Diffstat (limited to 'en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml')
-rw-r--r-- | en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml | 5716 |
1 files changed, 0 insertions, 5716 deletions
diff --git a/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml b/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml deleted file mode 100644 index 898c2423c3..0000000000 --- a/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml +++ /dev/null 
@@ -1,5716 +0,0 @@ -<!-- - Copyright (c) 2002 Networks Associates Technology, Inc. - All rights reserved. - - This software was developed for the FreeBSD Project by Chris - Costello at Safeport Network Services and NAI Labs, the Security - Research Division of Network Associates, Inc. under DARPA/SPAWAR - contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS - research program. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions - are met: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - 3. The names of the authors may not be used to endorse or promote - products derived from this software without specific prior written - permission. - - THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - SUCH DAMAGE. 
- - $FreeBSD$ ---> - -<chapter id="mac"> - <chapterinfo> - <authorgroup> - <author> - <firstname>Chris</firstname> - <surname>Costello</surname> - - <affiliation> - <orgname>TrustedBSD Project</orgname> - <address><email>chris@FreeBSD.org</email></address> - </affiliation> - </author> - - <author> - <firstname>Robert</firstname> - <surname>Watson</surname> - - <affiliation> - <orgname>TrustedBSD Project</orgname> - <address><email>rwatson@FreeBSD.org</email></address> - </affiliation> - </author> - </authorgroup> - </chapterinfo> - - <title>Writing MAC Policies</title> - - <sect1 id="mac-synopsis"> - <title>Synopsis</title> - - <para>Mandatory Access Control (MAC) is a security feature frequently - found in commercial trusted operating systems. MAC supplements - existing Discretionary Access Control (DAC) protections (such as - file system permissions and access control lists) by allowing the - security administrator to define mandatory protections for - system objects. Mandatory protections may be distinguished from - discretionary protections in that DAC is applied at the discretion - of the object owner, whereas MAC protections are defined by the - administrator and applied to all users and objects in the system - and may not be bypassed even by object owners. A variety of - MAC policies have been explored in security research literature - as well as the commercial trusted operating system space. These - include policies such as the Multi-Level Security (MLS) - confidentiality policy, used to prevent inappropriate sharing of - information on multi-user systems, and the Biba integrity policy, - typically used to protect the integrity of system and user - services.</para> - - <para>The implementation of MAC found in FreeBSD was developed by - the TrustedBSD Project, and includes support for both a number of - specific MAC policies, and for a flexible and extensible security - framework to support the easy creation of new kernel security - policies. 
This framework isolates the internals of specific MAC - policies from the implementation of kernel services, and - encapsulates the policies in policy modules. Policy modules may - be added to the system without changes to the base kernel, and can - augment the kernel security policy in a variety of ways. In - addition, policies may provide a shared object implementation - of common MAC interfaces for userland applications, permitting - applications to be easily extended to manage labels for new - policies. Support is provided for setting labels on user - processes at login, as well as in a number of other locations where - user context management occurs.</para> - - <para>This chapter introduces the MAC policy userland and kernel - policy frameworks and provides documentation for a sample MAC - policy module.</para> - </sect1> - - - <sect1 id="mac-introduction"> - <title>Introduction</title> - - <para>The TrustedBSD MAC framework provides a mechanism to allow - the compile-time or run-time extension of the kernel access - control model. New system policies may be implemented as - kernel modules and linked to the kernel; if multiple policy - modules are present, their results will be composed. While the - framework is intended to support a variety of access control - models, its design was derived from the requirements of a set - of specific access control models required for the TrustedBSD - and CBOSS Projects. This includes support for fixed and - floating label Biba integrity policies, the MLS - confidentiality policy, the Type Enforcement rule-based access - control policy, and the ability to support layering of the NSA - FLASK framework above the TrustedBSD MAC framework. 
This - document describes the rough architecture of the framework, - with the understanding that this is a work-in-progress and may - change subtantially as requirements evolve.</para> - </sect1> - - <sect1 id="mac-kernel-arch"> - <title>Kernel Architecture</title> - - <para>The TrustedBSD MAC framework provides the opportunity for - policy modules to be augment system access control decisions. - Policies are permitted the opportunity to restrict the set of - rights available for processes at a variety of relevant points - in the kernel. In addition, they are provided the opportunity - to tag processes and various kernel objects with labels storing - access control information. Policy modules may register - interest in a subset of the total available events or objects, - and are not required to implement events or objects that are not - relevant to the policy. Multiple modules may be loaded at once, - and the results of the modules are composed as necessary to - build an over-all system policy. Policy modules may be - implemented such that they can be loaded on-demand at run-time, - or such that they may only be loaded early in the boot process. - This permits policies requiring pervasive labeling of all - objects to prevent improper use.</para> - </sect1> - - <sect1 id="mac-userland-arch"> - <title>Userland Architecture</title> - - <para>...</para> - </sect1> - - <sect1 id="mac-entry-point"> - <title>Entry Point Framework</title> - - <para>Four classes of entry points are offered to policies - registered with the framework: entry points associated with - the registration and management of policies, entry points - denoting initialization, creation, destruction, and other life - cycle events for kernel objects, events assocated with access - control decisions that the policy module may influence, and - calls associated with the management of labels on objects. 
In - addition, a <function>mac_syscall()</function> entry point is - provided so that policies may extend the kernel interface - without registering new system calls.</para> - - <para>Policy module writers should be aware of the kernel - locking strategy, as well as what object locks are available - during which entry points. Writers should attempt to avoid - deadlock scenarios by avoiding grabbing non-leaf locks inside - of entry points, and also follow the locking protocol for - object access and modification. In particular, writers should - be aware that while necessary locks to access objects and - their labels are generally held, sufficient locks to modify an - object or its label may not be present for all entry points. - Locking information for arguments is documented in the MAC - framework entry point document.</para> - - <para>Policy entry points will pass a reference to the object - label along with the object itself. This permits labeled - policies to be unaware of the internals of the object yet - still make decisions based on the label. The exception to this - is the process credential, which is assumed to be understood - by policies as a first class security object in the kernel. 
- Policies that do not implement labels on kernel objects will - be passed NULL pointers for label arguments to entry - points.</para> - - <sect2 id="policy-module-registration"> - <title>Policy Module Registration</title> - - <para>Modules may be declared using the - <function>MAC_POLICY_SET()</function> macro, which names the - policy, provides a reference to the MAC entry point vector, - provides load-time flags determining how the policy framework - should handle the policy, and optionally requests the - allocation of label state by the framework:</para> - - <programlisting>static struct mac_policy_op_entry mac_none_ops[] = -{ - { MAC_DESTROY, - (macop_t)mac_none_destroy }, - { MAC_INIT, - (macop_t)mac_none_init }, - { MAC_INIT_BPFDESC, - (macop_t)mac_none_init_bpfdesc }, -/* ... */ - { MAC_CHECK_VNODE_STAT, - (macop_t)mac_none_check_vnode_stat }, - { MAC_CHECK_VNODE_WRITE, - (macop_t)mac_none_check_vnode_write }, - { MAC_OP_LAST, NULL } -};</programlisting> - - <para>The MAC policy entry point vector, - <varname>mac_none_ops</varname> in this example, associates - functions defined in the module with specific entry points. A - complete listing of available entry points and their - prototypes may be found in the MAC entry point reference - section. Of specific interest during module registration are - the <symbol>MAC_DESTROY</symbol> and <symbol>MAC_INIT</symbol> - entry points. <symbol>MAC_INIT</symbol> will be invoked once a - policy is successfully registered with the module framework - but prior to any other entry points becoming active. This - permits the policy to perform any policy-specific allocation - and initialization, such as initialization of any data or - locks. <symbol>MAC_DESTROY</symbol> will be invoked when a - policy module is unloaded to permit releasing of any allocated - memory and destruction of locks. 
Currently, these two entry - points are invoked with the MAC policy list mutex held to - prevent any other entry points from being invoked: this will - be changed, but in the mean time, policies should be careful - about what kernel primitives they invoke so as to avoid lock - ordering or sleeping problems.</para> - - <para>The policy declaration's module name field exists so that - the module may be uniquely identified for the purposes of - module dependencies. An appropriate string should be selected. - The full string name of the policy is displayed to the user - via the kernel log during load and unload events, and also - exported when providing status information to userland - processes.</para> - - <para>The policy flags field permits the module to provide the - framework with information about its loader-related - capabilities. Currently, two flags are defined:</para> - - <variablelist> - <varlistentry> - <term>MPC_LOADTIME_FLAG_UNLOADOK</term> - - <listitem> - <para>This flag indicates that the policy module may be - unloaded. If this flag is not provided, then the policy - framework will reject requests to unload the module. - This flag might be used by modules that allocate label - state and are unable to free that state at - runtime.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>MPC_LOADTIME_FLAG_NOTLATE</term> - - <listitem><para>This flag indicates that the policy module - must be loaded and initialized early in the boot - process. If the flag is specified, attempts to register - the module following boot will be rejected. 
The flag - may be used by policies that require pervasive labeling - of all system objects, and cannot handle objects that - have not been properly initialized by the policy.</para> - </listitem> - </varlistentry> - </variablelist> - - <sect3 id="mac-mpo-init"> - <title><function>&mac.mpo;_init</function</title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_init</function></funcdef> - - <paramdef>struct mac_policy_conf - *<parameter>conf</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>conf</parameter></entry> - <entry>MAC policy definition</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Policy load event. The policy list mutex is held, so - caution should be applied.</para> - </sect3> - - <sect3 id="mpo-destroy"> - <title><function>&mac.mpo;_destroy</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_destroy</function></funcdef> - - <paramdef>struct mac_policy_conf - *<parameter>conf</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>conf</parameter></entry> - <entry>MAC policy definition</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Policy load event. The policy list mutex is held, so - caution should be applied.</para> - </sect3> - </sect2> - - <sect2 id="mac-label-events"> - <title>Label Events</title> - - <para>This class of entry points is used by the MAC framework to - permit policies to maintain label information on kernel - objects. For each labeled kernel object of interest to a MAC - policy, entry points may be registered for relevant life cycle - events. All objects implement initialization, creation, and - destruction hooks. Some objects will also implement - relabeling, allowing user processes to change the labels on - objects. 
Some objects will also implement object-specific - events, such as label events associated with IP reassembly. A - typical labeled object will have the following life cycle of - entry points:</para> - - <programlisting>Label initialization o -(object-specific wait) \ -Label creation o - \ -Relabel events, o--<--. -Various object-specific, | | -Access control events ~-->--o - \ -Label destruction o</programlisting> - - <para>Label initialization permits policies to allocate memory - and set initial values for labels without context for the use - of the object. The label slot allocated to a policy will be - zero'd by default, so some policies may not need to perform - initialization.</para> - - <para>Label creation occurs when the kernel structure is - associated with an actual kernel object. For example, mbufs - may be allocated and remain unused in a pool until they are - required. mbuf allocation causes label initialization on the - mbuf to take place, but mbuf creation occurs when the mbuf is - associated with a datagram. Typically, context will be - provided for a creation event, including the circumstances of - the creation, and labels of other relevant objects in the - creation process. For example, when an mbuf is created from a - socket, the socket and its label will be presented to - registered policies in addition to the new mbuf and its label. - Memory allocation in creation events is discouraged, as it may - occur in performance sensitive ports of the kernel; in - addition, creation calls are not permitted to fail so a - failure to allocate memory cannot be reported.</para> - - <para>Object specific events do not generally fall into the - other broad classes of label events, but will generally - provide an opportunity to modify or update the label on an - object based on additional context. 
