another policy requesting a transition.
@return Non-zero if a transition is required, 0 otherwise.
*/
typedef int mpo_cred_check_label_update_execve_t(
kauth_cred_t old,
struct vnode *vp,
off_t offset,
struct vnode *scriptvp,
struct label *vnodelabel,
struct label *scriptvnodelabel,
struct label *execlabel,
struct proc *p,
void *macpolicyattr,
size_t macpolicyattrlen
);
/**
@brief Access control check for relabelling processes
@param cred Subject credential
@param newlabel New label to apply to the user credential
@see mpo_cred_label_update_t
@see mac_set_proc
Determine whether the subject identified by the credential can relabel
itself to the supplied new label (newlabel). This access control check
is called when the mac_set_proc system call is invoked. A user space
application will supply a new value, the value will be internalized
and provided in newlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_cred_check_label_update_t(
kauth_cred_t cred,
struct label *newlabel
);
/**
@brief Access control check for visibility of other subjects
@param u1 Subject credential
@param u2 Object credential
Determine whether the subject identified by the credential u1 can
"see" other subjects with the passed subject credential u2. This call
may be made in a number of situations, including inter-process status
sysctls used by ps, and in procfs lookups.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
EPERM for lack of privilege, or ESRCH to hide visibility.
*/
typedef int mpo_cred_check_visible_t(
kauth_cred_t u1,
kauth_cred_t u2
);
/**
@brief Associate a credential with a new process at fork
@param cred credential to inherited by new process
@param proc the new process
Allow a process to associate the credential with a new
process for reference countng purposes.
NOTE: the credential can be dis-associated in ways other
than exit - so this strategy is flawed - should just
catch label destroy callback.
*/
typedef void mpo_cred_label_associate_fork_t(
kauth_cred_t cred,
proc_t proc
);
/**
@brief Create the first process
@param cred Subject credential to be labeled
Create the subject credential of process 0, the parent of all BSD
kernel processes. Policies should update the label in the
previously initialized credential structure.
*/
typedef void mpo_cred_label_associate_kernel_t(
kauth_cred_t cred
);
/**
@brief Create a credential label
@param parent_cred Parent credential
@param child_cred Child credential
Set the label of a newly created credential, most likely using the
information in the supplied parent credential.
@warning This call is made when crcopy or crdup is invoked on a
newly created struct ucred, and should not be confused with a
process fork or creation event.
*/
typedef void mpo_cred_label_associate_t(
kauth_cred_t parent_cred,
kauth_cred_t child_cred
);
/**
@brief Create the first process
@param cred Subject credential to be labeled
Create the subject credential of process 1, the parent of all BSD
user processes. Policies should update the label in the previously
initialized credential structure. This is the 'init' process.
*/
typedef void mpo_cred_label_associate_user_t(
kauth_cred_t cred
);
/**
@brief Destroy credential label
@param label The label to be destroyed
Destroy a user credential label. Since the user credential
is going out of scope, policy modules should free any internal
storage associated with the label so that it may be destroyed.
*/
typedef void mpo_cred_label_destroy_t(
struct label *label
);
/**
@brief Externalize a user credential label for auditing
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on a user credential for
inclusion in an audit record. An externalized label consists of a text
representation of the label contents that will be added to the audit record
as part of a text token. Policy-agnostic user space tools will display
this externalized version.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/
typedef int mpo_cred_label_externalize_audit_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Externalize a user credential label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on a user
credential. An externalized label consists of a text representation
of the label contents that can be used with user applications.
Policy-agnostic user space tools will display this externalized
version.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/
typedef int mpo_cred_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize user credential label
@param label New label to initialize
Initialize the label for a newly instantiated user credential.
Sleeping is permitted.
*/
typedef void mpo_cred_label_init_t(
struct label *label
);
/**
@brief Internalize a user credential label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce a user credential label from an external representation. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will forward text version to the kernel for
processing by individual policy modules.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, Otherwise, return non-zero if an error occurs
while internalizing the label data.
*/
typedef int mpo_cred_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Update credential at exec time
@param old_cred Existing subject credential
@param new_cred New subject credential to be labeled
@param p Object process.
@param vp File being executed
@param offset Offset of binary within file being executed
@param scriptvp Script being executed by interpreter, if any.
@param vnodelabel Label corresponding to vp
@param scriptvnodelabel Script vnode label
@param execlabel Userspace provided execution label
@param csflags Code signing flags to be set after exec
@param macpolicyattr MAC policy-specific spawn attribute data.
@param macpolicyattrlen Length of policy-specific spawn attribute data.
@see mac_execve
@see mpo_cred_check_label_update_execve_t
@see mpo_vnode_check_exec_t
Update the label of a newly created credential (new) from the
existing subject credential (old). This call occurs when a process
executes the passed vnode and one of the loaded policy modules has
returned success from the mpo_cred_check_label_update_execve entry point.
Access has already been checked via the mpo_vnode_check_exec entry
point, this entry point is only used to update any policy state.
The supplied vnode and vnodelabel correspond with the file actually
being executed; in the case that the file is interpreted (for
example, a script), the label of the original exec-time vnode has
been preserved in scriptvnodelabel.
The final label, execlabel, corresponds to a label supplied by a
user space application through the use of the mac_execve system call.
If non-NULL, the value pointed to by disjointp will be set to 0 to
indicate that the old and new credentials are not disjoint, or 1 to
indicate that they are.
The vnode lock is held during this operation. No changes should be
made to the old credential structure.
@return 0 on success, Otherwise, return non-zero if update results in
termination of child.
*/
typedef int mpo_cred_label_update_execve_t(
kauth_cred_t old_cred,
kauth_cred_t new_cred,
struct proc *p,
struct vnode *vp,
off_t offset,
struct vnode *scriptvp,
struct label *vnodelabel,
struct label *scriptvnodelabel,
struct label *execlabel,
u_int *csflags,
void *macpolicyattr,
size_t macpolicyattrlen,
int *disjointp
);
/**
@brief Update a credential label
@param cred The existing credential
@param newlabel A new label to apply to the credential
@see mpo_cred_check_label_update_t
@see mac_set_proc
Update the label on a user credential, using the supplied new label.
This is called as a result of a process relabel operation. Access
control was already confirmed by mpo_cred_check_label_update.
*/
typedef void mpo_cred_label_update_t(
kauth_cred_t cred,
struct label *newlabel
);
/**
@brief Create a new devfs device
@param dev Major and minor numbers of special file
@param de "inode" of new device file
@param label Destination label
@param fullpath Path relative to mount (e.g. /dev) of new device file
This entry point labels a new devfs device. The label will likely be based
on the path to the device, or the major and minor numbers.
The policy should store an appropriate label into 'label'.
*/
typedef void mpo_devfs_label_associate_device_t(
dev_t dev,
struct devnode *de,
struct label *label,
const char *fullpath
);
/**
@brief Create a new devfs directory
@param dirname Name of new directory
@param dirnamelen Length of 'dirname'
@param de "inode" of new directory
@param label Destination label
@param fullpath Path relative to mount (e.g. /dev) of new directory
This entry point labels a new devfs directory. The label will likely be
based on the path of the new directory. The policy should store an appropriate
label into 'label'. The devfs root directory is labelled in this way.
*/
typedef void mpo_devfs_label_associate_directory_t(
const char *dirname,
int dirnamelen,
struct devnode *de,
struct label *label,
const char *fullpath
);
/**
@brief Copy a devfs label
@param src Source devfs label
@param dest Destination devfs label
Copy the label information from src to dest. The devfs file system
often duplicates (splits) existing device nodes rather than creating
new ones.
*/
typedef void mpo_devfs_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy devfs label
@param label The label to be destroyed
Destroy a devfs entry label. Since the object is going out
of scope, policy modules should free any internal storage associated
with the label so that it may be destroyed.
*/
typedef void mpo_devfs_label_destroy_t(
struct label *label
);
/**
@brief Initialize devfs label
@param label New label to initialize
Initialize the label for a newly instantiated devfs entry. Sleeping
is permitted.
*/
typedef void mpo_devfs_label_init_t(
struct label *label
);
/**
@brief Update a devfs label after relabelling its vnode
@param mp Devfs mount point
@param de Affected devfs directory entry
@param delabel Label of devfs directory entry
@param vp Vnode associated with de
@param vnodelabel New label of vnode
Update a devfs label when its vnode is manually relabelled,
for example with setfmac(1). Typically, this will simply copy
the vnode label into the devfs label.
*/
typedef void mpo_devfs_label_update_t(
struct mount *mp,
struct devnode *de,
struct label *delabel,
struct vnode *vp,
struct label *vnodelabel
);
/**
@brief Access control for sending an exception to an exception action
@param crashlabel The crashing process's label
@param action Exception action
@param exclabel Policy label for exception action
Determine whether the the exception message caused by the victim
process can be sent to the exception action.
@return Return 0 if the message can be sent, otherwise an
appropriate value for errno should be returned.
*/
typedef int mpo_exc_action_check_exception_send_t(
struct label *crashlabel,
struct exception_action *action,
struct label *exclabel
);
/**
@brief Create an exception action label
@param action Exception action to label
@param exclabel Policy label to be filled in for exception action
Set the label on an exception action.
*/
typedef void mpo_exc_action_label_associate_t(
struct exception_action *action,
struct label *exclabel
);
/**
@brief Copy an exception action label
@param src Source exception action label
@param dest Destination exception action label
Copy the label information from src to dest.
Exception actions are often inherited, e.g. from parent to child.
In that case, the labels are copied instead of created fresh.
*/
typedef void mpo_exc_action_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy exception action label
@param label The label to be destroyed
Destroy the label on an exception action. In this entry point, a
policy module should free any internal storage associated with
label so that it may be destroyed.
*/
typedef void mpo_exc_action_label_destroy_t(
struct label *label
);
/**
@brief Initialize exception action label
@param label New label to initialize
Initialize a label for an exception action.
*/
typedef int mpo_exc_action_label_init_t(
struct label *label
);
/**
@brief Update the label on an exception action
@param p Process to update the label from
@param exclabel Policy label to be updated for exception action
Update the credentials of an exception action with the given task.
*/
typedef void mpo_exc_action_label_update_t(
struct proc *p,
struct label *exclabel
);
/**
@brief Access control for changing the offset of a file descriptor
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
Determine whether the subject identified by the credential can
change the offset of the file represented by fg.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_file_check_change_offset_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label
);
/**
@brief Access control for creating a file descriptor
@param cred Subject credential
Determine whether the subject identified by the credential can
allocate a new file descriptor.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_file_check_create_t(
kauth_cred_t cred
);
/**
@brief Access control for duplicating a file descriptor
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
@param newfd New file descriptor number
Determine whether the subject identified by the credential can
duplicate the fileglob structure represented by fg and as file
descriptor number newfd.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_file_check_dup_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label,
int newfd
);
/**
@brief Access control check for fcntl
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
@param cmd Control operation to be performed; see fcntl(2)
@param arg fcnt arguments; see fcntl(2)
Determine whether the subject identified by the credential can perform
the file control operation indicated by cmd.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_file_check_fcntl_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label,
int cmd,
user_long_t arg
);
/**
@brief Access control check for mac_get_fd
@param cred Subject credential
@param fg Fileglob structure
@param elements Element buffer
@param len Length of buffer
Determine whether the subject identified by the credential should be allowed
to get an externalized version of the label on the object indicated by fd.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_file_check_get_t(
kauth_cred_t cred,
struct fileglob *fg,
char *elements,
int len
);
/**
@brief Access control for getting the offset of a file descriptor
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
Determine whether the subject identified by the credential can
get the offset of the file represented by fg.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_file_check_get_offset_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label
);
/**
@brief Access control for inheriting a file descriptor
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
Determine whether the subject identified by the credential can
inherit the fileglob structure represented by fg.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_file_check_inherit_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label
);
/**
@brief Access control check for file ioctl
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
@param cmd The ioctl command; see ioctl(2)
Determine whether the subject identified by the credential can perform
the ioctl operation indicated by cmd.
@warning Since ioctl data is opaque from the standpoint of the MAC
framework, policies must exercise extreme care when implementing
access control checks.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_file_check_ioctl_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label,
unsigned int cmd
);
/**
@brief Access control check for file locking
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
@param op The lock operation (F_GETLK, F_SETLK, F_UNLK)
@param fl The flock structure
Determine whether the subject identified by the credential can perform
the lock operation indicated by op and fl on the file represented by fg.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_file_check_lock_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label,
int op,
struct flock *fl
);
/**
@brief Check with library validation if a macho slice is allowed to be combined into a proc.
@param p Subject process
@param fg Fileglob structure
@param slice_offset offset of the code slice
@param error_message error message returned to user-space in case of error (userspace pointer)
@param error_message_size error message size
Its a little odd that the MAC/kext writes into userspace since this
implies there is only one MAC module that implements this, however
the alterantive is to allocate memory in xnu, on the hope that
the MAC module will use it, or allocated in the MAC module and then
free it in xnu. Either of these are very appeling, so lets go with
the slightly more hacky way.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_file_check_library_validation_t(
struct proc *p,
struct fileglob *fg,
off_t slice_offset,
user_long_t error_message,
size_t error_message_size
);
/**
@brief Access control check for mapping a file
@param cred Subject credential
@param fg fileglob representing file to map
@param label Policy label associated with vp
@param prot mmap protections; see mmap(2)
@param flags Type of mapped object; see mmap(2)
@param maxprot Maximum rights
Determine whether the subject identified by the credential should be
allowed to map the file represented by fg with the protections specified
in prot. The maxprot field holds the maximum permissions on the new
mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE.
To avoid overriding prior access control checks, a policy should only
remove flags from maxprot.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_file_check_mmap_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label,
int prot,
int flags,
uint64_t file_pos,
int *maxprot
);
/**
@brief Downgrade the mmap protections
@param cred Subject credential
@param fg file to map
@param label Policy label associated with vp
@param prot mmap protections to be downgraded
Downgrade the mmap protections based on the subject and object labels.
*/
typedef void mpo_file_check_mmap_downgrade_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label,
int *prot
);
/**
@brief Access control for receiving a file descriptor
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
Determine whether the subject identified by the credential can
receive the fileglob structure represented by fg.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_file_check_receive_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label
);
/**
@brief Access control check for mac_set_fd
@param cred Subject credential
@param fg Fileglob structure
@param elements Elements buffer
@param len Length of elements buffer
Determine whether the subject identified by the credential can
perform the mac_set_fd operation. The mac_set_fd operation is used
to associate a MAC label with a file.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_file_check_set_t(
kauth_cred_t cred,
struct fileglob *fg,
char *elements,
int len
);
/**
@brief Create file label
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
*/
typedef void mpo_file_label_associate_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label
);
/**
@brief Destroy file label
@param label The label to be destroyed
Destroy the label on a file descriptor. In this entry point, a
policy module should free any internal storage associated with
label so that it may be destroyed.
*/
typedef void mpo_file_label_destroy_t(
struct label *label
);
/**
@brief Initialize file label
@param label New label to initialize
*/
typedef void mpo_file_label_init_t(
struct label *label
);
/**
@brief Access control check for relabeling network interfaces
@param cred Subject credential
@param ifp network interface being relabeled
@param ifnetlabel Current label of the network interfaces
@param newlabel New label to apply to the network interfaces
@see mpo_ifnet_label_update_t
Determine whether the subject identified by the credential can
relabel the network interface represented by ifp to the supplied
new label (newlabel).
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_ifnet_check_label_update_t(
kauth_cred_t cred,
struct ifnet *ifp,
struct label *ifnetlabel,
struct label *newlabel
);
/**
@brief Access control check for relabeling network interfaces
@param ifp Network interface mbuf will be transmitted through
@param ifnetlabel Label of the network interfaces
@param m The mbuf to be transmitted
@param mbuflabel Label of the mbuf to be transmitted
@param family Address Family, AF_*
@param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
Determine whether the mbuf with label mbuflabel may be transmitted
through the network interface represented by ifp that has the
label ifnetlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_ifnet_check_transmit_t(
struct ifnet *ifp,
struct label *ifnetlabel,
struct mbuf *m,
struct label *mbuflabel,
int family,
int type
);
/**
@brief Create a network interface label
@param ifp Network interface labeled
@param ifnetlabel Label for the network interface
Set the label of a newly created network interface, most likely
using the information in the supplied network interface struct.
*/
typedef void mpo_ifnet_label_associate_t(
struct ifnet *ifp,
struct label *ifnetlabel
);
/**
@brief Copy an ifnet label
@param src Source ifnet label
@param dest Destination ifnet label
Copy the label information from src to dest.
*/
typedef void mpo_ifnet_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy ifnet label
@param label The label to be destroyed
Destroy the label on an ifnet label. In this entry point, a
policy module should free any internal storage associated with
label so that it may be destroyed.
*/
typedef void mpo_ifnet_label_destroy_t(
struct label *label
);
/**
@brief Externalize an ifnet label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on an interface.
An externalized label consists of a text representation of the
label contents that can be used with user applications.
Policy-agnostic user space tools will display this externalized
version.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/
typedef int mpo_ifnet_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize ifnet label
@param label New label to initialize
*/
typedef void mpo_ifnet_label_init_t(
struct label *label
);
/**
@brief Internalize an interface label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce an interface label from an external representation. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will forward text version to the kernel for
processing by individual policy modules.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, Otherwise, return non-zero if an error occurs
while internalizing the label data.
*/
typedef int mpo_ifnet_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Recycle up a network interface label
@param label The label to be recycled
Recycle a network interface label. Darwin caches the struct ifnet
of detached ifnets in a "free pool". Before ifnets are returned
to the "free pool", policies can cleanup or overwrite any information
present in the label.
*/
typedef void mpo_ifnet_label_recycle_t(
struct label *label
);
/**
@brief Update a network interface label
@param cred Subject credential
@param ifp The network interface to be relabeled
@param ifnetlabel The current label of the network interface
@param newlabel A new label to apply to the network interface
@see mpo_ifnet_check_label_update_t
Update the label on a network interface, using the supplied new label.
*/
typedef void mpo_ifnet_label_update_t(
kauth_cred_t cred,
struct ifnet *ifp,
struct label *ifnetlabel,
struct label *newlabel
);
/**
@brief Access control check for delivering a packet to a socket
@param inp inpcb the socket is associated with
@param inplabel Label of the inpcb
@param m The mbuf being received
@param mbuflabel Label of the mbuf being received
@param family Address family, AF_*
@param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
Determine whether the mbuf with label mbuflabel may be received
by the socket associated with inpcb that has the label inplabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_inpcb_check_deliver_t(
struct inpcb *inp,
struct label *inplabel,
struct mbuf *m,
struct label *mbuflabel,
int family,
int type
);
/**
@brief Create an inpcb label
@param so Socket containing the inpcb to be labeled
@param solabel Label of the socket
@param inp inpcb to be labeled
@param inplabel Label for the inpcb
Set the label of a newly created inpcb, most likely
using the information in the socket and/or socket label.
*/
typedef void mpo_inpcb_label_associate_t(
struct socket *so,
struct label *solabel,
struct inpcb *inp,
struct label *inplabel
);
/**
@brief Destroy inpcb label
@param label The label to be destroyed
Destroy the label on an inpcb label. In this entry point, a
policy module should free any internal storage associated with
label so that it may be destroyed.
*/
typedef void mpo_inpcb_label_destroy_t(
struct label *label
);
/**
@brief Initialize inpcb label
@param label New label to initialize
@param flag M_WAITOK or M_NOWAIT
*/
typedef int mpo_inpcb_label_init_t(
struct label *label,
int flag
);
/**
@brief Recycle up an inpcb label
@param label The label to be recycled
Recycle an inpcb label. Darwin allocates the inpcb as part of
the socket structure in some cases. For this case we must recycle
rather than destroy the inpcb as it will be reused later.
