PERFORCE change 16221 for review
Chris Costello
chris at freebsd.org
Sun Aug 18 20:49:02 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=16221
Change 16221 by chris at chris_holly on 2002/08/18 13:48:09
Run through sgml-indent-buffer
Affected files ...
.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#14 edit
Differences ...
==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#14 (text+ko) ====
@@ -41,17 +41,17 @@
<author>
<firstname>Chris</firstname>
<surname>Costello</surname>
-
+
<affiliation>
<orgname>TrustedBSD Project</orgname>
<address><email>chris at FreeBSD.org</email></address>
</affiliation>
</author>
-
+
<author>
<firstname>Robert</firstname>
<surname>Watson</surname>
-
+
<affiliation>
<orgname>TrustedBSD Project</orgname>
<address><email>rwatson at FreeBSD.org</email></address>
@@ -59,41 +59,41 @@
</author>
</authorgroup>
</chapterinfo>
-
+
<title>Writing MAC Policies</title>
-
+
<sect1 id="mac-synopsis">
<title>Synopsis</title>
-
+
<para>MAC, or Mandatory Access Control, is a feature introduced by
the TrustedBSD Project to supplement the existing standard DAC
(Discreationary Access Control) policies of BSD Unix systems.</para>
-
+
<para>This chapter introduces the MAC policy framework and
provides documentation for a sample MAC policy module.</para>
</sect1>
-
-
- <sect1 id="mac-introduction">
- <title>Introduction</title>
-
- <para>The TrustedBSD MAC framework provides a mechanism to allow
- the compile-time or run-time extension of the kernel access
- control model. New system policies may be implemented as
- kernel modules and linked to the kernel; if multiple policy
- modules are present, their results will be composed. While the
- framework is intended to support a variety of access control
- models, its design was derived from the requirements of a set
- of specific access control models required for the TrustedBSD
- and CBOSS Projects. This includes support for fixed and
- floating label Biba integrity policies, the MLS
- confidentiality policy, the Type Enforcement rule-based access
- control policy, and the ability to support layering of the NSA
- FLASK framework above the TrustedBSD MAC framework. This
- document describes the rough architecture of the framework,
- with the understanding that this is a work-in-progress and may
- change subtantially as requirements evolve.</para>
- </sect1>
+
+
+ <sect1 id="mac-introduction">
+ <title>Introduction</title>
+
+ <para>The TrustedBSD MAC framework provides a mechanism to allow
+ the compile-time or run-time extension of the kernel access
+ control model. New system policies may be implemented as
+ kernel modules and linked to the kernel; if multiple policy
+ modules are present, their results will be composed. While the
+ framework is intended to support a variety of access control
+ models, its design was derived from the requirements of a set
+ of specific access control models required for the TrustedBSD
+ and CBOSS Projects. This includes support for fixed and
+ floating label Biba integrity policies, the MLS
+ confidentiality policy, the Type Enforcement rule-based access
+ control policy, and the ability to support layering of the NSA
+ FLASK framework above the TrustedBSD MAC framework. This
+ document describes the rough architecture of the framework,
+ with the understanding that this is a work-in-progress and may
+ change subtantially as requirements evolve.</para>
+ </sect1>
<sect1 id="mac-kernel-arch">
<title>Kernel Architecture</title>
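Review bot: the re-indented introduction still carries two misspellings that could be fixed in the same pass, since every line of the block is already being rewritten: "subtantially" in the last sentence of the added paragraph should be "substantially", and "Discreationary Access Control" in the unchanged synopsis context above it should be "Discretionary Access Control".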
@@ -121,42 +121,42 @@
<para>...</para>
</sect1>
-
- <sect1 id="mac-entry-point">
- <title>Entry Point Framework</title>
-
- <para>Four classes of entry points are offered to policies
- registered with the framework: entry points associated with
- the registration and management of policies, entry points
- denoting initialization, creation, destruction, and other life
- cycle events for kernel objects, events assocated with access
- control decisions that the policy module may influence, and
- calls associated with the management of labels on objects. In
- addition, a <function>mac_syscall()</function> entry point is
- provided so that policies may extend the kernel interface
- without registering new system calls.</para>
-
- <para>Policy module writers should be aware of the kernel
- locking strategy, as well as what object locks are available
- during which entry points. Writers should attempt to avoid
- deadlock scenarios by avoiding grabbing non-leaf locks inside
- of entry points, and also follow the locking protocol for
- object access and modification. In particular, writers should
- be aware that while necessary locks to access objects and
- their labels are generally held, sufficient locks to modify an
- object or its label may not be present for all entry points.
- Locking information for arguments is documented in the MAC
- framework entry point document.</para>
-
- <para>Policy entry points will pass a reference to the object
- label along with the object itself. This permits labeled
- policies to be unaware of the internals of the object yet
- still make decisions based on the label. The exception to this
- is the process credential, which is assumed to be understood
- by policies as a first class security object in the kernel.
- Policies that do not implement labels on kernel objects will
- be passed NULL pointers for label arguments to entry
- points.</para>
+
+ <sect1 id="mac-entry-point">
+ <title>Entry Point Framework</title>
+
+ <para>Four classes of entry points are offered to policies
+ registered with the framework: entry points associated with
+ the registration and management of policies, entry points
+ denoting initialization, creation, destruction, and other life
+ cycle events for kernel objects, events assocated with access
+ control decisions that the policy module may influence, and
+ calls associated with the management of labels on objects. In
+ addition, a <function>mac_syscall()</function> entry point is
+ provided so that policies may extend the kernel interface
+ without registering new system calls.</para>
+
+ <para>Policy module writers should be aware of the kernel
+ locking strategy, as well as what object locks are available
+ during which entry points. Writers should attempt to avoid
+ deadlock scenarios by avoiding grabbing non-leaf locks inside
+ of entry points, and also follow the locking protocol for
+ object access and modification. In particular, writers should
+ be aware that while necessary locks to access objects and
+ their labels are generally held, sufficient locks to modify an
+ object or its label may not be present for all entry points.
+ Locking information for arguments is documented in the MAC
+ framework entry point document.</para>
+
+ <para>Policy entry points will pass a reference to the object
+ label along with the object itself. This permits labeled
+ policies to be unaware of the internals of the object yet
+ still make decisions based on the label. The exception to this
+ is the process credential, which is assumed to be understood
+ by policies as a first class security object in the kernel.
+ Policies that do not implement labels on kernel objects will
+ be passed NULL pointers for label arguments to entry
+ points.</para>
<sect2 id="policy-module-registration">
<title>Policy Module Registration</title>
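Review bot: "events assocated with access control decisions" in the re-indented first paragraph of the Entry Point Framework section should read "events associated with"; the typo is carried over unchanged from the removed side, and an indentation-only pass is the cheapest place to correct it.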
@@ -183,7 +183,7 @@
(macop_t)mac_none_check_vnode_write },
{ MAC_OP_LAST, NULL }
};</programlisting>
-
+
<para>The MAC policy entry point vector,
<varname>mac_none_ops</varname> in this example, associates
functions defined in the module with specific entry points. A
@@ -244,24 +244,24 @@
</listitem>
</varlistentry>
</variablelist>
-
+
<sect3 id="mac-mpo-init">
<title><function>&mac.mpo;_init</function</title>
-
+
<funcsynopsis>
<funcprototype>
<funcdef>void
<function>&mac.mpo;_init</function></funcdef>
-
+
<paramdef>struct mac_policy_conf
*<parameter>conf</parameter></paramdef>
</funcprototype>
</funcsynopsis>
-
+
<informaltable>
<tgroup cols="3">
&mac.thead;
-
+
<tbody>
<row>
<entry><parameter>conf</parameter></entry>
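Review bot: the title of the mac-mpo-init sect3 has a malformed closing tag, "<title><function>&mac.mpo;_init</function</title>", where "</function" is missing its ">"; the SGML build will either reject this or silently swallow the "</title>" into the unterminated end tag. Compare the correctly formed "</function></title>" in the mpo-destroy title further down and fix this one to match.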
@@ -270,28 +270,28 @@
</tbody>
</tgroup>
</informaltable>
-
+
<para>Policy load event. The policy list mutex is held, so
caution should be applied.</para>
</sect3>
-
+
<sect3 id="mpo-destroy">
<title><function>&mac.mpo;_destroy</function></title>
-
+
<funcsynopsis>
<funcprototype>
<funcdef>void
<function>&mac.mpo;_destroy</function></funcdef>
-
+
<paramdef>struct mac_policy_conf
*<parameter>conf</parameter></paramdef>
</funcprototype>
</funcsynopsis>
-
+
<informaltable>
<tgroup cols="3">
&mac.thead;
-
+
<tbody>
<row>
<entry><parameter>conf</parameter></entry>
@@ -300,7 +300,7 @@
</tbody>
</tgroup>
</informaltable>
-
+
<para>Policy load event. The policy list mutex is held, so
caution should be applied.</para>
</sect3>
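Review bot: the description paragraph under &mac.mpo;_destroy reads "Policy load event. The policy list mutex is held, so caution should be applied.", which is a copy of the &mac.mpo;_init text; for the destroy entry point this should say "Policy unload event." (the locking caveat itself still applies and can stay).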
@@ -320,7 +320,7 @@
events, such as label events associated with IP reassembly. A
typical labeled object will have the following life cycle of
entry points:</para>
-
+
<programlisting>Label initialization o
(object-specific wait) \
Label creation o
@@ -376,2073 +376,2073 @@
destroyed as with other label types, but the creation event is
<symbol>MAC_INTERNALIZE</symbol>, which accepts a user label
to be converted to an in-kernel representation.</para>
-
- <sect3 id="mac-fs-label-event-ops">
- <title>File System Object Labeling Event Operations</title>
-
- <sect4 id="mac-mpo-create-devfs-device">
- <title><function>&mac.mpo;_create_devfs_device</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_devfs_device</function></funcdef>
-
- <paramdef>dev_t <parameter>dev</parameter></paramdef>
- <paramdef>struct devfs_dirent
- *<parameter>devfs_dirent</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>dev</parameter></entry>
- <entry>Device corresponding with
- <parameter>devfs_dirent</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>devfs_dirent</parameter></entry>
- <entry>Devfs directory entry to be labeled.</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label for <parameter>devfs_dirent</parameter>
- to be filled in.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill out the label on a devfs_dirent being created for
- the passed device. This call will be made when the device
- file system is mounted, regenerated, or a new device is made
- available.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-devfs-directory">
- <title><function>&mac.mpo;_create_devfs_directory</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_devfs_directory</function></funcdef>
-
- <paramdef>char *<parameter>dirname</parameter></paramdef>
- <paramdef>int <parameter>dirnamelen</parameter></paramdef>
- <paramdef>struct devfs_dirent
- *<parameter>devfs_dirent</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>dirname</parameter></entry>
- <entry>Name of directory being created</entry>
- </row>
-
- <row>
- <entry><parameter>namelen</parameter></entry>
- <entry>Length of string
- <parameter>dirname</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>devfs_dirent</parameter></entry>
- <entry>Devfs directory entry for directory being
- created.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill out the label on a devfs_dirent being created for
- the passed directory. This call will be made when the device
- file system is mounted, regenerated, or a new device
- requiring a specific directory hierarchy is made
- available.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-devfs-vnode">
- <title><function>&mac.mpo;_create_devfs_vnode</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_devfs_vnode</function></funcdef>
-
- <paramdef>struct devfs_dirent
- *<parameter>devfs_dirent</parameter></paramdef>
- <paramdef>struct label
- *<parameter>direntlabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>devfs_dirent</parameter></entry>
- <entry>Object; devfs directory entry</entry>
- </row>
-
- <row>
- <entry><parameter>direntlabel</parameter></entry>
- <entry>Policy label for
- <parameter>devfs_dirent</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; file system object being labeled</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill out the label on the vnode being created for the
- passed devfs_dirent. This call will be made when a vnode is
- required to represent the specified devfs_dirent in a
- mounted devfs instance.</para>
- </sect4>
-
- <sect4 id="mac-mpo-vnode-create-from-vnode">
- <title><function>&mac.mpo;_vnode_create_from_vnode</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_vnode_create_from_vnode</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>parent</parameter></paramdef>
- <paramdef>struct label
- *<parameter>parentlabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>child</parameter></paramdef>
- <paramdef>struct label
- *<parameter>childlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>parent</parameter></entry>
- <entry>Parent vnode; the directory in which
- <parameter>child</parameter> is being
- created</entry>
- </row>
-
- <row>
- <entry><parameter>parentlabel</parameter></entry>
- <entry>Policy label for
- <parameter>parent</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>child</parameter></entry>
- <entry>New vnode</entry>
- </row>
-
- <row>
- <entry><parameter>childlabel</parameter></entry>
- <entry>Label to be filled in for
- <parameter>child</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill out the label on the vnode being created in the
- passed vnode parent by the passed subject credential. This
- call will be made when a vnode is allocated during a vnode
- creation operation. For example, this call is made by
- multi-label file systems during the creation of a new file
- or directory.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-mount">
- <title><function>&mac.mpo;_create_mount</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_mount</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mnt</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>mp</parameter></entry>
- <entry>Object; file system being mounted</entry>
- </row>
-
- <row>
- <entry><parameter>mntlabel</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>mp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>fslabel</parameter></entry>
- <entry>Policy label for the file system
- <parameter>mp</parameter> mounts.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill out the labels on the mount point being created by
- the passed subject credential. This call will be made when
- a new file system is mounted.</para>
- </sect4>
-
- <sect4 id="mac-mpo-create-root-mount">
- <title><function>&mac.mpo;_create_root_mount</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_root_mount</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mntlabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry namest="first" nameend="last">See <xref
- linkend="mac-mpo-create-mount">.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill out the labels on the mount point being created by
- the passed subject credential. This call will be made when
- the root file system is mounted, after
- &mac.mpo;_create_mount;.</para>
- </sect4>
-
- <sect4 id="mac-mpo-vnode-relabel">
- <title><function>&mac.mpo;_vnode_relabel</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_vnode_relabel</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- <paramdef>struct label
- *<parameter>newlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>vnode to relabel</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Existing policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>newlabel</parameter></entry>
- <entry>New, possibly partial label to replace
- <parameter>vnodelabel</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the label on the passed vnode given the passed
- update vnode label and the passed subject credential.</para>
- </sect4>
-
- <sect4 id="mac-mpo-stdcreatevnode-ea">
- <title><function>&mac.mpo;_stdcreatevnode_ea</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_stdcreatevnode_ea</function></funcdef>
-
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>vnode to commit</entry>
- <entry>Locked on entry, locked on exit</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Label associated with
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <!-- XXX extattr.9 probably needs updating... -->
- <para>This entry point is called when a vnode is to be
- committed to disk via the extended attribute service (see
- &man.extattr.9;). If committing to the disk is successful,
- a value of <returnvalue>0</returnvalue> should be returned;
- otherwise, an appropriate error code should be
- returned.</para>
-
- <note><para>The current implementation as of July 24, 2002
- commits the data to disk from within the architecture.
- The implementation will be updated to be closer to the
- above documentation as development progresses.</para></note>
- </sect4>
-
- <sect4 id="mac-mpo-update-devfsdirent">
- <title><function>&mac.mpo;_update_devfsdirent</function></title>
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_update_devfsdirent</function></funcdef>
-
- <paramdef>struct devfs_dirent
- *<parameter>devfs_dirent</parameter></paramdef>
- <paramdef>struct label
- *<parameter>direntlabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>devfs_dirent</parameter></entry>
- <entry>Object; devfs directory entry</entry>
- </row>
-
- <row>
- <entry><parameter>direntlabel</parameter></entry>
- <entry>Policy label for
- <parameter>devfs_dirent</parameter> to be
- updated.</entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Parent vnode</entry>
- <entry>Locked</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the <parameter>devfs_dirent</parameter> label
- from the passed devfs vnode label. This call will be made
- when a devfs vnode has been successfully relabeled to commit
- the label change such that it lasts even if the vnode is
- recycled. It will also be made when when a symlink is
- created in devfs, following a call to
- <function>mac_vnode_create_from_vnode</function> to
- initialize the vnode label.</para>
- </sect4>
-
- <sect4 id="mac-mpo-update-procfsvnode">
- <title><function>&mac.mpo;_update_procfsvnode</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_update_procfsvnode</function></funcdef>
-
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; procfs vnode</entry>
- <entry>Locked</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject; credential for the process
- entry</entry>
- <entry>Immutable</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the procfs vnode label from the passed subject
- credential. This call will be made when an operation on a
- procfs vnode requires a fresh label on a process-derived
- vnode.</para>
- </sect4>
-
- <sect4 id="mac-mpo-update-vnode-from-extattr">
- <title><function>&mac.mpo;_update_vnode_from_extattr</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_update_vnode_from_extattr</function></funcdef>
-
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode whose label is being updated</entry>
- <entry>Locked</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label to refresh</entry>
- </row>
-
- <row>
- <entry><parameter>mp</parameter></entry>
- <entry>Mount point for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>fslabel</parameter></entry>
- <entry>Policy label for <parameter>vp</parameter>'s
- file system.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the vnode label by refreshing the label data from
- the extended attribute service for the vnode. The mount
- point <parameter>fslabel</parameter> is also made available
- so that the <parameter>fslabel</parameter> may be used as a
- labeling source if fallback is appropriate for the policy.
- This call is permitted to fail; if the call fails, the
- associated label refresh will also fail, causing the failure
- of the operation requiring the MAC check and vnode label
- refresh, permitting a <quote>fail closed</quote> policy if
- labeling data is not available.</para>
- </sect4>
-
- <sect4 id="mac-mpo-update-from-externalized">
- <title><function>&mac.mpo;_update_from_externalized</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_update_from_externalized</function></funcdef>
-
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- <paramdef>struct mac
- *<parameter>extmac</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- <entry>Locked</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>extmac</parameter></entry>
- <entry>Externalized MAC policy label</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the vnode label from the passed externalized
- label loaded from disk by the MAC framework. This call is
- permitted to fail; if the call fails, the associated label
- refresh will also fail, causing the failure of the operation
- requiring the MAC check and vnode label refresh, permitting
- a <quote>fail closed</quote> policy if labeling data is not
- available. This call will be obsoleted by the new extended
- attribute labeling interface.</para>
- </sect4>
-
- <sect4 id="mac-mpo-update-vnode-from-mount">
- <title><function>&mac.mpo;_update_vnode_from_mount</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_update_vnode_from_mount</function></funcdef>
-
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mountlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- <entry>Locked</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>mp</parameter></entry>
- <entry>Mount point where <parameter>vp</parameter>
- resides</entry>
- </row>
-
- <row>
- <entry><parameter>fslabel</parameter></entry>
- <entry>Policy label for the file system where
- <parameter>vp</parameter> resides.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the vnode label from the passed mount point
- label. This call is made when a single label file system
- vnode requires a label, or if the obsoleted MAC framework
- externalized extended attribute read fails.</para>
- </sect4>
- </sect3>
-
- <sect3 id="mac-ipc-label-ops">
- <title>IPC Object Labeling Event Operations</title>
-
- <sect4 id="mac-mpo-create-mbuf-from-socket">
- <title><function>&mac.mpo;_create_mbuf_from_socket</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_mbuf_from_socket</function></funcdef>
-
- <paramdef>struct socket
- *<parameter>so</parameter></paramdef>
- <paramdef>struct label
- *<parameter>socketlabel</parameter></paramdef>
- <paramdef>struct mbuf *<parameter>m</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mbuflabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
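Review bot: several parameter tables in this file-system labeling hunk do not match the funcprototype they document, and since only the removed side survives the mail truncation, please confirm the re-indented side carries the same text and fix it: in &mac.mpo;_create_devfs_directory the prototype declares "int dirnamelen" but the table row is named "namelen", and the "label" parameter has no table row at all; in &mac.mpo;_create_mount the prototype names the third parameter "mnt" while the table and the &mac.mpo;_create_root_mount prototype both use "mntlabel"; in &mac.mpo;_update_vnode_from_mount the prototype names the last parameter "mountlabel" but the table row is "fslabel". Two smaller points in the same hunk: the &mac.mpo;_create_root_mount description ends with "after &mac.mpo;_create_mount;." where the stray ";" after the function name should go and the name should be wrapped in <function> like the other cross-references, and the &mac.mpo;_update_devfsdirent description has a doubled word in "It will also be made when when a symlink is created".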
>>> TRUNCATED FOR MAIL (1000 lines) <<<