xref: /xnu-11215/bsd/sys/kern_debug.h (revision 5c2921b0)
1 /*
2  * Copyright (c) 2021 Apple Computer, Inc. All rights reserved.
3  *
4  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5  *
6  * This file contains Original Code and/or Modifications of Original Code
7  * as defined in and that are subject to the Apple Public Source License
8  * Version 2.0 (the 'License'). You may not use this file except in
9  * compliance with the License. The rights granted to you under the License
10  * may not be used to create, or enable the creation or redistribution of,
11  * unlawful or unlicensed copies of an Apple operating system, or to
12  * circumvent, violate, or enable the circumvention or violation of, any
13  * terms of an Apple operating system software license agreement.
14  *
15  * Please obtain a copy of the License at
16  * http://www.opensource.apple.com/apsl/ and read it before using this file.
17  *
18  * The Original Code and all software distributed under the License are
19  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23  * Please see the License for the specific language governing rights and
24  * limitations under the License.
25  *
26  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27  */
28 /*
29  * @OSF_COPYRIGHT@
30  */
31 
32 #ifndef _SYS_KERN_DEBUG_H_
33 #define _SYS_KERN_DEBUG_H_
34 
35 #include <mach/mach_types.h>
36 
37 #include <sys/types.h>
38 
39 __BEGIN_DECLS
40 
/*
 * A selector is just made of an index into syscall_rejection_masks,
 * with the exception of the highest bit, which indicates whether the
 * mask is to be added as an "allow" mask or a "deny" mask.
 *
 * "Highest bit" means the top bit of the 7-bit selector
 * (SYSCALL_REJECTION_SELECTOR_BITS), i.e. bit 6
 * (SYSCALL_REJECTION_IS_ALLOW_MASK), not bit 7 of the uint8_t that
 * carries it. Bit 7 lies outside SYSCALL_REJECTION_SELECTOR_MASK; how a
 * selector with bit 7 set is treated is not defined in this header.
 * syscall_rejection_masks itself is not declared in this header.
 */
typedef uint8_t syscall_rejection_selector_t;
47 
48 __END_DECLS
49 
/*
 * Selector bit layout (7 significant bits in a uint8_t):
 *   bit  6    : allow/deny tag (set = "allow", clear = "deny")
 *   bits 0..5 : index of the mask being added
 */

/* Tag bit marking a selector as an "allow" selector (0x40). */
#define SYSCALL_REJECTION_IS_ALLOW_MASK (1 << 6)
/* Number of selector bits that are not part of the index (the tag bit). */
#define SYSCALL_REJECTION_NON_MASK_BITS 1

/* Number of significant bits in a selector, tag bit included. */
#define SYSCALL_REJECTION_SELECTOR_BITS 7
/* All significant selector bits (0x7f). */
#define SYSCALL_REJECTION_SELECTOR_MASK ((1 << SYSCALL_REJECTION_SELECTOR_BITS) - 1)
/* Number of distinct index values a selector can encode (1 << 6 == 64). */
#define SYSCALL_REJECTION_SELECTOR_MASK_COUNT (1 << (SYSCALL_REJECTION_SELECTOR_BITS-SYSCALL_REJECTION_NON_MASK_BITS))

/* Index bits only: the selector mask with the tag bit cleared (0x3f). */
#define SYSCALL_REJECTION_INDEX_MASK       (SYSCALL_REJECTION_SELECTOR_MASK & ~(syscall_rejection_selector_t)(SYSCALL_REJECTION_IS_ALLOW_MASK))

/*
 * Build an "allow" or "deny" selector from an index.
 *
 * Neither macro range-checks or masks `sc`. ALLOW only ORs in the tag
 * bit and DENY is the identity, so the index must be below
 * SYSCALL_REJECTION_SELECTOR_MASK_COUNT: an index with bit 6 set passed
 * to DENY has the same value as an ALLOW selector (DENY(64) == ALLOW(0)).
 * NOTE(review): whether the consumer rejects out-of-range selectors is
 * not visible in this header - confirm in the implementation.
 */
#define SYSCALL_REJECTION_ALLOW(sc)     ((sc) | SYSCALL_REJECTION_IS_ALLOW_MASK)
#define SYSCALL_REJECTION_DENY(sc)      (sc)

/*
 * Predefined selector indices. The usage example in this header passes
 * SYSCALL_REJECTION_DENY(SYSCALL_REJECTION_ALL) first and then allows
 * individual selectors. Presumably NULL names an empty mask and ALL a
 * mask covering every call; the masks themselves are defined elsewhere.
 */
#define SYSCALL_REJECTION_NULL          0
#define SYSCALL_REJECTION_ALL           1
64 
/*
 * Flags for debug_syscall_reject_config (its `flags` argument).
 * The non-default values are distinct bits (1 and 2), so presumably they
 * can be OR-ed together - confirm in the implementation.
 */

