PERFORCE change 14920 for review
Chris Costello
chris at freebsd.org
Thu Jul 25 22:26:38 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14920
Change 14920 by chris at chris_holly on 2002/07/25 15:26:22
o Process labeling event ops
o Access control checks
That's "all" of the entry points, so far!
Affected files ...
.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#8 edit
Differences ...
==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#8 (text+ko) ====
@@ -2865,20 +2865,651 @@
</sect3>
</sect2>
+ <sect2 id="mac-proc-labeling-event-ops">
+ <title>Process Labeling Event Operations</title>
+
+ <para>...</para>
+
+ <sect3 id="mac-mpo-create-subject">
+ <title><function>&mac.mpo;_create_subject</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_create_subject</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>parent_cred</parameter></paramdef>
+ <paramdef>struct ucred
+ *<parameter>child_cred</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>parent_cred</parameter></entry>
+ <entry>Parent subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>child_cred</parameter></entry>
+ <entry>Child subject credential</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <!-- XXX manref -->
+ <para>Set the label of a newly created subject credential from
+ the passed subject credential. This call will be made when
+ crcopy(9) is invoked on a newly created <type>struct
+ ucred</type>. This call should not be confused with a
+ process forking or creation event.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-execve-transition">
+ <title><function>&mac.mpo;_execve_transition</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_execve_transition</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>old</parameter></paramdef>
+ <paramdef>struct ucred
+ *<parameter>new</parameter></paramdef>
+ <paramdef>struct vnode
+ *<parameter>vp</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>vnodelabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>old</parameter></entry>
+ <entry>Existing subject credential</entry>
+ <entry>Immutable</entry>
+ </row>
+
+ <row>
+ <entry><parameter>new</parameter></entry>
+ <entry>New subject credential to be labeled</entry>
+ </row>
+
+ <row>
+ <entry><parameter>vp</parameter></entry>
+ <entry>File to execute</entry>
+ <entry>Locked</entry>
+ </row>
+
+ <row>
+ <entry><parameter>vnodelabel</parameter></entry>
+ <entry>Policy label for
+ <parameter>vp</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Update the label of a newly created subject credential
+ (<parameter>new</parameter>) from the passed existing
+ subject credential (<parameter>old</parameter>) based on a
+ label transition caused by executing the passed vnode
+ (<parameter>vp</parameter>). This call occurs when a
+ process executes the passed vnode and one of the policies
+ returns a success from the
+ <function>mpo_execve_will_transition</function> entry point.
+ Policies may choose to implement this call simply by
+ invoking <function>mpo_create_subject</function> and passing
+ the two subject credentials so as not to implement a
+ transitioning event. Policies should not leave this entry
+ point unimplemented if they implement
+ <function>mpo_create_subject</function>, even if they do not
+ implement
+ <function>mpo_execve_will_transition</function>.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-execve-will-transition">
+ <title><function>&mac.mpo;_execve_will_transition</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_execve_will_transition</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>old</parameter></paramdef>
+ <paramdef>struct vnode
+ *<parameter>vp</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>vnodelabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>old</parameter></entry>
+ <entry>Subject credential prior to
+ &man.execve.2;</entry>
+ <entry>Immutable</entry>
+ </row>
+
+ <row>
+ <entry><parameter>vp</parameter></entry>
+ <entry>File to execute</entry>
+ </row>
+
+ <row>
+ <entry><parameter>vnodelabel</parameter></entry>
+ <entry>Policy label for
+ <parameter>vp</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the policy will want to perform a
+ transition event as a result of the execution of the passed
+ vnode by the passed subject credential. Return
+ <returnvalue>1</returnvalue> if a transition is required,
+ <returnvalue>0</returnvalue> if not. Even if a policy
+ returns <returnvalue>0</returnvalue>, it should behave
+ correctly in the presence of an unexpected invocation of
+ <function>mpo_execve_transition</function>, as that call may
+ happen as a result of another policy requesting a
+ transition.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-create-proc0">
+ <title><function>&mac.mpo;_create_proc0</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_create_proc0</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential to be filled in</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Create the subject credential of process 0, the parent
+ of all kernel processes.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-create-proc1">
+ <title><function>&mac.mpo;_create_proc1</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_create_proc1</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential to be filled in</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Create the subject credential of process 1, the parent
+ of all kernel processes.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-relabel-subject">
+ <title><function>&mac.mpo;_relabel_subject</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_relabel_subject</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>newlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>newlabel</parameter></entry>
+ <entry>Label update to apply to
+ <parameter>cred</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Update the label on a subject credential from the passed
+ update label.</para>
+ </sect3>
+ </sect2>
+
<sect2 id="mac-access-control-checks">
<title>Access Control Checks</title>
<para>Access control checks are implemented as checks
supplementary to existing Unix permissions.</para>
+ <sect3 id="mac-mpo-bpfdesc-check-receive-from-ifnet">
+ <title><function>&mac.mpo;_bpfdesc_check_receive_from_ifnet</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_bpfdesc_check_receive_from_ifnet</function></funcdef>
+
+ <paramdef>struct bpf_d
+ *<parameter>bpf_d</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>bpflabel</parameter></paramdef>
+ <paramdef>struct ifnet
+ *<parameter>ifnet</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>ifnetlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>bpf_d</parameter></entry>
+ <entry>Subject; BPF descriptor</entry>
+ </row>
+
+ <row>
+ <entry><parameter>bpflabel</parameter></entry>
+ <entry>Policy label for
+ <parameter>bpf_d</parameter></entry>
+ </row>
+
+ <row>
+ <entry><parameter>ifnet</parameter></entry>
+ <entry>Object; network interface</entry>
+ </row>
+
+ <row>
+ <entry><parameter>ifnetlabel</parameter></entry>
+ <entry>Policy label for
+ <parameter>ifnet</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the MAC framework should permit
+ datagrams from the passed interface to be delivered to the
+ buffers of the passed BPF descriptor. Return
+ (<returnvalue>0</returnvalue>) for success, or an
+ <varname>errno</varname> value for failure Suggested
+ failure: <errorcode>EACCES</errorcode> for label mismatches,
+ <errorcode>EPERM</errorcode> for lack of privilege.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-cred-check-bind-socket">
+ <title><function>&mac.mpo;_cred_check_bind_socket</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_cred_check_bind_socket</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct socket
+ *<parameter>socket</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>socketlabel</parameter></paramdef>
+ <paramdef>struct sockaddr
+ *<parameter>sockaddr</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>socket</parameter></entry>
+ <entry>Socket to be bound</entry>
+ </row>
+
+ <row>
+ <entry><parameter>socketlabel</parameter></entry>
+ <entry>Policy label for
+ <parameter>socket</parameter></entry>
+ </row>
+
+ <row>
+ <entry><parameter>sockaddr</parameter></entry>
+ <entry>Address of
+ <parameter>socket</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ </sect3>
+
+ <sect3 id="mac-mpo-cred-check-connect-socket">
+ <title><function>&mac.mpo;_cred_check_connect_socket</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_cred_check_connect_socket</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct socket
+ *<parameter>socket</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>socketlabel</parameter></paramdef>
+ <paramdef>struct sockaddr
+ *<parameter>sockaddr</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>socket</parameter></entry>
+ <entry>Socket to be connected</entry>
+ </row>
+
+ <row>
+ <entry><parameter>socketlabel</parameter></entry>
+ <entry>Policy label for
+ <parameter>socket</parameter></entry>
+ </row>
+
+ <row>
+ <entry><parameter>sockaddr</parameter></entry>
+ <entry>Address of
+ <parameter>socket</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject credential
+ (<parameter>cred</parameter>) can connect the passed socket
+ (<parameter>socket</parameter>) to the passed socket address
+ (<parameter>sockaddr</parameter>). Return
+ <returnvalue>0</returnvalue> for success, or an
+ <varname>errno</varname> value for failure. Suggested
+ failure: <errorcode>EACCES</errorcode> for label mismatches,
+ <errorcode>EPERM</errorcode> for lack of privilege.</para>
+ </sect3>
+
+ <sect3>
+ <title><function>&mac.mpo;_cred_check_see_cred</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_cred_check_see_cred</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>u1</parameter></paramdef>
+ <paramdef>struct ucred
+ *<parameter>u2</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>u1</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>u2</parameter></entry>
+ <entry>Object credential</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject credential
+ <parameter>u1</parameter> can <quote>see</quote> other
+ subjects with the passed subject credential
+ <parameter>u2</parameter>. Return
+ <returnvalue>0</returnvalue> for success, or an
+ <varname>errno</varname> value for failure. Suggested
+ failure: <errorcode>EACCES</errorcode> for label mismatches,
+ <errorcode>EPERM</errorcode> for lack of privilege, or
+ <errorcode>ESRCH</errorcode> to hide visibility. This call
+ may be made in a number of situations, including
+ inter-process status sysctls used by <command>ps</command>,
+ and in procfs lookups.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-cred-check-see-socket">
+ <title><function>&mac.mpo;_cred_check_see_socket</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_cred_check_see_socket</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct socket
+ *<parameter>socket</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>socketlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>socket</parameter></entry>
+ <entry>Object; socket</entry>
+ </row>
+
+ <row>
+ <entry><parameter>socketlabel</parameter></entry>
+ <entry>Policy label for
+ <parameter>socket</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ </sect3>
+
+ <sect3 id="mac-mpo-cred-check-relabel-ifnet">
+ <title><function>&mac.mpo;_cred_check_relabel_ifnet</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_cred_check_relabel_ifnet</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct ifnet
+ *<parameter>ifnet</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>ifnetlabel</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>newlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>ifnet</parameter></entry>
+ <entry>Object; network interface</entry>
+ </row>
+
+ <row>
+ <entry><parameter>ifnetlabel</parameter></entry>
+ <entry>Existing policy label for
+ <parameter>ifnet</parameter></entry>
+ </row>
+
+ <row>
+ <entry><parameter>newlabel</parameter></entry>
+ <entry>Policy label update to later be applied to
+ <parameter>ifnet</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject credential can relabel the
+ passed network interface to the passed label update.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-cred-check-relabel-socket">
+ <title><function>&mac.mpo;_cred_check_relabel_socket</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_cred_check_relabel_socket</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct socket
+ *<parameter>socket</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>socketlabel</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>newlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>socket</parameter></entry>
+ <entry>Object; socket</entry>
+ </row>
+
+ <row>
+ <entry><parameter>socketlabel</parameter></entry>
+ <entry>Existing policy label for
+ <parameter>socket</parameter></entry>
+ </row>
+
+ <row>
+ <entry><parameter>newlabel</parameter></entry>
+ <entry>Label update to later be applied to
+ <parameter>socketlabel</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject credential can relabel the
+ passed socket to the passed label update.</para>
+ </sect3>
+
<sect3 id="mac-mpo-cred-check-relabel-subject">
<title><function>&mac.mpo;_cred_check_relabel_subject</function></title>
<funcsynopsis>
<funcprototype>
<funcdef>int
- <function>&mac.mpo;_cred_check_relabel_subject</function>
- </funcdef>
+ <function>&mac.mpo;_cred_check_relabel_subject</function></funcdef>
<paramdef>struct ucred
*<parameter>cred</parameter></paramdef>
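Review bot: The paragraph added for mpo_create_proc1 repeats the mpo_create_proc0 wording word for word, so process 1 is also described as "the parent of all kernel processes". Process 1 is init, so that entry should read "the parent of all user processes". In the same hunk, the mpo_cred_check_bind_socket and mpo_cred_check_see_socket sections close straight after the table with no describing paragraph or return convention. The mpo_cred_check_see_cred section opens with a bare `<sect3>` and no id, unlike its siblings. In the bpfdesc entry, "for failure Suggested" is missing its period, and the return value 0 is parenthesised there but nowhere else.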
@@ -2890,50 +3521,101 @@
<informaltable>
<tgroup cols="3">
&mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+ <row>
+ <entry><parameter>newlabel</parameter></entry>
+ <entry>Label update to later be applied to
+ <parameter>cred</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject credential can relabel
+ itself to the passed label update.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-cred-check-relabel-vnode">
+ <title><function>&mac.mpo;_cred_check_relabel_vnode</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_cred_check_relabel_vnode</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct vnode
+ *<parameter>vp</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>vnodelabel</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>newlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
<tbody>
<row>
<entry><parameter>cred</parameter></entry>
<entry>Subject credential</entry>
+ <entry>Immutable</entry>
</row>
<row>
- <entry><parameter>newlabel</parameter</entry>
- <entry>New label to apply to subject</entry>
+ <entry><parameter>vp</parameter></entry>
+ <entry>Object; vnode</entry>
+ <entry>Locked</entry>
+ </row>
+
+ <row>
+ <entry><parameter>vnodelabel</parameter></entry>
+ <entry>Existing policy label for
+ <parameter>vp</parameter></entry>
+ </row>
+
+ <row>
+ <entry><parameter>newlabel</parameter></entry>
+ <entry>Policy label update to later be applied to
+ <parameter>vp</parameter></entry>
+ </row>
</tbody>
</tgroup>
</informaltable>
- <para>This policy operation is intended to determine whether a
- subject should be allowed to change its label. Generally,
- this is implemented by checking if the subject would be
- upgrading its own privilege by making the requested change,
- and denying (returning typically
- <errorcode>EPERM</errorcode>) the request if so.</para>
+ <para>Determine whether the subject credential can relabel the
+ passed vnode to the passed label update.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-statfs">
- <title><function>&mac.mpo;_cred_check_statfs</function</title>
+ <sect3 id="mpo-cred-check-statfs">
+ <title><function>&mac.mpo;_cred_check_statfs</function></title>
<funcsynopsis>
<funcprototype>
- <funcdef>int
- <function>&mac.mpo;_cred_check_statfs</function>
- </funcdef>
+ <funcdef>int <function>&mac.mpo;_cred_check_statfs</function></funcdef>
<paramdef>struct ucred
*<parameter>cred</parameter></paramdef>
<paramdef>struct mount
*<parameter>mp</parameter></paramdef>
<paramdef>struct label
- *<parameter>mntlabel</parameter></paramdef>
+ *<parameter>mountlabel</parameter></paramdef>
</funcprototype>
</funcsynopsis>
<informaltable>
<tgroup cols="3">
&mac.thead;
-
+
<tbody>
<row>
<entry><parameter>cred</parameter></entry>
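Review bot: The statfs section id changes from "mac-mpo-cred-check-statfs" to "mpo-cred-check-statfs", dropping the "mac-" prefix that every other sect3 id in this change carries; any existing link to the old id stops resolving, so keep the original id. Separately, the replacement paragraphs for mpo_cred_check_relabel_subject and mpo_cred_check_relabel_vnode state no return convention, while the removed relabel_subject text named EPERM as the typical denial. Add the "Return 0 for success, or an errno value for failure" sentence with suggested errors, as the other check entries have. The relabel_subject table is also missing the blank line between its two rows that the neighbouring tables use.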
@@ -2942,29 +3624,28 @@
<row>
<entry><parameter>mp</parameter></entry>
- <entry>Object; file system mount point</entry>
+ <entry>Object; file system mount</entry>
</row>
<row>
- <entry><parameter>mntlabel</parameter></entry>
- <entry>Object label</entry>
+ <entry><parameter>mountlabel</parameter></entry>
+ <entry>Policy label for
+ <parameter>mp</parameter></entry>
+ </row>
</tbody>
</tgroup>
</informaltable>
- <para>This policy operation is intended to determine whether a
- specified subject should be allowed to retrieve file system
- statistics information. Generally a policy module
- implementing this operation would compare the subject label
- (<varname>cred->cr_label</varname>) to the object label
- (<varname>mntlabel</varname>) and return
- <literal>0</literal> if the subject is to be granted the
- information requested, and <errorcode>EACCES</errorcode>
- otherwise.</para>
-
- <note><para>Figure out a scenario where using
- <parameter>mp</parameter> is immenently practical, especially
- for use in the sample module.</para></note>
+ <para>Determine whether the subject credential can see the
+ results of a statfs performed on the file system. Return
+ <returnvalue>0</returnvalue> for success, or an
+ <varname>errno</varname> value for failure. Suggested
+ failure: <errorcode>EACCES</errorcode> for label mismatches
+ or <errorcode>EPERM</errorcode> for lack of privilege. This
+ call may be made in a number of situations, including during
+ invocations of &man.statfs.2; and related calls, as well as to
+ determine what file systems to exclude from listings of file
+ systems, such as when &man.getfsstat.2; is invoked. </para>
</sect3>
<sect3 id="mac-mpo-cred-check-debug-proc">
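Review bot: The rewritten mpo_cred_check_statfs paragraph no longer says which labels a policy compares; the removed text named the subject label (cred->cr_label) and the mount label explicitly, and one clause tying "label mismatches" to cred and mountlabel would keep that guidance for module authors. Two style points in the same paragraph: there is a stray space before the closing tag in "is invoked. </para>", and the error list is joined with "or" here where the socket and credential entries use a comma. The removed note about finding a practical use for mp in the sample module was an open TODO, so record it elsewhere if it is still outstanding.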
@@ -2973,11 +3654,1390 @@
<funcsynopsis>
<funcprototype>
<funcdef>int
- <function>&mac.mpo;_cred_check_debug_proc</function>
- </funcdef>
+ <function>&mac.mpo;_cred_check_debug_proc</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct proc
+ *<parameter>proc</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ <entry>Immutable</entry>
+ </row>
+
+ <row>
+ <entry><parameter>proc</parameter></entry>
+ <entry>Object; process</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject credential can debug the
+ passed process. Return <returnvalue>0</returnvalue> for
+ success, or an <varname>errno</varname> value for failure.
+ Suggested failure: <errorcode>EACCES</errorcode> for label
+ mismatch, <errorcode>EPERM</errorcode> for lack of
+ privilege, or <errorcode>ESRCH</errorcode> to hide
+ visibility of the target. This call may be made in a number
+ of situations, including use of the &man.ptrace.2; and
+ &man.ktrace.2; APIs, as well as for some types of procfs
+ operations.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-cred-check-access-vnode">
+ <title><function>&mac.mpo;_cred_check_access_vnode</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_cred_check_access_vnode</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct vnode
+ *<parameter>vp</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ <paramdef>int <parameter>flags</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>vp</parameter></entry>
+ <entry>Object; vnode</entry>
+ </row>
+
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>Policy label for
+ <parameter>vp</parameter></entry>
+ </row>
+
+ <row>
+ <entry><parameter>flags</parameter></entry>
+ <entry>&man.access.2; flags</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine how invocations of &man.access.2; and related
+ calls by the subject credential should return when performed
+ on the passed vnode using the passed access flags. Return
+ <returnvalue>0</returnvalue> for success, or an
+ <varname>errno</varname> value for failure. Suggested
+ failure: <errorcode>EACCES</errorcode> for label mismatches
+ or <errorcode>EPERM</errorcode> for lack of
+ privilege.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-cred-check-chdir-vnode">
+ <title><function>&mac.mpo;_cred_check_chdir_vnode</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_cred_check_chdir_vnode</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct vnode
+ *<parameter>dvp</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>dlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>dvp</parameter></entry>
+ <entry>Object; vnode to &man.chdir.2; into</entry>
+ </row>
+
+ <row>
+ <entry><parameter>dlabel</parameter></entry>
+ <entry>Policy label for
+ <parameter>dvp</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject credential can change the
+ process working directory to the passed vnode. Return
+ <returnvalue>0</returnvalue> for success, or an
+ <varname>errno</varname> value for failure. Suggested
+ failure: <errorcode>EACCES</errorcode> for label mismatch,
+ or <errorcode>EPERM</errorcode> for lack of
+ privilege.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-cred-check-create-vnode">
+ <title><function>&mac.mpo;_cred_check_create_vnode</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_cred_check_create_vnode</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct vnode
+ *<parameter>dvp</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>dlabel</parameter></paramdef>
+ <paramdef>struct componentname
+ *<parameter>cnp</parameter></paramdef>
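Review bot: In mpo_cred_check_access_vnode the label parameter is named "label", while mpo_execve_transition and mpo_cred_check_relabel_vnode call the same argument "vnodelabel" and the chdir entry uses "dlabel" for a directory; rename it to "vnodelabel" so the prototypes read consistently. The third table column is also filled unevenly: relabel_vnode marks vp as "Locked", but the vp row in access_vnode, the dvp row in chdir_vnode and the proc row in debug_proc leave it empty, so a reader cannot tell whether the object is unlocked or simply undocumented. The suggested-failure sentences alternate between "label mismatch" and "label mismatches"; pick one form.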
>>> TRUNCATED FOR MAIL (1000 lines) <<<