For example, the label on - an IP fragment reassembly queue may be updated during the - <symbol>MAC_UPDATE_IPQ</symbol> entry point as a result of the - acceptance of an additional mbuf to that queue.</para> - - <para>Access control events are discussed in detail in the - following section.</para> - - <para>Label destruction permits policies to release storage or - state associated with a label during its association with an - object so that the kernel data structures supporting the - object may be reused or released.</para> - - <para>In addition to labels associated with specific kernel - objects, an additional class of labels exists: temporary - labels. These labels are used to store update information - submitted by user processes. These labels are initialized and - destroyed as with other label types, but the creation event is - <symbol>MAC_INTERNALIZE</symbol>, which accepts a user label - to be converted to an in-kernel representation.</para> - - <sect3 id="mac-fs-label-event-ops"> - <title>File System Object Labeling Event Operations</title> - - <sect4 id="mac-mpo-create-devfs-device"> - <title><function>&mac.mpo;_create_devfs_device</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_devfs_device</function></funcdef> - - <paramdef>dev_t <parameter>dev</parameter></paramdef> - <paramdef>struct devfs_dirent - *<parameter>devfs_dirent</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>dev</parameter></entry> - <entry>Device corresponding with - <parameter>devfs_dirent</parameter></entry> - </row> - - <row> - <entry><parameter>devfs_dirent</parameter></entry> - <entry>Devfs directory entry to be labeled.</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Label for <parameter>devfs_dirent</parameter> - to be filled 
in.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Fill out the label on a devfs_dirent being created for - the passed device. This call will be made when the device - file system is mounted, regenerated, or a new device is made - available.</para> - </sect4> - - <sect4 id="mac-mpo-create-devfs-directory"> - <title><function>&mac.mpo;_create_devfs_directory</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_devfs_directory</function></funcdef> - - <paramdef>char *<parameter>dirname</parameter></paramdef> - <paramdef>int <parameter>dirnamelen</parameter></paramdef> - <paramdef>struct devfs_dirent - *<parameter>devfs_dirent</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>dirname</parameter></entry> - <entry>Name of directory being created</entry> - </row> - - <row> - <entry><parameter>namelen</parameter></entry> - <entry>Length of string - <parameter>dirname</parameter></entry> - </row> - - <row> - <entry><parameter>devfs_dirent</parameter></entry> - <entry>Devfs directory entry for directory being - created.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Fill out the label on a devfs_dirent being created for - the passed directory. 
This call will be made when the device - file system is mounted, regenerated, or a new device - requiring a specific directory hierarchy is made - available.</para> - </sect4> - - <sect4 id="mac-mpo-create-devfs-vnode"> - <title><function>&mac.mpo;_create_devfs_vnode</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_devfs_vnode</function></funcdef> - - <paramdef>struct devfs_dirent - *<parameter>devfs_dirent</parameter></paramdef> - <paramdef>struct label - *<parameter>direntlabel</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>devfs_dirent</parameter></entry> - <entry>Object; devfs directory entry</entry> - </row> - - <row> - <entry><parameter>direntlabel</parameter></entry> - <entry>Policy label for - <parameter>devfs_dirent</parameter></entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; file system object being labeled</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label to be filled in for - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Fill out the label on the vnode being created for the - passed devfs_dirent. 
This call will be made when a vnode is - required to represent the specified devfs_dirent in a - mounted devfs instance.</para> - </sect4> - - <sect4 id="mac-mpo-vnode-create-from-vnode"> - <title><function>&mac.mpo;_vnode_create_from_vnode</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_vnode_create_from_vnode</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>parent</parameter></paramdef> - <paramdef>struct label - *<parameter>parentlabel</parameter></paramdef> - <paramdef>struct vnode - *<parameter>child</parameter></paramdef> - <paramdef>struct label - *<parameter>childlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>parent</parameter></entry> - <entry>Parent vnode; the directory in which - <parameter>child</parameter> is being - created</entry> - </row> - - <row> - <entry><parameter>parentlabel</parameter></entry> - <entry>Policy label for - <parameter>parent</parameter></entry> - </row> - - <row> - <entry><parameter>child</parameter></entry> - <entry>New vnode</entry> - </row> - - <row> - <entry><parameter>childlabel</parameter></entry> - <entry>Label to be filled in for - <parameter>child</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Fill out the label on the vnode being created in the - passed vnode parent by the passed subject credential. This - call will be made when a vnode is allocated during a vnode - creation operation. 
For example, this call is made by - multi-label file systems during the creation of a new file - or directory.</para> - </sect4> - - <sect4 id="mac-mpo-create-mount"> - <title><function>&mac.mpo;_create_mount</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_mount</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct mount - *<parameter>mp</parameter></paramdef> - <paramdef>struct label - *<parameter>mnt</parameter></paramdef> - <paramdef>struct label - *<parameter>fslabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>mp</parameter></entry> - <entry>Object; file system being mounted</entry> - </row> - - <row> - <entry><parameter>mntlabel</parameter></entry> - <entry>Policy label to be filled in for - <parameter>mp</parameter></entry> - </row> - - <row> - <entry><parameter>fslabel</parameter></entry> - <entry>Policy label for the file system - <parameter>mp</parameter> mounts.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Fill out the labels on the mount point being created by - the passed subject credential. 
This call will be made when - a new file system is mounted.</para> - </sect4> - - <sect4 id="mac-mpo-create-root-mount"> - <title><function>&mac.mpo;_create_root_mount</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_root_mount</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct mount - *<parameter>mp</parameter></paramdef> - <paramdef>struct label - *<parameter>mntlabel</parameter></paramdef> - <paramdef>struct label - *<parameter>fslabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry namest="first" nameend="last">See <xref - linkend="mac-mpo-create-mount">.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Fill out the labels on the mount point being created by - the passed subject credential. This call will be made when - the root file system is mounted, after - &mac.mpo;_create_mount;.</para> - </sect4> - - <sect4 id="mac-mpo-vnode-relabel"> - <title><function>&mac.mpo;_vnode_relabel</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_vnode_relabel</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - <paramdef>struct label - *<parameter>newlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>vnode to relabel</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Existing policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - 
<entry><parameter>newlabel</parameter></entry> - <entry>New, possibly partial label to replace - <parameter>vnodelabel</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the label on the passed vnode given the passed - update vnode label and the passed subject credential.</para> - </sect4> - - <sect4 id="mac-mpo-stdcreatevnode-ea"> - <title><function>&mac.mpo;_stdcreatevnode_ea</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_stdcreatevnode_ea</function></funcdef> - - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>vp</parameter></entry> - <entry>vnode to commit</entry> - <entry>Locked on entry, locked on exit</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Label associated with - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <!-- XXX extattr.9 probably needs updating... --> - <para>This entry point is called when a vnode is to be - committed to disk via the extended attribute service (see - &man.extattr.9;). If committing to the disk is successful, - a value of <returnvalue>0</returnvalue> should be returned; - otherwise, an appropriate error code should be - returned.</para> - - <note><para>The current implementation as of July 24, 2002 - commits the data to disk from within the architecture. 
- The implementation will be updated to be closer to the - above documentation as development progresses.</para></note> - </sect4> - - <sect4 id="mac-mpo-update-devfsdirent"> - <title><function>&mac.mpo;_update_devfsdirent</function></title> - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_update_devfsdirent</function></funcdef> - - <paramdef>struct devfs_dirent - *<parameter>devfs_dirent</parameter></paramdef> - <paramdef>struct label - *<parameter>direntlabel</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>devfs_dirent</parameter></entry> - <entry>Object; devfs directory entry</entry> - </row> - - <row> - <entry><parameter>direntlabel</parameter></entry> - <entry>Policy label for - <parameter>devfs_dirent</parameter> to be - updated.</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Parent vnode</entry> - <entry>Locked</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the <parameter>devfs_dirent</parameter> label - from the passed devfs vnode label. This call will be made - when a devfs vnode has been successfully relabeled to commit - the label change such that it lasts even if the vnode is - recycled. 
It will also be made when when a symlink is - created in devfs, following a call to - <function>mac_vnode_create_from_vnode</function> to - initialize the vnode label.</para> - </sect4> - - <sect4 id="mac-mpo-update-procfsvnode"> - <title><function>&mac.mpo;_update_procfsvnode</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_update_procfsvnode</function></funcdef> - - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; procfs vnode</entry> - <entry>Locked</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label to be filled in for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject; credential for the process - entry</entry> - <entry>Immutable</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the procfs vnode label from the passed subject - credential. 
This call will be made when an operation on a - procfs vnode requires a fresh label on a process-derived - vnode.</para> - </sect4> - - <sect4 id="mac-mpo-update-vnode-from-extattr"> - <title><function>&mac.mpo;_update_vnode_from_extattr</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_update_vnode_from_extattr</function></funcdef> - - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - <paramdef>struct mount - *<parameter>mp</parameter></paramdef> - <paramdef>struct label - *<parameter>fslabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode whose label is being updated</entry> - <entry>Locked</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label to refresh</entry> - </row> - - <row> - <entry><parameter>mp</parameter></entry> - <entry>Mount point for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>fslabel</parameter></entry> - <entry>Policy label for <parameter>vp</parameter>'s - file system.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the vnode label by refreshing the label data from - the extended attribute service for the vnode. The mount - point <parameter>fslabel</parameter> is also made available - so that the <parameter>fslabel</parameter> may be used as a - labeling source if fallback is appropriate for the policy. 
- This call is permitted to fail; if the call fails, the - associated label refresh will also fail, causing the failure - of the operation requiring the MAC check and vnode label - refresh, permitting a <quote>fail closed</quote> policy if - labeling data is not available.</para> - </sect4> - - <sect4 id="mac-mpo-update-from-externalized"> - <title><function>&mac.mpo;_update_from_externalized</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_update_from_externalized</function></funcdef> - - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - <paramdef>struct mac - *<parameter>extmac</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - <entry>Locked</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>extmac</parameter></entry> - <entry>Externalized MAC policy label</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the vnode label from the passed externalized - label loaded from disk by the MAC framework. This call is - permitted to fail; if the call fails, the associated label - refresh will also fail, causing the failure of the operation - requiring the MAC check and vnode label refresh, permitting - a <quote>fail closed</quote> policy if labeling data is not - available. 
This call will be obsoleted by the new extended - attribute labeling interface.</para> - </sect4> - - <sect4 id="mac-mpo-update-vnode-from-mount"> - <title><function>&mac.mpo;_update_vnode_from_mount</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_update_vnode_from_mount</function></funcdef> - - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - <paramdef>struct mount - *<parameter>mp</parameter></paramdef> - <paramdef>struct label - *<parameter>mountlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - <entry>Locked</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>mp</parameter></entry> - <entry>Mount point where <parameter>vp</parameter> - resides</entry> - </row> - - <row> - <entry><parameter>fslabel</parameter></entry> - <entry>Policy label for the file system where - <parameter>vp</parameter> resides.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the vnode label from the passed mount point - label. 
