mac_policy.h Reference

Kernel Interfaces for MAC policy modules

This header defines the list of operations that are defined by the TrustedBSD MAC Framework on Darwin. MAC Policy modules register with the framework to declare interest in a specific set of operations. If interest in an entry point is not declared, then the policy will be ignored when the Framework evaluates that entry point.

Included Headers

  • <security/_label.h>

Functions

  • mac_policy_register

    MAC policy module registration routine

    Declaration

    int mac_policy_register ( struct mac_policy_conf *mpc, mac_policy_handle_t *handlep, void *xd );

    Discussion

    This function is called to register a policy with the MAC framework. A policy module will typically call this from the Darwin KEXT registration routine.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • mac_policy_unregister

    MAC policy module de-registration routine

    Declaration

    int mac_policy_unregister ( mac_policy_handle_t handle );

    Discussion

    This function is called to de-register a policy with the MAC framework. A policy module will typically call this from the Darwin KEXT de-registration routine.

    Availability

    Available in OS X v10.5 through OS X v10.5.

Callbacks

These are the entry points corresponding to the life cycle events for kernel objects, such as initialization, creation, and destruction.

Most policies (that use labels) will initialize labels by allocating space for policy-specific data. In most cases, it is permitted to sleep during label initialization operations; it will be noted when it is not permitted.

Initialization usually will not require doing more than allocating a generic label for the given object. What follows initialization is creation, where a label is made specific to the object it is associated with. Destruction occurs when the label is no longer needed, such as when the corresponding object is destroyed. All necessary cleanup should be performed in label destroy operations.

Where possible, the label entry points have identical parameters. If the policy module does not require structure-specific label information, the same function may be registered in the policy operation vector. Many policies will implement two such generic allocation calls: one to handle sleepable requests, and one to handle potentially non-sleepable requests.
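The lifecycle described above (initialize, then create by association, then destroy), modelled in user space as an added example rather than code from the header or from Apple. The kernel structures (struct label with per-policy slots, the credential and BPF descriptor layouts) are assumed stand-ins, and the policy's private data is constructed; note how one generic init/destroy pair is registered for both object types.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for kernel structures (assumed layouts for this userland model). */
#define MAC_MAX_SLOTS 4
struct label { void *slot[MAC_MAX_SLOTS]; };        /* one opaque slot per registered policy */
struct cred { unsigned uid; struct label *cr_label; };
typedef struct cred *kauth_cred_t;
struct bpf_d { struct label *bd_label; };

/* Policy-private data hung off the label slot (constructed for this example). */
struct mypol_data { unsigned level; char domain[16]; };
static const int mypol_slot = 0;   /* slot index the framework would hand out at registration */
#define MYPOL(l) ((struct mypol_data *)(l)->slot[mypol_slot])

/* Initialization: allocate generic storage, nothing object-specific yet. This is the
 * sleepable variant; a policy would register a non-blocking twin where sleeping is not allowed. */
static void mypol_label_init(struct label *label) {
    label->slot[mypol_slot] = calloc(1, sizeof(struct mypol_data));
}

/* Destruction: release the storage and clear the slot so a stale pointer can never be reused. */
static void mypol_label_destroy(struct label *label) {
    free(label->slot[mypol_slot]);
    label->slot[mypol_slot] = NULL;
}

/* Creation: make the child credential's label specific by inheriting from its parent. */
static void mypol_cred_label_associate(kauth_cred_t parent_cred, kauth_cred_t child_cred) {
    if (MYPOL(parent_cred->cr_label) && MYPOL(child_cred->cr_label))
        *MYPOL(child_cred->cr_label) = *MYPOL(parent_cred->cr_label);
}

/* Creation for a BPF descriptor: derive its label from the opening credential. */
static void mypol_bpfdesc_label_associate(kauth_cred_t cred, struct bpf_d *bpf_d,
                                          struct label *bpflabel) {
    (void)bpf_d;
    if (MYPOL(cred->cr_label) && MYPOL(bpflabel))
        *MYPOL(bpflabel) = *MYPOL(cred->cr_label);
}

/* Subset of an operation vector. The same generic init/destroy is registered for both object
 * types, which the text permits when no structure-specific label information is needed. */
struct mypol_ops {
    void (*cred_label_init)(struct label *);
    void (*cred_label_destroy)(struct label *);
    void (*cred_label_associate)(kauth_cred_t, kauth_cred_t);
    void (*bpfdesc_label_init)(struct label *);
    void (*bpfdesc_label_destroy)(struct label *);
    void (*bpfdesc_label_associate)(kauth_cred_t, struct bpf_d *, struct label *);
};
static const struct mypol_ops mypol_ops = {
    .cred_label_init = mypol_label_init,
    .cred_label_destroy = mypol_label_destroy,
    .cred_label_associate = mypol_cred_label_associate,
    .bpfdesc_label_init = mypol_label_init,
    .bpfdesc_label_destroy = mypol_label_destroy,
    .bpfdesc_label_associate = mypol_bpfdesc_label_associate,
};

/* Walk init -> associate -> destroy for a parent cred, a forked child cred and a BPF descriptor
 * the child opens. Returns the level the BPF label ended up with, or -1 if inheritance or
 * cleanup went wrong. */
int demo_label_lifecycle(unsigned parent_level) {
    struct label pl = {{0}}, cl = {{0}}, bl = {{0}};
    struct cred parent = { 0, &pl }, child = { 501, &cl };
    struct bpf_d d = { &bl };
    int result;

    mypol_ops.cred_label_init(&pl);
    mypol_ops.cred_label_init(&cl);
    mypol_ops.bpfdesc_label_init(&bl);

    MYPOL(&pl)->level = parent_level;            /* the parent's label is made specific */
    strcpy(MYPOL(&pl)->domain, "netadmin");
    mypol_ops.cred_label_associate(&parent, &child);
    mypol_ops.bpfdesc_label_associate(&child, &d, &bl);

    result = (int)MYPOL(&bl)->level;
    if (strcmp(MYPOL(&bl)->domain, "netadmin") != 0)
        result = -1;

    mypol_ops.bpfdesc_label_destroy(&bl);
    mypol_ops.cred_label_destroy(&cl);
    mypol_ops.cred_label_destroy(&pl);
    if (pl.slot[mypol_slot] != NULL || cl.slot[mypol_slot] != NULL || bl.slot[mypol_slot] != NULL)
        result = -1;                             /* destroy must leave no dangling slot */
    return result;
}
```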

  • Audit event postselection

    Declaration

    typedef int mpo_audit_check_postselect_t( kauth_cred_t cred, unsigned short syscode, void *args, int error, int retval );

    Parameters

    cred

    Subject credential

    syscode

    Syscall number

    args

    Syscall arguments

    error

    Syscall errno

    retval

    Syscall return value

    This is the MAC Framework audit postselect, which is called before exiting a syscall to determine if an audit event should be committed. A return value of MAC_AUDIT_NO forces the audit record to be suppressed. Any other return value results in the audit record being committed.

    Return Value

    Return MAC_AUDIT_NO to force suppression of the audit record. Any other value results in the audit record being committed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Audit event preselection

    Declaration

    typedef int mpo_audit_check_preselect_t( kauth_cred_t cred, unsigned short syscode, void *args );

    Parameters

    cred

    Subject credential

    syscode

    Syscall number

    args

    Syscall arguments

    This is the MAC Framework audit preselect, which is called before a syscall is entered to determine if an audit event should be created. If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be returned. A return value of MAC_AUDIT_NO causes the audit record to be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants to defer to the system's existing preselection mechanism.

    When policies return different preferences, the Framework decides what action to take based on the following rule. If any policy returns MAC_AUDIT_YES, then create an audit record; else if any policy returns MAC_AUDIT_NO, then suppress the creation of an audit record; else defer to the system's existing preselection mechanism.

    Return Value

    Return MAC_AUDIT_YES to force auditing of the syscall, MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT to allow auditing mechanisms to determine if the syscall is audited.

    Availability

    Available in OS X v10.5 through OS X v10.5.
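The combination rule stated above (any MAC_AUDIT_YES wins, otherwise any MAC_AUDIT_NO suppresses, otherwise defer), modelled in user space as an added example that is not code from the header or from Apple. The numeric values of the MAC_AUDIT_* constants, the kauth_cred_t stand-in, the LABEL_NOISY flag and both sample policies are assumptions constructed for the example.

```c
#include <stddef.h>

/* Values assumed for this stand-alone model; the names are the ones used on this page. */
#define MAC_AUDIT_DEFAULT 0
#define MAC_AUDIT_YES     1
#define MAC_AUDIT_NO      2

/* Stand-in for the kernel's kauth_cred_t (constructed): only the fields the sample policies read. */
struct cred { unsigned uid; int label_flags; };
typedef struct cred *kauth_cred_t;
#define LABEL_NOISY 0x1   /* constructed label flag: "this process is expected to be chatty" */

/* Same shape as mpo_audit_check_preselect_t on this page. */
typedef int mpo_audit_check_preselect_t(kauth_cred_t cred, unsigned short syscode, void *args);

/* Sample policy 1 (constructed): force an audit record for every syscall made as uid 0. */
static int root_policy_preselect(kauth_cred_t cred, unsigned short syscode, void *args) {
    (void)syscode; (void)args;
    return cred->uid == 0 ? MAC_AUDIT_YES : MAC_AUDIT_DEFAULT;
}

/* Sample policy 2 (constructed): suppress records for syscall 4 from processes labelled noisy,
 * and defer to the system's own preselection for everything else. */
static int noisy_policy_preselect(kauth_cred_t cred, unsigned short syscode, void *args) {
    (void)args;
    if ((cred->label_flags & LABEL_NOISY) && syscode == 4)
        return MAC_AUDIT_NO;
    return MAC_AUDIT_DEFAULT;
}

/* Framework side: combine the registered policies' answers exactly as the text describes.
 * A NULL entry is a policy that did not declare interest in this entry point and is skipped. */
int mac_audit_preselect_combine(mpo_audit_check_preselect_t *const policies[], size_t n,
                                kauth_cred_t cred, unsigned short syscode, void *args) {
    int decision = MAC_AUDIT_DEFAULT;
    for (size_t i = 0; i < n; i++) {
        if (policies[i] == NULL)
            continue;
        int r = policies[i](cred, syscode, args);
        if (r == MAC_AUDIT_YES)
            return MAC_AUDIT_YES;      /* nothing can override a YES, so stop early */
        if (r == MAC_AUDIT_NO)
            decision = MAC_AUDIT_NO;   /* remember it, but a later YES still wins */
    }
    return decision;
}

/* Run the two sample policies (plus one uninterested slot) for a given subject and syscall. */
int demo_preselect(unsigned uid, int label_flags, unsigned short syscode) {
    struct cred c = { uid, label_flags };
    mpo_audit_check_preselect_t *const policies[] = {
        root_policy_preselect, NULL, noisy_policy_preselect
    };
    return mac_audit_preselect_combine(policies, 3, &c, syscode, NULL);
}
```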

  • Check whether BPF can read from a network interface

    Declaration

    typedef int mpo_bpfdesc_check_receive_t( struct bpf_d *bpf_d, struct label *bpflabel, struct ifnet *ifp, struct label *ifnetlabel );

    Parameters

    bpf_d

    Subject; the BPF descriptor

    bpflabel

    Policy label for bpf_d

    ifp

    Object; the network interface

    ifnetlabel

    Policy label for ifp

    Determine whether the MAC framework should permit datagrams from the passed network interface to be delivered to the buffers of the passed BPF descriptor. Return (0) for success, or an errno value for failure. Suggested failure: EACCES for label mismatches, EPERM for lack of privilege.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Associate a BPF descriptor with a label

    Declaration

    typedef void mpo_bpfdesc_label_associate_t( kauth_cred_t cred, struct bpf_d *bpf_d, struct label *bpflabel );

    Parameters

    cred

    User credential creating the BPF descriptor

    bpf_d

    The BPF descriptor

    bpflabel

    The new label

    Set the label on a newly created BPF descriptor from the passed subject credential. This call will be made when a BPF device node is opened by a process with the passed subject credential.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy BPF descriptor label

    Declaration

    typedef void mpo_bpfdesc_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a BPF descriptor label. Since the BPF descriptor is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize BPF descriptor label

    Declaration

    typedef void mpo_bpfdesc_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize the label for a newly instantiated BPF descriptor. Sleeping is permitted.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Indicate desire to change the process label at exec time

    Declaration

    typedef int mpo_cred_check_label_update_execve_t( kauth_cred_t old, struct vnode *vp, struct vnode *scriptvp, struct label *vnodelabel, struct label *scriptvnodelabel, struct label *execlabel, struct proc *p, void *macpolicyattr, size_t macpolicyattrlen );

    Parameters

    old

    Existing subject credential

    vp

    File being executed

    vnodelabel

    Label corresponding to vp

    scriptvnodelabel

    Script vnode label

    execlabel

    Userspace provided execution label

    proc

    Object process

    macpolicyattr

    MAC policy-specific spawn attribute data

    macpolicyattrlen

    Length of policy-specific spawn attribute data

    Return Value

    Non-zero if a transition is required, 0 otherwise.

    Discussion

    Indicate whether this policy intends to update the label of a newly created credential from the existing subject credential (old). This call occurs when a process executes the passed vnode. If a policy returns success from this entry point, the mpo_cred_label_update_execve entry point will later be called with the same parameters. Access has already been checked via the mpo_vnode_check_exec entry point; this entry point is necessary to preserve kernel locking constraints during program execution.

    The supplied vnode and vnodelabel correspond with the file actually being executed; in the case that the file is interpreted (for example, a script), the label of the original exec-time vnode has been preserved in scriptvnodelabel.

    The final label, execlabel, corresponds to a label supplied by a user space application through the use of the mac_execve system call.

    The vnode lock is held during this operation. No changes should be made to the old credential structure.

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mac_execve
    mpo_cred_label_update_execve_t
    mpo_vnode_check_exec_t

  • Access control check for relabelling processes

    Declaration

    typedef int mpo_cred_check_label_update_t( kauth_cred_t cred, struct label *newlabel );

    Parameters

    cred

    Subject credential

    newlabel

    New label to apply to the user credential

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Discussion

    Determine whether the subject identified by the credential can relabel itself to the supplied new label (newlabel). This access control check is called when the mac_set_proc system call is invoked. A user space application will supply a new value, the value will be internalized and provided in newlabel.

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_cred_label_update_t
    mac_set_proc

  • Access control check for visibility of other subjects

    Declaration

    typedef int mpo_cred_check_visible_t( kauth_cred_t u1, kauth_cred_t u2 );

    Parameters

    u1

    Subject credential

    u2

    Object credential

    Determine whether the subject identified by the credential u1 can "see" other subjects with the passed subject credential u2. This call may be made in a number of situations, including inter-process status sysctls used by ps, and in procfs lookups.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to hide visibility.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Associate a credential with a new process at fork

    Declaration

    typedef void mpo_cred_label_associate_fork_t( kauth_cred_t cred, proc_t proc );

    Parameters

    cred

    Credential to be inherited by the new process

    proc

    The new process

    Allow a process to associate the credential with a new process for reference counting purposes. NOTE: the credential can be dis-associated in ways other than exit, so this strategy is flawed; a policy should instead rely on the label destroy callback.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create the first process

    Declaration

    typedef void mpo_cred_label_associate_kernel_t( kauth_cred_t cred );

    Parameters

    cred

    Subject credential to be labeled

    Create the subject credential of process 0, the parent of all BSD kernel processes. Policies should update the label in the previously initialized credential structure.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create a credential label

    Declaration

    typedef void mpo_cred_label_associate_t( kauth_cred_t parent_cred, kauth_cred_t child_cred );

    Parameters

    parent_cred

    Parent credential

    child_cred

    Child credential

    Set the label of a newly created credential, most likely using the information in the supplied parent credential.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create the first process

    Declaration

    typedef void mpo_cred_label_associate_user_t( kauth_cred_t cred );

    Parameters

    cred

    Subject credential to be labeled

    Create the subject credential of process 1, the parent of all BSD user processes. Policies should update the label in the previously initialized credential structure. This is the 'init' process.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy credential label

    Declaration

    typedef void mpo_cred_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a user credential label. Since the user credential is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Externalize a user credential label for auditing

    Declaration

    typedef int mpo_cred_label_externalize_audit_t( struct label *label, char *element_name, struct sbuf *sb );

    Parameters

    label

    Label to be externalized

    element_name

    Name of the label namespace for which labels should be externalized

    sb

    String buffer to be filled with a text representation of the label

    Produce an external representation of the label on a user credential for inclusion in an audit record. An externalized label consists of a text representation of the label contents that will be added to the audit record as part of a text token. Policy-agnostic user space tools will display this externalized version.

    Return Value

    0 on success, return non-zero if an error occurs while externalizing the label data.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Externalize a user credential label

    Declaration

    typedef int mpo_cred_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );

    Parameters

    label

    Label to be externalized

    element_name

    Name of the label namespace for which labels should be externalized

    sb

    String buffer to be filled with a text representation of the label

    Produce an external representation of the label on a user credential. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

    Return Value

    0 on success, return non-zero if an error occurs while externalizing the label data.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize user credential label

    Declaration

    typedef void mpo_cred_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize the label for a newly instantiated user credential. Sleeping is permitted.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Internalize a user credential label

    Declaration

    typedef int mpo_cred_label_internalize_t( struct label *label, char *element_name, char *element_data );

    Parameters

    label

    Label to be internalized

    element_name

    Name of the label namespace for which the label should be internalized

    element_data

    Text data to be internalized

    Produce a user credential label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward the text version to the kernel for processing by individual policy modules.

    The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

    Return Value

    0 on success; otherwise, return non-zero if an error occurs while internalizing the label data.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Update credential at exec time

    Declaration

    typedef void mpo_cred_label_update_execve_t( kauth_cred_t old_cred, kauth_cred_t new_cred, struct proc *p, struct vnode *vp, struct vnode *scriptvp, struct label *vnodelabel, struct label *scriptvnodelabel, struct label *execlabel, void *macpolicyattr, size_t macpolicyattrlen, int *disjointp );

    Parameters

    old_cred

    Existing subject credential

    new_cred

    New subject credential to be labeled

    p

    Object process.

    vp

    File being executed

    vnodelabel

    Label corresponding to vp

    scriptvnodelabel

    Script vnode label

    execlabel

    Userspace provided execution label

    macpolicyattr

    MAC policy-specific spawn attribute data.

    macpolicyattrlen

    Length of policy-specific spawn attribute data.

    Discussion

    Update the label of a newly created credential (new) from the existing subject credential (old). This call occurs when a process executes the passed vnode and one of the loaded policy modules has returned success from the mpo_cred_check_label_update_execve entry point. Access has already been checked via the mpo_vnode_check_exec entry point; this entry point is only used to update any policy state.

    The supplied vnode and vnodelabel correspond with the file actually being executed; in the case that the file is interpreted (for example, a script), the label of the original exec-time vnode has been preserved in scriptvnodelabel.

    The final label, execlabel, corresponds to a label supplied by a user space application through the use of the mac_execve system call.

    If non-NULL, the value pointed to by disjointp will be set to 0 to indicate that the old and new credentials are not disjoint, or 1 to indicate that they are.

    The vnode lock is held during this operation. No changes should be made to the old credential structure.

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mac_execve
    mpo_cred_check_label_update_execve_t
    mpo_vnode_check_exec_t

  • Update a credential label

    Declaration

    typedef void mpo_cred_label_update_t( kauth_cred_t cred, struct label *newlabel );

    Parameters

    cred

    The existing credential

    newlabel

    A new label to apply to the credential

    Discussion

    Update the label on a user credential, using the supplied new label. This is called as a result of a process relabel operation. Access control was already confirmed by mpo_cred_check_label_update.

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_cred_check_label_update_t
    mac_set_proc

  • Create a new devfs device

    Declaration

    typedef void mpo_devfs_label_associate_device_t( dev_t dev, struct devnode *de, struct label *label, const char *fullpath );

    Parameters

    dev

    Major and minor numbers of special file

    de

    "inode" of new device file

    label

    Destination label

    fullpath

    Path relative to mount (e.g. /dev) of new device file

    This entry point labels a new devfs device. The label will likely be based on the path to the device, or the major and minor numbers. The policy should store an appropriate label into 'label'.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create a new devfs directory

    Declaration

    typedef void mpo_devfs_label_associate_directory_t( const char *dirname, int dirnamelen, struct devnode *de, struct label *label, const char *fullpath );

    Parameters

    dirname

    Name of new directory

    dirnamelen

    Length of 'dirname'

    de

    "inode" of new directory

    label

    Destination label

    fullpath

    Path relative to mount (e.g. /dev) of new directory

    This entry point labels a new devfs directory. The label will likely be based on the path of the new directory. The policy should store an appropriate label into 'label'. The devfs root directory is labelled in this way.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Copy a devfs label

    Declaration

    typedef void mpo_devfs_label_copy_t( struct label *src, struct label *dest );

    Parameters

    src

    Source devfs label

    dest

    Destination devfs label

    Copy the label information from src to dest. The devfs file system often duplicates (splits) existing device nodes rather than creating new ones.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy devfs label

    Declaration

    typedef void mpo_devfs_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a devfs entry label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize devfs label

    Declaration

    typedef void mpo_devfs_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize the label for a newly instantiated devfs entry. Sleeping is permitted.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Update a devfs label after relabelling its vnode

    Declaration

    typedef void mpo_devfs_label_update_t( struct mount *mp, struct devnode *de, struct label *delabel, struct vnode *vp, struct label *vnodelabel );

    Parameters

    mp

    Devfs mount point

    de

    Affected devfs directory entry

    delabel

    Label of devfs directory entry

    vp

    Vnode associated with de

    vnodelabel

    New label of vnode

    Update a devfs label when its vnode is manually relabelled, for example with setfmac(1). Typically, this will simply copy the vnode label into the devfs label.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control for changing the offset of a file descriptor

    Declaration

    typedef int mpo_file_check_change_offset_t( kauth_cred_t cred, struct fileglob *fg, struct label *label );

    Parameters

    cred

    Subject credential

    fg

    Fileglob structure

    label

    Policy label for fg

    Determine whether the subject identified by the credential can change the offset of the file represented by fg.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control for creating a file descriptor

    Declaration

    typedef int mpo_file_check_create_t( kauth_cred_t cred );

    Parameters

    cred

    Subject credential

    Determine whether the subject identified by the credential can allocate a new file descriptor.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control for duplicating a file descriptor

    Declaration

    typedef int mpo_file_check_dup_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int newfd );

    Parameters

    cred

    Subject credential

    fg

    Fileglob structure

    label

    Policy label for fg

    newfd

    New file descriptor number

    Determine whether the subject identified by the credential can duplicate the fileglob structure represented by fg as file descriptor number newfd.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for fcntl

    Declaration

    typedef int mpo_file_check_fcntl_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int cmd, user_long_t arg );

    Parameters

    cred

    Subject credential

    fg

    Fileglob structure

    label

    Policy label for fg

    cmd

    Control operation to be performed; see fcntl(2)

    arg

    fcntl arguments; see fcntl(2)

    Determine whether the subject identified by the credential can perform the file control operation indicated by cmd.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control for getting the offset of a file descriptor

    Declaration

    typedef int mpo_file_check_get_offset_t( kauth_cred_t cred, struct fileglob *fg, struct label *label );

    Parameters

    cred

    Subject credential

    fg

    Fileglob structure

    label

    Policy label for fg

    Determine whether the subject identified by the credential can get the offset of the file represented by fg.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for mac_get_fd

    Declaration

    typedef int mpo_file_check_get_t( kauth_cred_t cred, struct fileglob *fg, char *elements, int len );

    Parameters

    cred

    Subject credential

    fg

    Fileglob structure

    elements

    Element buffer

    len

    Length of buffer

    Determine whether the subject identified by the credential should be allowed to get an externalized version of the label on the file represented by fg.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control for inheriting a file descriptor

    Declaration

    typedef int mpo_file_check_inherit_t( kauth_cred_t cred, struct fileglob *fg, struct label *label );

    Parameters

    cred

    Subject credential

    fg

    Fileglob structure

    label

    Policy label for fg

    Determine whether the subject identified by the credential can inherit the fileglob structure represented by fg.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for file ioctl

    Declaration

    typedef int mpo_file_check_ioctl_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, unsigned int cmd );

    Parameters

    cred

    Subject credential

    fg

    Fileglob structure

    label

    Policy label for fg

    cmd

    The ioctl command; see ioctl(2)

    Determine whether the subject identified by the credential can perform the ioctl operation indicated by cmd.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for file locking

    Declaration

    typedef int mpo_file_check_lock_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int op, struct flock *fl );

    Parameters

    cred

    Subject credential

    fg

    Fileglob structure

    label

    Policy label for fg

    op

    The lock operation (F_GETLK, F_SETLK, F_UNLCK)

    fl

    The flock structure

    Determine whether the subject identified by the credential can perform the lock operation indicated by op and fl on the file represented by fg.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Downgrade the mmap protections

    Declaration

    typedef void mpo_file_check_mmap_downgrade_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int *prot );

    Parameters

    cred

    Subject credential

    fg

    file to map

    label

    Policy label associated with fg

    prot

    mmap protections to be downgraded

    Downgrade the mmap protections based on the subject and object labels.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for mapping a file

    Declaration

    typedef int mpo_file_check_mmap_t( kauth_cred_t cred, struct fileglob *fg, struct label *label, int prot, int flags, int *maxprot );

    Parameters

    cred

    Subject credential

    fg

    fileglob representing file to map

    label

    Policy label associated with fg

    prot

    mmap protections; see mmap(2)

    flags

    Type of mapped object; see mmap(2)

    maxprot

    Maximum rights

    Determine whether the subject identified by the credential should be allowed to map the file represented by fg with the protections specified in prot. The maxprot field holds the maximum permissions on the new mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. To avoid overriding prior access control checks, a policy should only remove flags from maxprot.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Availability

    Available in OS X v10.5 through OS X v10.5.
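The maxprot rule above (deny on label mismatch, and otherwise only ever clear bits from maxprot) together with the mmap downgrade hook from the previous entry, as an added example that is not code from the header or from Apple. The VM_PROT_* values, the kernel type stand-ins and the deny_write/deny_exec label fields are assumptions constructed for this userland model.

```c
#include <errno.h>

/* VM protection bits named on this page; numeric values assumed for this userland model. */
#define VM_PROT_READ    0x01
#define VM_PROT_WRITE   0x02
#define VM_PROT_EXECUTE 0x04

/* Stand-ins for kernel types (constructed). The label carries the policy's verdict on the file. */
struct cred { unsigned uid; };
typedef struct cred *kauth_cred_t;
struct fileglob { int fg_placeholder; };
struct label { int deny_write; int deny_exec; };

/* mpo_file_check_mmap_t: refuse the mapping if the requested prot already violates the label,
 * otherwise shrink maxprot. Bits are only ever cleared, never set, so a prior check that
 * narrowed maxprot (or another policy's decision) is never undone. */
int sample_file_check_mmap(kauth_cred_t cred, struct fileglob *fg, struct label *label,
                           int prot, int flags, int *maxprot) {
    (void)cred; (void)fg; (void)flags;
    int forbidden = 0;
    if (label->deny_write) forbidden |= VM_PROT_WRITE;
    if (label->deny_exec)  forbidden |= VM_PROT_EXECUTE;
    if (prot & forbidden)
        return EACCES;                 /* label mismatch, the failure the page suggests */
    *maxprot &= ~forbidden;            /* remove, never add */
    return 0;
}

/* mpo_file_check_mmap_downgrade_t: the same rule applied to the effective protections. */
void sample_file_check_mmap_downgrade(kauth_cred_t cred, struct fileglob *fg,
                                      struct label *label, int *prot) {
    (void)cred; (void)fg;
    if (label->deny_write) *prot &= ~VM_PROT_WRITE;
    if (label->deny_exec)  *prot &= ~VM_PROT_EXECUTE;
}

/* Check a policy author can run in tests: after the hook, maxprot must be a subset of what it
 * was before. Returns 1 when the hook behaved, 0 if it widened maxprot. */
int maxprot_only_narrowed(int before, int after) {
    return (after & ~before) == 0;
}

/* Drivers for one mapping request against a label with the given denials. */
int demo_mmap_check(int prot, int maxprot, int deny_write, int deny_exec) {
    struct cred c = { 501 };
    struct fileglob fg = { 0 };
    struct label l = { deny_write, deny_exec };
    return sample_file_check_mmap(&c, &fg, &l, prot, 0, &maxprot);   /* errno or 0 */
}
int demo_mmap_maxprot(int prot, int maxprot, int deny_write, int deny_exec) {
    struct cred c = { 501 };
    struct fileglob fg = { 0 };
    struct label l = { deny_write, deny_exec };
    sample_file_check_mmap(&c, &fg, &l, prot, 0, &maxprot);
    return maxprot;                                                   /* maxprot after the hook */
}
int demo_mmap_downgrade(int prot, int deny_write, int deny_exec) {
    struct cred c = { 501 };
    struct fileglob fg = { 0 };
    struct label l = { deny_write, deny_exec };
    sample_file_check_mmap_downgrade(&c, &fg, &l, &prot);
    return prot;                                                      /* prot after downgrade */
}
```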

  • Access control for receiving a file descriptor

    Declaration

    typedef int mpo_file_check_receive_t( kauth_cred_t cred, struct fileglob *fg, struct label *label );

    Parameters

    cred

    Subject credential

    fg

    Fileglob structure

    label

    Policy label for fg

    Determine whether the subject identified by the credential can receive the fileglob structure represented by fg.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for mac_set_fd

    Declaration

    Objective-C

    typedef int mpo_file_check_set_t( kauth_cred_t cred, struct fileglob *fg, char *elements, int len );

    Parameters

    cred

    Subject credential

    fg

    Fileglob structure

    elements

    Elements buffer

    len

    Length of elements buffer

    Determine whether the subject identified by the credential can perform the mac_set_fd operation. The mac_set_fd operation is used to associate a MAC label with a file.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create file label

    Declaration

    Objective-C

    typedef void mpo_file_label_associate_t( kauth_cred_t cred, struct fileglob *fg, struct label *label );

    Parameters

    cred

    Subject credential

    fg

    Fileglob structure

    label

    Policy label for fg

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy file label

    Declaration

    Objective-C

    typedef void mpo_file_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy the label on a file descriptor. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize file label

    Declaration

    Objective-C

    typedef void mpo_file_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for relabeling network interfaces

    Declaration

    Objective-C

    typedef int mpo_ifnet_check_label_update_t( kauth_cred_t cred, struct ifnet *ifp, struct label *ifnetlabel, struct label *newlabel );

    Parameters

    cred

    Subject credential

    ifp

    network interface being relabeled

    ifnetlabel

    Current label of the network interfaces

    newlabel

    New label to apply to the network interfaces

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Discussion

    Determine whether the subject identified by the credential can relabel the network interface represented by ifp to the supplied new label (newlabel).

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_ifnet_label_update_t

  • Access control check for transmitting an mbuf through a network interface

    Declaration

    Objective-C

    typedef int mpo_ifnet_check_transmit_t( struct ifnet *ifp, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel, int family, int type );

    Parameters

    ifp

    Network interface mbuf will be transmitted through

    ifnetlabel

    Label of the network interfaces

    m

    The mbuf to be transmitted

    mbuflabel

    Label of the mbuf to be transmitted

    family

    Address Family, AF_*

    type

    Type of socket, SOCK_{STREAM,DGRAM,RAW}

    Determine whether the mbuf with label mbuflabel may be transmitted through the network interface represented by ifp that has the label ifnetlabel.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create a network interface label

    Declaration

    Objective-C

    typedef void mpo_ifnet_label_associate_t( struct ifnet *ifp, struct label *ifnetlabel );

    Parameters

    ifp

    Network interface labeled

    ifnetlabel

    Label for the network interface

    Set the label of a newly created network interface, most likely using the information in the supplied network interface struct.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Copy an ifnet label

    Declaration

    Objective-C

    typedef void mpo_ifnet_label_copy_t( struct label *src, struct label *dest );

    Parameters

    src

    Source ifnet label

    dest

    Destination ifnet label

    Copy the label information from src to dest.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy ifnet label

    Declaration

    Objective-C

    typedef void mpo_ifnet_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy the label on an ifnet label. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Externalize an ifnet label

    Declaration

    Objective-C

    typedef int mpo_ifnet_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );

    Parameters

    label

    Label to be externalized

    element_name

    Name of the label namespace for which labels should be externalized

    sb

    String buffer to be filled with a text representation of the label

    Produce an external representation of the label on an interface. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

    Return Value

    0 on success, return non-zero if an error occurs while externalizing the label data.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize ifnet label

    Declaration

    Objective-C

    typedef void mpo_ifnet_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Internalize an interface label

    Declaration

    Objective-C

    typedef int mpo_ifnet_label_internalize_t( struct label *label, char *element_name, char *element_data );

    Parameters

    label

    Label to be internalized

    element_name

    Name of the label namespace for which the label should be internalized

    element_data

    Text data to be internalized

    Produce an interface label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward the text version to the kernel for processing by individual policy modules.

    The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

    Return Value

    0 on success; otherwise, return non-zero if an error occurs while internalizing the label data.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Recycle a network interface label

    Declaration

    Objective-C

    typedef void mpo_ifnet_label_recycle_t( struct label *label );

    Parameters

    label

    The label to be recycled

    Recycle a network interface label. Darwin caches the struct ifnet of detached ifnets in a "free pool". Before ifnets are returned to the "free pool", policies can cleanup or overwrite any information present in the label.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Update a network interface label

    Declaration

    Objective-C

    typedef void mpo_ifnet_label_update_t( kauth_cred_t cred, struct ifnet *ifp, struct label *ifnetlabel, struct label *newlabel );

    Parameters

    cred

    Subject credential

    ifp

    The network interface to be relabeled

    ifnetlabel

    The current label of the network interface

    newlabel

    A new label to apply to the network interface

    Discussion

    Update the label on a network interface, using the supplied new label.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_ifnet_check_label_update_t

  • Access control check for delivering a packet to a socket

    Declaration

    Objective-C

    typedef int mpo_inpcb_check_deliver_t( struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mbuflabel, int family, int type );

    Parameters

    inp

    inpcb the socket is associated with

    inplabel

    Label of the inpcb

    m

    The mbuf being received

    mbuflabel

    Label of the mbuf being received

    family

    Address family, AF_*

    type

    Type of socket, SOCK_{STREAM,DGRAM,RAW}

    Determine whether the mbuf with label mbuflabel may be received by the socket associated with inpcb that has the label inplabel.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create an inpcb label

    Declaration

    Objective-C

    typedef void mpo_inpcb_label_associate_t( struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel );

    Parameters

    so

    Socket containing the inpcb to be labeled

    solabel

    Label of the socket

    inp

    inpcb to be labeled

    inplabel

    Label for the inpcb

    Set the label of a newly created inpcb, most likely using the information in the socket and/or socket label.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy inpcb label

    Declaration

    Objective-C

    typedef void mpo_inpcb_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy the label on an inpcb label. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize inpcb label

    Declaration

    Objective-C

    typedef int mpo_inpcb_label_init_t( struct label *label, int flag );

    Parameters

    label

    New label to initialize

    flag

    M_WAITOK or M_NOWAIT

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Recycle an inpcb label

    Declaration

    Objective-C

    typedef void mpo_inpcb_label_recycle_t( struct label *label );

    Parameters

    label

    The label to be recycled

    Recycle an inpcb label. Darwin allocates the inpcb as part of the socket structure in some cases. For this case we must recycle rather than destroy the inpcb as it will be reused later.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Update an inpcb label from a socket label

    Declaration

    Objective-C

    typedef void mpo_inpcb_label_update_t( struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel );

    Parameters

    so

    Socket containing the inpcb to be relabeled

    solabel

    New label of the socket

    inp

    inpcb to be labeled

    inplabel

    Label for the inpcb

    Set the label of a newly created inpcb due to a change in the underlying socket label.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Device hardware access control

    Declaration

    Objective-C

    typedef int mpo_iokit_check_device_t( char *devtype, struct mac_module_data *mdata );

    Parameters

    devtype

    Type of device connected

    properties

    XML-formatted property list

    proplen

    Length of the property list

    This is the MAC Framework device access control, which is called by the I/O Kit when a new device is connected to the system to determine whether that device should be trusted. A list of properties associated with the device is passed as an XML-formatted string. The routine should examine these properties to determine the trustworthiness of the device. A return value of EPERM forces the device to be claimed by a special device driver that will prevent its operation.

    Return Value

    Return EPERM to indicate that the device is untrusted and should not be allowed to operate. Return zero to indicate that the device is trusted and should be allowed to operate normally.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create an IP reassembly queue label

    Declaration

    Objective-C

    typedef void mpo_ipq_label_associate_t( struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel );

    Parameters

    fragment

    First received IP fragment

    fragmentlabel

    Policy label for fragment

    ipq

    IP reassembly queue to be labeled

    ipqlabel

    Policy label to be filled in for ipq

    Set the label on a newly created IP reassembly queue from the mbuf header of the first received fragment.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Compare an mbuf header label to an ipq label

    Declaration

    Objective-C

    typedef int mpo_ipq_label_compare_t( struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel );

    Parameters

    fragment

    IP datagram fragment

    fragmentlabel

    Policy label for fragment

    ipq

    IP fragment reassembly queue

    ipqlabel

    Policy label for ipq

    Compare the label of the mbuf header containing an IP datagram (fragment) fragment with the label of the passed IP fragment reassembly queue (ipq). Return (1) for a successful match, or (0) for no match. This call is made when the IP stack attempts to find an existing fragment reassembly queue for a newly received fragment; if this fails, a new fragment reassembly queue may be instantiated for the fragment. Policies may use this entry point to prevent the reassembly of otherwise matching IP fragments if policy does not permit them to be reassembled based on the label or other information.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy IP reassembly queue label

    Declaration

    Objective-C

    typedef void mpo_ipq_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy the label on an IP fragment queue. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize IP reassembly queue label

    Declaration

    Objective-C

    typedef int mpo_ipq_label_init_t( struct label *label, int flag );

    Parameters

    label

    New label to initialize

    flag

    M_WAITOK or M_NOWAIT

    Initialize the label on a newly instantiated IP fragment reassembly queue. The flag field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call. IP fragment reassembly queue allocation frequently occurs in performance sensitive environments, and the implementation should be careful to avoid sleeping or long-lived operations. This entry point is permitted to fail resulting in the failure to allocate the IP fragment reassembly queue.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Update the label on an IP fragment reassembly queue

    Declaration

    Objective-C

    typedef void mpo_ipq_label_update_t( struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel );

    Parameters

    fragment

    IP fragment

    fragmentlabel

    Policy label for fragment

    ipq

    IP fragment reassembly queue

    ipqlabel

    Policy label to be updated for ipq

    Update the label on an IP fragment reassembly queue (ipq) based on the acceptance of the passed IP fragment mbuf header (fragment).

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for relabelling Login Context

    Declaration

    Objective-C

    typedef int mpo_lctx_check_label_update_t( struct lctx *l, struct label *newlabel );

    Parameters

    l

    Subject credential

    newlabel

    New label to apply to the Login Context

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Discussion

    Determine whether the subject identified by the credential can relabel itself to the supplied new label (newlabel). This access control check is called when the mac_set_lctx/lcid system call is invoked. A user space application will supply a new value, the value will be internalized and provided in newlabel.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_lctx_label_update_t
    mac_set_lcid
    mac_set_lctx

  • Destroy Login Context label

    Declaration

    Objective-C

    typedef void mpo_lctx_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Externalize a Login Context label

    Declaration

    Objective-C

    typedef int mpo_lctx_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );

    Parameters

    label

    Label to be externalized

    element_name

    Name of the label namespace for which labels should be externalized

    sb

    String buffer to be filled with a text representation of the label

    Produce an external representation of the label on a Login Context. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

    Return Value

    0 on success, return non-zero if an error occurs while externalizing the label data.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize Login Context label

    Declaration

    Objective-C

    typedef void mpo_lctx_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Internalize a Login Context label

    Declaration

    Objective-C

    typedef int mpo_lctx_label_internalize_t( struct label *label, char *element_name, char *element_data );

    Parameters

    label

    Label to be internalized

    element_name

    Name of the label namespace for which the label should be internalized

    element_data

    Text data to be internalized

    Produce a Login Context label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward the text version to the kernel for processing by individual policy modules.

    The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

    Return Value

    0 on success; otherwise, return non-zero if an error occurs while internalizing the label data.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.
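    The externalize/internalize pair described for the ifnet and Login Context labels above, as an added example that is not Apple's code: both hooks modelled outside the kernel so they compile as an ordinary program. struct label and struct sbuf are stand-ins, and the "example" namespace with its three level names is a hypothetical policy; the point is that internalize treats element_data as untrusted user-space text and rejects anything it does not recognise, while externalize emits exactly the text internalize accepts.

```c
/* Added example (not Apple's code): externalize/internalize hooks with the
 * shape of mpo_ifnet_label_externalize_t / mpo_ifnet_label_internalize_t
 * (the lctx variants have the same signatures). struct label and struct
 * sbuf are stand-ins; the "example" namespace and its levels are
 * hypothetical policy data. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define EXAMPLE_NAMESPACE "example"

enum { LEVEL_LOW = 0, LEVEL_MEDIUM = 1, LEVEL_HIGH = 2 };
static const char *const level_names[] = { "low", "medium", "high" };

struct label { int level; };            /* stand-in: one policy slot */

struct sbuf {                            /* stand-in for the kernel's sbuf */
    char data[64];
    size_t len;
};

/* Append with a hard bound; the real sbuf tracks overflow for the caller. */
static int sbuf_append(struct sbuf *sb, const char *s)
{
    size_t n = strlen(s);
    if (sb->len + n + 1 > sizeof sb->data)
        return ENOMEM;
    memcpy(sb->data + sb->len, s, n + 1);
    sb->len += n;
    return 0;
}

/* Externalize: write the text form that policy-agnostic tools display.
 * Returns 0 on success, non-zero on error, as the entry point requires. */
int example_label_externalize(struct label *label, char *element_name,
                              struct sbuf *sb)
{
    if (strcmp(element_name, EXAMPLE_NAMESPACE) != 0)
        return 0;                       /* not our namespace: nothing to add */
    if (label->level < LEVEL_LOW || label->level > LEVEL_HIGH)
        return EINVAL;                  /* corrupt internal state: refuse */
    return sbuf_append(sb, level_names[label->level]);
}

/* Internalize: parse text that arrived from user space. Only an exact level
 * name is accepted; anything else is rejected and the label is untouched. */
int example_label_internalize(struct label *label, char *element_name,
                              char *element_data)
{
    if (strcmp(element_name, EXAMPLE_NAMESPACE) != 0)
        return 0;                       /* framework should not call us, be safe */
    for (int i = LEVEL_LOW; i <= LEVEL_HIGH; i++) {
        if (strcmp(element_data, level_names[i]) == 0) {
            label->level = i;
            return 0;
        }
    }
    return EINVAL;
}

/* Returns the internalize result code for `text` in our namespace. */
int example_internalize_status(const char *text)
{
    struct label l = { LEVEL_LOW };
    char in[32];
    if (strlen(text) >= sizeof in)
        return EINVAL;                  /* oversized input is rejected too */
    strcpy(in, text);
    return example_label_internalize(&l, EXAMPLE_NAMESPACE, in);
}

/* Round trip: internalize `text`, externalize again, and return 1 when the
 * text survives unchanged, 0 otherwise (a rejected input also yields 0). */
int example_label_roundtrip(const char *text)
{
    struct label l = { LEVEL_LOW };
    struct sbuf sb = { {0}, 0 };
    char in[32];
    if (strlen(text) >= sizeof in)
        return 0;
    strcpy(in, text);
    if (example_label_internalize(&l, EXAMPLE_NAMESPACE, in) != 0)
        return 0;
    if (example_label_externalize(&l, EXAMPLE_NAMESPACE, &sb) != 0)
        return 0;
    return strcmp(sb.data, text) == 0;
}

int main(void)
{
    printf("\"high\" round trips: %d\n", example_label_roundtrip("high"));   /* 1 */
    printf("\"HIGH\" accepted: %d\n", example_internalize_status("HIGH") == 0); /* 0 */
    return 0;
}
```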

  • Update a Login Context label

    Declaration

    Objective-C

    typedef void mpo_lctx_label_update_t( struct lctx *l, struct label *newlabel );

    Parameters

    l
    newlabel

    A new label to apply to the Login Context

    Discussion

    Update the label on a login context, using the supplied new label. This is called as a result of a login context relabel operation. Access control was already confirmed by mpo_lctx_check_label_update.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_lctx_check_label_update_t
    mac_set_lcid
    mac_set_lctx

  • A process has created a login context

    Declaration

    Objective-C

    typedef void mpo_lctx_notify_create_t( struct proc *p, struct lctx *l );

    Parameters

    p

    Subject

    l

    Login Context

    When a process creates a login context (via setlcid()) this entrypoint is called to notify the policy that the process 'p' has created login context 'l'.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • A process has joined a login context

    Declaration

    Objective-C

    typedef void mpo_lctx_notify_join_t( struct proc *p, struct lctx *l );

    Parameters

    p

    Subject

    l

    Login Context

    When a process joins a login context, either via setlcid() or via fork() this entrypoint is called to notify the policy that process 'p' is now a member of login context 'l'.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • A process has left a login context

    Declaration

    Objective-C

    typedef void mpo_lctx_notify_leave_t( struct proc *p, struct lctx *l );

    Parameters

    p

    Subject

    l

    Login Context

    When a process leaves a login context either via setlcid() or as a result of the process exiting this entrypoint is called to notify the policy that the process 'p' is no longer a member of login context 'l'.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Assign a label to a new mbuf

    Declaration

    Objective-C

    typedef void mpo_mbuf_label_associate_bpfdesc_t( struct bpf_d *bpf_d, struct label *b_label, struct mbuf *m, struct label *m_label );

    Parameters

    bpf_d

    BPF descriptor

    b_label

    Policy label for bpf_d

    m

    Object; mbuf

    m_label

    Policy label to fill in for m

    Set the label on the mbuf header of a newly created datagram generated using the passed BPF descriptor. This call is made when a write is performed to the BPF device associated with the passed BPF descriptor.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Assign a label to a new mbuf

    Declaration

    Objective-C

    typedef void mpo_mbuf_label_associate_ifnet_t( struct ifnet *ifp, struct label *i_label, struct mbuf *m, struct label *m_label );

    Parameters

    ifp

    Interface descriptor

    i_label

    Existing label of ifp

    m

    Object; mbuf

    m_label

    Policy label to fill in for m

    Label an mbuf based on the interface from which it was received.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Assign a label to a new mbuf

    Declaration

    Objective-C

    typedef void mpo_mbuf_label_associate_inpcb_t( struct inpcb *inp, struct label *i_label, struct mbuf *m, struct label *m_label );

    Parameters

    inp

    inpcb structure

    i_label

    Existing label of inp

    m

    Object; mbuf

    m_label

    Policy label to fill in for m

    Label an mbuf based on the inpcb from which it was derived.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Set the label on a newly reassembled IP datagram

    Declaration

    Objective-C

    typedef void mpo_mbuf_label_associate_ipq_t( struct ipq *ipq, struct label *ipqlabel, struct mbuf *mbuf, struct label *mbuflabel );

    Parameters

    ipq

    IP fragment reassembly queue

    ipqlabel

    Policy label for ipq

    mbuf

    IP datagram to be labeled

    mbuflabel

    Policy label to be filled in for mbuf

    Set the label on a newly reassembled IP datagram (mbuf) from the IP fragment reassembly queue (ipq) from which it was generated.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Assign a label to a new mbuf

    Declaration

    Objective-C

    typedef void mpo_mbuf_label_associate_linklayer_t( struct ifnet *ifp, struct label *i_label, struct mbuf *m, struct label *m_label );

    Parameters

    ifp

    Subject; network interface

    i_label

    Existing label of ifp

    m

    Object; mbuf

    m_label

    Policy label to fill in for m

    Set the label on the mbuf header of a newly created datagram generated for the purposes of a link layer response for the passed interface. This call may be made in a number of situations, including for ARP or ND6 responses in the IPv4 and IPv6 stacks.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Assign a label to a new mbuf

    Declaration

    Objective-C

    typedef void mpo_mbuf_label_associate_multicast_encap_t( struct mbuf *oldmbuf, struct label *oldmbuflabel, struct ifnet *ifp, struct label *ifplabel, struct mbuf *newmbuf, struct label *newmbuflabel );

    Parameters

    oldmbuf

    mbuf header for existing datagram

    oldmbuflabel

    Policy label for oldmbuf

    ifp

    Network interface

    ifplabel

    Policy label for ifp

    newmbuf

    mbuf header to be labeled for new datagram

    newmbuflabel

    Policy label for newmbuf

    Set the label on the mbuf header of a newly created datagram generated from the existing passed datagram when it is processed by the passed multicast encapsulation interface. This call is made when an mbuf is to be delivered using the virtual interface.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Assign a label to a new mbuf

    Declaration

    Objective-C

    typedef void mpo_mbuf_label_associate_netlayer_t( struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel );

    Parameters

    oldmbuf

    Received datagram

    oldmbuflabel

    Policy label for oldmbuf

    newmbuf

    Newly created datagram

    newmbuflabel

    Policy label for newmbuf

    Set the label on the mbuf header of a newly created datagram generated by the IP stack in response to an existing received datagram (oldmbuf). This call may be made in a number of situations, including when responding to ICMP request datagrams.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Assign a label to a new mbuf

    Declaration

    Objective-C

    typedef void mpo_mbuf_label_associate_socket_t( socket_t so, struct label *so_label, struct mbuf *m, struct label *m_label );

    Parameters

    so

    Socket to label

    so_label

    Policy label for socket

    m

    Object; mbuf

    m_label

    Policy label to fill in for m

    An mbuf structure is used to store network traffic in transit. When an application sends data to a socket or a pipe, it is wrapped in an mbuf first. This function sets the label on a newly created mbuf header based on the socket sending the data. The contents of the label should be suitable for performing an access check on the receiving side of the communication.

    Only labeled MBUFs will be presented to the policy via this entrypoint.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Copy a mbuf label

    Declaration

    Objective-C

    typedef void mpo_mbuf_label_copy_t( struct label *src, struct label *dest );

    Parameters

    src

    Source label

    dest

    Destination label

    Copy the mbuf label information in src into dest.

    Only called when both source and destination mbufs have labels.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy mbuf label

    Declaration

    Objective-C

    typedef void mpo_mbuf_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a mbuf label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize mbuf label

    Declaration

    Objective-C

    typedef int mpo_mbuf_label_init_t( struct label *label, int flag );

    Parameters

    label

    New label to initialize

    flag

    Malloc flags

    Initialize the label for a newly instantiated mbuf.

    Return Value

    On success, 0, otherwise, an appropriate errno return value.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for fsctl

    Declaration

    Objective-C

    typedef int mpo_mount_check_fsctl_t( kauth_cred_t cred, struct mount *mp, struct label *label, unsigned int cmd );

    Parameters

    cred

    Subject credential

    mp

    The mount point

    label

    Label associated with the mount point

    cmd

    Filesystem-dependent request code; see fsctl(2)

    Determine whether the subject identified by the credential can perform the volume operation indicated by cmd.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for the retrieval of file system attributes

    Declaration

    Objective-C

    typedef int mpo_mount_check_getattr_t( kauth_cred_t cred, struct mount *mp, struct label *mp_label, struct vfs_attr *vfa );

    Parameters

    cred

    Subject credential

    mp

    The mount structure of the file system

    vfa

    The attributes requested

    This entry point determines whether the given subject can get information about the given file system. This check happens during statfs() syscalls, but is also used by other parts within the kernel such as the audit system.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for mount point relabeling

    Declaration

    Objective-C

    typedef int mpo_mount_check_label_update_t( kauth_cred_t cred, struct mount *mp, struct label *mntlabel );

    Parameters

    cred

    Subject credential

    mp

    Object file system mount point

    mntlabel

    Policy label for file system mount point

    Determine whether the subject identified by the credential can relabel the mount point. This call is made when a file system mount is updated.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for mounting a file system

    Declaration

    Objective-C

    typedef int mpo_mount_check_mount_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, struct componentname *cnp, const char *vfc_name );

    Parameters

    cred

    Subject credential

    vp

    Vnode that is to be the mount point

    vlabel

    Label associated with the vnode

    cnp

    Component name for vp

    vfc_name

    Filesystem type name

    Determine whether the subject identified by the credential can perform the mount operation on the target vnode.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check remounting a filesystem

    Declaration

    Objective-C

    typedef int mpo_mount_check_remount_t( kauth_cred_t cred, struct mount *mp, struct label *mlabel );

    Parameters

    cred

    Subject credential

    mp

    The mount point

    mlabel

    Label currently associated with the mount point

    Determine whether the subject identified by the credential can perform the remount operation on the target mount point.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for the setting of file system attributes

    Declaration

    Objective-C

    typedef int mpo_mount_check_setattr_t( kauth_cred_t cred, struct mount *mp, struct label *mp_label, struct vfs_attr *vfa );

    Parameters

    cred

    Subject credential

    mp

    The mount structure of the file system

    mp_label

    Label associated with the mount point

    vfa

    The attributes requested

    This entry point determines whether the given subject can set information about the given file system, for example the volume name.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for file system statistics

    Declaration

    Objective-C

    typedef int mpo_mount_check_stat_t( kauth_cred_t cred, struct mount *mp, struct label *mntlabel );

    Parameters

    cred

    Subject credential

    mp

    Object file system mount

    mntlabel

    Policy label for mp

    Determine whether the subject identified by the credential can see the results of a statfs performed on the file system. This call may be made in a number of situations, including during invocations of statfs(2) and related calls, as well as to determine what file systems to exclude from listings of file systems, such as when getfsstat(2) is invoked.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for unmounting a filesystem

    Declaration

    Objective-C

    typedef int mpo_mount_check_umount_t( kauth_cred_t cred, struct mount *mp, struct label *mlabel );

    Parameters

    cred

    Subject credential

    mp

    The mount point

    mlabel

    Label associated with the mount point

    Determine whether the subject identified by the credential can perform the unmount operation on the target mount point.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.
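    The mount checks above share one return convention: 0 grants access, EACCES reports a label mismatch, EPERM reports missing privilege, and for mpo_mount_check_stat_t a non-zero result also removes the mount from listings such as getfsstat(2). The following is an added example of a hypothetical sensitivity-level policy implementing the stat, label update and umount checks; it is not code from the header or from any shipped policy module. The ex_cred, ex_mount and ex_mount_label structs are user-space stand-ins for kauth_cred_t, struct mount and struct label, and the sample mount table is constructed for the example.

```c
#include <errno.h>
#include <stddef.h>

/* Stand-ins for kauth_cred_t, struct mount and struct label (assumed shapes). */
struct ex_cred        { unsigned clearance; int privileged; };
struct ex_mount_label { unsigned level; };
struct ex_mount       { const char *mntonname; struct ex_mount_label label; };

/* A subject dominates a mount when its clearance reaches the mount's level. */
static int
ex_dominates(const struct ex_cred *cred, const struct ex_mount_label *l)
{
    return cred->clearance >= l->level;
}

/* Shape of mpo_mount_check_stat_t: a non-zero result hides the mount
 * from statfs(2) and from getfsstat(2) listings. */
int
ex_mount_check_stat(const struct ex_cred *cred, const struct ex_mount *mp,
    const struct ex_mount_label *mntlabel)
{
    (void)mp;
    return ex_dominates(cred, mntlabel) ? 0 : EACCES;
}

/* Shape of mpo_mount_check_label_update_t: EACCES for a label mismatch,
 * EPERM for a subject that dominates the label but lacks privilege. */
int
ex_mount_check_label_update(const struct ex_cred *cred, const struct ex_mount *mp,
    const struct ex_mount_label *mntlabel)
{
    (void)mp;
    if (!ex_dominates(cred, mntlabel))
        return EACCES;
    if (!cred->privileged)
        return EPERM;
    return 0;
}

/* Shape of mpo_mount_check_umount_t. */
int
ex_mount_check_umount(const struct ex_cred *cred, const struct ex_mount *mp,
    const struct ex_mount_label *mlabel)
{
    (void)mp;
    return ex_dominates(cred, mlabel) ? 0 : EACCES;
}

/* What a getfsstat(2)-style listing does with the stat check: mounts the
 * subject may not see are dropped rather than failing the whole call. */
size_t
ex_list_mounts(const struct ex_cred *cred, const struct ex_mount *mounts,
    size_t n, const struct ex_mount **out)
{
    size_t i, k = 0;
    for (i = 0; i < n; i++)
        if (ex_mount_check_stat(cred, &mounts[i], &mounts[i].label) == 0)
            out[k++] = &mounts[i];
    return k;
}

/* Constructed sample mount table for the example. */
static const struct ex_mount ex_sample_mounts[] = {
    { "/",               { 0 } },
    { "/Volumes/Shared", { 1 } },
    { "/Volumes/Secret", { 2 } },
};
#define EX_NMOUNTS (sizeof(ex_sample_mounts) / sizeof(ex_sample_mounts[0]))

/* Number of sample mounts a subject with this credential would see listed. */
size_t
ex_visible_count(unsigned clearance, int privileged)
{
    struct ex_cred cred = { clearance, privileged };
    const struct ex_mount *vis[EX_NMOUNTS];
    return ex_list_mounts(&cred, ex_sample_mounts, EX_NMOUNTS, vis);
}

/* Result of the relabel check for sample mount idx. */
int
ex_relabel_result(unsigned clearance, int privileged, size_t idx)
{
    struct ex_cred cred = { clearance, privileged };
    return ex_mount_check_label_update(&cred, &ex_sample_mounts[idx],
        &ex_sample_mounts[idx].label);
}
```

The order of the two tests in the relabel check is a design choice: reporting the label mismatch before the privilege failure means an unprivileged subject learns nothing about whether privilege alone would have sufficed.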

  • Create mount labels

    Declaration

    Objective-C

    typedef void mpo_mount_label_associate_t( kauth_cred_t cred, struct mount *mp, struct label *mntlabel );

    Parameters

    cred

    Subject credential

    mp

    Mount point of file system being mounted

    mntlabel

    Label to associate with the new mount point

    Discussion

    Fill out the labels on the mount point being created by the supplied user credential. This call is made when file systems are first mounted.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_mount_label_init_t

  • Destroy mount label

    Declaration

    Objective-C

    typedef void mpo_mount_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a file system mount label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Externalize a mount point label

    Declaration

    Objective-C

    typedef int mpo_mount_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );

    Parameters

    label

    Label to be externalized

    element_name

    Name of the label namespace for which labels should be externalized

    sb

    String buffer to be filled with a text representation of the label

    Produce an external representation of the mount point label. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

    The policy's externalize entry points will be called only if the policy has registered interest in the label namespace.

    Return Value

    0 on success; non-zero if an error occurs while externalizing the label data.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize mount point label

    Declaration

    Objective-C

    typedef void mpo_mount_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize the label for a newly instantiated mount structure. This label is typically used to store a default label in the case that the file system has been mounted singlelabel. Since some file systems do not support persistent labels (extended attributes) or are read-only (such as CD-ROMs), it is often necessary to store a default label separately from the label of the mount point itself. Sleeping is permitted.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Internalize a mount point label

    Declaration

    Objective-C

    typedef int mpo_mount_label_internalize_t( struct label *label, char *element_name, char *element_data );

    Parameters

    label

    Label to be internalized

    element_name

    Name of the label namespace for which the label should be internalized

    element_data

    Text data to be internalized

    Produce a mount point file system label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward the text version to the kernel for processing by individual policy modules.

    The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

    Return Value

    0 on success; non-zero if an error occurs while internalizing the label data.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Set the label on an IPv4 datagram fragment

    Declaration

    Objective-C

    typedef void mpo_netinet_fragment_t( struct mbuf *datagram, struct label *datagramlabel, struct mbuf *fragment, struct label *fragmentlabel );

    Parameters

    datagram

    Datagram being fragmented

    datagramlabel

    Policy label for datagram

    fragment

    New fragment

    fragmentlabel

    Policy label for fragment

    Called when an IPv4 datagram is fragmented into several smaller datagrams. Policies implementing mbuf labels will typically copy the label from the source datagram to the new fragment.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Set the label on an ICMP reply

    Declaration

    Objective-C

    typedef void mpo_netinet_icmp_reply_t( struct mbuf *m, struct label *mlabel );

    Parameters

    m

    mbuf containing the ICMP reply

    mlabel

    Policy label for m

    A policy may wish to update the label of an mbuf that refers to an ICMP packet being sent in response to an IP packet. This may be called in response to a bad packet or an ICMP request.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Set the label on a TCP reply

    Declaration

    Objective-C

    typedef void mpo_netinet_tcp_reply_t( struct mbuf *m, struct label *mlabel );

    Parameters

    m

    mbuf containing the TCP reply

    mlabel

    Policy label for m

    Called for outgoing TCP packets not associated with an actual socket.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for pipe ioctl

    Declaration

    Objective-C

    typedef int mpo_pipe_check_ioctl_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel, unsigned int cmd );

    Parameters

    cred

    Subject credential

    cpipe

    Object to be accessed

    pipelabel

    The label on the pipe

    cmd

    The ioctl command; see ioctl(2)

    Determine whether the subject identified by the credential can perform the ioctl operation indicated by cmd.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for pipe kqfilter

    Declaration

    Objective-C

    typedef int mpo_pipe_check_kqfilter_t( kauth_cred_t cred, struct knote *kn, struct pipe *cpipe, struct label *pipelabel );

    Parameters

    cred

    Subject credential

    kn

    Object knote

    cpipe

    Object to be accessed

    pipelabel

    Policy label for the pipe

    Determine whether the subject identified by the credential can receive the knote on the passed pipe.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for pipe relabel

    Declaration

    Objective-C

    typedef int mpo_pipe_check_label_update_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel, struct label *newlabel );

    Parameters

    cred

    Subject credential

    cpipe

    Object to be accessed

    pipelabel

    The current label on the pipe

    newlabel

    The new label to be used

    Determine whether the subject identified by the credential can perform a relabel operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for pipe read

    Declaration

    Objective-C

    typedef int mpo_pipe_check_read_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel );

    Parameters

    cred

    Subject credential

    cpipe

    Object to be accessed

    pipelabel

    The label on the pipe

    Determine whether the subject identified by the credential can perform a read operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for pipe select

    Declaration

    Objective-C

    typedef int mpo_pipe_check_select_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel, int which );

    Parameters

    cred

    Subject credential

    cpipe

    Object to be accessed

    pipelabel

    The label on the pipe

    which

    The operation selected on: FREAD or FWRITE

    Determine whether the subject identified by the credential can perform a select operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for pipe stat

    Declaration

    Objective-C

    typedef int mpo_pipe_check_stat_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel );

    Parameters

    cred

    Subject credential

    cpipe

    Object to be accessed

    pipelabel

    The label on the pipe

    Determine whether the subject identified by the credential can perform a stat operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for pipe write

    Declaration

    Objective-C

    typedef int mpo_pipe_check_write_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel );

    Parameters

    cred

    Subject credential

    cpipe

    Object to be accessed

    pipelabel

    The label on the pipe

    Determine whether the subject identified by the credential can perform a write operation on the passed pipe. The cred object holds the credentials of the subject performing the operation.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create a pipe label

    Declaration

    Objective-C

    typedef void mpo_pipe_label_associate_t( kauth_cred_t cred, struct pipe *cpipe, struct label *pipelabel );

    Parameters

    cred

    Subject credential

    cpipe

    Object to be labeled

    pipelabel

    Label for the pipe object

    Create a label for the pipe object being created by the supplied user credential. This call is made when the pipe is being created; the header does not state whether it is made once per pipe or once for each side.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Copy a pipe label

    Declaration

    Objective-C

    typedef void mpo_pipe_label_copy_t( struct label *src, struct label *dest );

    Parameters

    src

    Source pipe label

    dest

    Destination pipe label

    Copy the pipe label associated with src to dest. The header does not document when this entry point is invoked; the likely use is during pipe creation, to copy the label from the read side to the write side.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy pipe label

    Declaration

    Objective-C

    typedef void mpo_pipe_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a pipe label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Externalize a pipe label

    Declaration

    Objective-C

    typedef int mpo_pipe_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );

    Parameters

    label

    Label to be externalized

    element_name

    Name of the label namespace for which labels should be externalized

    sb

    String buffer to be filled with a text representation of the label

    Produce an external representation of the label on a pipe. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

    The policy's externalize entry points will be called only if the policy has registered interest in the label namespace.

    Return Value

    0 on success; non-zero if an error occurs while externalizing the label data.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize pipe label

    Declaration

    Objective-C

    typedef void mpo_pipe_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize label storage for use with a newly instantiated pipe object. Sleeping is permitted.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Internalize a pipe label

    Declaration

    Objective-C

    typedef int mpo_pipe_label_internalize_t( struct label *label, char *element_name, char *element_data );

    Parameters

    label

    Label to be internalized

    element_name

    Name of the label namespace for which the label should be internalized

    element_data

    Text data to be internalized

    Produce a pipe label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward the text version to the kernel for processing by individual policy modules.

    The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

    Return Value

    0 on success; non-zero if an error occurs while internalizing the label data.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.
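    The mount and pipe externalize/internalize entry points above share one text interface: element_name selects a label namespace, and the text is whatever the policy defines for that namespace. The following is an added example of an internalize/externalize pair for a hypothetical namespace named "sensitivity" whose text form is <level>[:<cat>,<cat>...], for instance 2:1,3; it is not code from the header or from any shipped policy module and serves both the mount and the pipe variants, which differ only in the object the label belongs to. The namespace name, level range and category count are assumptions, and ex_label and ex_sbuf are user-space stand-ins for the policy's slot in struct label and for struct sbuf. The internalize side validates the whole string before writing anything to the label, so malformed text arriving from a user space tool leaves the existing label untouched and is reported as EINVAL.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed parameters of this illustrative policy. */
#define EX_NAMESPACE "sensitivity"  /* label namespace the policy registers */
#define EX_MAX_LEVEL 3u             /* levels 0..3 */
#define EX_NUM_CATS  8u             /* categories 0..7, one bit each */

/* Policy-private label data; a real module keeps this in its slot of struct label. */
struct ex_label { unsigned level; unsigned catmask; };

/* Stand-in for struct sbuf: a fixed buffer that remembers overflow. */
struct ex_sbuf { char buf[64]; size_t len; int error; };

static void
ex_sbuf_cat(struct ex_sbuf *sb, const char *s)
{
    size_t n = strlen(s);
    if (sb->error != 0)
        return;
    if (n >= sizeof(sb->buf) - sb->len) {
        sb->error = ENOMEM;
        return;
    }
    memcpy(sb->buf + sb->len, s, n + 1);
    sb->len += n;
}

/* One decimal number; rejects signs, whitespace and values above max. */
static int
ex_parse_uint(const char **p, unsigned max, unsigned *out)
{
    char *end;
    unsigned long v;
    if (!isdigit((unsigned char)**p))
        return EINVAL;
    v = strtoul(*p, &end, 10);
    if (v > max)
        return EINVAL;
    *out = (unsigned)v;
    *p = end;
    return 0;
}

/* Shape of mpo_mount_label_internalize_t / mpo_pipe_label_internalize_t. */
int
ex_label_internalize(struct ex_label *label, const char *element_name,
    const char *element_data)
{
    const char *p = element_data;
    struct ex_label tmp = { 0, 0 };
    int err;
    /* The framework only calls us for our own namespace; refusing anything
     * else costs nothing and does not rely on that. */
    if (strcmp(element_name, EX_NAMESPACE) != 0)
        return EINVAL;
    if ((err = ex_parse_uint(&p, EX_MAX_LEVEL, &tmp.level)) != 0)
        return err;
    if (*p == ':') {
        do {
            unsigned cat;
            p++;
            if ((err = ex_parse_uint(&p, EX_NUM_CATS - 1, &cat)) != 0)
                return err;
            tmp.catmask |= 1u << cat;
        } while (*p == ',');
    }
    if (*p != '\0')
        return EINVAL;      /* trailing garbage */
    *label = tmp;           /* commit only once the whole string has validated */
    return 0;
}

/* Shape of mpo_mount_label_externalize_t / mpo_pipe_label_externalize_t. */
int
ex_label_externalize(const struct ex_label *label, const char *element_name,
    struct ex_sbuf *sb)
{
    char tmp[16];
    unsigned i;
    int first = 1;
    if (strcmp(element_name, EX_NAMESPACE) != 0)
        return EINVAL;
    snprintf(tmp, sizeof(tmp), "%u", label->level);
    ex_sbuf_cat(sb, tmp);
    for (i = 0; i < EX_NUM_CATS; i++) {
        if ((label->catmask & (1u << i)) == 0)
            continue;
        snprintf(tmp, sizeof(tmp), "%c%u", first ? ':' : ',', i);
        ex_sbuf_cat(sb, tmp);
        first = 0;
    }
    return sb->error;
}

/* errno that internalizing the given text produces. */
int
ex_internalize_errno(const char *text)
{
    struct ex_label l = { 0, 0 };
    return ex_label_internalize(&l, EX_NAMESPACE, text);
}

/* Internalize, then externalize again: canonical text, or NULL on error. */
const char *
ex_roundtrip(const char *text)
{
    static struct ex_sbuf sb;
    struct ex_label l = { 0, 0 };
    memset(&sb, 0, sizeof(sb));
    if (ex_label_internalize(&l, EX_NAMESPACE, text) != 0 ||
        ex_label_externalize(&l, EX_NAMESPACE, &sb) != 0)
        return NULL;
    return sb.buf;
}
```

Because externalize walks the category bitmask in order, the text that comes back is canonical: internalizing 2:3,1 and externalizing again yields 2:1,3, which is the form a policy-agnostic tool should expect to display.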

  • Update a pipe label

    Declaration

    Objective-C

    typedef void mpo_pipe_label_update_t( kauth_cred_t cred, struct pipe *cpipe, struct label *oldlabel, struct label *newlabel );

    Parameters

    cred

    Subject credential

    cpipe

    Object to be labeled

    oldlabel

    Existing pipe label

    newlabel

    New label to replace existing label

    Discussion

    The subject identified by the credential has previously requested and was authorized to relabel the pipe; this entry point allows policies to perform the actual relabel operation. Policies should update oldlabel using the label stored in the newlabel parameter.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_pipe_check_label_update_t

  • Policy unload event

    Declaration

    Objective-C

    typedef void mpo_policy_destroy_t( struct mac_policy_conf *mpc );

    Parameters

    mpc

    MAC policy configuration

    This is the MAC Framework policy unload event. This entry point will only be called if the module's policy configuration allows unload (if the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't want to be unloaded; they should set their flags to prevent this entry point from being called.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    MPC_LOADTIME_FLAG_UNLOADOK

  • Policy initialization event

    Declaration

    Objective-C

    typedef void mpo_policy_init_t( struct mac_policy_conf *mpc );

    Parameters

    mpc

    MAC policy configuration

    Discussion

    This is the MAC Framework policy initialization event. This entry point is called during mac_policy_register, when the policy module is first registered with the MAC Framework. This is often done very early in the boot process, after the kernel Mach subsystem has been initialized, but prior to the BSD subsystem being initialized. Since the kernel BSD services are not yet available, it is possible that some initialization must occur later, possibly in the mpo_policy_initbsd_t policy entry point, such as registering BSD system controls (sysctls). Policy modules loaded at boot time will be registered and initialized before labeled Mach objects are created.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mac_policy_register
    mpo_policy_initbsd_t

  • Policy BSD initialization event

    Declaration

    Objective-C

    typedef void mpo_policy_initbsd_t( struct mac_policy_conf *mpc );

    Parameters

    mpc

    MAC policy configuration

    Discussion

    This entry point is called after the kernel BSD subsystem has been initialized. By this point, the module should already be loaded, registered, and initialized. Since policy modules are initialized before kernel BSD services are available, this second initialization phase is necessary. At this point, BSD services (memory management, synchronization primitives, vfs, etc.) are available, but the first process has not yet been created. Mach-related objects and tasks will already be fully initialized and may be in use; policies requiring ubiquitous labeling may also want to implement mpo_policy_init_t.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_policy_init_t

  • Policy extension service

    Declaration

    Objective-C

    typedef int mpo_policy_syscall_t( struct proc *p, int call, user_addr_t arg );

    Parameters

    p

    Calling process

    call

    Policy-specific syscall number

    arg

    Pointer to syscall arguments

    This entry point provides a policy-multiplexed system call so that policies may provide additional services to user processes without registering specific system calls. The policy name provided during registration is used to demux calls from userland, and the arguments will be forwarded to this entry point. When implementing new services, security modules should be sure to invoke appropriate access control checks from the MAC framework as needed. For example, if a policy implements an augmented signal functionality, it should call the necessary signal access control checks to invoke the MAC framework and other registered policies.

    Return Value

    In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for copying a send right to another task

    Declaration

    Objective-C

    typedef int mpo_port_check_copy_send_t( struct label *task, struct label *port );

    Parameters

    task

    Label of the sender task

    port

    Label of the affected port

    Access control check for copying send rights to the port from the specified task. A complementary entry point, mpo_port_check_hold_send, handles the receiving task. port_check_copy_send is called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.

    The task label and the port are locked. Sleeping is permitted.

    Return Value

    Return 0 if access is granted, non-zero otherwise.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for obtaining a receive right

    Declaration

    Objective-C

    typedef int mpo_port_check_hold_receive_t( struct label *task, struct label *port );

    Parameters

    task

    Label of the receiving task

    port

    Label of the affected port

    Access control check for a task obtaining receive rights to a port. Usually, these are port rights that were obtained with a call to mach_port_allocate. This entry point is called as part of a group of policy invocations when messages with port rights are received. All of these access control checks must succeed in order to receive the message.

    The task label and the port are locked. Sleeping is permitted.

    Return Value

    Return 0 if access is granted, non-zero otherwise.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for obtaining a send once right

    Declaration

    Objective-C

    typedef int mpo_port_check_hold_send_once_t( struct label *task, struct label *port );

    Parameters

    task

    Label of the receiving task

    port

    Label of the affected port

    Access control check for a task obtaining send once rights to a port. Usually, these are port rights that were part of a message sent by another userspace task. port_check_hold_send_once is called as part of a group of policy invocations when messages with port rights are received. All of these access control checks must succeed in order to receive the message.

    The task label and the port are locked. Sleeping is permitted.

    Return Value

    Return 0 if access is granted, non-zero otherwise.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for obtaining a send right

    Declaration

    Objective-C

    typedef int mpo_port_check_hold_send_t( struct label *task, struct label *port );

    Parameters

    task

    Label of the receiving task

    port

    Label of the affected port

    Access control check for a task obtaining send rights to a port. Usually, these are port rights that were part of a message sent by another userspace task. port_check_hold_send is called as part of a group of policy invocations when messages with port rights are received. All of these access control checks must succeed in order to receive the message.

    The task label and the port are locked. Sleeping is permitted.

    Return Value

    Return 0 if access is granted, non-zero otherwise.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for relabelling ports

    Declaration

    Objective-C

    typedef int mpo_port_check_label_update_t( struct label *task, struct label *oldlabel, struct label *newlabel );

    Parameters

    task

    Subject's task label

    oldlabel

    Original label of port

    newlabel

    New label for port

    Access control check for relabelling ports. The policy should indicate whether the subject is permitted to change the label of a port from oldlabel to newlabel. The port is locked, but the subject's task label is not locked.

    Return Value

    Return 0 if access is granted, non-zero otherwise.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for producing a send once right from a receive right

    Declaration

    Objective-C

    typedef int mpo_port_check_make_send_once_t( struct label *task, struct label *port );

    Parameters

    task

    Label of the sender task

    port

    Label of the affected port

    Access control check for obtaining send once rights from receive rights. The new send once right may be destined for the calling task, or a different task. In either case the mpo_port_check_hold_send_once entry point handles the receiving task. port_check_make_send_once may be called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.

    The task label and the port are locked. Sleeping is permitted.

    Return Value

    Return 0 if access is granted, non-zero otherwise.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for producing a send right from a receive right

    Declaration

    Objective-C

    typedef int mpo_port_check_make_send_t( struct label *task, struct label *port );

    Parameters

    task

    Label of the sender task

    port

    Label of the affected port

    Access control check for obtaining send rights from receive rights. The new send right may be destined for the calling task, or a different task. In either case the mpo_port_check_hold_send entry point handles the receiving task. port_check_make_send may be called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.

    The task label and the port are locked. Sleeping is permitted.

    Return Value

    Return 0 if access is granted, non-zero otherwise.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Compute access control check for a Mach message-based service

    Declaration

    Objective-C

    typedef int mpo_port_check_method_t( struct proc *proc, struct label *task, struct label *port, int msgid );

    Parameters

    proc

    Sender's process structure (may be NULL)

    task

    Sender's task label

    port

    Destination port label

    msgid

    Message id

    Access control computation for message-based services. This entry point computes permission to the service requested by the specified port and message id, for example a single MiG server routine, and is unrelated to the access check for sending messages to ports (but that check must succeed for the message to be sent to the destination). The result of this access computation is stored in the message trailer field msgh_ad (only if requested by the recipient); it does not actually inhibit the message from being sent or received.

    Return Value

    0 for access granted, nonzero for access denied.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for transferring a receive right

    Declaration

    Objective-C

    typedef int mpo_port_check_move_receive_t( struct label *task, struct label *port );

    Parameters

    task

    Label of the sender task

    port

    Label of the affected port

    Access control check for transferring the receive right to a port out of the specified task. A complementary entry point, mpo_port_check_hold_receive, handles the receiving task. port_check_move_receive is called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.

    The task label and the port are locked. Sleeping is permitted.

    Return Value

    Return 0 if access is granted, non-zero otherwise.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for transferring a send once right

    Declaration

    Objective-C

    typedef int mpo_port_check_move_send_once_t( struct label *task, struct label *port );

    Parameters

    task

    Label of the sender task

    port

    Label of the affected port

    Access control check for transferring a send once right from one task to the task listening to the specified port. A complementary entry point, mpo_port_check_hold_send_once, handles the receiving task. port_check_move_send_once is called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.

    The task label and the port are locked. Sleeping is permitted.

    Return Value

    Return 0 if access is granted, non-zero otherwise.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for transferring a send right

    Declaration

    Objective-C

    typedef int mpo_port_check_move_send_t( struct label *task, struct label *port );

    Parameters

    task

    Label of the sender task

    port

    Label of the affected port

    Access control check for transferring a send right from one task to the task listening to the specified port. A complementary entry point, mpo_port_check_hold_send, handles the receiving task. port_check_move_send is called as part of a group of policy invocations when messages with port rights are sent. All access control checks made for a particular message must be successful for the message to be sent.

    The task label and the port are locked. Sleeping is permitted.

    Return Value

    Return 0 if access is granted, non-zero otherwise.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for receiving Mach messages

    Declaration

    Objective-C

    typedef int mpo_port_check_receive_t( struct label *task, struct label *sender );

    Parameters

    task

    Label of the receiving task

    sender

    Label of the sending task

    Access control check for receiving messages. The two labels are locked.

    Return Value

    Return 0 if access is granted, non-zero otherwise.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for sending Mach messages

    Declaration

    Objective-C

    typedef int mpo_port_check_send_t( struct label *task, struct label *port );

    Parameters

    task

    Label of the sender task

    port

    Label of the destination port

    Access control check for sending messages. The task label and the port are locked.

    Return Value

    Return 0 if access is granted, non-zero otherwise.

    Availability

    Available in OS X v10.5 through OS X v10.5.
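
    The send, move_send and move_send_once entry points above are invoked together for one message, and the header states that every one of them must succeed. The following is an added, user-space simulation of that composition; it is not code from mac_policy.h or from any Apple policy module. The struct label layout (a level plus a compartment bitmask), the dominance rule, and the my_* function names are assumptions chosen for illustration; the real struct label is opaque to the policy.

```c
/* Added example (not from mac_policy.h): a user-space simulation of how a
 * policy can implement the Mach port-right transfer checks and how the
 * framework combines them for one message. struct label and the
 * level/compartment scheme are stand-ins (assumption). */
#include <errno.h>

struct label {
    int level;              /* sensitivity level of the task or port */
    unsigned compartments;  /* bitmask of compartments */
};

enum port_right { RIGHT_SEND, RIGHT_SEND_ONCE };

/* One right carried in a message and the label of the port it names. */
struct carried_right {
    enum port_right kind;
    const struct label *port;
};

/* a dominates b when its level is at least b's and it holds all of b's compartments. */
static int dominates(const struct label *a, const struct label *b)
{
    return a->level >= b->level &&
           (a->compartments & b->compartments) == b->compartments;
}

/* mpo_port_check_send stand-in. Policy choice (assumption): the destination
 * port must dominate the sending task, so data never flows downward. */
int my_port_check_send(const struct label *task, const struct label *port)
{
    return dominates(port, task) ? 0 : EACCES;
}

/* mpo_port_check_move_send / mpo_port_check_move_send_once stand-ins: a task
 * may only pass on rights to ports it could itself send to. */
int my_port_check_move_send(const struct label *task, const struct label *port)
{
    return my_port_check_send(task, port);
}

int my_port_check_move_send_once(const struct label *task, const struct label *port)
{
    return my_port_check_send(task, port);
}

/* The group of invocations for one message: the destination check plus one
 * check per carried right. Every check must return 0 for the message to be
 * sent, so the first non-zero result is the verdict. */
int message_send_allowed(const struct label *task, const struct label *dest,
                         const struct carried_right *rights, int nrights)
{
    int err = my_port_check_send(task, dest);
    for (int i = 0; err == 0 && i < nrights; i++)
        err = rights[i].kind == RIGHT_SEND
                ? my_port_check_move_send(task, rights[i].port)
                : my_port_check_move_send_once(task, rights[i].port);
    return err;
}

/* Constructed scenario: a low task sends to a high port and includes a send
 * right to another high port. Every check passes, result 0. */
int demo_allowed(void)
{
    struct label low  = { 1, 0x1 };
    struct label high = { 2, 0x3 };
    struct label other_high = { 2, 0x3 };
    struct carried_right rights[] = { { RIGHT_SEND, &other_high } };
    return message_send_allowed(&low, &high, rights, 1);
}

/* Constructed scenario: a high task sends to a high port but tries to hand
 * over a send-once right to a low port. The destination check passes; the
 * move_send_once check fails, so the whole message is refused (EACCES). */
int demo_denied(void)
{
    struct label low  = { 1, 0x1 };
    struct label high = { 2, 0x3 };
    struct carried_right rights[] = {
        { RIGHT_SEND, &high },
        { RIGHT_SEND_ONCE, &low },
    };
    return message_send_allowed(&high, &high, rights, 2);
}
```

    The point to take from demo_denied is that a message is refused even when the destination port itself is acceptable: a right carried inside the message is enough to fail the whole group, which is what prevents a task from laundering a capability through a port it is allowed to talk to.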

  • Generic access control check

    Declaration

    Objective-C

    typedef int mpo_port_check_service_t( struct label *subj, struct label *obj, const char *serv, const char *perm );

    Parameters

    subj

    Caller-provided subject label

    obj

    Caller-provided object label

    serv

    Service or object class name

    perm

    Permission, or method, within the specified service

    This function provides a general way for a user process to query an arbitrary access control decision from the system's security policies. Currently, there are no standards for the format of the service and permission names. Labels may be either cred or port labels; the policy must accept either. The userspace interfaces to this entry point allow label strings or label handles (ports) to be provided.

    Return Value

    Return 0 if access is granted, non-zero otherwise.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Assign a label to a new Mach port created by the kernel

    Declaration

    Objective-C

    typedef void mpo_port_label_associate_kernel_t( struct label *portlabel, int isreply );

    Parameters

    portlabel

    Label for the new port

    isreply

    True if the port is for a reply message from the kernel

    Assign a label to a new port created by the kernel. If the port is being used to reply to a message, isreply is 1 (0 otherwise). The port is locked.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Assign a label to a new Mach port

    Declaration

    Objective-C

    typedef void mpo_port_label_associate_t( struct label *it, struct label *st, struct label *portlabel );

    Parameters

    it

    Task label of issuer

    st

    Task label of target

    portlabel

    Label for the new port

    Assign a label to a new port. The policy can base this label on the label of the calling task, as well as the label of the target task. The target task is the one which receives the first right for this port. Both task labels and the port are locked.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Request label for new (userspace) object

    Declaration

    Objective-C

    typedef int mpo_port_label_compute_t( struct label *subj, struct label *obj, const char *serv, struct label *out );

    Parameters

    subj

    Subject label

    obj

    Parent or existing object label

    serv

    Name of service

    out

    Computed label

    Ask the loaded policies to compute a label based on the two input labels and the service name. There is currently no standard for the service name, or even what the input labels represent (Subject and parent object are only a suggestion). If successful, the computed label is stored in out. All labels must be port (or task) labels. The userspace interfaces to this entry point allow label handles (ports) to be provided.

    Return Value

    0 on success, or an errno value for failure.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Copy a Mach port label

    Declaration

    Objective-C

    typedef void mpo_port_label_copy_t( struct label *src, struct label *dest );

    Parameters

    src

    Source port label

    dest

    Destination port label

    Copy the Mach port label information from src to dest. This is used to copy user-supplied labels into an existing port.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy Mach port label

    Declaration

    Objective-C

    typedef void mpo_port_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a Mach port label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize Mach port label

    Declaration

    Objective-C

    typedef void mpo_port_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize the label for a newly instantiated Mach port. Sleeping is permitted.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Update a Mach task port label

    Declaration

    Objective-C

    typedef void mpo_port_label_update_cred_t( struct label *cred, struct label *task );

    Parameters

    cred

    User credential label to be used as the source

    task

    Mach port label to be used as the destination

    Discussion

    Update the label on a Mach task port, using the supplied user credential label. When a mac_cred_label_update_execve or a mac_cred_label_update operation causes the label on a user credential to change, the Mach task port label also needs to be updated to reflect the change. Both labels are already valid (initialized and created).

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_cred_label_update_t
    mpo_cred_label_update_execve_t

  • Assign a label to a Mach port connected to a kernel object

    Declaration

    Objective-C

    typedef void mpo_port_label_update_kobject_t( struct label *portlabel, int kotype );

    Parameters

    portlabel

    Label for the port

    kotype

    Type of kernel object

    Label a kernel port based on the type of object behind it. The kotype parameter is one of the IKOT constants in <kern/ipc_kobject.h>. The port already has a valid label from either mpo_port_label_associate_kernel, or because it is a task port and has a label derived from the process and task labels. The port is locked.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for POSIX semaphore create

    Declaration

    Objective-C

    typedef int mpo_posixsem_check_create_t( kauth_cred_t cred, const char *name );

    Parameters

    cred

    Subject credential

    name

    String name of the semaphore

    Determine whether the subject identified by the credential can create a POSIX semaphore specified by name.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for POSIX semaphore open

    Declaration

    Objective-C

    typedef int mpo_posixsem_check_open_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel );

    Parameters

    cred

    Subject credential

    ps

    Pointer to semaphore information structure

    semlabel

    Label associated with the semaphore

    Determine whether the subject identified by the credential can open the named POSIX semaphore with label semlabel.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for POSIX semaphore post

    Declaration

    Objective-C

    typedef int mpo_posixsem_check_post_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel );

    Parameters

    cred

    Subject credential

    ps

    Pointer to semaphore information structure

    semlabel

    Label associated with the semaphore

    Determine whether the subject identified by the credential can unlock the named POSIX semaphore with label semlabel.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for POSIX semaphore unlink

    Declaration

    Objective-C

    typedef int mpo_posixsem_check_unlink_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel, const char *name );

    Parameters

    cred

    Subject credential

    ps

    Pointer to semaphore information structure

    semlabel

    Label associated with the semaphore

    name

    String name of the semaphore

    Determine whether the subject identified by the credential can remove the named POSIX semaphore with label semlabel.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for POSIX semaphore wait

    Declaration

    Objective-C

    typedef int mpo_posixsem_check_wait_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel );

    Parameters

    cred

    Subject credential

    ps

    Pointer to semaphore information structure

    semlabel

    Label associated with the semaphore

    Determine whether the subject identified by the credential can lock the named POSIX semaphore with label semlabel.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create a POSIX semaphore label

    Declaration

    Objective-C

    typedef void mpo_posixsem_label_associate_t( kauth_cred_t cred, struct pseminfo *ps, struct label *semlabel, const char *name );

    Parameters

    cred

    Subject credential

    ps

    Pointer to semaphore information structure

    semlabel

    Label to associate with the new semaphore

    name

    String name of the semaphore

    Label a new POSIX semaphore. The label was previously initialized and associated with the semaphore. At this time, an appropriate initial label value should be assigned to the object and stored in semlabel.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy POSIX semaphore label

    Declaration

    Objective-C

    typedef void mpo_posixsem_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a POSIX semaphore label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize POSIX semaphore label

    Declaration

    Objective-C

    typedef void mpo_posixsem_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize the label for a newly instantiated POSIX semaphore. Sleeping is permitted.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for POSIX shared memory region create

    Declaration

    Objective-C

    typedef int mpo_posixshm_check_create_t( kauth_cred_t cred, const char *name );

    Parameters

    cred

    Subject credential

    name

    String name of the shared memory region

    Determine whether the subject identified by the credential can create the POSIX shared memory region referenced by name.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for mapping POSIX shared memory

    Declaration

    Objective-C

    typedef int mpo_posixshm_check_mmap_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, int prot, int flags );

    Parameters

    cred

    Subject credential

    ps

    Pointer to shared memory information structure

    shmlabel

    Label associated with the shared memory region

    prot

    mmap protections; see mmap(2)

    flags

    shmat flags; see shmat(2)

    Determine whether the subject identified by the credential can map the POSIX shared memory segment associated with shmlabel.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for POSIX shared memory region open

    Declaration

    Objective-C

    typedef int mpo_posixshm_check_open_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, int fflags );

    Parameters

    cred

    Subject credential

    ps

    Pointer to shared memory information structure

    shmlabel

    Label associated with the shared memory region

    fflags

    shm_open(2) open flags ('fflags' encoded)

    Determine whether the subject identified by the credential can open the POSIX shared memory region.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for POSIX shared memory stat

    Declaration

    Objective-C

    typedef int mpo_posixshm_check_stat_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel );

    Parameters

    cred

    Subject credential

    ps

    Pointer to shared memory information structure

    shmlabel

    Label associated with the shared memory region

    Determine whether the subject identified by the credential can obtain status for the POSIX shared memory segment associated with shmlabel.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for POSIX shared memory truncate

    Declaration

    Objective-C

    typedef int mpo_posixshm_check_truncate_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, off_t len );

    Parameters

    cred

    Subject credential

    ps

    Pointer to shared memory information structure

    shmlabel

    Label associated with the shared memory region

    len

    Length to truncate or extend shared memory segment

    Determine whether the subject identified by the credential can truncate or extend (to len) the POSIX shared memory segment associated with shmlabel.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for POSIX shared memory unlink

    Declaration

    Objective-C

    typedef int mpo_posixshm_check_unlink_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, const char *name );

    Parameters

    cred

    Subject credential

    ps

    Pointer to shared memory information structure

    shmlabel

    Label associated with the shared memory region

    name

    String name of the shared memory region

    Determine whether the subject identified by the credential can delete the POSIX shared memory segment associated with shmlabel.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create a POSIX shared memory region label

    Declaration

    Objective-C

    typedef void mpo_posixshm_label_associate_t( kauth_cred_t cred, struct pshminfo *ps, struct label *shmlabel, const char *name );

    Parameters

    cred

    Subject credential

    ps

    Pointer to shared memory information structure

    shmlabel

    Label to associate with the new shared memory region

    name

    String name of the shared memory region

    Label a new POSIX shared memory region. The label was previously initialized and associated with the shared memory region. At this time, an appropriate initial label value should be assigned to the object and stored in shmlabel.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy POSIX shared memory label

    Declaration

    Objective-C

    typedef void mpo_posixshm_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a POSIX shared memory region label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize POSIX Shared Memory region label

    Declaration

    Objective-C

    typedef void mpo_posixshm_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize the label for a newly instantiated POSIX Shared Memory region. Sleeping is permitted.

    Availability

    Available in OS X v10.5 through OS X v10.5.
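
    The label entry points for Mach ports (init, copy, destroy) and for POSIX semaphores and shared memory (init, associate, destroy) follow the same life cycle: init only allocates, associate gives the label a value, and destroy releases what init allocated. The following is an added user-space simulation of that cycle, ending in an open check that consumes the associated value; it is not code from mac_policy.h or from any Apple policy module. struct label, kauth_cred_t, struct pshminfo and the my_* names are stand-ins, and the per-policy data layout is an assumption.

```c
/* Added example (not from mac_policy.h): user-space simulation of the
 * label life cycle (init -> associate -> copy -> destroy) described by the
 * mpo_*_label_* entry points. struct label, kauth_cred_t and pshminfo are
 * stand-ins (assumption), as is the per-policy data layout. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the framework's opaque label: one slot of per-policy data. */
struct label { void *policy_data; };
struct mycred { int uid; int level; };          /* stand-in for kauth_cred_t */
typedef struct mycred *kauth_cred_t;
struct pshminfo { char name[32]; };             /* stand-in */

/* The policy's own per-object data. */
struct myshm_data {
    int owner_uid;
    int level;
    char name[32];
};

/* mpo_posixshm_label_init stand-in: allocate storage only, no meaning yet.
 * Sleeping (a blocking allocation) is permitted at this point. */
void my_posixshm_label_init(struct label *label)
{
    label->policy_data = calloc(1, sizeof(struct myshm_data));
}

/* mpo_posixshm_label_associate stand-in: derive the label's value from the
 * creating credential and the region name. */
void my_posixshm_label_associate(kauth_cred_t cred, struct pshminfo *ps,
                                 struct label *shmlabel, const char *name)
{
    struct myshm_data *d = shmlabel->policy_data;
    d->owner_uid = cred->uid;
    d->level = cred->level;
    strncpy(d->name, name, sizeof d->name - 1);   /* calloc zeroed the tail */
    (void)ps;
}

/* mpo_posixshm_label_destroy stand-in: release what init allocated; the
 * framework frees struct label itself afterward. */
void my_posixshm_label_destroy(struct label *label)
{
    free(label->policy_data);
    label->policy_data = NULL;   /* makes a second destroy harmless */
}

/* mpo_port_label_copy stand-in: dest is already initialized, so copy the
 * contents, never the pointer, or destroy would free the same block twice. */
void my_label_copy(struct label *src, struct label *dest)
{
    memcpy(dest->policy_data, src->policy_data, sizeof(struct myshm_data));
}

/* An access check that consumes the associated value (mpo_posixshm_check_open
 * style): the opener's level must reach the region's level. */
int my_posixshm_check_open(kauth_cred_t cred, struct pshminfo *ps,
                           struct label *shmlabel, int fflags)
{
    const struct myshm_data *d = shmlabel->policy_data;
    (void)ps; (void)fflags;
    return cred->level >= d->level ? 0 : EACCES;
}

/* Walk one constructed object through its whole life and return the open
 * verdict for a requester at the given level: 0 or EACCES. */
int lifecycle_demo(int requester_level)
{
    struct mycred creator = { 501, 2 };
    struct mycred requester = { 502, requester_level };
    struct pshminfo ps = { "sample-region" };    /* constructed */
    struct label l1, l2;
    int verdict;

    my_posixshm_label_init(&l1);
    my_posixshm_label_init(&l2);
    my_posixshm_label_associate(&creator, &ps, &l1, ps.name);
    my_label_copy(&l1, &l2);                     /* the copy outlives l1 */
    my_posixshm_label_destroy(&l1);
    verdict = my_posixshm_check_open(&requester, &ps, &l2, 0);
    my_posixshm_label_destroy(&l2);
    return verdict;
}
```

    Two details matter for correctness in a real module: the copy routine duplicates the data rather than aliasing the pointer, so the two labels can be destroyed independently, and destroy clears the slot so that a stale label cannot be freed twice.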

  • Access control check for debugging process

    Declaration

    Objective-C

    typedef int mpo_proc_check_debug_t( kauth_cred_t cred, struct proc *proc );

    Parameters

    cred

    Subject credential

    proc

    Object process

    Determine whether the subject identified by the credential can debug the passed process. This call may be made in a number of situations, including use of the ptrace(2) and ktrace(2) APIs, as well as for some types of procfs operations.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to hide visibility of the target.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control over fork

    Declaration

    Objective-C

    typedef int mpo_proc_check_fork_t( kauth_cred_t cred, struct proc *proc );

    Parameters

    cred

    Subject credential

    proc

    Subject process trying to fork

    Determine whether the subject identified by the credential is allowed to fork.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for getting a process's task name

    Declaration

    Objective-C

    typedef int mpo_proc_check_get_task_name_t( kauth_cred_t cred, struct proc *p );

    Parameters

    cred

    Subject credential

    p

    Object process

    Determine whether the subject identified by the credential can get the passed process's task name port. This call is used by the task_name_for_pid(2) API.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to hide visibility of the target.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for getting a process's task port

    Declaration

    Objective-C

    typedef int mpo_proc_check_get_task_t( kauth_cred_t cred, struct proc *p );

    Parameters

    cred

    Subject credential

    p

    Object process

    Determine whether the subject identified by the credential can get the passed process's task control port. This call is used by the task_for_pid(2) API.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to hide visibility of the target.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for retrieving audit information

    Declaration

    Objective-C

    typedef int mpo_proc_check_getaudit_t( kauth_cred_t cred );

    Parameters

    cred

    Subject credential

    Determine whether the subject identified by the credential can get audit information such as the audit user ID, the preselection mask, the terminal ID and the audit session ID, using the getaudit() system call.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for retrieving audit user ID

    Declaration

    Objective-C

    typedef int mpo_proc_check_getauid_t( kauth_cred_t cred );

    Parameters

    cred

    Subject credential

    Determine whether the subject identified by the credential can get the user identity being used by the auditing system, using the getauid() system call.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for retrieving Login Context ID

    Declaration

    Objective-C

    typedef int mpo_proc_check_getlcid_t( struct proc *p0, struct proc *p, pid_t pid );

    Parameters

    p0

    Calling process

    p

    Affected process

    pid

    syscall PID argument

    Determine whether the getlcid(2) system call is permitted.

    Information returned by this system call is similar to that returned via process listings etc.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for setting memory protections

    Declaration

    Objective-C

    typedef int mpo_proc_check_mprotect_t( kauth_cred_t cred, struct proc *proc, user_addr_t addr, user_size_t size, int prot );

    Parameters

    cred

    Subject credential

    proc

    User process requesting the change

    addr

    Start address of the memory range

    size

    Length of the memory range

    prot

    Memory protections, see mmap(2)

    Determine whether the subject identified by the credential should be allowed to set the specified memory protections on memory mapped in the process proc.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for changing scheduling parameters

    Declaration

    Objective-C

    typedef int mpo_proc_check_sched_t( kauth_cred_t cred, struct proc *proc );

    Parameters

    cred

    Subject credential

    proc

    Object process

    Determine whether the subject identified by the credential can change the scheduling parameters of the passed process.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to limit visibility.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for setting audit information

    Declaration

    Objective-C

    typedef int mpo_proc_check_setaudit_t( kauth_cred_t cred, struct auditinfo_addr *ai );

    Parameters

    cred

    Subject credential

    ai

    Audit information

    Determine whether the subject identified by the credential can set audit information such as the preselection mask, the terminal ID and the audit session ID, using the setaudit() system call.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for setting audit user ID

    Declaration

    Objective-C

    typedef int mpo_proc_check_setauid_t( kauth_cred_t cred, uid_t auid );

    Parameters

    cred

    Subject credential

    auid

    Audit user ID

    Determine whether the subject identified by the credential can set the user identity used by the auditing system, using the setauid() system call.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for setting the Login Context

    Declaration

    Objective-C

    typedef int mpo_proc_check_setlcid_t( struct proc *p0, struct proc *p, pid_t pid, pid_t lcid );

    Parameters

    p0

    Calling process

    p

    Affected process

    pid

    syscall PID argument

    lcid

    syscall LCID argument

    Determine whether the setlcid(2) system call is permitted.

    See the xnu/bsd/kern/kern_prot.c:setlcid() implementation for an example of decoding the syscall arguments to determine the action desired by the caller.

    Five distinct actions are possible: CREATE, JOIN, LEAVE, ADOPT, ORPHAN.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for delivering signal

    Declaration

    Objective-C

    typedef int mpo_proc_check_signal_t( kauth_cred_t cred, struct proc *proc, int signum );

    Parameters

    cred

    Subject credential

    proc

    Object process

    signum

    Signal number; see kill(2)

    Determine whether the subject identified by the credential can deliver the passed signal to the passed process.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to limit visibility.

    Availability

    Available in OS X v10.5 through OS X v10.5.
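
    The debug, get_task, sched and signal checks above all suggest the same three failure codes: EACCES for a label mismatch, EPERM for a lack of privilege, and ESRCH to hide the target. The order in which a policy tests those conditions decides what a caller can learn from a denial. The following is an added user-space simulation of that ordering; it is not code from mac_policy.h or from any Apple policy module. The label fields, the stand-in kauth_cred_t and struct proc, and the my_* names are assumptions.

```c
/* Added example (not from mac_policy.h): a user-space simulation of the
 * failure-code convention the process checks describe: EACCES for a label
 * mismatch, EPERM for missing privilege, ESRCH to hide the target. Types
 * and label fields are stand-ins (assumption). */
#include <errno.h>
#include <signal.h>

struct mylabel { int level; int hidden; };                         /* stand-in label */
struct mycred { int uid; int privileged; struct mylabel label; };  /* kauth_cred_t stand-in */
typedef struct mycred *kauth_cred_t;
struct proc { int pid; struct mylabel label; };                    /* stand-in */

/* Shared decision; the order matters. Visibility is decided first so that a
 * caller who must not learn the target exists gets the same ESRCH it would
 * get for a PID that was never allocated, rather than a revealing EACCES. */
static int subject_may_act_on(kauth_cred_t cred, struct proc *p, int needs_priv)
{
    if (p->label.hidden && cred->label.level < p->label.level)
        return ESRCH;                 /* hide visibility of the target */
    if (cred->label.level < p->label.level)
        return EACCES;                /* label mismatch */
    if (needs_priv && !cred->privileged)
        return EPERM;                 /* lack of privilege */
    return 0;
}

/* mpo_proc_check_debug stand-in: attaching a debugger needs privilege. */
int my_proc_check_debug(kauth_cred_t cred, struct proc *proc)
{
    return subject_may_act_on(cred, proc, 1);
}

/* mpo_proc_check_get_task stand-in: task_for_pid() hands out the task
 * control port, which is as powerful as debugging, so the same rule applies. */
int my_proc_check_get_task(kauth_cred_t cred, struct proc *p)
{
    return subject_may_act_on(cred, p, 1);
}

/* mpo_proc_check_signal stand-in: signal 0 only probes for existence and
 * needs no privilege; anything that can stop or kill the target does. */
int my_proc_check_signal(kauth_cred_t cred, struct proc *proc, int signum)
{
    return subject_may_act_on(cred, proc, signum != 0);
}

/* Constructed subjects and objects; returns the errno verdict per scenario. */
int proc_demo(int scenario)
{
    struct mycred unpriv_low  = { 501, 0, { 1, 0 } };
    struct mycred unpriv_high = { 502, 0, { 2, 0 } };
    struct mycred priv_high   = { 0,   1, { 2, 0 } };
    struct proc visible_high  = { 100, { 2, 0 } };
    struct proc hidden_high   = { 101, { 2, 1 } };

    switch (scenario) {
    case 0: return my_proc_check_debug(&priv_high, &visible_high);          /* 0 */
    case 1: return my_proc_check_debug(&unpriv_high, &visible_high);        /* EPERM */
    case 2: return my_proc_check_get_task(&unpriv_low, &visible_high);      /* EACCES */
    case 3: return my_proc_check_signal(&unpriv_low, &hidden_high, SIGTERM); /* ESRCH */
    case 4: return my_proc_check_signal(&unpriv_high, &visible_high, 0);    /* 0 */
    default: return my_proc_check_signal(&unpriv_high, &visible_high, SIGKILL); /* EPERM */
    }
}
```

    Scenario 3 is the one worth studying: the low subject is told ESRCH, not EACCES, so the existence of the hidden process is not leaked through the error code, while scenario 4 shows that a probe with signal 0 by a subject at the right level still succeeds.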

  • Access control check for wait

    Declaration

    Objective-C

    typedef int mpo_proc_check_wait_t( kauth_cred_t cred, struct proc *proc );

    Parameters

    cred

    Subject credential

    proc

    Object process

    Determine whether the subject identified by the credential can wait for process termination.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy process label

    Declaration

    Objective-C

    typedef void mpo_proc_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a process label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize process label

    Declaration

    Objective-C

    typedef void mpo_proc_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Discussion

    Initialize the label for a newly instantiated BSD process structure. Normally, security policies will store the process label in the user credential rather than here in the process structure. However, there are some floating label policies that may need to temporarily store a label in the process structure until it is safe to update the user credential label. Sleeping is permitted.

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_cred_label_init_t

  • Access control check for socket accept

    Declaration

    Objective-C

    typedef int mpo_socket_check_accept_t( kauth_cred_t cred, socket_t so, struct label *socklabel );

    Parameters

    cred

    Subject credential

    so

    Object socket

    socklabel

    Policy label for socket

    Determine whether the subject identified by the credential can accept() a new connection on the socket.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for a pending socket accept

    Declaration

    Objective-C

    typedef int mpo_socket_check_accepted_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockaddr *addr );

    Parameters

    cred

    Subject credential

    so

    Object socket

    socklabel

    Policy label for socket

    addr

    Address of the listening socket (coming soon)

    Determine whether the subject identified by the credential can accept() a pending connection on the socket from the host specified by addr.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for socket bind

    Declaration

    Objective-C

    typedef int mpo_socket_check_bind_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockaddr *addr );

    Parameters

    cred

    Subject credential

    so

    Object socket

    socklabel

    Policy label for socket

    addr

    Name to assign to the socket

    Determine whether the subject identified by the credential can bind() the name (addr) to the socket.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for socket connect

    Declaration

    Objective-C

    typedef int mpo_socket_check_connect_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockaddr *addr );

    Parameters

    cred

    Subject credential

    so

    Object socket

    socklabel

    Policy label for socket

    addr

    Address of the remote host to connect to

    Determine whether the subject identified by the credential can connect() the passed socket to the remote host specified by addr.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.
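
    The bind and connect checks receive the address as a generic struct sockaddr, so a policy has to dispatch on the address family before it can reason about the destination, and it has to decide what to do with families it does not understand. The following is an added user-space simulation of a connect check that confines a labeled subject to one IPv4 network; it is not code from mac_policy.h or from any Apple policy module. socket_t, kauth_cred_t and struct label are stand-ins, the 10.0.0.0/8 allow-list is constructed, and the my_* name is an assumption; struct sockaddr, sockaddr_in and sockaddr_in6 are the real BSD types.

```c
/* Added example (not from mac_policy.h): user-space simulation of
 * mpo_socket_check_connect for a policy that confines a labeled subject
 * to one network. socket_t, kauth_cred_t and struct label are stand-ins
 * (assumption); the sockaddr types are the real BSD ones. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

typedef void *socket_t;                                   /* stand-in */
struct mycred { int confined; };                          /* stand-in */
typedef struct mycred *kauth_cred_t;
struct label { int unused; };                             /* stand-in */

/* Constructed policy data: confined subjects may only reach 10.0.0.0/8. */
static const uint32_t ALLOWED_NET  = 0x0A000000u;   /* 10.0.0.0 */
static const uint32_t ALLOWED_MASK = 0xFF000000u;   /* /8 */

int my_socket_check_connect(kauth_cred_t cred, socket_t so,
                            struct label *socklabel, struct sockaddr *addr)
{
    (void)so; (void)socklabel;
    if (!cred->confined)
        return 0;                    /* unconfined subjects are not restricted */
    if (addr == NULL)
        return EINVAL;

    switch (addr->sa_family) {
    case AF_INET: {
        /* Copy rather than cast: the caller's buffer need not be aligned. */
        struct sockaddr_in sin;
        memcpy(&sin, addr, sizeof sin);
        uint32_t host = ntohl(sin.sin_addr.s_addr);
        return (host & ALLOWED_MASK) == ALLOWED_NET ? 0 : EACCES;
    }
    case AF_UNIX:
        return 0;                    /* local IPC stays allowed */
    default:
        return EAFNOSUPPORT;         /* fail closed on families we do not parse */
    }
}

/* Build an AF_INET sockaddr from dotted text and evaluate it. */
int connect_demo(const char *ip, int confined)
{
    struct mycred cred = { confined };
    struct label lbl = { 0 };
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(443);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return EINVAL;
    return my_socket_check_connect(&cred, NULL, &lbl, (struct sockaddr *)&sin);
}

/* The same check for an IPv6 address, showing the fail-closed default. */
int connect_demo_v6(int confined)
{
    struct mycred cred = { confined };
    struct label lbl = { 0 };
    struct sockaddr_in6 sin6;
    memset(&sin6, 0, sizeof sin6);
    sin6.sin6_family = AF_INET6;
    return my_socket_check_connect(&cred, NULL, &lbl, (struct sockaddr *)&sin6);
}
```

    The default branch is the design choice to notice: a policy that silently allows address families it does not parse gives a confined subject an IPv6 path around an IPv4-only rule, so unknown families are refused until the policy grows a case for them.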

  • Access control check for socket() system call.

    Declaration

    Objective-C

    typedef int mpo_socket_check_create_t( kauth_cred_t cred, int domain, int type, int protocol );

    Parameters

    cred

    Subject credential

    domain

    communication domain

    type

    socket type

    protocol

    socket protocol

    Determine whether the subject identified by the credential can make the socket() call.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for delivering data to a user's receive queue

    Declaration

    Objective-C

    typedef int mpo_socket_check_deliver_t( socket_t so, struct label *so_label, struct mbuf *m, struct label *m_label );

    Parameters

    so

    The socket data is being delivered to

    so_label

    The label of so

    m

    The mbuf whose data will be deposited into the receive queue

    m_label

    The label of the sender of the data.

    A socket has a queue for receiving incoming data. When a packet arrives on the wire, it eventually gets deposited into this queue, which the owner of the socket drains when they read from the socket's file descriptor.

    This function determines whether the socket can receive data from the sender specified by m_label.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for getting socket options

    Declaration

    Objective-C

    typedef int mpo_socket_check_getsockopt_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockopt *sopt );

    Parameters

    cred

    Subject credential

    so

    Object socket

    socklabel

    Policy label for so

    sopt

    The options to get

    Determine whether the subject identified by the credential can execute the getsockopt system call on the given socket.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for socket kqfilter

    Declaration

    Objective-C

    typedef int mpo_socket_check_kqfilter_t( kauth_cred_t cred, struct knote *kn, socket_t so, struct label *socklabel );

    Parameters

    cred

    Subject credential

    kn

    Object knote

    so

    Object socket

    socklabel

    Policy label for socket

    Determine whether the subject identified by the credential can receive the knote on the passed socket.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for socket relabel

    Declaration

    Objective-C

    typedef int mpo_socket_check_label_update_t( kauth_cred_t cred, socket_t so, struct label *so_label, struct label *newlabel );

    Parameters

    cred

    Subject credential

    so

    Object socket

    so_label

    The current label of so

    newlabel

    The label to be assigned to so

    Determine whether the subject identified by the credential can change the label on the socket.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for socket listen

    Declaration

    Objective-C

    typedef int mpo_socket_check_listen_t( kauth_cred_t cred, socket_t so, struct label *socklabel );

    Parameters

    cred

    Subject credential

    so

    Object socket

    socklabel

    Policy label for socket

    Determine whether the subject identified by the credential can listen() on the passed socket.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for socket receive

    Declaration

    Objective-C

    typedef int mpo_socket_check_receive_t( kauth_cred_t cred, socket_t so, struct label *socklabel );

    Parameters

    cred

    Subject credential

    so

    Object socket

    socklabel

    Policy label for socket

    Determine whether the subject identified by the credential can receive data from the socket.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for socket receive

    Declaration

    Objective-C

    typedef int mpo_socket_check_received_t( kauth_cred_t cred, struct socket *sock, struct label *socklabel, struct sockaddr *saddr );

    Parameters

    cred

    Subject credential

    sock

    Object socket

    socklabel

    Policy label for socket

    saddr

    Name of the remote socket

    Determine whether the subject identified by the credential can receive data from the remote host specified by saddr.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for socket select

    Declaration

    Objective-C

    typedef int mpo_socket_check_select_t( kauth_cred_t cred, socket_t so, struct label *socklabel, int which );

    Parameters

    cred

    Subject credential

    so

    Object socket

    socklabel

    Policy label for socket

    which

    The operation selected on: FREAD or FWRITE

    Determine whether the subject identified by the credential can use the socket in a call to select().

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for socket send

    Declaration

    Objective-C

    typedef int mpo_socket_check_send_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockaddr *addr );

    Parameters

    cred

    Subject credential

    so

    Object socket

    socklabel

    Policy label for socket

    addr

    Address being sent to

    Determine whether the subject identified by the credential can send data to the socket.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for setting socket options

    Declaration

    Objective-C

    typedef int mpo_socket_check_setsockopt_t( kauth_cred_t cred, socket_t so, struct label *socklabel, struct sockopt *sopt );

    Parameters

    cred

    Subject credential

    so

    Object socket

    socklabel

    Policy label for so

    sopt

    The options being set

    Determine whether the subject identified by the credential can execute the setsockopt system call on the given socket.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for retrieving socket status

    Declaration

    Objective-C

    typedef int mpo_socket_check_stat_t( kauth_cred_t cred, socket_t so, struct label *socklabel );

    Parameters

    cred

    Subject credential

    so

    Object socket

    socklabel

    Policy label for so

    Determine whether the subject identified by the credential can execute the stat() system call on the given socket.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Label a socket

    Declaration

    Objective-C

    typedef void mpo_socket_label_associate_accept_t( socket_t oldsock, struct label *oldlabel, socket_t newsock, struct label *newlabel );

    Parameters

    oldsock

    Listening socket

    oldlabel

    Policy label associated with oldsock

    newsock

    New socket

    newlabel

    Policy label associated with newsock

    A new socket is created when a connection is accept(2)ed. This function labels the new socket based on the existing listen(2)ing socket.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Assign a label to a new socket

    Declaration

    Objective-C

    typedef void mpo_socket_label_associate_t( kauth_cred_t cred, socket_t so, struct label *solabel );

    Parameters

    cred

    Credential of the owning process

    so

    The socket being labeled

    solabel

    The label

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Copy a socket label

    Declaration

    Objective-C

    typedef void mpo_socket_label_copy_t( struct label *src, struct label *dest );

    Parameters

    src

    Source label

    dest

    Destination label

    Copy the socket label information in src into dest.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy socket label

    Declaration

    Objective-C

    typedef void mpo_socket_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a socket label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Externalize a socket label

    Declaration

    Objective-C

    typedef int mpo_socket_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );

    Parameters

    label

    Label to be externalized

    element_name

    Name of the label namespace for which labels should be externalized

    sb

    String buffer to be filled with a text representation of label

    Produce an externalized socket label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. If element_name does not match a namespace managed by the policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data.

    Return Value

    In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize socket label

    Declaration

    Objective-C

    typedef int mpo_socket_label_init_t( struct label *label, int waitok );

    Parameters

    label

    New label to initialize

    waitok

    Malloc flags

    Initialize the label of a newly instantiated socket. The waitok field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call. It is not always safe to sleep during this entry point.

    Return Value

    In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Internalize a socket label

    Declaration

    Objective-C

    typedef int mpo_socket_label_internalize_t( struct label *label, char *element_name, char *element_data );

    Parameters

    label

    Label to be filled in

    element_name

    Name of the label namespace for which the label should be internalized

    element_data

    Text data to be internalized

    Produce an internal socket label structure based on externalized label data in text format.

    The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

    Return Value

    In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

    Availability

    Available in OS X v10.5 through OS X v10.5.
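
The init, externalize, internalize and destroy contracts described in the socket label entries above (M_WAITOK versus M_NOWAIT, contributing nothing for a namespace the policy does not manage, returning nonzero only on error, and treating element_data as untrusted userland text), as an added example in C. This is not code from mac_policy.h or from Apple: struct label, struct sbuf, the M_* flag values and the allocator are stand-ins so it builds in userland, and the "sockpol" namespace with its "level=N" text format is invented for the illustration.

```c
/* Added example, not code from mac_policy.h or from Apple: a userland model of one
 * policy's socket-label entry points; kernel types, flags and struct sbuf are stand-ins. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define M_WAITOK 0x0000               /* stand-in values for the malloc(9) flags */
#define M_NOWAIT 0x0001
struct label { void *l_perpolicy; };  /* stand-in: the slot this policy owns */
struct sbuf { char *s_buf; size_t s_cap; size_t s_len; };  /* stand-in text buffer */

static int model_alloc_pressure;      /* test hook: 1 = nothing free without sleeping */
static void *model_malloc(size_t size, int waitok)
{   /* a non-sleeping request fails under pressure; with M_WAITOK the kernel would sleep */
    return ((waitok & M_NOWAIT) && model_alloc_pressure) ? NULL : malloc(size);
}

static char sockpol_ns[] = "sockpol"; /* the one label namespace this policy manages */
#define SOCKPOL_MAX_LEVEL 15
struct sockpol { int level; };        /* policy-private data kept behind the label */

int sockpol_socket_label_init(struct label *label, int waitok)
{   /* mpo_socket_label_init_t: allocate policy storage, never sleeping under M_NOWAIT */
    struct sockpol *sp = model_malloc(sizeof(*sp), waitok);
    if (sp == NULL)
        return ENOMEM;                /* honour M_NOWAIT: report failure instead */
    sp->level = 0;
    label->l_perpolicy = sp;
    return 0;
}

int sockpol_socket_label_externalize(struct label *label, char *element_name, struct sbuf *sb)
{   /* mpo_socket_label_externalize_t: append "level=N", but only for our namespace */
    struct sockpol *sp = label->l_perpolicy; int n;
    if (strcmp(element_name, sockpol_ns) != 0 || sp == NULL)
        return 0;                     /* not our namespace: add nothing, report success */
    n = snprintf(sb->s_buf + sb->s_len, sb->s_cap - sb->s_len, "level=%d", sp->level);
    if (n < 0 || (size_t)n >= sb->s_cap - sb->s_len)
        return ENOMEM;                /* nonzero only because the text did not fit */
    sb->s_len += (size_t)n;
    return 0;
}

int sockpol_socket_label_internalize(struct label *label, char *element_name, char *element_data)
{   /* mpo_socket_label_internalize_t: parse "level=N" from userland text, strictly */
    struct sockpol *sp = label->l_perpolicy;
    char *num, *end; long level;
    if (strcmp(element_name, sockpol_ns) != 0 || sp == NULL || strncmp(element_data, "level=", 6) != 0)
        return EINVAL;
    num = element_data + 6;
    errno = 0;
    level = strtol(num, &end, 10);
    /* Userland text is untrusted: reject empty, trailing junk and out-of-range values. */
    if (errno != 0 || end == num || *end != '\0' || level < 0 || level > SOCKPOL_MAX_LEVEL)
        return EINVAL;
    sp->level = (int)level;
    return 0;
}

void sockpol_socket_label_destroy(struct label *label)
{   /* mpo_socket_label_destroy_t: release policy storage and clear the slot */
    free(label->l_perpolicy);
    label->l_perpolicy = NULL;        /* leave no dangling pointer behind */
}

/* Drivers that call the entry points the way the framework would. */
int sockpol_internalize_text(char *text)     /* level accepted, or -errno if rejected */
{
    struct label l = {0};
    int rc = sockpol_socket_label_init(&l, M_WAITOK);
    if (rc == 0 && (rc = sockpol_socket_label_internalize(&l, sockpol_ns, text)) == 0)
        rc = -((struct sockpol *)l.l_perpolicy)->level;
    sockpol_socket_label_destroy(&l);
    return -rc;                       /* level comes back positive, errno negative */
}

int sockpol_roundtrip(int level, char *ns)  /* externalize under ns, feed the text back in */
{
    struct label a = {0}; char buf[32] = "";
    struct sbuf sb = { buf, sizeof buf, 0 };
    int rc = sockpol_socket_label_init(&a, M_WAITOK);
    if (rc == 0) {
        ((struct sockpol *)a.l_perpolicy)->level = level;
        rc = sockpol_socket_label_externalize(&a, ns, &sb);
    }
    sockpol_socket_label_destroy(&a);
    return rc == 0 ? sockpol_internalize_text(buf) : -rc;
}

int sockpol_init_under_pressure(int waitok)  /* errno from init when memory is scarce */
{
    struct label l = {0}; int rc;
    model_alloc_pressure = 1;
    rc = sockpol_socket_label_init(&l, waitok);
    model_alloc_pressure = 0;
    sockpol_socket_label_destroy(&l);
    return rc;
}
```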

  • Relabel socket

    Declaration

    Objective-C

    typedef void mpo_socket_label_update_t( kauth_cred_t cred, socket_t so, struct label *so_label, struct label *newlabel );

    Parameters

    cred

    Subject credential

    so

    Object socket

    so_label

    Current label of the socket

    newlabel

    The label to be assigned to so

    The subject identified by the credential has previously requested and was authorized to relabel the socket; this entry point allows policies to perform the actual label update operation.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Set the peer label on a socket from mbuf

    Declaration

    Objective-C

    typedef void mpo_socketpeer_label_associate_mbuf_t( struct mbuf *m, struct label *m_label, socket_t so, struct label *so_label );

    Parameters

    m

    Mbuf chain received on socket so

    m_label

    Label for m

    so

    Socket on which m was received

    so_label

    Policy label to be filled out for the socket

    Set the peer label of a socket based on the label of the sender of the mbuf.

    This is called for every TCP/IP packet received. The first call for a given socket operates on a newly initialized label, and subsequent calls operate on existing label data.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Set the peer label on a socket from socket

    Declaration

    Objective-C

    typedef void mpo_socketpeer_label_associate_socket_t( socket_t source, struct label *sourcelabel, socket_t target, struct label *targetlabel );

    Parameters

    source

    Local socket

    sourcelabel

    Policy label for source

    target

    Peer socket

    targetlabel

    Policy label to fill in for target

    Set the peer label on a stream UNIX domain socket from the passed remote socket endpoint. This call will be made when the socket pair is connected, and will be made for both endpoints.

    Note that this call is only made on connection; it is currently not updated during communication.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy socket peer label

    Declaration

    Objective-C

    typedef void mpo_socketpeer_label_destroy_t( struct label *label );

    Parameters

    label

    The peer label to be destroyed

    Destroy a socket peer label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Externalize a socket peer label

    Declaration

    Objective-C

    typedef int mpo_socketpeer_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );

    Parameters

    label

    Label to be externalized

    element_name

    Name of the label namespace for which labels should be externalized

    sb

    String buffer to be filled with a text representation of label

    Produce an externalized socket peer label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. If element_name does not match a namespace managed by the policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data.

    Return Value

    In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize socket peer label

    Declaration

    Objective-C

    typedef int mpo_socketpeer_label_init_t( struct label *label, int waitok );

    Parameters

    label

    New label to initialize

    waitok

    Malloc flags

    Initialize the peer label of a newly instantiated socket. The waitok field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call. It is not always safe to sleep during this entry point.

    Return Value

    In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for enabling accounting

    Declaration

    Objective-C

    typedef int mpo_system_check_acct_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel );

    Parameters

    cred

    Subject credential

    vp

    Accounting file

    vlabel

    Label associated with vp

    Determine whether the subject should be allowed to enable accounting, based on its label and the label of the accounting log file. See acct(5) for more information.

    As accounting is disabled by passing NULL to the acct(2) system call, the policy should be prepared for both 'vp' and 'vlabel' to be NULL.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for audit

    Declaration

    Objective-C

    typedef int mpo_system_check_audit_t( kauth_cred_t cred, void *record, int length );

    Parameters

    cred

    Subject credential

    record

    Audit record

    length

    Audit record length

    Determine whether the subject identified by the credential can submit an audit record for inclusion in the audit log via the audit() system call.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for controlling audit

    Declaration

    Objective-C

    typedef int mpo_system_check_auditctl_t( kauth_cred_t cred, struct vnode *vp, struct label *vl );

    Parameters

    cred

    Subject credential

    vp

    Audit file

    vl

    Label associated with vp

    Determine whether the subject should be allowed to enable auditing using the auditctl() system call, based on its label and the label of the proposed audit file.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for manipulating auditing

    Declaration

    Objective-C

    typedef int mpo_system_check_auditon_t( kauth_cred_t cred, int cmd );

    Parameters

    cred

    Subject credential

    cmd

    Audit control command

    Determine whether the subject identified by the credential can perform the audit subsystem control operation cmd via the auditon() system call.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for obtaining the host control port

    Declaration

    Objective-C

    typedef int mpo_system_check_host_priv_t( kauth_cred_t cred );

    Parameters

    cred

    Subject credential

    Determine whether the subject identified by the credential can obtain the host control port.

    Return Value

    Return 0 if access is granted, or non-zero otherwise.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for calling NFS services

    Declaration

    Objective-C

    typedef int mpo_system_check_nfsd_t( kauth_cred_t cred );

    Parameters

    cred

    Subject credential

    Determine whether the subject identified by the credential should be allowed to call nfssrv(2).

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for reboot

    Declaration

    Objective-C

    typedef int mpo_system_check_reboot_t( kauth_cred_t cred, int howto );

    Parameters

    cred

    Subject credential

    howto

    howto parameter from reboot(2)

    Determine whether the subject identified by the credential should be allowed to reboot the system in the specified manner.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for setting system clock

    Declaration

    Objective-C

    typedef int mpo_system_check_settime_t( kauth_cred_t cred );

    Parameters

    cred

    Subject credential

    Determine whether the subject identified by the credential should be allowed to set the system clock.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for removing swap devices

    Declaration

    Objective-C

    typedef int mpo_system_check_swapoff_t( kauth_cred_t cred, struct vnode *vp, struct label *label );

    Parameters

    cred

    Subject credential

    vp

    Swap device

    label

    Label associated with vp

    Determine whether the subject identified by the credential should be allowed to remove vp as a swap device.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for adding swap devices

    Declaration

    Objective-C

    typedef int mpo_system_check_swapon_t( kauth_cred_t cred, struct vnode *vp, struct label *label );

    Parameters

    cred

    Subject credential

    vp

    Swap device

    label

    Label associated with vp

    Determine whether the subject identified by the credential should be allowed to add vp as a swap device.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for sysctl

    Declaration

    Objective-C

    typedef int mpo_system_check_sysctl_t( kauth_cred_t cred, int *name, u_int namelen, user_addr_t old, /* NULLOK */ user_addr_t oldlenp, /* NULLOK */ int inkernel, user_addr_t newvalue, /* NULLOK */ size_t newlen );

    Parameters

    cred

    Subject credential

    name

    Integer name; see sysctl(3)

    namelen

    Length of name array of integers; see sysctl(3)

    old

    0 or address where to store old value; see sysctl(3)

    oldlenp

    Pointer to length of old buffer; see sysctl(3)

    inkernel

    Boolean; 1 if called from kernel

    newvalue

    0 or address of new value; see sysctl(3)

    newlen

    Length of new buffer; see sysctl(3)

    Determine whether the subject identified by the credential should be allowed to make the specified sysctl(3) transaction.

    The sysctl(3) call specifies that if the old value is not desired, oldp (old here) and oldlenp should be set to NULL. Likewise, if a new value is not to be set, newp (newvalue here) should be set to NULL and newlen set to 0.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create a System V message label

    Declaration

    Objective-C

    typedef void mpo_sysvmsg_label_associate_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel, struct msg *msgptr, struct label *msglabel );

    Parameters

    cred

    Subject credential

    msqptr

    The message queue the message will be placed in

    msqlabel

    The label of the message queue

    msgptr

    The message

    msglabel

    The label of the message

    Label the message as it is placed in the message queue.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy System V message label

    Declaration

    Objective-C

    typedef void mpo_sysvmsg_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a System V message label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize System V message label

    Declaration

    Objective-C

    typedef void mpo_sysvmsg_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize the label for a newly instantiated System V message.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Clean up a System V message label

    Declaration

    Objective-C

    typedef void mpo_sysvmsg_label_recycle_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Clean up a System V message label. Darwin pre-allocates messages at system boot time and re-uses them rather than allocating new ones. Before messages are returned to the "free pool", policies can cleanup or overwrite any information present in the label.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for System V message enqueuing

    Declaration

    Objective-C

    typedef int mpo_sysvmsq_check_enqueue_t( kauth_cred_t cred, struct msg *msgptr, struct label *msglabel, struct msqid_kernel *msqptr, struct label *msqlabel );

    Parameters

    cred

    Subject credential

    msgptr

    The message

    msglabel

    The message's label

    msqptr

    The message queue

    msqlabel

    The message queue's label

    Determine whether the subject identified by the credential can add the given message to the given message queue.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for System V message reception

    Declaration

    Objective-C

    typedef int mpo_sysvmsq_check_msgrcv_t( kauth_cred_t cred, struct msg *msgptr, struct label *msglabel );

    Parameters

    cred

    The credential of the intended recipient

    msgptr

    The message

    msglabel

    The message's label

    Determine whether the subject identified by the credential can receive the given message.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for System V message queue removal

    Declaration

    Objective-C

    typedef int mpo_sysvmsq_check_msgrmid_t( kauth_cred_t cred, struct msg *msgptr, struct label *msglabel );

    Parameters

    cred

    The credential of the caller

    msgptr

    The message

    msglabel

    The message's label

    System V message queues are removed using the msgctl() system call. The system will iterate over each message in the queue, calling this function for each, to determine whether the caller has the appropriate credentials.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for msgctl()

    Declaration

    Objective-C

    typedef int mpo_sysvmsq_check_msqctl_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel, int cmd );

    Parameters

    cred

    The credential of the caller

    msqptr

    The message queue

    msqlabel

    The message queue's label

    cmd

    Control operation to be performed; see msgctl(2)

    This access check is performed to validate calls to msgctl().

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check to get a System V message queue

    Declaration

    Objective-C

    typedef int mpo_sysvmsq_check_msqget_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel );

    Parameters

    cred

    The credential of the caller

    msqptr

    The message queue requested

    msqlabel

    The message queue's label

    On a call to msgget(), if the queue requested already exists, and it is a public queue, this check will be performed before the queue's ID is returned to the user.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check to receive a System V message from the given queue

    Declaration

    Objective-C

    typedef int mpo_sysvmsq_check_msqrcv_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel );

    Parameters

    cred

    The credential of the caller

    msqptr

    The message queue to receive from

    msqlabel

    The message queue's label

    On a call to msgrcv(), this check is performed to determine whether the caller has receive rights on the given queue.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check to send a System V message to the given queue

    Declaration

    Objective-C

    typedef int mpo_sysvmsq_check_msqsnd_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel );

    Parameters

    cred

    The credential of the caller

    msqptr

    The message queue to send to

    msqlabel

    The message queue's label

    On a call to msgsnd(), this check is performed to determine whether the caller has send rights on the given queue.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create a System V message queue label

    Declaration

    Objective-C

    typedef void mpo_sysvmsq_label_associate_t( kauth_cred_t cred, struct msqid_kernel *msqptr, struct label *msqlabel );

    Parameters

    cred

    Subject credential

    msqptr

    The message queue

    msqlabel

    The label of the message queue

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy System V message queue label

    Declaration

    Objective-C

    typedef void mpo_sysvmsq_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a System V message queue label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize System V message queue label

    Declaration

    Objective-C

    typedef void mpo_sysvmsq_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize the label for a newly instantiated System V message queue.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Clean up a System V message queue label

    Declaration

    Objective-C

    typedef void mpo_sysvmsq_label_recycle_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Clean up a System V message queue label. Darwin pre-allocates message queues at system boot time and re-uses them rather than allocating new ones. Before message queues are returned to the "free pool", policies can clean up or overwrite any information present in the label.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for System V semaphore control operation

    Declaration

    Objective-C

    typedef int mpo_sysvsem_check_semctl_t( kauth_cred_t cred, struct semid_kernel *semakptr, struct label *semaklabel, int cmd );

    Parameters

    cred

    Subject credential

    semakptr

    Pointer to semaphore identifier

    semaklabel

    Label associated with semaphore

    cmd

    Control operation to be performed; see semctl(2)

    Determine whether the subject identified by the credential can perform the operation indicated by cmd on the System V semaphore semakptr.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for obtaining a System V semaphore

    Declaration

    Objective-C

    typedef int mpo_sysvsem_check_semget_t( kauth_cred_t cred, struct semid_kernel *semakptr, struct label *semaklabel );

    Parameters

    cred

    Subject credential

    semakptr

    Pointer to semaphore identifier

    semaklabel

    Label to associate with the semaphore

    Determine whether the subject identified by the credential can obtain a System V semaphore.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for System V semaphore operations

    Declaration

    Objective-C

    typedef int mpo_sysvsem_check_semop_t( kauth_cred_t cred, struct semid_kernel *semakptr, struct label *semaklabel, size_t accesstype );

    Parameters

    cred

    Subject credential

    semakptr

    Pointer to semaphore identifier

    semaklabel

    Label associated with the semaphore

    accesstype

    Flags to indicate access (read and/or write)

    Determine whether the subject identified by the credential can perform the operations on the System V semaphore indicated by semakptr. The accesstype flags hold the maximum set of permissions from the sem_op array passed to the semop system call. It may contain SEM_R for read-only operations or SEM_A for read/write operations.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create a System V semaphore label

    Declaration

    Objective-C

    typedef void mpo_sysvsem_label_associate_t( kauth_cred_t cred, struct semid_kernel *semakptr, struct label *semalabel );

    Parameters

    cred

    Subject credential

    semakptr

    The semaphore being created

    semalabel

    Label to associate with the new semaphore

    Label a new System V semaphore. The label was previously initialized and associated with the semaphore. At this time, an appropriate initial label value should be assigned to the object and stored in semalabel.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy System V semaphore label

    Declaration

    Objective-C

    typedef void mpo_sysvsem_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a System V semaphore label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize System V semaphore label

    Declaration

    Objective-C

    typedef void mpo_sysvsem_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize the label for a newly instantiated System V semaphore. Sleeping is permitted.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Clean up a System V semaphore label

    Declaration

    Objective-C

    typedef void mpo_sysvsem_label_recycle_t( struct label *label );

    Parameters

    label

    The label to be cleaned

    Clean up a System V semaphore label. Darwin pre-allocates semaphores at system boot time and re-uses them rather than allocating new ones. Before semaphores are returned to the "free pool", policies can clean up or overwrite any information present in the label.

    Availability

    Available in OS X v10.5 through OS X v10.5.
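
    The lifecycle the sysvsem entries above describe (init, associate, recycle, destroy) together with the accesstype rule of mpo_sysvsem_check_semop_t, as an added example that is not part of mac_policy.h or of any Apple policy module; the msq and shm families follow the same pattern. The kernel types (struct label, kauth_cred_t, struct semid_kernel, struct sembuf) are replaced by stand-ins so the file builds in user space, the slot index is a constant standing in for the slot a policy is assigned at registration, and the owner-only-may-alter rule is the example's own.

```c
/* Added example, not code from mac_policy.h: a label-based policy for System V
 * semaphores built on the mpo_sysvsem_* entry points documented above. Kernel
 * types are replaced by user-space stand-ins so the file builds on its own. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define SEM_A 0200   /* alter permission, as in <sys/sem.h> */
#define SEM_R 0400   /* read permission,  as in <sys/sem.h> */
#define MAC_MAX_SLOTS 7

struct label { void *l_perpolicy[MAC_MAX_SLOTS]; };        /* stand-in */
struct ucred_stub { unsigned int cr_uid; };                /* stand-in */
typedef struct ucred_stub *kauth_cred_t;                   /* stand-in */
struct semid_kernel { int unused; };                       /* stand-in */
struct sembuf { unsigned short sem_num; short sem_op; short sem_flg; };

static int example_slot = 0;   /* slot assigned to this policy at registration */

struct sem_policy_data {       /* policy-private data hung off each label */
    unsigned int owner_uid;    /* uid of the subject that created the object */
    int created;               /* 0 until label_associate has run */
};

/* mpo_sysvsem_label_init_t: allocate generic storage (sleeping allowed). */
static void example_sysvsem_label_init(struct label *label)
{
    label->l_perpolicy[example_slot] = calloc(1, sizeof(struct sem_policy_data));
}

/* mpo_sysvsem_label_associate_t: make the label specific to this object. */
static void example_sysvsem_label_associate(kauth_cred_t cred,
        struct semid_kernel *semakptr, struct label *semalabel)
{
    struct sem_policy_data *d = semalabel->l_perpolicy[example_slot];
    if (d == NULL)
        return;
    d->owner_uid = cred->cr_uid;
    d->created = 1;
}

/* mpo_sysvsem_label_recycle_t: scrub before the object returns to the
 * boot-time free pool, so the next user never inherits a stale owner. */
static void example_sysvsem_label_recycle(struct label *label)
{
    struct sem_policy_data *d = label->l_perpolicy[example_slot];
    if (d != NULL)
        memset(d, 0, sizeof(*d));
}

/* mpo_sysvsem_label_destroy_t: release what init allocated. */
static void example_sysvsem_label_destroy(struct label *label)
{
    free(label->l_perpolicy[example_slot]);
    label->l_perpolicy[example_slot] = NULL;
}

/* accesstype as the page describes it: the union over the sem_op array.
 * A sem_op of 0 only waits for zero (SEM_R); anything else alters (SEM_A). */
unsigned int example_semop_accesstype(const struct sembuf *sops, size_t nsops)
{
    unsigned int acc = 0;
    for (size_t i = 0; i < nsops; i++)
        acc |= (sops[i].sem_op == 0) ? SEM_R : SEM_A;
    return acc;
}

/* mpo_sysvsem_check_semop_t: anyone may wait-for-zero, only the creator may
 * alter. EACCES on a label mismatch; EPERM if the label was never associated. */
int example_sysvsem_check_semop(kauth_cred_t cred, struct semid_kernel *semakptr,
        struct label *semaklabel, size_t accesstype)
{
    struct sem_policy_data *d = semaklabel->l_perpolicy[example_slot];
    if (d == NULL || !d->created)
        return EPERM;
    if ((accesstype & SEM_A) && cred->cr_uid != d->owner_uid)
        return EACCES;
    return 0;
}

/* Constructed scenario: one semaphore through init -> associate -> semop
 * checks -> recycle -> destroy. Returns a bitmask of the expectations met. */
int example_sysvsem_scenario(void)
{
    struct label l = { { 0 } };
    struct semid_kernel sem = { 0 };
    struct ucred_stub owner = { 501 }, other = { 502 };
    struct sembuf alter[2] = { { 0, -1, 0 }, { 1, 1, 0 } };   /* decrement, increment */
    struct sembuf wait0[1] = { { 0, 0, 0 } };                 /* wait for zero */
    unsigned int acc_alter = example_semop_accesstype(alter, 2);   /* SEM_A */
    unsigned int acc_wait = example_semop_accesstype(wait0, 1);    /* SEM_R */
    int ok = 0;

    example_sysvsem_label_init(&l);
    if (example_sysvsem_check_semop(&owner, &sem, &l, SEM_R) == EPERM)      ok |= 1;
    example_sysvsem_label_associate(&owner, &sem, &l);
    if (example_sysvsem_check_semop(&owner, &sem, &l, acc_alter) == 0)      ok |= 2;
    if (example_sysvsem_check_semop(&other, &sem, &l, acc_alter) == EACCES) ok |= 4;
    if (example_sysvsem_check_semop(&other, &sem, &l, acc_wait) == 0)       ok |= 8;
    example_sysvsem_label_recycle(&l);
    if (example_sysvsem_check_semop(&owner, &sem, &l, SEM_R) == EPERM)      ok |= 16;
    example_sysvsem_label_destroy(&l);
    if (l.l_perpolicy[example_slot] == NULL)                                ok |= 32;
    return ok;   /* 63 when every step behaved as expected */
}
```

    The recycle hook is the step most often forgotten: because Darwin returns pre-allocated IPC objects to a free pool instead of destroying them, a label that is not scrubbed there carries the previous owner's policy state into whatever object is handed out next, and the check above would then grant alter rights to the wrong uid.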

  • Access control check for mapping System V shared memory

    Declaration

    Objective-C

    typedef int mpo_sysvshm_check_shmat_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg );

    Parameters

    cred

    Subject credential

    shmsegptr

    Pointer to shared memory segment identifier

    shmseglabel

    Label associated with the shared memory segment

    shmflg

    shmat flags; see shmat(2)

    Determine whether the subject identified by the credential can map the System V shared memory segment associated with shmsegptr.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for System V shared memory control operation

    Declaration

    Objective-C

    typedef int mpo_sysvshm_check_shmctl_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd );

    Parameters

    cred

    Subject credential

    shmsegptr

    Pointer to shared memory segment identifier

    shmseglabel

    Label associated with the shared memory segment

    cmd

    Control operation to be performed; see shmctl(2)

    Determine whether the subject identified by the credential can perform the operation indicated by cmd on the System V shared memory segment shmsegptr.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for unmapping System V shared memory

    Declaration

    Objective-C

    typedef int mpo_sysvshm_check_shmdt_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel );

    Parameters

    cred

    Subject credential

    shmsegptr

    Pointer to shared memory segment identifier

    shmseglabel

    Label associated with the shared memory segment

    Determine whether the subject identified by the credential can unmap the System V shared memory segment associated with shmsegptr.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for obtaining a System V shared memory identifier

    Declaration

    Objective-C

    typedef int mpo_sysvshm_check_shmget_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg );

    Parameters

    cred

    Subject credential

    shmsegptr

    Pointer to shared memory segment identifier

    shmseglabel

    Label associated with the shared memory segment

    shmflg

    shmget flags; see shmget(2)

    Determine whether the subject identified by the credential can get the System V shared memory segment address.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Create a System V shared memory region label

    Declaration

    Objective-C

    typedef void mpo_sysvshm_label_associate_t( kauth_cred_t cred, struct shmid_kernel *shmsegptr, struct label *shmlabel );

    Parameters

    cred

    Subject credential

    shmsegptr

    The shared memory region being created

    shmlabel

    Label to associate with the new shared memory region

    Label a new System V shared memory region. The label was previously initialized and associated with the shared memory region. At this time, an appropriate initial label value should be assigned to the object and stored in shmlabel.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy System V shared memory label

    Declaration

    Objective-C

    typedef void mpo_sysvshm_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a System V shared memory region label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize System V Shared Memory region label

    Declaration

    Objective-C

    typedef void mpo_sysvshm_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize the label for a newly instantiated System V Shared Memory region. Sleeping is permitted.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Clean up a System V Shared Memory Region label

    Declaration

    Objective-C

    typedef void mpo_sysvshm_label_recycle_t( struct label *shmlabel );

    Parameters

    shmlabel

    The label to be cleaned

    Clean up a System V Shared Memory Region label. Darwin pre-allocates these objects at system boot time and re-uses them rather than allocating new ones. Before the memory regions are returned to the "free pool", policies can clean up or overwrite any information present in the label.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Assign a label to a new kernelspace Mach task

    Declaration

    Objective-C

    typedef void mpo_task_label_associate_kernel_t( struct task *kproc, struct label *tasklabel, struct label *portlabel );

    Parameters

    kproc

    New task

    tasklabel

    Label for new task

    portlabel

    Label for new task port

    Discussion

    Assign labels to a new kernel task and its task port. Both the task and task port labels should be specified. Both new labels are initialized. If there is an associated BSD process structure, it will be labelled with calls to mpo_cred_label_associate_kernel.

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_cred_label_associate_kernel_t

  • Assign a label to a new (userspace) Mach task

    Declaration

    Objective-C

    typedef void mpo_task_label_associate_t( struct task *parent, struct task *child, struct label *parentlabel, struct label *childlabel, struct label *childportlabel );

    Parameters

    parent

    Parent task

    child

    New (child) task

    parentlabel

    Label of parent task

    childlabel

    Label for new task

    childportlabel

    Label for new task's task port

    Assign labels to a new task and its task port. Both the task and task port labels should be specified. Both new labels are initialized. If the task will have an associated BSD process, that information will be made available by the task_label_update and port_label_update_cred entry points.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Copy a Mach task label

    Declaration

    Objective-C

    typedef void mpo_task_label_copy_t( struct label *src, struct label *dest );

    Parameters

    src

    Source task label

    dest

    Destination task label

    Copy the Mach task label information from src to dest. This is used when duplicating label handles to implement copy-on-write semantics.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy Mach task label

    Declaration

    Objective-C

    typedef void mpo_task_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a Mach task label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Externalize a task label

    Declaration

    Objective-C

    typedef int mpo_task_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );

    Parameters

    label

    Label to be externalized

    element_name

    Name of the label namespace for which labels should be externalized

    sb

    String buffer to be filled with a text representation of the label

    Produce an external representation of the label on a task. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

    Return Value

    0 on success; otherwise return non-zero if an error occurs while externalizing the label data.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize Mach task label

    Declaration

    Objective-C

    typedef void mpo_task_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize the label for a newly instantiated Mach task. Sleeping is permitted.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Internalize a task label

    Declaration

    Objective-C

    typedef int mpo_task_label_internalize_t( struct label *label, char *element_name, char *element_data );

    Parameters

    label

    Label to be internalized

    element_name

    Name of the label namespace for which the label should be internalized

    element_data

    Text data to be internalized

    Produce a task label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward the text version to the kernel for processing by individual policy modules.

    The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

    Return Value

    0 on success; otherwise return non-zero if an error occurs while internalizing the label data.

    Availability

    Available in OS X v10.5 through OS X v10.5.
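
    A worked externalize/internalize pair for the two task label entries above, added here as an example and not code from mac_policy.h or from any Apple policy module. The text form "<level>:<hex-mask>", the bounded struct sbuf stand-in, the policy name "example" and the level limit are all assumptions of this example. The part worth copying is the validation in internalize: element_data is text that a user space tool forwarded to the kernel, so the label is only modified once the whole string has been accepted.

```c
/* Added example, not code from mac_policy.h: externalize/internalize for a
 * task label whose policy data is a level and a category mask, written as
 * "<level>:<hex-mask>" (a format chosen for this example). struct sbuf is a
 * bounded stand-in for the kernel's; the validation in internalize is the
 * point, since element_data arrives from user space. */
#include <ctype.h>
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAC_MAX_SLOTS 7
#define EXAMPLE_MAX_LEVEL 7
struct label { void *l_perpolicy[MAC_MAX_SLOTS]; };            /* stand-in */
struct sbuf { char s_buf[64]; size_t s_len; int s_error; };    /* stand-in */

static int example_slot = 0;                          /* slot assigned at registration */
static const char *example_policy_name = "example";   /* this policy's label namespace */

struct task_policy_data { unsigned level; unsigned long cats; };

/* Append formatted text to the stand-in sbuf; flag an error rather than overflow. */
static int example_sbuf_printf(struct sbuf *sb, const char *fmt, ...)
{
    size_t room = sizeof sb->s_buf - sb->s_len;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(sb->s_buf + sb->s_len, room, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= room) {
        sb->s_error = ENOMEM;
        return -1;
    }
    sb->s_len += (size_t)n;
    return 0;
}

/* mpo_task_label_externalize_t: write this policy's element into sb. */
int example_task_label_externalize(struct label *label, char *element_name, struct sbuf *sb)
{
    struct task_policy_data *d = label->l_perpolicy[example_slot];
    if (strcmp(element_name, example_policy_name) != 0)
        return 0;            /* another policy's namespace: contribute nothing */
    if (d == NULL)
        return EINVAL;
    return example_sbuf_printf(sb, "%u:%lx", d->level, d->cats) == 0 ? 0 : ENOMEM;
}

/* mpo_task_label_internalize_t: parse untrusted text; touch the label only
 * after the whole string has been validated. */
int example_task_label_internalize(struct label *label, char *element_name, char *element_data)
{
    struct task_policy_data *d = label->l_perpolicy[example_slot];
    unsigned long level, cats;
    char *p = element_data, *end;

    if (d == NULL || strcmp(element_name, example_policy_name) != 0)
        return EINVAL;       /* the framework should not call us otherwise; stay defensive */
    if (p == NULL || !isdigit((unsigned char)*p))
        return EINVAL;       /* rejects "", leading whitespace and signs */
    errno = 0;
    level = strtoul(p, &end, 10);
    if (errno != 0 || *end != ':' || level > EXAMPLE_MAX_LEVEL)
        return EINVAL;
    p = end + 1;
    if (!isxdigit((unsigned char)*p))
        return EINVAL;
    errno = 0;
    cats = strtoul(p, &end, 16);
    if (errno != 0 || *end != '\0')
        return EINVAL;       /* trailing garbage */
    d->level = (unsigned)level;
    d->cats = cats;
    return 0;
}

/* Constructed scenario: round trip one label, then feed internalize malformed
 * input and confirm the label is left untouched. Bitmask of expectations met. */
int example_task_label_scenario(void)
{
    struct task_policy_data src = { 2, 0x5 }, dst = { 0, 0 };
    struct label lsrc = { { 0 } }, ldst = { { 0 } };
    struct sbuf sb = { { 0 }, 0, 0 };
    int ok = 0;
    lsrc.l_perpolicy[example_slot] = &src;
    ldst.l_perpolicy[example_slot] = &dst;

    if (example_task_label_externalize(&lsrc, "example", &sb) == 0 && strcmp(sb.s_buf, "2:5") == 0) ok |= 1;
    if (example_task_label_internalize(&ldst, "example", sb.s_buf) == 0 && dst.level == 2 && dst.cats == 5) ok |= 2;
    if (example_task_label_internalize(&ldst, "example", "9:1") == EINVAL)     ok |= 4;  /* level out of range */
    if (example_task_label_internalize(&ldst, "example", "2:5junk") == EINVAL) ok |= 8;  /* trailing garbage */
    if (example_task_label_internalize(&ldst, "example", "-1:5") == EINVAL)    ok |= 16; /* sign rejected */
    if (dst.level == 2 && dst.cats == 5)                                        ok |= 32; /* untouched by bad input */
    if (example_task_label_externalize(&lsrc, "other", &sb) == 0 && sb.s_len == 3) ok |= 64; /* foreign namespace */
    return ok;   /* 127 when every expectation holds */
}
```

    Externalize returns 0 without writing when element_name is not this policy's namespace, so a policy-agnostic tool asking for several namespaces at once gets only the elements that belong to each policy; internalize keeps the same namespace test even though the page says the framework only calls it for registered namespaces, because the cost is one string compare and the downside of parsing another policy's text is a corrupted label.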

  • Update a Mach task label

    Declaration

    Objective-C

    typedef void mpo_task_label_update_t( struct label *cred, struct label *task );

    Parameters

    cred

    User credential label to be used as the source

    task

    Mach task label to be used as the destination

    Discussion

    Update the label on a Mach task, using the supplied user credential label. When a mac_cred_label_update_execve or a mac_cred_label_update operation causes the label on a user credential to change, the Mach task label also needs to be updated to reflect the change. Both labels are already valid (initialized and created).

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_cred_label_update_t
    mpo_cred_label_update_execve_t

  • Perform MAC-related events when a thread returns to user space

    Declaration

    Objective-C

    typedef void mpo_thread_userret_t( struct thread *thread );

    Parameters

    thread

    Mach (not BSD) thread that is returning

    This entry point permits policy modules to perform MAC-related events when a thread returns to user space, via a system call return or trap return.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Check vnode access

    Declaration

    Objective-C

    typedef int mpo_vnode_check_access_t( kauth_cred_t cred, struct vnode *vp, struct label *label, int acc_mode );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    label

    Label for vp

    acc_mode

    access(2) flags

    Determine how invocations of access(2) and related calls by the subject identified by the credential should return when performed on the passed vnode using the passed access flags. This should generally be implemented using the same semantics used in mpo_vnode_check_open.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for changing working directory

    Declaration

    Objective-C

    typedef int mpo_vnode_check_chdir_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel );

    Parameters

    cred

    Subject credential

    dvp

    Object; vnode to chdir(2) into

    dlabel

    Policy label for dvp

    Determine whether the subject identified by the credential can change the process working directory to the passed vnode.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for changing root directory

    Declaration

    Objective-C

    typedef int mpo_vnode_check_chroot_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp );

    Parameters

    cred

    Subject credential

    dvp

    Directory vnode

    dlabel

    Policy label associated with dvp

    cnp

    Component name for dvp

    Determine whether the subject identified by the credential should be allowed to chroot(2) into the specified directory (dvp).

    Return Value

    In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for creating vnode

    Declaration

    Objective-C

    typedef int mpo_vnode_check_create_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vnode_attr *vap );

    Parameters

    cred

    Subject credential

    dvp

    Directory vnode

    dlabel

    Policy label for dvp

    cnp

    Component name for dvp

    vap

    Attributes requested for the vnode being created

    Determine whether the subject identified by the credential can create a vnode with the passed parent directory, passed name information, and passed attribute information. This call may be made in a number of situations, including as a result of calls to open(2) with O_CREAT, mknod(2), mkfifo(2), and others.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for deleting extended attribute

    Declaration

    Objective-C

    typedef int mpo_vnode_check_deleteextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, const char *name );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    vlabel

    Label associated with vp

    name

    Extended attribute name

    Determine whether the subject identified by the credential can delete the extended attribute from the passed vnode.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for exchanging file data

    Declaration

    Objective-C

    typedef int mpo_vnode_check_exchangedata_t( kauth_cred_t cred, struct vnode *v1, struct label *vl1, struct vnode *v2, struct label *vl2 );

    Parameters

    cred

    Subject credential

    v1

    vnode 1 to swap

    vl1

    Policy label for v1

    v2

    vnode 2 to swap

    vl2

    Policy label for v2

    Determine whether the subject identified by the credential can swap the data in the two supplied vnodes.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for executing the vnode

    Declaration

    Objective-C

    typedef int mpo_vnode_check_exec_t( kauth_cred_t cred, struct vnode *vp, struct label *label, struct label *execlabel, /* NULLOK */ struct componentname *cnp, u_int *csflags, void *macpolicyattr, size_t macpolicyattrlen );

    Parameters

    cred

    Subject credential

    vp

    Object vnode to execute

    label

    Policy label for vp

    execlabel

    Userspace provided execution label

    cnp

    Component name for file being executed

    macpolicyattr

    MAC policy-specific spawn attribute data.

    macpolicyattrlen

    Length of policy-specific spawn attribute data.

    Determine whether the subject identified by the credential can execute the passed vnode. Determination of execute privilege is made separately from decisions about any process label transitioning event.

    The final label, execlabel, corresponds to a label supplied by a user space application through the use of the mac_execve system call. This label will be NULL if the user application uses the vendor execve(2) call instead of the MAC Framework mac_execve() call.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for retrieving file attributes

    Declaration

    Objective-C

    typedef int mpo_vnode_check_getattrlist_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, struct attrlist *alist );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    vlabel

    Policy label for vp

    alist

    List of attributes to retrieve

    Determine whether the subject identified by the credential can read various attributes of the specified vnode, or the filesystem or volume on which that vnode resides. See <sys/attr.h> for definitions of the attributes.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege. Access control covers all attributes requested with this call; the security policy is not permitted to change the set of attributes requested.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for retrieving an extended attribute

    Declaration

    Objective-C

    typedef int mpo_vnode_check_getextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *label, /* NULLOK */ const char *name, struct uio * uio /* NULLOK */ );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    label

    Policy label for vp

    name

    Extended attribute name

    uio

    I/O structure pointer

    Determine whether the subject identified by the credential can retrieve the extended attribute from the passed vnode. The uio parameter will be NULL when the getxattr(2) call has been made with a NULL data value; this is done to request the size of the data only.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for ioctl

    Declaration

    Objective-C

    typedef int mpo_vnode_check_ioctl_t( kauth_cred_t cred, struct vnode *vp, struct label *label, unsigned int cmd );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    label

    Policy label for vp

    cmd

    Device-dependent request code; see ioctl(2)

    Determine whether the subject identified by the credential can perform the ioctl operation indicated by cmd.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for vnode kqfilter

    Declaration

    Objective-C

    typedef int mpo_vnode_check_kqfilter_t( kauth_cred_t active_cred, kauth_cred_t file_cred, /* NULLOK */ struct knote *kn, struct vnode *vp, struct label *label );

    Parameters

    active_cred

    Subject credential

    file_cred

    Credential associated with the struct fileproc

    kn

    Object knote

    vp

    Object vnode

    label

    Policy label for vp

    Determine whether the subject identified by the credential can receive the knote on the passed vnode.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for relabel

    Declaration

    Objective-C

    typedef int mpo_vnode_check_label_update_t( struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *newlabel );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    vnodelabel

    Existing policy label for vp

    newlabel

    Policy label update to later be applied to vp

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Discussion

    Determine whether the subject identified by the credential can relabel the passed vnode to the passed label update. If all policies permit the label change, the actual relabel entry point (mpo_vnode_label_update) will follow.

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_vnode_label_update_t

  • Access control check for creating link

    Declaration

    Objective-C

    typedef int mpo_vnode_check_link_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp );

    Parameters

    cred

    Subject credential

    dvp

    Directory vnode

    dlabel

    Policy label associated with dvp

    vp

    Link destination vnode

    label

    Policy label associated with vp

    cnp

    Component name for the link being created

    Determine whether the subject identified by the credential should be allowed to create a link to the vnode vp with the name specified by cnp.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for listing extended attributes

    Declaration

    Objective-C

    typedef int mpo_vnode_check_listextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    vlabel

    Policy label associated with vp

    Determine whether the subject identified by the credential can retrieve a list of named extended attributes from a vnode.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for lookup

    Declaration

    Objective-C

    typedef int mpo_vnode_check_lookup_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp );

    Parameters

    cred

    Subject credential

    dvp

    Object vnode

    dlabel

    Policy label for dvp

    cnp

    Component name being looked up

    Determine whether the subject identified by the credential can perform a lookup in the passed directory vnode for the passed name (cnp).

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for open

    Declaration

    Objective-C

    typedef int mpo_vnode_check_open_t( kauth_cred_t cred, struct vnode *vp, struct label *label, int acc_mode );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    label

    Policy label associated with vp

    acc_mode

    open(2) access mode

    Determine whether the subject identified by the credential can perform an open operation on the passed vnode with the passed access mode.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Availability

    Available in OS X v10.5 through OS X v10.5.
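
    The access entry above says access(2) should be decided with the same semantics as open, so one decision routine can serve both hooks. What follows is an added example, not code from mac_policy.h or from any Apple policy module: the kernel types are stand-ins, the level/clearance rule is illustrative, and it is an assumption of the example that the open hook receives its mode in the same R_OK/W_OK/X_OK bits that access(2) uses; the kernel's own encoding of acc_mode for open should be confirmed before reusing that mapping.

```c
/* Added example, not code from mac_policy.h: one read/write/execute decision
 * shared by the mpo_vnode_check_access_t and mpo_vnode_check_open_t hooks,
 * as the access entry above recommends. Kernel types are user-space stand-ins
 * and the level/clearance rule is illustrative, not any shipped policy. */
#include <errno.h>
#include <stddef.h>
#include <unistd.h>   /* R_OK, W_OK, X_OK: the access(2) flag bits */

#define MAC_MAX_SLOTS 7
struct label { void *l_perpolicy[MAC_MAX_SLOTS]; };                        /* stand-in */
struct ucred_stub { unsigned int cr_uid; int clearance; int privileged; }; /* stand-in */
typedef struct ucred_stub *kauth_cred_t;                                   /* stand-in */
struct vnode { int v_type; };                                              /* stand-in */

static int example_slot = 0;   /* slot assigned to this policy at registration */

struct vnode_policy_data { int level; };   /* sensitivity level of the object */

/* Shared decision. 0 = allow; EACCES = label mismatch; EPERM = the object
 * carries no label for this policy and the subject lacks the privilege to
 * touch unlabeled objects. The two errno values follow the page's suggestion. */
static int example_vnode_decide(kauth_cred_t cred, struct label *label, int acc_mode)
{
    struct vnode_policy_data *d = label ? label->l_perpolicy[example_slot] : NULL;
    if (d == NULL)
        return cred->privileged ? 0 : EPERM;
    if ((acc_mode & (R_OK | X_OK)) && cred->clearance < d->level)
        return EACCES;   /* no read-up: subject is below the object's level */
    if ((acc_mode & W_OK) && cred->clearance > d->level)
        return EACCES;   /* no write-down: subject would leak into a lower level */
    return 0;
}

/* mpo_vnode_check_access_t: acc_mode carries the access(2) flags. */
int example_vnode_check_access(kauth_cred_t cred, struct vnode *vp,
                               struct label *label, int acc_mode)
{
    (void)vp;
    return example_vnode_decide(cred, label, acc_mode);
}

/* mpo_vnode_check_open_t. Assumption: the open mode is presented here in the
 * same R_OK/W_OK/X_OK bits; confirm the kernel's encoding before reusing this. */
int example_vnode_check_open(kauth_cred_t cred, struct vnode *vp,
                             struct label *label, int acc_mode)
{
    (void)vp;
    return example_vnode_decide(cred, label, acc_mode);
}

/* Constructed scenario: a level-2 file, a cleared subject (level 2), a low
 * subject (level 1), a privileged subject, and an unlabeled file. Returns a
 * bitmask of the expectations met. */
int example_vnode_scenario(void)
{
    struct vnode_policy_data secret = { 2 };
    struct label lab = { { 0 } }, unlabeled = { { 0 } };
    struct vnode vp = { 0 };
    struct ucred_stub cleared = { 501, 2, 0 }, low = { 502, 1, 0 }, root = { 0, 0, 1 };
    int ok = 0;
    lab.l_perpolicy[example_slot] = &secret;

    if (example_vnode_check_access(&cleared, &vp, &lab, R_OK) == 0)        ok |= 1;
    if (example_vnode_check_open(&low, &vp, &lab, R_OK) == EACCES)         ok |= 2;  /* read-up */
    if (example_vnode_check_open(&low, &vp, &lab, W_OK | R_OK) == EACCES)  ok |= 4;  /* read-write needs both */
    if (example_vnode_check_open(&low, &vp, &lab, W_OK) == 0)              ok |= 8;  /* blind write-up */
    if (example_vnode_check_open(&cleared, &vp, &lab, W_OK | R_OK) == 0)   ok |= 16; /* same level */
    if (example_vnode_check_access(&low, &vp, &unlabeled, R_OK) == EPERM)  ok |= 32;
    if (example_vnode_check_access(&root, &vp, &unlabeled, R_OK) == 0)     ok |= 64;
    return ok;   /* 127 when every expectation holds */
}
```

    The two errno values are kept distinct on purpose: EACCES tells the caller that labels did not match, EPERM that the object had no label for this policy and the subject lacked the privilege to handle unlabeled objects, which is the distinction the Return Value text on these entries suggests. Strict no-write-down still permits a blind write-up (the low subject may open the level-2 file write-only); a policy that wants to forbid that adds a clearance-equals-level test on the W_OK branch.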

  • Access control check for read

    Declaration

    Objective-C

    typedef int mpo_vnode_check_read_t( kauth_cred_t active_cred, /* SUBJECT */ kauth_cred_t file_cred, /* NULLOK */ struct vnode *vp, /* OBJECT */ struct label * label /* LABEL */ );

    Parameters

    active_cred

    Subject credential

    file_cred

    Credential associated with the struct fileproc

    vp

    Object vnode

    label

    Policy label for vp

    Determine whether the subject identified by the credential can perform a read operation on the passed vnode. The active_cred holds the credentials of the subject performing the operation, and file_cred holds the credentials of the subject that originally opened the file.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for read directory

    Declaration

    Objective-C

    typedef int mpo_vnode_check_readdir_t( kauth_cred_t cred, /* SUBJECT */ struct vnode *dvp, /* OBJECT */ struct label * dlabel /* LABEL */ );

    Parameters

    cred

    Subject credential

    dvp

    Object directory vnode

    dlabel

    Policy label for dvp

    Determine whether the subject identified by the credential can perform a readdir operation on the passed directory vnode.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for read link

    Declaration

    Objective-C

    typedef int mpo_vnode_check_readlink_t( kauth_cred_t cred, struct vnode *vp, struct label *label );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    label

    Policy label for vp

    Determine whether the subject identified by the credential can perform a readlink operation on the passed symlink vnode. This call can be made in a number of situations, including an explicit readlink call by the user process, or as a result of an implicit readlink during a name lookup by the process.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for rename from

    Declaration

    Objective-C

    typedef int mpo_vnode_check_rename_from_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp );

    Parameters

    cred

    Subject credential

    dvp

    Directory vnode

    dlabel

    Policy label associated with dvp

    vp

    vnode to be renamed

    label

    Policy label associated with vp

    cnp

    Component name for vp

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Discussion

    Determine whether the subject identified by the credential should be allowed to rename the vnode vp to something else.

    Due to VFS locking constraints (to make sure proper vnode locks are held during this entry point), the vnode rename checks had to be split into two parts: rename_from and rename_to.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_vnode_check_rename_to_t

  • Access control check for rename to

    Declaration

    Objective-C

    typedef int mpo_vnode_check_rename_to_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, /* NULLOK */ struct label *label, /* NULLOK */ int samedir, struct componentname *cnp );

    Parameters

    cred

    Subject credential

    dvp

    Directory vnode

    dlabel

    Policy label associated with dvp

    vp

    Overwritten vnode

    label

    Policy label associated with vp

    samedir

    Boolean; 1 if the source and destination directories are the same

    cnp

    Destination component name

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Discussion

    Determine whether the subject identified by the credential should be allowed to rename to the vnode vp, into the directory dvp, or to the name represented by cnp. If there is no existing file to overwrite, vp and label will be NULL.

    Due to VFS locking constraints (to make sure proper vnode locks are held during this entry point), the vnode rename checks had to be split into two parts: rename_from and rename_to.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_vnode_check_rename_from_t
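
The two halves of the rename check described above, as an added example that is not code from this header or from Apple. It assumes a toy policy with a single integer level per label; the demo_ types stand in for the opaque struct label and kauth_cred_t, and demo_rename drives both entry points in the order the framework calls them, passing NULL for vp/label when nothing is overwritten:

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Stand-in types (assumption: the real struct label is opaque; a policy reads
 * its own data out of the slot the framework gives it). */
struct demo_label { int level; };
struct demo_cred  { struct demo_label lbl; };

/* Shape of mpo_vnode_check_rename_from_t: may cred remove vp's name from dvp? */
static int demo_check_rename_from(const struct demo_cred *cred,
                                  const struct demo_label *dlabel,
                                  const struct demo_label *label)
{
    if (cred->lbl.level != dlabel->level)
        return EACCES;          /* removing an entry modifies the directory */
    if (label->level > cred->lbl.level)
        return EACCES;          /* may not move an object it could not read */
    return 0;
}

/* Shape of mpo_vnode_check_rename_to_t: may cred create the destination name
 * in dvp and, when vp/label are non-NULL, replace the object already there? */
static int demo_check_rename_to(const struct demo_cred *cred,
                                const struct demo_label *dlabel,
                                const struct demo_label *label /* NULLOK */,
                                bool samedir)
{
    /* With samedir set, dvp is the directory rename_from already authorized;
     * a different destination directory needs its own write check. */
    if (!samedir && cred->lbl.level != dlabel->level)
        return EACCES;
    /* Overwriting is a deletion: apply the rule the unlink check would use. */
    if (label != NULL && label->level != cred->lbl.level)
        return EACCES;
    return 0;
}

/* Runs the two halves in the order the framework calls them. dst_obj < 0
 * means there is no existing file at the destination (vp and label NULL). */
static int demo_rename(int subj, int src_dir, int src_obj,
                       int dst_dir, int dst_obj, bool samedir)
{
    struct demo_cred cred = { { subj } };
    struct demo_label sdl = { src_dir }, sl = { src_obj };
    struct demo_label ddl = { dst_dir }, dl = { dst_obj };
    int err = demo_check_rename_from(&cred, &sdl, &sl);
    if (err != 0)
        return err;
    return demo_check_rename_to(&cred, &ddl, dst_obj < 0 ? NULL : &dl, samedir);
}
```

The point to take from the split is that rename_to must be prepared for a NULL vp and label, and that an overwrite is a deletion of the target, so the same reasoning as in the unlink check belongs there.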

  • Access control check for revoke

    Declaration

    Objective-C

    typedef int mpo_vnode_check_revoke_t( kauth_cred_t cred, struct vnode *vp, struct label *label );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    label

    Policy label for vp

    Determine whether the subject identified by the credential can revoke access to the passed vnode.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for select

    Declaration

    Objective-C

    typedef int mpo_vnode_check_select_t( kauth_cred_t cred, struct vnode *vp, struct label *label, int which );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    label

    Policy label for vp

    which

    The operation selected on: FREAD or FWRITE

    Determine whether the subject identified by the credential can select the vnode.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for setting file attributes

    Declaration

    Objective-C

    typedef int mpo_vnode_check_setattrlist_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, struct attrlist *alist );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    vlabel

    Policy label for vp

    alist

    List of attributes to set

    Determine whether the subject identified by the credential can set various attributes of the specified vnode, or the filesystem or volume on which that vnode resides. See <sys/attr.h> for definitions of the attributes.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege. Access control covers all attributes requested with this call.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for setting extended attribute

    Declaration

    Objective-C

    typedef int mpo_vnode_check_setextattr_t( kauth_cred_t cred, struct vnode *vp, struct label *label, const char *name, struct uio *uio );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    label

    Policy label for vp

    name

    Extended attribute name

    uio

    I/O structure pointer

    Determine whether the subject identified by the credential can set the extended attribute of passed name and passed namespace on the passed vnode. Policies implementing security labels backed into extended attributes may want to provide additional protections for those attributes. Additionally, policies should avoid making decisions based on the data referenced from uio, as there is a potential race condition between this check and the actual operation. The uio may also be NULL if a delete operation is being performed.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for setting flags

    Declaration

    Objective-C

    typedef int mpo_vnode_check_setflags_t( kauth_cred_t cred, struct vnode *vp, struct label *label, u_long flags );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    label

    Policy label for vp

    flags

    File flags; see chflags(2)

    Determine whether the subject identified by the credential can set the passed flags on the passed vnode.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for setting mode

    Declaration

    Objective-C

    typedef int mpo_vnode_check_setmode_t( kauth_cred_t cred, struct vnode *vp, struct label *label, mode_t mode );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    label

    Policy label for vp

    mode

    File mode; see chmod(2)

    Determine whether the subject identified by the credential can set the passed mode on the passed vnode.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for setting uid and gid

    Declaration

    Objective-C

    typedef int mpo_vnode_check_setowner_t( kauth_cred_t cred, struct vnode *vp, struct label *label, uid_t uid, gid_t gid );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    label

    Policy label for vp

    uid

    User ID

    gid

    Group ID

    Determine whether the subject identified by the credential can set the passed uid and passed gid as file uid and file gid on the passed vnode. The IDs may be set to (-1) to request no update.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for setting timestamps

    Declaration

    Objective-C

    typedef int mpo_vnode_check_setutimes_t( kauth_cred_t cred, struct vnode *vp, struct label *label, struct timespec atime, struct timespec mtime );

    Parameters

    cred

    Subject credential

    vp

    Object vnode

    label

    Policy label for vp

    atime

    Access time; see utimes(2)

    mtime

    Modification time; see utimes(2)

    Determine whether the subject identified by the credential can set the passed access and modification timestamps on the passed vnode.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for stat

    Declaration

    Objective-C

    typedef int mpo_vnode_check_stat_t( struct ucred *active_cred, struct ucred *file_cred, /* NULLOK */ struct vnode *vp, struct label *label );

    Parameters

    active_cred

    Subject credential

    file_cred

    Credential associated with the struct fileproc

    vp

    Object vnode

    label

    Policy label for vp

    Determine whether the subject identified by the credential can stat the passed vnode. See stat(2) for more information. The active_cred holds the credentials of the subject performing the operation, and file_cred holds the credentials of the subject that originally opened the file.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for truncate/ftruncate

    Declaration

    Objective-C

    typedef int mpo_vnode_check_truncate_t( kauth_cred_t active_cred, kauth_cred_t file_cred, /* NULLOK */ struct vnode *vp, struct label *label );

    Parameters

    active_cred

    Subject credential

    file_cred

    Credential associated with the struct fileproc

    vp

    Object vnode

    label

    Policy label for vp

    Determine whether the subject identified by the credential can perform a truncate operation on the passed vnode. The active_cred holds the credentials of the subject performing the operation, and file_cred holds the credentials of the subject that originally opened the file.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Access control check for deleting vnode

    Declaration

    Objective-C

    typedef int mpo_vnode_check_unlink_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp );

    Parameters

    cred

    Subject credential

    dvp

    Parent directory vnode

    dlabel

    Policy label for dvp

    vp

    Object vnode to delete

    label

    Policy label for vp

    cnp

    Component name for vp

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Discussion

    Determine whether the subject identified by the credential can delete a vnode from the passed parent directory and passed name information. This call may be made in a number of situations, including as a result of calls to unlink(2) and rmdir(2). Policies implementing this entry point should also implement mpo_vnode_check_rename_to to authorize deletion of objects as a result of being the target of a rename.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_vnode_check_rename_to_t

  • Access control check for write

    Declaration

    Objective-C

    typedef int mpo_vnode_check_write_t( kauth_cred_t active_cred, kauth_cred_t file_cred, /* NULLOK */ struct vnode *vp, struct label *label );

    Parameters

    active_cred

    Subject credential

    file_cred

    Credential associated with the struct fileproc

    vp

    Object vnode

    label

    Policy label for vp

    Determine whether the subject identified by the credential can perform a write operation on the passed vnode. The active_cred holds the credentials of the subject performing the operation, and file_cred holds the credentials of the subject that originally opened the file.

    Return Value

    Return 0 if access is granted, otherwise an appropriate value for errno should be returned. Suggested failure: EACCES for label mismatch or EPERM for lack of privilege.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.
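
The read, write, truncate and stat checks above all receive the same (active_cred, file_cred) pair. The following added example, which is not code from this header or from Apple, shows how a policy might consult both credentials. The demo_ types, the integer-level rule, the append_only flag and the demo_decide wrapper are assumptions made for the example; the real struct label and kauth_cred_t are opaque to a policy, which reads its own data through the label slot and the kauth API:

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in types for this example (assumption: a real policy keeps its data
 * in the slot the framework reserves inside the opaque struct label and
 * queries credentials through the kauth API rather than struct fields). */
struct demo_label { int level; bool append_only; };
struct demo_cred  { struct demo_label lbl; bool privileged; };

/* Shape shared by mpo_vnode_check_read_t, _write_t, _truncate_t and _stat_t:
 * active_cred is the subject performing the operation; file_cred is the
 * subject that opened the descriptor (NULLOK: absent for path-based calls). */
static int demo_vnode_check_io(const struct demo_cred *active_cred,
                               const struct demo_cred *file_cred,
                               const struct demo_label *vlabel,
                               bool is_write)
{
    /* Toy rule: reading needs subject level >= object level, writing needs
     * subject level <= object level (no read-up, no write-down). */
    if (!is_write && active_cred->lbl.level < vlabel->level)
        return EACCES;                      /* label mismatch */
    if (is_write && active_cred->lbl.level > vlabel->level)
        return EACCES;                      /* label mismatch */

    /* The opener's credential, when the framework supplies one, must satisfy
     * the same rule: a descriptor received from another process must not lend
     * the caller access that the process which opened the file did not have. */
    if (file_cred != NULL && file_cred != active_cred) {
        if (!is_write && file_cred->lbl.level < vlabel->level)
            return EACCES;
        if (is_write && file_cred->lbl.level > vlabel->level)
            return EACCES;
    }

    /* Writing (truncate included) to an append-only object needs privilege. */
    if (is_write && vlabel->append_only && !active_cred->privileged)
        return EPERM;                       /* lack of privilege */
    return 0;
}

/* Small wrapper so a case can be stated with plain integers;
 * opener_level < 0 means "no file_cred was supplied". */
static int demo_decide(int subj_level, bool subj_privileged, int opener_level,
                       int obj_level, bool append_only, bool is_write)
{
    struct demo_cred subj = { { subj_level, false }, subj_privileged };
    struct demo_cred opener = { { opener_level, false }, false };
    struct demo_label obj = { obj_level, append_only };
    return demo_vnode_check_io(&subj, opener_level < 0 ? NULL : &opener,
                               &obj, is_write);
}

int main(void)
{
    printf("read by level 2 of a level-1 object: %d\n",
           demo_decide(2, false, -1, 1, false, false));
    printf("write by level 2 to a level-1 object: %d\n",
           demo_decide(2, false, -1, 1, false, true));
    return 0;
}
```

The EACCES/EPERM split follows the suggested failure codes in the text: EACCES when the labels do not permit the operation, EPERM when the labels would but the subject lacks a privilege the object demands.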

  • Associate a vnode with a devfs entry

    Declaration

    Objective-C

    typedef void mpo_vnode_label_associate_devfs_t( struct mount *mp, struct label *mntlabel, struct devnode *de, struct label *delabel, struct vnode *vp, struct label *vlabel );

    Parameters

    mp

    Devfs mount point

    mntlabel

    Devfs mount point label

    de

    Devfs directory entry

    delabel

    Label associated with de

    vp

    vnode associated with de

    vlabel

    Label associated with vp

    Fill in the label (vlabel) for a newly created devfs vnode. The label is typically derived from the label on the devfs directory entry or the label on the filesystem, supplied as parameters.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Associate a label with a vnode

    Declaration

    Objective-C

    typedef int mpo_vnode_label_associate_extattr_t( struct mount *mp, struct label *mntlabel, struct vnode *vp, struct label *vlabel );

    Parameters

    mp

    File system mount point

    mntlabel

    File system mount point label

    vp

    Vnode to label

    vlabel

    Label associated with vp

    Attempt to retrieve label information for the vnode, vp, from the file system extended attribute store. The label should be stored in the supplied vlabel parameter. If a policy cannot retrieve an extended attribute, it is sometimes acceptable to fall back to using the mntlabel.

    If the policy requires vnodes to have a valid label elsewhere, it MUST NOT return anything other than temporary errors, and must always provide a valid label of some sort. Returning an error will cause vnode labeling to be retried at a later access. Failure to handle policy-centric errors internally (corrupt labels, etc.) will result in inaccessible files.

    Return Value

    In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Associate a file label with a vnode

    Declaration

    Objective-C

    typedef void mpo_vnode_label_associate_file_t( struct ucred *cred, struct mount *mp, struct label *mntlabel, struct fileglob *fg, struct label *label, struct vnode *vp, struct label *vlabel );

    Parameters

    cred

    User credential

    mp

    Fdesc mount point

    mntlabel

    Fdesc mount point label

    fg

    Fileglob structure

    label

    Policy label for fg

    vp

    Vnode to label

    vlabel

    Label associated with vp

    Associate label information for the vnode, vp, with the label of the open file descriptor described by fg. The label should be stored in the supplied vlabel parameter.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Associate a pipe label with a vnode

    Declaration

    Objective-C

    typedef void mpo_vnode_label_associate_pipe_t( struct ucred *cred, struct pipe *cpipe, struct label *pipelabel, struct vnode *vp, struct label *vlabel );

    Parameters

    cred

    User credential for the process that opened the pipe

    cpipe

    Pipe structure

    pipelabel

    Label associated with pipe

    vp

    Vnode to label

    vlabel

    Label associated with vp

    Associate label information for the vnode, vp, with the label of the pipe described by the pipe structure cpipe. The label should be stored in the supplied vlabel parameter.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Associate a POSIX semaphore label with a vnode

    Declaration

    Objective-C

    typedef void mpo_vnode_label_associate_posixsem_t( struct ucred *cred, struct pseminfo *psem, struct label *psemlabel, struct vnode *vp, struct label *vlabel );

    Parameters

    cred

    User credential for the process that created psem

    psem

    POSIX semaphore structure

    psemlabel

    Label associated with psem

    vp

    Vnode to label

    vlabel

    Label associated with vp

    Associate label information for the vnode, vp, with the label of the POSIX semaphore described by psem. The label should be stored in the supplied vlabel parameter.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Associate a POSIX shared memory label with a vnode

    Declaration

    Objective-C

    typedef void mpo_vnode_label_associate_posixshm_t( struct ucred *cred, struct pshminfo *pshm, struct label *pshmlabel, struct vnode *vp, struct label *vlabel );

    Parameters

    cred

    User credential for the process that created pshm

    pshm

    POSIX shared memory structure

    pshmlabel

    Label associated with pshm

    vp

    Vnode to label

    vlabel

    Label associated with vp

    Associate label information for the vnode, vp, with the label of the POSIX shared memory region described by pshm. The label should be stored in the supplied vlabel parameter.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Associate a label with a vnode

    Declaration

    Objective-C

    typedef void mpo_vnode_label_associate_singlelabel_t( struct mount *mp, struct label *mntlabel, struct vnode *vp, struct label *vlabel );

    Parameters

    mp

    File system mount point

    mntlabel

    File system mount point label

    vp

    Vnode to label

    vlabel

    Label associated with vp

    On non-multilabel file systems, set the label for a vnode. The label will most likely be based on the file system label.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Associate a socket label with a vnode

    Declaration

    Objective-C

    typedef void mpo_vnode_label_associate_socket_t( kauth_cred_t cred, socket_t so, struct label *solabel, struct vnode *vp, struct label *vlabel );

    Parameters

    cred

    User credential for the process that opened the socket

    so

    Socket structure

    solabel

    Label associated with so

    vp

    Vnode to label

    vlabel

    Label associated with vp

    Associate label information for the vnode, vp, with the label of the open socket described by the socket structure so. The label should be stored in the supplied vlabel parameter.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Copy a vnode label

    Declaration

    Objective-C

    typedef void mpo_vnode_label_copy_t( struct label *src, struct label *dest );

    Parameters

    src

    Source vnode label

    dest

    Destination vnode label

    Copy the vnode label information from src to dest. On Darwin, this is currently only necessary when executing interpreted scripts, but will later be used if vnode label externalization cannot be an atomic operation.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Destroy vnode label

    Declaration

    Objective-C

    typedef void mpo_vnode_label_destroy_t( struct label *label );

    Parameters

    label

    The label to be destroyed

    Destroy a vnode label. Since the object is going out of scope, policy modules should free any internal storage associated with the label so that it may be destroyed.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Externalize a vnode label for auditing

    Declaration

    Objective-C

    typedef int mpo_vnode_label_externalize_audit_t( struct label *label, char *element_name, struct sbuf *sb );

    Parameters

    label

    Label to be externalized

    element_name

    Name of the label namespace for which labels should be externalized

    sb

    String buffer to be filled with a text representation of the label

    Produce an external representation of the label on a vnode suitable for inclusion in an audit record. An externalized label consists of a text representation of the label contents that will be added to the audit record as part of a text token. Policy-agnostic user space tools will display this externalized version.

    Return Value

    0 on success, return non-zero if an error occurs while externalizing the label data.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Externalize a vnode label

    Declaration

    Objective-C

    typedef int mpo_vnode_label_externalize_t( struct label *label, char *element_name, struct sbuf *sb );

    Parameters

    label

    Label to be externalized

    element_name

    Name of the label namespace for which labels should be externalized

    sb

    String buffer to be filled with a text representation of the label

    Produce an external representation of the label on a vnode. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will display this externalized version.

    Return Value

    0 on success, return non-zero if an error occurs while externalizing the label data.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Initialize vnode label

    Declaration

    Objective-C

    typedef void mpo_vnode_label_init_t( struct label *label );

    Parameters

    label

    New label to initialize

    Initialize label storage for use with a newly instantiated vnode, or for temporary storage associated with the copying in or out of a vnode label. While it is necessary to allocate space for a kernel-resident vnode label, it is not yet necessary to link this vnode with persistent label storage facilities, such as extended attributes. Sleeping is permitted.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Internalize a vnode label

    Declaration

    Objective-C

    typedef int mpo_vnode_label_internalize_t( struct label *label, char *element_name, char *element_data );

    Parameters

    label

    Label to be internalized

    element_name

    Name of the label namespace for which the label should be internalized

    element_data

    Text data to be internalized

    Produce a vnode label from an external representation. An externalized label consists of a text representation of the label contents that can be used with user applications. Policy-agnostic user space tools will forward the text version to the kernel for processing by individual policy modules.

    The policy's internalize entry points will be called only if the policy has registered interest in the label namespace.

    Return Value

    0 on success. Otherwise, return non-zero if an error occurs while internalizing the label data.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.
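
The externalize and internalize entry points above, together with the label_associate_extattr entry point earlier in this section, are the points where label data crosses a trust boundary (user space text or bytes read back from an extended attribute). The following added example is not code from this header or from Apple: it assumes a toy label whose text form is "level:N", a hypothetical namespace name "demo", a demo_sbuf standing in for the kernel's struct sbuf, and a demo_xattr_result standing in for the outcome of the xattr read. It shows a strict parser and, in demo_associate_extattr, the caveat from the text: a missing attribute falls back to the mount label and a corrupt one is handled internally with a fail-closed label, while only a temporary I/O error is returned:

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_NS "demo"                /* hypothetical label namespace name */
#define DEMO_QUARANTINE_LEVEL 255     /* most restrictive level in this toy scheme */

struct demo_label { int level; };     /* stand-in for the opaque struct label */

/* Bounded text buffer standing in for the kernel's struct sbuf. */
struct demo_sbuf { char buf[64]; size_t len; };

/* Shape of mpo_vnode_label_externalize_t: text form is "level:N". */
static int demo_externalize(const struct demo_label *l, const char *element_name,
                            struct demo_sbuf *sb)
{
    if (strcmp(element_name, DEMO_NS) != 0)
        return 0;                                  /* not our namespace */
    int n = snprintf(sb->buf + sb->len, sizeof sb->buf - sb->len, "level:%d", l->level);
    if (n < 0 || (size_t)n >= sizeof sb->buf - sb->len)
        return ENOMEM;                             /* would have truncated */
    sb->len += (size_t)n;
    return 0;
}

/* Shape of mpo_vnode_label_internalize_t: strict parse of "level:N", no
 * whitespace, sign or trailing characters, value within range. */
static int demo_internalize(struct demo_label *l, const char *element_name,
                            const char *element_data)
{
    if (strcmp(element_name, DEMO_NS) != 0)
        return 0;
    if (strncmp(element_data, "level:", 6) != 0)
        return EINVAL;
    const char *digits = element_data + 6;
    if (*digits < '0' || *digits > '9')
        return EINVAL;
    char *end;
    long v = strtol(digits, &end, 10);
    if (*end != '\0' || v < 0 || v > DEMO_QUARANTINE_LEVEL)
        return EINVAL;                             /* malformed or out of range */
    l->level = (int)v;
    return 0;
}

/* Constructed stand-in for the result of reading the label xattr:
 * data == NULL with err == 0 means the attribute is absent. */
struct demo_xattr_result { const char *data; int err; };

/* Shape of mpo_vnode_label_associate_extattr_t, with the xattr lookup
 * result passed in place of the vnode. */
static int demo_associate_extattr(const struct demo_label *mntlabel,
                                  struct demo_xattr_result xr,
                                  struct demo_label *vlabel)
{
    if (xr.err != 0)
        return xr.err;        /* temporary failure: framework retries on next access */
    if (xr.data == NULL) {
        *vlabel = *mntlabel;  /* attribute absent: inherit the mount label */
        return 0;
    }
    if (demo_internalize(vlabel, DEMO_NS, xr.data) != 0) {
        /* Corrupt label: resolved internally with a fail-closed label instead of
         * returning EINVAL, which would leave the file permanently inaccessible. */
        vlabel->level = DEMO_QUARANTINE_LEVEL;
    }
    return 0;
}

/* Convenience wrappers: resulting level on success, -errno on failure. */
static int demo_associate_level(int mount_level, const char *data, int err)
{
    struct demo_label mnt = { mount_level }, v = { 0 };
    struct demo_xattr_result xr = { data, err };
    int rc = demo_associate_extattr(&mnt, xr, &v);
    return rc ? -rc : v.level;
}

static int demo_roundtrip(int level)
{
    struct demo_label in = { level }, out = { -1 };
    struct demo_sbuf sb = { {0}, 0 };
    int err = demo_externalize(&in, DEMO_NS, &sb);
    if (err == 0)
        err = demo_internalize(&out, DEMO_NS, sb.buf);
    return err ? -err : out.level;
}
```

Note that internalize is the only one of the three that may reject input, because its caller is user space asking for a relabel; associate_extattr must always leave a usable label behind.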

  • Clean up a vnode label

    Declaration

    Objective-C

    typedef void mpo_vnode_label_recycle_t( struct label *label );

    Parameters

    label

    The label to be cleaned for re-use

    Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but typically never frees them. Before vnodes are placed back on free lists for re-use, policies can clean up or overwrite any information present in the label.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Write a label to an extended attribute

    Declaration

    Objective-C

    typedef int mpo_vnode_label_store_t( kauth_cred_t cred, struct vnode *vp, struct label *vlabel, struct label *intlabel );

    Parameters

    cred

    Subject credential

    vp

    The vnode for which the label is being stored

    vlabel

    Label associated with vp

    intlabel

    The new label to store

    Store a new label in the extended attribute corresponding to the supplied vnode. The policy has already authorized the operation; this call must be implemented in order to perform the actual operation.

    Return Value

    In the event of an error, an appropriate value for errno should be returned, otherwise return 0 upon success.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Update vnode label from extended attributes

    Declaration

    Objective-C

    typedef int mpo_vnode_label_update_extattr_t( struct mount *mp, struct label *mntlabel, struct vnode *vp, struct label *vlabel, const char *name );

    Parameters

    mp

    File system mount point

    mntlabel

    Mount point label

    vp

    Vnode to label

    vlabel

    Label associated with vp

    name

    Name of the xattr

    Discussion

    When an extended attribute is updated via the Vendor attribute management functions, the MAC vnode label might also require an update. Policies should first determine if 'name' matches their xattr label name. If it does, the kernel has either replaced or removed the named extended attribute that was previously associated with the vnode. Normally labels should only be modified via MAC Framework label management calls, but sometimes the user space components will directly modify extended attributes. For example, 'cp', 'tar', etc. manage extended attributes in userspace, not the kernel.

    This entry point is called after the label update has occurred, so it cannot return a failure. However, the operation is preceded by the mpo_vnode_check_setextattr() access control check.

    If the vnode label needs to be updated the policy should return a non-zero value. The vnode label will be marked for re-association by the framework.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_vnode_check_setextattr_t
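
The setextattr check earlier in this section and the update_extattr notification above are the two places where a policy that keeps its label in an extended attribute has to recognise its own attribute name. The following added example is not code from this header or from Apple; the attribute name, the demo_ types and the integer-level rule are assumptions made for the example. It shows the two caveats from the text: the check never reads the data behind uio (it may change before the write), treats a NULL uio as a delete, and the notification returns non-zero only for the policy's own attribute so the framework re-associates the label:

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical name of the extended attribute in which this toy policy
 * persists its label. */
#define DEMO_LABEL_XATTR "com.example.demo-policy.label"

/* Stand-in types (assumption: the real struct label is opaque). */
struct demo_label { int level; bool stale; };
struct demo_cred  { struct demo_label lbl; bool privileged; };
struct demo_uio;  /* deliberately incomplete: the check never reads through it */

/* Shape of mpo_vnode_check_setextattr_t. */
static int demo_check_setextattr(const struct demo_cred *cred,
                                 const struct demo_label *vlabel,
                                 const char *name,
                                 const struct demo_uio *uio)
{
    bool deleting = (uio == NULL);     /* NULL uio: the attribute is being removed */

    if (strcmp(name, DEMO_LABEL_XATTR) == 0) {
        /* Our own label store. Removing it would leave the vnode unlabelled and
         * replacing it bypasses the relabel path, so hold both to privilege. */
        if (deleting)
            return EPERM;
        return cred->privileged ? 0 : EPERM;
    }
    /* Any other attribute is an ordinary write to the object. The decision
     * uses only the name and the labels; the bytes behind uio can change
     * between this check and the write, so they are never inspected. */
    if (cred->lbl.level != vlabel->level)
        return EACCES;
    return 0;
}

/* Shape of mpo_vnode_label_update_extattr_t: called after a userspace tool
 * (cp, tar, ...) replaced or removed the attribute directly. A non-zero
 * return asks the framework to re-associate the vnode label. */
static int demo_label_update_extattr(struct demo_label *vlabel, const char *name)
{
    if (strcmp(name, DEMO_LABEL_XATTR) != 0)
        return 0;                      /* not our attribute: label still valid */
    vlabel->stale = true;              /* cached label no longer trusted */
    return 1;
}

/* Wrappers so a case can be stated compactly. */
static int demo_setextattr_decision(int subj_level, bool privileged,
                                    int obj_level, const char *name, bool deleting)
{
    static const char placeholder;     /* any non-NULL pointer means "data supplied" */
    struct demo_cred cred = { { subj_level, false }, privileged };
    struct demo_label obj = { obj_level, false };
    const struct demo_uio *uio = deleting ? NULL : (const struct demo_uio *)&placeholder;
    return demo_check_setextattr(&cred, &obj, name, uio);
}

static int demo_update_decision(const char *name, bool *became_stale)
{
    struct demo_label obj = { 1, false };
    int rc = demo_label_update_extattr(&obj, name);
    *became_stale = obj.stale;
    return rc;
}
```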

  • Update a vnode label

    Declaration

    Objective-C

    typedef void mpo_vnode_label_update_t( kauth_cred_t cred, struct vnode *vp, struct label *vnodelabel, struct label *label );

    Parameters

    cred

    Subject credential

    vp

    The vnode to relabel

    vnodelabel

    Existing vnode label

    label

    New label to replace existing label

    Discussion

    The subject identified by the credential has previously requested and was authorized to relabel the vnode; this entry point allows policies to perform the actual relabel operation. Policies should update vnodelabel using the label stored in the label parameter.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

    See Also

    mpo_vnode_check_label_update_t

  • Create a new vnode, backed by extended attributes

    Declaration

    Objective-C

    typedef int mpo_vnode_notify_create_t( kauth_cred_t cred, struct mount *mp, struct label *mntlabel, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *vlabel, struct componentname *cnp );

    Parameters

    cred

    User credential for the creating process

    mp

    File system mount point

    mntlabel

    File system mount point label

    dvp

    Parent directory vnode

    dlabel

    Parent directory vnode label

    vp

    Newly created vnode

    vlabel

    Label to associate with the new vnode

    cnp

    Component name for vp

    Write out the label for the newly created vnode, most likely storing the results in a file system extended attribute. Most policies will derive the new vnode label using information from a combination of the subject (user) credential, the file system label, the parent directory label, and potentially the path name component.

    Return Value

    If the operation succeeds, store the new label in vlabel and return 0. Otherwise, return an appropriate errno value.

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Inform MAC policies that a vnode has been linked

    Declaration

    Objective-C

    typedef void mpo_vnode_notify_link_t( kauth_cred_t cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *vlabel, struct componentname *cnp );

    Parameters

    cred

    User credential for the renaming process

    dvp

    Parent directory for the destination

    dlabel

    Policy label for dvp

    vp

    Vnode that's being linked

    vlabel

    Policy label for vp

    cnp

    Component name for the destination

    Inform MAC policies that a vnode has been linked.

    Import Statement

Data Types

See the Overview section above for header-level documentation.

  • Declaration

    Objective-C

    typedef struct ucred *kauth_cred_t;

    Import Statement

    Availability

    Available in OS X v10.4 and later.

  • MAC policy handle type

    Declaration

    Objective-C

    typedef unsigned int mac_policy_handle_t;

    Discussion

    The MAC handle is used to uniquely identify a loaded policy within the MAC Framework.

    A variable of this type is set by mac_policy_register().

    Import Statement

    Availability

    Available in OS X v10.5 through OS X v10.5.

  • Mac policy configuration

    Declaration

    Objective-C

    /* XXX - reorder these for better alignment on 64bit platforms */
    struct mac_policy_conf {
        const char *mpc_name;              /** policy name */
        const char *mpc_fullname;          /** full name */
        const char **mpc_labelnames;       /** managed label namespaces */
        unsigned int mpc_labelname_count;  /** number of managed label namespaces */
        struct mac_policy_ops *mpc_ops;    /** operation vector */
        int mpc_loadtime_flags;            /** load time flags */
        int *mpc_field_off;                /** label slot */
        int mpc_runtime_flags;             /** run time flags */
        mpc_t mpc_list;                    /** List reference */
        void *mpc_data;                    /** module data */
    };

    Discussion

    This structure specifies the configuration information for a MAC policy module. A policy module developer must supply a short unique policy name, a more descriptive full name, a list of label namespaces and count, a pointer to the registered entry point operations, any load time flags, and optionally, a pointer to a label slot identifier.

    The Framework will update the runtime flags (mpc_runtime_flags) to indicate that the module has been registered.

    If the label slot identifier (mpc_field_off) is NULL, the Framework will not provide label storage for the policy. Otherwise, the Framework will store the label location (slot) in this field.

    The mpc_list field is used by the Framework and should not be modified by policies.

Constants

See the Overview section above for header-level documentation.

  • Declaration

    Objective-C

    #define _KAUTH_CRED_T
    #define MAC_NOWAIT 1
    #define MAC_WAITOK 0
    #define MPC_LOADTIME_BASE_POLICY 0x00000008
    #define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
    #define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
    #define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
    #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001

    Constants

    • _KAUTH_CRED_T

      _KAUTH_CRED_T

    • dummy

      dummy

    • MAC_NOWAIT

      MAC_NOWAIT

      Allocation operations may not block

      Rather than blocking, the allocator may return an error if memory is not immediately available. This type of allocation will not sleep, preserving locking semantics.

      Available in OS X v10.5 through OS X v10.5.

    • MAC_WAITOK

      MAC_WAITOK

      Allocation operations may block

      If memory is not immediately available, the allocation routine will block (typically sleeping) until memory is available.

      Available in OS X v10.5 through OS X v10.5.

    • MPC_LOADTIME_BASE_POLICY

      MPC_LOADTIME_BASE_POLICY

      Flag to indicate a base policy

      This flag indicates that the policy module is a base policy. Only one module can declare itself as base, otherwise the boot process will be halted.

      Available in OS X v10.5 through OS X v10.5.

    • MPC_LOADTIME_FLAG_LABELMBUFS

      MPC_LOADTIME_FLAG_LABELMBUFS

      Unsupported

      XXX This flag is not yet supported.

      Available in OS X v10.5 through OS X v10.5.

    • MPC_LOADTIME_FLAG_NOTLATE

      MPC_LOADTIME_FLAG_NOTLATE

      Flag to indicate registration preference

      This flag indicates that the policy module must be loaded and initialized early in the boot process. If the flag is specified, attempts to register the module following boot will be rejected. The flag may be used by policies that require pervasive labeling of all system objects, and cannot handle objects that have not been properly initialized by the policy.

      Available in OS X v10.5 through OS X v10.5.

    • MPC_LOADTIME_FLAG_UNLOADOK

      MPC_LOADTIME_FLAG_UNLOADOK

      Flag to indicate unload preference

      This flag indicates that the policy module may be unloaded. If this flag is not set, then the policy framework will reject requests to unload the module. This flag might be used by modules that allocate label state and are unable to free that state at runtime, or for modules that simply do not want to permit unload operations.

      Available in OS X v10.5 through OS X v10.5.

    • MPC_RUNTIME_FLAG_REGISTERED

      MPC_RUNTIME_FLAG_REGISTERED

      Policy registration flag

      This flag indicates that the policy module has been successfully registered with the TrustedBSD MAC Framework. The Framework will set this flag in the mpc_runtime_flags field of the policy's mac_policy_conf structure after registering the policy.

      Available in OS X v10.5 through OS X v10.5.

    Import Statement
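    The following is an added example, not code from mac_policy.h or from XNU: a small user-space model of how a policy fills in struct mac_policy_conf and of the registration rules this page documents for the load-time and run-time flags (a single base policy, MPC_LOADTIME_FLAG_NOTLATE refused after boot, MPC_LOADTIME_FLAG_LABELMBUFS unsupported, unload allowed only with MPC_LOADTIME_FLAG_UNLOADOK, the slot written through mpc_field_off, and MPC_RUNTIME_FLAG_REGISTERED set by the framework). The constants and field names mirror the declarations above; the struct mac_policy_ops stand-in, the demo_* functions, the fixed slot table and the error codes chosen are assumptions made for illustration. Where the real Framework is documented to halt boot on a second base policy, the model returns EEXIST instead.

```c
/* Added example: user-space model of mac_policy_conf registration rules.
 * Constants and field names follow mac_policy.h; the framework state and
 * the demo_* routines are constructed for illustration, not XNU code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MPC_LOADTIME_FLAG_NOTLATE    0x00000001
#define MPC_LOADTIME_FLAG_UNLOADOK   0x00000002
#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
#define MPC_LOADTIME_BASE_POLICY     0x00000008
#define MPC_RUNTIME_FLAG_REGISTERED  0x00000001

typedef unsigned int mac_policy_handle_t;

/* Stand-in for the real operation vector (assumption). */
struct mac_policy_ops { int (*policy_init)(void); };

struct mac_policy_conf {
    const char *mpc_name;             /* policy name */
    const char *mpc_fullname;         /* full name */
    const char **mpc_labelnames;      /* managed label namespaces */
    unsigned int mpc_labelname_count; /* number of managed label namespaces */
    struct mac_policy_ops *mpc_ops;   /* operation vector */
    int mpc_loadtime_flags;           /* load time flags */
    int *mpc_field_off;               /* label slot, or NULL for no label storage */
    int mpc_runtime_flags;            /* run time flags, owned by the framework */
    void *mpc_data;                   /* module data */
};

/* Constructed framework state: a fixed table of policy slots. */
#define DEMO_MAX_POLICIES 4
static struct mac_policy_conf *demo_policies[DEMO_MAX_POLICIES];
static int demo_base_policy_seen;
static int demo_boot_complete;

void demo_reset(void)
{
    unsigned int i;
    for (i = 0; i < DEMO_MAX_POLICIES; i++) demo_policies[i] = NULL;
    demo_base_policy_seen = 0;
    demo_boot_complete = 0;
}

/* Marks the end of boot: from now on NOTLATE policies are refused. */
void demo_mark_boot_complete(void) { demo_boot_complete = 1; }

int demo_policy_register(struct mac_policy_conf *mpc, mac_policy_handle_t *handlep)
{
    unsigned int slot;
    if (mpc == NULL || handlep == NULL || mpc->mpc_name == NULL || mpc->mpc_ops == NULL)
        return EINVAL;
    if (mpc->mpc_labelname_count > 0 && mpc->mpc_labelnames == NULL)
        return EINVAL;
    if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE) && demo_boot_complete)
        return EPERM;                        /* must be registered early in boot */
    if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS)
        return ENOTSUP;                      /* documented as not yet supported */
    if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_BASE_POLICY) && demo_base_policy_seen)
        return EEXIST;                       /* only one base policy is allowed */
    for (slot = 0; slot < DEMO_MAX_POLICIES; slot++)
        if (demo_policies[slot] == NULL) break;
    if (slot == DEMO_MAX_POLICIES)
        return ENOMEM;
    if (mpc->mpc_loadtime_flags & MPC_LOADTIME_BASE_POLICY)
        demo_base_policy_seen = 1;
    demo_policies[slot] = mpc;
    if (mpc->mpc_field_off != NULL)          /* label storage only when a slot pointer is given */
        *mpc->mpc_field_off = (int)slot;
    mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
    *handlep = slot;
    return 0;
}

int demo_policy_unregister(mac_policy_handle_t handle)
{
    struct mac_policy_conf *mpc;
    if (handle >= DEMO_MAX_POLICIES || demo_policies[handle] == NULL)
        return EINVAL;
    mpc = demo_policies[handle];
    if (!(mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK))
        return EBUSY;                        /* unload refused without UNLOADOK */
    if (mpc->mpc_loadtime_flags & MPC_LOADTIME_BASE_POLICY)
        demo_base_policy_seen = 0;
    mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
    demo_policies[handle] = NULL;
    return 0;
}

int main(void)
{
    int slot = -1;
    struct mac_policy_ops ops = { NULL };
    struct mac_policy_conf conf = { "demo", "Demo policy", NULL, 0, &ops,
        MPC_LOADTIME_BASE_POLICY | MPC_LOADTIME_FLAG_UNLOADOK, &slot, 0, NULL };
    mac_policy_handle_t handle = 0;
    int err;
    demo_reset();
    err = demo_policy_register(&conf, &handle);
    printf("register: err=%d handle=%u slot=%d registered=%d\n", err, handle, slot,
           (conf.mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) != 0);
    return err;
}
```

    A policy module would fill in the same fields and pass the structure to the real mac_policy_register(); the point of the model is that the mpc_runtime_flags and mpc_field_off fields are written by the framework, not by the module, and that the load-time flags a module chooses determine whether late registration and unload are accepted.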