*/
typedef void mpo_inpcb_label_recycle_t(
struct label *label
);
/**
@brief Update an inpcb label from a socket label
@param so Socket containing the inpcb to be relabeled
@param solabel New label of the socket
@param inp inpcb to be labeled
@param inplabel Label for the inpcb
Set the label of a newly created inpcb due to a change in the
underlying socket label.
*/
typedef void mpo_inpcb_label_update_t(
struct socket *so,
struct label *solabel,
struct inpcb *inp,
struct label *inplabel
);
/**
@brief Device hardware access control
@param devtype Type of device connected
This is the MAC Framework device access control, which is called by the I/O
Kit when a new device is connected to the system to determine whether that
device should be trusted. A list of properties associated with the device
is passed as an XML-formatted string. The routine should examine these
properties to determine the trustworthiness of the device. A return value
of EPERM forces the device to be claimed by a special device driver that
will prevent its operation.
@warning This is an experimental interface and may change in the future.
@return Return EPERM to indicate that the device is untrusted and should
not be allowed to operate. Return zero to indicate that the device is
trusted and should be allowed to operate normally.
*/
typedef int mpo_iokit_check_device_t(
char *devtype,
struct mac_module_data *mdata
);
/**
@brief Access control check for opening an I/O Kit device
@param cred Subject credential
@param user_client User client instance
@param user_client_type User client type
Determine whether the subject identified by the credential can open an
I/O Kit device at the passed path of the passed user client class and
type.
@return Return 0 if access is granted, or an appropriate value for
errno should be returned.
*/
typedef int mpo_iokit_check_open_t(
kauth_cred_t cred,
io_object_t user_client,
unsigned int user_client_type
);
/**
@brief Access control check for setting I/O Kit device properties
@param cred Subject credential
@param entry Target device
@param properties Property list
Determine whether the subject identified by the credential can set
properties on an I/O Kit device.
@return Return 0 if access is granted, or an appropriate value for
errno should be returned.
*/
typedef int mpo_iokit_check_set_properties_t(
kauth_cred_t cred,
io_object_t entry,
io_object_t properties
);
/**
@brief Indicate desire to filter I/O Kit devices properties
@param cred Subject credential
@param entry Target device
@see mpo_iokit_check_get_property_t
Indicate whether this policy may restrict the subject credential
from reading properties of the target device.
If a policy returns success from this entry point, the
mpo_iokit_check_get_property entry point will later be called
for each property that the subject credential tries to read from
the target device.
This entry point is primarilly to optimize bulk property reads
by skipping calls to the mpo_iokit_check_get_property entry point
for credentials / devices no MAC policy is interested in.
@warning Even if a policy returns 0, it should behave correctly in
the presence of an invocation of mpo_iokit_check_get_property, as that
call may happen as a result of another policy requesting a transition.
@return Non-zero if a transition is required, 0 otherwise.
*/
typedef int mpo_iokit_check_filter_properties_t(
kauth_cred_t cred,
io_object_t entry
);
/**
@brief Access control check for getting I/O Kit device properties
@param cred Subject credential
@param entry Target device
@param name Property name
Determine whether the subject identified by the credential can get
properties on an I/O Kit device.
@return Return 0 if access is granted, or an appropriate value for
errno.
*/
typedef int mpo_iokit_check_get_property_t(
kauth_cred_t cred,
io_object_t entry,
const char *name
);
/**
@brief Access control check for software HID control
@param cred Subject credential
Determine whether the subject identified by the credential can
control the HID (Human Interface Device) subsystem, such as to
post synthetic keypresses, pointer movement and clicks.
@return Return 0 if access is granted, or an appropriate value for
errno.
*/
typedef int mpo_iokit_check_hid_control_t(
kauth_cred_t cred
);
/**
@brief Create an IP reassembly queue label
@param fragment First received IP fragment
@param fragmentlabel Policy label for fragment
@param ipq IP reassembly queue to be labeled
@param ipqlabel Policy label to be filled in for ipq
Set the label on a newly created IP reassembly queue from
the mbuf header of the first received fragment.
*/
typedef void mpo_ipq_label_associate_t(
struct mbuf *fragment,
struct label *fragmentlabel,
struct ipq *ipq,
struct label *ipqlabel
);
/**
@brief Compare an mbuf header label to an ipq label
@param fragment IP datagram fragment
@param fragmentlabel Policy label for fragment
@param ipq IP fragment reassembly queue
@param ipqlabel Policy label for ipq
Compare the label of the mbuf header containing an IP datagram
(fragment) fragment with the label of the passed IP fragment
reassembly queue (ipq). Return (1) for a successful match, or (0)
for no match. This call is made when the IP stack attempts to
find an existing fragment reassembly queue for a newly received
fragment; if this fails, a new fragment reassembly queue may be
instantiated for the fragment. Policies may use this entry point
to prevent the reassembly of otherwise matching IP fragments if
policy does not permit them to be reassembled based on the label
or other information.
*/
typedef int mpo_ipq_label_compare_t(
struct mbuf *fragment,
struct label *fragmentlabel,
struct ipq *ipq,
struct label *ipqlabel
);
/**
@brief Destroy IP reassembly queue label
@param label The label to be destroyed
Destroy the label on an IP fragment queue. In this entry point, a
policy module should free any internal storage associated with
label so that it may be destroyed.
*/
typedef void mpo_ipq_label_destroy_t(
struct label *label
);
/**
@brief Initialize IP reassembly queue label
@param label New label to initialize
@param flag M_WAITOK or M_NOWAIT
Initialize the label on a newly instantiated IP fragment reassembly
queue. The flag field may be one of M_WAITOK and M_NOWAIT, and
should be employed to avoid performing a sleeping malloc(9) during
this initialization call. IP fragment reassembly queue allocation
frequently occurs in performance sensitive environments, and the
implementation should be careful to avoid sleeping or long-lived
operations. This entry point is permitted to fail resulting in
the failure to allocate the IP fragment reassembly queue.
*/
typedef int mpo_ipq_label_init_t(
struct label *label,
int flag
);
/**
@brief Update the label on an IP fragment reassembly queue
@param fragment IP fragment
@param fragmentlabel Policy label for fragment
@param ipq IP fragment reassembly queue
@param ipqlabel Policy label to be updated for ipq
Update the label on an IP fragment reassembly queue (ipq) based
on the acceptance of the passed IP fragment mbuf header (fragment).
*/
typedef void mpo_ipq_label_update_t(
struct mbuf *fragment,
struct label *fragmentlabel,
struct ipq *ipq,
struct label *ipqlabel
);
/**
@brief Assign a label to a new mbuf
@param bpf_d BPF descriptor
@param b_label Policy label for bpf_d
@param m Object; mbuf
@param m_label Policy label to fill in for m
Set the label on the mbuf header of a newly created datagram
generated using the passed BPF descriptor. This call is made when
a write is performed to the BPF device associated with the passed
BPF descriptor.
*/
typedef void mpo_mbuf_label_associate_bpfdesc_t(
struct bpf_d *bpf_d,
struct label *b_label,
struct mbuf *m,
struct label *m_label
);
/**
@brief Assign a label to a new mbuf
@param ifp Interface descriptor
@param i_label Existing label of ifp
@param m Object; mbuf
@param m_label Policy label to fill in for m
Label an mbuf based on the interface from which it was received.
*/
typedef void mpo_mbuf_label_associate_ifnet_t(
struct ifnet *ifp,
struct label *i_label,
struct mbuf *m,
struct label *m_label
);
/**
@brief Assign a label to a new mbuf
@param inp inpcb structure
@param i_label Existing label of inp
@param m Object; mbuf
@param m_label Policy label to fill in for m
Label an mbuf based on the inpcb from which it was derived.
*/
typedef void mpo_mbuf_label_associate_inpcb_t(
struct inpcb *inp,
struct label *i_label,
struct mbuf *m,
struct label *m_label
);
/**
@brief Set the label on a newly reassembled IP datagram
@param ipq IP fragment reassembly queue
@param ipqlabel Policy label for ipq
@param mbuf IP datagram to be labeled
@param mbuflabel Policy label to be filled in for mbuf
Set the label on a newly reassembled IP datagram (mbuf) from the IP
fragment reassembly queue (ipq) from which it was generated.
*/
typedef void mpo_mbuf_label_associate_ipq_t(
struct ipq *ipq,
struct label *ipqlabel,
struct mbuf *mbuf,
struct label *mbuflabel
);
/**
@brief Assign a label to a new mbuf
@param ifp Subject; network interface
@param i_label Existing label of ifp
@param m Object; mbuf
@param m_label Policy label to fill in for m
Set the label on the mbuf header of a newly created datagram
generated for the purposes of a link layer response for the passed
interface. This call may be made in a number of situations, including
for ARP or ND6 responses in the IPv4 and IPv6 stacks.
*/
typedef void mpo_mbuf_label_associate_linklayer_t(
struct ifnet *ifp,
struct label *i_label,
struct mbuf *m,
struct label *m_label
);
/**
@brief Assign a label to a new mbuf
@param oldmbuf mbuf headerder for existing datagram for existing datagram
@param oldmbuflabel Policy label for oldmbuf
@param ifp Network interface
@param ifplabel Policy label for ifp
@param newmbuf mbuf header to be labeled for new datagram
@param newmbuflabel Policy label for newmbuf
Set the label on the mbuf header of a newly created datagram
generated from the existing passed datagram when it is processed
by the passed multicast encapsulation interface. This call is made
when an mbuf is to be delivered using the virtual interface.
*/
typedef void mpo_mbuf_label_associate_multicast_encap_t(
struct mbuf *oldmbuf,
struct label *oldmbuflabel,
struct ifnet *ifp,
struct label *ifplabel,
struct mbuf *newmbuf,
struct label *newmbuflabel
);
/**
@brief Assign a label to a new mbuf
@param oldmbuf Received datagram
@param oldmbuflabel Policy label for oldmbuf
@param newmbuf Newly created datagram
@param newmbuflabel Policy label for newmbuf
Set the label on the mbuf header of a newly created datagram generated
by the IP stack in response to an existing received datagram (oldmbuf).
This call may be made in a number of situations, including when responding
to ICMP request datagrams.
*/
typedef void mpo_mbuf_label_associate_netlayer_t(
struct mbuf *oldmbuf,
struct label *oldmbuflabel,
struct mbuf *newmbuf,
struct label *newmbuflabel
);
/**
@brief Assign a label to a new mbuf
@param so Socket to label
@param so_label Policy label for socket
@param m Object; mbuf
@param m_label Policy label to fill in for m
An mbuf structure is used to store network traffic in transit.
When an application sends data to a socket or a pipe, it is wrapped
in an mbuf first. This function sets the label on a newly created mbuf header
based on the socket sending the data. The contents of the label should be
suitable for performing an access check on the receiving side of the
communication.
Only labeled MBUFs will be presented to the policy via this entrypoint.
*/
typedef void mpo_mbuf_label_associate_socket_t(
socket_t so,
struct label *so_label,
struct mbuf *m,
struct label *m_label
);
/**
@brief Copy a mbuf label
@param src Source label
@param dest Destination label
Copy the mbuf label information in src into dest.
Only called when both source and destination mbufs have labels.
*/
typedef void mpo_mbuf_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy mbuf label
@param label The label to be destroyed
Destroy a mbuf label. Since the
object is going out of scope, policy modules should free any
internal storage associated with the label so that it may be
destroyed.
*/
typedef void mpo_mbuf_label_destroy_t(
struct label *label
);
/**
@brief Initialize mbuf label
@param label New label to initialize
@param flag Malloc flags
Initialize the label for a newly instantiated mbuf.
@warning Since it is possible for the flags to be set to
M_NOWAIT, the malloc operation may fail.
@return On success, 0, otherwise, an appropriate errno return value.
*/
typedef int mpo_mbuf_label_init_t(
struct label *label,
int flag
);
/**
@brief Access control check for fsctl
@param cred Subject credential
@param mp The mount point
@param label Label associated with the mount point
@param cmd Filesystem-dependent request code; see fsctl(2)
Determine whether the subject identified by the credential can perform
the volume operation indicated by com.
@warning The fsctl() system call is directly analogous to ioctl(); since
the associated data is opaque from the standpoint of the MAC framework
and since these operations can affect many aspects of system operation,
policies must exercise extreme care when implementing access control checks.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_mount_check_fsctl_t(
kauth_cred_t cred,
struct mount *mp,
struct label *label,
unsigned int cmd
);
/**
@brief Access control check for the retrieval of file system attributes
@param cred Subject credential
@param mp The mount structure of the file system
@param vfa The attributes requested
This entry point determines whether given subject can get information
about the given file system. This check happens during statfs() syscalls,
but is also used by other parts within the kernel such as the audit system.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
@note Policies may change the contents of vfa to alter the list of
file system attributes returned.
*/
typedef int mpo_mount_check_getattr_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mp_label,
struct vfs_attr *vfa
);
/**
@brief Access control check for mount point relabeling
@param cred Subject credential
@param mp Object file system mount point
@param mntlabel Policy label for fle system mount point
Determine whether the subject identified by the credential can relabel
the mount point. This call is made when a file system mount is updated.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch
or EPERM for lack of privilege.
*/
typedef int mpo_mount_check_label_update_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mntlabel
);
/**
@brief Access control check for mounting a file system
@param cred Subject credential
@param vp Vnode that is to be the mount point
@param vlabel Label associated with the vnode
@param cnp Component name for vp
@param vfc_name Filesystem type name
Determine whether the subject identified by the credential can perform
the mount operation on the target vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_mount_check_mount_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel,
struct componentname *cnp,
const char *vfc_name
);
/**
@brief Access control check for fs_snapshot_create
@param cred Subject credential
@mp Filesystem mount point to create snapshot of
@name Name of snapshot to create
Determine whether the subject identified by the credential can
create a snapshot of the filesystem at the given mount point.
@return Return 0 if access is granted, otherwise an appropriate value
for errno should be returned.
*/
typedef int mpo_mount_check_snapshot_create_t(
kauth_cred_t cred,
struct mount *mp,
const char *name
);
/**
@brief Access control check for fs_snapshot_delete
@param cred Subject credential
@mp Filesystem mount point to delete snapshot of
@name Name of snapshot to delete
Determine whether the subject identified by the credential can
delete the named snapshot from the filesystem at the given
mount point.
@return Return 0 if access is granted, otherwise an appropriate value
for errno should be returned.
*/
typedef int mpo_mount_check_snapshot_delete_t(
kauth_cred_t cred,
struct mount *mp,
const char *name
);
/**
@brief Access control check for fs_snapshot_revert
@param cred Subject credential
@mp Filesystem mount point to revert to snapshot
@name Name of snapshot to revert to
Determine whether the subject identified by the credential can
revert the filesystem at the given mount point to the named snapshot.
@return Return 0 if access is granted, otherwise an appropriate value
for errno should be returned.
*/
typedef int mpo_mount_check_snapshot_revert_t(
kauth_cred_t cred,
struct mount *mp,
const char *name
);
/**
@brief Access control check remounting a filesystem
@param cred Subject credential
@param mp The mount point
@param mlabel Label currently associated with the mount point
Determine whether the subject identified by the credential can perform
the remount operation on the target vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_mount_check_remount_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mlabel
);
/**
@brief Access control check for the settting of file system attributes
@param cred Subject credential
@param mp The mount structure of the file system
@param vfa The attributes requested
This entry point determines whether given subject can set information
about the given file system, for example the volume name.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_mount_check_setattr_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mp_label,
struct vfs_attr *vfa
);
/**
@brief Access control check for file system statistics
@param cred Subject credential
@param mp Object file system mount
@param mntlabel Policy label for mp
Determine whether the subject identified by the credential can see
the results of a statfs performed on the file system. This call may
be made in a number of situations, including during invocations of
statfs(2) and related calls, as well as to determine what file systems
to exclude from listings of file systems, such as when getfsstat(2)
is invoked.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch
or EPERM for lack of privilege.
*/
typedef int mpo_mount_check_stat_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mntlabel
);
/**
@brief Access control check for unmounting a filesystem
@param cred Subject credential
@param mp The mount point
@param mlabel Label associated with the mount point
Determine whether the subject identified by the credential can perform
the unmount operation on the target vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_mount_check_umount_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mlabel
);
/**
@brief Create mount labels
@param cred Subject credential
@param mp Mount point of file system being mounted
@param mntlabel Label to associate with the new mount point
@see mpo_mount_label_init_t
Fill out the labels on the mount point being created by the supplied
user credential. This call is made when file systems are first mounted.
*/
typedef void mpo_mount_label_associate_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mntlabel
);
/**
@brief Destroy mount label
@param label The label to be destroyed
Destroy a file system mount label. Since the
object is going out of scope, policy modules should free any
internal storage associated with the label so that it may be
destroyed.
*/
typedef void mpo_mount_label_destroy_t(
struct label *label
);
/**
@brief Externalize a mount point label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the mount point label. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will display this externalized version.
The policy's externalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/
typedef int mpo_mount_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize mount point label
@param label New label to initialize
Initialize the label for a newly instantiated mount structure.
This label is typically used to store a default label in the case
that the file system has been mounted singlelabel. Since some
file systems do not support persistent labels (extended attributes)
or are read-only (such as CD-ROMs), it is often necessary to store
a default label separately from the label of the mount point
itself. Sleeping is permitted.
*/
typedef void mpo_mount_label_init_t(
struct label *label
);
/**
@brief Internalize a mount point label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce a mount point file system label from an external representation.
An externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will forward text version to the kernel for
processing by individual policy modules.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, Otherwise, return non-zero if an error occurs
while internalizing the label data.
*/
typedef int mpo_mount_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Set the label on an IPv4 datagram fragment
@param datagram Datagram being fragmented
@param datagramlabel Policy label for datagram
@param fragment New fragment
@param fragmentlabel Policy label for fragment
Called when an IPv4 datagram is fragmented into several smaller datagrams.
Policies implementing mbuf labels will typically copy the label from the
source datagram to the new fragment.
*/
typedef void mpo_netinet_fragment_t(
struct mbuf *datagram,
struct label *datagramlabel,
struct mbuf *fragment,
struct label *fragmentlabel
);
/**
@brief Set the label on an ICMP reply
@param m mbuf containing the ICMP reply
@param mlabel Policy label for m
A policy may wish to update the label of an mbuf that refers to
an ICMP packet being sent in response to an IP packet. This may
be called in response to a bad packet or an ICMP request.
*/
typedef void mpo_netinet_icmp_reply_t(
struct mbuf *m,
struct label *mlabel
);
/**
@brief Set the label on a TCP reply
@param m mbuf containing the TCP reply
@param mlabel Policy label for m
Called for outgoing TCP packets not associated with an actual socket.
*/
typedef void mpo_netinet_tcp_reply_t(
struct mbuf *m,
struct label *mlabel
);
/**
@brief Access control check for pipe ioctl
@param cred Subject credential
@param cpipe Object to be accessed
@param pipelabel The label on the pipe
@param cmd The ioctl command; see ioctl(2)
Determine whether the subject identified by the credential can perform
the ioctl operation indicated by cmd.
