1/*
2 * Copyright (c) 2006-2010 Apple Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23#ifndef _SANDBOX_H_
24#define _SANDBOX_H_
25
26#include <sys/cdefs.h>
27#include <stdint.h>
28#include <unistd.h>
29#include <mach/message.h>
30
31__BEGIN_DECLS
32/*
33 * @function sandbox_init
34 * Places the current process in a sandbox with a profile as
35 * specified. If the process is already in a sandbox, the new profile
36 * is ignored and sandbox_init() returns an error.
37 *
 * @param profile (input) The Sandbox profile to be used. The format
 * and meaning of this parameter depend on the `flags' parameter.
40 *
41 * @param flags (input) Must be SANDBOX_NAMED. All other
42 * values are reserved.
43 *
44 * @param errorbuf (output) In the event of an error, sandbox_init
45 * will set `*errorbuf' to a pointer to a NUL-terminated string
46 * describing the error. This string may contain embedded newlines.
47 * This error information is suitable for developers and is not
48 * intended for end users.
49 *
50 * If there are no errors, `*errorbuf' will be set to NULL. The
51 * buffer `*errorbuf' should be deallocated with `sandbox_free_error'.
52 *
53 * @result 0 on success, -1 otherwise.
54 */
55int sandbox_init(const char *profile, uint64_t flags, char **errorbuf);
56
57/*
58 * @define SANDBOX_NAMED The `profile' argument specifies a Sandbox
59 * profile named by one of the kSBXProfile* string constants.
60 */
61#define SANDBOX_NAMED 0x0001
62
63#ifdef __APPLE_API_PRIVATE
64
65/* The following flags are reserved for Mac OS X. Developers should not
66 * depend on their availability.
67 */
68
69/*
70 * @define SANDBOX_NAMED_BUILTIN The `profile' argument specifies the
71 * name of a builtin profile that is statically compiled into the
72 * system.
73 */
74#define SANDBOX_NAMED_BUILTIN 0x0002
75
76/*
 * @define SANDBOX_NAMED_EXTERNAL The `profile' argument specifies the
 * pathname of a Sandbox profile. The pathname may be abbreviated: if
 * the name does not start with a `/', it is treated as relative to
 * /usr/share/sandbox and a `.sb' suffix is appended.
81 */
82#define SANDBOX_NAMED_EXTERNAL 0x0003
83
84/*
 * @define SANDBOX_NAMED_MASK Mask for the name-type field of `flags':
 * 4 bits, 15 possible name types, 3 currently defined.
87 */
88#define SANDBOX_NAMED_MASK 0x000f
89
90#endif /* __APPLE_API_PRIVATE */
91
92/*
93 * Available Sandbox profiles.
94 */
95
96/* TCP/IP networking is prohibited. */
97extern const char kSBXProfileNoInternet[];
98
99/* All sockets-based networking is prohibited. */
100extern const char kSBXProfileNoNetwork[];
101
102/* File system writes are prohibited. */
103extern const char kSBXProfileNoWrite[];
104
105/* File system writes are restricted to temporary folders /var/tmp and
106 * confstr(_CS_DARWIN_USER_DIR, ...).
107 */
108extern const char kSBXProfileNoWriteExceptTemporary[];
109
110/* All operating system services are prohibited. */
111extern const char kSBXProfilePureComputation[];
112
113/*
114 * @function sandbox_free_error
115 * Deallocates an error string previously allocated by sandbox_init.
116 *
117 * @param errorbuf (input) The buffer to be freed. Must be a pointer
118 * previously returned by sandbox_init in the `errorbuf' argument, or NULL.
119 *
120 * @result void
121 */
122void sandbox_free_error(char *errorbuf);
123
124
125#ifdef __APPLE_API_PRIVATE
126
127/* The following definitions are reserved for Mac OS X. Developers should not
128 * depend on their availability.
129 */
130
131int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
132
133int sandbox_init_with_extensions(const char *profile, uint64_t flags, const char *const extensions[], char **errorbuf);
134
/*
 * Filter types accepted by sandbox_check() and
 * sandbox_check_by_audit_token() (declared below), where the value is
 * passed immediately before the trailing variadic arguments. It
 * presumably selects how those variadic argument(s) are interpreted --
 * confirm against the implementation. SANDBOX_CHECK_NO_REPORT (declared
 * below, weak_import) is a constant of this type.
 */
enum sandbox_filter_type {
	SANDBOX_FILTER_NONE,
	SANDBOX_FILTER_PATH,
	SANDBOX_FILTER_GLOBAL_NAME,
	SANDBOX_FILTER_LOCAL_NAME,
	SANDBOX_FILTER_APPLEEVENT_DESTINATION,
	SANDBOX_FILTER_RIGHT_NAME,
	SANDBOX_FILTER_DESCRIPTOR,
};
144
145extern const enum sandbox_filter_type SANDBOX_CHECK_NO_REPORT __attribute__((weak_import));
146
/*
 * Bit flags for file-system extensions. Each member is a distinct
 * single bit (FS_EXT_DEFAULTS is the empty set), so they may be OR'd
 * together. Presumably passed as the `flags' argument of
 * sandbox_issue_fs_extension() (declared below as uint64_t) -- confirm
 * against the implementation.
 */
enum sandbox_extension_flags {
	FS_EXT_DEFAULTS = 0,		/* no flags set */
	FS_EXT_FOR_PATH = (1 << 0),
	FS_EXT_FOR_FILE = (1 << 1),
	FS_EXT_READ = (1 << 2),
	FS_EXT_WRITE = (1 << 3),
	FS_EXT_PREFER_FILEID = (1 << 4),
};
155
156int sandbox_check(pid_t pid, const char *operation, enum sandbox_filter_type type, ...);
157int sandbox_check_by_audit_token(audit_token_t tok, const char* operation, enum sandbox_filter_type filt, ...);
158
159int sandbox_note(const char *note);
160
161int sandbox_suspend(pid_t pid);
162int sandbox_unsuspend(void);
163
164int sandbox_issue_extension(const char *path, char **ext_token);
165int sandbox_issue_fs_extension(const char *path, uint64_t flags, char **ext_token);
166int sandbox_issue_fs_rw_extension(const char *path, char **ext_token);
167int sandbox_issue_mach_extension(const char *name, char **ext_token);
168
169int sandbox_consume_extension(const char *path, const char *ext_token);
170int sandbox_consume_fs_extension(const char *ext_token, char **path);
171int sandbox_consume_mach_extension(const char *ext_token, char **name);
172
173int sandbox_release_fs_extension(const char *ext_token);
174
175int sandbox_container_path_for_pid(pid_t pid, char *buffer, size_t bufsize);
176
177int sandbox_wakeup_daemon(char **errorbuf);
178
179int sandbox_query_approval_policy_for_path(const char* query, const char* path, char **approval);
180
181const char *_amkrtemp(const char *);
182
183#endif /* __APPLE_API_PRIVATE */
184
185__END_DECLS
186#endif /* _SANDBOX_H_ */