This call is made when a single label file system - vnode requires a label, or if the obsoleted MAC framework - externalized extended attribute read fails.</para> - </sect4> - </sect3> - - <sect3 id="mac-ipc-label-ops"> - <title>IPC Object Labeling Event Operations</title> - - <sect4 id="mac-mpo-create-mbuf-from-socket"> - <title><function>&mac.mpo;_create_mbuf_from_socket</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_mbuf_from_socket</function></funcdef> - - <paramdef>struct socket - *<parameter>so</parameter></paramdef> - <paramdef>struct label - *<parameter>socketlabel</parameter></paramdef> - <paramdef>struct mbuf *<parameter>m</parameter></paramdef> - <paramdef>struct label - *<parameter>mbuflabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>socket</parameter></entry> - <entry>Socket</entry> - <entry>Socket locking WIP</entry> - </row> - - <row> - <entry><parameter>socketlabel</parameter></entry> - <entry>Policy label for - <parameter>socket</parameter></entry> - </row> - - <row> - <entry><parameter>m</parameter></entry> - <entry>Object; mbuf</entry> - </row> - - <row> - <entry><parameter>mbuflabel</parameter></entry> - <entry>Policy label to fill in for - <parameter>m</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on a newly created mbuf header from the - passed socket label. 
This call is made when a new datagram - or messsage is generated by the socket and stored in the - passed mbuf.</para> - </sect4> - - <sect4 id="mac-mpo-create-socket"> - <title><function>&mac.mpo;_create_socket</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_socket</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct socket - *<parameter>so</parameter></paramdef> - <paramdef>struct label - *<parameter>socketlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - <entry>Immutable</entry> - </row> - - <row> - <entry><parameter>so</parameter></entry> - <entry>Object; socket to label</entry> - </row> - - <row> - <entry><parameter>socketlabel</parameter></entry> - <entry>Label to fill in for - <parameter>so</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on a newly created socket from the passed - subject credential. 
This call is made when a socket is - created.</para> - </sect4> - - <sect4> - <title><function>&mac.mpo;_create_socket_from_socket</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_socket_from_socket</function></funcdef> - - <paramdef>struct socket - *<parameter>oldsocket</parameter></paramdef> - <paramdef>struct label - *<parameter>oldsocketlabel</parameter></paramdef> - <paramdef>struct socket - *<parameter>newsocket</parameter></paramdef> - <paramdef>struct label - *<parameter>newsocketlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>oldsocket</parameter></entry> - <entry>Object; parent socket; created from - &man.listen.2;</entry> - </row> - - <row> - <entry><parameter>oldsocketlabel</parameter></entry> - <entry>Label for - <parameter>oldsocket</parameter></entry> - </row> - - <row> - <entry><parameter>newsocket</parameter></entry> - <entry>Object; child socket; incoming connection</entry> - </row> - - <row> - <entry><parameter>newsocketlabel</parameter></entry> - <entry>Label to be filled in for - <parameter>newsocket</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on a newly created stream socket from the - passed listen socket. 
This call may occur during &man.accept.2;, - or prior to &man.accept.2;, depending on the protocol.</para> - </sect4> - - <sect4 id="mac-mpo-relabel-socekt"> - <title><function>&mac.mpo;_socket_relabel</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_socket_relabel</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct socket - *<parameter>so</parameter></paramdef> - <paramdef>struct label - *<parameter>oldlabel</parameter></paramdef> - <paramdef>struct label - *<parameter>newlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - <entry>Immutable</entry> - </row> - - <row> - <entry><parameter>so</parameter></entry> - <entry>Object; socket</entry> - </row> - - <row> - <entry><parameter>oldlabel</parameter></entry> - <entry>Current label for - <parameter>so</parameter></entry> - </row> - - <row> - <entry><parameter>newlabel</parameter></entry> - <entry>Label update for - <parameter>so</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the label on a socket from the passed socket - label update.</para> - </sect4> - - <sect4 id="mpo-set-socket-peer-from-mbuf"> - <title><function>&mac.mpo;_set_socket_peer_from_mbuf</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_set_socket_peer_from_mbuf</function></funcdef> - - <paramdef>struct mbuf - *<parameter>mbuf</parameter></paramdef> - <paramdef>struct label - *<parameter>mbuflabel</parameter></paramdef> - <paramdef>struct label - *<parameter>oldlabel</parameter></paramdef> - <paramdef>struct label - *<parameter>newlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - 
<entry><parameter>mbuf</parameter></entry> - <entry>First datagram received over socket</entry> - </row> - - <row> - <entry><parameter>mbuflabel</parameter></entry> - <entry>Label for <parameter>mbuf</parameter></entry> - </row> - - <row> - <entry><parameter>oldlabel</parameter></entry> - <entry>Current label for the socket</entry> - </row> - - <row> - <entry><parameter>newlabel</parameter></entry> - <entry>Policy label to be filled out for the - socket</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the peer label on a stream socket from the passed - mbuf label. This call will be made when the first datagram - is received by the stream socket, with the exception of Unix - domain sockets.</para> - </sect4> - - <sect4 id="mac-mpo-set-socket-peer-from-socket"> - <title><function>&mac.mpo;_set_socket_peer_from_socket</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_set_socket_peer_from_socket</function></funcdef> - - <paramdef>struct socket - *<parameter>oldsocket</parameter></paramdef> - <paramdef>struct label - *<parameter>oldsocketlabel</parameter></paramdef> - <paramdef>struct socket - *<parameter>newsocket</parameter></paramdef> - <paramdef>struct label - *<parameter>newsocketpeerlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>oldsocket</parameter></entry> - <entry>Local socket</entry> - </row> - - <row> - <entry><parameter>oldsocketlabel</parameter></entry> - <entry>Policy label for - <parameter>oldsocket</parameter></entry> - </row> - - <row> - <entry><parameter>newsocket</parameter></entry> - <entry>Peer socket</entry> - </row> - - <row> - <entry><parameter>newsocketpeerlabel</parameter></entry> - <entry>Policy label to fill in for - <parameter>newsocket</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <!-- XXX Passed _remote_ socket endpoint ? 
--> - <para>Set the peer label on a stream UNIX domain socket from - the passed remote socket endpoint. This call will be made - when the socket pair is connected, and will be made for both - endpoints.</para> - </sect4> - </sect3> - - <sect3 id="mac-net-labeling-event-ops"> - <title>Network Object Labeling Event Operations</title> - - <sect4 id="mac-mpo-create-bpfdesc"> - <title><function>&mac.mpo;_create_bpfdesc</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_bpfdesc</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct bpf_d - *<parameter>bpf_d</parameter></paramdef> - <paramdef>struct label - *<parameter>bpflabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - <entry>Immutable</entry> - </row> - - <row> - <entry><parameter>bpf_d</parameter></entry> - <entry>Object; bpf descriptor</entry> - </row> - - <row> - <entry><parameter>bpf</parameter></entry> - <entry>Policy label to be filled in for - <parameter>bpf_d</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on a newly created BPF descriptor from the - passed subject credential. 
This call will be made when a - BPF device node is opened by a process with the passed - subject credential.</para> - </sect4> - - <sect4 id="mac-mpo-create-ifnet"> - <title><function>&mac.mpo;_create_ifnet</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_ifnet</function></funcdef> - - <paramdef>struct ifnet - *<parameter>ifnet</parameter></paramdef> - <paramdef>struct label - *<parameter>ifnetlabel</parameter></paramdeF> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>ifnet</parameter></entry> - <entry>Network interface</entry> - </row> - - <row> - <entry><parameter>ifnetlabel</parameter></entry> - <entry>Policy label to fill in for - <parameter>ifnet</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on a newly created interface. This call - may be made when a new physical interface becomes available - to the system, or when a pseudo-interface is instantiated - during the boot or as a result of a user action.</para> - </sect4> - - <sect4 id="mac-mpo-create-ipq"> - <title><function>&mac.mpo;_create_ipq</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_ipq</function></funcdef> - - <paramdef>struct mbuf - *<parameter>fragment</parameter></paramdef> - <paramdef>struct label - *<parameter>fragmentlabel</parameter></paramdef> - <paramdef>struct ipq - *<parameter>ipq</parameter></paramdef> - <paramdef>struct label - *<parameter>ipqlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>fragment</parameter></entry> - <entry>First received IP fragment</entry> - </row> - - <row> - <entry><parameter>fragmentlabel</parameter></entry> - <entry>Policy label for - <parameter>fragment</parameter></entry> - </row> - - <row> - 
<entry><parameter>ipq</parameter></entry> - <entry>IP reassembly queue to be labeled</entry> - </row> - - <row> - <entry><parameter>ipqlabel</parameter></entry> - <entry>Policy label to be filled in for - <parameter>ipq</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on a newly created IP fragment reassembly - queue from the mbuf header of the first received - fragment.</para> - </sect4> - - <sect4 id="mac-mpo-create-datagram-from-ipq"> - <title><function>&mac.mpo;_create_datagram_from_ipq</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_create_datagram_from_ipq</function></funcdef> - - <paramdef>struct ipq - *<parameter>ipq</parameter></paramdef> - <paramdef>struct label - *<parameter>ipqlabel</parameter></paramdef> - <paramdef>struct mbuf - *<parameter>datagram</parameter></paramdef> - <paramdef>struct label - *<parameter>datagramlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>ipq</parameter></entry> - <entry>IP reassembly queue</entry> - </row> - - <row> - <entry><parameter>ipqlabel</parameter></entry> - <entry>Policy label for - <parameter>ipq</parameter></entry> - </row> - - <row> - <entry><parameter>datagram</parameter></entry> - <entry>Datagram to be labeled</entry> - </row> - - <row> - <entry><parameter>datagramlabel</parameter></entry> - <entry>Policy label to be filled in for - <parameter>datagramlabel</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on a newly reassembled IP datagram from - the IP fragment reassembly queue from which it was - generated.</para> - </sect4> - - <sect4 id="mac-mpo-create-fragment"> - <title><function>&mac.mpo;_create_fragment</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_fragment</function></funcdef> - - 
<paramdef>struct mbuf - *<parameter>datagram</parameter></paramdef> - <paramdef>struct label - *<parameter>datagramlabel</parameter></paramdef> - <paramdef>struct mbuf - *<parameter>fragment</parameter></paramdef> - <paramdef>struct label - *<parameter>fragmentlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>datagram</parameter></entry> - <entry>Datagram</entry> - </row> - - <row> - <entry><parameter>datagramlabel</parameter></entry> - <entry>Policy label for - <parameter>datagram</parameter></entry> - </row> - - <row> - <entry><parameter>fragment</parameter></entry> - <entry>Fragment to be labeled</entry> - </row> - - <row> - <entry><parameter>fragmentlabel</parameter></entry> - <entry>Policy label to be filled in for - <parameter>datagram</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on the mbuf header of a newly created IP - fragment from the label on the mbuf header of the datagram - it was generate from.</para> - </sect4> - - <sect4 id="mac-mpo-create-mbuf-from-mbuf"> - <title><function>&mac.mpo;_create_mbuf_from_mbuf</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_mbuf_from_mbuf</function></funcdef> - - <paramdef>struct mbuf - *<parameter>oldmbuf</parameter></paramdef> - <paramdef>struct label - *<parameter>oldmbuflabel</parameter></paramdef> - <paramdef>struct mbuf - *<parameter>newmbuf</parameter></paramdef> - <paramdef>struct label - *<parameter>newmbuflabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>oldmbuf</parameter></entry> - <entry>Existing (source) mbuf</entry> - </row> - - <row> - <entry><parameter>oldmbuflabel</parameter></entry> - <entry>Policy label for - <parameter>oldmbuf</parameter></entry> - </row> - - <row> - 
<entry><parameter>newmbuf</parameter></entry> - <entry>New mbuf to be labeled</entry> - </row> - - <row> - <entry><parameter>newmbuflabel</parameter></entry> - <entry>Policy label to be filled in for - <parameter>newmbuf</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on the mbuf header of a newly created - datagram from the mbuf header of an existing datagram. This - call may be made in a number of situations, including when - an mbuf is re-allocated for alignment purposes.</para> - </sect4> - - <sect4 id="mac-mpo-create-mbuf-linklayer"> - <title><function>&mac.mpo;_create_mbuf_linklayer</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_mbuf_linklayer</function></funcdef> - - <paramdef>struct ifnet - *<parameter>ifnet</parameter></paramdef> - <paramdef>struct label - *<parameter>ifnetlabel</parameter></paramdef> - <paramdef>struct mbuf - *<parameter>mbuf</parameter></paramdef> - <paramdef>struct label - *<parameter>mbuflabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>ifnet</parameter></entry> - <entry>Network interface</entry> - </row> - - <row> - <entry><parameter>ifnetlabel</parameter></entry> - <entry>Policy label for - <parameter>ifnet</parameter></entry> - </row> - - <row> - <entry><parameter>mbuf</parameter></entry> - <entry>mbuf header for new datagram</entry> - </row> - - <row> - <entry><parameter>mbuflabel</parameter></entry> - <entry>Policy label to be filled in for - <parameter>mbuf</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on the mbuf header of a newly created - datagram generated for the purposes of a link layer response - for the passed interface. 