@warning Since ioctl data is opaque from the standpoint of the MAC
framework, policies must exercise extreme care when implementing
access control checks.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_pipe_check_ioctl_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel,
unsigned int cmd
);
/**
@brief Access control check for pipe kqfilter
@param cred Subject credential
@param kn Object knote
@param cpipe Object to be accessed
@param pipelabel Policy label for the pipe
Determine whether the subject identified by the credential can
receive the knote on the passed pipe.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_pipe_check_kqfilter_t(
kauth_cred_t cred,
struct knote *kn,
struct pipe *cpipe,
struct label *pipelabel
);
/**
@brief Access control check for pipe relabel
@param cred Subject credential
@param cpipe Object to be accessed
@param pipelabel The current label on the pipe
@param newlabel The new label to be used
Determine whether the subject identified by the credential can
perform a relabel operation on the passed pipe. The cred object holds
the credentials of the subject performing the operation.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_pipe_check_label_update_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel,
struct label *newlabel
);
/**
@brief Access control check for pipe read
@param cred Subject credential
@param cpipe Object to be accessed
@param pipelabel The label on the pipe
Determine whether the subject identified by the credential can
perform a read operation on the passed pipe. The cred object holds
the credentials of the subject performing the operation.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_pipe_check_read_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel
);
/**
@brief Access control check for pipe select
@param cred Subject credential
@param cpipe Object to be accessed
@param pipelabel The label on the pipe
@param which The operation selected on: FREAD or FWRITE
Determine whether the subject identified by the credential can
perform a select operation on the passed pipe. The cred object holds
the credentials of the subject performing the operation.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_pipe_check_select_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel,
int which
);
/**
@brief Access control check for pipe stat
@param cred Subject credential
@param cpipe Object to be accessed
@param pipelabel The label on the pipe
Determine whether the subject identified by the credential can
perform a stat operation on the passed pipe. The cred object holds
the credentials of the subject performing the operation.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_pipe_check_stat_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel
);
/**
@brief Access control check for pipe write
@param cred Subject credential
@param cpipe Object to be accessed
@param pipelabel The label on the pipe
Determine whether the subject identified by the credential can
perform a write operation on the passed pipe. The cred object holds
the credentials of the subject performing the operation.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_pipe_check_write_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel
);
/**
@brief Create a pipe label
@param cred Subject credential
@param cpipe object to be labeled
@param pipelabel Label for the pipe object
Create a label for the pipe object being created by the supplied
user credential. This call is made when the pipe is being created
XXXPIPE(for one or both sides of the pipe?).
*/
typedef void mpo_pipe_label_associate_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel
);
/**
@brief Copy a pipe label
@param src Source pipe label
@param dest Destination pipe label
Copy the pipe label associated with src to dest.
XXXPIPE Describe when this is used: most likely during pipe creation to
copy from rpipe to wpipe.
*/
typedef void mpo_pipe_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy pipe label
@param label The label to be destroyed
Destroy a pipe label. Since the object is going out of scope,
policy modules should free any internal storage associated with the
label so that it may be destroyed.
*/
typedef void mpo_pipe_label_destroy_t(
struct label *label
);
/**
@brief Externalize a pipe label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on a pipe.
An externalized label consists of a text representation
of the label contents that can be used with user applications.
Policy-agnostic user space tools will display this externalized
version.
The policy's externalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/
typedef int mpo_pipe_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize pipe label
@param label New label to initialize
Initialize label storage for use with a newly instantiated pipe object.
Sleeping is permitted.
*/
typedef void mpo_pipe_label_init_t(
struct label *label
);
/**
@brief Internalize a pipe label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce a pipe label from an external representation. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will forward text version to the kernel for
processing by individual policy modules.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, Otherwise, return non-zero if an error occurs
while internalizing the label data.
*/
typedef int mpo_pipe_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Update a pipe label
@param cred Subject credential
@param cpipe Object to be labeled
@param oldlabel Existing pipe label
@param newlabel New label to replace existing label
@see mpo_pipe_check_label_update_t
The subject identified by the credential has previously requested
and was authorized to relabel the pipe; this entry point allows
policies to perform the actual relabel operation. Policies should
update oldlabel using the label stored in the newlabel parameter.
*/
typedef void mpo_pipe_label_update_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *oldlabel,
struct label *newlabel
);
/**
@brief Policy unload event
@param mpc MAC policy configuration
This is the MAC Framework policy unload event. This entry point will
only be called if the module's policy configuration allows unload (if
the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't
want to be unloaded; they should set their flags to prevent this
entry point from being called.
@warning During this call, the mac policy list mutex is held, so
sleep operations cannot be performed, and calls out to other kernel
subsystems must be made with caution.
@see MPC_LOADTIME_FLAG_UNLOADOK
*/
typedef void mpo_policy_destroy_t(
struct mac_policy_conf *mpc
);
/**
@brief Policy initialization event
@param mpc MAC policy configuration
@see mac_policy_register
@see mpo_policy_initbsd_t
This is the MAC Framework policy initialization event. This entry
point is called during mac_policy_register, when the policy module
is first registered with the MAC Framework. This is often done very
early in the boot process, after the kernel Mach subsystem has been
initialized, but prior to the BSD subsystem being initialized.
Since the kernel BSD services are not yet available, it is possible
that some initialization must occur later, possibly in the
mpo_policy_initbsd_t policy entry point, such as registering BSD system
controls (sysctls). Policy modules loaded at boot time will be
registered and initialized before labeled Mach objects are created.
@warning During this call, the mac policy list mutex is held, so
sleep operations cannot be performed, and calls out to other kernel
subsystems must be made with caution.
*/
typedef void mpo_policy_init_t(
struct mac_policy_conf *mpc
);
/**
@brief Policy BSD initialization event
@param mpc MAC policy configuration
@see mpo_policy_init_t
This entry point is called after the kernel BSD subsystem has been
initialized. By this point, the module should already be loaded,
registered, and initialized. Since policy modules are initialized
before kernel BSD services are available, this second initialization
phase is necessary. At this point, BSD services (memory management,
synchronization primitives, vfs, etc.) are available, but the first
process has not yet been created. Mach-related objects and tasks
will already be fully initialized and may be in use--policies requiring
ubiquitous labeling may also want to implement mpo_policy_init_t.
@warning During this call, the mac policy list mutex is held, so
sleep operations cannot be performed, and calls out to other kernel
subsystems must be made with caution.
*/
typedef void mpo_policy_initbsd_t(
struct mac_policy_conf *mpc
);
/**
@brief Policy extension service
@param p Calling process
@param call Policy-specific syscall number
@param arg Pointer to syscall arguments
This entry point provides a policy-multiplexed system call so that
policies may provide additional services to user processes without
registering specific system calls. The policy name provided during
registration is used to demux calls from userland, and the arguments
will be forwarded to this entry point. When implementing new
services, security modules should be sure to invoke appropriate
access control checks from the MAC framework as needed. For
example, if a policy implements an augmented signal functionality,
it should call the necessary signal access control checks to invoke
the MAC framework and other registered policies.
@warning Since the format and contents of the policy-specific
arguments are unknown to the MAC Framework, modules must perform the
required copyin() of the syscall data on their own. No policy
mediation is performed, so policies must perform any necessary
access control checks themselves. If multiple policies are loaded,
they will currently be unable to mediate calls to other policies.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/
typedef int mpo_policy_syscall_t(
struct proc *p,
int call,
user_addr_t arg
);
/**
@brief Access control check for POSIX semaphore create
@param cred Subject credential
@param name String name of the semaphore
Determine whether the subject identified by the credential can create
a POSIX semaphore specified by name.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_posixsem_check_create_t(
kauth_cred_t cred,
const char *name
);
/**
@brief Access control check for POSIX semaphore open
@param cred Subject credential
@param ps Pointer to semaphore information structure
@param semlabel Label associated with the semaphore
Determine whether the subject identified by the credential can open
the named POSIX semaphore with label semlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_posixsem_check_open_t(
kauth_cred_t cred,
struct pseminfo *ps,
struct label *semlabel
);
/**
@brief Access control check for POSIX semaphore post
@param cred Subject credential
@param ps Pointer to semaphore information structure
@param semlabel Label associated with the semaphore
Determine whether the subject identified by the credential can unlock
the named POSIX semaphore with label semlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_posixsem_check_post_t(
kauth_cred_t cred,
struct pseminfo *ps,
struct label *semlabel
);
/**
@brief Access control check for POSIX semaphore unlink
@param cred Subject credential
@param ps Pointer to semaphore information structure
@param semlabel Label associated with the semaphore
@param name String name of the semaphore
Determine whether the subject identified by the credential can remove
the named POSIX semaphore with label semlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_posixsem_check_unlink_t(
kauth_cred_t cred,
struct pseminfo *ps,
struct label *semlabel,
const char *name
);
/**
@brief Access control check for POSIX semaphore wait
@param cred Subject credential
@param ps Pointer to semaphore information structure
@param semlabel Label associated with the semaphore
Determine whether the subject identified by the credential can lock
the named POSIX semaphore with label semlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_posixsem_check_wait_t(
kauth_cred_t cred,
struct pseminfo *ps,
struct label *semlabel
);
/**
@brief Create a POSIX semaphore label
@param cred Subject credential
@param ps Pointer to semaphore information structure
@param semlabel Label to associate with the new semaphore
@param name String name of the semaphore
Label a new POSIX semaphore. The label was previously
initialized and associated with the semaphore. At this time, an
appropriate initial label value should be assigned to the object and
stored in semalabel.
*/
typedef void mpo_posixsem_label_associate_t(
kauth_cred_t cred,
struct pseminfo *ps,
struct label *semlabel,
const char *name
);
/**
@brief Destroy POSIX semaphore label
@param label The label to be destroyed
Destroy a POSIX semaphore label. Since the object is
going out of scope, policy modules should free any internal storage
associated with the label so that it may be destroyed.
*/
typedef void mpo_posixsem_label_destroy_t(
struct label *label
);
/**
@brief Initialize POSIX semaphore label
@param label New label to initialize
Initialize the label for a newly instantiated POSIX semaphore. Sleeping
is permitted.
*/
typedef void mpo_posixsem_label_init_t(
struct label *label
);
/**
@brief Access control check for POSIX shared memory region create
@param cred Subject credential
@param name String name of the shared memory region
Determine whether the subject identified by the credential can create
the POSIX shared memory region referenced by name.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_posixshm_check_create_t(
kauth_cred_t cred,
const char *name
);
/**
@brief Access control check for mapping POSIX shared memory
@param cred Subject credential
@param ps Pointer to shared memory information structure
@param shmlabel Label associated with the shared memory region
@param prot mmap protections; see mmap(2)
@param flags shmat flags; see shmat(2)
Determine whether the subject identified by the credential can map
the POSIX shared memory segment associated with shmlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_posixshm_check_mmap_t(
kauth_cred_t cred,
struct pshminfo *ps,
struct label *shmlabel,
int prot,
int flags
);
/**
@brief Access control check for POSIX shared memory region open
@param cred Subject credential
@param ps Pointer to shared memory information structure
@param shmlabel Label associated with the shared memory region
@param fflags shm_open(2) open flags ('fflags' encoded)
Determine whether the subject identified by the credential can open
the POSIX shared memory region.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_posixshm_check_open_t(
kauth_cred_t cred,
struct pshminfo *ps,
struct label *shmlabel,
int fflags
);
/**
@brief Access control check for POSIX shared memory stat
@param cred Subject credential
@param ps Pointer to shared memory information structure
@param shmlabel Label associated with the shared memory region
Determine whether the subject identified by the credential can obtain
status for the POSIX shared memory segment associated with shmlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_posixshm_check_stat_t(
kauth_cred_t cred,
struct pshminfo *ps,
struct label *shmlabel
);
/**
@brief Access control check for POSIX shared memory truncate
@param cred Subject credential
@param ps Pointer to shared memory information structure
@param shmlabel Label associated with the shared memory region
@param len Length to truncate or extend shared memory segment
Determine whether the subject identified by the credential can truncate
or extend (to len) the POSIX shared memory segment associated with shmlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_posixshm_check_truncate_t(
kauth_cred_t cred,
struct pshminfo *ps,
struct label *shmlabel,
off_t len
);
/**
@brief Access control check for POSIX shared memory unlink
@param cred Subject credential
@param ps Pointer to shared memory information structure
@param shmlabel Label associated with the shared memory region
@param name String name of the shared memory region
Determine whether the subject identified by the credential can delete
the POSIX shared memory segment associated with shmlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_posixshm_check_unlink_t(
kauth_cred_t cred,
struct pshminfo *ps,
struct label *shmlabel,
const char *name
);
/**
@brief Create a POSIX shared memory region label
@param cred Subject credential
@param ps Pointer to shared memory information structure
@param shmlabel Label to associate with the new shared memory region
@param name String name of the shared memory region
Label a new POSIX shared memory region. The label was previously
initialized and associated with the shared memory region. At this
time, an appropriate initial label value should be assigned to the
object and stored in shmlabel.
*/
typedef void mpo_posixshm_label_associate_t(
kauth_cred_t cred,
struct pshminfo *ps,
struct label *shmlabel,
const char *name
);
/**
@brief Destroy POSIX shared memory label
@param label The label to be destroyed
Destroy a POSIX shared memory region label. Since the
object is going out of scope, policy modules should free any
internal storage associated with the label so that it may be
destroyed.
*/
typedef void mpo_posixshm_label_destroy_t(
struct label *label
);
/**
@brief Initialize POSIX Shared Memory region label
@param label New label to initialize
Initialize the label for newly a instantiated POSIX Shared Memory
region. Sleeping is permitted.
*/
typedef void mpo_posixshm_label_init_t(
struct label *label
);
/**
@brief Access control check for privileged operations
@param cred Subject credential
@param priv Requested privilege (see sys/priv.h)
Determine whether the subject identified by the credential can perform
a privileged operation. Privileged operations are allowed if the cred
is the superuser or any policy returns zero for mpo_priv_grant, unless
any policy returns nonzero for mpo_priv_check.
@return Return 0 if access is granted, otherwise EPERM should be returned.
*/
typedef int mpo_priv_check_t(
kauth_cred_t cred,
int priv
);
/**
@brief Grant regular users the ability to perform privileged operations
@param cred Subject credential
@param priv Requested privilege (see sys/priv.h)
Determine whether the subject identified by the credential should be
allowed to perform a privileged operation that in the absense of any
MAC policy it would not be able to perform. Privileged operations are
allowed if the cred is the superuser or any policy returns zero for
mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check.
Unlike other MAC hooks which can only reduce the privilege of a
credential, this hook raises the privilege of a credential when it
returns 0. Extreme care must be taken when implementing this hook to
avoid undermining the security of the system.
@return Return 0 if additional privilege is granted, otherwise EPERM
should be returned.
*/
typedef int mpo_priv_grant_t(
kauth_cred_t cred,
int priv
);
/**
@brief Access control check for debugging process
@param cred Subject credential
@param proc Object process
Determine whether the subject identified by the credential can debug
the passed process. This call may be made in a number of situations,
including use of the ptrace(2) and ktrace(2) APIs, as well as for some
types of procfs operations.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
EPERM for lack of privilege, or ESRCH to hide visibility of the target.
*/
typedef int mpo_proc_check_debug_t(
kauth_cred_t cred,
struct proc *proc
);
/**
@brief Access control over fork
@param cred Subject credential
@param proc Subject process trying to fork
Determine whether the subject identified is allowed to fork.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_fork_t(
kauth_cred_t cred,
struct proc *proc
);
/**
@brief Access control check for setting host special ports.
@param cred Subject credential
@param id The host special port to set
@param port The new value to set for the special port
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_set_host_special_port_t(
kauth_cred_t cred,
int id,
struct ipc_port *port
);
/**
@brief Access control check for setting host exception ports.
@param cred Subject credential
@param exception Exception port to set
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_set_host_exception_port_t(
kauth_cred_t cred,
unsigned int exception
);
/**
@brief Access control over pid_suspend and pid_resume
@param cred Subject credential
@param proc Subject process trying to run pid_suspend or pid_resume
@param sr Call is suspend (0) or resume (1)
Determine whether the subject identified is allowed to suspend or resume
other processes.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_suspend_resume_t(
kauth_cred_t cred,
struct proc *proc,
int sr
);
/**
@brief Access control check for retrieving audit information
@param cred Subject credential
Determine whether the subject identified by the credential can get
audit information such as the audit user ID, the preselection mask,
the terminal ID and the audit session ID, using the getaudit() system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_getaudit_t(
kauth_cred_t cred
);
/**
@brief Access control check for retrieving audit user ID
@param cred Subject credential
Determine whether the subject identified by the credential can get
the user identity being used by the auditing system, using the getauid()
system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_getauid_t(
kauth_cred_t cred
);
/**
@brief Access control check for retrieving Login Context ID
@param p0 Calling process
@param p Effected process
@param pid syscall PID argument
Determine if getlcid(2) system call is permitted.
Information returned by this system call is similar to that returned via
process listings etc.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_getlcid_t(
struct proc *p0,
struct proc *p,
pid_t pid
);
/**
@brief Access control check for retrieving ledger information
@param cred Subject credential
@param target Object process
@param op ledger operation
Determine if ledger(2) system call is permitted.
Information returned by this system call is similar to that returned via
process listings etc.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_ledger_t(
kauth_cred_t cred,
struct proc *target,
int op
);
/**
@brief Access control check for escaping default CPU usage monitor parameters.
@param cred Subject credential
Determine if a credential has permission to program CPU usage monitor parameters
that are less restrictive than the global system-wide defaults.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_cpumon_t(
kauth_cred_t cred
);
/**
@brief Access control check for retrieving process information.
@param cred Subject credential
@param target Target process (may be null, may be zombie)
Determine if a credential has permission to access process information as defined
by call number and flavor on target process
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_proc_info_t(
kauth_cred_t cred,
struct proc *target,
int callnum,
int flavor
);
/**
@brief Access control check for retrieving code signing information.
@param cred Subject credential
@param target Target process
@param op Code signing operation being performed
Determine whether the subject identified by the credential should be
allowed to get code signing information about the target process.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_get_cs_info_t(
kauth_cred_t cred,
struct proc *target,
unsigned int op
);
/**
@brief Access control check for setting code signing information.
@param cred Subject credential
@param target Target process
@param op Code signing operation being performed.
Determine whether the subject identified by the credential should be
allowed to set code signing information about the target process.
@return Return 0 if permission is granted, otherwise an appropriate
value of errno should be returned.
*/
typedef int mpo_proc_check_set_cs_info_t(
kauth_cred_t cred,
struct proc *target,
unsigned int op
);
/**
@brief Access control check for mmap MAP_ANON
@param proc User process requesting the memory
@param cred Subject credential
@param u_addr Start address of the memory range
@param u_size Length address of the memory range
@param prot mmap protections; see mmap(2)
@param flags Type of mapped object; see mmap(2)
@param maxprot Maximum rights
Determine whether the subject identified by the credential should be
allowed to obtain anonymous memory using the specified flags and
protections on the new mapping. MAP_ANON will always be present in the
flags. Certain combinations of flags with a non-NULL addr may
cause a mapping to be rejected before this hook is called. The maxprot field
holds the maximum permissions on the new mapping, a combination of
VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior
access control checks, a policy should only remove flags from maxprot.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EPERM for lack of privilege.
*/
typedef int mpo_proc_check_map_anon_t(
struct proc *proc,
kauth_cred_t cred,
user_addr_t u_addr,
user_size_t u_size,
int prot,
int flags,
int *maxprot
);
/**
@brief Access control check for setting memory protections
@param cred Subject credential
@param proc User process requesting the change
@param addr Start address of the memory range
@param size Length address of the memory range
@param prot Memory protections, see mmap(2)
Determine whether the subject identified by the credential should
be allowed to set the specified memory protections on memory mapped
in the process proc.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_mprotect_t(
kauth_cred_t cred,
struct proc *proc,
user_addr_t addr,
user_size_t size,
int prot
);
/**
@brief Access control check for changing scheduling parameters
@param cred Subject credential
@param proc Object process
Determine whether the subject identified by the credential can change
the scheduling parameters of the passed process.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
EPERM for lack of privilege, or ESRCH to limit visibility.