/*
 * default (no special behavior)
 */
#define SYSCALL_REJECTION_FLAGS_DEFAULT 0

/*
 * force fatal: Hitting a denied syscall in this thread will always go
 * the fatal path, no matter what the global mode is set to.
 *
 * Without this flag the outcome of hitting a denied call depends on the
 * global mode, so a deny mask alone does not guarantee the fatal path.
 * The possible mode values are not defined in this header.
 */
#define SYSCALL_REJECTION_FLAGS_FORCE_FATAL 1

/*
 * once: Hitting a denied syscall or mach trap will be remembered for
 * the rest of the lifetime of this thread, and iff the once flag is
 * currently set, such a remembered system call/mach trap will never hit
 * again. (Note: This means that by removing the ONCE flag, all system
 * calls/mach traps will hit again).
 *
 * With ONCE set, only the first use of a denied call in a thread "hits";
 * later uses of the same call in that thread do not. What a call that no
 * longer hits does (presumably it proceeds normally) is not stated here.
 */
#define SYSCALL_REJECTION_FLAGS_ONCE           2
86 
87 #ifndef KERNEL
88 
89 __BEGIN_DECLS
90 
/* Request that the syscall rejection mask of the current thread be changed to the
 * one specified by the list of selectors provided, e.g.
 * syscall_rejection_selector_t selectors[] =
 *     { SYSCALL_REJECTION_DENY(SYSCALL_REJECTION_ALL),
 *       SYSCALL_REJECTION_ALLOW(MY_SELECTOR) };
 * ret = debug_syscall_reject_config(selectors, countof(selectors), SYSCALL_REJECTION_FLAGS_DEFAULT);
 *
 * selectors: array of selectors built with SYSCALL_REJECTION_ALLOW() /
 *            SYSCALL_REJECTION_DENY().
 * len:       number of entries in `selectors` (the example passes the
 *            element count, not a byte size).
 * flags:     one of the SYSCALL_REJECTION_FLAGS_* values.
 *
 * MY_SELECTOR and countof() in the example are placeholders; neither is
 * defined by this header. The configuration applies to the calling
 * thread only. The meaning of the return value, the order in which the
 * selectors are applied, and any limit on `len` are not documented in
 * this header - check the implementation before relying on them.
 */

int debug_syscall_reject_config(const syscall_rejection_selector_t *selectors, size_t len, uint64_t flags);

/* Compatibility with old interface. Takes no flags argument; presumably
 * equivalent to passing SYSCALL_REJECTION_FLAGS_DEFAULT - confirm. */
int debug_syscall_reject(const syscall_rejection_selector_t *selectors, size_t len);
103 
104 __END_DECLS
105 
106 #else /* KERNEL */
107 
108 #include <stdbool.h>
109 
110 #include <kern/bits.h>
111 
112 #include <sys/sysproto.h>
113 
114 __BEGIN_DECLS
115 
/* A rejection mask is handled as a pointer to bitmap_t words. */
typedef bitmap_t *syscall_rejection_mask_t;

/*
 * Kernel-side entry point with the (proc, args, retval) shape; by name it
 * backs the user-space debug_syscall_reject_config() declared in the
 * !KERNEL half of this header. The argument struct is not defined in this
 * file (presumably it comes from <sys/sysproto.h>).
 */
int sys_debug_syscall_reject_config(struct proc *p, struct debug_syscall_reject_config_args *args, int *ret);

/* Kernel-side entry point for the old debug_syscall_reject() interface. */
int debug_syscall_reject(struct proc *p, struct debug_syscall_reject_args *args, int *ret);

/*
 * Called with a syscall or mach trap number.
 * NOTE(review): the meaning of the bool result (e.g. "was rejected") and
 * the sign convention that separates syscalls from mach traps are not
 * visible in this header - confirm in the implementation.
 */
bool debug_syscall_rejection_handle(int syscall_mach_trap_number);

/* Resets the rejection mode; exact effect is defined in the implementation. */
void reset_debug_syscall_rejection_mode(void);

/*
 * Takes a thread plus a mach exception code/subcode pair; by name this is
 * the AST-time handler for a rejected call. NOTE(review): confirm what is
 * delivered to the thread and when.
 */
void rejected_syscall_guard_ast(thread_t thread, mach_exception_data_type_t code, mach_exception_data_type_t subcode);

/*
 * Presumably the "global mode" that the SYSCALL_REJECTION_FLAGS_FORCE_FATAL
 * comment refers to. Its values, and who may change it, are not defined in
 * this header.
 */
extern int debug_syscall_rejection_mode;
129 
130 __END_DECLS
131 
132 #endif /* KERNEL */
133 
134 #endif  /* _SYS_KERN_DEBUG_H_ */
135