This call may be made in a number - of situations, including for ARP or ND6 responses in the - IPv4 and IPv6 stacks.</para> - </sect4> - - <sect4 id="mac-mpo-create-mbuf-from-bpfdesc"> - <title><function>&mac.mpo;_create_mbuf_from_bpfdesc</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_mbuf_from_bpfdesc</function></funcdef> - - <paramdef>struct bpf_d - *<parameter>bpf_d</parameter></paramdef> - <paramdef>struct label - *<parameter>bpflabel</parameter></paramdef> - <paramdef>struct mbuf - *<parameter>mbuf</parameter></paramdef> - <paramdef>struct label - *<parameter>mbuflabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>bpf_d</parameter></entry> - <entry>BPF descriptor</entry> - </row> - - <row> - <entry><parameter>bpflabel</parameter></entry> - <entry>Policy label for - <parameter>bpflabel</parameter></entry> - </row> - - <row> - <entry><parameter>mbuf</parameter></entry> - <entry>New mbuf to be labeled</entry> - </row> - - <row> - <entry><parameter>mbuflabel</parameter></entry> - <entry>Policy label to fill in for - <parameter>mbuf</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on the mbuf header of a newly created - datagram generated using the passed BPF descriptor. 
This - call is made when a write is performed to the BPF device - associated with the passed BPF descriptor.</para> - </sect4> - - <sect4 id="mac-mpo-create-mbuf-from-ifnet"> - <title><function>&mac.mpo;_create_mbuf_from_ifnet</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_mbuf_from_ifnet</function></funcdef> - - <paramdef>struct ifnet - *<parameter>ifnet</parameter></paramdef> - <paramdef>struct label - *<parameter>ifnetlabel</parameter></paramdef> - <paramdef>struct mbuf - *<parameter>mbuf</parameter></paramdef> - <paramdef>struct label - *<parameter>mbuflabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>ifnet</parameter></entry> - <entry>Network interface</entry> - </row> - - <row> - <entry><parameter>ifnetlabel</parameter></entry> - <entry>Policy label for - <parameter>ifnetlabel</parameter></entry> - </row> - - <row> - <entry><parameter>mbuf</parameter></entry> - <entry>mbuf header for new datagram</entry> - </row> - - <row> - <entry><parameter>mbuflabel</parameter></entry> - <entry>Policy label to be filled in for - <parameter>mbuf</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on the mbuf header of a newly created - datagram generated from the passed network interface.</para> - </sect4> - - <sect4 id="mac-mpo-create-mbuf-multicast-encap"> - <title><function>&mac.mpo;_create_mbuf_multicast_encap</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_mbuf_multicast_encap</function></funcdef> - - <paramdef>struct mbuf - *<parameter>oldmbuf</parameter></paramdef> - <paramdef>struct label - *<parameter>oldmbuflabel</parameter></paramdef> - <paramdef>struct ifnet - *<parameter>ifnet</parameter></paramdef> - <paramdef>struct label - *<parameter>ifnetlabel</parameter></paramdef> - <paramdef>struct mbuf - 
*<parameter>newmbuf</parameter></paramdef> - <paramdef>struct label - *<parameter>newmbuflabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>oldmbuf</parameter></entry> - <entry>mbuf header for existing datagram</entry> - </row> - - <row> - <entry><parameter>oldmbuflabel</parameter></entry> - <entry>Policy label for - <parameter>oldmbuf</parameter></entry> - </row> - - <row> - <entry><parameter>ifnet</parameter></entry> - <entry>Network interface</entry> - </row> - - <row> - <entry><parameter>ifnetlabel</parameter></entry> - <entry>Policy label for - <parameter>ifnet</parameter></entry> - </row> - - <row> - <entry><parameter>newmbuf</parameter></entry> - <entry>mbuf header to be labeled for new - datagram</entry> - </row> - - <row> - <entry><parameter>newmbuflabel</parameter></entry> - <entry>Policy label to be filled in for - <parameter>newmbuf</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on the mbuf header of a newly created - datagram generated from the existing passed datagram when it - is processed by the passed multicast encapsulation - interface. 
This call is made when an mbuf is to be - delivered using the virtual interface.</para> - </sect4> - - <sect4 id="mac-mpo-create-mbuf-netlayer"> - <title><function>&mac.mpo;_create_mbuf_netlayer</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_mbuf_netlayer</function></funcdef> - - <paramdef>struct mbuf - *<parameter>oldmbuf</parameter></paramdef> - <paramdef>struct label - *<parameter>oldmbuflabel</parameter></paramdef> - <paramdef>struct mbuf - *<parameter>newmbuf</parameter></paramdef> - <paramdef>struct label - *<parameter>newmbuflabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>oldmbuf</parameter></entry> - <entry>Received datagram</entry> - </row> - - <row> - <entry><parameter>oldmbuflabel</parameter></entry> - <entry>Policy label for - <parameter>oldmbuf</parameter></entry> - </row> - - <row> - <entry><parameter>newmbuf</parameter></entry> - <entry>Newly created datagram</entry> - </row> - - <row> - <entry><parameter>newmbuflabel</parameter></entry> - <entry>Policy label for - <parameter>newmbuf</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Set the label on the mbuf header of a newly created - datagram generated by the IP stack in response to an - existing received datagram (<parameter>oldmbuf</parameter>). 
- This call may be made in a number of situations, including - when responding to ICMP request datagrams.</para> - </sect4> - - <sect4 id="mac-mpo-fragment-match"> - <title><function>&mac.mpo;_fragment_match</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_fragment_match</function></funcdef> - - <paramdef>struct mbuf - *<parameter>fragment</parameter></paramdef> - <paramdef>struct label - *<parameter>fragmentlabel</parameter></paramdef> - <paramdef>struct ipq - *<parameter>ipq</parameter></paramdef> - <paramdef>struct label - *<parameter>ipqlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>fragment</parameter></entry> - <entry>IP datagram fragment</entry> - </row> - - <row> - <entry><parameter>fragmentlabel</parameter></entry> - <entry>Policy label for - <parameter>fragment</parameter></entry> - </row> - - <row> - <entry><parameter>ipq</parameter></entry> - <entry>IP fragment reassembly queue</entry> - </row> - - <row> - <entry><parameter>ipqlabel</parameter></entry> - <entry>Policy label for - <parameter>ipq</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether an mbuf header containing an IP - datagram (<parameter>fragment</parameter>) fragment matches - the label of the passed IP fragment reassembly queue - (<parameter>ipq</parameter>). Return - (<returnvalue>1</returnvalue>) for a successful match, or - (<returnvalue>0</returnvalue>) for no match. This call is - made when the IP stack attempts to find an existing fragment - reassembly queue for a newly received fragment; if this - fails, a new fragment reassembly queue may be instantiated - for the fragment. 
Policies may use this entry point to - prevent the reassembly of otherwise matching IP fragments if - policy does not permit them to be reassembled based on the - label or other information.</para> - </sect4> - - <sect4 id="mac-mpo-ifnet-relabel"> - <title><function>&mac.mpo;_ifnet_relabel</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_ifnet_relabel</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct ifnet - *<parameter>ifnet</parameter></paramdef> - <paramdef>struct label - *<parameter>ifnetlabel</parameter></paramdef> - <paramdef>struct label - *<parameter>newlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>ifnet</parameter></entry> - <entry>Object; Network interface</entry> - </row> - - <row> - <entry><parameter>ifnetlabel</parameter></entry> - <entry>Policy label for - <parameter>ifnet</parameter></entry> - </row> - - <row> - <entry><parameter>newlabel</parameter></entry> - <entry>Label update to apply to - <parameter>ifnet</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the label of network interface, - <parameter>ifnet</parameter>, based on the passed update - label, <parameter>newlabel</parameter>, and the passed - subject credential, <parameter>cred</parameter>.</para> - </sect4> - - <sect4 id="mac-mpo-update-ipq"> - <title><function>&mac.mpo;_update_ipq</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_update_ipq</function></funcdef> - - <paramdef>struct mbuf - *<parameter>fragment</parameter></paramdef> - <paramdef>struct label - *<parameter>fragmentlabel</parameter></paramdef> - <paramdef>struct ipq - *<parameter>ipq</parameter></paramdef> - <paramdef>struct 
label - *<parameter>ipqlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>mbuf</parameter></entry> - <entry>IP fragment</entry> - </row> - - <row> - <entry><parameter>mbuflabel</parameter></entry> - <entry>Policy label for - <parameter>mbuf</parameter></entry> - </row> - - <row> - <entry><parameter>ipq</parameter></entry> - <entry>IP fragment reassembly queue</entry> - </row> - - <row> - <entry><parameter>ipqlabel</parameter></entry> - <entry>Policy label to be updated for - <parameter>ipq</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the label on an IP fragment reassembly queue - (<parameter>ipq</parameter>) based on the acceptance of the - passed IP fragment mbuf header - (<parameter>mbuf</parameter>).</para> - </sect4> - </sect3> - - <sect3 id="mac-proc-labeling-event-ops"> - <title>Process Labeling Event Operations</title> - - <sect4 id="mac-mpo-create-cred"> - <title><function>&mac.mpo;_create_cred</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_cred</function></funcdef> - - <paramdef>struct ucred - *<parameter>parent_cred</parameter></paramdef> - <paramdef>struct ucred - *<parameter>child_cred</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>parent_cred</parameter></entry> - <entry>Parent subject credential</entry> - </row> - - <row> - <entry><parameter>child_cred</parameter></entry> - <entry>Child subject credential</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <!-- XXX manref --> - <para>Set the label of a newly created subject credential from - the passed subject credential. This call will be made when - crcopy(9) is invoked on a newly created <type>struct - ucred</type>. 