*/
typedef int mpo_proc_check_sched_t(
kauth_cred_t cred,
struct proc *proc
);
/**
@brief Access control check for setting audit information
@param cred Subject credential
@param ai Audit information
Determine whether the subject identified by the credential can set
audit information such as the the preselection mask, the terminal ID
and the audit session ID, using the setaudit() system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_setaudit_t(
kauth_cred_t cred,
struct auditinfo_addr *ai
);
/**
@brief Access control check for setting audit user ID
@param cred Subject credential
@param auid Audit user ID
Determine whether the subject identified by the credential can set
the user identity used by the auditing system, using the setauid()
system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_setauid_t(
kauth_cred_t cred,
uid_t auid
);
/**
@brief Access control check for setting the Login Context
@param p0 Calling process
@param p Effected process
@param pid syscall PID argument
@param lcid syscall LCID argument
Determine if setlcid(2) system call is permitted.
See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of
decoding syscall arguments to determine action desired by caller.
Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_setlcid_t(
struct proc *p0,
struct proc *p,
pid_t pid,
pid_t lcid
);
/**
@brief Access control check for delivering signal
@param cred Subject credential
@param proc Object process
@param signum Signal number; see kill(2)
Determine whether the subject identified by the credential can deliver
the passed signal to the passed process.
@warning Programs typically expect to be able to send and receive
signals as part or their normal process lifecycle; caution should be
exercised when implementing access controls over signal events.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
EPERM for lack of privilege, or ESRCH to limit visibility.
*/
typedef int mpo_proc_check_signal_t(
kauth_cred_t cred,
struct proc *proc,
int signum
);
/**
@brief Access control check for wait
@param cred Subject credential
@param proc Object process
Determine whether the subject identified by the credential can wait
for process termination.
@warning Caution should be exercised when implementing access
controls for wait, since programs often wait for child processes to
exit. Failure to be notified of a child process terminating may
cause the parent process to hang, or may produce zombie processes.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_wait_t(
kauth_cred_t cred,
struct proc *proc
);
/**
@brief Destroy process label
@param label The label to be destroyed
Destroy a process label. Since the object is going
out of scope, policy modules should free any internal storage
associated with the label so that it may be destroyed.
*/
typedef void mpo_proc_label_destroy_t(
struct label *label
);
/**
@brief Initialize process label
@param label New label to initialize
@see mpo_cred_label_init_t
Initialize the label for a newly instantiated BSD process structure.
Normally, security policies will store the process label in the user
credential rather than here in the process structure. However,
there are some floating label policies that may need to temporarily
store a label in the process structure until it is safe to update
the user credential label. Sleeping is permitted.
*/
typedef void mpo_proc_label_init_t(
struct label *label
);
/**
@brief Access control check for socket accept
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
Determine whether the subject identified by the credential can accept()
a new connection on the socket from the host specified by addr.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_accept_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel
);
/**
@brief Access control check for a pending socket accept
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
@param addr Address of the listening socket (coming soon)
Determine whether the subject identified by the credential can accept()
a pending connection on the socket from the host specified by addr.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_accepted_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
struct sockaddr *addr
);
/**
@brief Access control check for socket bind
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
@param addr Name to assign to the socket
Determine whether the subject identified by the credential can bind()
the name (addr) to the socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_bind_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
struct sockaddr *addr
);
/**
@brief Access control check for socket connect
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
@param addr Name to assign to the socket
Determine whether the subject identified by the credential can
connect() the passed socket to the remote host specified by addr.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_connect_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
struct sockaddr *addr
);
/**
@brief Access control check for socket() system call.
@param cred Subject credential
@param domain communication domain
@param type socket type
@param protocol socket protocol
Determine whether the subject identified by the credential can
make the socket() call.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_create_t(
kauth_cred_t cred,
int domain,
int type,
int protocol
);
/**
@brief Access control check for delivering data to a user's receieve queue
@param so The socket data is being delivered to
@param so_label The label of so
@param m The mbuf whose data will be deposited into the receive queue
@param m_label The label of the sender of the data.
A socket has a queue for receiving incoming data. When a packet arrives
on the wire, it eventually gets deposited into this queue, which the
owner of the socket drains when they read from the socket's file descriptor.
This function determines whether the socket can receive data from
the sender specified by m_label.
@warning There is an outstanding design issue surrounding the placement
of this function. The check must be placed either before or after the
TCP sequence and ACK counters are updated. Placing the check before
the counters are updated causes the incoming packet to be resent by
the remote if the check rejects it. Placing the check after the counters
are updated results in a completely silent drop. As far as each TCP stack
is concerned the packet was received, however, the data will not be in the
socket's receive queue. Another consideration is that the current design
requires using the "failed label" occasionally. In that case, on rejection,
we want the remote TCP to resend the data. Because of this, we chose to
place this check before the counters are updated, so rejected packets will be
resent by the remote host.
If a policy keeps rejecting the same packet, eventually the connection will
be dropped. Policies have several options if this design causes problems.
For example, one options is to sanitize the mbuf such that it is acceptable,
then accept it. That may require negotiation between policies as the
Framework will not know to re-check the packet.
The policy must handle NULL MBUF labels. This will likely be the case
for non-local TCP sockets for example.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_deliver_t(
socket_t so,
struct label *so_label,
struct mbuf *m,
struct label *m_label
);
/**
@brief Access control check for socket kqfilter
@param cred Subject credential
@param kn Object knote
@param so Object socket
@param socklabel Policy label for socket
Determine whether the subject identified by the credential can
receive the knote on the passed socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_kqfilter_t(
kauth_cred_t cred,
struct knote *kn,
socket_t so,
struct label *socklabel
);
/**
@brief Access control check for socket relabel
@param cred Subject credential
@param so Object socket
@param so_label The current label of so
@param newlabel The label to be assigned to so
Determine whether the subject identified by the credential can
change the label on the socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_label_update_t(
kauth_cred_t cred,
socket_t so,
struct label *so_label,
struct label *newlabel
);
/**
@brief Access control check for socket listen
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
Determine whether the subject identified by the credential can
listen() on the passed socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_listen_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel
);
/**
@brief Access control check for socket receive
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
Determine whether the subject identified by the credential can
receive data from the socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_receive_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel
);
/**
@brief Access control check for socket receive
@param cred Subject credential
@param sock Object socket
@param socklabel Policy label for socket
@param saddr Name of the remote socket
Determine whether the subject identified by the credential can
receive data from the remote host specified by addr.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_received_t(
kauth_cred_t cred,
struct socket *sock,
struct label *socklabel,
struct sockaddr *saddr
);
/**
@brief Access control check for socket select
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
@param which The operation selected on: FREAD or FWRITE
Determine whether the subject identified by the credential can use the
socket in a call to select().
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_select_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
int which
);
/**
@brief Access control check for socket send
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
@param addr Address being sent to
Determine whether the subject identified by the credential can send
data to the socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_send_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
struct sockaddr *addr
);
/**
@brief Access control check for retrieving socket status
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for so
Determine whether the subject identified by the credential can
execute the stat() system call on the given socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_stat_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel
);
/**
@brief Access control check for setting socket options
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for so
@param sopt The options being set
Determine whether the subject identified by the credential can
execute the setsockopt system call on the given socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_setsockopt_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
struct sockopt *sopt
);
/**
@brief Access control check for getting socket options
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for so
@param sopt The options to get
Determine whether the subject identified by the credential can
execute the getsockopt system call on the given socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_socket_check_getsockopt_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
struct sockopt *sopt
);
/**
@brief Label a socket
@param oldsock Listening socket
@param oldlabel Policy label associated with oldsock
@param newsock New socket
@param newlabel Policy label associated with newsock
A new socket is created when a connection is accept(2)ed. This
function labels the new socket based on the existing listen(2)ing
socket.
*/
typedef void mpo_socket_label_associate_accept_t(
socket_t oldsock,
struct label *oldlabel,
socket_t newsock,
struct label *newlabel
);
/**
@brief Assign a label to a new socket
@param cred Credential of the owning process
@param so The socket being labeled
@param solabel The label
@warning cred can be NULL
Set the label on a newly created socket from the passed subject
credential. This call is made when a socket is created. The
credentials may be null if the socket is being created by the
kernel.
*/
typedef void mpo_socket_label_associate_t(
kauth_cred_t cred,
socket_t so,
struct label *solabel
);
/**
@brief Copy a socket label
@param src Source label
@param dest Destination label
Copy the socket label information in src into dest.
*/
typedef void mpo_socket_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy socket label
@param label The label to be destroyed
Destroy a socket label. Since the object is going out of
scope, policy modules should free any internal storage associated
with the label so that it may be destroyed.
*/
typedef void mpo_socket_label_destroy_t(
struct label *label
);
/**
@brief Externalize a socket label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of label
Produce an externalized socket label based on the label structure passed.
An externalized label consists of a text representation of the label
contents that can be used with userland applications and read by the
user. If element_name does not match a namespace managed by the policy,
simply return 0. Only return nonzero if an error occurs while externalizing
the label data.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/
typedef int mpo_socket_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize socket label
@param label New label to initialize
@param waitok Malloc flags
Initialize the label of a newly instantiated socket. The waitok
field may be one of M_WAITOK and M_NOWAIT, and should be employed to
avoid performing a sleeping malloc(9) during this initialization
call. It it not always safe to sleep during this entry point.
@warning Since it is possible for the waitok flags to be set to
M_NOWAIT, the malloc operation may fail.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/
typedef int mpo_socket_label_init_t(
struct label *label,
int waitok
);
/**
@brief Internalize a socket label
@param label Label to be filled in
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce an internal socket label structure based on externalized label
data in text format.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/
typedef int mpo_socket_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Relabel socket
@param cred Subject credential
@param so Object; socket
@param so_label Current label of the socket
@param newlabel The label to be assigned to so
The subject identified by the credential has previously requested
and was authorized to relabel the socket; this entry point allows
policies to perform the actual label update operation.
@warning XXX This entry point will likely change in future versions.
*/
typedef void mpo_socket_label_update_t(
kauth_cred_t cred,
socket_t so,
struct label *so_label,
struct label *newlabel
);
/**
@brief Set the peer label on a socket from mbuf
@param m Mbuf chain received on socket so
@param m_label Label for m
@param so Current label for the socket
@param so_label Policy label to be filled out for the socket
Set the peer label of a socket based on the label of the sender of the
mbuf.
This is called for every TCP/IP packet received. The first call for a given
socket operates on a newly initialized label, and subsequent calls operate
on existing label data.
@warning Because this can affect performance significantly, it has
different sematics than other 'set' operations. Typically, 'set' operations
operate on newly initialzed labels and policies do not need to worry about
clobbering existing values. In this case, it is too inefficient to
initialize and destroy a label every time data is received for the socket.
Instead, it is up to the policies to determine how to replace the label data.
Most policies should be able to replace the data inline.
*/
typedef void mpo_socketpeer_label_associate_mbuf_t(
struct mbuf *m,
struct label *m_label,
socket_t so,
struct label *so_label
);
/**
@brief Set the peer label on a socket from socket
@param source Local socket
@param sourcelabel Policy label for source
@param target Peer socket
@param targetlabel Policy label to fill in for target
Set the peer label on a stream UNIX domain socket from the passed
remote socket endpoint. This call will be made when the socket pair
is connected, and will be made for both endpoints.
Note that this call is only made on connection; it is currently not updated
during communication.
*/
typedef void mpo_socketpeer_label_associate_socket_t(
socket_t source,
struct label *sourcelabel,
socket_t target,
struct label *targetlabel
);
/**
@brief Destroy socket peer label
@param label The peer label to be destroyed
Destroy a socket peer label. Since the object is going out of
scope, policy modules should free any internal storage associated
with the label so that it may be destroyed.
*/
typedef void mpo_socketpeer_label_destroy_t(
struct label *label
);
/**
@brief Externalize a socket peer label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of label
Produce an externalized socket peer label based on the label structure
passed. An externalized label consists of a text representation of the
label contents that can be used with userland applications and read by the
user. If element_name does not match a namespace managed by the policy,
simply return 0. Only return nonzero if an error occurs while externalizing
the label data.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/
typedef int mpo_socketpeer_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize socket peer label
@param label New label to initialize
@param waitok Malloc flags
Initialize the peer label of a newly instantiated socket. The
waitok field may be one of M_WAITOK and M_NOWAIT, and should be
employed to avoid performing a sleeping malloc(9) during this
initialization call. It it not always safe to sleep during this
entry point.
@warning Since it is possible for the waitok flags to be set to
M_NOWAIT, the malloc operation may fail.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/
typedef int mpo_socketpeer_label_init_t(
struct label *label,
int waitok
);
/**
@brief Access control check for enabling accounting
@param cred Subject credential
@param vp Accounting file
@param vlabel Label associated with vp
Determine whether the subject should be allowed to enable accounting,
based on its label and the label of the accounting log file. See
acct(5) for more information.
As accounting is disabled by passing NULL to the acct(2) system call,
the policy should be prepared for both 'vp' and 'vlabel' to be NULL.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_acct_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Access control check for audit
@param cred Subject credential
@param record Audit record
@param length Audit record length
Determine whether the subject identified by the credential can submit
an audit record for inclusion in the audit log via the audit() system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_audit_t(
kauth_cred_t cred,
void *record,
int length
);
/**
@brief Access control check for controlling audit
@param cred Subject credential
@param vp Audit file
@param vl Label associated with vp
Determine whether the subject should be allowed to enable auditing using
the auditctl() system call, based on its label and the label of the proposed
audit file.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_auditctl_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vl
);
/**
@brief Access control check for manipulating auditing
@param cred Subject credential
@param cmd Audit control command
Determine whether the subject identified by the credential can perform
the audit subsystem control operation cmd via the auditon() system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_auditon_t(
kauth_cred_t cred,
int cmd
);
/**
@brief Access control check for using CHUD facilities
@param cred Subject credential
Determine whether the subject identified by the credential can perform
performance-related tasks using the CHUD system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_chud_t(
kauth_cred_t cred
);
/**
@brief Access control check for obtaining the host control port
@param cred Subject credential
Determine whether the subject identified by the credential can
obtain the host control port.
@return Return 0 if access is granted, or non-zero otherwise.
*/
typedef int mpo_system_check_host_priv_t(
kauth_cred_t cred
);
/**
@brief Access control check for obtaining system information
@param cred Subject credential
@param info_type A description of the information requested
Determine whether the subject identified by the credential should be
allowed to obtain information about the system.
This is a generic hook that can be used in a variety of situations where
information is being returned that might be considered sensitive.
Rather than adding a new MAC hook for every such interface, this hook can
be called with a string identifying the type of information requested.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_info_t(
kauth_cred_t cred,
const char *info_type
);
/**
@brief Access control check for calling NFS services
@param cred Subject credential
Determine whether the subject identified by the credential should be
allowed to call nfssrv(2).
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_nfsd_t(
kauth_cred_t cred
);
/**
@brief Access control check for reboot
@param cred Subject credential
@param howto howto parameter from reboot(2)
Determine whether the subject identified by the credential should be
allowed to reboot the system in the specified manner.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_reboot_t(
kauth_cred_t cred,
int howto
);
/**
@brief Access control check for setting system clock
@param cred Subject credential
Determine whether the subject identified by the credential should be
allowed to set the system clock.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_settime_t(
kauth_cred_t cred
);
/**
@brief Access control check for removing swap devices
@param cred Subject credential
@param vp Swap device
@param label Label associated with vp
Determine whether the subject identified by the credential should be
allowed to remove vp as a swap device.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_swapoff_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for adding swap devices
@param cred Subject credential
@param vp Swap device
@param label Label associated with vp
Determine whether the subject identified by the credential should be
allowed to add vp as a swap device.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_swapon_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for sysctl
@param cred Subject credential
@param namestring String representation of sysctl name.
@param name Integer name; see sysctl(3)
@param namelen Length of name array of integers; see sysctl(3)
@param old 0 or address where to store old value; see sysctl(3)
@param oldlen Length of old buffer; see sysctl(3)
@param newvalue 0 or address of new value; see sysctl(3)
@param newlen Length of new buffer; see sysctl(3)
Determine whether the subject identified by the credential should be
allowed to make the specified sysctl(3) transaction.
The sysctl(3) call specifies that if the old value is not desired,
oldp and oldlenp should be set to NULL. Likewise, if a new value is
not to be set, newp should be set to NULL and newlen set to 0.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_sysctlbyname_t(
kauth_cred_t cred,
const char *namestring,
int *name,
u_int namelen,
user_addr_t old, /* NULLOK */
size_t oldlen,
user_addr_t newvalue, /* NULLOK */
size_t newlen
);
/**
@brief Access control check for kas_info
@param cred Subject credential
@param selector Category of information to return. See kas_info.h
Determine whether the subject identified by the credential can perform
introspection of the kernel address space layout for
debugging/performance analysis.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_system_check_kas_info_t(
kauth_cred_t cred,
int selector
);
/**
@brief Create a System V message label
@param cred Subject credential
@param msqptr The message queue the message will be placed in
@param msqlabel The label of the message queue
@param msgptr The message
@param msglabel The label of the message
Label the message as its placed in the message queue.
*/
typedef void mpo_sysvmsg_label_associate_t(
kauth_cred_t cred,
struct msqid_kernel *msqptr,
struct label *msqlabel,
struct msg *msgptr,
struct label *msglabel
);
/**
@brief Destroy System V message label
@param label The label to be destroyed
Destroy a System V message label. Since the object is
going out of scope, policy modules should free any internal storage
associated with the label so that it may be destroyed.
*/
typedef void mpo_sysvmsg_label_destroy_t(
struct label *label
);
/**
@brief Initialize System V message label
@param label New label to initialize
Initialize the label for a newly instantiated System V message.
*/
typedef void mpo_sysvmsg_label_init_t(
struct label *label
);
/**
@brief Clean up a System V message label
@param label The label to be destroyed
Clean up a System V message label. Darwin pre-allocates
messages at system boot time and re-uses them rather than
allocating new ones. Before messages are returned to the "free
pool", policies can cleanup or overwrite any information present in
the label.
*/
typedef void mpo_sysvmsg_label_recycle_t(
struct label *label
);
/**
@brief Access control check for System V message enqueuing
@param cred Subject credential
@param msgptr The message
@param msglabel The message's label
@param msqptr The message queue
@param msqlabel The message queue's label
Determine whether the subject identified by the credential can add the
given message to the given message queue.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvmsq_check_enqueue_t(
kauth_cred_t cred,
struct msg *msgptr,
struct label *msglabel,
struct msqid_kernel *msqptr,
struct label *msqlabel
);
/**
@brief Access control check for System V message reception
@param cred The credential of the intended recipient
@param msgptr The message
@param msglabel The message's label
Determine whether the subject identified by the credential can receive
the given message.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvmsq_check_msgrcv_t(
kauth_cred_t cred,
struct msg *msgptr,
struct label *msglabel
);
/**
@brief Access control check for System V message queue removal
@param cred The credential of the caller
@param msgptr The message
@param msglabel The message's label
System V message queues are removed using the msgctl() system call.
The system will iterate over each messsage in the queue, calling this
function for each, to determine whether the caller has the appropriate
credentials.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvmsq_check_msgrmid_t(
kauth_cred_t cred,
struct msg *msgptr,
struct label *msglabel
);
/**
@brief Access control check for msgctl()
@param cred The credential of the caller
@param msqptr The message queue
@param msqlabel The message queue's label
This access check is performed to validate calls to msgctl().
