path: root/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml
Diffstat (limited to 'en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml')
-rw-r--r--  en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml  7819
1 files changed, 0 insertions, 7819 deletions
diff --git a/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml b/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml
deleted file mode 100644
index ccd16eaf70..0000000000
--- a/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml
+++ /dev/null
@@ -1,7819 +0,0 @@
-<!--
- Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
- All rights reserved.
-
- This software was developed for the FreeBSD Project by
- Chris Costello at Safeport Network Services and Network Associates Labs,
- the Security Research Division of Network Associates, Inc. under
- DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
- DARPA CHATS research program.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-
- $FreeBSD$
--->
-
-<chapter id="mac">
- <chapterinfo>
- <authorgroup>
- <author>
- <firstname>Chris</firstname>
- <surname>Costello</surname>
-
- <affiliation>
- <orgname>TrustedBSD Project</orgname>
- <address><email>chris@FreeBSD.org</email></address>
- </affiliation>
- </author>
-
- <author>
- <firstname>Robert</firstname>
- <surname>Watson</surname>
-
- <affiliation>
- <orgname>TrustedBSD Project</orgname>
- <address><email>rwatson@FreeBSD.org</email></address>
- </affiliation>
- </author>
- </authorgroup>
- </chapterinfo>
-
- <title>The TrustedBSD MAC Framework</title>
-
- <sect1 id="mac-copyright">
- <title>MAC Documentation Copyright</title>
-
- <para>This documentation was developed for the FreeBSD Project by
- Chris Costello at Safeport Network Services and Network
- Associates Laboratories, the Security Research Division of
- Network Associates, Inc. under DARPA/SPAWAR contract
- N66001-01-C-8035 (<quote>CBOSS</quote>), as part of the DARPA
- CHATS research program.</para>
-
- <para>Redistribution and use in source (SGML DocBook) and
- 'compiled' forms (SGML, HTML, PDF, PostScript, RTF and so forth)
- with or without modification, are permitted provided that the
- following conditions are met:</para>
-
- <orderedlist>
- <listitem>
- <para>Redistributions of source code (SGML DocBook) must
- retain the above copyright notice, this list of conditions
- and the following disclaimer as the first lines of this file
- unmodified.</para>
- </listitem>
-
- <listitem>
- <para>Redistributions in compiled form (transformed to other
- DTDs, converted to PDF, PostScript, RTF and other formats)
- must reproduce the above copyright notice, this list of
- conditions and the following disclaimer in the documentation
- and/or other materials provided with the
- distribution.</para>
- </listitem>
- </orderedlist>
-
- <important>
- <para>THIS DOCUMENTATION IS PROVIDED BY THE NETWORKS ASSOCIATES
- TECHNOLOGY, INC "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED. IN NO EVENT SHALL NETWORKS ASSOCIATES TECHNOLOGY,
- INC BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
- OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
- CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN
- IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</para>
- </important>
- </sect1>
-
- <sect1 id="mac-synopsis">
- <title>Synopsis</title>
-
- <para>FreeBSD includes experimental support for several
- mandatory access control policies, as well as a framework
- for kernel security extensibility, the TrustedBSD MAC
- Framework. The MAC Framework provides a pluggable access
- control framework, permitting new security policies to
- be easily linked into the kernel, loaded at boot, or loaded
- dynamically at run-time. The framework provides a variety
- of features to make it easier to implement new policies,
- including the ability to easily tag security labels (such as
- confidentiality information) onto system objects.</para>
-
- <para>This chapter introduces the MAC policy framework and
- provides documentation for a sample MAC policy module.</para>
- </sect1>
-
-
- <sect1 id="mac-introduction">
- <title>Introduction</title>
-
- <para>The TrustedBSD MAC framework provides a mechanism to allow
- the compile-time or run-time extension of the kernel access
- control model. New system policies may be implemented as
- kernel modules and linked to the kernel; if multiple policy
- modules are present, their results will be composed. The
- MAC Framework provides a variety of access control infrastructure
- services to assist policy writers, including support for
- transient and persistent policy-agnostic object security
- labels. This support is currently considered experimental.</para>
- </sect1>
-
- <sect1>
- <title>Policy Background</title>
-
- <para>Mandatory Access Control (MAC), refers to a set of
- access control policies that are mandatorily enforced on
- users by the operating system. MAC policies may be contrasted
- with Discretionary Access Control (DAC) protections, by which
- non-administrative users may (at their discretion) protect
- objects. In traditional UNIX systems, DAC protections include
- file permissions and access control lists; MAC protections include
- process controls preventing inter-user debugging and firewalls.
- A variety of MAC policies have been formulated by operating system
- designers and security researches, including the Multi-Level
- Security (MLS) confidentiality policy, the Biba integrity policy,
- Role-Based Access Control (RBAC), and Type Enforcement (TE). Each
- model bases decisions on a variety of factors, including user
- identity, role, and security clearance, as well as security labels
- on objects representing concepts such as data sensitivity and
- integrity.</para>
-
- <para>The TrustedBSD MAC Framework is capable of supporting policy
- modules that implement all of these policies, as well as a broad
- class of system hardening policies. In addition, despite the
- name, the MAC Framework can also be used to implement purely
- discretionary policies, as policy modules are given substantial
- flexibility in how they authorize protections.</para>
- </sect1>
-
- <sect1 id="mac-framework-kernel-arch">
- <title>MAC Framework Kernel Architecture</title>
-
- <para>The TrustedBSD MAC Framework permits kernel modules to
- extend the operating system security policy, as well as
- providing infrastructure functionality required by many
- access control modules. If multiple policies are
- simultaneously loaded, the MAC Framework will usefully (for
- some definition of useful) compose the results of the
- policies.</para>
-
- <sect2 id="mac-framework-kernel-arch-elements">
- <title>Kernel Elements</title>
-
- <para>The MAC Framework contains a number of kernel elements:</para>
-
- <itemizedlist>
- <listitem><para>Framework management interfaces</para></listitem>
- <listitem><para>Concurrency and synchronization
- primitives.</para></listitem>
- <listitem><para>Policy registration</para></listitem>
- <listitem><para>Extensible security label for kernel
- objects</para></listitem>
- <listitem><para>Policy entry point composition
- operators</para></listitem>
- <listitem><para>Label management primitives</para></listitem>
- <listitem><para>Entry point API invoked by kernel
- services</para></listitem>
- <listitem><para>Entry point API to policy modules</para></listitem>
- <listitem><para>Entry points implementations (policy life cycle,
- object life cycle/label management, access control
- checks).</para></listitem>
- <listitem><para>Policy-agnostic label-management system
- calls</para></listitem>
- <listitem><para><function>mac_syscall()</function> multiplex
- system call</para></listitem>
- <listitem><para>Various security policies implemented as MAC
- policy modules</para></listitem>
- </itemizedlist>
- </sect2>
-
- <sect2 id="mac-framework-kernel-arch-management">
- <title>Management Interfaces</title>
-
- <para>The TrustedBSD MAC Framework may be directly managed using
- sysctls, loader tunables, and system calls.</para>
-
- <para>In most cases, sysctls and loader tunables modify the same
- parameters, and control behavior such as enforcement of
- protections relating to various kernel subsystems. In addition,
- if MAC debugging support is compiled into the kernel, a variety
- of counters will be maintained tracking label allocation. In
- most cases, it is advised that per-subsystem enforcement
- controls not be used to control policy behavior in production
- environments, as they broadly impact the operation of all
- active policies. Instead, per-policy controls should be
- preferred to ensure proper policy operation.</para>
-
- <para>Loading and unloading of policy modules is performed
- using the system module management system calls and other
- system interfaces, including loader variables.</para>
- </sect2>
-
- <sect2 id="mac-framework-kernel-arch-synchronization">
- <title>Concurrency and Synchronization</title>
-
- <para>As the set of active policies may change at run-time,
- and the invocation of entry points is non-atomic,
- synchronization is required to prevent unloading or
- loading of new policies while an entry point invocation
- is progress, freezing the list of policies for the
- duration. This is accomplished by means of a Framework
- busy count. Whenever an entry point is entered, the
- busy count is incremented; whenever it is exited, the
- busy count is decremented. While the busy count is
- elevated, policy list changes are not permitted, and
- threads attempting to modify the policy list will sleep
- until the list is not busy. The busy count is protected
- by a mutex, and a condition variable is used to wake up
- sleepers waiting on policy list modifications.</para>
-
- <para>Various optimizations are used to reduce the overhead
- of the busy count, including avoiding the full cost of
- incrementing and decrementing if the list is empty or
- contains only static entries (policies that are loaded
- before the system starts, and cannot be unloaded).</para>
- </sect2>
-
- <sect2 id="mac-framework-kernel-arch-registration">
- <title>Policy Registration</title>
-
- <para>The MAC Framework maintains two lists of active
- policies: a static list, and a dynamic list. The lists
- differ only with regards to their locking semantics: an
- elevated reference count is not required to make use of
- the static list. When kernel modules containing MAC
- Framework policies are loaded, the policy module will
- use <literal>SYSINIT</literal> to invoke a registration
- function; when a policy module is unloaded,
- <literal>SYSINIT</literal> will likewise invoke a
- de-registration function. Registration may fail if a
- policy module is loaded more than once, if insufficient
- resources are available for the registration (for
- example, the policy might require labeling and
- insufficient labeling state might be available), or
- other policy prerequisites might not be met (some
- policies may only be loaded prior to boot). Likewise,
- de-registration may fail if a policy refuses an
- unload.</para>
- </sect2>
-
- <sect2 id="mac-framework-kernel-arch-entrypoints">
- <title>Entry Points</title>
-
- <para>Kernel services interact with the MAC Framework in two ways:
- they invoke a series of APIs to notify the framework of relevant
- events, and they a policy-agnostic label structure in
- security-relevant objects. This label structure is maintained by
- the MAC Framework via label management entry points, and permits
- the Framework to offer a labeling service to policy modules
- through relatively non-invasive changes to the kernel subsystem
- maintaining the object. For example, label structures have been
- added to processes, process credentials, sockets, pipes, vnodes,
- Mbufs, network interfaces, IP reassembly queues, and a variety
- of other security-relevant structures. Kernel services also
- invoke the MAC Framework when they perform important security
- decisions, permitting policy modules to augment those decisions
- based on their own criteria (possibly including data stored in
- security labels).</para>
- </sect2>
-
- <sect2 id="mac-framework-kernel-arch-composition">
- <title>Policy Composition</title>
-
- <para>When more than one policy module is loaded into the kernel
- at a time, the results of the policy modules will be composed
- by the framework using a composition operator. This operator
- is currently hard-coded, and requires that all active policies
- must approve a request for it to occur. As policies may
- return a variety of error conditions (success, access denied,
- object doesn't exist, ...), a precedence operator selects the
- resulting error from the set of errors returned by policies.
- While it is not guaranteed that the resulting composition will
- be useful or secure, we've found that it is for many useful
- selections of policies.</para>
- </sect2>
-
- <sect2 id="mac-framework-kernel-arch-labels">
- <title>Labeling Support</title>
-
- <para>As many interesting access control extensions rely on
- security labels on objects, the MAC Framework provides a set
- of policy-agnostic label management system calls covering
- a variety of user-exposed objects. Common label types
- include partition identifiers, sensitivity labels, integrity
- labels, compartments, domains, roles, and types. Policy
- modules participate in the internalization and externalization
- of string-based labels provides by user applications, and can
- expose multiple label elements to applications if desired.</para>
-
- <para>In-memory labels are stored in <structname>struct
- label</structname>, which consists of a fixed-length array
- of unions, each holding a <literal>void *</literal> pointer
- and a <literal>long</literal>. Policies registering for
- label storage will be assigned a "slot" identifier, which
- may be used to dereference the label storage. The semantics
- of the storage are left entirely up to the policy module:
- modules are provided with a variety of entry points
- associated with the kernel object life cycle, including
- initialization, association/creation, and destruction. Using
- these interfaces, it is possible to implement reference
- counting and other storage mechanisms. Direct access to
- the kernel object is generally not required by policy
- modules to retrieve a label, as the MAC Framework generally
- passes both a pointer to the object and a direct pointer
- to the object's label into entry points.</para>
-
- <para>Initialization entry points frequently include a blocking
- disposition flag indicating whether or not an initialization
- is permitted to block; if blocking is not permitted, a failure
- may be returned to cancel allocation of the label. This may
- occur, for example, in the network stack during interrupt
- handling, where blocking is not permitted. Due to the
- performance cost of maintaining labels on in-flight network
- packets (Mbufs), policies must specifically declare a
- requirement that Mbuf labels be allocated. Dynamically
- loaded policies making use of labels must be able to handle
- the case where their init function has not been called on
- an object, as objects may already exist when the policy is
- loaded.</para>
-
- <para>In the case of file system labels, special support is
- provided for the persistent storage of security labels in
- extended attributes. Where available, EA transactions
- are used to permit consistent compound updates of
- security labels on vnodes.</para>
-
- <note><para>Currently, if a labeled policy permits dynamic
- unloading, its state slot cannot be reclaimed.</para></note>
- </sect2>
-
- <sect2 id="mac-framework-kernel-arch-syscalls">
- <title>System Calls</title>
-
- <para>The MAC Framework implements a number of system calls:
- most of these calls support the policy-agnostic label
- retrieval and manipulation APIs exposed to user
- applications.</para>
-
- <para>The label management calls accept a label description
- structure, <structname>struct mac</structname>, which
- contains a series of MAC label elements. Each element
- contains a character string name, and character string
- value. Each policy will be given the chance to claim a
- particular element name, permitting policies to expose
- multiple independent elements if desired. Policy modules
- perform the internalization and externalization between
- kernel labels and user-provided labels via entry points,
- permitting a variety of semantics. Label management system
- calls are generally wrapped by user library functions to
- perform memory allocation and error handling.</para>
-
- <para>In addition, <function>mac_syscall()</function>
- permits policy modules to create new system calls without
- allocating system calls. <function>mac_execve()</function>
- permits an atomic process credential label change when
- executing a new image.</para>
- </sect2>
- </sect1>
-
- <sect1 id="mac-policy-architecture">
- <title>MAC Policy Architecture</title>
-
- <para>Security policies are either linked directly into the kernel,
- or compiled into loadable kernel modules that may be loaded at
- boot, or dynamically using the module loading system calls at
- runtime. Policy modules interact with the system through a
- set of declared entry points, providing access to a stream of
- system events and permitting the policy to influence access
- control decisions. Each policy contains a number of elements:</para>
-
- <itemizedlist>
- <listitem><para>Optional configuration parameters for
- policy.</para></listitem>
- <listitem><para>Centralized implementation of the policy
- logic and parameters.</para></listitem>
- <listitem><para>Optional implementation of policy life cycle
- events, such as initialization and destruction.</para></listitem>
- <listitem><para>Optional support for initializing, maintaining, and
- destroying labels on selected kernel objects.</para></listitem>
- <listitem><para>Optional support for user process inspection and
- modification of labels on selected objects.</para></listitem>
- <listitem><para>Implementation of selected access control
- entry points that are of interest to the policy.</para></listitem>
- <listitem><para>Declaration of policy identity, module entry
- points, and policy properties.</para></listitem>
- </itemizedlist>
-
- <sect2 id="mac-policy-declaration">
- <title>Policy Declaration</title>
-
- <para>Modules may be declared using the
- <function>MAC_POLICY_SET()</function> macro, which names the
- policy, provides a reference to the MAC entry point vector,
- provides load-time flags determining how the policy framework
- should handle the policy, and optionally requests the
- allocation of label state by the framework.</para>
-
- <programlisting>static struct mac_policy_ops mac_<replaceable>policy</replaceable>_ops =
-{
- .mpo_destroy = mac_<replaceable>policy</replaceable>_destroy,
- .mpo_init = mac_<replaceable>policy</replaceable>_init,
- .mpo_init_bpfdesc_label = mac_<replaceable>policy</replaceable>_init_bpfdesc_label,
- .mpo_init_cred_label = mac_<replaceable>policy</replaceable>_init_label,
-/* ... */
- .mpo_check_vnode_setutimes = mac_<replaceable>policy</replaceable>_check_vnode_setutimes,
- .mpo_check_vnode_stat = mac_<replaceable>policy</replaceable>_check_vnode_stat,
- .mpo_check_vnode_write = mac_<replaceable>policy</replaceable>_check_vnode_write,
-};</programlisting>
-
- <para>The MAC policy entry point vector,
- <varname>mac_<replaceable>policy</replaceable>_ops</varname> in this example, associates
- functions defined in the module with specific entry points. A
- complete listing of available entry points and their
- prototypes may be found in the MAC entry point reference
- section. Of specific interest during module registration are
- the <symbol>.mpo_destroy</symbol> and <symbol>.mpo_init</symbol>
- entry points. <symbol>.mpo_init</symbol> will be invoked once a
- policy is successfully registered with the module framework
- but prior to any other entry points becoming active. This
- permits the policy to perform any policy-specific allocation
- and initialization, such as initialization of any data or
- locks. <symbol>.mpo_destroy</symbol> will be invoked when a
- policy module is unloaded to permit releasing of any allocated
- memory and destruction of locks. Currently, these two entry
- points are invoked with the MAC policy list mutex held to
- prevent any other entry points from being invoked: this will
- be changed, but in the mean time, policies should be careful
- about what kernel primitives they invoke so as to avoid lock
- ordering or sleeping problems.</para>
-
- <para>The policy declaration's module name field exists so that
- the module may be uniquely identified for the purposes of
- module dependencies. An appropriate string should be selected.
- The full string name of the policy is displayed to the user
- via the kernel log during load and unload events, and also
- exported when providing status information to userland
- processes.</para>
- </sect2>
-
- <sect2 id="mac-policy-flags">
- <title>Policy Flags</title>
-
- <para>The policy declaration flags field permits the module to
- provide the framework with information about its capabilities at
- the time the module is loaded. Currently, three flags are
- defined:</para>
-
- <variablelist>
- <varlistentry>
- <term>MPC_LOADTIME_FLAG_UNLOADOK</term>
-
- <listitem>
- <para>This flag indicates that the policy module may be
- unloaded. If this flag is not provided, then the policy
- framework will reject requests to unload the module.
- This flag might be used by modules that allocate label
- state and are unable to free that state at
- runtime.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>MPC_LOADTIME_FLAG_NOTLATE</term>
-
- <listitem>
- <para>This flag indicates that the policy module
- must be loaded and initialized early in the boot
- process. If the flag is specified, attempts to register
- the module following boot will be rejected. The flag
- may be used by policies that require pervasive labeling
- of all system objects, and cannot handle objects that
- have not been properly initialized by the policy.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>MPC_LOADTIME_FLAG_LABELMBUFS</term>
-
- <listitem>
- <para>This flag indicates that the policy module requires
- labeling of Mbufs, and that memory should always be
- allocated for the storage of Mbuf labels. By default,
- the MAC Framework will not allocate label storage for
- Mbufs unless at least one loaded policy has this flag
- set. This measurably improves network performance when
- policies do not require Mbuf labeling. A kernel option,
- <literal>MAC_ALWAYS_LABEL_MBUF</literal>, exists to
- force the MAC Framework to allocate Mbuf label storage
- regardless of the setting of this flag, and may be
- useful in some environments.</para>
- </listitem>
- </varlistentry>
- </variablelist>
-
- <note><para>Policies using the
- <literal>MPC_LOADTIME_FLAG_LABELMBUFS</literal> without the
- <literal>MPC_LOADTIME_FLAG_NOTLATE</literal> flag set
- must be able to correctly handle <literal>NULL</literal>
- Mbuf label pointers passed into entry points. This is necessary
- as in-flight Mbufs without label storage may persist after a
- policy enabling Mbuf labeling has been loaded. If a policy
- is loaded before the network subsystem is active (i.e., the
- policy is not being loaded late), then all Mbufs are guaranteed
- to have label storage.</para></note>
- </sect2>
-
- <sect2 id="mac-policy-entry-points">
- <title>Policy Entry Points</title>
-
- <para>Four classes of entry points are offered to policies
- registered with the framework: entry points associated with
- the registration and management of policies, entry points
- denoting initialization, creation, destruction, and other life
- cycle events for kernel objects, events associated with access
- control decisions that the policy module may influence, and
- calls associated with the management of labels on objects. In
- addition, a <function>mac_syscall()</function> entry point is
- provided so that policies may extend the kernel interface
- without registering new system calls.</para>
-
- <para>Policy module writers should be aware of the kernel
- locking strategy, as well as what object locks are available
- during which entry points. Writers should attempt to avoid
- deadlock scenarios by avoiding grabbing non-leaf locks inside
- of entry points, and also follow the locking protocol for
- object access and modification. In particular, writers should
- be aware that while necessary locks to access objects and
- their labels are generally held, sufficient locks to modify an
- object or its label may not be present for all entry points.
- Locking information for arguments is documented in the MAC
- framework entry point document.</para>
-
- <para>Policy entry points will pass a reference to the object
- label along with the object itself. This permits labeled
- policies to be unaware of the internals of the object yet
- still make decisions based on the label. The exception to this
- is the process credential, which is assumed to be understood
- by policies as a first class security object in the kernel.
- Policies that do not implement labels on kernel objects will
- be passed NULL pointers for label arguments to entry
- points.</para>
- </sect2>
- </sect1>
-
- <sect1 id="mac-entry-point-reference">
- <title>MAC Policy Entry Point Reference</title>
-
- <sect2 id="mac-mpo-general">
- <title>General-Purpose Module Entry Points</title>
-
- <sect3 id="mac-mpo-init">
- <title><function>&mac.mpo;_init</function</title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init</function></funcdef>
-
- <paramdef>struct mac_policy_conf
- *<parameter>conf</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>conf</parameter></entry>
- <entry>MAC policy definition</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Policy load event. The policy list mutex is held, so
- caution should be applied.</para>
- </sect3>
-
- <sect3 id="mpo-destroy">
- <title><function>&mac.mpo;_destroy</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy</function></funcdef>
-
- <paramdef>struct mac_policy_conf
- *<parameter>conf</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>conf</parameter></entry>
- <entry>MAC policy definition</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Policy load event. The policy list mutex is held, so
- caution should be applied.</para>
- </sect3>
-
- <sect3 id="mac-mpo-syscall">
- <title><function>&mac.mpo;_syscall</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_syscall</function></funcdef>
-
- <paramdef>struct thread
- *<parameter>td</parameter></paramdef>
- <paramdef>int <parameter>call</parameter></paramdef>
- <paramdef>void *<parameter>arg</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>td</parameter></entry>
- <entry>Calling thread</entry>
- </row>
-
- <row>
- <entry><parameter>call</parameter></entry>
- <entry>Syscall number</entry>
- </row>
-
- <row>
- <entry><parameter>arg</parameter></entry>
- <entry>Pointer to syscall arguments</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>This entry point provides a policy-multiplexed system
- call so that policies may provide additional services to
- user processes without registering specific system calls.
- The policy name provided during registration is used to
- demux calls from userland, and the arguments will be
- forwarded to this entry point. When implementing new
- services, security modules should be sure to invoke
- appropriate access control checks from the MAC framework as
- needed. For example, if a policy implements an augmented
- signal functionality, it should call the necessary signal
- access control checks to invoke the MAC framework and other
- registered policies.</para>
-
- <note><para>Modules must currently perform the
- <function>copyin()</function> of the syscall data on their
- own.</para></note>
- </sect3>
-
- <sect3 id="mac-mpo-thread-userret">
- <title><function>&mac.mpo;_thread_userret</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_thread_userret</function></funcdef>
-
- <paramdef>struct thread
- *<parameter>td</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>td</parameter></entry>
- <entry>Returning thread</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <!-- XXX: Maybe rewrite this section. -->
- <para>This entry point permits policy modules to perform
- MAC-related events when a thread returns to user space.
- This is required for policies that have floating process
- labels, as it's not always possible to acquire the process
- lock at arbitrary points in the stack during system call
- processing; process labels might represent traditional
- authentication data, process history information, or other
- data.</para>
- </sect3>
- </sect2>
-
- <sect2 id="mac-label-ops">
- <title>Label Operations</title>
-
- <sect3 id="mac-mpo-init-bpfdesc">
- <title><function>&mac.mpo;_init_bpfdesc_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_bpfdesc_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to apply</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label on a newly instantiated bpfdesc (BPF
- descriptor)</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-cred-label">
- <title><function>&mac.mpo;_init_cred_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_cred_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to initialize</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label for a newly instantiated
- user credential.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-devfsdirent">
- <title><function>&mac.mpo;_init_devfsdirent_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_devfsdirent_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to apply</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label on a newly instantiated devfs
- entry.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-ifnet">
- <title><function>&mac.mpo;_init_ifnet_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_ifnet_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to apply</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label on a newly instantiated network
- interface.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-ipq">
- <title><function>&mac.mpo;_init_ipq_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_ipq_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>int <parameter>flag</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to apply</entry>
- </row>
-
- <row>
- <entry><parameter>flag</parameter></entry>
- <entry>Blocking/non-blocking &man.malloc.9;; see
- below</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label on a newly instantiated IP fragment
- reassembly queue. The <parameter>flag</parameter> field may
- be one of <symbol>M_WAITOK</symbol> and <symbol>M_NOWAIT</symbol>,
- and should be employed to avoid performing a blocking
- &man.malloc.9; during this initialization call. IP fragment
- reassembly queue allocation frequently occurs in performance
- sensitive environments, and the implementation should be careful
- to avoid blocking or long-lived operations. This entry point
- is permitted to fail resulting in the failure to allocate
- the IP fragment reassembly queue.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-mbuf">
- <title><function>&mac.mpo;_init_mbuf_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_mbuf_label</function></funcdef>
-
- <paramdef>int <parameter>flag</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>flag</parameter></entry>
- <entry>Blocking/non-blocking &man.malloc.9;; see
- below</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label to initialize</entry>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label on a newly instantiated mbuf packet
- header (<parameter>mbuf</parameter>). The
- <parameter>flag</parameter> field may be one of
- <symbol>M_WAITOK</symbol> and <symbol>M_NOWAIT</symbol>, and
- should be employed to avoid performing a blocking
- &man.malloc.9; during this initialization call. Mbuf
- allocation frequently occurs in performance sensitive
- environments, and the implementation should be careful to
- avoid blocking or long-lived operations. This entry point
- is permitted to fail resulting in the failure to allocate
- the mbuf header.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-mount">
- <title><function>&mac.mpo;_init_mount_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_mount_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>mntlabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <!-- XXX: Wording on label descriptions. -->
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>mntlabel</parameter></entry>
- <entry>Policy label to be initialized for the mount
- itself</entry>
- </row>
-
- <row>
- <entry><parameter>fslabel</parameter></entry>
- <entry>Policy label to be initialized for the file
- system</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the labels on a newly instantiated mount
- point.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-mount-fs-label">
- <title><function>&mac.mpo;_init_mount_fs_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_mount_fs_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label to be initialized</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label on a newly mounted file
- system.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-pipe-label">
- <title><function>&mac.mpo;_init_pipe_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_pipe_label</function></funcdef>
-
- <paramdef>struct
- label*<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label to be filled in</entry>
- </row>
- </tbody>
- </informaltable>
-
- <para>Initialize a label for a newly instantiated pipe.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-socket">
- <title><function>&mac.mpo;_init_socket_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_socket_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>int <parameter>flag</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to initialize</entry>
- </row>
-
- <row>
- <entry><parameter>flag</parameter></entry>
- <entry>&man.malloc.9; flags</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize a label for a newly instantiated
- socket.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-socket-peer-label">
- <title><function>&mac.mpo;_init_socket_peer_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_socket_peer_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>int <parameter>flag</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to initialize</entry>
- </row>
-
- <row>
- <entry><parameter>flag</parameter></entry>
- <entry>&man.malloc.9; flags</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the peer label for a newly instantiated
- socket.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-proc-label">
- <title><function>&mac.mpo;_init_proc_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_proc_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to initialize</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label for a newly instantiated
- process.</para>
- </sect3>
-
-
- <sect3 id="mac-mpo-init-vnode">
- <title><function>&mac.mpo;_init_vnode_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_vnode_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to initialize</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label on a newly instantiated vnode.</para>
- </sect3>
- <sect3 id="mac-mpo-destroy-bpfdesc">
- <title><function>&mac.mpo;_destroy_bpfdesc_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_bpfdesc_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>bpfdesc label</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on a BPF descriptor. In this entry
- point a policy should free any internal storage associated
- with <parameter>label</parameter> so that it may be
- destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-cred">
- <title><function>&mac.mpo;_destroy_cred_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_cred_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on a credential. In this entry point,
- a policy module should free any internal storage associated
- with <parameter>label</parameter> so that it may be
- destroyed.</para>
- </sect3>
-
-
- <sect3 id="mac-mpo-destroy-devfsdirent">
- <title><function>&mac.mpo;_destroy_devfsdirent_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_devfsdirent_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on a devfs entry. In this entry
- point, a policy module should free any internal storage
- associated with <parameter>label</parameter> so that it may
- be destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-ifnet-label">
- <title><function>&mac.mpo;_destroy_ifnet_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_ifnet_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on a removed interface. In this entry
- point, a policy module should free any internal storage
- associated with <parameter>label</parameter> so that it may
- be destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-ipq-label">
- <title><function>&mac.mpo;_destroy_ipq_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_ipq_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on an IP fragment queue. In this
- entry point, a policy module should free any internal
- storage associated with <parameter>label</parameter> so that
- it may be destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-mbuf-label">
- <title><function>&mac.mpo;_destroy_mbuf_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_mbuf_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on an mbuf header. In this entry
- point, a policy module should free any internal storage
- associated with <parameter>label</parameter> so that it may
- be destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-mount-label">
- <title><function>&mac.mpo;_destroy_mount_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_mount_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Mount point label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the labels on a mount point. In this entry
- point, a policy module should free the internal storage
- associated with <parameter>mntlabel</parameter> so that they
- may be destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-mount">
- <title><function>&mac.mpo;_destroy_mount_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_mount_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>mntlabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>mntlabel</parameter></entry>
- <entry>Mount point label being destroyed</entry>
- </row>
-
- <row>
- <entry><parameter>fslabel</parameter></entry>
- <entry>File system label being destroyed>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the labels on a mount point. In this entry
- point, a policy module should free the internal storage
- associated with <parameter>mntlabel</parameter> and
- <parameter>fslabel</parameter> so that they may be
- destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-socket">
- <title><function>&mac.mpo;_destroy_socket_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_socket_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
-
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Socket label being destroyed</entry>
- </row>
-
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on a socket. In this entry point, a
- policy module should free any internal storage associated
- with <parameter>label</parameter> so that it may be
- destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-socket-peer-label">
- <title><function>&mac.mpo;_destroy_socket_peer_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_socket_peer_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>peerlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>peerlabel</parameter></entry>
- <entry>Socket peer label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the peer label on a socket. In this entry
- point, a policy module should free any internal storage
- associated with <parameter>label</parameter> so that it may
- be destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-pipe-label">
- <title><function>&mac.mpo;_destroy_pipe_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_pipe_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Pipe label</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on a pipe. In this entry point, a
- policy module should free any internal storage associated
- with <parameter>label</parameter> so that it may be
- destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-proc-label">
- <title><function>&mac.mpo;_destroy_proc_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_proc_label</function></funcdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Process label</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on a process. In this entry point, a
- policy module should free any internal storage associated
- with <parameter>label</parameter> so that it may be
- destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-vnode-label">
- <title><function>&mac.mpo;_destroy_vnode_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_vnode_label</function></funcdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Process label</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on a vnode. In this entry point, a
- policy module should free any internal storage associated
- with <parameter>label</parameter> so that it may be
- destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-copy-mbuf-label">
- <title><function>&mac.mpo;_copy_mbuf_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_copy_mbuf_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>src</parameter></paramdef>
- <paramdef>struct label
- *<parameter>dest</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>src</parameter></entry>
- <entry>Source label</entry>
- </row>
-
- <row>
- <entry><parameter>dest</parameter></entry>
- <entry>Destination label</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Copy the label information in
- <parameter>src</parameter> into
- <parameter>dest</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-copy-pipe-label">
- <title><function>&mac.mpo;_copy_pipe_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_copy_pipe_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>src</parameter></paramdef>
- <paramdef>struct label
- *<parameter>dest</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>src</parameter></entry>
- <entry>Source label</entry>
- </row>
-
- <row>
- <entry><parameter>dest</parameter></entry>
- <entry>Destination label</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Copy the label information in
- <parameter>src</parameter> into
- <parameter>dest</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-copy-vnode-label">
- <title><function>&mac.mpo;_copy_vnode_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_copy_vnode_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>src</parameter></paramdef>
- <paramdef>struct label
- *<parameter>dest</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>src</parameter></entry>
- <entry>Source label</entry>
- </row>
-
- <row>
- <entry><parameter>dest</parameter></entry>
- <entry>Destination label</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Copy the label information in
- <parameter>src</parameter> into
- <parameter>dest</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-externalize-cred-label">
- <title><function>&mac.mpo;_externalize_cred_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_externalize_cred_label</function></funcdef>
-
- &mac.externalize.paramdefs;
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- &mac.externalize.tbody;
- </tgroup>
- </informaltable>
-
- &mac.externalize.para;
- </sect3>
-
- <sect3 id="mac-mpo-externalize-ifnet-label">
- <title><function>&mac.mpo;_externalize_ifnet_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_externalize_ifnet_label</function></funcdef>
-
- &mac.externalize.paramdefs;
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- &mac.externalize.tbody;
- </tgroup>
- </informaltable>
-
- &mac.externalize.para;
- </sect3>
-
- <sect3 id="mac-mpo-externalize-pipe-label">
- <title><function>&mac.mpo;_externalize_pipe_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_externalize_pipe_label</function></funcdef>
-
- &mac.externalize.paramdefs;
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- &mac.externalize.tbody;
- </tgroup>
- </informaltable>
-
- &mac.externalize.para;
- </sect3>
-
- <sect3 id="mac-mpo-externalize-socket-label">
- <title><function>&mac.mpo;_externalize_socket_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_externalize_socket_label</function></funcdef>
-
- &mac.externalize.paramdefs;
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- &mac.externalize.tbody;
- </tgroup>
- </informaltable>
-
- &mac.externalize.para;
- </sect3>
-
- <sect3 id="mac-mpo-externalize-socket-peer-label">
- <title><function>&mac.mpo;_externalize_socket_peer_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_externalize_socket_peer_label</function></funcdef>
-
- &mac.externalize.paramdefs;
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- &mac.externalize.tbody;
- </tgroup>
- </informaltable>
-
- &mac.externalize.para;
- </sect3>
-
- <sect3 id="mac-mpo-externalize-vnode-label">
- <title><function>&mac.mpo;_externalize_vnode_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_externalize_vnode_label</function></funcdef>
-
- &mac.externalize.paramdefs;
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- &mac.externalize.tbody;
- </tgroup>
- </informaltable>
-
- &mac.externalize.para;
- </sect3>
-
- <sect3 id="mac-mpo-internalize-cred-label">
- <title><function>&mac.mpo;_internalize_cred_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_internalize_cred_label</function></funcdef>
-
- &mac.internalize.paramdefs;
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- &mac.internalize.tbody;
- </tgroup>
- </informaltable>
-
- &mac.internalize.para;
- </sect3>
-
- <sect3 id="mac-mpo-internalize-ifnet-label">
- <title><function>&mac.mpo;_internalize_ifnet_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_internalize_ifnet_label</function></funcdef>
-
- &mac.internalize.paramdefs;
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- &mac.internalize.tbody;
- </tgroup>
- </informaltable>
-
- &mac.internalize.para;
- </sect3>
-
- <sect3 id="mac-mpo-internalize-pipe-label">
- <title><function>&mac.mpo;_internalize_pipe_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_internalize_pipe_label</function></funcdef>
-
- &mac.internalize.paramdefs;
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- &mac.internalize.tbody;
- </tgroup>
- </informaltable>
-
- &mac.internalize.para;
- </sect3>
-
- <sect3 id="mac-mpo-internalize-socket-label">
- <title><function>&mac.mpo;_internalize_socket_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_internalize_socket_label</function></funcdef>
-
- &mac.internalize.paramdefs;
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- &mac.internalize.tbody;
- </tgroup>
- </informaltable>
-
- &mac.internalize.para;
- </sect3>
-
- <sect3 id="mac-mpo-internalize-vnode-label">
- <title><function>&mac.mpo;_internalize_vnode_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_internalize_vnode_label</function></funcdef>
-
- &mac.internalize.paramdefs;
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- &mac.internalize.tbody;
- </tgroup>
- </informaltable>
-
- &mac.internalize.para;
- </sect3>
- </sect2>
-
- <sect2 id="mac-label-events">
- <title>Label Events</title>
-
- <para>This class of entry points is used by the MAC framework to
- permit policies to maintain label information on kernel
- objects. For each labeled kernel object of interest to a MAC
- policy, entry points may be registered for relevant life cycle
- events. All objects implement initialization, creation, and
- destruction hooks. Some objects will also implement
- relabeling, allowing user processes to change the labels on
- objects. Some objects will also implement object-specific
- events, such as label events associated with IP reassembly. A
- typical labeled object will have the following life cycle of
- entry points:</para>
-
- <programlisting>Label initialization o
-(object-specific wait) \
-Label creation o
- \
-Relabel events, o--<--.
-Various object-specific, | |
-Access control events ~-->--o
- \
-Label destruction o</programlisting>
-
- <para>Label initialization permits policies to allocate memory
- and set initial values for labels without context for the use
- of the object. The label slot allocated to a policy will be
- zeroed by default, so some policies may not need to perform
- initialization.</para>
-
- <para>Label creation occurs when the kernel structure is
- associated with an actual kernel object. For example, Mbufs
- may be allocated and remain unused in a pool until they are
- required. mbuf allocation causes label initialization on the
- mbuf to take place, but mbuf creation occurs when the mbuf is
- associated with a datagram. Typically, context will be
- provided for a creation event, including the circumstances of
- the creation, and labels of other relevant objects in the
- creation process. For example, when an mbuf is created from a
- socket, the socket and its label will be presented to
- registered policies in addition to the new mbuf and its label.
- Memory allocation in creation events is discouraged, as it may
- occur in performance sensitive ports of the kernel; in
- addition, creation calls are not permitted to fail so a
- failure to allocate memory cannot be reported.</para>
-
- <para>Object specific events do not generally fall into the
- other broad classes of label events, but will generally
- provide an opportunity to modify or update the label on an
- object based on additional context. For example, the label on
- an IP fragment reassembly queue may be updated during the
- <symbol>MAC_UPDATE_IPQ</symbol> entry point as a result of the
- acceptance of an additional mbuf to that queue.</para>
-
- <para>Access control events are discussed in detail in the
- following section.</para>
-
- <para>Label destruction permits policies to release storage or
- state associated with a label during its association with an
- object so that the kernel data structures supporting the
- object may be reused or released.</para>
-
- <para>In addition to labels associated with specific kernel
- objects, an additional class of labels exists: temporary
- labels. These labels are used to store update information
- submitted by user processes. These labels are initialized and
- destroyed as with other label types, but the creation event is
- <symbol>MAC_INTERNALIZE</symbol>, which accepts a user label
- to be converted to an in-kernel representation.</para>
-
- <sect3 id="mac-fs-label-event-ops">
- <title>File System Object Labeling Event Operations</title>
-
- <sect4 id="mac-mpo-associate-vnode-devfs">
- <title><function>&mac.mpo;_associate_vnode_devfs</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_associate_vnode_devfs</function></funcdef>
-
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- <paramdef>struct devfs_dirent
- *<parameter>de</parameter></paramdef>
- <paramdef>struct label
- *<parameter>delabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>mp</parameter></entry>
- <entry>Devfs mount point</entry>
- </row>
-
- <row>
- <entry><parameter>fslabel</parameter></entry>
- <entry>Devfs file system label
- (<varname>mp->mnt_fslabel</varname>)</entry>
- </row>
-
- <row>
- <entry><parameter>de</parameter></entry>
- <entry>Devfs directory entry</entry>
- </row>
-
- <row>
- <entry><parameter>delabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>de</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>vnode associated with
- <parameter>de</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>vlabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill in the label (<parameter>vlabel</parameter>) for
- a newly created devfs vnode based on the devfs directory
- entry passed in <parameter>de</parameter> and its
- label.</para>
- </sect4>
-
- <sect4 id="mac-mpo-associate-vnode-extattr">
- <title><function>&mac.mpo;_associate_vnode_extattr</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_associate_vnode_extattr</function></funcdef>
-
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>mp</parameter></entry>
- <entry>File system mount point</entry>
- </row>
-
- <row>
- <entry><parameter>fslabel</parameter></entry>
- <entry>File system label</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Vnode to label</entry>
- </row>
-
- <row>
- <entry><parameter>vlabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Attempt to retrieve the label for
- <parameter>vp</parameter> from the file system extended
- attributes. Upon success, the value <literal>0</literal>
- is returned. Should extended attribute retrieval not be
- supported, an accepted fallback is to copy
- <parameter>fslabel</parameter> into
- <parameter>vlabel</parameter>. In the event of an error,
- an appropriate value for <varname>errno</varname> should
- be returned.</para>
- </sect4>
-
- <sect4 id="mac-mpo-associate-vnode-singlelabel">
- <title><function>&mac.mpo;_associate_vnode_singlelabel</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_associate_vnode_singlelabel</function></funcdef>
-
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>mp</parameter></entry>
- <entry>File system mount point</entry>
- </row>
-
- <row>
- <entry><parameter>fslabel</parameter></entry>
- <entry>File system label</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Vnode to label</entry>
- </row>
-
- <row>
- <entry><parameter>vlabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>On non-multilabel file systems, this entry point is
- called to set the policy label for
- <parameter>vp</parameter> based on the file system label,
- <parameter>fslabel</parameter>.</para>
- </sect4>
-
-
- <sect4 id="mac-mpo-create-devfs-device">
- <title><function>&mac.mpo;_create_devfs_device</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_devfs_device</function></funcdef>
-
- <paramdef>dev_t <parameter>dev</parameter></paramdef>
- <paramdef>struct devfs_dirent
- *<parameter>devfs_dirent</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>dev</parameter></entry>
- <entry>Device corresponding with
- <parameter>devfs_dirent</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>devfs_dirent</parameter></entry>
- <entry>Devfs directory entry to be labeled.</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label for <parameter>devfs_dirent</parameter>
- to be filled in.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill out the label on a devfs_dirent being created for
- the passed device. This call will be made when the device
- file system is mounted, regenerated, or a new device is made
- available.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-devfs-directory">
- <title><function>&mac.mpo;_create_devfs_directory</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_devfs_directory</function></funcdef>
-
- <paramdef>char *<parameter>dirname</parameter></paramdef>
- <paramdef>int <parameter>dirnamelen</parameter></paramdef>
- <paramdef>struct devfs_dirent
- *<parameter>devfs_dirent</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>dirname</parameter></entry>
- <entry>Name of directory being created</entry>
- </row>
-
- <row>
- <entry><parameter>namelen</parameter></entry>
- <entry>Length of string
- <parameter>dirname</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>devfs_dirent</parameter></entry>
- <entry>Devfs directory entry for directory being
- created.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill out the label on a devfs_dirent being created for
- the passed directory. This call will be made when the device
- file system is mounted, regenerated, or a new device
- requiring a specific directory hierarchy is made
- available.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-devfs-symlink">
- <title><function>&mac.mpo;_create_devfs_symlink</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_devfs_symlink</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct devfs_dirent
- *<parameter>dd</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ddlabel</parameter></paramdef>
- <paramdef>struct devfs_dirent
- *<parameter>de</parameter></paramdef>
- <paramdef>struct label
- *<parameter>delabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>mp</parameter></entry>
- <entry>Devfs mount point</entry>
- </row>
-
- <row>
- <entry><parameter>dd</parameter></entry>
- <entry>Link destination</entry>
- </row>
-
- <row>
- <entry><parameter>ddlabel</parameter></entry>
- <entry>Label associated with
- <parameter>dd</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>de</parameter></entry>
- <entry>Symlink entry</entry>
- </row>
-
- <row>
- <entry><parameter>delabel</parameter></entry>
- <entry>Label associated with
- <parameter>de</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill in the label (<parameter>delabel</parameter>) for
- a newly created &man.devfs.5; symbolic link entry.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-vnode-extattr">
- <title><function>&mac.mpo;_create_vnode_extattr</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_create_vnode_extattr</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>dvp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>dlabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vlabel</parameter></paramdef>
- <paramdef>struct componentname
- *<parameter>cnp</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>mount</parameter></entry>
- <entry>File system mount point</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>File system label</entry>
- </row>
-
- <row>
- <entry><parameter>dvp</parameter></entry>
- <entry>Parent directory vnode</entry>
- </row>
-
- <row>
- <entry><parameter>dlabel</parameter></entry>
- <entry>Label associated with
- <parameter>dvp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Newly created vnode</entry>
- </row>
-
- <row>
- <entry><parameter>vlabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>cnp</parameter></entry>
- <entry>Component name for
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Write out the label for <parameter>vp</parameter> to
- the appropriate extended attribute. If the write
- succeeds, fill in <parameter>vlabel</parameter> with the
- label, and return <returnvalue>0</returnvalue>. Otherwise,
- return an appropriate error.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-mount">
- <title><function>&mac.mpo;_create_mount</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_mount</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mnt</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>mp</parameter></entry>
- <entry>Object; file system being mounted</entry>
- </row>
-
- <row>
- <entry><parameter>mntlabel</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>mp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>fslabel</parameter></entry>
- <entry>Policy label for the file system
- <parameter>mp</parameter> mounts.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill out the labels on the mount point being created by
- the passed subject credential. This call will be made when
- a new file system is mounted.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-root-mount">
- <title><function>&mac.mpo;_create_root_mount</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_root_mount</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mntlabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry namest="first" nameend="last">See <xref
- linkend="mac-mpo-create-mount">.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill out the labels on the mount point being created by
- the passed subject credential. This call will be made when
- the root file system is mounted, after
- &mac.mpo;_create_mount;.</para>
- </sect4>
-
- <sect4 id="mac-mpo-relabel-vnode">
- <title><function>&mac.mpo;_relabel_vnode</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_relabel_vnode</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>vnode to relabel</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Existing policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newlabel</parameter></entry>
- <entry>New, possibly partial label to replace
- <parameter>vnodelabel</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the label on the passed vnode given the passed
- update vnode label and the passed subject credential.</para>
- </sect4>
-
- <sect4 id="mac-mpo-setlabel-vnode-extattr">
- <title><function>&mac.mpo;_setlabel_vnode_extattr</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_setlabel_vnode_extattr</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vlabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>intlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Vnode for which the label is being
- written</entry>
- </row>
-
- <row>
- <entry><parameter>vlabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>intlabel</parameter></entry>
- <entry>Label to write out</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Write out the policy from
- <parameter>intlabel</parameter> to an extended
- attribute. This is called from
- <function>vop_stdcreatevnode_ea</function>.</para>
- </sect4>
-
- <sect4 id="mac-mpo-update-devfsdirent">
- <title><function>&mac.mpo;_update_devfsdirent</function></title>
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_update_devfsdirent</function></funcdef>
-
- <paramdef>struct devfs_dirent
- *<parameter>devfs_dirent</parameter></paramdef>
- <paramdef>struct label
- *<parameter>direntlabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>devfs_dirent</parameter></entry>
- <entry>Object; devfs directory entry</entry>
- </row>
-
- <row>
- <entry><parameter>direntlabel</parameter></entry>
- <entry>Policy label for
- <parameter>devfs_dirent</parameter> to be
- updated.</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Parent vnode</entry>
- <entry>Locked</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the <parameter>devfs_dirent</parameter> label
- from the passed devfs vnode label. This call will be made
- when a devfs vnode has been successfully relabeled to commit
- the label change such that it lasts even if the vnode is
- recycled. It will also be made when when a symlink is
- created in devfs, following a call to
- <function>mac_vnode_create_from_vnode</function> to
- initialize the vnode label.</para>
- </sect4>
- </sect3>
-
- <sect3 id="mac-ipc-label-ops">
- <title>IPC Object Labeling Event Operations</title>
-
-
- <sect4 id="mac-mpo-create-mbuf-from-socket">
- <title><function>&mac.mpo;_create_mbuf_from_socket</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_mbuf_from_socket</function></funcdef>
-
- <paramdef>struct socket
- *<parameter>so</parameter></paramdef>
- <paramdef>struct label
- *<parameter>socketlabel</parameter></paramdef>
- <paramdef>struct mbuf *<parameter>m</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mbuflabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>socket</parameter></entry>
- <entry>Socket</entry>
- <entry>Socket locking WIP</entry>
- </row>
-
- <row>
- <entry><parameter>socketlabel</parameter></entry>
- <entry>Policy label for
- <parameter>socket</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>m</parameter></entry>
- <entry>Object; mbuf</entry>
- </row>
-
- <row>
- <entry><parameter>mbuflabel</parameter></entry>
- <entry>Policy label to fill in for
- <parameter>m</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on a newly created mbuf header from the
- passed socket label. This call is made when a new datagram
- or message is generated by the socket and stored in the
- passed mbuf.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-pipe">
- <title><function>&mac.mpo;_create_pipe</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_pipe</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct pipe
- *<parameter>pipe</parameter></paramdef>
- <paramdef>struct label
- *<parameter>pipelabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>pipe</parameter></entry>
- <entry>Pipe</entry>
- </row>
-
- <row>
- <entry><parameter>pipelabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>pipe</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on a newly created pipe from the passed
- subject credential. This call is made when a new pipe is
- created.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-socket">
- <title><function>&mac.mpo;_create_socket</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_socket</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct socket
- *<parameter>so</parameter></paramdef>
- <paramdef>struct label
- *<parameter>socketlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- <entry>Immutable</entry>
- </row>
-
- <row>
- <entry><parameter>so</parameter></entry>
- <entry>Object; socket to label</entry>
- </row>
-
- <row>
- <entry><parameter>socketlabel</parameter></entry>
- <entry>Label to fill in for
- <parameter>so</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on a newly created socket from the passed
- subject credential. This call is made when a socket is
- created.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-socket-from-socket">
- <title><function>&mac.mpo;_create_socket_from_socket</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_socket_from_socket</function></funcdef>
-
- <paramdef>struct socket
- *<parameter>oldsocket</parameter></paramdef>
- <paramdef>struct label
- *<parameter>oldsocketlabel</parameter></paramdef>
- <paramdef>struct socket
- *<parameter>newsocket</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newsocketlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>oldsocket</parameter></entry>
- <entry>Listening socket</entry>
- </row>
-
- <row>
- <entry><parameter>oldsocketlabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>oldsocket</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newsocket</parameter></entry>
- <entry>New socket</entry>
- </row>
-
- <row>
- <entry><parameter>newsocketlabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>newsocketlabel</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Label a socket, <parameter>newsocket</parameter>,
- newly &man.accept.2;ed, based on the &man.listen.2;
- socket, <parameter>oldsocket</parameter>.</para>
- </sect4>
-
- <sect4 id="mac-mpo-relabel-pipe">
- <title><function>&mac.mpo;_relabel_pipe</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_relabel_pipe</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct pipe
- *<parameter>pipe</parameter></paramdef>
- <paramdef>struct label
- *<parameter>oldlabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>pipe</parameter></entry>
- <entry>Pipe</entry>
- </row>
-
- <row>
- <entry><parameter>oldlabel</parameter></entry>
- <entry>Current policy label associated with
- <parameter>pipe</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newlabel</parameter></entry>
- <entry>Policy label update to apply to
- <parameter>pipe</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Apply a new label, <parameter>newlabel</parameter>, to
- <parameter>pipe</parameter>.</para>
- </sect4>
-
- <sect4 id="mac-mpo-relabel-socket">
- <title><function>&mac.mpo;_relabel_socket</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_relabel_socket</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct socket
- *<parameter>so</parameter></paramdef>
- <paramdef>struct label
- *<parameter>oldlabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- <entry>Immutable</entry>
- </row>
-
- <row>
- <entry><parameter>so</parameter></entry>
- <entry>Object; socket</entry>
- </row>
-
- <row>
- <entry><parameter>oldlabel</parameter></entry>
- <entry>Current label for
- <parameter>so</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newlabel</parameter></entry>
- <entry>Label update for
- <parameter>so</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the label on a socket from the passed socket
- label update.</para>
- </sect4>
-
- <sect4 id="mpo-set-socket-peer-from-mbuf">
- <title><function>&mac.mpo;_set_socket_peer_from_mbuf</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_set_socket_peer_from_mbuf</function></funcdef>
-
- <paramdef>struct mbuf
- *<parameter>mbuf</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mbuflabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>oldlabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>mbuf</parameter></entry>
- <entry>First datagram received over socket</entry>
- </row>
-
- <row>
- <entry><parameter>mbuflabel</parameter></entry>
- <entry>Label for <parameter>mbuf</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>oldlabel</parameter></entry>
- <entry>Current label for the socket</entry>
- </row>
-
- <row>
- <entry><parameter>newlabel</parameter></entry>
- <entry>Policy label to be filled out for the
- socket</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the peer label on a stream socket from the passed
- mbuf label. This call will be made when the first datagram
- is received by the stream socket, with the exception of Unix
- domain sockets.</para>
- </sect4>
-
- <sect4 id="mac-mpo-set-socket-peer-from-socket">
- <title><function>&mac.mpo;_set_socket_peer_from_socket</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_set_socket_peer_from_socket</function></funcdef>
-
- <paramdef>struct socket
- *<parameter>oldsocket</parameter></paramdef>
- <paramdef>struct label
- *<parameter>oldsocketlabel</parameter></paramdef>
- <paramdef>struct socket
- *<parameter>newsocket</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newsocketpeerlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>oldsocket</parameter></entry>
- <entry>Local socket</entry>
- </row>
-
- <row>
- <entry><parameter>oldsocketlabel</parameter></entry>
- <entry>Policy label for
- <parameter>oldsocket</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newsocket</parameter></entry>
- <entry>Peer socket</entry>
- </row>
-
- <row>
- <entry><parameter>newsocketpeerlabel</parameter></entry>
- <entry>Policy label to fill in for
- <parameter>newsocket</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <!-- XXX Passed _remote_ socket endpoint ? -->
- <para>Set the peer label on a stream UNIX domain socket from
- the passed remote socket endpoint. This call will be made
- when the socket pair is connected, and will be made for both
- endpoints.</para>
- </sect4>
- </sect3>
-
- <sect3 id="mac-net-labeling-event-ops">
- <title>Network Object Labeling Event Operations</title>
-
- <sect4 id="mac-mpo-create-bpfdesc">
- <title><function>&mac.mpo;_create_bpfdesc</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_bpfdesc</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct bpf_d
- *<parameter>bpf_d</parameter></paramdef>
- <paramdef>struct label
- *<parameter>bpflabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- <entry>Immutable</entry>
- </row>
-
- <row>
- <entry><parameter>bpf_d</parameter></entry>
- <entry>Object; bpf descriptor</entry>
- </row>
-
- <row>
- <entry><parameter>bpf</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>bpf_d</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on a newly created BPF descriptor from the
- passed subject credential. This call will be made when a
- BPF device node is opened by a process with the passed
- subject credential.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-ifnet">
- <title><function>&mac.mpo;_create_ifnet</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_ifnet</function></funcdef>
-
- <paramdef>struct ifnet
- *<parameter>ifnet</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ifnetlabel</parameter></paramdeF>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>ifnet</parameter></entry>
- <entry>Network interface</entry>
- </row>
-
- <row>
- <entry><parameter>ifnetlabel</parameter></entry>
- <entry>Policy label to fill in for
- <parameter>ifnet</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on a newly created interface. This call
- may be made when a new physical interface becomes available
- to the system, or when a pseudo-interface is instantiated
- during the boot or as a result of a user action.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-ipq">
- <title><function>&mac.mpo;_create_ipq</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_ipq</function></funcdef>
-
- <paramdef>struct mbuf
- *<parameter>fragment</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fragmentlabel</parameter></paramdef>
- <paramdef>struct ipq
- *<parameter>ipq</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ipqlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>fragment</parameter></entry>
- <entry>First received IP fragment</entry>
- </row>
-
- <row>
- <entry><parameter>fragmentlabel</parameter></entry>
- <entry>Policy label for
- <parameter>fragment</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>ipq</parameter></entry>
- <entry>IP reassembly queue to be labeled</entry>
- </row>
-
- <row>
- <entry><parameter>ipqlabel</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>ipq</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on a newly created IP fragment reassembly
- queue from the mbuf header of the first received
- fragment.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-datagram-from-ipq">
- <title><function>&mac.mpo;_create_datagram_from_ipq</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_create_datagram_from_ipq</function></funcdef>
-
- <paramdef>struct ipq
- *<parameter>ipq</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ipqlabel</parameter></paramdef>
- <paramdef>struct mbuf
- *<parameter>datagram</parameter></paramdef>
- <paramdef>struct label
- *<parameter>datagramlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>ipq</parameter></entry>
- <entry>IP reassembly queue</entry>
- </row>
-
- <row>
- <entry><parameter>ipqlabel</parameter></entry>
- <entry>Policy label for
- <parameter>ipq</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>datagram</parameter></entry>
- <entry>Datagram to be labeled</entry>
- </row>
-
- <row>
- <entry><parameter>datagramlabel</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>datagramlabel</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on a newly reassembled IP datagram from
- the IP fragment reassembly queue from which it was
- generated.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-fragment">
- <title><function>&mac.mpo;_create_fragment</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_fragment</function></funcdef>
-
- <paramdef>struct mbuf
- *<parameter>datagram</parameter></paramdef>
- <paramdef>struct label
- *<parameter>datagramlabel</parameter></paramdef>
- <paramdef>struct mbuf
- *<parameter>fragment</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fragmentlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>datagram</parameter></entry>
- <entry>Datagram</entry>
- </row>
-
- <row>
- <entry><parameter>datagramlabel</parameter></entry>
- <entry>Policy label for
- <parameter>datagram</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>fragment</parameter></entry>
- <entry>Fragment to be labeled</entry>
- </row>
-
- <row>
- <entry><parameter>fragmentlabel</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>datagram</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on the mbuf header of a newly created IP
- fragment from the label on the mbuf header of the datagram
- it was generate from.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-mbuf-from-mbuf">
- <title><function>&mac.mpo;_create_mbuf_from_mbuf</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_mbuf_from_mbuf</function></funcdef>
-
- <paramdef>struct mbuf
- *<parameter>oldmbuf</parameter></paramdef>
- <paramdef>struct label
- *<parameter>oldmbuflabel</parameter></paramdef>
- <paramdef>struct mbuf
- *<parameter>newmbuf</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newmbuflabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>oldmbuf</parameter></entry>
- <entry>Existing (source) mbuf</entry>
- </row>
-
- <row>
- <entry><parameter>oldmbuflabel</parameter></entry>
- <entry>Policy label for
- <parameter>oldmbuf</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newmbuf</parameter></entry>
- <entry>New mbuf to be labeled</entry>
- </row>
-
- <row>
- <entry><parameter>newmbuflabel</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>newmbuf</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on the mbuf header of a newly created
- datagram from the mbuf header of an existing datagram. This
- call may be made in a number of situations, including when
- an mbuf is re-allocated for alignment purposes.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-mbuf-linklayer">
- <title><function>&mac.mpo;_create_mbuf_linklayer</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_mbuf_linklayer</function></funcdef>
-
- <paramdef>struct ifnet
- *<parameter>ifnet</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ifnetlabel</parameter></paramdef>
- <paramdef>struct mbuf
- *<parameter>mbuf</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mbuflabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>ifnet</parameter></entry>
- <entry>Network interface</entry>
- </row>
-
- <row>
- <entry><parameter>ifnetlabel</parameter></entry>
- <entry>Policy label for
- <parameter>ifnet</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>mbuf</parameter></entry>
- <entry>mbuf header for new datagram</entry>
- </row>
-
- <row>
- <entry><parameter>mbuflabel</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>mbuf</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on the mbuf header of a newly created
- datagram generated for the purposes of a link layer response
- for the passed interface. This call may be made in a number
- of situations, including for ARP or ND6 responses in the
- IPv4 and IPv6 stacks.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-mbuf-from-bpfdesc">
- <title><function>&mac.mpo;_create_mbuf_from_bpfdesc</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_mbuf_from_bpfdesc</function></funcdef>
-
- <paramdef>struct bpf_d
- *<parameter>bpf_d</parameter></paramdef>
- <paramdef>struct label
- *<parameter>bpflabel</parameter></paramdef>
- <paramdef>struct mbuf
- *<parameter>mbuf</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mbuflabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>bpf_d</parameter></entry>
- <entry>BPF descriptor</entry>
- </row>
-
- <row>
- <entry><parameter>bpflabel</parameter></entry>
- <entry>Policy label for
- <parameter>bpflabel</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>mbuf</parameter></entry>
- <entry>New mbuf to be labeled</entry>
- </row>
-
- <row>
- <entry><parameter>mbuflabel</parameter></entry>
- <entry>Policy label to fill in for
- <parameter>mbuf</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on the mbuf header of a newly created
- datagram generated using the passed BPF descriptor. This
- call is made when a write is performed to the BPF device
- associated with the passed BPF descriptor.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-mbuf-from-ifnet">
- <title><function>&mac.mpo;_create_mbuf_from_ifnet</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_mbuf_from_ifnet</function></funcdef>
-
- <paramdef>struct ifnet
- *<parameter>ifnet</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ifnetlabel</parameter></paramdef>
- <paramdef>struct mbuf
- *<parameter>mbuf</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mbuflabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>ifnet</parameter></entry>
- <entry>Network interface</entry>
- </row>
-
- <row>
- <entry><parameter>ifnetlabel</parameter></entry>
- <entry>Policy label for
- <parameter>ifnetlabel</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>mbuf</parameter></entry>
- <entry>mbuf header for new datagram</entry>
- </row>
-
- <row>
- <entry><parameter>mbuflabel</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>mbuf</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on the mbuf header of a newly created
- datagram generated from the passed network interface.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-mbuf-multicast-encap">
- <title><function>&mac.mpo;_create_mbuf_multicast_encap</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_mbuf_multicast_encap</function></funcdef>
-
- <paramdef>struct mbuf
- *<parameter>oldmbuf</parameter></paramdef>
- <paramdef>struct label
- *<parameter>oldmbuflabel</parameter></paramdef>
- <paramdef>struct ifnet
- *<parameter>ifnet</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ifnetlabel</parameter></paramdef>
- <paramdef>struct mbuf
- *<parameter>newmbuf</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newmbuflabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>oldmbuf</parameter></entry>
- <entry>mbuf header for existing datagram</entry>
- </row>
-
- <row>
- <entry><parameter>oldmbuflabel</parameter></entry>
- <entry>Policy label for
- <parameter>oldmbuf</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>ifnet</parameter></entry>
- <entry>Network interface</entry>
- </row>
-
- <row>
- <entry><parameter>ifnetlabel</parameter></entry>
- <entry>Policy label for
- <parameter>ifnet</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newmbuf</parameter></entry>
- <entry>mbuf header to be labeled for new
- datagram</entry>
- </row>
-
- <row>
- <entry><parameter>newmbuflabel</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>newmbuf</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on the mbuf header of a newly created
- datagram generated from the existing passed datagram when it
- is processed by the passed multicast encapsulation
- interface. This call is made when an mbuf is to be
- delivered using the virtual interface.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-mbuf-netlayer">
- <title><function>&mac.mpo;_create_mbuf_netlayer</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_mbuf_netlayer</function></funcdef>
-
- <paramdef>struct mbuf
- *<parameter>oldmbuf</parameter></paramdef>
- <paramdef>struct label
- *<parameter>oldmbuflabel</parameter></paramdef>
- <paramdef>struct mbuf
- *<parameter>newmbuf</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newmbuflabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>oldmbuf</parameter></entry>
- <entry>Received datagram</entry>
- </row>
-
- <row>
- <entry><parameter>oldmbuflabel</parameter></entry>
- <entry>Policy label for
- <parameter>oldmbuf</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newmbuf</parameter></entry>
- <entry>Newly created datagram</entry>
- </row>
-
- <row>
- <entry><parameter>newmbuflabel</parameter></entry>
- <entry>Policy label for
- <parameter>newmbuf</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label on the mbuf header of a newly created
- datagram generated by the IP stack in response to an
- existing received datagram (<parameter>oldmbuf</parameter>).
- This call may be made in a number of situations, including
- when responding to ICMP request datagrams.</para>
- </sect4>
-
- <sect4 id="mac-mpo-fragment-match">
- <title><function>&mac.mpo;_fragment_match</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_fragment_match</function></funcdef>
-
- <paramdef>struct mbuf
- *<parameter>fragment</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fragmentlabel</parameter></paramdef>
- <paramdef>struct ipq
- *<parameter>ipq</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ipqlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>fragment</parameter></entry>
- <entry>IP datagram fragment</entry>
- </row>
-
- <row>
- <entry><parameter>fragmentlabel</parameter></entry>
- <entry>Policy label for
- <parameter>fragment</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>ipq</parameter></entry>
- <entry>IP fragment reassembly queue</entry>
- </row>
-
- <row>
- <entry><parameter>ipqlabel</parameter></entry>
- <entry>Policy label for
- <parameter>ipq</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether an mbuf header containing an IP
- datagram (<parameter>fragment</parameter>) fragment matches
- the label of the passed IP fragment reassembly queue
- (<parameter>ipq</parameter>). Return
- (<returnvalue>1</returnvalue>) for a successful match, or
- (<returnvalue>0</returnvalue>) for no match. This call is
- made when the IP stack attempts to find an existing fragment
- reassembly queue for a newly received fragment; if this
- fails, a new fragment reassembly queue may be instantiated
- for the fragment. Policies may use this entry point to
- prevent the reassembly of otherwise matching IP fragments if
- policy does not permit them to be reassembled based on the
- label or other information.</para>
- </sect4>
-
- <sect4 id="mac-mpo-ifnet-relabel">
- <title><function>&mac.mpo;_relabel_ifnet</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_relabel_ifnet</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct ifnet
- *<parameter>ifnet</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ifnetlabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>ifnet</parameter></entry>
- <entry>Object; Network interface</entry>
- </row>
-
- <row>
- <entry><parameter>ifnetlabel</parameter></entry>
- <entry>Policy label for
- <parameter>ifnet</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newlabel</parameter></entry>
- <entry>Label update to apply to
- <parameter>ifnet</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the label of network interface,
- <parameter>ifnet</parameter>, based on the passed update
- label, <parameter>newlabel</parameter>, and the passed
- subject credential, <parameter>cred</parameter>.</para>
- </sect4>
-
- <sect4 id="mac-mpo-update-ipq">
- <title><function>&mac.mpo;_update_ipq</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_update_ipq</function></funcdef>
-
- <paramdef>struct mbuf
- *<parameter>fragment</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fragmentlabel</parameter></paramdef>
- <paramdef>struct ipq
- *<parameter>ipq</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ipqlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>mbuf</parameter></entry>
- <entry>IP fragment</entry>
- </row>
-
- <row>
- <entry><parameter>mbuflabel</parameter></entry>
- <entry>Policy label for
- <parameter>mbuf</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>ipq</parameter></entry>
- <entry>IP fragment reassembly queue</entry>
- </row>
-
- <row>
- <entry><parameter>ipqlabel</parameter></entry>
- <entry>Policy label to be updated for
- <parameter>ipq</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the label on an IP fragment reassembly queue
- (<parameter>ipq</parameter>) based on the acceptance of the
- passed IP fragment mbuf header
- (<parameter>mbuf</parameter>).</para>
- </sect4>
- </sect3>
-
- <sect3 id="mac-proc-labeling-event-ops">
- <title>Process Labeling Event Operations</title>
-
- <sect4 id="mac-mpo-create-cred">
- <title><function>&mac.mpo;_create_cred</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_cred</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>parent_cred</parameter></paramdef>
- <paramdef>struct ucred
- *<parameter>child_cred</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>parent_cred</parameter></entry>
- <entry>Parent subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>child_cred</parameter></entry>
- <entry>Child subject credential</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Set the label of a newly created subject credential from
- the passed subject credential. This call will be made when
- &man.crcopy.9; is invoked on a newly created <type>struct
- ucred</type>. This call should not be confused with a
- process forking or creation event.</para>
- </sect4>
-
- <sect4 id="mac-mpo-execve-transition">
- <title><function>&mac.mpo;_execve_transition</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_execve_transition</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>old</parameter></paramdef>
- <paramdef>struct ucred
- *<parameter>new</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>old</parameter></entry>
- <entry>Existing subject credential</entry>
- <entry>Immutable</entry>
- </row>
-
- <row>
- <entry><parameter>new</parameter></entry>
- <entry>New subject credential to be labeled</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>File to execute</entry>
- <entry>Locked</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the label of a newly created subject credential
- (<parameter>new</parameter>) from the passed existing
- subject credential (<parameter>old</parameter>) based on a
- label transition caused by executing the passed vnode
- (<parameter>vp</parameter>). This call occurs when a
- process executes the passed vnode and one of the policies
- returns a success from the
- <function>mpo_execve_will_transition</function> entry point.
- Policies may choose to implement this call simply by
- invoking <function>mpo_create_cred</function> and passing
- the two subject credentials so as not to implement a
- transitioning event. Policies should not leave this entry
- point unimplemented if they implement
- <function>mpo_create_cred</function>, even if they do not
- implement
- <function>mpo_execve_will_transition</function>.</para>
- </sect4>
-
- <sect4 id="mac-mpo-execve-will-transition">
- <title><function>&mac.mpo;_execve_will_transition</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_execve_will_transition</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>old</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>old</parameter></entry>
- <entry>Subject credential prior to
- &man.execve.2;</entry>
- <entry>Immutable</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>File to execute</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the policy will want to perform a
- transition event as a result of the execution of the passed
- vnode by the passed subject credential. Return
- <returnvalue>1</returnvalue> if a transition is required,
- <returnvalue>0</returnvalue> if not. Even if a policy
- returns <returnvalue>0</returnvalue>, it should behave
- correctly in the presence of an unexpected invocation of
- <function>mpo_execve_transition</function>, as that call may
- happen as a result of another policy requesting a
- transition.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-proc0">
- <title><function>&mac.mpo;_create_proc0</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_proc0</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential to be filled in</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Create the subject credential of process 0, the parent
- of all kernel processes.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-proc1">
- <title><function>&mac.mpo;_create_proc1</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_proc1</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential to be filled in</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Create the subject credential of process 1, the parent
- of all user processes.</para>
- </sect4>
-
- <sect4 id="mac-mpo-relabel-cred">
- <title><function>&mac.mpo;_relabel_cred</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_relabel_cred</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>newlabel</parameter></entry>
- <entry>Label update to apply to
- <parameter>cred</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the label on a subject credential from the passed
- update label.</para>
- </sect4>
-
-
-
- </sect3>
- </sect2>
-
- <sect2 id="mac-access-control-checks">
- <title>Access Control Checks</title>
-
- <para>Access control entry points permit policy modules to
- influence access control decisions made by the kernel.
- Generally, although not always, arguments to an access control
- entry point will include one or more authorizing credentials,
- information (possibly including a label) for any other objects
- involved in the operation. An access control entry point may
- return 0 to permit the operation, or an &man.errno.2; error
- value. The results of invoking the entry point across various
- registered policy modules will be composed as follows: if all
- modules permit the operation to succeed, success will be
- returned. If one or modules returns a failure, a failure will
- be returned. If more than one module returns a failure, the
- errno value to return to the user will be selected using the
- following precedence, implemented by the
- <function>error_select()</function> function in
- <filename>kern_mac.c</filename>:</para>
-
- <informaltable>
- <tgroup cols="2">
- <tbody>
- <row>
- <entry>Most precedence</entry>
- <entry><errorcode>EDEADLK</errorcode></entry></row>
-
- <row>
- <entry></entry>
- <entry><errorcode>EINVAL</errorcode></entry>
- </row>
- <row>
- <entry></entry>
- <entry><errorcode>ESRCH</errorcode></entry>
- </row>
- <row>
- <entry></entry>
- <entry>EACCES</entry>
- </row>
- <row>
- <entry>Least precedence</entry>
- <entry>EPERM</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>If none of the error values returned by all modules are
- listed in the precedence chart then an arbitrarily selected
- value from the set will be returned. In general, the rules
- provide precedence to errors in the following order: kernel
- failures, invalid arguments, object not present, access not
- permitted, other.</para>
-
- <sect3 id="mac-mpo-bpfdesc-check-receive-from-ifnet">
- <title><function>&mac.mpo;_check_bpfdesc_receive</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_bpfdesc_receive</function></funcdef>
-
- <paramdef>struct bpf_d
- *<parameter>bpf_d</parameter></paramdef>
- <paramdef>struct label
- *<parameter>bpflabel</parameter></paramdef>
- <paramdef>struct ifnet
- *<parameter>ifnet</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ifnetlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>bpf_d</parameter></entry>
- <entry>Subject; BPF descriptor</entry>
- </row>
-
- <row>
- <entry><parameter>bpflabel</parameter></entry>
- <entry>Policy label for
- <parameter>bpf_d</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>ifnet</parameter></entry>
- <entry>Object; network interface</entry>
- </row>
-
- <row>
- <entry><parameter>ifnetlabel</parameter></entry>
- <entry>Policy label for
- <parameter>ifnet</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the MAC framework should permit
- datagrams from the passed interface to be delivered to the
- buffers of the passed BPF descriptor. Return
- (<returnvalue>0</returnvalue>) for success, or an
- <varname>errno</varname> value for failure Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatches,
- <errorcode>EPERM</errorcode> for lack of privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-kenv-dump">
- <title><function>&mac.mpo;_check_kenv_dump</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_kenv_dump</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- retrieve the kernel environment (see &man.kenv.2;).</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-kenv-get">
- <title><function>&mac.mpo;_check_kenv_get</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_kenv_get</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>char *<parameter>name</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>name</parameter></entry>
- <entry>Kernel environment variable name</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- retrieve the value of the specified kernel environment
- variable.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-kenv-set">
- <title><function>&mac.mpo;_check_kenv_set</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_kenv_set</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>char *<parameter>name</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>name</parameter></entry>
- <entry>Kernel environment variable name</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to set
- the specified kernel environment variable.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-kenv-unset">
- <title><function>&mac.mpo;_check_kenv_unset</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_kenv_unset</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>char *<parameter>name</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>name</parameter></entry>
- <entry>Kernel environment variable name</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to unset
- the specified kernel environment variable.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-kld-load">
- <title><function>&mac.mpo;_check_kld_load</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_kld_load</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Kernel module vnode</entry>
- </row>
-
- <row>
- <entry><parameter>vlabel</parameter></entry>
- <entry>Label associated with
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to load
- the specified module file.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-kld-stat">
- <title><function>&mac.mpo;_check_kld_stat</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_kld_stat</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- retrieve a list of loaded kernel module files and associated
- statistics.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-kld-unload">
- <title><function>&mac.mpo;_check_kld_unload</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_kld_unload</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- unload a kernel module.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-pipe-ioctl">
- <title><function>&mac.mpo;_check_pipe_ioctl</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_pipe_ioctl</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct pipe
- *<parameter>pipe</parameter></paramdef>
- <paramdef>struct label
- *<parameter>pipelabel</parameter></paramdef>
- <paramdef>unsigned long
- <parameter>cmd</parameter></paramdef>
- <paramdef>void *<parameter>data</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>pipe</parameter></entry>
- <entry>Pipe</entry>
- </row>
-
- <row>
- <entry><parameter>pipelabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>pipe</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>cmd</parameter></entry>
- <entry>&man.ioctl.2; command</entry>
- </row>
-
- <row>
- <entry><parameter>data</parameter></entry>
- <entry>&man.ioctl.2; data</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to make
- the specified &man.ioctl.2; call.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-pipe-poll">
- <title><function>&mac.mpo;_check_pipe_poll</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_pipe_poll</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct pipe
- *<parameter>pipe</parameter></paramdef>
- <paramdef>struct label
- *<parameter>pipelabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>pipe</parameter></entry>
- <entry>Pipe</entry>
- </row>
-
- <row>
- <entry><parameter>pipelabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>pipe</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to poll
- <parameter>pipe</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-pipe-read">
- <title><function>&mac.mpo;_check_pipe_read</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_pipe_read</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct pipe
- *<parameter>pipe</parameter></paramdef>
- <paramdef>struct label
- *<parameter>pipelabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>pipe</parameter></entry>
- <entry>Pipe</entry>
- </row>
-
- <row>
- <entry><parameter>pipelabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>pipe</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed read
- access to <parameter>pipe</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-pipe-relabel">
- <title><function>&mac.mpo;_check_pipe_relabel</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_pipe_relabel</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct pipe
- *<parameter>pipe</parameter></paramdef>
- <paramdef>struct label
- *<parameter>pipelabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>pipe</parameter></entry>
- <entry>Pipe</entry>
- </row>
-
- <row>
- <entry><parameter>pipelabel</parameter></entry>
- <entry>Current policy label associated with
- <parameter>pipe</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newlabel</parameter></entry>
- <entry>Label update to
- <parameter>pipelabel</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- relabel <parameter>pipe</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-pipe-stat">
- <title><function>&mac.mpo;_check_pipe_stat</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_pipe_stat</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct pipe
- *<parameter>pipe</parameter></paramdef>
- <paramdef>struct label
- *<parameter>pipelabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>pipe</parameter></entry>
- <entry>Pipe</entry>
- </row>
-
- <row>
- <entry><parameter>pipelabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>pipe</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- retrieve statistics related to
- <parameter>pipe</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-pipe-write">
- <title><function>&mac.mpo;_check_pipe_write</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_pipe_write</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct pipe
- *<parameter>pipe</parameter></paramdef>
- <paramdef>struct label
- *<parameter>pipelabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>pipe</parameter></entry>
- <entry>Pipe</entry>
- </row>
-
- <row>
- <entry><parameter>pipelabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>pipe</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to write
- to <parameter>pipe</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-socket-bind">
- <title><function>&mac.mpo;_check_socket_bind</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_socket_bind</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct socket
- *<parameter>socket</parameter></paramdef>
- <paramdef>struct label
- *<parameter>socketlabel</parameter></paramdef>
- <paramdef>struct sockaddr
- *<parameter>sockaddr</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>socket</parameter></entry>
- <entry>Socket to be bound</entry>
- </row>
-
- <row>
- <entry><parameter>socketlabel</parameter></entry>
- <entry>Policy label for
- <parameter>socket</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>sockaddr</parameter></entry>
- <entry>Address of
- <parameter>socket</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- </sect3>
-
-
- <sect3 id="mac-mpo-cred-check-socket-connect">
- <title><function>&mac.mpo;_check_socket_connect</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_socket_connect</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct socket
- *<parameter>socket</parameter></paramdef>
- <paramdef>struct label
- *<parameter>socketlabel</parameter></paramdef>
- <paramdef>struct sockaddr
- *<parameter>sockaddr</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>socket</parameter></entry>
- <entry>Socket to be connected</entry>
- </row>
-
- <row>
- <entry><parameter>socketlabel</parameter></entry>
- <entry>Policy label for
- <parameter>socket</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>sockaddr</parameter></entry>
- <entry>Address of
- <parameter>socket</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential
- (<parameter>cred</parameter>) can connect the passed socket
- (<parameter>socket</parameter>) to the passed socket address
- (<parameter>sockaddr</parameter>). Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatches,
- <errorcode>EPERM</errorcode> for lack of privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-socket-receive">
- <title><function>&mac.mpo;_check_socket_receive</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_socket_receive</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct socket
- *<parameter>so</parameter></paramdef>
- <paramdef>struct label
- *<parameter>socketlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>so</parameter></entry>
- <entry>Socket</entry>
- </row>
-
- <row>
- <entry><parameter>socketlabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>so</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- receive information from the socket
- <parameter>so</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-socket-send">
- <title><function>&mac.mpo;_check_socket_send</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_socket_send</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct socket
- *<parameter>so</parameter></paramdef>
- <paramdef>struct label
- *<parameter>socketlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>so</parameter></entry>
- <entry>Socket</entry>
- </row>
-
- <row>
- <entry><parameter>socketlabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>so</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to send
- information across the socket
- <parameter>so</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-cred-visible">
- <title><function>&mac.mpo;_check_cred_visible</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_cred_visible</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>u1</parameter></paramdef>
- <paramdef>struct ucred
- *<parameter>u2</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>u1</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>u2</parameter></entry>
- <entry>Object credential</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential
- <parameter>u1</parameter> can <quote>see</quote> other
- subjects with the passed subject credential
- <parameter>u2</parameter>. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatches,
- <errorcode>EPERM</errorcode> for lack of privilege, or
- <errorcode>ESRCH</errorcode> to hide visibility. This call
- may be made in a number of situations, including
- inter-process status sysctls used by <command>ps</command>,
- and in procfs lookups.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-socket-visible">
- <title><function>&mac.mpo;_check_socket_visible</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_socket_visible</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct socket
- *<parameter>socket</parameter></paramdef>
- <paramdef>struct label
- *<parameter>socketlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>socket</parameter></entry>
- <entry>Object; socket</entry>
- </row>
-
- <row>
- <entry><parameter>socketlabel</parameter></entry>
- <entry>Policy label for
- <parameter>socket</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-ifnet-relabel">
- <title><function>&mac.mpo;_check_ifnet_relabel</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_ifnet_relabel</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct ifnet
- *<parameter>ifnet</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ifnetlabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>ifnet</parameter></entry>
- <entry>Object; network interface</entry>
- </row>
-
- <row>
- <entry><parameter>ifnetlabel</parameter></entry>
- <entry>Existing policy label for
- <parameter>ifnet</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newlabel</parameter></entry>
- <entry>Policy label update to later be applied to
- <parameter>ifnet</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can relabel the
- passed network interface to the passed label update.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-socket-relabel">
- <title><function>&mac.mpo;_check_socket_relabel</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_socket_relabel</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct socket
- *<parameter>socket</parameter></paramdef>
- <paramdef>struct label
- *<parameter>socketlabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>socket</parameter></entry>
- <entry>Object; socket</entry>
- </row>
-
- <row>
- <entry><parameter>socketlabel</parameter></entry>
- <entry>Existing policy label for
- <parameter>socket</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newlabel</parameter></entry>
- <entry>Label update to later be applied to
- <parameter>socketlabel</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can relabel the
- passed socket to the passed label update.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-cred-relabel">
- <title><function>&mac.mpo;_check_cred_relabel</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_cred_relabel</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>newlabel</parameter></entry>
- <entry>Label update to later be applied to
- <parameter>cred</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can relabel
- itself to the passed label update.</para>
- </sect3>
-
-
- <sect3 id="mac-mpo-cred-check-vnode-relabel">
- <title><function>&mac.mpo;_check_vnode_relabel</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_relabel</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- <entry>Immutable</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- <entry>Locked</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Existing policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newlabel</parameter></entry>
- <entry>Policy label update to later be applied to
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can relabel the
- passed vnode to the passed label update.</para>
- </sect3>
-
- <sect3 id="mpo-cred-check-mount-stat">
- <title><function>&mac.mpo;_check_mount_stat</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int <function>&mac.mpo;_check_mount_stat</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mountlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>mp</parameter></entry>
- <entry>Object; file system mount</entry>
- </row>
-
- <row>
- <entry><parameter>mountlabel</parameter></entry>
- <entry>Policy label for
- <parameter>mp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <!-- XXX Update ? -->
- <para>Determine whether the subject credential can see the
- results of a statfs performed on the file system. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatches
- or <errorcode>EPERM</errorcode> for lack of privilege. This
- call may be made in a number of situations, including during
- invocations of &man.statfs.2; and related calls, as well as to
- determine what file systems to exclude from listings of file
- systems, such as when &man.getfsstat.2; is invoked. </para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-proc-debug">
- <title><function>&mac.mpo;_check_proc_debug</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_proc_debug</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct proc
- *<parameter>proc</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- <entry>Immutable</entry>
- </row>
-
- <row>
- <entry><parameter>proc</parameter></entry>
- <entry>Object; process</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can debug the
- passed process. Return <returnvalue>0</returnvalue> for
- success, or an <varname>errno</varname> value for failure.
- Suggested failure: <errorcode>EACCES</errorcode> for label
- mismatch, <errorcode>EPERM</errorcode> for lack of
- privilege, or <errorcode>ESRCH</errorcode> to hide
- visibility of the target. This call may be made in a number
- of situations, including use of the &man.ptrace.2; and
- &man.ktrace.2; APIs, as well as for some types of procfs
- operations.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-access">
- <title><function>&mac.mpo;_check_vnode_access</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_access</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>int <parameter>flags</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>flags</parameter></entry>
- <entry>&man.access.2; flags</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine how invocations of &man.access.2; and related
- calls by the subject credential should return when performed
- on the passed vnode using the passed access flags. This
- should generally be implemented using the same semantics
- used in <function>&mac.mpo;_check_vnode_open</function>.
- Return <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatches
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-chdir">
- <title><function>&mac.mpo;_check_vnode_chdir</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_chdir</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>dvp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>dlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>dvp</parameter></entry>
- <entry>Object; vnode to &man.chdir.2; into</entry>
- </row>
-
- <row>
- <entry><parameter>dlabel</parameter></entry>
- <entry>Policy label for
- <parameter>dvp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can change the
- process working directory to the passed vnode. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-vnode-chroot">
- <title><function>&mac.mpo;_check_vnode_chroot</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_chroot</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>dvp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>dlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>dvp</parameter></entry>
- <entry>Directory vnode</entry>
- </row>
-
- <row>
- <entry><parameter>dlabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>dvp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- &man.chroot.2; into the specified directory
- (<parameter>dvp</parameter>).</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-create">
- <title><function>&mac.mpo;_check_vnode_create</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_create</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>dvp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>dlabel</parameter></paramdef>
- <paramdef>struct componentname
- *<parameter>cnp</parameter></paramdef>
- <paramdef>struct vattr
- *<parameter>vap</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>dvp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>dlabel</parameter></entry>
- <entry>Policy label for
- <parameter>dvp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>cnp</parameter></entry>
- <entry>Component name for
- <parameter>dvp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>vap</parameter></entry>
- <entry>vnode attributes for <parameter>vap</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can create a
- vnode with the passed parent directory, passed name
- information, and passed attribute information. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode>. for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of privilege.
- This call may be made in a number of situations, including
- as a result of calls to &man.open.2; with
- <symbol>O_CREAT</symbol>, &man.mknod.2;, &man.mkfifo.2;, and
- others.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-delete">
- <title><function>&mac.mpo;_check_vnode_delete</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_delete</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>dvp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>dlabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>void *<parameter>label</parameter></paramdef>
- <paramdef>struct componentname
- *<parameter>cnp</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>dvp</parameter></entry>
- <entry>Parent directory vnode</entry>
- </row>
-
- <row>
- <entry><parameter>dlabel</parameter></entry>
- <entry>Policy label for
- <parameter>dvp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode to delete</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>cnp</parameter></entry>
- <entry>Component name for
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can delete a
- vnode from the passed parent directory and passed name
- information. Return <returnvalue>0</returnvalue> for
- success, or an <varname>errno</varname> value for failure.
- Suggested failure: <errorcode>EACCES</errorcode> for label
- mismatch, or <errorcode>EPERM</errorcode> for lack of
- privilege. This call may be made in a number of situations,
- including as a result of calls to &man.unlink.2; and
- &man.rmdir.2;. Policies implementing this entry point
- should also implement
- <function>mpo_check_rename_to</function> to authorize
- deletion of objects as a result of being the target of a
- rename.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-deleteacl">
- <title><function>&mac.mpo;_check_vnode_deleteacl</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_deleteacl</function></funcdef>
-
- <paramdef>struct ucred *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode *<parameter>vp</parameter></paramdef>
- <paramdef>struct label *<parameter>label</parameter></paramdef>
- <paramdef>acl_type_t <parameter>type</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- <entry>Immutable</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- <entry>Locked</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>type</parameter></entry>
- <entry>ACL type</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can delete the
- ACL of passed type from the passed vnode. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-exec">
- <title><function>&mac.mpo;_check_vnode_exec</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_exec</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode to execute</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can execute the
- passed vnode. Determination of execute privilege is made
- separately from decisions about any transitioning event.
- Return <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mpo-cred-check-vnode-getacl">
- <title><function>&mac.mpo;_check_vnode_getacl</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_getacl</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>acl_type_t
- <parameter>type</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>type</parameter></entry>
- <entry>ACL type</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can retrieve
- the ACL of passed type from the passed vnode. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-getextattr">
- <title><function>&mac.mpo;_check_vnode_getextattr</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_getextattr</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>int
- <parameter>attrnamespace</parameter></paramdef>
- <paramdef>const char
- *<parameter>name</parameter></paramdef>
- <paramdef>struct uio
- *<parameter>uio</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>attrnamespace</parameter></entry>
- <entry>Extended attribute namespace</entry>
- </row>
-
- <row>
- <entry><parameter>name</parameter></entry>
- <entry>Extended attribute name</entry>
- </row>
-
- <row>
- <entry><parameter>uio</parameter></entry>
- <entry>I/O structure pointer; see &man.uio.9;</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can retrieve
- the extended attribute with the passed namespace and name
- from the passed vnode. Policies implementing labeling using
- extended attributes may be interested in special handling of
- operations on those extended attributes. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-vnode-link">
- <title><function>&mac.mpo;_check_vnode_link</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_link</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>dvp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>dlabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>struct componentname
- *<parameter>cnp</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>dvp</parameter></entry>
- <entry>Directory vnode</entry>
- </row>
-
- <row>
- <entry><parameter>dlabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>dvp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Link destination vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label associated with
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>cnp</parameter></entry>
- <entry>Component name for the link being created</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- create a link to the vnode <parameter>vp</parameter> with
- the name specified by <parameter>cnp</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-vnode-mmap">
- <title><function>&mac.mpo;_check_vnode_mmap</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_mmap</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>int <parameter>prot</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Vnode to map</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label associated with
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>prot</parameter></entry>
- <entry>Mmap protections (see &man.mmap.2;)</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to map
- the vnode <parameter>vp</parameter> with the protections
- specified in <parameter>prot</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-vnode-mmap-downgrade">
- <title><function>&mac.mpo;_check_vnode_mmap_downgrade</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_check_vnode_mmap_downgrade</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>int *<parameter>prot</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry morerows="2">See
- <xref linkend="mac-mpo-check-vnode-mmap">.</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>prot</parameter></entry>
- <entry>Mmap protections to be downgraded</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Downgrade the mmap protections based on the subject and
- object labels.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-vnode-mprotect">
- <title><function>&mac.mpo;_check_vnode_mprotect</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_mprotect</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>int <parameter>prot</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Mapped vnode</entry>
- </row>
-
- <row>
- <entry><parameter>prot</parameter></entry>
- <entry>Memory protections</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- set the specified memory protections on memory mapped from
- the vnode <parameter>vp</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-vnode-poll">
- <title><function>&mac.mpo;_check_vnode_poll</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_poll</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>active_cred</parameter></paramdef>
- <paramdef>struct ucred
- *<parameter>file_cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>active_cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>file_cred</parameter></entry>
- <entry>Credential associated with the <type>struct
- file</type></entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Polled vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label associated with
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to poll
- the vnode <parameter>vp</parameter>.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-vnode-rename-from">
- <title><function>&mac.mpo;_check_vnode_rename_from</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_vnode_rename_from</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>dvp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>dlabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>struct componentname
- *<parameter>cnp</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>dvp</parameter></entry>
- <entry>Directory vnode</entry>
- </row>
-
- <row>
- <entry><parameter>dlabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>dvp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Vnode to be renamed</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label associated with
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>cnp</parameter></entry>
- <entry>Component name for
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- rename the vnode <parameter>vp</parameter> to something
- else.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-vnode-rename-to">
- <title><function>&mac.mpo;_check_vnode_rename_to</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_rename_to</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>dvp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>dlabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>int <parameter>samedir</parameter></paramdef>
- <paramdef>struct componentname
- *<parameter>cnp</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>dvp</parameter></entry>
- <entry>Directory vnode</entry>
- </row>
-
- <row>
- <entry><parameter>dlabel</parameter></entry>
- <entry>Policy label associated with
- <parameter>dvp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Overwritten vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label associated with
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>samedir</parameter></entry>
- <entry>Boolean; <literal>1</literal> if the source and
- destination directories are the same</entry>
- </row>
-
- <row>
- <entry><parameter>cnp</parameter></entry>
- <entry>Destination component name</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- rename to the vnode <parameter>vp</parameter>, into the
- directory <parameter>dvp</parameter>, or to the name
- represented by <parameter>cnp</parameter>. If there is no
- existing file to overwrite, <parameter>vp</parameter> and
- <parameter>label</parameter> will be NULL.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-socket-listen">
- <title><function>&mac.mpo;_check_socket_listen</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_socket_listen</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct socket
- *<parameter>socket</parameter></paramdef>
- <paramdef>struct label
- *<parameter>socketlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>socket</parameter></entry>
- <entry>Object; socket</entry>
- </row>
-
- <row>
- <entry><parameter>socketlabel</parameter></entry>
- <entry>Policy label for
- <parameter>socket</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can listen on
- the passed socket. Return <returnvalue>0</returnvalue> for
- success, or an <varname>errno</varname> value for failure.
- Suggested failure: <errorcode>EACCES</errorcode> for label
- mismatch, or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-lookup">
- <title><function>&mac.mpo;_check_vnode_lookup</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_lookup</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter></parameter>cred</paramdef>
- <paramdef>struct vnode
- *<parameter></parameter>dvp</paramdef>
- <paramdef>struct label
- *<parameter></parameter>dlabel</paramdef>
- <paramdef>struct componentname
- *<parameter>cnp</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>dvp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>dlabel</parameter></entry>
- <entry>Policy label for
- <parameter>dvp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>cnp</parameter></entry>
- <entry>Component name being looked up</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can perform a
- lookup in the passed directory vnode for the passed name.
- Return <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-open">
- <title><function>&mac.mpo;_check_vnode_open</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_open</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>int
- <parameter>acc_mode</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>acc_mode</parameter></entry>
- <entry>&man.open.2; access mode</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can perform an
- open operation on the passed vnode with the passed access
- mode. Return <returnvalue>0</returnvalue> for success, or
- an errno value for failure. Suggested failure:
- <errorcode>EACCES</errorcode> for label mismatch, or
- <errorcode>EPERM</errorcode> for lack of privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-readdir">
- <title><function>&mac.mpo;_check_vnode_readdir</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_readdir</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter></parameter>cred</paramdef>
- <paramdef>struct vnode
- *<parameter></parameter>dvp</paramdef>
- <paramdef>struct label
- *<parameter></parameter>dlabel</paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>dvp</parameter></entry>
- <entry>Object; directory vnode</entry>
- </row>
-
- <row>
- <entry><parameter>dlabel</parameter></entry>
- <entry>Policy label for
- <parameter>dvp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can perform a
- <function>readdir</function> operation on the passed
- directory vnode. Return <returnvalue>0</returnvalue> for
- success, or an <varname>errno</varname> value for failure.
- Suggested failure: <errorcode>EACCES</errorcode> for label
- mismatch, or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-readlink">
- <title><function>&mac.mpo;_check_vnode_readlink</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_readlink</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can perform a
- <function>readlink</function> operation on the passed
- symlink vnode. Return <returnvalue>0</returnvalue> for
- success, or an <varname>errno</varname> value for failure.
- Suggested failure: <errorcode>EACCES</errorcode> for label
- mismatch, or <errorcode>EPERM</errorcode> for lack of
- privilege. This call may be made in a number of situations,
- including an explicit <function>readlink</function> call by
- the user process, or as a result of an implicit
- <function>readlink</function> during a name lookup by the
- process.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-revoke">
- <title><function>&mac.mpo;_check_vnode_revoke</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_revoke</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can revoke
- access to the passed vnode. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-setacl">
- <title><function>&mac.mpo;_check_vnode_setacl</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_setacl</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>acl_type_t
- <parameter>type</parameter></paramdef>
- <paramdef>struct acl
- *<parameter>acl</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>type</parameter></entry>
- <entry>ACL type</entry>
- </row>
-
- <row>
- <entry><parameter>acl</parameter></entry>
- <entry>ACL</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can set the
- passed ACL of passed type on the passed vnode. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-setextattr">
- <title><function>&mac.mpo;_check_vnode_setextattr</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_setextattr</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>int
- <parameter>attrnamespace</parameter></paramdef>
- <paramdef>const char
- *<parameter>name</parameter></paramdef>
- <paramdef>struct uio
- *<parameter>uio</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>attrnamespace</parameter></entry>
- <entry>Extended attribute namespace</entry>
- </row>
-
- <row>
- <entry><parameter>name</parameter></entry>
- <entry>Extended attribute name</entry>
- </row>
-
- <row>
- <entry><parameter>uio</parameter></entry>
- <entry>I/O structure pointer; see &man.uio.9;</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can set the
- extended attribute of passed name and passed namespace on
- the passed vnode. Policies implementing security labels
- backed into extended attributes may want to provide
- additional protections for those attributes. Additionally,
- policies should avoid making decisions based on the data
- referenced from <parameter>uio</parameter>, as there is a
- potential race condition between this check and the actual
- operation. The <parameter>uio</parameter> may also be
- <literal>NULL</literal> if a delete operation is being
- performed. Return <returnvalue>0</returnvalue> for success,
- or an <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-setflags">
- <title><function>&mac.mpo;_check_vnode_setflags</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_setflags</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>u_long <parameter>flags</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>flags</parameter></entry>
- <entry>File flags; see &man.chflags.2;</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can set the
- passed flags on the passed vnode. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-setmode">
- <title><function>&mac.mpo;_check_vnode_setmode</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_setmode</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>mode_t <parameter>mode</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>mode</parameter></entry>
- <entry>File mode; see &man.chmod.2;</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can set the
- passed mode on the passed vnode. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-setowner">
- <title><function>&mac.mpo;_check_vnode_setowner</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_setowner</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>uid_t <parameter>uid</parameter></paramdef>
- <paramdef>gid_t <parameter>gid</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>uid</parameter></entry>
- <entry>User ID</entry>
- </row>
-
- <row>
- <entry><parameter>gid</parameter></entry>
- <entry>Group ID</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can set the
- passed uid and passed gid as file uid and file gid on the
- passed vnode. The IDs may be set to (<literal>-1</literal>)
- to request no update. Return <returnvalue>0</returnvalue>
- for success, or an <varname>errno</varname> value for
- failure. Suggested failure: <errorcode>EACCES</errorcode>
- for label mismatch, or <errorcode>EPERM</errorcode> for lack
- of privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-setutimes">
- <title><function>&mac.mpo;_check_vnode_setutimes</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_setutimes</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter></parameter>cred</paramdef>
- <paramdef>struct vnode
- *<parameter></parameter>vp</paramdef>
- <paramdef>struct label
- *<parameter></parameter>label</paramdef>
- <paramdef>struct timespec
- <parameter></parameter>atime</paramdef>
- <paramdef>struct timespec
- <parameter></parameter>mtime</paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vp</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>atime</parameter></entry>
- <entry>Access time; see &man.utimes.2;</entry>
- </row>
-
- <row>
- <entry><parameter>mtime</parameter></entry>
- <entry>Modification time; see &man.utimes.2;</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can set the
- passed access timestamps on the passed vnode. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-proc-sched">
- <title><function>&mac.mpo;_check_proc_sched</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_proc_sched</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>ucred</parameter></paramdef>
- <paramdef>struct proc
- *<parameter>proc</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>proc</parameter></entry>
- <entry>Object; process</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can change the
- scheduling parameters of the passed process. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- <errorcode>EPERM</errorcode> for lack of privilege, or
- <errorcode>ESRCH</errorcode> to limit visibility.</para>
-
- <para>See &man.setpriority.2; for more information.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-proc-signal">
- <title><function>&mac.mpo;_check_proc_signal</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_proc_signal</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct proc
- *<parameter>proc</parameter></paramdef>
- <paramdef>int <parameter>signal</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>proc</parameter></entry>
- <entry>Object; process</entry>
- </row>
-
- <row>
- <entry><parameter>signal</parameter></entry>
- <entry>Signal; see &man.kill.2;</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can deliver the
- passed signal to the passed process. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- <errorcode>EPERM</errorcode> for lack of privilege, or
- <errorcode>ESRCH</errorcode> to limit visibility.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-vnode-stat">
- <title><function>&mac.mpo;_check_vnode_stat</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_vnode_stat</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can
- <function>stat</function> the passed vnode. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
-
- <para>See &man.stat.2; for more information.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-ifnet-transmit">
- <title><function>&mac.mpo;_check_ifnet_transmit</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_ifnet_transmit</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct ifnet
- *<parameter>ifnet</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ifnetlabel</parameter></paramdef>
- <paramdef>struct mbuf
- *<parameter>mbuf</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mbuflabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>ifnet</parameter></entry>
- <entry>Network interface</entry>
- </row>
-
- <row>
- <entry><parameter>ifnetlabel</parameter></entry>
- <entry>Policy label for
- <parameter>ifnet</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>mbuf</parameter></entry>
- <entry>Object; mbuf to be sent</entry>
- </row>
-
- <row>
- <entry><parameter>mbuflabel</parameter></entry>
- <entry>Policy label for
- <parameter>mbuf</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the network interface can transmit the
- passed mbuf. Return <returnvalue>0</returnvalue> for
- success, or an <varname>errno</varname> value for failure.
- Suggested failure: <errorcode>EACCES</errorcode> for label
- mismatch, or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-socket-deliver">
- <title><function>&mac.mpo;_check_socket_deliver</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_socket_deliver</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct ifnet
- *<parameter>ifnet</parameter></paramdef>
- <paramdef>struct label
- *<parameter>ifnetlabel</parameter></paramdef>
- <paramdef>struct mbuf
- *<parameter>mbuf</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mbuflabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>ifnet</parameter></entry>
- <entry>Network interface</entry>
- </row>
-
- <row>
- <entry><parameter>ifnetlabel</parameter></entry>
- <entry>Policy label for
- <parameter>ifnet</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>mbuf</parameter></entry>
- <entry>Object; mbuf to be delivered</entry>
- </row>
-
- <row>
- <entry><parameter>mbuflabel</parameter></entry>
- <entry>Policy label for
- <parameter>mbuf</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the socket may receive the datagram
- stored in the passed mbuf header. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failures: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-socket-visible">
- <title><function>&mac.mpo;_check_socket_visible</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_socket_visible</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct socket
- *<parameter>so</parameter></paramdef>
- <paramdef>struct label
- *<parameter>socketlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- <entry>Immutable</entry>
- </row>
-
- <row>
- <entry><parameter>so</parameter></entry>
- <entry>Object; socket</entry>
- </row>
-
- <row>
- <entry><parameter>socketlabel</parameter></entry>
- <entry>Policy label for
- <parameter>so</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential cred can "see"
- the passed socket (<parameter>socket</parameter>) using
- system monitoring functions, such as those employed by
- &man.netstat.8; and &man.sockstat.1;. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatches,
- <errorcode>EPERM</errorcode> for lack of privilege, or
- <errorcode>ESRCH</errorcode> to hide visibility.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-system-acct">
- <title><function>&mac.mpo;_check_system_acct</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_system_acct</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>ucred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>ucred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Accounting file; &man.acct.5;</entry>
- </row>
-
- <row>
- <entry><parameter>vlabel</parameter></entry>
- <entry>Label associated with
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- enable accounting, based on its label and the label of the
- accounting log file.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-system-nfsd">
- <title><function>&mac.mpo;_check_system_nfsd</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_system_nfsd</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to call
- &man.nfssvc.2;.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-system-reboot">
- <title><function>&mac.mpo;_check_system_reboot</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_system_reboot</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>int <parameter>howto</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>howto</parameter></entry>
- <entry><parameter>howto</parameter> parameter from
- &man.reboot.2;</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to
- reboot the system in the specified manner.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-system-settime">
- <title><function>&mac.mpo;_check_system_settime</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_system_settime</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the user should be allowed to set the
- system clock.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-system-swapon">
- <title><function>&mac.mpo;_check_system_swapon</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_system_swapon</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Swap device</entry>
- </row>
-
- <row>
- <entry><parameter>vlabel</parameter></entry>
- <entry>Label associated with
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to add
- <parameter>vp</parameter> as a swap device.</para>
- </sect3>
-
- <sect3 id="mac-mpo-check-system-sysctl">
- <title><function>&mac.mpo;_check_system_sysctl</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_system_sysctl</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>int *<parameter>name</parameter></paramdef>
- <paramdef>u_int *<parameter>namelen</parameter></paramdef>
- <paramdef>void *<parameter>old</parameter></paramdef>
- <paramdef>size_t
- *<parameter>oldlenp</parameter></paramdef>
- <paramdef>int <parameter>inkernel</parameter></paramdef>
- <paramdef>void *<parameter>new</parameter></paramdef>
- <paramdef>size_t <parameter>newlen</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>name</parameter></entry>
- <entry morerows="3">See &man.sysctl.3;</entry>
- </row>
-
- <row>
- <entry><parameter>namelen</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>old</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>oldlenp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>inkernel</parameter></entry>
- <entry>Boolean; <literal>1</literal> if called from
- kernel</entry>
- </row>
-
- <row>
- <entry><parameter>new</parameter></entry>
- <entry morerows="1">See &man.sysctl.3;</entry>
- </row>
-
- <row>
- <entry><parameter>newlen</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject should be allowed to make
- the specified &man.sysctl.3; transaction.</para>
- </sect3>
- </sect2>
-
- <sect2 id="mac-label-management">
- <title>Label Management Calls</title>
-
- <para>Relabel events occur when a user process has requested
- that the label on an object be modified. A two-phase update
- occurs: first, an access control check will be performed to
- determine if the update is both valid and permitted, and then
- the update itself is performed via a separate entry point.
- Relabel entry points typically accept the object, object label
- reference, and an update label submitted by the process.
- Memory allocation during relabel is discouraged, as relabel
- calls are not permitted to fail (failure should be reported
- earlier in the relabel check).</para>
-
- </sect2>
- </sect1>
-
- <sect1 id="mac-userland-arch">
- <title>Userland Architecture</title>
-
- <para>The TrustedBSD MAC Framework includes a number of
- policy-agnostic elements, including MAC library interfaces
- for abstractly managing labels, modifications to the system
- credential management and login libraries to support the
- assignment of MAC labels to users, and a set of tools to
- monitor and modify labels on processes, files, and network
- interfaces. More details on the user architecture will
- be added to this section in the near future.</para>
-
- <sect2 id="mac-userland-labels">
- <title>APIs for Policy-Agnostic Label Management</title>
-
- <para>The TrustedBSD MAC Framework provides a number of
- library and system calls permitting applications to
- manage MAC labels on objects using a policy-agnostic
- interface. This permits applications to manipulate
- labels for a variety of policies without being
- written to support specific policies. These interfaces
- are used by general-purpose tools such as &man.ifconfig.8;,
- &man.ls.1; and &man.ps.1; to view labels on network
- interfaces, files, and processes. The APIs also support
- MAC management tools including &man.getfmac.8;,
- &man.getpmac.8;, &man.setfmac.8;, &man.setfsmac.8;,
- and &man.setpmac.8;. The MAC APIs are documented in
- &man.mac.3;.</para>
-
- <para>Applications handle MAC labels in two forms: an
- internalized form used to return and set labels on
- processes and objects (<literal>mac_t</literal>),
- and externalized form based on C strings appropriate for
- storage in configuration files, display to the user, or
- input from the user. Each MAC label contains a number of
- elements, each consisting of a name and value pair.
- Policy modules in the kernel bind to specific names
- and interpret the values in policy-specific ways. In
- the externalized string form, labels are represented
- by a comma-delimited list of name and value pairs separated
- by the <literal>/</literal> character. Labels may be
- directly converted to and from text using provided APIs;
- when retrieving labels from the kernel, internalized
- label storage must first be prepared for the desired
- label element set. Typically, this is done in one of
- two ways: using &man.mac.prepare.3; and an arbitrary
- list of desired label elements, or one of the variants
- of the call that loads a default element set from the
- &man.mac.conf.5; configuration file. Per-object
- defaults permit application writers to usefully display
- labels associated with objects without being aware of
- the policies present in the system.</para>
-
- <note><para>Currently, direct manipulation of label elements
- other than by conversion to a text string, string editing,
- and conversion back to an internalized label is not supported
- by the MAC library. Such interfaces may be added in the
- future if they prove necessary for application
- writers.</para></note>
- </sect2>
-
- <sect2 id="mac-userland-credentials">
- <title>Binding of Labels to Users</title>
-
- <para>The standard user context management interface,
- &man.setusercontext.3;, has been modified to retrieve
- MAC labels associated with a user's class from
- &man.login.conf.5;. These labels are then set along
- with other user context when either
- <literal>LOGIN_SETALL</literal> is specified, or when
- <literal>LOGIN_SETMAC</literal> is explicitly
- specified.</para>
-
- <note><para>It is expected that, in a future version of FreeBSD,
- the MAC label database will be separated from the
- <filename>login.conf</filename> user class abstraction,
- and be maintained in a separate database. However, the
- &man.setusercontext.3; API should remain the same
- following such a change.</para></note>
- </sect2>
- </sect1>
-
- <sect1 id="mac-conclusion">
- <title>Conclusion</title>
-
- <para>The TrustedBSD MAC framework permits kernel modules to
- augment the system security policy in a highly integrated
- manner. They may do this based on existing object properties,
- or based on label data that is maintained with the assistance of
- the MAC framework. The framework is sufficiently flexible to
- implement a variety of policy types, including information flow
- security policies such as MLS and Biba, as well as policies
- based on existing BSD credentials or file protections. Policy
- authors may wish to consult this documentation as well as
- existing security modules when implementing a new security
- service.</para>
- </sect1>
-</chapter>
-
-<!--
- Local Variables:
- mode: sgml
- sgml-declaration: "../chapter.decl"
- sgml-indent-data: t
- sgml-omittag: nil
- sgml-always-quote-attributes: t
- sgml-parent-document: ("../book.sgml" "part" "chapter")
- End:
--->
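Review bot: the hunk deletes the whole chapter.sgml file, but nothing in the change shows the parent document being updated to match; the file's own Local Variables block at the end declares `sgml-parent-document: ("../book.sgml" "part" "chapter")`, so ../book.sgml still pulls this chapter in unless it is edited in the same commit, and the book build will fail on the missing file. The commit should either include that book.sgml change or say where the chapter content has moved (the removed text carries section ids such as `mac-label-management`, `mac-userland-labels`, `mac-userland-credentials` and `mac-conclusion` that other chapters may link to), so that a reviewer can confirm no cross-references are left dangling. Note also that the removed text contains "More details on the user architecture will be added to this section in the near future" and a `mac-label-management` sect2 with only an introductory paragraph; if this content is being retired rather than relocated, saying so in the commit message would make the deletion self-explanatory.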