This call should not be confused with a - process forking or creation event.</para> - </sect4> - - <sect4 id="mac-mpo-execve-transition"> - <title><function>&mac.mpo;_execve_transition</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_execve_transition</function></funcdef> - - <paramdef>struct ucred - *<parameter>old</parameter></paramdef> - <paramdef>struct ucred - *<parameter>new</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>old</parameter></entry> - <entry>Existing subject credential</entry> - <entry>Immutable</entry> - </row> - - <row> - <entry><parameter>new</parameter></entry> - <entry>New subject credential to be labeled</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>File to execute</entry> - <entry>Locked</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the label of a newly created subject credential - (<parameter>new</parameter>) from the passed existing - subject credential (<parameter>old</parameter>) based on a - label transition caused by executing the passed vnode - (<parameter>vp</parameter>). This call occurs when a - process executes the passed vnode and one of the policies - returns a success from the - <function>mpo_execve_will_transition</function> entry point. - Policies may choose to implement this call simply by - invoking <function>mpo_create_cred</function> and passing - the two subject credentials so as not to implement a - transitioning event. 
Policies should not leave this entry - point unimplemented if they implement - <function>mpo_create_cred</function>, even if they do not - implement - <function>mpo_execve_will_transition</function>.</para> - </sect4> - - <sect4 id="mac-mpo-execve-will-transition"> - <title><function>&mac.mpo;_execve_will_transition</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_execve_will_transition</function></funcdef> - - <paramdef>struct ucred - *<parameter>old</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>old</parameter></entry> - <entry>Subject credential prior to - &man.execve.2;</entry> - <entry>Immutable</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>File to execute</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the policy will want to perform a - transition event as a result of the execution of the passed - vnode by the passed subject credential. Return - <returnvalue>1</returnvalue> if a transition is required, - <returnvalue>0</returnvalue> if not. 
Even if a policy - returns <returnvalue>0</returnvalue>, it should behave - correctly in the presence of an unexpected invocation of - <function>mpo_execve_transition</function>, as that call may - happen as a result of another policy requesting a - transition.</para> - </sect4> - - <sect4 id="mac-mpo-create-proc0"> - <title><function>&mac.mpo;_create_proc0</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_proc0</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential to be filled in</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Create the subject credential of process 0, the parent - of all kernel processes.</para> - </sect4> - - <sect4 id="mac-mpo-create-proc1"> - <title><function>&mac.mpo;_create_proc1</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_proc1</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential to be filled in</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Create the subject credential of process 1, the parent - of all kernel processes.</para> - </sect4> - - <sect4 id="mac-mpo-cred-relabel"> - <title><function>&mac.mpo;_cred_relabel</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_cred_relabel</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct label - *<parameter>newlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - 
&mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>newlabel</parameter></entry> - <entry>Label update to apply to - <parameter>cred</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the label on a subject credential from the passed - update label.</para> - </sect4> - </sect3> - </sect2> - - <sect2 id="mac-access-control-checks"> - <title>Access Control Checks</title> - - <para>Access control entry points permit policy modules to - influence access control decisions made by the kernel. - Generally, although not always, arguments to an access control - entry point will include one or more authorizing credentials, - information (possibly including a label) for any other objects - involved in the operation. An access control entry point may - return 0 to permit the operation, and an &man.errno.2; error - value. The results of invoking the entry point across various - registered policy modules will be composed as follows: if all - modules permit the operation to succeed, success will be - returned. If one or modules returns a failure, a failure will - be returned. 
If more than one module returns a failure, the - errno value to return to the user will be selected using the - following precedence, implemented by the - <function>error_select()</function> function in - <filename>kern_mac.c</filename>:</para> - - <informaltable> - <tgroup cols="2"> - <tbody> - <row> - <entry>Most precedence</entry> - <entry><errorcode>EDEADLK</errorcode></entry></row> - - <row> - <entry></entry> - <entry><errorcode>EINVAL</errorcode></entry> - </row> - <row> - <entry></entry> - <entry><errorcode>ESRCH</errorcode></entry> - </row> - <row> - <entry></entry> - <entry><errorcode>ENOENT</errorcode></entry> - </row> - <row> - <entry></entry> - <entry>EACCES</entry> - </row> - <row> - <entry>Least precedence</entry> - <entry>EPERM</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>If none of the error values returned by all modules are - listed in the precedence chart then an arbitrarily selected - value from the set will be returned. In general, the rules - provide precedence to errors in the following order: kernel - failures, invalid arguments, object not present, access not - permitted, other.</para> - - <sect3 id="mac-mpo-bpfdesc-check-receive-from-ifnet"> - <title><function>&mac.mpo;_check_bpfdesc_receive</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_bpfdesc_receive</function></funcdef> - - <paramdef>struct bpf_d - *<parameter>bpf_d</parameter></paramdef> - <paramdef>struct label - *<parameter>bpflabel</parameter></paramdef> - <paramdef>struct ifnet - *<parameter>ifnet</parameter></paramdef> - <paramdef>struct label - *<parameter>ifnetlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>bpf_d</parameter></entry> - <entry>Subject; BPF descriptor</entry> - </row> - - <row> - <entry><parameter>bpflabel</parameter></entry> - <entry>Policy label for - 
<parameter>bpf_d</parameter></entry> - </row> - - <row> - <entry><parameter>ifnet</parameter></entry> - <entry>Object; network interface</entry> - </row> - - <row> - <entry><parameter>ifnetlabel</parameter></entry> - <entry>Policy label for - <parameter>ifnet</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the MAC framework should permit - datagrams from the passed interface to be delivered to the - buffers of the passed BPF descriptor. Return - (<returnvalue>0</returnvalue>) for success, or an - <varname>errno</varname> value for failure Suggested - failure: <errorcode>EACCES</errorcode> for label mismatches, - <errorcode>EPERM</errorcode> for lack of privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-socket-bind"> - <title><function>&mac.mpo;_check_socket_bind</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_socket_bind</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct socket - *<parameter>socket</parameter></paramdef> - <paramdef>struct label - *<parameter>socketlabel</parameter></paramdef> - <paramdef>struct sockaddr - *<parameter>sockaddr</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>socket</parameter></entry> - <entry>Socket to be bound</entry> - </row> - - <row> - <entry><parameter>socketlabel</parameter></entry> - <entry>Policy label for - <parameter>socket</parameter></entry> - </row> - - <row> - <entry><parameter>sockaddr</parameter></entry> - <entry>Address of - <parameter>socket</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - </sect3> - - - <sect3 id="mac-mpo-cred-check-socket-connect"> - <title><function>&mac.mpo;_check_socket_connect</function></title> 
- - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_socket_connect</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct socket - *<parameter>socket</parameter></paramdef> - <paramdef>struct label - *<parameter>socketlabel</parameter></paramdef> - <paramdef>struct sockaddr - *<parameter>sockaddr</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>socket</parameter></entry> - <entry>Socket to be connected</entry> - </row> - - <row> - <entry><parameter>socketlabel</parameter></entry> - <entry>Policy label for - <parameter>socket</parameter></entry> - </row> - - <row> - <entry><parameter>sockaddr</parameter></entry> - <entry>Address of - <parameter>socket</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential - (<parameter>cred</parameter>) can connect the passed socket - (<parameter>socket</parameter>) to the passed socket address - (<parameter>sockaddr</parameter>). Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatches, - <errorcode>EPERM</errorcode> for lack of privilege.</para> - </sect3> - - <sect3 id="mac-mpo-check-cred-visible"> - <title><function>&mac.mpo;_check_cred_visible</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_cred_visible</function></funcdef> - - <paramdef>struct ucred - *<parameter>u1</parameter></paramdef> - <paramdef>struct ucred - *<parameter>u2</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>u1</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>u2</parameter></entry> - <entry>Object credential</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential - <parameter>u1</parameter> can <quote>see</quote> other - subjects with the passed subject credential - <parameter>u2</parameter>. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. Suggested - failure: <errorcode>EACCES</errorcode> for label mismatches, - <errorcode>EPERM</errorcode> for lack of privilege, or - <errorcode>ESRCH</errorcode> to hide visibility. 
This call - may be made in a number of situations, including - inter-process status sysctls used by <command>ps</command>, - and in procfs lookups.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-socket-visible"> - <title><function>&mac.mpo;_check_socket_visible</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_socket_visible</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct socket - *<parameter>socket</parameter></paramdef> - <paramdef>struct label - *<parameter>socketlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>socket</parameter></entry> - <entry>Object; socket</entry> - </row> - - <row> - <entry><parameter>socketlabel</parameter></entry> - <entry>Policy label for - <parameter>socket</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - </sect3> - - <sect3 id="mac-mpo-cred-check-ifnet-relabel"> - <title><function>&mac.mpo;_check_ifnet_relabel</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_ifnet_relabel</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct ifnet - *<parameter>ifnet</parameter></paramdef> - <paramdef>struct label - *<parameter>ifnetlabel</parameter></paramdef> - <paramdef>struct label - *<parameter>newlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>ifnet</parameter></entry> - <entry>Object; network interface</entry> - </row> - - <row> - <entry><parameter>ifnetlabel</parameter></entry> - 
<entry>Existing policy label for - <parameter>ifnet</parameter></entry> - </row> - - <row> - <entry><parameter>newlabel</parameter></entry> - <entry>Policy label update to later be applied to - <parameter>ifnet</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can relabel the - passed network interface to the passed label update.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-socket-relabel"> - <title><function>&mac.mpo;_check_socket_relabel</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_socket_relabel</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct socket - *<parameter>socket</parameter></paramdef> - <paramdef>struct label - *<parameter>socketlabel</parameter></paramdef> - <paramdef>struct label - *<parameter>newlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>socket</parameter></entry> - <entry>Object; socket</entry> - </row> - - <row> - <entry><parameter>socketlabel</parameter></entry> - <entry>Existing policy label for - <parameter>socket</parameter></entry> - </row> - - <row> - <entry><parameter>newlabel</parameter></entry> - <entry>Label update to later be applied to - <parameter>socketlabel</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can relabel the - passed socket to the passed label update.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-cred-relabel"> - <title><function>&mac.mpo;_check_cred_relabel</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_cred_relabel</function></funcdef> - - <paramdef>struct ucred - 
*<parameter>cred</parameter></paramdef> - <paramdef>struct label - *<parameter>newlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>newlabel</parameter></entry> - <entry>Label update to later be applied to - <parameter>cred</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can relabel - itself to the passed label update.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-relabel"> - <title><function>&mac.mpo;_check_vnode_relabel</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_relabel</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - <paramdef>struct label - *<parameter>newlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - <entry>Immutable</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - <entry>Locked</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Existing policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>newlabel</parameter></entry> - <entry>Policy label update to later be applied to - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can relabel the - passed vnode to the passed label update.</para> - </sect3> - - <sect3 id="mpo-cred-check-mount-stat"> - 
<title><function>&mac.mpo;_check_mount_stat</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int <function>&mac.mpo;_check_mount_stat</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct mount - *<parameter>mp</parameter></paramdef> - <paramdef>struct label - *<parameter>mountlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>mp</parameter></entry> - <entry>Object; file system mount</entry> - </row> - - <row> - <entry><parameter>mountlabel</parameter></entry> - <entry>Policy label for - <parameter>mp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <!-- XXX Update ? --> - <para>Determine whether the subject credential can see the - results of a statfs performed on the file system. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. Suggested - failure: <errorcode>EACCES</errorcode> for label mismatches - or <errorcode>EPERM</errorcode> for lack of privilege. This - call may be made in a number of situations, including during - invocations of &man.statfs.2; and related calls, as well as to - determine what file systems to exclude from listings of file - systems, such as when &man.getfsstat.2; is invoked. 