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvmsq_check_msqctl_t(
kauth_cred_t cred,
struct msqid_kernel *msqptr,
struct label *msqlabel,
int cmd
);
/**
@brief Access control check to get a System V message queue
@param cred The credential of the caller
@param msqptr The message queue requested
@param msqlabel The message queue's label
On a call to msgget(), if the queue requested already exists,
and it is a public queue, this check will be performed before the
queue's ID is returned to the user.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvmsq_check_msqget_t(
kauth_cred_t cred,
struct msqid_kernel *msqptr,
struct label *msqlabel
);
/**
@brief Access control check to receive a System V message from the given queue
@param cred The credential of the caller
@param msqptr The message queue to receive from
@param msqlabel The message queue's label
On a call to msgrcv(), this check is performed to determine whether the
caller has receive rights on the given queue.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvmsq_check_msqrcv_t(
kauth_cred_t cred,
struct msqid_kernel *msqptr,
struct label *msqlabel
);
/**
@brief Access control check to send a System V message to the given queue
@param cred The credential of the caller
@param msqptr The message queue to send to
@param msqlabel The message queue's label
On a call to msgsnd(), this check is performed to determine whether the
caller has send rights on the given queue.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvmsq_check_msqsnd_t(
kauth_cred_t cred,
struct msqid_kernel *msqptr,
struct label *msqlabel
);
/**
@brief Create a System V message queue label
@param cred Subject credential
@param msqptr The message queue
@param msqlabel The label of the message queue
*/
typedef void mpo_sysvmsq_label_associate_t(
kauth_cred_t cred,
struct msqid_kernel *msqptr,
struct label *msqlabel
);
/**
@brief Destroy System V message queue label
@param label The label to be destroyed
Destroy a System V message queue label. Since the object is
going out of scope, policy modules should free any internal storage
associated with the label so that it may be destroyed.
*/
typedef void mpo_sysvmsq_label_destroy_t(
struct label *label
);
/**
@brief Initialize System V message queue label
@param label New label to initialize
Initialize the label for a newly instantiated System V message queue.
*/
typedef void mpo_sysvmsq_label_init_t(
struct label *label
);
/**
@brief Clean up a System V message queue label
@param label The label to be destroyed
Clean up a System V message queue label. Darwin pre-allocates
message queues at system boot time and re-uses them rather than
allocating new ones. Before message queues are returned to the "free
pool", policies can cleanup or overwrite any information present in
the label.
*/
typedef void mpo_sysvmsq_label_recycle_t(
struct label *label
);
/**
@brief Access control check for System V semaphore control operation
@param cred Subject credential
@param semakptr Pointer to semaphore identifier
@param semaklabel Label associated with semaphore
@param cmd Control operation to be performed; see semctl(2)
Determine whether the subject identified by the credential can perform
the operation indicated by cmd on the System V semaphore semakptr.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvsem_check_semctl_t(
kauth_cred_t cred,
struct semid_kernel *semakptr,
struct label *semaklabel,
int cmd
);
/**
@brief Access control check for obtaining a System V semaphore
@param cred Subject credential
@param semakptr Pointer to semaphore identifier
@param semaklabel Label to associate with the semaphore
Determine whether the subject identified by the credential can
obtain a System V semaphore.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvsem_check_semget_t(
kauth_cred_t cred,
struct semid_kernel *semakptr,
struct label *semaklabel
);
/**
@brief Access control check for System V semaphore operations
@param cred Subject credential
@param semakptr Pointer to semaphore identifier
@param semaklabel Label associated with the semaphore
@param accesstype Flags to indicate access (read and/or write)
Determine whether the subject identified by the credential can
perform the operations on the System V semaphore indicated by
semakptr. The accesstype flags hold the maximum set of permissions
from the sem_op array passed to the semop system call. It may
contain SEM_R for read-only operations or SEM_A for read/write
operations.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvsem_check_semop_t(
kauth_cred_t cred,
struct semid_kernel *semakptr,
struct label *semaklabel,
size_t accesstype
);
/**
@brief Create a System V semaphore label
@param cred Subject credential
@param semakptr The semaphore being created
@param semalabel Label to associate with the new semaphore
Label a new System V semaphore. The label was previously
initialized and associated with the semaphore. At this time, an
appropriate initial label value should be assigned to the object and
stored in semalabel.
*/
typedef void mpo_sysvsem_label_associate_t(
kauth_cred_t cred,
struct semid_kernel *semakptr,
struct label *semalabel
);
/**
@brief Destroy System V semaphore label
@param label The label to be destroyed
Destroy a System V semaphore label. Since the object is
going out of scope, policy modules should free any internal storage
associated with the label so that it may be destroyed.
*/
typedef void mpo_sysvsem_label_destroy_t(
struct label *label
);
/**
@brief Initialize System V semaphore label
@param label New label to initialize
Initialize the label for a newly instantiated System V semaphore. Sleeping
is permitted.
*/
typedef void mpo_sysvsem_label_init_t(
struct label *label
);
/**
@brief Clean up a System V semaphore label
@param label The label to be cleaned
Clean up a System V semaphore label. Darwin pre-allocates
semaphores at system boot time and re-uses them rather than
allocating new ones. Before semaphores are returned to the "free
pool", policies can cleanup or overwrite any information present in
the label.
*/
typedef void mpo_sysvsem_label_recycle_t(
struct label *label
);
/**
@brief Access control check for mapping System V shared memory
@param cred Subject credential
@param shmsegptr Pointer to shared memory segment identifier
@param shmseglabel Label associated with the shared memory segment
@param shmflg shmat flags; see shmat(2)
Determine whether the subject identified by the credential can map
the System V shared memory segment associated with shmsegptr.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvshm_check_shmat_t(
kauth_cred_t cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel,
int shmflg
);
/**
@brief Access control check for System V shared memory control operation
@param cred Subject credential
@param shmsegptr Pointer to shared memory segment identifier
@param shmseglabel Label associated with the shared memory segment
@param cmd Control operation to be performed; see shmctl(2)
Determine whether the subject identified by the credential can perform
the operation indicated by cmd on the System V shared memory segment
shmsegptr.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvshm_check_shmctl_t(
kauth_cred_t cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel,
int cmd
);
/**
@brief Access control check for unmapping System V shared memory
@param cred Subject credential
@param shmsegptr Pointer to shared memory segment identifier
@param shmseglabel Label associated with the shared memory segment
Determine whether the subject identified by the credential can unmap
the System V shared memory segment associated with shmsegptr.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvshm_check_shmdt_t(
kauth_cred_t cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel
);
/**
@brief Access control check obtaining System V shared memory identifier
@param cred Subject credential
@param shmsegptr Pointer to shared memory segment identifier
@param shmseglabel Label associated with the shared memory segment
@param shmflg shmget flags; see shmget(2)
Determine whether the subject identified by the credential can get
the System V shared memory segment address.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_sysvshm_check_shmget_t(
kauth_cred_t cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel,
int shmflg
);
/**
@brief Create a System V shared memory region label
@param cred Subject credential
@param shmsegptr The shared memory region being created
@param shmlabel Label to associate with the new shared memory region
Label a new System V shared memory region. The label was previously
initialized and associated with the shared memory region. At this
time, an appropriate initial label value should be assigned to the
object and stored in shmlabel.
*/
typedef void mpo_sysvshm_label_associate_t(
kauth_cred_t cred,
struct shmid_kernel *shmsegptr,
struct label *shmlabel
);
/**
@brief Destroy System V shared memory label
@param label The label to be destroyed
Destroy a System V shared memory region label. Since the
object is going out of scope, policy modules should free any
internal storage associated with the label so that it may be
destroyed.
*/
typedef void mpo_sysvshm_label_destroy_t(
struct label *label
);
/**
@brief Initialize System V Shared Memory region label
@param label New label to initialize
Initialize the label for a newly instantiated System V Shared Memory
region. Sleeping is permitted.
*/
typedef void mpo_sysvshm_label_init_t(
struct label *label
);
/**
@brief Clean up a System V Share Memory Region label
@param shmlabel The label to be cleaned
Clean up a System V Shared Memory Region label. Darwin
pre-allocates these objects at system boot time and re-uses them
rather than allocating new ones. Before the memory regions are
returned to the "free pool", policies can cleanup or overwrite any
information present in the label.
*/
typedef void mpo_sysvshm_label_recycle_t(
struct label *shmlabel
);
/**
@brief Access control check for getting a process's task name
@param cred Subject credential
@param p Object process
Determine whether the subject identified by the credential can get
the passed process's task name port.
This call is used by the task_name_for_pid(2) API.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
EPERM for lack of privilege, or ESRCH to hide visibility of the target.
*/
typedef int mpo_proc_check_get_task_name_t(
kauth_cred_t cred,
struct proc *p
);
/**
@brief Access control check for getting a process's task port
@param cred Subject credential
@param p Object process
Determine whether the subject identified by the credential can get
the passed process's task control port.
This call is used by the task_for_pid(2) API.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
EPERM for lack of privilege, or ESRCH to hide visibility of the target.
*/
typedef int mpo_proc_check_get_task_t(
kauth_cred_t cred,
struct proc *p
);
/**
@brief Access control check for exposing a process's task port
@param cred Subject credential
@param p Object process
Determine whether the subject identified by the credential can expose
the passed process's task control port.
This call is used by the accessor APIs like processor_set_tasks() and
processor_set_threads().
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
EPERM for lack of privilege, or ESRCH to hide visibility of the target.
*/
typedef int mpo_proc_check_expose_task_t(
kauth_cred_t cred,
struct proc *p
);
/**
@brief Check whether task's IPC may inherit across process exec
@param p current process instance
@param cur_vp vnode pointer to current instance
@param cur_offset offset of binary of currently executing image
@param img_vp vnode pointer to to be exec'ed image
@param img_offset offset into file which is selected for execution
@param scriptvp vnode pointer of script file if any.
@return Return 0 if access is granted.
EPERM if parent does not have any entitlements.
EACCESS if mismatch in entitlements
*/
typedef int mpo_proc_check_inherit_ipc_ports_t(
struct proc *p,
struct vnode *cur_vp,
off_t cur_offset,
struct vnode *img_vp,
off_t img_offset,
struct vnode *scriptvp
);
/**
@brief Privilege check for a process to run invalid
@param p Object process
Determine whether the process may execute even though the system determined
that it is untrusted (eg unidentified / modified code).
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_proc_check_run_cs_invalid_t(
struct proc *p
);
/**
@brief Perform MAC-related events when a thread returns to user space
@param thread Mach (not BSD) thread that is returning
This entry point permits policy modules to perform MAC-related
events when a thread returns to user space, via a system call
return or trap return.
*/
typedef void mpo_thread_userret_t(
struct thread *thread
);
/**
@brief Check vnode access
@param cred Subject credential
@param vp Object vnode
@param label Label for vp
@param acc_mode access(2) flags
Determine how invocations of access(2) and related calls by the
subject identified by the credential should return when performed
on the passed vnode using the passed access flags. This should
generally be implemented using the same semantics used in
mpo_vnode_check_open.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_access_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
int acc_mode
);
/**
@brief Access control check for changing working directory
@param cred Subject credential
@param dvp Object; vnode to chdir(2) into
@param dlabel Policy label for dvp
Determine whether the subject identified by the credential can change
the process working directory to the passed vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_chdir_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel
);
/**
@brief Access control check for changing root directory
@param cred Subject credential
@param dvp Directory vnode
@param dlabel Policy label associated with dvp
@param cnp Component name for dvp
Determine whether the subject identified by the credential should be
allowed to chroot(2) into the specified directory (dvp).
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/
typedef int mpo_vnode_check_chroot_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct componentname *cnp
);
/**
@brief Access control check for creating clone
@param cred Subject credential
@param dvp Vnode of directory to create the clone in
@param dlabel Policy label associated with dvp
@param vp Vnode of the file to clone from
@param label Policy label associated with vp
@param cnp Component name for the clone being created
Determine whether the subject identified by the credential should be
allowed to create a clone of the vnode vp with the name specified by cnp.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_vnode_check_clone_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp,
struct label *label,
struct componentname *cnp
);
/**
@brief Access control check for creating vnode
@param cred Subject credential
@param dvp Directory vnode
@param dlabel Policy label for dvp
@param cnp Component name for dvp
@param vap vnode attributes for vap
Determine whether the subject identified by the credential can create
a vnode with the passed parent directory, passed name information,
and passed attribute information. This call may be made in a number of
situations, including as a result of calls to open(2) with O_CREAT,
mknod(2), mkfifo(2), and others.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_create_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct componentname *cnp,
struct vnode_attr *vap
);
/**
@brief Access control check for deleting extended attribute
@param cred Subject credential
@param vp Object vnode
@param vlabel Label associated with vp
@param name Extended attribute name
Determine whether the subject identified by the credential can delete
the extended attribute from the passed vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_deleteextattr_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel,
const char *name
);
/**
@brief Access control check for exchanging file data
@param cred Subject credential
@param v1 vnode 1 to swap
@param vl1 Policy label for v1
@param v2 vnode 2 to swap
@param vl2 Policy label for v2
Determine whether the subject identified by the credential can swap the data
in the two supplied vnodes.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_exchangedata_t(
kauth_cred_t cred,
struct vnode *v1,
struct label *vl1,
struct vnode *v2,
struct label *vl2
);
/**
@brief Access control check for executing the vnode
@param cred Subject credential
@param vp Object vnode to execute
@param scriptvp Script being executed by interpreter, if any.
@param vnodelabel Label corresponding to vp
@param scriptlabel Script vnode label
@param execlabel Userspace provided execution label
@param cnp Component name for file being executed
@param macpolicyattr MAC policy-specific spawn attribute data.
@param macpolicyattrlen Length of policy-specific spawn attribute data.
Determine whether the subject identified by the credential can execute
the passed vnode. Determination of execute privilege is made separately
from decisions about any process label transitioning event.
The final label, execlabel, corresponds to a label supplied by a
user space application through the use of the mac_execve system call.
This label will be NULL if the user application uses the the vendor
execve(2) call instead of the MAC Framework mac_execve() call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_exec_t(
kauth_cred_t cred,
struct vnode *vp,
struct vnode *scriptvp,
struct label *vnodelabel,
struct label *scriptlabel,
struct label *execlabel, /* NULLOK */
struct componentname *cnp,
u_int *csflags,
void *macpolicyattr,
size_t macpolicyattrlen
);
/**
@brief Access control check for fsgetpath
@param cred Subject credential
@param vp Vnode for which a path will be returned
@param label Label associated with the vnode
Determine whether the subject identified by the credential can get the path
of the given vnode with fsgetpath.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_vnode_check_fsgetpath_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for retrieving file attributes
@param active_cred Subject credential
@param file_cred Credential associated with the struct fileproc
@param vp Object vnode
@param vlabel Policy label for vp
@param va Vnode attributes to retrieve
Determine whether the subject identified by the credential can
get information about the passed vnode. The active_cred hold
the credentials of the subject performing the operation, and
file_cred holds the credentials of the subject that originally
opened the file. This check happens during stat(), lstat(),
fstat(), and getattrlist() syscalls. See for
definitions of the attributes.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
@note Policies may change the contents of va to alter the list of
file attributes returned.
*/
typedef int mpo_vnode_check_getattr_t(
kauth_cred_t active_cred,
kauth_cred_t file_cred, /* NULLOK */
struct vnode *vp,
struct label *vlabel,
struct vnode_attr *va
);
/**
@brief Access control check for retrieving file attributes
@param cred Subject credential
@param vp Object vnode
@param vlabel Policy label for vp
@param alist List of attributes to retrieve
Determine whether the subject identified by the credential can read
various attributes of the specified vnode, or the filesystem or volume on
which that vnode resides. See for definitions of the
attributes.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege. Access control covers all attributes requested
with this call; the security policy is not permitted to change the set of
attributes requested.
*/
typedef int mpo_vnode_check_getattrlist_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel,
struct attrlist *alist
);
/**
@brief Access control check for retrieving an extended attribute
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param name Extended attribute name
@param uio I/O structure pointer
Determine whether the subject identified by the credential can retrieve
the extended attribute from the passed vnode. The uio parameter
will be NULL when the getxattr(2) call has been made with a NULL data
value; this is done to request the size of the data only.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_getextattr_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label, /* NULLOK */
const char *name,
struct uio *uio /* NULLOK */
);
/**
@brief Access control check for ioctl
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param cmd Device-dependent request code; see ioctl(2)
Determine whether the subject identified by the credential can perform
the ioctl operation indicated by com.
@warning Since ioctl data is opaque from the standpoint of the MAC
framework, and since ioctls can affect many aspects of system
operation, policies must exercise extreme care when implementing
access control checks.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_vnode_check_ioctl_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
unsigned int cmd
);
/**
@brief Access control check for vnode kqfilter
@param active_cred Subject credential
@param kn Object knote
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can
receive the knote on the passed vnode.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/
typedef int mpo_vnode_check_kqfilter_t(
kauth_cred_t active_cred,
kauth_cred_t file_cred, /* NULLOK */
struct knote *kn,
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for relabel
@param cred Subject credential
@param vp Object vnode
@param vnodelabel Existing policy label for vp
@param newlabel Policy label update to later be applied to vp
@see mpo_relable_vnode_t
Determine whether the subject identified by the credential can relabel
the passed vnode to the passed label update. If all policies permit
the label change, the actual relabel entry point (mpo_vnode_label_update)
will follow.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_vnode_check_label_update_t(
struct ucred *cred,
struct vnode *vp,
struct label *vnodelabel,
struct label *newlabel
);
/**
@brief Access control check for creating link
@param cred Subject credential
@param dvp Directory vnode
@param dlabel Policy label associated with dvp
@param vp Link destination vnode
@param label Policy label associated with vp
@param cnp Component name for the link being created
Determine whether the subject identified by the credential should be
allowed to create a link to the vnode vp with the name specified by cnp.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_vnode_check_link_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp,
struct label *label,
struct componentname *cnp
);
/**
@brief Access control check for listing extended attributes
@param cred Subject credential
@param vp Object vnode
@param vlabel Policy label associated with vp
Determine whether the subject identified by the credential can retrieve
a list of named extended attributes from a vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_vnode_check_listextattr_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Access control check for lookup
@param cred Subject credential
@param dvp Object vnode
@param dlabel Policy label for dvp
@param cnp Component name being looked up
Determine whether the subject identified by the credential can perform
a lookup in the passed directory vnode for the passed name (cnp).
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_lookup_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct componentname *cnp
);
/**
@brief Access control check for open
@param cred Subject credential
@param vp Object vnode
@param label Policy label associated with vp
@param acc_mode open(2) access mode
Determine whether the subject identified by the credential can perform
an open operation on the passed vnode with the passed access mode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_open_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
int acc_mode
);
/**
@brief Access control check for read
@param active_cred Subject credential
@param file_cred Credential associated with the struct fileproc
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can perform
a read operation on the passed vnode. The active_cred hold the credentials
of the subject performing the operation, and file_cred holds the
credentials of the subject that originally opened the file.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_read_t(
kauth_cred_t active_cred, /* SUBJECT */
kauth_cred_t file_cred, /* NULLOK */
struct vnode *vp, /* OBJECT */
struct label *label /* LABEL */
);
/**
@brief Access control check for read directory
@param cred Subject credential
@param dvp Object directory vnode
@param dlabel Policy label for dvp
Determine whether the subject identified by the credential can
perform a readdir operation on the passed directory vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_readdir_t(
kauth_cred_t cred, /* SUBJECT */
struct vnode *dvp, /* OBJECT */
struct label *dlabel /* LABEL */
);
/**
@brief Access control check for read link
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can perform
a readlink operation on the passed symlink vnode. This call can be made
in a number of situations, including an explicit readlink call by the
user process, or as a result of an implicit readlink during a name
lookup by the process.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_readlink_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for rename
@param cred Subject credential
@param dvp Directory vnode
@param dlabel Policy label associated with dvp
@param vp vnode to be renamed
@param label Policy label associated with vp
@param cnp Component name for vp
@param tdvp Destination directory vnode
@param tdlabel Policy label associated with tdvp
@param tvp Overwritten vnode
@param tlabel Policy label associated with tvp
@param tcnp Destination component name
Determine whether the subject identified by the credential should be allowed
to rename the vnode vp to something else.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_vnode_check_rename_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp,
struct label *label,
struct componentname *cnp,
struct vnode *tdvp,
struct label *tdlabel,
struct vnode *tvp,
struct label *tlabel,
struct componentname *tcnp
);
/**
@brief Access control check for rename from
@param cred Subject credential
@param dvp Directory vnode
@param dlabel Policy label associated with dvp
@param vp vnode to be renamed
@param label Policy label associated with vp
@param cnp Component name for vp
@see mpo_vnode_check_rename_t
@see mpo_vnode_check_rename_to_t
Determine whether the subject identified by the credential should be
allowed to rename the vnode vp to something else.
