Reputation: 121
I am trying to develop a MAC (Mandatory Access Control) policy module where I am trying to implement the MAC API "mac_iokit_check_device". I am able to build a MAC policy module kext which implements the mac_iokit_check_device API and I am able to load the kext. But the driver kext which makes use of this policy module API has a problem. It is compiling properly, but it is unable to resolve the symbol "_mac_iokit_check_device". The dependency libraries of the driver kext that I have used are as below.
```xml
<key>OSBundleLibraries</key>
<dict>
    <key>com.apple.iokit.IOUSBFamily</key>
    <string>5.5.5</string>
    <key>com.apple.kpi.mach</key>
    <string>12.3</string>
    <key>com.apple.kpi.unsupported</key>
    <string>12.3</string>
    <key>com.apple.kpi.iokit</key>
    <string>12.3</string>
    <key>com.apple.kpi.libkern</key>
    <string>12.3</string>
    <key>com.apple.kpi.bsd</key>
    <string>12.3</string>
    <key>com.apple.kpi.dsep</key>
    <string>12.3</string>
</dict>
```
Curiously, none of the kpi libraries seems to define the symbol _mac_iokit_check_device. I inferred this by running the command

```sh
find /System/Library/Extensions/System.kext/PlugIns -type f |
    grep -v plist | xargs nm | sort | uniq | grep _mac_iokit_check_device
```

However, the kernel image seems to have the symbol, as inferred by

```sh
nm /mach_kernel | grep mac_iokit_check
```
Is there any way to solve this unresolved symbol issue in the driver kext? Any help/pointer in this issue would be greatly appreciated.
Upvotes: 1
Views: 854
Reputation: 7907
The reason why this isn't exported is because you're not supposed to use it. MACF exports the policy_register and unregister:

```
bash-3.2# nm /System/Library/Extensions/System.kext/PlugIns/MACFramework.kext/MACFramework | grep mac_po
         U _mac_policy_register
         U _mac_policy_unregister
```
and you should implement your iokit_ calls as callbacks in the given policy. Specifically, implement:

```c
typedef int mpo_iokit_check_device_t(
    char *devtype,
    struct mac_module_data *mdata
);
```

as:

```c
struct mac_policy_ops {
    ...
    mpo_iokit_check_device_t *mpo_iokit_check_device;
    ...
};
```
The driver doesn't call this function: I/O Kit gets MACF to (security/mac_iokit.c)

```c
int
mac_iokit_check_device(char *devtype, struct mac_module_data *mdata)
{
    int error;

    /* MAC_CHECK walks every registered policy's mpo_iokit_check_device hook
     * and accumulates the result in the local variable named "error". */
    MAC_CHECK(iokit_check_device, devtype, mdata);
    return (error);
}
```
FYI, the kernel code doesn't directly call check_device - it does call iokit_check_open (iokit/Kernel/IOUserClient.cpp), but not check_device (at least not in the core IOKit - it might from some IO Family). The former is also warned to be experimental, whereas the latter isn't - so we'd suggest using it.
Be it what may, just implement it as part of your policy, mac_register_policy() it, and you'll be done.
Upvotes: 3
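As an added example (not code from the question, the answer, or XNU itself), here is what "implement it as part of your policy and register it" looks like in a minimal policy kext: the `iokit_check_device` hook is supplied through `struct mac_policy_ops`, the policy is registered with `mac_policy_register()` from the kext's start routine and unregistered in its stop routine, and the driver never references `_mac_iokit_check_device` at all. The decision logic is kept in a plain function so it can be compiled and tested in user space; the kernel glue is only compiled with `-DKERNEL` inside a kext target against the XNU headers. The policy name, the device-type allowlist and the entry-point names `example_mac_start` / `example_mac_stop` are assumptions made for this example.

```c
/*
 * Added example, not from the question or answer: a minimal MACF policy
 * module exposing the iokit_check_device hook.
 *
 * Build as a kext (with -DKERNEL, linking against com.apple.kpi.dsep and
 * com.apple.kpi.libkern) to get the registration glue; build plainly in user
 * space to exercise only the decision function.
 *
 * Assumed for this example: the policy name "example_iokit", the allowlist
 * below, and the start/stop symbol names.
 */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Forward declaration only: the hook receives this pointer but never dereferences it. */
struct mac_module_data;

/* Constructed allowlist of I/O Kit device types this example permits. */
static const char *const allowed_devtypes[] = {
    "IOUSBDevice",
    "IOSerialBSDClient",
};

/*
 * Decision function: 0 = allow, EPERM = deny. MACF reports a non-zero hook
 * result as the error for the operation, so denying is just returning errno.
 * Fails closed when no device type is supplied.
 */
int example_devtype_allowed(const char *devtype)
{
    if (devtype == NULL || devtype[0] == '\0')
        return EPERM;
    for (size_t i = 0; i < sizeof(allowed_devtypes) / sizeof(allowed_devtypes[0]); i++) {
        if (strcmp(devtype, allowed_devtypes[i]) == 0)
            return 0;
    }
    return EPERM;
}

/* The callback with the mpo_iokit_check_device_t signature quoted in the answer. */
int example_iokit_check_device(char *devtype, struct mac_module_data *mdata)
{
    (void)mdata;
    return example_devtype_allowed(devtype);
}

#ifdef KERNEL
#include <mach/mach_types.h>
#include <mach/kmod.h>
#include <security/mac_policy.h>

/* Only the hooks you set are invoked; everything else stays NULL. */
static struct mac_policy_ops example_ops = {
    .mpo_iokit_check_device = example_iokit_check_device,
};

static struct mac_policy_conf example_conf = {
    .mpc_name            = "example_iokit",                 /* assumed name */
    .mpc_fullname        = "Example I/O Kit device policy",
    .mpc_labelnames      = NULL,
    .mpc_labelname_count = 0,
    .mpc_ops             = &example_ops,
    .mpc_loadtime_flags  = MPC_LOADTIME_FLAG_UNLOADOK,      /* permit kextunload */
    .mpc_field_off       = NULL,
    .mpc_runtime_flags   = 0,
};

static mac_policy_handle_t example_handle;

/* Kext start: registration is the only MACF entry point a policy needs. */
kern_return_t example_mac_start(kmod_info_t *ki, void *d)
{
    (void)ki;
    return mac_policy_register(&example_conf, &example_handle, d) == 0
           ? KERN_SUCCESS : KERN_FAILURE;
}

/* Kext stop: drop the policy so the hook is no longer called after unload. */
kern_return_t example_mac_stop(kmod_info_t *ki, void *d)
{
    (void)ki; (void)d;
    return mac_policy_unregister(example_handle) == 0 ? KERN_SUCCESS : KERN_FAILURE;
}
#else
/* User-space self-check of the decision logic. */
int main(void)
{
    printf("IOUSBDevice -> %d\n", example_devtype_allowed("IOUSBDevice"));
    printf("IOFooDevice -> %d\n", example_devtype_allowed("IOFooDevice"));
    return 0;
}
#endif
```

The split between the decision function and the kernel glue is deliberate: the part that can get a policy wrong (which device types are allowed, what happens on a missing type) is the part you can test without loading a kext, while the registration code is the thin, mechanical piece.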