</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-proc-debug"> - <title><function>&mac.mpo;_check_proc_debug</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_proc_debug</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct proc - *<parameter>proc</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - <entry>Immutable</entry> - </row> - - <row> - <entry><parameter>proc</parameter></entry> - <entry>Object; process</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can debug the - passed process. Return <returnvalue>0</returnvalue> for - success, or an <varname>errno</varname> value for failure. - Suggested failure: <errorcode>EACCES</errorcode> for label - mismatch, <errorcode>EPERM</errorcode> for lack of - privilege, or <errorcode>ESRCH</errorcode> to hide - visibility of the target. 
This call may be made in a number - of situations, including use of the &man.ptrace.2; and - &man.ktrace.2; APIs, as well as for some types of procfs - operations.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-access"> - <title><function>&mac.mpo;_check_vnode_access</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_access</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>int <parameter>flags</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>flags</parameter></entry> - <entry>&man.access.2; flags</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine how invocations of &man.access.2; and related - calls by the subject credential should return when performed - on the passed vnode using the passed access flags. This - should generally be implemented using the same semantics - used in <function>&mac.mpo;_check_vnode_open</function>. - Return <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatches - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-chdir"> - <title><function>&mac.mpo;_check_vnode_chdir</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_chdir</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>dvp</parameter></paramdef> - <paramdef>struct label - *<parameter>dlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>dvp</parameter></entry> - <entry>Object; vnode to &man.chdir.2; into</entry> - </row> - - <row> - <entry><parameter>dlabel</parameter></entry> - <entry>Policy label for - <parameter>dvp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can change the - process working directory to the passed vnode. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-create"> - <title><function>&mac.mpo;_check_vnode_create</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_create</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>dvp</parameter></paramdef> - <paramdef>struct label - *<parameter>dlabel</parameter></paramdef> - <paramdef>struct componentname - *<parameter>cnp</parameter></paramdef> - <paramdef>struct vattr - *<parameter>vap</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>dvp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>dlabel</parameter></entry> - <entry>Policy label for - <parameter>dvp</parameter></entry> - </row> - - <row> - <entry><parameter>cnp</parameter></entry> - <entry>Component name for - <parameter>dvp</parameter></entry> - </row> - - <row> - <entry><parameter>vap</parameter></entry> - <entry>vnode attributes for <parameter>vap</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can create a - vnode with the passed parent directory, passed name - information, and passed attribute information. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. Suggested - failure: <errorcode>EACCES</errorcode>. for label mismatch, - or <errorcode>EPERM</errorcode> for lack of privilege. 
- This call may be made in a number of situations, including - as a result of calls to &man.open.2; with - <symbol>O_CREAT</symbol>, &man.mknod.2;, &man.mkfifo.2;, and - others.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-delete"> - <title><function>&mac.mpo;_check_vnode_delete</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_delete</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>dvp</parameter></paramdef> - <paramdef>struct label - *<parameter>dlabel</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>void *<parameter>label</parameter></paramdef> - <paramdef>struct componentname - *<parameter>cnp</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>dvp</parameter></entry> - <entry>Parent directory vnode</entry> - </row> - - <row> - <entry><parameter>dlabel</parameter></entry> - <entry>Policy label for - <parameter>dvp</parameter></entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode to delete</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>cnp</parameter></entry> - <entry>Component name for - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can delete a - vnode from the passed parent directory and passed name - information. Return <returnvalue>0</returnvalue> for - success, or an <varname>errno</varname> value for failure. 
- Suggested failure: <errorcode>EACCES</errorcode> for label - mismatch, or <errorcode>EPERM</errorcode> for lack of - privilege. This call may be made in a number of situations, - including as a result of calls to &man.unlink.2; and - &man.rmdir.2;. Policies implementing this entry point - should also implement - <function>mpo_check_rename_to</function> to authorize - deletion of objects as a result of being the target of a - rename.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-deleteacl"> - <title><function>&mac.mpo;_check_vnode_deleteacl</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_deleteacl</function></funcdef> - - <paramdef>struct ucred *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode *<parameter>vp</parameter></paramdef> - <paramdef>struct label *<parameter>label</parameter></paramdef> - <paramdef>acl_type_t <parameter>type</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - <entry>Immutable</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - <entry>Locked</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>type</parameter></entry> - <entry>ACL type</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can delete the - ACL of passed type from the passed vnode. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-exec"> - <title><function>&mac.mpo;_check_vnode_exec</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_exec</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode to execute</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can execute the - passed vnode. Determination of execute privilege is made - seperately from decisions about any transitioning event. - Return <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mpo-cred-check-vnode-getacl"> - <title><function>&mac.mpo;_check_vnode_getacl</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_getacl</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>acl_type_t - <parameter>type</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>type</parameter></entry> - <entry>ACL type</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credentical can retrieve - the ACL of passed type from the passed vnode. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-getextattr"> - <title><function>&mac.mpo;_check_vnode_getextattr</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_getextattr</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>int - <parameter>attrnamespace</parameter></paramdef> - <paramdef>const char - *<parameter>name</parameter></paramdef> - <paramdef>struct uio - *<parameter>uio</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>attrnamespace</parameter></entry> - <entry>Extended attribute namespace</entry> - </row> - - <row> - <entry><parameter>name</parameter></entry> - <entry>Extended attribute name</entry> - </row> - - <row> - <entry><parameter>uio</parameter></entry> - <entry>I/O structure pointer; see &man.uio.9;</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can retrieve - the extended attribute with the passed namespace and name - from the passed vnode. Policies implementing labeling using - extended attributes may be interested in special handling of - operations on those extended attributes. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-socket-listen"> - <title><function>&mac.mpo;_check_socket_listen</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_socket_listen</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct socket - *<parameter>socket</parameter></paramdef> - <paramdef>struct label - *<parameter>socketlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>socket</parameter></entry> - <entry>Object; socket</entry> - </row> - - <row> - <entry><parameter>socketlabel</parameter></entry> - <entry>Policy label for - <parameter>socket</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can listen on - the passed socket. Return <returnvalue>0</returnvalue> for - success, or an <varname>errno</varname> value for failure. 
- Suggested failure: <errorcode>EACCES</errorcode> for label - mismatch, or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-lookup"> - <title><function>&mac.mpo;_check_vnode_lookup</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_lookup</function></funcdef> - - <paramdef>struct ucred - *<parameter></parameter>cred</paramdef> - <paramdef>struct vnode - *<parameter></parameter>dvp</paramdef> - <paramdef>struct label - *<parameter></parameter>dlabel</paramdef> - <paramdef>struct componentname - *<parameter>cnp</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>dvp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>dlabel</parameter></entry> - <entry>Policy label for - <parameter>dvp</parameter></entry> - </row> - - <row> - <entry><parameter>cnp</parameter></entry> - <entry>Component name being looked up</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can perform a - lookup in the passed directory vnode for the passed name. - Return <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-open"> - <title><function>&mac.mpo;_check_vnode_open</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_open</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>mode_t - <parameter>acc_mode</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>acc_mode</parameter></entry> - <entry>&man.open.2; access mode</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can perform an - open operation on the passed vnode with the passed access - mode. Return <returnvalue>0</returnvalue> for success, or - an errno value for failure. 
Suggested failure: - <errorcode>EACCES</errorcode> for label mismatch, or - <errorcode>EPERM</errorcode> for lack of privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-readdir"> - <title><function>&mac.mpo;_check_vnode_readdir</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_readdir</function></funcdef> - - <paramdef>struct ucred - *<parameter></parameter>cred</paramdef> - <paramdef>struct vnode - *<parameter></parameter>dvp</paramdef> - <paramdef>struct label - *<parameter></parameter>dlabel</paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>dvp</parameter></entry> - <entry>Object; directory vnode</entry> - </row> - - <row> - <entry><parameter>dlabel</parameter></entry> - <entry>Policy label for - <parameter>dvp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can perform a - <function>readdir</function> operation on the passed - directory vnode. Return <returnvalue>0</returnvalue> for - success, or an <varname>errno</varname> value for failure. 
- Suggested failure: <errorcode>EACCES</errorcode> for label - mismatch, or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-readlink"> - <title><function>&mac.mpo;_check_vnode_readlink</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_readlink</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can perform a - <function>readlink</function> operation on the passed - symlink vnode. Return <returnvalue>0</returnvalue> for - success, or an <varname>errno</varname> value for failure. - Suggested failure: <errorcode>EACCES</errorcode> for label - mismatch, or <errorcode>EPERM</errorcode> for lack of - privilege. 
This call may be made in a number of situations, - including an explicit <function>readlink</function> call by - the user process, or as a result of an implicit - <function>readlink</function> during a name lookup by the - process.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-rename-from-vnode"> - <title><function>&mac.mpo;_check_rename_from_vnode</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_rename_from_vnode</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>dvp</parameter></paramdef> - <paramdef>struct label - *<parameter>dlabel</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>struct componentname - *<parameter>cnp</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>dvp</parameter></entry> - <entry>Directory vnode</entry> - </row> - - <row> - <entry><parameter>dlabel</parameter></entry> - <entry>Policy label for - <parameter>dvp</parameter></entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <!-- XXX ??? --> - <row> - <entry><parameter>cnp</parameter></entry> - <entry>Pathname</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can rename the - passed vnode (<parameter>vp</parameter>) in the passed - directory (<parameter>dvp</parameter>) using the passed name - (<parameter>cnp</parameter>). 