Due to VFS locking constraints (to make sure proper vnode locks are
held during this entry point), the vnode relabel checks had to be
split into two parts: relabel_from and relabel to.
This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_vnode_check_rename_from_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp,
struct label *label,
struct componentname *cnp
);
/**
@brief Access control check for rename to
@param cred Subject credential
@param dvp Directory vnode
@param dlabel Policy label associated with dvp
@param vp Overwritten vnode
@param label Policy label associated with vp
@param samedir Boolean; 1 if the source and destination directories are the same
@param cnp Destination component name
@see mpo_vnode_check_rename_t
@see mpo_vnode_check_rename_from_t
Determine whether the subject identified by the credential should be
allowed to rename to the vnode vp, into the directory dvp, or to the
name represented by cnp. If there is no existing file to overwrite,
vp and label will be NULL.
Due to VFS locking constraints (to make sure proper vnode locks are
held during this entry point), the vnode relabel checks had to be
split into two parts: relabel_from and relabel to.
This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_vnode_check_rename_to_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp, /* NULLOK */
struct label *label, /* NULLOK */
int samedir,
struct componentname *cnp
);
/**
@brief Access control check for revoke
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can revoke
access to the passed vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_revoke_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for searchfs
@param cred Subject credential
@param vp Object vnode
@param vlabel Policy label for vp
@param alist List of attributes used as search criteria
Determine whether the subject identified by the credential can search the
vnode using the searchfs system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_vnode_check_searchfs_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel,
struct attrlist *alist
);
/**
@brief Access control check for select
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param which The operation selected on: FREAD or FWRITE
Determine whether the subject identified by the credential can select
the vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_vnode_check_select_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
int which
);
/**
@brief Access control check for setting ACL
@param cred Subject credential
@param vp Object node
@param label Policy label for vp
@param acl ACL structure pointer
Determine whether the subject identified by the credential can set an ACL
on the specified vnode. The ACL pointer will be NULL when removing an ACL.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_setacl_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
struct kauth_acl *acl
);
/**
@brief Access control check for setting file attributes
@param cred Subject credential
@param vp Object vnode
@param vlabel Policy label for vp
@param alist List of attributes to set
Determine whether the subject identified by the credential can set
various attributes of the specified vnode, or the filesystem or volume on
which that vnode resides. See for definitions of the
attributes.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege. Access control covers all attributes requested
with this call.
*/
typedef int mpo_vnode_check_setattrlist_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel,
struct attrlist *alist
);
/**
@brief Access control check for setting extended attribute
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param name Extended attribute name
@param uio I/O structure pointer
Determine whether the subject identified by the credential can set the
extended attribute of passed name and passed namespace on the passed
vnode. Policies implementing security labels backed into extended
attributes may want to provide additional protections for those
attributes. Additionally, policies should avoid making decisions based
on the data referenced from uio, as there is a potential race condition
between this check and the actual operation. The uio may also be NULL
if a delete operation is being performed.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_setextattr_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
const char *name,
struct uio *uio
);
/**
@brief Access control check for setting flags
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param flags File flags; see chflags(2)
Determine whether the subject identified by the credential can set
the passed flags on the passed vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_setflags_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
u_long flags
);
/**
@brief Access control check for setting mode
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param mode File mode; see chmod(2)
Determine whether the subject identified by the credential can set
the passed mode on the passed vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_setmode_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
mode_t mode
);
/**
@brief Access control check for setting uid and gid
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param uid User ID
@param gid Group ID
Determine whether the subject identified by the credential can set
the passed uid and passed gid as file uid and file gid on the passed
vnode. The IDs may be set to (-1) to request no update.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_setowner_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
uid_t uid,
gid_t gid
);
/**
@brief Access control check for setting timestamps
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param atime Access time; see utimes(2)
@param mtime Modification time; see utimes(2)
Determine whether the subject identified by the credential can set
the passed access timestamps on the passed vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_setutimes_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
struct timespec atime,
struct timespec mtime
);
/**
@brief Access control check after determining the code directory hash
@param vp vnode vnode to combine into proc
@param label label associated with the vnode
@param cs_blob the code signature to check
@param cs_flags update code signing flags if needed
@param flags operational flag to mpo_vnode_check_signature
@param fatal_failure_desc description of fatal failure
@param fatal_failure_desc_len failure description len, failure is fatal if non-0
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/
typedef int mpo_vnode_check_signature_t(
struct vnode *vp,
struct label *label,
struct cs_blob *cs_blob,
unsigned int *cs_flags,
int flags,
char **fatal_failure_desc, size_t *fatal_failure_desc_len
);
/**
@brief Access control check for stat
@param active_cred Subject credential
@param file_cred Credential associated with the struct fileproc
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can stat
the passed vnode. See stat(2) for more information. The active_cred
hold the credentials of the subject performing the operation, and
file_cred holds the credentials of the subject that originally
opened the file.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_stat_t(
struct ucred *active_cred,
struct ucred *file_cred, /* NULLOK */
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for truncate/ftruncate
@param active_cred Subject credential
@param file_cred Credential associated with the struct fileproc
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can
perform a truncate operation on the passed vnode. The active_cred hold
the credentials of the subject performing the operation, and
file_cred holds the credentials of the subject that originally
opened the file.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_truncate_t(
kauth_cred_t active_cred,
kauth_cred_t file_cred, /* NULLOK */
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for binding UNIX domain socket
@param cred Subject credential
@param dvp Directory vnode
@param dlabel Policy label for dvp
@param cnp Component name for dvp
@param vap vnode attributes for vap
Determine whether the subject identified by the credential can perform a
bind operation on a UNIX domain socket with the passed parent directory,
passed name information, and passed attribute information.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_uipc_bind_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct componentname *cnp,
struct vnode_attr *vap
);
/**
@brief Access control check for connecting UNIX domain socket
@param cred Subject credential
@param vp Object vnode
@param label Policy label associated with vp
@param so Socket
Determine whether the subject identified by the credential can perform a
connect operation on the passed UNIX domain socket vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_uipc_connect_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
socket_t so
);
/**
@brief Access control check for deleting vnode
@param cred Subject credential
@param dvp Parent directory vnode
@param dlabel Policy label for dvp
@param vp Object vnode to delete
@param label Policy label for vp
@param cnp Component name for vp
@see mpo_check_rename_to_t
Determine whether the subject identified by the credential can delete
a vnode from the passed parent directory and passed name information.
This call may be made in a number of situations, including as a
results of calls to unlink(2) and rmdir(2). Policies implementing
this entry point should also implement mpo_check_rename_to to
authorize deletion of objects as a result of being the target of a rename.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_unlink_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp,
struct label *label,
struct componentname *cnp
);
/**
@brief Access control check for write
@param active_cred Subject credential
@param file_cred Credential associated with the struct fileproc
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can
perform a write operation on the passed vnode. The active_cred hold
the credentials of the subject performing the operation, and
file_cred holds the credentials of the subject that originally
opened the file.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/
typedef int mpo_vnode_check_write_t(
kauth_cred_t active_cred,
kauth_cred_t file_cred, /* NULLOK */
struct vnode *vp,
struct label *label
);
/**
@brief Associate a vnode with a devfs entry
@param mp Devfs mount point
@param mntlabel Devfs mount point label
@param de Devfs directory entry
@param delabel Label associated with de
@param vp vnode associated with de
@param vlabel Label associated with vp
Fill in the label (vlabel) for a newly created devfs vnode. The
label is typically derived from the label on the devfs directory
entry or the label on the filesystem, supplied as parameters.
*/
typedef void mpo_vnode_label_associate_devfs_t(
struct mount *mp,
struct label *mntlabel,
struct devnode *de,
struct label *delabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a label with a vnode
@param mp File system mount point
@param mntlabel File system mount point label
@param vp Vnode to label
@param vlabel Label associated with vp
Attempt to retrieve label information for the vnode, vp, from the
file system extended attribute store. The label should be stored in
the supplied vlabel parameter. If a policy cannot retrieve an
extended attribute, sometimes it is acceptible to fallback to using
the mntlabel.
If the policy requires vnodes to have a valid label elsewhere it
MUST NOT return other than temporary errors, and must always provide
a valid label of some sort. Returning an error will cause vnode
labeling to be retried at a later access. Failure to handle policy
centric errors internally (corrupt labels etc.) will result in
inaccessible files.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/
typedef int mpo_vnode_label_associate_extattr_t(
struct mount *mp,
struct label *mntlabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a file label with a vnode
@param cred User credential
@param mp Fdesc mount point
@param mntlabel Fdesc mount point label
@param fg Fileglob structure
@param label Policy label for fg
@param vp Vnode to label
@param vlabel Label associated with vp
Associate label information for the vnode, vp, with the label of
the open file descriptor described by fg.
The label should be stored in the supplied vlabel parameter.
*/
typedef void mpo_vnode_label_associate_file_t(
struct ucred *cred,
struct mount *mp,
struct label *mntlabel,
struct fileglob *fg,
struct label *label,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a pipe label with a vnode
@param cred User credential for the process that opened the pipe
@param cpipe Pipe structure
@param pipelabel Label associated with pipe
@param vp Vnode to label
@param vlabel Label associated with vp
Associate label information for the vnode, vp, with the label of
the pipe described by the pipe structure cpipe.
The label should be stored in the supplied vlabel parameter.
*/
typedef void mpo_vnode_label_associate_pipe_t(
struct ucred *cred,
struct pipe *cpipe,
struct label *pipelabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a POSIX semaphore label with a vnode
@param cred User credential for the process that create psem
@param psem POSIX semaphore structure
@param psemlabel Label associated with psem
@param vp Vnode to label
@param vlabel Label associated with vp
Associate label information for the vnode, vp, with the label of
the POSIX semaphore described by psem.
The label should be stored in the supplied vlabel parameter.
*/
typedef void mpo_vnode_label_associate_posixsem_t(
struct ucred *cred,
struct pseminfo *psem,
struct label *psemlabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a POSIX shared memory label with a vnode
@param cred User credential for the process that created pshm
@param pshm POSIX shared memory structure
@param pshmlabel Label associated with pshm
@param vp Vnode to label
@param vlabel Label associated with vp
Associate label information for the vnode, vp, with the label of
the POSIX shared memory region described by pshm.
The label should be stored in the supplied vlabel parameter.
*/
typedef void mpo_vnode_label_associate_posixshm_t(
struct ucred *cred,
struct pshminfo *pshm,
struct label *pshmlabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a label with a vnode
@param mp File system mount point
@param mntlabel File system mount point label
@param vp Vnode to label
@param vlabel Label associated with vp
On non-multilabel file systems, set the label for a vnode. The
label will most likely be based on the file system label.
*/
typedef void mpo_vnode_label_associate_singlelabel_t(
struct mount *mp,
struct label *mntlabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a socket label with a vnode
@param cred User credential for the process that opened the socket
@param so Socket structure
@param solabel Label associated with so
@param vp Vnode to label
@param vlabel Label associated with vp
Associate label information for the vnode, vp, with the label of
the open socket described by the socket structure so.
The label should be stored in the supplied vlabel parameter.
*/
typedef void mpo_vnode_label_associate_socket_t(
kauth_cred_t cred,
socket_t so,
struct label *solabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Copy a vnode label
@param src Source vnode label
@param dest Destination vnode label
Copy the vnode label information from src to dest. On Darwin, this
is currently only necessary when executing interpreted scripts, but
will later be used if vnode label externalization cannot be an
atomic operation.
*/
typedef void mpo_vnode_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy vnode label
@param label The label to be destroyed
Destroy a vnode label. Since the object is going out of scope,
policy modules should free any internal storage associated with the
label so that it may be destroyed.
*/
typedef void mpo_vnode_label_destroy_t(
struct label *label
);
/**
@brief Externalize a vnode label for auditing
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on a vnode suitable for
inclusion in an audit record. An externalized label consists of a text
representation of the label contents that will be added to the audit record
as part of a text token. Policy-agnostic user space tools will display
this externalized version.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/
typedef int mpo_vnode_label_externalize_audit_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Externalize a vnode label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on a vnode. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will display this externalized version.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/
typedef int mpo_vnode_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize vnode label
@param label New label to initialize
Initialize label storage for use with a newly instantiated vnode, or
for temporary storage associated with the copying in or out of a
vnode label. While it is necessary to allocate space for a
kernel-resident vnode label, it is not yet necessary to link this vnode
with persistent label storage facilities, such as extended attributes.
Sleeping is permitted.
*/
typedef void mpo_vnode_label_init_t(
struct label *label
);
/**
@brief Internalize a vnode label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce a vnode label from an external representation. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will forward text version to the kernel for
processing by individual policy modules.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, Otherwise, return non-zero if an error occurs
while internalizing the label data.
*/
typedef int mpo_vnode_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Clean up a vnode label
@param label The label to be cleaned for re-use
Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but
typically never frees them. Before vnodes are placed back on free lists for
re-use, policies can cleanup or overwrite any information present in the label.
*/
typedef void mpo_vnode_label_recycle_t(
struct label *label
);
/**
@brief Write a label to a extended attribute
@param cred Subject credential
@param vp The vnode for which the label is being stored
@param vlabel Label associated with vp
@param intlabel The new label to store
Store a new label in the extended attribute corresponding to the
supplied vnode. The policy has already authorized the operation;
this call must be implemented in order to perform the actual
operation.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
@warning XXX After examining the extended attribute implementation on
Apple's future release, this entry point may be changed.
*/
typedef int mpo_vnode_label_store_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel,
struct label *intlabel
);
/**
@brief Update vnode label from extended attributes
@param mp File system mount point
@param mntlabel Mount point label
@param vp Vnode to label
@param vlabel Label associated with vp
@param name Name of the xattr
@see mpo_vnode_check_setextattr_t
When an extended attribute is updated via the Vendor attribute management
functions, the MAC vnode label might also require an update.
Policies should first determine if 'name' matches their xattr label
name. If it does, the kernel is has either replaced or removed the
named extended attribute that was previously associated with the
vnode. Normally labels should only be modified via MAC Framework label
management calls, but sometimes the user space components will directly
modify extended attributes. For example, 'cp', 'tar', etc. manage
extended attributes in userspace, not the kernel.
This entry point is called after the label update has occurred, so
it cannot return a failure. However, the operation is preceded by
the mpo_vnode_check_setextattr() access control check.
If the vnode label needs to be updated the policy should return
a non-zero value. The vnode label will be marked for re-association
by the framework.
*/
typedef int mpo_vnode_label_update_extattr_t(
struct mount *mp,
struct label *mntlabel,
struct vnode *vp,
struct label *vlabel,
const char *name
);
/**
@brief Update a vnode label
@param cred Subject credential
@param vp The vnode to relabel
@param vnodelabel Existing vnode label
@param label New label to replace existing label
@see mpo_vnode_check_label_update_t
The subject identified by the credential has previously requested
and was authorized to relabel the vnode; this entry point allows
policies to perform the actual relabel operation. Policies should
update vnodelabel using the label stored in the label parameter.
*/
typedef void mpo_vnode_label_update_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vnodelabel,
struct label *label
);
/**
@brief Find deatched signatures for a shared library
@param p file trying to find the signature
@param vp The vnode to relabel
@param offset offset in the macho that the signature is requested for (for fat binaries)
@param label Existing vnode label
*/
typedef int mpo_vnode_find_sigs_t(
struct proc *p,
struct vnode *vp,
off_t offset,
struct label *label
);
/**
@brief Create a new vnode, backed by extended attributes
@param cred User credential for the creating process
@param mp File system mount point
@param mntlabel File system mount point label
@param dvp Parent directory vnode
@param dlabel Parent directory vnode label
@param vp Newly created vnode
@param vlabel Label to associate with the new vnode
@param cnp Component name for vp
Write out the label for the newly created vnode, most likely storing
the results in a file system extended attribute. Most policies will
derive the new vnode label using information from a combination
of the subject (user) credential, the file system label, the parent
directory label, and potentially the path name component.
@return If the operation succeeds, store the new label in vlabel and
return 0. Otherwise, return an appropriate errno value.
*/
typedef int mpo_vnode_notify_create_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mntlabel,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp,
struct label *vlabel,
struct componentname *cnp
);
/**
@brief Inform MAC policies that a vnode has been opened
@param cred User credential for the creating process
@param vp vnode opened
@param label Policy label for the vp
@param acc_mode open(2) access mode used
Inform Mac policies that a vnode have been successfully opened
(passing all MAC polices and DAC).
*/
typedef void mpo_vnode_notify_open_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
int acc_mode
);
/**
@brief Inform MAC policies that a vnode has been renamed
@param cred User credential for the renaming process
@param vp Vnode that's being renamed
@param label Policy label for vp
@param dvp Parent directory for the destination
@param dlabel Policy label for dvp
@param cnp Component name for the destination
Inform MAC policies that a vnode has been renamed.
*/
typedef void mpo_vnode_notify_rename_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
struct vnode *dvp,
struct label *dlabel,
struct componentname *cnp
);
/**
@brief Inform MAC policies that a vnode has been linked
@param cred User credential for the renaming process
@param dvp Parent directory for the destination
@param dlabel Policy label for dvp
@param vp Vnode that's being linked
@param vlabel Policy label for vp
@param cnp Component name for the destination
Inform MAC policies that a vnode has been linked.
*/
typedef void mpo_vnode_notify_link_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp,
struct label *vlabel,
struct componentname *cnp
);
/**
@brief Inform MAC policies that an extended attribute has been removed from a vnode
@param cred Subject credential
@param vp Object node
@param label Policy label for vp
@param name Extended attribute name
Inform MAC policies that an extended attribute has been removed from a vnode.
*/
typedef void mpo_vnode_notify_deleteextattr_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
const char *name
);
/**
@brief Inform MAC policies that an ACL has been set on a vnode
@param cred Subject credential
@param vp Object node
@param label Policy label for vp
@param acl ACL structure pointer
Inform MAC policies that an ACL has been set on a vnode.
*/
typedef void mpo_vnode_notify_setacl_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
struct kauth_acl *acl
);
/**
@brief Inform MAC policies that an attributes have been set on a vnode
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param alist List of attributes to set
Inform MAC policies that an attributes have been set on a vnode.
*/
typedef void mpo_vnode_notify_setattrlist_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
struct attrlist *alist
);
/**
@brief Inform MAC policies that an extended attribute has been set on a vnode
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param name Extended attribute name
@param uio I/O structure pointer
Inform MAC policies that an extended attribute has been set on a vnode.
*/
typedef void mpo_vnode_notify_setextattr_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
const char *name,
struct uio *uio
);
/**
@brief Inform MAC policies that flags have been set on a vnode
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param flags File flags; see chflags(2)
Inform MAC policies that flags have been set on a vnode.
*/
typedef void mpo_vnode_notify_setflags_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
u_long flags
);
/**
@brief Inform MAC policies that a new mode has been set on a vnode
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param mode File mode; see chmod(2)
Inform MAC policies that a new mode has been set on a vnode.
*/
typedef void mpo_vnode_notify_setmode_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
mode_t mode
);
/**
@brief Inform MAC policies that new uid/gid have been set on a vnode
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param uid User ID
@param gid Group ID
Inform MAC policies that new uid/gid have been set on a vnode.
