PERFORCE change 16219 for review
Chris Costello
chris at freebsd.org
Sun Aug 18 20:24:32 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=16219
Change 16219 by chris at chris_holly on 2002/08/18 13:24:00
Apply introductory text written by Robert Watson, and a few
more sections written by same.
Affected files ...
.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#13 edit
Differences ...
==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#13 (text+ko) ====
@@ -70,59 +70,180 @@
(Discreationary Access Control) policies of BSD Unix systems.</para>
<para>This chapter introduces the MAC policy framework and
- provides documentation for an sample MAC policy module.</para>
+ provides documentation for a sample MAC policy module.</para>
</sect1>
- <sect1 id="mac-architecture">
- <title>Architecture</title>
- <para>XFIG: .. MAC architecture, the path of process -> syscall ->
- MAC_PERFORM -> policy</para>
+ <sect1 id="mac-introduction">
+ <title>Introduction</title>
+
+ <para>The TrustedBSD MAC framework provides a mechanism to allow
+ the compile-time or run-time extension of the kernel access
+ control model. New system policies may be implemented as
+ kernel modules and linked to the kernel; if multiple policy
+ modules are present, their results will be composed. While the
+ framework is intended to support a variety of access control
+ models, its design was derived from the requirements of a set
+ of specific access control models required for the TrustedBSD
+ and CBOSS Projects. This includes support for fixed and
+ floating label Biba integrity policies, the MLS
+ confidentiality policy, the Type Enforcement rule-based access
+ control policy, and the ability to support layering of the NSA
+ FLASK framework above the TrustedBSD MAC framework. This
+ document describes the rough architecture of the framework,
+ with the understanding that this is a work-in-progress and may
+ change subtantially as requirements evolve.</para>
+ </sect1>
+
+ <sect1 id="mac-kernel-arch">
+ <title>Kernel Architecture</title>
+
+ <para>The TrustedBSD MAC framework provides the opportunity for
+ policy modules to be augment system access control decisions.
+ Policies are permitted the opportunity to restrict the set of
+ rights available for processes at a variety of relevant points
+ in the kernel. In addition, they are provided the opportunity
+ to tag processes and various kernel objects with labels storing
+ access control information. Policy modules may register
+ interest in a subset of the total available events or objects,
+ and are not required to implement events or objects that are not
+ relevant to the policy. Multiple modules may be loaded at once,
+ and the results of the modules are composed as necessary to
+ build an over-all system policy. Policy modules may be
+ implemented such that they can be loaded on-demand at run-time,
+ or such that they may only be loaded early in the boot process.
+ This permits policies requiring pervasive labeling of all
+ objects to prevent improper use.</para>
</sect1>
-
- <sect1 id="mac-locking">
- <title>Locking</title>
-
- <!-- XXX: Update this; copied from mac(9). -->
- <para>Module writers must be aware of the locking semantics of
- entry points that they implement: MAC API entry points will have
- specific locking or reference counting semantics for each
- argument, and modules must follow the locking and reference
- counting protocol or risk a variety of failure modes, including
- race conditions, imappropriate pointer dereferences, etc.</para>
-
- <para>MAC module writers must also be aware that MAC API entry
- points will frequently be invoked from deep in a kernel stack,
- and as such must be careful to avoid violating more global
- locking requirements, such as global lock order requirements.
- For example, it may be inappropriate to lock additional objects
- not specifically maintained and ordered by the policy module, or
- the policy module might violate a global ordering requirement
- relating to those additional objects.</para>
-
- <para>Finally, MAC API module implementors must be careful to
- avoid inappropriately calling back into the MAC framework: the
- framework makes use of locking to prevent inconsistencies during
- policy module attachment and detachment. MAC API modules should
- avoid producing scenarios in which deadlocks or inconsistencies
- might occur.</para>
+
+ <sect1 id="mac-userland-arch">
+ <title>Userland Architecture</title>
+
+ <para>...</para>
</sect1>
- <sect1 id="mac-policy-ops">
- <title>Policy Operations</title>
+ <sect1 id="mac-entry-point">
+ <title>Entry Point Framework</title>
+
+ <para>Four classes of entry points are offered to policies
+ registered with the framework: entry points associated with
+ the registration and management of policies, entry points
+ denoting initialization, creation, destruction, and other life
+ cycle events for kernel objects, events assocated with access
+ control decisions that the policy module may influence, and
+ calls associated with the management of labels on objects. In
+ addition, a <function>mac_syscall()</function> entry point is
+ provided so that policies may extend the kernel interface
+ without registering new system calls.</para>
+
+ <para>Policy module writers should be aware of the kernel
+ locking strategy, as well as what object locks are available
+ during which entry points. Writers should attempt to avoid
+ deadlock scenarios by avoiding grabbing non-leaf locks inside
+ of entry points, and also follow the locking protocol for
+ object access and modification. In particular, writers should
+ be aware that while necessary locks to access objects and
+ their labels are generally held, sufficient locks to modify an
+ object or its label may not be present for all entry points.
+ Locking information for arguments is documented in the MAC
+ framework entry point document.</para>
+
+ <para>Policy entry points will pass a reference to the object
+ label along with the object itself. This permits labeled
+ policies to be unaware of the internals of the object yet
+ still make decisions based on the label. The exception to this
+ is the process credential, which is assumed to be understood
+ by policies as a first class security object in the kernel.
+ Policies that do not implement labels on kernel objects will
+ be passed NULL pointers for label arguments to entry
+ points.</para>
+
+ <sect2 id="policy-module-registration">
+ <title>Policy Module Registration</title>
+
+ <para>Modules may be declared using the
+ <function>MAC_POLICY_SET()</function> macro, which names the
+ policy, provides a reference to the MAC entry point vector,
+ provides load-time flags determining how the policy framework
+ should handle the policy, and optionally requests the
+ allocation of label state by the framework:</para>
+
+ <programlisting>static struct mac_policy_op_entry mac_none_ops[] =
+{
+ { MAC_DESTROY,
+ (macop_t)mac_none_destroy },
+ { MAC_INIT,
+ (macop_t)mac_none_init },
+ { MAC_INIT_BPFDESC,
+ (macop_t)mac_none_init_bpfdesc },
+/* ... */
+ { MAC_CHECK_VNODE_STAT,
+ (macop_t)mac_none_check_vnode_stat },
+ { MAC_CHECK_VNODE_WRITE,
+ (macop_t)mac_none_check_vnode_write },
+ { MAC_OP_LAST, NULL }
+};</programlisting>
- <para>The MAC policy framework implements policy operation entry
- points which supply policy modules with relevant data on a
- subject and the operation it is attempting to perform on an
- object.</para>
-
- <sect2 id="mac-module-ops">
- <title>Policy Module Operations</title>
-
- <para>The MAC policy framework includes the ability for policies
- to be compiled as separate loadable kernel modules. The
- following entry points are defined for module-related
- events.</para>
+ <para>The MAC policy entry point vector,
+ <varname>mac_none_ops</varname> in this example, associates
+ functions defined in the module with specific entry points. A
+ complete listing of available entry points and their
+ prototypes may be found in the MAC entry point reference
+ section. Of specific interest during module registration are
+ the <symbol>MAC_DESTROY</symbol> and <symbol>MAC_INIT</symbol>
+ entry points. <symbol>MAC_INIT</symbol> will be invoked once a
+ policy is successfully registered with the module framework
+ but prior to any other entry points becoming active. This
+ permits the policy to perform any policy-specific allocation
+ and initialization, such as initialization of any data or
+ locks. <symbol>MAC_DESTROY</symbol> will be invoked when a
+ policy module is unloaded to permit releasing of any allocated
+ memory and destruction of locks. Currently, these two entry
+ points are invoked with the MAC policy list mutex held to
+ prevent any other entry points from being invoked: this will
+ be changed, but in the mean time, policies should be careful
+ about what kernel primitives they invoke so as to avoid lock
+ ordering or sleeping problems.</para>
+
+ <para>The policy declaration's module name field exists so that
+ the module may be uniquely identified for the purposes of
+ module dependencies. An appropriate string should be selected.
+ The full string name of the policy is displayed to the user
+ via the kernel log during load and unload events, and also
+ exported when providing status information to userland
+ processes.</para>
+
+ <para>The policy flags field permits the module to provide the
+ framework with information about its loader-related
+ capabilities. Currently, two flags are defined:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>MPC_LOADTIME_FLAG_UNLOADOK</term>
+
+ <listitem>
+ <para>This flag indicates that the policy module may be
+ unloaded. If this flag is not provided, then the policy
+ framework will reject requests to unload the module.
+ This flag might be used by modules that allocate label
+ state and are unable to free that state at
+ runtime.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>MPC_LOADTIME_FLAG_NOTLATE</term>
+
+ <listitem><para>This flag indicates that the policy module
+ must be loaded and initialized early in the boot
+ process. If the flag is specified, attempts to register
+ the module following boot will be rejected. The flag
+ may be used by policies that require pervasive labeling
+ of all system objects, and cannot handle objects that
+ have not been properly initialized by the policy.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
<sect3 id="mac-mpo-init">
<title><function>&mac.mpo;_init</function</title>
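Review bot: "policy modules to be augment system access control decisions" in the first paragraph of the new Kernel Architecture section should read "to augment"; two further typos in the added prose are "subtantially" (Introduction) and "assocated" (Entry Point Framework), and the unchanged context line "(Discreationary Access Control)" just above the hunk should become "Discretionary" while this area is being rewritten. Dropping the old mac-locking section loses its third paragraph, the warning that modules must not call back into the MAC framework because the framework itself takes locks during policy attachment and detachment; the new locking paragraph under Entry Point Framework covers lock ordering and non-leaf locks but not that hazard, so carry that sentence over. The new sect2 id "policy-module-registration" is the only id in the file without the "mac-" prefix (compare mac-introduction, mac-kernel-arch, mac-userland-arch, mac-entry-point); suggest "mac-policy-module-registration". The Userland Architecture section is left as "<para>...</para>"; fine as a stub, but mark it with an XXX comment as the removed Locking section did so it is not forgotten. Finally, the context line "<title><function>&mac.mpo;_init</function</title>" is missing the ">" on the closing function tag; since this change reparents that sect3 under the new Policy Module Registration sect2, fix the tag here so the document validates.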
@@ -184,891 +305,82 @@
caution should be applied.</para>
</sect3>
</sect2>
+
+ <sect2 id="mac-label-events">
+ <title>Label Events</title>
+
+ <para>This class of entry points is used by the MAC framework to
+ permit policies to maintain label information on kernel
+ objects. For each labeled kernel object of interest to a MAC
+ policy, entry points may be registered for relevant life cycle
+ events. All objects implement initialization, creation, and
+ destruction hooks. Some objects will also implement
+ relabeling, allowing user processes to change the labels on
+ objects. Some objects will also implement object-specific
+ events, such as label events associated with IP reassembly. A
+ typical labeled object will have the following life cycle of
+ entry points:</para>
- <sect2 id="mac-label-operations">
- <title>Label Operations</title>
+ <programlisting>Label initialization o
+(object-specific wait) \
+Label creation o
+ \
+Relabel events, o--<--.
+Various object-specific, | |
+Access control events ~-->--o
+ \
+Label destruction o</programlisting>
+
+ <para>Label initialization permits policies to allocate memory
+ and set initial values for labels without context for the use
+ of the object. The label slot allocated to a policy will be
+ zero'd by default, so some policies may not need to perform
+ initialization.</para>
+
+ <para>Label creation occurs when the kernel structure is
+ associated with an actual kernel object. For example, mbufs
+ may be allocated and remain unused in a pool until they are
+ required. mbuf allocation causes label initialization on the
+ mbuf to take place, but mbuf creation occurs when the mbuf is
+ associated with a datagram. Typically, context will be
+ provided for a creation event, including the circumstances of
+ the creation, and labels of other relevant objects in the
+ creation process. For example, when an mbuf is created from a
+ socket, the socket and its label will be presented to
+ registered policies in addition to the new mbuf and its label.
+ Memory allocation in creation events is discouraged, as it may
+ occur in performance sensitive ports of the kernel; in
+ addition, creation calls are not permitted to fail so a
+ failure to allocate memory cannot be reported.</para>
+
+ <para>Object specific events do not generally fall into the
+ other broad classes of label events, but will generally
+ provide an opportunity to modify or update the label on an
+ object based on additional context. For example, the label on
+ an IP fragment reassembly queue may be updated during the
+ <symbol>MAC_UPDATE_IPQ</symbol> entry point as a result of the
+ acceptance of an additional mbuf to that queue.</para>
+
+ <para>Access control events are discussed in detail in the
+ following section.</para>
+
+ <para>Label destruction permits policies to release storage or
+ state associated with a label during its association with an
+ object so that the kernel data structures supporting the
+ object may be reused or released.</para>
+
+ <para>In addition to labels associated with specific kernel
+ objects, an additional class of labels exists: temporary
+ labels. These labels are used to store update information
+ submitted by user processes. These labels are initialized and
+ destroyed as with other label types, but the creation event is
+ <symbol>MAC_INTERNALIZE</symbol>, which accepts a user label
+ to be converted to an in-kernel representation.</para>
- <para>...</para>
-
- <sect3 id="mac-mpo-init-bpfdesc">
- <title><function>&mac.mpo;_init_bpfdesc</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_bpfdesc</function></funcdef>
-
- <paramdef>struct bpf_d
- *<parameter>bpf_d</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>bpf_d</parameter></entry>
- <entry>Object; bpf descriptor</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to apply</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label on a newly instantiated bpfdesc (BPF
- descriptor)</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-devfsdirent">
- <title><function>&mac.mpo;_init_devfsdirent</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_devfsdirent</function></funcdef>
-
- <paramdef>struct devfs_dirent
- *<parameter>devfs_dirent</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>devfs_dirent</parameter></entry>
- <entry>Object; devfs directory entry</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to apply</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label on a newly instantiated devfs
- entry.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-ifnet">
- <title><function>&mac.mpo;_init_ifnet</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_ifnet</function></funcdef>
-
- <paramdef>struct ifnet
- *<parameter>ifnet</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>ifnet</parameter></entry>
- <entry>Object; network interface</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to apply</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label on a newly instantiated network
- interface.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-ipq">
- <title><function>&mac.mpo;_init_ipq</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_ipq</function></funcdef>
-
- <paramdef>struct ipq
- *<parameter>ipq</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>ipq</parameter></entry>
- <entry>Object; IP reassembly queue</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to apply</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label on a newly instantiated IP fragment
- reassembly queue.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-mbuf">
- <title><function>&mac.mpo;_init_mbuf</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_mbuf</function></funcdef>
-
- <paramdef>struct mbuf
- *<parameter>mbuf</parameter></paramdef>
- <paramdef>int <parameter>how</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>mbuf</parameter></entry>
- <entry>Object; mbuf</entry>
- </row>
-
- <row>
- <entry><parameter>how</parameter></entry>
- <entry>Blocking/non-blocking &man.malloc.9; see
- below</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label to initialize</entry>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label on a newly instantiated mbuf packet
- header (<parameter>mbuf</parameter>). The
- <parameter>how</parameter> field may be one of
- <symbol>M_WAITOK</symbol> and <symbol>M_NOWAIT</symbol>, and
- should be employed to avoid performing a blocking
- &man.malloc.9; during this initialization call. Mbuf
- allocation frequently occurs in performance sensitive
- environments, and the implementation should be careful to
- avoid blocking or long-lived operations. This entry point
- is permitted to fail resulting in the failure to allocate
- the mbuf header.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-mount">
- <title><function>&mac.mpo;_init_mount</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_mount</function></funcdef>
-
- <paramdef>struct mount
- *<parameter>mount</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mntlabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <!-- XXX: Wording on label descriptions. -->
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>mount</parameter></entry>
- <entry>Object; file system mount point</entry>
- </row>
-
- <row>
- <entry><parameter>mntlabel</parameter></entry>
- <entry>Policy label to be initialized for the mount
- itself</entry>
- </row>
-
- <row>
- <entry><parameter>fslabel</parameter></entry>
- <entry>Policy label to be initialized for the file
- system</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the labels on a newly instantiated mount
- point.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-socket">
- <title><function>&mac.mpo;_init_socket</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_socket</function></funcdef>
-
- <paramdef>struct socket
- *<parameter>socket</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>struct label
- *<parameter>peerlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>socket</parameter></entry>
- <entry>Object; socket</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to apply to the socket</entry>
- </row>
-
- <row>
- <entry><parameter>peerlabel</parameter></entry>
- <entry>New label to apply to the socket's peer</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the labels on a newly instantiated
- socket.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-cred">
- <title><function>&mac.mpo;_init_cred</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_cred</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject; user credetial</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the labels on a newly instantiated subject.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-temp">
- <title><function>&mac.mpo;_init_temp</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_temp</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Temporary label</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize a newly instantiated temporary label;
- temporary labels are frequently used to hold label update
- requests.</para>
- </sect3>
-
- <sect3 id="mac-mpo-init-vnode">
- <title><function>&mac.mpo;_init_vnode</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_vnode</function></funcdef>
-
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; file system object</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>New label to initialize</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize the label on a newly instantiated vnode.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-bpfdesc">
- <title><function>&mac.mpo;_destroy_bpfdesc</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_bpfdesc</function></funcdef>
-
- <paramdef>struct bpf_d
- *<parameter>bpf_d</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>bpf_d</parameter></entry>
- <entry>Object; bpf descriptor</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on a BPF descriptor. In this entry
- point, a policy module should free any internal storage
- associated with <parameter>label</parameter> so that it may
- be destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-devfsdirent">
- <title><function>&mac.mpo;_destroy_devfsdirent</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_devfsdirent</function></funcdef>
-
- <paramdef>struct devfs_dirent
- *<parameter>devfs_dirent</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>devfs_dirent</parameter></entry>
- <entry>Object; devfs directory entry</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on a devfs entry. In this entry
- point, a policy module should free any internal storage
- asociated with <parameter>label</parameter> so that it may
- be destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-ifnet">
- <title><function>&mac.mpo;_destroy_ifnet</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_ifnet</function></funcdef>
-
- <paramdef>struct ifnet
- *<parameter>ifnet</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>ifnet</parameter></entry>
- <entry>Object; network interface</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on a removed interface. In this entry
- point, a policy module should free any internal storage
- associated with <parameter>label</parameter> so that it may
- be destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-ipq">
- <title><function>&mac.mpo;_destroy_ipq</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_ipq</function></funcdef>
-
- <paramdef>struct ipq
- *<parameter>ipq</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>ipq</parameter></entry>
- <entry>Object; IP reassembly queue</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on an IP fragment queue. In this
- entry point, a policy module should free any internal
- storage associated with <parameter>label</parameter> so that
- it may be destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-mbuf">
- <title><function>&mac.mpo;_destroy_mbuf</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_mbuf</function></funcdef>
-
- <paramdef>struct mbuf
- *<parameter>mbuf</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>mbuf</parameter></entry>
- <entry>Object; mbuf</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on an mbuf header. In this entry
- point, a policy module should free any internal storage
- associated with <parameter>label</parameter> so that it may
- be destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-mount">
- <title><function>&mac.mpo;_destroy_mount</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_mount</function></funcdef>
-
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mntlabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>mp</parameter></entry>
- <entry>Object; file system mount point</entry>
- </row>
-
- <row>
- <entry><parameter>mntlabel</parameter></entry>
- <entry>Mount point label being destroyed</entry>
- </row>
-
- <row>
- <entry><parameter>fslabel</parameter></entry>
- <entry>File system label being destroyed>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the labels on a mount point. In this entry
- point, a policy module should free the internal storage
- associated with <parameter>mntlabel</parameter> and
- <parameter>fslabel</parameter> so that they may be
- destroyed.</para>
- </sect3>
-
- <sect3 id="mac-mpo-destroy-socket">
- <title><function>&mac.mpo;_destroy_socket</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_socket</function></funcdef>
-
- <paramdef>struct socket
- *<parameter>socket</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>struct label
- *<parameter>peerlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>socket</parameter></entry>
- <entry>Object; socket</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Socket label being destroyed</entry>
- </row>
-
- <row>
- <entry><parameter>peerlabel</parameter></entry>
- <entry>Socket peer label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the labels on a socket. In this entry point, a
- policy module should free any internal storage associated
- with <parameter>label</parameter> and
- <parameter>peerlabel</parameter> so that they may be
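Review bot: this hunk deletes the per-entry-point reference entries (the &mac.mpo;_init_* and &mac.mpo;_destroy_* sect3 blocks with their funcsynopsis and parameter tables) without replacing them, while the text added in the first hunk still tells readers that "A complete listing of available entry points and their prototypes may be found in the MAC entry point reference section"; either keep those sect3 blocks or land the reference section in this change so the cross-reference does not dangle, and say so in the change description, which only mentions adding sections. If the old entries are restored later, note that the removed mount table carries a malformed cell, "<entry>File system label being destroyed>", which needs its closing tag. In the new Label Events prose, "zero'd" should be "zeroed" and "performance sensitive ports of the kernel" should read "parts of the kernel". The remainder of the hunk is cut off by the mail truncation, so the closing tag of the new mac-label-events sect2 could not be checked here.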
>>> TRUNCATED FOR MAIL (1000 lines) <<<