security.defs Reference

Declared in
security.h

Overview

Included Headers

  • <mach/std_types.defs>

  • <mach/mach_types.defs>

Functions

See the Overview section above for header-level documentation.

mach_get_label

Retrieve a port label as a label handle

routine mach_get_label(
   task : ipc_space_t;
   port : mach_port_name_t;
   out label : mach_port_name_t);
Parameters
task

Issuer's task port

port

Port to query label from

label

Returned label handle

This call retrieves a new label handle for the specified port. If the port represents a label handle, KERN_INVALID_ARGUMENT is returned.

Return Value

Standard MiG return values (0 for success)

Availability
  • Available in OS X v10.5 and later.
Declared In
security.h

mach_get_label_text

Retrieve a port label in textual form

routine mach_get_label_text(
   task : ipc_space_t;
   name : mach_port_name_t;
   policies : labelstr_t;
   out label : labelstr_t);
Parameters
task

Issuer's task port

name

Port to query label from

policies

Comma-delimited list of policies to query

label

Returned label text

This call retrieves an externalized port label for the specified port, with respect to the specified policies. If the port represents a label handle, the returned label text refers to the stored label and not the access control label.

Return Value

Standard MiG return values (0 for success)

Availability
  • Available in OS X v10.5 and later.
Declared In
security.h

mach_get_task_label

Retrieve a task label as a label handle

routine mach_get_task_label(
   task : ipc_space_t;
   out label : mach_port_name_t);
Parameters
task

Target's task port

label

Returned label handle

This call retrieves the label handle of the specified task.

Return Value

Standard MiG return values (0 for success)

Availability
  • Available in OS X v10.5 and later.
Declared In
security.h

mach_get_task_label_text

Retrieve a task label in textual form

routine mach_get_task_label_text(
   task : ipc_space_t;
   policies : labelstr_t;
   out label : labelstr_t);
Parameters
task

Target's task port

policies

Comma-delimited list of policies to query

label

Returned label text

This call retrieves an externalized task label for the specified task, with respect to the specified policies.

Return Value

Standard MiG return values (0 for success)

Availability
  • Available in OS X v10.5 and later.
Declared In
security.h

mach_set_port_label

Relabel a port

routine mach_set_port_label(
   task : ipc_space_t;
   name : mach_port_name_t;
   label : labelstr_t);
Parameters
task

Task containing specified ports

name

Port to relabel

label

String representation of new label

This call attempts to relabel the specified port to the label specified. For label handles, it changes the access control label and not the stored label.

Return Value

Standard MiG return values (0 for success)

Availability
  • Available in OS X v10.5 and later.
Declared In
security.h

mac_check_service

Generic access control check

routine mac_check_service(
   task : ipc_space_t;
   subject : labelstr_t;
   object : labelstr_t;
   service : labelstr_t;
   perm : labelstr_t);
Parameters
task

Any task port

subject

Subject label in textual form

object

Object label in textual form

service

Service or object class name

perm

Permission, or method, within the specified service

This function provides a general way for a user process to query an arbitrary access control decision from the system's security policies. Currently, there are no standards for the format of the service and permission names.

Return Value

Standard MiG return values (0 for success)

Availability
  • Available in OS X v10.5 and later.
Declared In
security.h

mac_label_new

Create a new label handle

routine mac_label_new(
   task : ipc_space_t;
   out name : mach_port_name_t;
   label : labelstr_t);
Parameters
task

Task to receive new ports (usually caller's)

name

Returned label handle port

label

String representation of new label

Creates a new label handle, with the stored label defined by the given text. Any task may create a label handle with any valid label, not necessarily one that it has permission to access. A port right for the new label handle is inserted into the specified task. Possession of label handles should not imply any security properties.

Return Value

Standard MiG return values (0 for success)

Availability
  • Available in OS X v10.5 and later.
Declared In
security.h

mac_port_check_access

Generic access control check

routine mac_port_check_access(
   task : ipc_space_t;
   subject : mach_port_name_t;
   object : mach_port_name_t;
   service : labelstr_t;
   perm : labelstr_t);
Parameters
task

Task containing specified ports (usually caller's)

subject

Port containing subject label

object

Port containing object label

service

Service or object class name

perm

Permission, or method, within the specified service

This function provides a general way for a user process to query an arbitrary access control decision from the system's security policies. Currently, there are no standards for the format of the service and permission names. If any ports are label handles, the stored label is used. Otherwise, the access control labels are used.

Return Value

Standard MiG return values (0 for success)

Availability
  • Available in OS X v10.5 and later.
Declared In
security.h
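The entries for mach_get_label_text, mach_set_port_label, mac_label_new and mac_port_check_access all turn on one rule: a label handle carries a stored label that the query and check routines use, while relabelling and ordinary ports work on the access control label. The following is an added example, not Apple's code and not a call into the real Mach interface: it is a small user-space model of that rule, written so it compiles anywhere, with constructed port names, constructed label text of the form policy/value, and a constructed toy policy named "test". The 512-byte label size is an assumption about labelstr_t, not something this page states.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_PORTS 8
#define MODEL_LABEL_MAX 512  /* assumed size of labelstr_t; not stated on this page */

/* One entry of a simulated task's port name space. Every port has an access
 * control label; only label handles also carry a stored label. */
typedef struct {
    int in_use;
    int is_label_handle;
    char acl_label[MODEL_LABEL_MAX];
    char stored_label[MODEL_LABEL_MAX];
} model_port;

static model_port model_ports[MODEL_MAX_PORTS];

/* Allocate the next free name; names start at 1, 0 stands in for MACH_PORT_NULL. */
static int model_alloc(int is_label_handle, const char *acl, const char *stored)
{
    for (int i = 1; i < MODEL_MAX_PORTS; i++) {
        if (model_ports[i].in_use)
            continue;
        model_ports[i].in_use = 1;
        model_ports[i].is_label_handle = is_label_handle;
        snprintf(model_ports[i].acl_label, MODEL_LABEL_MAX, "%s", acl);
        snprintf(model_ports[i].stored_label, MODEL_LABEL_MAX, "%s", stored ? stored : "");
        return i;
    }
    return 0;
}

static int model_valid(int name)
{
    return name > 0 && name < MODEL_MAX_PORTS && model_ports[name].in_use;
}

/* An ordinary port whose access control label is acl. */
int model_port_new(const char *acl) { return model_alloc(0, acl, NULL); }

/* mac_label_new analogue: any caller may wrap any label text in a handle.
 * The handle port itself gets a constructed default access control label. */
int model_label_new(const char *label) { return model_alloc(1, "test/handle", label); }

/* mach_get_label_text analogue: a label handle reports its stored label,
 * every other port reports its access control label. NULL for a bad name. */
const char *model_get_label_text(int name)
{
    if (!model_valid(name))
        return NULL;
    return model_ports[name].is_label_handle ? model_ports[name].stored_label
                                             : model_ports[name].acl_label;
}

/* mach_set_port_label analogue: only the access control label changes, so a
 * label handle's stored label survives a relabel. Returns 0 on success. */
int model_set_port_label(int name, const char *label)
{
    if (!model_valid(name))
        return -1;
    snprintf(model_ports[name].acl_label, MODEL_LABEL_MAX, "%s", label);
    return 0;
}

/* Constructed toy policy "test": in service "file", a subject labelled
 * test/admin may do anything; any subject may "read" an object with its own label. */
static int model_policy_decide(const char *subj, const char *obj,
                               const char *service, const char *perm)
{
    if (strcmp(service, "file") != 0)
        return 0;
    if (strcmp(subj, "test/admin") == 0)
        return 1;
    return strcmp(perm, "read") == 0 && strcmp(subj, obj) == 0;
}

/* mac_port_check_access analogue: resolve both ports with the label-handle
 * rule, then consult the policy. 1 = allowed, 0 = denied, -1 = bad port name. */
int model_port_check_access(int subj, int obj, const char *service, const char *perm)
{
    const char *s = model_get_label_text(subj);
    const char *o = model_get_label_text(obj);
    if (s == NULL || o == NULL)
        return -1;
    return model_policy_decide(s, o, service, perm);
}

int main(void)
{
    int obj = model_port_new("test/user");       /* constructed label text */
    int handle = model_label_new("test/admin");  /* any task can mint this */

    printf("handle reports: %s\n", model_get_label_text(handle));
    model_set_port_label(handle, "test/user");
    printf("after relabel, handle still reports: %s\n", model_get_label_text(handle));
    /* The check answers "what would the policy say for these labels?"; it is
     * not evidence that the caller legitimately holds test/admin. */
    printf("user reads own object: %d\n", model_port_check_access(obj, obj, "file", "read"));
    printf("minted admin handle writes: %d\n", model_port_check_access(handle, obj, "file", "write"));
    return 0;
}
```

The last two lines of main are the practical caveat behind "Possession of label handles should not imply any security properties": because the check resolves a label handle to whatever stored label its creator chose, a verdict obtained with a caller-supplied handle as the subject describes the policy, not the caller's authority, so a service must not treat such a verdict as an authorization decision for the task that presented the handle.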

mac_port_check_service_obj

Generic access control check

routine mac_port_check_service_obj(
   task : ipc_space_t;
   subject : labelstr_t;
   object : mach_port_name_t;
   service : labelstr_t;
   perm : labelstr_t);
Parameters
task

Task containing specified ports (usually caller's)

subject

Subject label in textual form

object

Port containing object label

service

Service or object class name

perm

Permission, or method, within the specified service

This function provides a general way for a user process to query an arbitrary access control decision from the system's security policies. Currently, there are no standards for the format of the service and permission names. If the port is a label handle, the stored label is used. Otherwise, its access control label is used.

Return Value

Standard MiG return values (0 for success)

Availability
  • Available in OS X v10.5 and later.
Declared In
security.h

mac_request_label

Request a computed label

routine mac_request_label(
   task : ipc_space_t;
   subject : mach_port_name_t;
   object : mach_port_name_t;
   service : labelstr_t;
   out newlabel : mach_port_name_t);
Parameters
task

Task relative to which subject, object and newlabel are named (usually caller's)

subject

Port containing subject label

object

Port containing object label

service

Service or object class name

newlabel

Returned label handle port

Ask the loaded policies to compute a label based on the two input labels and the service name. There is currently no standard for the service name, or even what the input labels represent (Subject and parent object are only a suggestion). If any ports are label handles, the stored label is used. Otherwise, the access control labels are used. A new label handle is created to contain the computed label, and is stored into the specified task.

Return Value

Standard MiG return values (0 for success)

Availability
  • Available in OS X v10.5 and later.
Declared In
security.h