PERFORCE change 15659 for review
Chris Costello
chris at freebsd.org
Wed Aug 7 20:53:15 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15659
Change 15659 by chris at chris_holly on 2002/08/07 13:52:26
o Clarify create_root_mount vs. create_mount
o Minor spelling and markup fixes
o Fix one entry point missed in the action_object -> object_action
thing
o Note that the access(2) checks should be the same as in
mpo_check_open.
o Make note of race conditions involved in dealing with UIO_USERSPACE
uio, and that the `uio' parameter to mpo_check_setextattr might be
NULL.
o Add some man page references.
o `_' is an illegal character for section ids.
o Add mpo_check_socket_visible.
Affected files ...
.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#12 edit
Differences ...
==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#12 (text+ko) ====
@@ -1336,8 +1336,7 @@
<para>Fill out the labels on the mount point being created by
the passed subject credential. This call will be made when
- a new file system is mounted, other than the root file
- system.</para>
+ a new file system is mounted.</para>
</sect3>
<sect3 id="mac-mpo-create-root-mount">
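Review bot: dropping "other than the root file system" makes this entry say create_mount fires for every mount, but the reader has no hint here that the root mount then also receives a second, separate call; consider adding a clause such as "for the root file system, &mac.mpo;_create_root_mount is called afterwards" so the ordering is documented in both entries rather than only in the create_root_mount one.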
@@ -1374,7 +1373,8 @@
<para>Fill out the labels on the mount point being created by
the passed subject credential. This call will be made when
- the root file system is mounted.</para>
+ the root file system is mounted, after
+ &mac.mpo;_create_mount;.</para>
</sect3>
<sect3 id="mac-mpo-vnode-relabel">
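Review bot: the added text `&mac.mpo;_create_mount;.` carries a stray trailing semicolon after the literal `_create_mount`, which will render as a spurious ";" in the output; elsewhere in this file function names are also wrapped in `<function>` (e.g. `<function>&mac.mpo;_check_vnode_open</function>`), so this should read `<function>&mac.mpo;_create_mount</function>.`.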
@@ -1906,7 +1906,7 @@
<row>
<entry><parameter>newsocket</parameter></entry>
- <entry>Object; phild socket; incoming connection</entry>
+ <entry>Object; child socket; incoming connection</entry>
</row>
<row>
@@ -3248,13 +3248,14 @@
</sect3>
- <sect3 id="mac-mpo-cred-check-connect-socket">
- <title><function>&mac.mpo;_check_connect_socket</function></title>
+
+ <sect3 id="mac-mpo-cred-check-socket-connect">
+ <title><function>&mac.mpo;_check_socket_connect</function></title>
<funcsynopsis>
<funcprototype>
<funcdef>int
- <function>&mac.mpo;_check_connect_socket</function></funcdef>
+ <function>&mac.mpo;_check_socket_connect</function></funcdef>
<paramdef>struct ucred
*<parameter>cred</parameter></paramdef>
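Review bot: renaming the section id from `mac-mpo-cred-check-connect-socket` to `mac-mpo-cred-check-socket-connect` silently breaks any `<xref linkend=...>` or `<link linkend=...>` that still points at the old id; the change should include a grep of the book for the old id (and for `mac-mpo-cred-check-proc_signal`, also renamed in this change) so the build does not fail on unresolved linkends.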
@@ -3744,8 +3745,10 @@
<para>Determine how invocations of &man.access.2; and related
calls by the subject credential should return when performed
- on the passed vnode using the passed access flags. Return
- <returnvalue>0</returnvalue> for success, or an
+ on the passed vnode using the passed access flags. This
+ should generally be implemented using the same semantics
+ used in <function>&mac.mpo;_check_vnode_open</function>.
+ Return <returnvalue>0</returnvalue> for success, or an
<varname>errno</varname> value for failure. Suggested
failure: <errorcode>EACCES</errorcode> for label mismatches
or <errorcode>EPERM</errorcode> for lack of
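Review bot: the new sentence tells implementers to mirror `&mac.mpo;_check_vnode_open` but not why; a short rationale would make the requirement stick, namely that a policy answering &man.access.2; differently from open(2) either lets a caller learn about access it cannot actually exercise or reports a denial for an open that would succeed, so the two checks must agree for the same vnode and access mode. The surrounding wording "how invocations ... should return" is also awkward and could be "whether invocations ... should succeed".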
@@ -4649,7 +4652,7 @@
<para>Determine whether the subject credential can revoke
access to the passed vnode. Return
<returnvalue>0</returnvalue> for success, or an
- <errorcode>errno</errorcode> value for failure. Suggested
+ <varname>errno</varname> value for failure. Suggested
failure: <errorcode>EACCES</errorcode> for label mismatch,
or <errorcode>EPERM</errorcode> for lack of
privilege.</para>
@@ -4784,9 +4787,14 @@
extended attribute of passed name and passed namespace on
the passed vnode. Policies implementing security labels
backed into extended attributes may want to provide
- additional protections for those attributes. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
+ additional protections for those attributes. Additionally,
+ policies should avoid making decisions based on the data
+ referenced from <parameter>uio</parameter>, as there is a
+ potential race condition between this check and the actual
+ operation. The <parameter>uio</parameter> may also be
+ <literal>NULL</literal> if a delete operation is being
+ performed. Return <returnvalue>0</returnvalue> for success,
+ or an <varname>errno</varname> value for failure. Suggested
failure: <errorcode>EACCES</errorcode> for label mismatch,
or <errorcode>EPERM</errorcode> for lack of
privilege.</para>
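Review bot: "policies should avoid making decisions based on the data referenced from uio" understates the problem described in the change description (a UIO_USERSPACE uio); the data lives in user memory and can be rewritten between this check and the copy performed by the operation, so the text should say the contents must not be relied on for the access decision, and state the reason. For the NULL case, say explicitly that a policy must test `uio` for `NULL` before dereferencing it, since the attribute name and namespace are still valid inputs for a delete.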
@@ -5009,12 +5017,12 @@
<row>
<entry><parameter>atime</parameter></entry>
- <entry>Access time</entry>
+ <entry>Access time; see &man.utimes.2;</entry>
</row>
<row>
<entry><parameter>mtime</parameter></entry>
- <entry>Modification time</entry>
+ <entry>Modification time; see &man.utimes.2;</entry>
</row>
</tbody>
</tgroup>
@@ -5069,9 +5077,11 @@
failure: <errorcode>EACCES</errorcode> for label mismatch,
<errorcode>EPERM</errorcode> for lack of privilege, or
<errorcode>ESRCH</errorcode> to limit visibility.</para>
+
+ <para>See &man.setpriority.2; for more information.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-proc_signal">
+ <sect3 id="mac-mpo-cred-check-proc-signal">
<title><function>&mac.mpo;_check_proc_signal</function></title>
<funcsynopsis>
@@ -5104,7 +5114,7 @@
<row>
<entry><parameter>signal</parameter></entry>
- <entry>Signal; see &man.sigaction.2;</entry>
+ <entry>Signal; see &man.kill.2;</entry>
</row>
</tbody>
</tgroup>
@@ -5163,10 +5173,12 @@
<para>Determine whether the subject credential can
<function>stat</function> the passed vnode. Return
<returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
+ <varname>errno</varname> value for failure. Suggested
failure: <errorcode>EACCES</errorcode> for label mismatch,
or <errorcode>EPERM</errorcode> for lack of
privilege.</para>
+
+ <para>See &man.stat.2; for more information.</para>
</sect3>
<sect3 id="mac-mpo-cred-check-ifnet-transmit">
@@ -5297,6 +5309,59 @@
or <errorcode>EPERM</errorcode> for lack of
privilege.</para>
</sect3>
+
+ <sect3 id="mac-mpo-check-socket-visible">
+ <title><function>&mac.mpo;_check_socket_visible</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_check_socket_visible</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct socket
+ *<parameter>so</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>socketlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ <entry>Immutable</entry>
+ </row>
+
+ <row>
+ <entry><parameter>so</parameter></entry>
+ <entry>Object; socket</entry>
+ </row>
+
+ <row>
+ <entry><parameter>socketlabel</parameter></entry>
+ <entry>Policy label for
+ <parameter>so</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject credential cred can "see"
+ the passed socket (<parameter>socket</parameter>) using
+ system monitoring functions, such as those employed by
+ &man.netstat.8; and &man.sockstat.1;. Return
+ <returnvalue>0</returnvalue> for success, or an
+ <varname>errno</varname> value for failure. Suggested
+ failure: <errorcode>EACCES</errorcode> for label mismatches,
+ <errorcode>EPERM</errorcode> for lack of privilege, or
+ <errorcode>ESRCH</errorcode> to hide visibility.</para>
+ </sect3>
</sect2>
</sect1>
</chapter>
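Review bot: the description paragraph refers to the socket as `(<parameter>socket</parameter>)`, but the prototype and the table name the parameter `so`; the prose should use `<parameter>so</parameter>`, and "subject credential cred" should likewise be marked up as `<parameter>cred</parameter>`. Two smaller consistency points in the same hunk: the id `mac-mpo-check-socket-visible` omits the `cred-` element used by the neighbouring `mac-mpo-cred-check-ifnet-transmit` and `mac-mpo-cred-check-socket-connect`, and the suggested `ESRCH` failure reads "to hide visibility" where the existing sections say "to limit visibility".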