*/
typedef void mpo_vnode_notify_setowner_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
uid_t uid,
gid_t gid
);
/**
@brief Inform MAC policies that new timestamps have been set on a vnode
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param atime Access time; see utimes(2)
@param mtime Modification time; see utimes(2)
Inform MAC policies that new timestamps have been set on a vnode.
*/
typedef void mpo_vnode_notify_setutimes_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
struct timespec atime,
struct timespec mtime
);
/**
@brief Inform MAC policies that a vnode has been truncated
@param cred Subject credential
@param file_cred Credential associated with the struct fileproc
@param vp Object vnode
@param label Policy label for vp
Inform MAC policies that a vnode has been truncated.
*/
typedef void mpo_vnode_notify_truncate_t(
kauth_cred_t cred,
kauth_cred_t file_cred,
struct vnode *vp,
struct label *label
);
/**
@brief Inform MAC policies that a pty slave has been granted
@param p Responsible process
@param tp tty data structure
@param dev Major and minor numbers of device
@param label Policy label for tp
Inform MAC policies that a pty slave has been granted.
*/
typedef void mpo_pty_notify_grant_t(
proc_t p,
struct tty *tp,
dev_t dev,
struct label *label
);
/**
@brief Inform MAC policies that a pty master has been closed
@param p Responsible process
@param tp tty data structure
@param dev Major and minor numbers of device
@param label Policy label for tp
Inform MAC policies that a pty master has been closed.
*/
typedef void mpo_pty_notify_close_t(
proc_t p,
struct tty *tp,
dev_t dev,
struct label *label
);
/**
@brief Access control check for kext loading
@param cred Subject credential
@param identifier Kext identifier
Determine whether the subject identified by the credential can load the
specified kext.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EPERM for lack of privilege.
*/
typedef int mpo_kext_check_load_t(
kauth_cred_t cred,
const char *identifier
);
/**
@brief Access control check for kext unloading
@param cred Subject credential
@param identifier Kext identifier
Determine whether the subject identified by the credential can unload the
specified kext.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EPERM for lack of privilege.
*/
typedef int mpo_kext_check_unload_t(
kauth_cred_t cred,
const char *identifier
);
/**
@brief Access control check for querying information about loaded kexts
@param cred Subject credential
Determine whether the subject identified by the credential can query
information about loaded kexts.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EPERM for lack of privilege.
*/
typedef int mpo_kext_check_query_t(
kauth_cred_t cred
);
/**
@brief Access control check for getting NVRAM variables.
@param cred Subject credential
@param name NVRAM variable to get
Determine whether the subject identifier by the credential can get the
value of the named NVRAM variable.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EPERM for lack of privilege.
*/
typedef int mpo_iokit_check_nvram_get_t(
kauth_cred_t cred,
const char *name
);
/**
@brief Access control check for setting NVRAM variables.
@param cred Subject credential
@param name NVRAM variable to set
@param value The new value for the NVRAM variable
Determine whether the subject identifier by the credential can set the
value of the named NVRAM variable.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EPERM for lack of privilege.
*/
typedef int mpo_iokit_check_nvram_set_t(
kauth_cred_t cred,
const char *name,
io_object_t value
);
/**
@brief Access control check for deleting NVRAM variables.
@param cred Subject credential
@param name NVRAM variable to delete
Determine whether the subject identifier by the credential can delete the
named NVRAM variable.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EPERM for lack of privilege.
*/
typedef int mpo_iokit_check_nvram_delete_t(
kauth_cred_t cred,
const char *name
);
/*
* Placeholder for future events that may need mac hooks.
*/
typedef void mpo_reserved_hook_t(void);
/*
* Policy module operations.
*
* Please note that this should be kept in sync with the check assumptions
* policy in bsd/kern/policy_check.c (policy_ops struct).
*/
#define MAC_POLICY_OPS_VERSION 47 /* inc when new reserved slots are taken */
struct mac_policy_ops {
mpo_audit_check_postselect_t *mpo_audit_check_postselect;
mpo_audit_check_preselect_t *mpo_audit_check_preselect;
mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init;
mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive;
mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
mpo_cred_check_label_update_t *mpo_cred_check_label_update;
mpo_cred_check_visible_t *mpo_cred_check_visible;
mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork;
mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel;
mpo_cred_label_associate_t *mpo_cred_label_associate;
mpo_cred_label_associate_user_t *mpo_cred_label_associate_user;
mpo_cred_label_destroy_t *mpo_cred_label_destroy;
mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit;
mpo_cred_label_externalize_t *mpo_cred_label_externalize;
mpo_cred_label_init_t *mpo_cred_label_init;
mpo_cred_label_internalize_t *mpo_cred_label_internalize;
mpo_cred_label_update_execve_t *mpo_cred_label_update_execve;
mpo_cred_label_update_t *mpo_cred_label_update;
mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device;
mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory;
mpo_devfs_label_copy_t *mpo_devfs_label_copy;
mpo_devfs_label_destroy_t *mpo_devfs_label_destroy;
mpo_devfs_label_init_t *mpo_devfs_label_init;
mpo_devfs_label_update_t *mpo_devfs_label_update;
mpo_file_check_change_offset_t *mpo_file_check_change_offset;
mpo_file_check_create_t *mpo_file_check_create;
mpo_file_check_dup_t *mpo_file_check_dup;
mpo_file_check_fcntl_t *mpo_file_check_fcntl;
mpo_file_check_get_offset_t *mpo_file_check_get_offset;
mpo_file_check_get_t *mpo_file_check_get;
mpo_file_check_inherit_t *mpo_file_check_inherit;
mpo_file_check_ioctl_t *mpo_file_check_ioctl;
mpo_file_check_lock_t *mpo_file_check_lock;
mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade;
mpo_file_check_mmap_t *mpo_file_check_mmap;
mpo_file_check_receive_t *mpo_file_check_receive;
mpo_file_check_set_t *mpo_file_check_set;
mpo_file_label_init_t *mpo_file_label_init;
mpo_file_label_destroy_t *mpo_file_label_destroy;
mpo_file_label_associate_t *mpo_file_label_associate;
mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update;
mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit;
mpo_ifnet_label_associate_t *mpo_ifnet_label_associate;
mpo_ifnet_label_copy_t *mpo_ifnet_label_copy;
mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy;
mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize;
mpo_ifnet_label_init_t *mpo_ifnet_label_init;
mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize;
mpo_ifnet_label_update_t *mpo_ifnet_label_update;
mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle;
mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver;
mpo_inpcb_label_associate_t *mpo_inpcb_label_associate;
mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy;
mpo_inpcb_label_init_t *mpo_inpcb_label_init;
mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle;
mpo_inpcb_label_update_t *mpo_inpcb_label_update;
mpo_iokit_check_device_t *mpo_iokit_check_device;
mpo_ipq_label_associate_t *mpo_ipq_label_associate;
mpo_ipq_label_compare_t *mpo_ipq_label_compare;
mpo_ipq_label_destroy_t *mpo_ipq_label_destroy;
mpo_ipq_label_init_t *mpo_ipq_label_init;
mpo_ipq_label_update_t *mpo_ipq_label_update;
mpo_file_check_library_validation_t *mpo_file_check_library_validation;
mpo_vnode_notify_setacl_t *mpo_vnode_notify_setacl;
mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist;
mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr;
mpo_vnode_notify_setflags_t *mpo_vnode_notify_setflags;
mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode;
mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner;
mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes;
mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate;
mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq;
mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap;
mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
mpo_mbuf_label_copy_t *mpo_mbuf_label_copy;
mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy;
mpo_mbuf_label_init_t *mpo_mbuf_label_init;
mpo_mount_check_fsctl_t *mpo_mount_check_fsctl;
mpo_mount_check_getattr_t *mpo_mount_check_getattr;
mpo_mount_check_label_update_t *mpo_mount_check_label_update;
mpo_mount_check_mount_t *mpo_mount_check_mount;
mpo_mount_check_remount_t *mpo_mount_check_remount;
mpo_mount_check_setattr_t *mpo_mount_check_setattr;
mpo_mount_check_stat_t *mpo_mount_check_stat;
mpo_mount_check_umount_t *mpo_mount_check_umount;
mpo_mount_label_associate_t *mpo_mount_label_associate;
mpo_mount_label_destroy_t *mpo_mount_label_destroy;
mpo_mount_label_externalize_t *mpo_mount_label_externalize;
mpo_mount_label_init_t *mpo_mount_label_init;
mpo_mount_label_internalize_t *mpo_mount_label_internalize;
mpo_netinet_fragment_t *mpo_netinet_fragment;
mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply;
mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply;
mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
mpo_pipe_check_label_update_t *mpo_pipe_check_label_update;
mpo_pipe_check_read_t *mpo_pipe_check_read;
mpo_pipe_check_select_t *mpo_pipe_check_select;
mpo_pipe_check_stat_t *mpo_pipe_check_stat;
mpo_pipe_check_write_t *mpo_pipe_check_write;
mpo_pipe_label_associate_t *mpo_pipe_label_associate;
mpo_pipe_label_copy_t *mpo_pipe_label_copy;
mpo_pipe_label_destroy_t *mpo_pipe_label_destroy;
mpo_pipe_label_externalize_t *mpo_pipe_label_externalize;
mpo_pipe_label_init_t *mpo_pipe_label_init;
mpo_pipe_label_internalize_t *mpo_pipe_label_internalize;
mpo_pipe_label_update_t *mpo_pipe_label_update;
mpo_policy_destroy_t *mpo_policy_destroy;
mpo_policy_init_t *mpo_policy_init;
mpo_policy_initbsd_t *mpo_policy_initbsd;
mpo_policy_syscall_t *mpo_policy_syscall;
mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname;
mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports;
mpo_vnode_check_rename_t *mpo_vnode_check_rename;
mpo_kext_check_query_t *mpo_kext_check_query;
mpo_iokit_check_nvram_get_t *mpo_iokit_check_nvram_get;
mpo_iokit_check_nvram_set_t *mpo_iokit_check_nvram_set;
mpo_iokit_check_nvram_delete_t *mpo_iokit_check_nvram_delete;
mpo_proc_check_expose_task_t *mpo_proc_check_expose_task;
mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port;
mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port;
mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send;
mpo_exc_action_label_associate_t *mpo_exc_action_label_associate;
mpo_exc_action_label_copy_t *mpo_exc_action_label_copy;
mpo_exc_action_label_destroy_t *mpo_exc_action_label_destroy;
mpo_exc_action_label_init_t *mpo_exc_action_label_init;
mpo_exc_action_label_update_t *mpo_exc_action_label_update;
mpo_reserved_hook_t *mpo_reserved1;
mpo_reserved_hook_t *mpo_reserved2;
mpo_reserved_hook_t *mpo_reserved3;
mpo_reserved_hook_t *mpo_reserved4;
mpo_reserved_hook_t *mpo_reserved5;
mpo_reserved_hook_t *mpo_reserved6;
mpo_posixsem_check_create_t *mpo_posixsem_check_create;
mpo_posixsem_check_open_t *mpo_posixsem_check_open;
mpo_posixsem_check_post_t *mpo_posixsem_check_post;
mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink;
mpo_posixsem_check_wait_t *mpo_posixsem_check_wait;
mpo_posixsem_label_associate_t *mpo_posixsem_label_associate;
mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy;
mpo_posixsem_label_init_t *mpo_posixsem_label_init;
mpo_posixshm_check_create_t *mpo_posixshm_check_create;
mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap;
mpo_posixshm_check_open_t *mpo_posixshm_check_open;
mpo_posixshm_check_stat_t *mpo_posixshm_check_stat;
mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate;
mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink;
mpo_posixshm_label_associate_t *mpo_posixshm_label_associate;
mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy;
mpo_posixshm_label_init_t *mpo_posixshm_label_init;
mpo_proc_check_debug_t *mpo_proc_check_debug;
mpo_proc_check_fork_t *mpo_proc_check_fork;
mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name;
mpo_proc_check_get_task_t *mpo_proc_check_get_task;
mpo_proc_check_getaudit_t *mpo_proc_check_getaudit;
mpo_proc_check_getauid_t *mpo_proc_check_getauid;
mpo_proc_check_getlcid_t *mpo_proc_check_getlcid;
mpo_proc_check_mprotect_t *mpo_proc_check_mprotect;
mpo_proc_check_sched_t *mpo_proc_check_sched;
mpo_proc_check_setaudit_t *mpo_proc_check_setaudit;
mpo_proc_check_setauid_t *mpo_proc_check_setauid;
mpo_proc_check_setlcid_t *mpo_proc_check_setlcid;
mpo_proc_check_signal_t *mpo_proc_check_signal;
mpo_proc_check_wait_t *mpo_proc_check_wait;
mpo_proc_label_destroy_t *mpo_proc_label_destroy;
mpo_proc_label_init_t *mpo_proc_label_init;
mpo_socket_check_accept_t *mpo_socket_check_accept;
mpo_socket_check_accepted_t *mpo_socket_check_accepted;
mpo_socket_check_bind_t *mpo_socket_check_bind;
mpo_socket_check_connect_t *mpo_socket_check_connect;
mpo_socket_check_create_t *mpo_socket_check_create;
mpo_socket_check_deliver_t *mpo_socket_check_deliver;
mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter;
mpo_socket_check_label_update_t *mpo_socket_check_label_update;
mpo_socket_check_listen_t *mpo_socket_check_listen;
mpo_socket_check_receive_t *mpo_socket_check_receive;
mpo_socket_check_received_t *mpo_socket_check_received;
mpo_socket_check_select_t *mpo_socket_check_select;
mpo_socket_check_send_t *mpo_socket_check_send;
mpo_socket_check_stat_t *mpo_socket_check_stat;
mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt;
mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt;
mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept;
mpo_socket_label_associate_t *mpo_socket_label_associate;
mpo_socket_label_copy_t *mpo_socket_label_copy;
mpo_socket_label_destroy_t *mpo_socket_label_destroy;
mpo_socket_label_externalize_t *mpo_socket_label_externalize;
mpo_socket_label_init_t *mpo_socket_label_init;
mpo_socket_label_internalize_t *mpo_socket_label_internalize;
mpo_socket_label_update_t *mpo_socket_label_update;
mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf;
mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket;
mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy;
mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize;
mpo_socketpeer_label_init_t *mpo_socketpeer_label_init;
mpo_system_check_acct_t *mpo_system_check_acct;
mpo_system_check_audit_t *mpo_system_check_audit;
mpo_system_check_auditctl_t *mpo_system_check_auditctl;
mpo_system_check_auditon_t *mpo_system_check_auditon;
mpo_system_check_host_priv_t *mpo_system_check_host_priv;
mpo_system_check_nfsd_t *mpo_system_check_nfsd;
mpo_system_check_reboot_t *mpo_system_check_reboot;
mpo_system_check_settime_t *mpo_system_check_settime;
mpo_system_check_swapoff_t *mpo_system_check_swapoff;
mpo_system_check_swapon_t *mpo_system_check_swapon;
mpo_reserved_hook_t *mpo_reserved7;
mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate;
mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy;
mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init;
mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle;
mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue;
mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv;
mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid;
mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl;
mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget;
mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv;
mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd;
mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate;
mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy;
mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init;
mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle;
mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl;
mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget;
mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop;
mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate;
mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy;
mpo_sysvsem_label_init_t *mpo_sysvsem_label_init;
mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle;
mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat;
mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl;
mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt;
mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget;
mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate;
mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy;
mpo_sysvshm_label_init_t *mpo_sysvshm_label_init;
mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle;
mpo_reserved_hook_t *mpo_reserved8;
mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert;
mpo_vnode_check_getattr_t *mpo_vnode_check_getattr;
mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create;
mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete;
mpo_vnode_check_clone_t *mpo_vnode_check_clone;
mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info;
mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info;
mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control;
mpo_vnode_check_access_t *mpo_vnode_check_access;
mpo_vnode_check_chdir_t *mpo_vnode_check_chdir;
mpo_vnode_check_chroot_t *mpo_vnode_check_chroot;
mpo_vnode_check_create_t *mpo_vnode_check_create;
mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr;
mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata;
mpo_vnode_check_exec_t *mpo_vnode_check_exec;
mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist;
mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr;
mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl;
mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter;
mpo_vnode_check_label_update_t *mpo_vnode_check_label_update;
mpo_vnode_check_link_t *mpo_vnode_check_link;
mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr;
mpo_vnode_check_lookup_t *mpo_vnode_check_lookup;
mpo_vnode_check_open_t *mpo_vnode_check_open;
mpo_vnode_check_read_t *mpo_vnode_check_read;
mpo_vnode_check_readdir_t *mpo_vnode_check_readdir;
mpo_vnode_check_readlink_t *mpo_vnode_check_readlink;
mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from;
mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to;
mpo_vnode_check_revoke_t *mpo_vnode_check_revoke;
mpo_vnode_check_select_t *mpo_vnode_check_select;
mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist;
mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr;
mpo_vnode_check_setflags_t *mpo_vnode_check_setflags;
mpo_vnode_check_setmode_t *mpo_vnode_check_setmode;
mpo_vnode_check_setowner_t *mpo_vnode_check_setowner;
mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes;
mpo_vnode_check_stat_t *mpo_vnode_check_stat;
mpo_vnode_check_truncate_t *mpo_vnode_check_truncate;
mpo_vnode_check_unlink_t *mpo_vnode_check_unlink;
mpo_vnode_check_write_t *mpo_vnode_check_write;
mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs;
mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr;
mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file;
mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe;
mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem;
mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm;
mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel;
mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket;
mpo_vnode_label_copy_t *mpo_vnode_label_copy;
mpo_vnode_label_destroy_t *mpo_vnode_label_destroy;
mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit;
mpo_vnode_label_externalize_t *mpo_vnode_label_externalize;
mpo_vnode_label_init_t *mpo_vnode_label_init;
mpo_vnode_label_internalize_t *mpo_vnode_label_internalize;
mpo_vnode_label_recycle_t *mpo_vnode_label_recycle;
mpo_vnode_label_store_t *mpo_vnode_label_store;
mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr;
mpo_vnode_label_update_t *mpo_vnode_label_update;
mpo_vnode_notify_create_t *mpo_vnode_notify_create;
mpo_vnode_check_signature_t *mpo_vnode_check_signature;
mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind;
mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect;
mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid;
mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume;
mpo_thread_userret_t *mpo_thread_userret;
mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties;
mpo_system_check_chud_t *mpo_system_check_chud;
mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs;
mpo_priv_check_t *mpo_priv_check;
mpo_priv_grant_t *mpo_priv_grant;
mpo_proc_check_map_anon_t *mpo_proc_check_map_anon;
mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath;
mpo_iokit_check_open_t *mpo_iokit_check_open;
mpo_proc_check_ledger_t *mpo_proc_check_ledger;
mpo_vnode_notify_rename_t *mpo_vnode_notify_rename;
mpo_vnode_check_setacl_t *mpo_vnode_check_setacl;
mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr;
mpo_system_check_kas_info_t *mpo_system_check_kas_info;
mpo_proc_check_cpumon_t *mpo_proc_check_cpumon;
mpo_vnode_notify_open_t *mpo_vnode_notify_open;
mpo_system_check_info_t *mpo_system_check_info;
mpo_pty_notify_grant_t *mpo_pty_notify_grant;
mpo_pty_notify_close_t *mpo_pty_notify_close;
mpo_vnode_find_sigs_t *mpo_vnode_find_sigs;
mpo_kext_check_load_t *mpo_kext_check_load;
mpo_kext_check_unload_t *mpo_kext_check_unload;
mpo_proc_check_proc_info_t *mpo_proc_check_proc_info;
mpo_vnode_notify_link_t *mpo_vnode_notify_link;
mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties;
mpo_iokit_check_get_property_t *mpo_iokit_check_get_property;
};
/**
@brief MAC policy handle type
The MAC handle is used to uniquely identify a loaded policy within
the MAC Framework.