This call will be made in - combination with a follow-up call to - <function>mpo_check_rename_to_vnode</function>. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-rename-to-vnode"> - <title><function>&mac.mpo;_check_rename_to_vnode</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_rename_to_vnode</function></funcdef> - - <paramdef>struct ucred - *<parameter></parameter>cred</paramdef> - <paramdef>struct vnode - *<parameter></parameter>dvp</paramdef> - <paramdef>struct label - *<parameter></parameter>dlabel</paramdef> - <paramdef>struct vnode - *<parameter></parameter>vp</paramdef> - <paramdef>struct label - *<parameter></parameter>label</paramdef> - <paramdef>int <parameter></parameter>samedir</paramdef> - <paramdef>struct componentname - *<parameter>cnp</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>dvp</parameter></entry> - <entry>Directory vnode</entry> - </row> - - <row> - <entry><parameter>dlabel</parameter></entry> - <entry>Policy label for <parameter>dvp</parameter></entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>cnp</parameter></entry> - <entry>Pathname</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can rename to - the passed vnode (<parameter>vp</parameter>) and the passed - directory 
(<parameter>dvp</parameter>) with the passed name - (<parameter>cnp</parameter>). This call will be made in - combination with an earlier call to - <function>mpo_check_rename_from_vnode</function>. - Return <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-revoke"> - <title><function>&mac.mpo;_check_vnode_revoke</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_revoke</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can revoke - access to the passed vnode. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-setacl"> - <title><function>&mac.mpo;_check_vnode_setacl</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_setacl</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>acl_type_t - <parameter>type</parameter></paramdef> - <paramdef>struct acl - *<parameter>acl</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>type</parameter></entry> - <entry>ACL type</entry> - </row> - - <row> - <entry><parameter>acl</parameter></entry> - <entry>ACL</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can set the - passed ACL of passed type on the passed vnode. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-setextattr"> - <title><function>&mac.mpo;_check_vnode_setextattr</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_setextattr</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>int - <parameter>attrnamespace</parameter></paramdef> - <paramdef>const char - *<parameter>name</parameter></paramdef> - <paramdef>struct uio - *<parameter>uio</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>attrnamespace</parameter></entry> - <entry>Extended attribute namespace</entry> - </row> - - <row> - <entry><parameter>name</parameter></entry> - <entry>Extended attribute name</entry> - </row> - - <row> - <entry><parameter>uio</parameter></entry> - <entry>I/O structure pointer; see &man.uio.9;</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credentical can set the - extended attribute of passed name and passed namespace on - the passed vnode. Policies implementing security labels - backed into extended attributes may want to provide - additional protections for those attributes. 
Additionally, - policies should avoid making decisions based on the data - referenced from <parameter>uio</parameter>, as there is a - potential race condition between this check and the actual - operation. The <parameter>uio</parameter> may also be - <literal>NULL</literal> if a delete operation is being - performed. Return <returnvalue>0</returnvalue> for success, - or an <varname>errno</varname> value for failure. Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-setflags"> - <title><function>&mac.mpo;_check_vnode_setflags</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_setflags</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>u_long <parameter>flags</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>flags</parameter></entry> - <entry>File flags; see &man.chflags.2;</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can set the - passed flags on the passed vnode. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-setmode"> - <title><function>&mac.mpo;_check_vnode_setmode</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_setmode</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>mode_t <parameter>mode</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>mode</parameter></entry> - <entry>File mode; see &man.chmod.2;</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can set the - pased mode on the passed vnode. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-setowner"> - <title><function>&mac.mpo;_check_vnode_setowner</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_setowner</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>uid_t <parameter>uid</parameter></paramdef> - <paramdef>gid_t <parameter>gid</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>uid</parameter></entry> - <entry>User ID</entry> - </row> - - <row> - <entry><parameter>gid</parameter></entry> - <entry>Group ID</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can set the - passed uid and passed gid as file uid and file gid on the - passed vnode. The IDs may be set to (<literal>-1</literal>) - to request no update. Return <returnvalue>0</returnvalue> - for success, or an <varname>errno</varname> value for - failure. 
Suggested failure: <errorcode>EACCES</errorcode> - for label mismatch, or <errorcode>EPERM</errorcode> for lack - of privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-setutimes"> - <title><function>&mac.mpo;_check_vnode_setutimes</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_setutimes</function></funcdef> - - <paramdef>struct ucred - *<parameter></parameter>cred</paramdef> - <paramdef>struct vnode - *<parameter></parameter>vp</paramdef> - <paramdef>struct label - *<parameter></parameter>label</paramdef> - <paramdef>struct timespec - <parameter></parameter>atime</paramdef> - <paramdef>struct timespec - <parameter></parameter>mtime</paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vp</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>atime</parameter></entry> - <entry>Access time; see &man.utimes.2;</entry> - </row> - - <row> - <entry><parameter>mtime</parameter></entry> - <entry>Modification time; see &man.utimes.2;</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can set the - passed access timestamps on the passed vnode. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-proc-sched"> - <title><function>&mac.mpo;_check_proc_sched</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_proc_sched</function></funcdef> - - <paramdef>struct ucred - *<parameter>ucred</parameter></paramdef> - <paramdef>struct proc - *<parameter>proc</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>proc</parameter></entry> - <entry>Object; process</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can change the - scheduling parameters of the passed process. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - <errorcode>EPERM</errorcode> for lack of privilege, or - <errorcode>ESRCH</errorcode> to limit visibility.</para> - - <para>See &man.setpriority.2; for more information.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-proc-signal"> - <title><function>&mac.mpo;_check_proc_signal</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_proc_signal</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct proc - *<parameter>proc</parameter></paramdef> - <paramdef>int <parameter>signal</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>proc</parameter></entry> - <entry>Object; process</entry> - </row> - - <row> - <entry><parameter>signal</parameter></entry> - <entry>Signal; see &man.kill.2;</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can deliver the - passed signal to the passed process. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - <errorcode>EPERM</errorcode> for lack of privilege, or - <errorcode>ESRCH</errorcode> to limit visibility.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-vnode-stat"> - <title><function>&mac.mpo;_check_vnode_stat</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_vnode_stat</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential can - <function>stat</function> the passed vnode. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failure: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - - <para>See &man.stat.2; for more information.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-ifnet-transmit"> - <title><function>&mac.mpo;_check_ifnet_transmit</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_ifnet_transmit</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct ifnet - *<parameter>ifnet</parameter></paramdef> - <paramdef>struct label - *<parameter>ifnetlabel</parameter></paramdef> - <paramdef>struct mbuf - *<parameter>mbuf</parameter></paramdef> - <paramdef>struct label - *<parameter>mbuflabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>ifnet</parameter></entry> - <entry>Network interface</entry> - </row> - - <row> - <entry><parameter>ifnetlabel</parameter></entry> - <entry>Policy label for - <parameter>ifnet</parameter></entry> - </row> - - <row> - <entry><parameter>mbuf</parameter></entry> - <entry>Object; mbuf to be sent</entry> - </row> - - <row> - <entry><parameter>mbuflabel</parameter></entry> - <entry>Policy label for - <parameter>mbuf</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the network interface can transmit the - passed mbuf. Return <returnvalue>0</returnvalue> for - success, or an <varname>errno</varname> value for failure. 
- Suggested failure: <errorcode>EACCES</errorcode> for label - mismatch, or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-cred-check-socket-receive"> - <title><function>&mac.mpo;_check_socket_receive</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_socket_receive</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct ifnet - *<parameter>ifnet</parameter></paramdef> - <paramdef>struct label - *<parameter>ifnetlabel</parameter></paramdef> - <paramdef>struct mbuf - *<parameter>mbuf</parameter></paramdef> - <paramdef>struct label - *<parameter>mbuflabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>ifnet</parameter></entry> - <entry>Network interface</entry> - </row> - - <row> - <entry><parameter>ifnetlabel</parameter></entry> - <entry>Policy label for - <parameter>ifnet</parameter></entry> - </row> - - <row> - <entry><parameter>mbuf</parameter></entry> - <entry>Object; mbuf to be received</entry> - </row> - - <row> - <entry><parameter>mbuflabel</parameter></entry> - <entry>Policy label for - <parameter>mbuf</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the socket may receive the datagram - stored in the passed mbuf header. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. 
Suggested - failures: <errorcode>EACCES</errorcode> for label mismatch, - or <errorcode>EPERM</errorcode> for lack of - privilege.</para> - </sect3> - - <sect3 id="mac-mpo-check-socket-visible"> - <title><function>&mac.mpo;_check_socket_visible</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_check_socket_visible</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct socket - *<parameter>so</parameter></paramdef> - <paramdef>struct label - *<parameter>socketlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - <entry>Immutable</entry> - </row> - - <row> - <entry><parameter>so</parameter></entry> - <entry>Object; socket</entry> - </row> - - <row> - <entry><parameter>socketlabel</parameter></entry> - <entry>Policy label for - <parameter>so</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Determine whether the subject credential cred can "see" - the passed socket (<parameter>socket</parameter>) using - system monitoring functions, such as those employed by - &man.netstat.8; and &man.sockstat.1;. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. Suggested - failure: <errorcode>EACCES</errorcode> for label mismatches, - <errorcode>EPERM</errorcode> for lack of privilege, or - <errorcode>ESRCH</errorcode> to hide visibility.</para> - </sect3> - </sect2> - - <sect2 id="mac-label-management"> - <title>Label Management Calls</title> - - <para>Relabel events occur when a user process has requested - that the label on an object be modified. 
A two-phase update - occurs: first, an access control check will be performed to - determine if the update is both valid and permitted, and then - the update itself is performed via a seperate entry point. - Relabel entry points typically accept the object, object label - reference, and an update label submitted by the process. - Memory allocation during relabel is discouraged, as relabel - calls are not permitted to fail (failure should be reported - earlier in the relabel check).</para> - - <sect3 id="mac-mpo-init-bpfdesc"> - <title><function>&mac.mpo;_init_bpfdesc</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_init_bpfdesc</function></funcdef> - - <paramdef>struct bpf_d - *<parameter>bpf_d</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>bpf_d</parameter></entry> - <entry>Object; bpf descriptor</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>New label to apply</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Initialize the label on a newly instantiated bpfdesc (BPF - descriptor)</para> - </sect3> - - <sect3 id="mac-mpo-init-devfsdirent"> - <title><function>&mac.mpo;_init_devfsdirent</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_init_devfsdirent</function></funcdef> - - <paramdef>struct devfs_dirent - *<parameter>devfs_dirent</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>devfs_dirent</parameter></entry> - <entry>Object; devfs directory entry</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>New label to apply</entry> - </row> - </tbody> - 
</tgroup> - </informaltable> - - <para>Initialize the label on a newly instantiated devfs - entry.</para> - </sect3> - - <sect3 id="mac-mpo-init-ifnet"> - <title><function>&mac.mpo;_init_ifnet</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_init_ifnet</function></funcdef> - - <paramdef>struct ifnet - *<parameter>ifnet</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>ifnet</parameter></entry> - <entry>Object; network interface</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>New label to apply</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Initialize the label on a newly instantiated network - interface.</para> - </sect3> - - <sect3 id="mac-mpo-init-ipq"> - <title><function>&mac.mpo;_init_ipq</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_init_ipq</function></funcdef> - - <paramdef>struct ipq - *<parameter>ipq</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>ipq</parameter></entry> - <entry>Object; IP reassembly queue</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>New label to apply</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Initialize the label on a newly instantiated IP fragment - reassembly queue.</para> - </sect3> - - <sect3 id="mac-mpo-init-mbuf"> - <title><function>&mac.mpo;_init_mbuf</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_init_mbuf</function></funcdef> - - <paramdef>struct mbuf - *<parameter>mbuf</parameter></paramdef> - <paramdef>int 
<parameter>how</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>mbuf</parameter></entry> - <entry>Object; mbuf</entry> - </row> - - <row> - <entry><parameter>how</parameter></entry> - <entry>Blocking/non-blocking &man.malloc.9; see - below</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Policy label to initialize</entry> - </tbody> - </tgroup> - </informaltable> - - <para>Initialize the label on a newly instantiated mbuf packet - header (<parameter>mbuf</parameter>). The - <parameter>how</parameter> field may be one of - <symbol>M_WAITOK</symbol> and <symbol>M_NOWAIT</symbol>, and - should be employed to avoid performing a blocking - &man.malloc.9; during this initialization call. Mbuf - allocation frequently occurs in performance sensitive - environments, and the implementation should be careful to - avoid blocking or long-lived operations. This entry point - is permitted to fail resulting in the failure to allocate - the mbuf header.</para> - </sect3> - - <sect3 id="mac-mpo-init-mount"> - <title><function>&mac.mpo;_init_mount</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_init_mount</function></funcdef> - - <paramdef>struct mount - *<parameter>mount</parameter></paramdef> - <paramdef>struct label - *<parameter>mntlabel</parameter></paramdef> - <paramdef>struct label - *<parameter>fslabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <!-- XXX: Wording on label descriptions. 
--> - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>mount</parameter></entry> - <entry>Object; file system mount point</entry> - </row> - - <row> - <entry><parameter>mntlabel</parameter></entry> - <entry>Policy label to be initialized for the mount - itself</entry> - </row> - - <row> - <entry><parameter>fslabel</parameter></entry> - <entry>Policy label to be initialized for the file - system</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Initialize the labels on a newly instantiated mount - point.</para> - </sect3> - - <sect3 id="mac-mpo-init-socket"> - <title><function>&mac.mpo;_init_socket</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_init_socket</function></funcdef> - - <paramdef>struct socket - *<parameter>socket</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>struct label - *<parameter>peerlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>socket</parameter></entry> - <entry>Object; socket</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>New label to apply to the socket</entry> - </row> - - <row> - <entry><parameter>peerlabel</parameter></entry> - <entry>New label to apply to the socket's peer</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Initialize the labels on a newly instantiated - socket.</para> - </sect3> - - <sect3 id="mac-mpo-init-cred"> - <title><function>&mac.mpo;_init_cred</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_init_cred</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - 
- <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject; user credetial</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>New label</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Initialize the labels on a newly instantiated subject.</para> - </sect3> - - <sect3 id="mac-mpo-init-temp"> - <title><function>&mac.mpo;_init_temp</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_init_temp</function></funcdef> - - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>label</parameter></entry> - <entry>Temporary label</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Initialize a newly instantiated temporary label; - temporary labels are frequently used to hold label update - requests.</para> - </sect3> - - <sect3 id="mac-mpo-init-vnode"> - <title><function>&mac.mpo;_init_vnode</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_init_vnode</function></funcdef> - - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; file system object</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>New label to initialize</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Initialize the label on a newly instantiated vnode.</para> - </sect3> - - <sect3 id="mac-mpo-destroy-bpfdesc"> - <title><function>&mac.mpo;_destroy_bpfdesc</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_destroy_bpfdesc</function></funcdef> - - <paramdef>struct 
bpf_d - *<parameter>bpf_d</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>bpf_d</parameter></entry> - <entry>Object; bpf descriptor</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Label being destroyed</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Destroy the label on a BPF descriptor. In this entry - point, a policy module should free any internal storage - associated with <parameter>label</parameter> so that it may - be destroyed.</para> - </sect3> - - <sect3 id="mac-mpo-destroy-devfsdirent"> - <title><function>&mac.mpo;_destroy_devfsdirent</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_destroy_devfsdirent</function></funcdef> - - <paramdef>struct devfs_dirent - *<parameter>devfs_dirent</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>devfs_dirent</parameter></entry> - <entry>Object; devfs directory entry</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Label being destroyed</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Destroy the label on a devfs entry. 
In this entry - point, a policy module should free any internal storage - asociated with <parameter>label</parameter> so that it may - be destroyed.</para> - </sect3> - - <sect3 id="mac-mpo-destroy-ifnet"> - <title><function>&mac.mpo;_destroy_ifnet</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_destroy_ifnet</function></funcdef> - - <paramdef>struct ifnet - *<parameter>ifnet</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>ifnet</parameter></entry> - <entry>Object; network interface</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Label being destroyed</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Destroy the label on a removed interface. In this entry - point, a policy module should free any internal storage - associated with <parameter>label</parameter> so that it may - be destroyed.</para> - </sect3> - - <sect3 id="mac-mpo-destroy-ipq"> - <title><function>&mac.mpo;_destroy_ipq</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_destroy_ipq</function></funcdef> - - <paramdef>struct ipq - *<parameter>ipq</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>ipq</parameter></entry> - <entry>Object; IP reassembly queue</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Label being destroyed</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Destroy the label on an IP fragment queue. 
In this - entry point, a policy module should free any internal - storage associated with <parameter>label</parameter> so that - it may be destroyed.</para> - </sect3> - - <sect3 id="mac-mpo-destroy-mbuf"> - <title><function>&mac.mpo;_destroy_mbuf</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_destroy_mbuf</function></funcdef> - - <paramdef>struct mbuf - *<parameter>mbuf</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>mbuf</parameter></entry> - <entry>Object; mbuf</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Label being destroyed</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Destroy the label on an mbuf header. In this entry - point, a policy module should free any internal storage - associated with <parameter>label</parameter> so that it may - be destroyed.</para> - </sect3> - - <sect3 id="mac-mpo-destroy-mount"> - <title><function>&mac.mpo;_destroy_mount</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_destroy_mount</function></funcdef> - - <paramdef>struct mount - *<parameter>mp</parameter></paramdef> - <paramdef>struct label - *<parameter>mntlabel</parameter></paramdef> - <paramdef>struct label - *<parameter>fslabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>mp</parameter></entry> - <entry>Object; file system mount point</entry> - </row> - - <row> - <entry><parameter>mntlabel</parameter></entry> - <entry>Mount point label being destroyed</entry> - </row> - - <row> - <entry><parameter>fslabel</parameter></entry> - <entry>File system label being destroyed> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Destroy the labels 
on a mount point. In this entry - point, a policy module should free the internal storage - associated with <parameter>mntlabel</parameter> and - <parameter>fslabel</parameter> so that they may be - destroyed.</para> - </sect3> - - <sect3 id="mac-mpo-destroy-socket"> - <title><function>&mac.mpo;_destroy_socket</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_destroy_socket</function></funcdef> - - <paramdef>struct socket - *<parameter>socket</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>struct label - *<parameter>peerlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>socket</parameter></entry> - <entry>Object; socket</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Socket label being destroyed</entry> - </row> - - <row> - <entry><parameter>peerlabel</parameter></entry> - <entry>Socket peer label being destroyed</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Destroy the labels on a socket. 
In this entry point, a - policy module should free any internal storage associated - with <parameter>label</parameter> and - <parameter>peerlabel</parameter> so that they may be - destroyed.</para> - </sect3> - - <sect3 id="mac-mpo-destroy-cred"> - <title><function>&mac.mpo;_destroy_cred</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_destroy_cred</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject; user credential</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Label being destroyed</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Destroy the label on a credential. In this entry point, - a policy module should free any internal storage associated - with <parameter>label</parameter> so that it may be - destroyed.</para> - </sect3> - - <sect3 id="mac-mpo-destroy-temp"> - <title><function>&mac.mpo;_destroy_temp</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_destroy_temp</function></funcdef> - - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>label</parameter></entry> - <entry>Temporary label being destroyed</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Destroy a temporary label. 
In this entry point, a - policy module should free any internal storage associated - with the temporary label <parameter>label</parameter> so - that it may be destroyed.</para> - </sect3> - - <sect3 id="mac-mpo-destroy-vnode"> - <title><function>&mac.mpo;_destroy_vnode</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_destroy_vnode</function></funcdef> - - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; file system object</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Label being destroyed</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Destroy the label on a vnode. In this entry point, a - policy module should free any internal storage associated - with <parameter>label</parameter> so that it may be - destroyed.</para> - </sect3> - - <sect3 id="mac-mpo-externalize"> - <title><function>&mac.mpo;_externalize</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_externalize</function></funcdef> - - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>struct mac - *<parameter>extmac</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>label</parameter></entry> - <entry>Label to be externalized</entry> - </row> - - <row> - <entry><parameter>extmac</parameter></entry> - <entry>MAC structure to be filled in</entry> - </row> - </tbody> - </informaltable> - - <para>Given an internalized subject or object label, fill out - an externalized label. This call is permitted to fail. 
- This call will be obsoleted by the new userland and extended - attribute interfaces for the MAC framework.</para> - </sect3> - - <sect3 id="mac-mpo-internalize"> - <title><function>&mac.mpo;_internalize</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_internalize</function></funcdef> - - <paramdef>struct label - *<parameter>label</parameter></paramdef> - <paramdef>struct mac - *<parameter>extmac</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>label</parameter></entry> - <entry>Label to be filled in</entry> - </row> - - <row> - <entry><parameter>extmac</parameter></entry> - <entry>MAC structure to internalize</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Given an externalized subject or object label, likely - from userland, internalize the label. The entry point - implementation should handle incorrect or corrupted labels. - This call is permitted to fail. This call will be obsoleted - by the new userland and extended attribute interfaces for - the MAC framework.</para> - </sect3> - </sect2> - - <sect2 id="mac-framework-api"> - <title>Additional Framework API Calls</title> - - <para>The <symbol>MAC_SYSCALL</symbol> entry point provides a - policy-multiplexed system call so that policies may provide - additional services to user processes without registering - specific system calls. The policy name provided during - registration is used to demux calls from userland, and the - arguments will be forwarded to this entry point. When - implementing new services, security modules should be sure to - invoke appropriate access control checks from the MAC - framework as needed. 
For example, if a policy implements an - augmented signal functionality, it should call the necessary - signal access control checks to invoke the MAC framework and - other registered policies.</para> - </sect2> - </sect1> - - <sect1 id="mac-userland-api"> - <title>Userland APIs</title> - - <para>The userland API is still under development.</para> - </sect1> - - <sect1 id="mac-sample-modules"> - <title>Sample Policy Modules</title> - - <para>The <filename>mac_none</filename> policy provides sample - prototypes and registration of all available policy entry - points.</para> - - <para>The <filename>mac_seeotheruids</filename> policy provides - a simple access control policy without the use of labeling, - relying only on information already present in the kernel - objects.</para> - - <para>The <filename>mac_biba</filename> policy provides a sample - information flow based labeled access control policy, - assigning labels to all kernel objects.</para> - </sect1> - - <sect1 id="mac-system-integration"> - <title>System Integration</title> - <para>...</para> - </sect1> - - <sect1 id="mac-conclusion"> - <title>Conclusion</title> - - <para>The TrustedBSD MAC framework permits kernel modules to - augment the system security policy in a highly integrated - manner. They may do this based on existing object properties, - or based on label data that is maintained with the assistance of - the MAC framework. The framework is sufficiently flexible to - implement a variety of policy types, including information flow - security policies such as MLS and Biba, as well as policies - based on existing BSD credentials or file protections. 
Policy - authors may wish to consult this documentation as well as - existing security modules when implementing a new security - service.</para> - </sect1> -</chapter> - -<!-- - Local Variables: - mode: sgml - sgml-declaration: "../chapter.decl" - sgml-indent-data: t - sgml-omittag: nil - sgml-always-quote-attributes: t - sgml-parent-document: ("../book.sgml" "part" "chapter") - End: ---> |