authorRobert Watson <rwatson@FreeBSD.org>2002-07-30 22:08:12 +0000
committerRobert Watson <rwatson@FreeBSD.org>2002-07-30 22:08:12 +0000
commitf3cfa6072e225fa457aa153f8fcd51146c947ced (patch)
tree1446df485eaec2c860e4297ecfe4f284f91258f9 /sys/sys/vnode.h
parentf33168f2926a17688f464029b7054dc0ba229780 (diff)
downloadsrc-f3cfa6072e225fa457aa153f8fcd51146c947ced.tar.gz
src-f3cfa6072e225fa457aa153f8fcd51146c947ced.zip
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the operating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. Label vnodes, permitting security information to be maintained at the granularity of the individual file, directory (et al). This data is protected by the vnode lock and may be read only when holding a shared lock, or modified only when holding an exclusive lock. Label information may be considered either the primary copy, or a cached copy. Individual file systems or kernel services may use the VCACHEDLABEL flag for accounting purposes to determine which it is. New VOPs will be introduced to refresh this label on demand, or to set the label value. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
Notes
Notes: svn path=/head/; revision=100983
Diffstat (limited to 'sys/sys/vnode.h')
-rw-r--r--sys/sys/vnode.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/sys/vnode.h b/sys/sys/vnode.h
index ddcae4199161..6f1857c07d3e 100644
--- a/sys/sys/vnode.h
+++ b/sys/sys/vnode.h
@@ -49,6 +49,7 @@
#include <sys/selinfo.h>
#include <sys/uio.h>
#include <sys/acl.h>
+#include <sys/mac.h>
#include <vm/uma.h>
/*
@@ -140,6 +141,7 @@ struct vnode {
u_long v_ddid; /* .. capability identifier */
struct vpollinfo *v_pollinfo;
struct thread *v_vxproc; /* thread owning VXLOCK */
+ struct label v_label; /* MAC label for vnode */
#ifdef DEBUG_LOCKS
const char *filename; /* Source file doing locking */
int line; /* Line number doing locking */
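Review bot: The comment on the new v_label field says only `/* MAC label for vnode */`, while the locking rule that actually protects it (readable under a shared vnode lock, modified only under an exclusive one) and the VCACHEDLABEL primary-vs-cached distinction live only in the commit message, not in the header where a reader of struct vnode will look; I would write `struct label v_label; /* MAC label; vnode lock: read shared, write exclusive */`. Since the label is embedded by value and the `#include <sys/mac.h>` in the first hunk is unconditional, every vnode appears to carry the label whether or not MAC is configured into the kernel; if that is intended, a one-line comment saying so would save the next reader from looking for a missing `#ifdef MAC`. The code that initializes the label when a vnode is allocated and releases it on reclaim is not in this diff, so I cannot tell from here whether a freshly allocated vnode's label is in a defined state before its first read under the shared lock. struct vnode continues past the end of this hunk.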