A variable of this type is set by mac_policy_register().
*/
typedef unsigned int mac_policy_handle_t;
#define mpc_t struct mac_policy_conf *
/**
@brief Mac policy configuration
This structure specifies the configuration information for a
MAC policy module. A policy module developer must supply
a short unique policy name, a more descriptive full name, a list of label
namespaces and count, a pointer to the registered enty point operations,
any load time flags, and optionally, a pointer to a label slot identifier.
The Framework will update the runtime flags (mpc_runtime_flags) to
indicate that the module has been registered.
If the label slot identifier (mpc_field_off) is NULL, the Framework
will not provide label storage for the policy. Otherwise, the
Framework will store the label location (slot) in this field.
The mpc_list field is used by the Framework and should not be
modified by policies.
*/
/* XXX - reorder these for better aligment on 64bit platforms */
struct mac_policy_conf {
const char *mpc_name; /** policy name */
const char *mpc_fullname; /** full name */
char const * const *mpc_labelnames; /** managed label namespaces */
unsigned int mpc_labelname_count; /** number of managed label namespaces */
struct mac_policy_ops *mpc_ops; /** operation vector */
int mpc_loadtime_flags; /** load time flags */
int *mpc_field_off; /** label slot */
int mpc_runtime_flags; /** run time flags */
mpc_t mpc_list; /** List reference */
void *mpc_data; /** module data */
};
/**
@brief MAC policy module registration routine
This function is called to register a policy with the
MAC framework. A policy module will typically call this from the
Darwin KEXT registration routine.
*/
int mac_policy_register(struct mac_policy_conf *mpc,
mac_policy_handle_t *handlep, void *xd);
/**
@brief MAC policy module de-registration routine
This function is called to de-register a policy with theD
MAC framework. A policy module will typically call this from the
Darwin KEXT de-registration routine.
*/
int mac_policy_unregister(mac_policy_handle_t handle);
/*
* Framework entry points for the policies to add audit data.
*/
int mac_audit_text(char *text, mac_policy_handle_t handle);
/*
* Calls to assist with use of Apple XATTRs within policy modules.
*/
int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t);
int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t,
size_t *);
int mac_vnop_removexattr(struct vnode *, const char *);
/**
@brief Set an extended attribute on a vnode-based fileglob.
@param fg fileglob representing file to attach the extended attribute
@param name extended attribute name
@param buf buffer of data to use as the extended attribute value
@param len size of buffer
Sets the value of an extended attribute on a file.
Caller must hold an iocount on the vnode represented by the fileglob.
*/
int mac_file_setxattr(struct fileglob *fg, const char *name, char *buf, size_t len);
/**
@brief Get an extended attribute from a vnode-based fileglob.
@param fg fileglob representing file to read the extended attribute
@param name extended attribute name
@param buf buffer of data to hold the extended attribute value
@param len size of buffer
@param attrlen size of full extended attribute value
Gets the value of an extended attribute on a file.
Caller must hold an iocount on the vnode represented by the fileglob.
*/
int mac_file_getxattr(struct fileglob *fg, const char *name, char *buf, size_t len,
size_t *attrlen);
/**
@brief Remove an extended attribute from a vnode-based fileglob.
@param fg fileglob representing file to remove the extended attribute
@param name extended attribute name
Removes the named extended attribute from the file.
Caller must hold an iocount on the vnode represented by the fileglob.
*/
int mac_file_removexattr(struct fileglob *fg, const char *name);
/*
* Arbitrary limit on how much data will be logged by the audit
* entry points above.
*/
#define MAC_AUDIT_DATA_LIMIT 1024
/*
* Values returned by mac_audit_{pre,post}select. To combine the responses
* of the security policies into a single decision,
* mac_audit_{pre,post}select() choose the greatest value returned.
*/
#define MAC_AUDIT_DEFAULT 0 /* use system behavior */
#define MAC_AUDIT_NO 1 /* force not auditing this event */
#define MAC_AUDIT_YES 2 /* force auditing this event */
// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field
/**
@name Flags for the mpc_loadtime_flags field
@see mac_policy_conf
This is the complete list of flags that are supported by the
mpc_loadtime_flags field of the mac_policy_conf structure. These
flags specify the load time behavior of MAC Framework policy
modules.
*/
/*@{*/
/**
@brief Flag to indicate registration preference
This flag indicates that the policy module must be loaded and
initialized early in the boot process. If the flag is specified,
attempts to register the module following boot will be rejected. The
flag may be used by policies that require pervasive labeling of all
system objects, and cannot handle objects that have not been
properly initialized by the policy.
*/
#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
/**
@brief Flag to indicate unload preference
This flag indicates that the policy module may be unloaded. If this
flag is not set, then the policy framework will reject requests to
unload the module. This flag might be used by modules that allocate
label state and are unable to free that state at runtime, or for
modules that simply do not want to permit unload operations.
*/
#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
/**
@brief Unsupported
XXX This flag is not yet supported.
*/
#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
/**
@brief Flag to indicate a base policy
This flag indicates that the policy module is a base policy. Only
one module can declare itself as base, otherwise the boot process
will be halted.
*/
#define MPC_LOADTIME_BASE_POLICY 0x00000008
/*@}*/
/**
@brief Policy registration flag
@see mac_policy_conf
This flag indicates that the policy module has been successfully
registered with the TrustedBSD MAC Framework. The Framework will
set this flag in the mpc_runtime_flags field of the policy's
mac_policy_conf structure after registering the policy.
*/
#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
/*
* Depends on POLICY_VER
*/
#ifndef POLICY_VER
#define POLICY_VER 1.0
#endif
#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \
static struct mac_policy_conf mpname##_mac_policy_conf = { \
.mpc_name = #mpname, \
.mpc_fullname = mpfullname, \
.mpc_labelnames = lnames, \
.mpc_labelname_count = lcount, \
.mpc_ops = mpops, \
.mpc_loadtime_flags = lflags, \
.mpc_field_off = slot, \
.mpc_runtime_flags = rflags \
}; \
\
static kern_return_t \
kmod_start(kmod_info_t *ki, void *xd) \
{ \
return mac_policy_register(&mpname##_mac_policy_conf, \
&handle, xd); \
} \
\
static kern_return_t \
kmod_stop(kmod_info_t *ki, void *xd) \
{ \
return mac_policy_unregister(handle); \
} \
\
extern kern_return_t _start(kmod_info_t *ki, void *data); \
extern kern_return_t _stop(kmod_info_t *ki, void *data); \
\
KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \
kmod_start_func_t *_realmain = kmod_start; \
kmod_stop_func_t *_antimain = kmod_stop; \
int _kext_apple_cc = __APPLE_CC__
#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]
/*
* Policy interface to map a struct label pointer to per-policy data.
* Typically, policies wrap this in their own accessor macro that casts an
* intptr_t to a policy-specific data type.
*/
intptr_t mac_label_get(struct label *l, int slot);
void mac_label_set(struct label *l, int slot, intptr_t v);
#define mac_get_mpc(h) (mac_policy_list.entries[h].mpc)
/**
@name Flags for MAC allocator interfaces
These flags are passed to the Darwin kernel allocator routines to
indicate whether the allocation is permitted to block or not.
Caution should be taken; some operations are not permitted to sleep,
and some types of locks cannot be held when sleeping.
*/
/*@{*/
/**
@brief Allocation operations may block
If memory is not immediately available, the allocation routine
will block (typically sleeping) until memory is available.
@warning Inappropriate use of this flag may cause kernel panics.
*/
#define MAC_WAITOK 0
/**
@brief Allocation operations may not block
Rather than blocking, the allocator may return an error if memory
is not immediately available. This type of allocation will not
sleep, preserving locking semantics.
*/
#define MAC_NOWAIT 1
/*@}*/
#ifdef __cplusplus
}
#endif
#endif /* !_SECURITY_MAC_POLICY_H_ */
================================================
FILE: EFI/CLOVER/kexts/Other/Lilu_v1.3.7.kext/Contents/Resources/Library/wrappers/build.tool
================================================
#!/bin/bash
#
# build.tool
# Lilu
#
# Copyright © 2018 vit9696. All rights reserved.
#
cd $(dirname "$0") || exit 1
rm -f *.o *.bin wrappers.inc entry32 entry64
clang -m32 -c entry32.S || exit 1
clang -m64 -c entry64.S || exit 1
clang -m32 entry32.o -o entry32 || exit 1
clang -m64 entry64.o -o entry64 || exit 1
if [ "$(nm entry32.o | grep '00000000 T _main')" == "" ] || [ "$(nm entry64.o | grep '0000000000000000 T _main')" == "" ]; then
echo "Invalid main address"
exit 1
fi
otool -t entry32 | grep -E '^0000' | sed 's#^[0-9a-f]*##' | xxd -r -p > entry32.bin
otool -t entry64 | grep -E '^0000' | sed 's#^[0-9a-f]*##' | xxd -r -p > entry64.bin
sz32=$(stat -f '%z' entry32.bin)
sz64=$(stat -f '%z' entry64.bin)
btr32=$(nm entry32.o | grep -E 't booter$' | cut -f1 -d' ')
btr64=$(nm entry64.o | grep -E 't booter$' | cut -f1 -d' ')
ep32=$(nm entry32.o | grep -E 't entrypoint$' | cut -f1 -d' ')
ep64=$(nm entry64.o | grep -E 't entrypoint$' | cut -f1 -d' ')
echo '//' > wrappers.inc
echo '// wrappers.inc' >> wrappers.inc
echo '// Lilu' >> wrappers.inc
echo '//' >> wrappers.inc
echo '// Copyright © 2018 vit9696. All rights reserved.' >> wrappers.inc
echo '//' >> wrappers.inc
echo '' >> wrappers.inc
echo '// This is an autogenerated file, do not edit!' >> wrappers.inc
echo 'static uint8_t entryWrapper32[] = {' >> wrappers.inc
cat entry32.bin | xxd -i >> wrappers.inc
echo '};' >> wrappers.inc
echo 'static uint8_t entryWrapper64[] = {' >> wrappers.inc
cat entry64.bin | xxd -i >> wrappers.inc
echo '};' >> wrappers.inc
echo "static_assert(sizeof(entryWrapper32) == ${sz32}, \"Invalid entryWrapper32 size\");" >> wrappers.inc
echo "static_assert(sizeof(entryWrapper64) == ${sz64}, \"Invalid entryWrapper64 size\");" >> wrappers.inc
echo "static constexpr size_t EntryWrapper32Booter {0x${btr32}};" >> wrappers.inc
echo "static constexpr size_t EntryWrapper64Booter {0x${btr64}};" >> wrappers.inc
echo "static constexpr size_t EntryWrapper32Entry {0x${ep32}};" >> wrappers.inc
echo "static constexpr size_t EntryWrapper64Entry {0x${ep64}};" >> wrappers.inc
rm -f *.o *.bin entry32 entry64
================================================
FILE: EFI/CLOVER/kexts/Other/Lilu_v1.3.7.kext/Contents/Resources/Library/wrappers/entry32.S
================================================
#
# entry32.S
# Lilu
#
# Copyright © 2018 vit9696. All rights reserved.
#
.text
.global _main
_main:
push %ebp
mov %esp, %ebp
# ensure 16-byte alignment
and $0xfffffff0, %esp
# int main(int argc, const char* argv[], const char* envp[], const char* apple[]);
push 20(%ebp)
push 16(%ebp)
push 12(%ebp)
push 8(%ebp)
call get_booter
# entrypoint-compatible wrapper
booter:
.word 0xFFFF
.word 0xFFFF
get_booter:
pop %edx
mov (%edx), %edx
call *%edx
xor %eax, %eax
mov %ebp, %esp
pop %ebp
call get_entrypoint
# original entrypoint (main)
entrypoint:
.word 0xFFFF
.word 0xFFFF
get_entrypoint:
pop %edx
mov (%edx), %edx
jmp *%edx
_end:
================================================
FILE: EFI/CLOVER/kexts/Other/Lilu_v1.3.7.kext/Contents/Resources/Library/wrappers/entry64.S
================================================
#
# entry64.S
# Lilu
#
# Copyright © 2018 vit9696. All rights reserved.
#
.text
.global _main
_main:
push %rbp
mov %rsp, %rbp
# ensure 16-byte alignment
and $0xfffffffffffffff0, %rsp
# int main(int argc, const char* argv[], const char* envp[], const char* apple[]);
push %rdi
push %rsi
push %rdx
push %rcx
call *booter(%rip)
xor %eax, %eax
pop %rcx
pop %rdx
pop %rsi
pop %rdi
mov %rbp, %rsp
pop %rbp
jmp *entrypoint(%rip)
# original entrypoint (main)
entrypoint:
.word 0xFFFF
.word 0xFFFF
.word 0xFFFF
.word 0xFFFF
# entrypoint-compatible wrapper
booter:
.word 0xFFFF
.word 0xFFFF
.word 0xFFFF
.word 0xFFFF
_end:
================================================
FILE: EFI/CLOVER/kexts/Other/Lilu_v1.3.7.kext/Contents/Resources/Library/wrappers/wrappers.inc
================================================
//
// wrappers.inc
// Lilu
//
// Copyright © 2018 vit9696. All rights reserved.
//
// This is an autogenerated file, do not edit!
static uint8_t entryWrapper32[] = {
0x55, 0x89, 0xe5, 0x83, 0xe4, 0xf0, 0xff, 0x75, 0x14, 0xff, 0x75, 0x10,
0xff, 0x75, 0x0c, 0xff, 0x75, 0x08, 0xe8, 0x04, 0x00, 0x00, 0x00, 0xff,
0xff, 0xff, 0xff, 0x5a, 0x8b, 0x12, 0xff, 0xd2, 0x31, 0xc0, 0x89, 0xec,
0x5d, 0xe8, 0x04, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x5a, 0x8b,
0x12, 0xff, 0xe2
};
static uint8_t entryWrapper64[] = {
0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xe4, 0xf0, 0x57, 0x56, 0x52, 0x51,
0xff, 0x15, 0x18, 0x00, 0x00, 0x00, 0x31, 0xc0, 0x59, 0x5a, 0x5e, 0x5f,
0x48, 0x89, 0xec, 0x5d, 0xff, 0x25, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff
};
static_assert(sizeof(entryWrapper32) == 51, "Invalid entryWrapper32 size");
static_assert(sizeof(entryWrapper64) == 50, "Invalid entryWrapper64 size");
static constexpr size_t EntryWrapper32Booter {0x00000017};
static constexpr size_t EntryWrapper64Booter {0x000000000000002a};
static constexpr size_t EntryWrapper32Entry {0x0000002a};
static constexpr size_t EntryWrapper64Entry {0x0000000000000022};
================================================
FILE: EFI/CLOVER/kexts/Other/RealtekRTL8111.kext/Contents/Info.plist
================================================
BuildMachineOSBuild
16D32
CFBundleDevelopmentRegion
English
CFBundleExecutable
RealtekRTL8111
CFBundleIdentifier
com.insanelymac.RealtekRTL8111
CFBundleInfoDictionaryVersion
6.0
CFBundleName
RealtekRTL8111
CFBundlePackageType
KEXT
CFBundleShortVersionString
2.2.1
CFBundleSignature
????
CFBundleSupportedPlatforms
MacOSX
CFBundleVersion
2.2.1
DTCompiler
com.apple.compilers.llvm.clang.1_0
DTPlatformBuild
8C1002
DTPlatformVersion
GM
DTSDKBuild
15E60
DTSDKName
macosx10.11
DTXcode
0821
DTXcodeBuild
8C1002
IOKitPersonalities
RTL8111 PCIe Adapter
CFBundleIdentifier
com.insanelymac.RealtekRTL8111
Driver_Version
2.2.1
IOClass
RTL8111
IOPCIMatch
0x816810ec 0x81681186
IOProbeScore
1000
IOProviderClass
IOPCIDevice
Model
RTL8111
Vendor
Realtek
disableASPM
enableCSO6
enableEEE
enableTSO4
enableTSO6
intrMitigate
24401
rxPolling
NSHumanReadableCopyright
Copyright © 2013 Laura Müller. All rights reserved.
OSBundleLibraries
com.apple.iokit.IONetworkingFamily
1.1.0
com.apple.iokit.IOPCIFamily
1.7
com.apple.kpi.bsd
8.10.0
com.apple.kpi.iokit
8.10.0
com.apple.kpi.libkern
8.10.0
com.apple.kpi.mach
8.10.0
OSBundleRequired
Network-Root
================================================
FILE: EFI/CLOVER/kexts/Other/SMCBatteryManager.kext/Contents/Info.plist
================================================
BuildMachineOSBuild
18F132
CFBundleDevelopmentRegion
en
CFBundleExecutable
SMCBatteryManager
CFBundleIdentifier
ru.usrsse2.SMCBatteryManager
CFBundleInfoDictionaryVersion
6.0
CFBundleName
SMCBatteryManager
CFBundlePackageType
KEXT
CFBundleShortVersionString
1.0
CFBundleSupportedPlatforms
MacOSX
CFBundleVersion
1
DTCompiler
com.apple.compilers.llvm.clang.1_0
DTPlatformBuild
10E1001
DTPlatformVersion
GM
DTSDKBuild
18E219
DTSDKName
macosx10.14
DTXcode
1020
DTXcodeBuild
10E1001
IOKitPersonalities
IOSMBusController
CFBundleIdentifier
ru.usrsse2.SMCBatteryManager
IOClass
SMCSMBusController
IOProviderClass
IOResources
IOResourceMatch
IOKit
SMCBatteryManager
CFBundleIdentifier
ru.usrsse2.SMCBatteryManager
IOClass
SMCBatteryManager
IOMatchCategory
SMCBatteryManager
IOProviderClass
IOResources
IOResourceMatch
IOKit
NSHumanReadableCopyright
Copyright © 2018 usrsse2. All rights reserved.
OSBundleCompatibleVersion
1.0.0
OSBundleLibraries
as.vit9696.Lilu
1.2.0
as.vit9696.VirtualSMC
1.0.0
com.apple.iokit.IOACPIFamily
1.0.0d1
com.apple.iokit.IOSMBusFamily
1.0.0
com.apple.kpi.bsd
12.0.0
com.apple.kpi.dsep
12.0.0
com.apple.kpi.iokit
12.0.0
com.apple.kpi.libkern
12.0.0
com.apple.kpi.mach
12.0.0
com.apple.kpi.unsupported
12.0.0
OSBundleRequired
Root
================================================
FILE: EFI/CLOVER/kexts/Other/SMCProcessor.kext/Contents/Info.plist
================================================
BuildMachineOSBuild
18F132
CFBundleDevelopmentRegion
en
CFBundleExecutable
SMCProcessor
CFBundleIdentifier
as.vit9696.SMCProcessor
CFBundleInfoDictionaryVersion
6.0
CFBundleName
SMCProcessor
CFBundlePackageType
KEXT
CFBundleShortVersionString
1.0.5
CFBundleSignature
????
CFBundleSupportedPlatforms
MacOSX
CFBundleVersion
1.0.5
DTCompiler
com.apple.compilers.llvm.clang.1_0
DTPlatformBuild
10E1001
DTPlatformVersion
GM
DTSDKBuild
18E219
DTSDKName
macosx10.14
DTXcode
1020
DTXcodeBuild
10E1001
IOKitPersonalities
as.vit9696.SMCProcessor
CFBundleIdentifier
as.vit9696.SMCProcessor
IOClass
SMCProcessor
IOMatchCategory
SMCProcessor
IONameMatch
processor
IOPropertyMatch