Mac Developer Library

Developer

security.defs Reference

Options
Deployment Target:

On This Page

security.defs Reference

Included Headers

  • <mach/std_types.defs>

  • <mach/mach_types.defs>

Functions

  • Generic access control check

    Declaration

    routine mac_check_service( task : ipc_space_t; subject : labelstr_t; object : labelstr_t; service : labelstr_t; perm : labelstr_t);

    Parameters

    task

    Any task port

    subj

    subject label in textual form

    obj

    object label in textual form

    serv

    Service or object class name

    perm

    Permission, or method, within the specified service

    This function provides a general way for a user process to query an arbitrary access control decision from the system's security policies. Currently, there are no standards for the format of the service and permission names.

    Return Value

    Standard MiG return values (0 for success)

  • Create a new label handle

    Declaration

    routine mac_label_new( task : ipc_space_t; out name : mach_port_name_t; label : labelstr_t);

    Parameters

    task

    Task to receive new ports (usually caller's)

    name

    Returned label handle port

    label

    String representation of new label

    Creates a new label handle, with the stored label defined by the given text. Any task may create a label handle with any valid label, not necessarily one that it has permission to access. A port right for the new label handle is inserted into the specified task. Posession of label handles should not imply any security properties.

    Return Value

    Standard MiG return values (0 for success)

  • Generic access control check

    Declaration

    routine mac_port_check_access( task : ipc_space_t; subject : mach_port_name_t; object : mach_port_name_t; service : labelstr_t; perm : labelstr_t);

    Parameters

    task

    Task containing specified ports (usually caller's)

    subj

    port containing subject label

    obj

    port containing object label

    serv

    Service or object class name

    perm

    Permission, or method, within the specified service

    This function provides a general way for a user process to query an arbitrary access control decision from the system's security policies. Currently, there are no standards for the format of the service and permission names. If any ports are label handles, the stored label is used. Otherwise, the access control labels are used.

    Return Value

    Standard MiG return values (0 for success)

  • Generic access control check

    Declaration

    routine mac_port_check_service_obj( task : ipc_space_t; subject : labelstr_t; object : mach_port_name_t; service : labelstr_t; perm : labelstr_t);

    Parameters

    task

    Task containing specified ports (usually caller's)

    subj

    subject label in textual form

    obj

    port containing object label

    serv

    Service or object class name

    perm

    Permission, or method, within the specified service

    This function provides a general way for a user process to query an arbitrary access control decision from the system's security policies. Currently, there are no standards for the format of the service and permission names. If the port is a label handle, the stored label is used. Otherwise, its access control label is used.

    Return Value

    Standard MiG return values (0 for success)

  • Request a computed label

    Declaration

    routine mac_request_label( task : ipc_space_t; subject : mach_port_name_t; object : mach_port_name_t; service : labelstr_t; out newlabel : mach_port_name_t);

    Parameters

    task

    subj,obj,newlabel relative to this task (usually caller's)

    subj

    port containing subject label

    obj

    port containing object label

    serv

    Service or object class name

    newlabel

    Returned label handle port

    Ask the loaded policies to compute a label based on the two input labels and the service name. There is currently no standard for the service name, or even what the input labels represent (Subject and parent object are only a suggestion). If any ports are label handles, the stored label is used. Otherwise, the access control labels are used. A new label handle is created to contain the computed label, and is stored into the specified task.

    Return Value

    Standard MiG return values (0 for success)

  • Retrieve a port label as a label handle

    Declaration

    routine mach_get_label( task : ipc_space_t; port : mach_port_name_t; out label : mach_port_name_t);

    Parameters

    task

    Issuer's task port

    port

    Port to query label from

    label

    Returned label handle

    This call retrieves a new label handle for the specified port. If the port represents a label handle, KERN_INVALID_ARGUMENT is returned.

    Return Value

    Standard MiG return values (0 for success)

  • Retrieve a port label in textual form

    Declaration

    routine mach_get_label_text( task : ipc_space_t; name : mach_port_name_t; policies : labelstr_t; out label : labelstr_t);

    Parameters

    task

    Issuer's task port

    name

    Port to query label from

    policies

    Comma-delimited list of policies to query

    label

    Returned label text

    This call retrieves an externalized port label for the specified port, with respect to the specified policies. If the port represents a label handle, the returned label text refers to the stored label and not the access control label.

    Return Value

    Standard MiG return values (0 for success)

  • Retrieve a task label as a label handle

    Declaration

    routine mach_get_task_label( task : ipc_space_t; out label : mach_port_name_t);

    Parameters

    task

    Target's task port

    label

    Returned label handle

    This call retrieves the label handle of the specified task.

    Return Value

    Standard MiG return values (0 for success)

  • Retrieve a task label in textual form

    Declaration

    routine mach_get_task_label_text( task : ipc_space_t; policies : labelstr_t; out label : labelstr_t);

    Parameters

    task

    Target's task port

    policies

    Comma-delimited list of policies to query

    label

    Returned label text

    This call retrieves an externalized task label for the specified task, with respect to the specified policies.

    Return Value

    Standard MiG return values (0 for success)

  • Relabel a port

    Declaration

    routine mach_set_port_label( task : ipc_space_t; name : mach_port_name_t; label : labelstr_t);

    Parameters

    task

    Task containing specified ports

    name

    Port to relabel

    label

    String representation of new label

    This call attempts to relabel the specified port to the label specified. For label handles, it changes the access control label and not the stored label.

    Return Value

    Standard MiG return values (0 for success)