PERFORCE change 20044 for review
Robert Watson
rwatson at freebsd.org
Thu Oct 24 16:26:54 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=20044
Change 20044 by rwatson at rwatson_tislabs on 2002/10/24 09:26:36
Manually merge mac.9 man page changes from the merge of this
manual to the main tree. Update cross-references, remove
per-entry-point documentation (this is now in the Developer's
Handbook chapter on the MAC Framework), and bring in the
credits section.
Affected files ...
.. //depot/projects/trustedbsd/mac/share/man/man9/mac.9#10 edit
Differences ...
==== //depot/projects/trustedbsd/mac/share/man/man9/mac.9#10 (text+ko) ====
@@ -34,7 +34,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $FreeBSD$
+.\" $FreeBSD: src/share/man/man9/mac.9,v 1.1 2002/10/21 23:51:18 rwatson Exp $
.\"
.Dd February 16, 2002
.Os
@@ -48,6 +48,7 @@
.Pp
In the kernel configuration file:
.Cd "options MAC"
+.Cd "options MAC_DEBUG"
.Sh DESCRIPTION
.Ss Introduction
The TrustedBSD mandatory access control framework permits dynamically
@@ -141,205 +142,8 @@
the new entry points so that they may consistently enforce their
policies.
.Sh ENTRY POINTS
-.Ss Authorizational
-.Bl -tag
-.It Ft int Fn mac_bpfdesc_check_receive_from_ifnet "struct bpf_d *bpf_d" "struct ifnet *ifnet"
-Called in
-.Xr bpf_tap 9
-before allowing
-.Xr catchpacket 9 .
-(Not called in
-.Xr bpf_mtap 9
-before allowing
-.Xr catchpacket 9 ?)
-.It Ft int Fn mac_cred_check_access_vnode "struct ucred *cred" "struct vnode *vp" "int flags"
-Called in
-.Xr vn_access 9
-before checking
-.Xr VOP_ACCESS 9 .
-.It Ft int Fn mac_cred_check_bind_socket "struct ucred *cred" "struct socket *so" "struct sockaddr *sa"
-Called in
-.Xr bind 9
-before allowing
-.Xr sobind 9 .
-.It Ft int Fn mac_cred_check_chdir_vnode "struct ucred *cred" "struct vnode *dvp"
-Called in
-.Xr chdir 9
-via
-.Xr change_dir 9
-and in
-.Xr fchdir 9 .
-.It Ft int Fn mac_cred_check_connect_socket "struct ucred *cred" "struct socket *so" "struct sockaddr *sa"
-Called in
-.Xr connect 9
-before allowing
-.Xr soconnect 9 .
-.It Ft int Fn mac_cred_check_create_vnode "struct ucred *cred" "struct vnode *dvp" "struct vattr *vap"
-Called in
-.Xr unp_bind 9
-before
-.Xr VOP_CREATE 9 ,
-.Xr symlink 9
-before
-.Xr VOP_SYMLINK 9 ,
-.Xr vn_mkdir 9
-before
-.Xr VOP_MKDIR 9 ,
-.Xr vn_open_cred 9
-before
-.Xr VOP_CREATE 9 ,
-and in
-.Xr mknod 9
-and
-.Xr mkfifo 9
-before
-.Xr VOP_MKNOD 9 .
-.It Ft int Fn mac_cred_check_deleteacl_vnode "struct ucred *cred" "struct vnode *vp" "acl_type_t type"
-Called by
-.Xr vacl_delete 9
-before
-.Xr VOP_SETACL 9 .
-.It Ft int Fn mac_cred_check_getacl_vnode "struct ucred *cred" "struct vnode *vp" "acl_type_t type"
-Called by
-.Xr vacl_get_acl 9
-before
-.Xr VOP_GETACL 9 .
-.It Ft int Fn mac_cred_check_getextattr_vnode "struct ucred *cred" "struct vnode *vp" "int attrnamespace" "const char *name" "struct uio *uio"
-Called in
-.Xr extattr_get_vp 9
-before calling
-.Xr VOP_GETEXTATTR 9 .
-.It Ft int Fn mac_cred_check_listen_socket "struct ucred *cred" "struct socket *socket"
-Called in
-.Xr listen 9
-before calling
-.Xr solisten 9 .
-.It Ft int Fn mac_cred_check_search_vnode "struct ucred *cred" "struct vnode *dvp"
-Called in
-.Xr getdents_common 9 ,
-.Xr linux_getcwd_scandir 9 ,
-.Xr svr4_sys_getdents64 9 ,
-.Xr svr4_sys_getdents 9 ,
-.Xr ibcs2_getdents 9 ,
-.Xr ibcs2_read 9 ,
-.Xr ogetdirentries 9
-and
-.Xr getdirentries 9
-before calling
-.Xr VOP_READDIR 9 .
-Called in
-.Xr lookup 9
-before calling
-.Xr VOP_LOOKUP 9 .
-.It Ft int Fn mac_cred_check_setacl_vnode "struct ucred *cred" "struct vnode *vp" "acl_type_t type" "struct acl *acl"
-Called in
-.Xr vacl_set_acl 9
-before calling
-.Xr VOP_SETACL 9 .
-.It Ft int Fn mac_cred_check_setextattr_vnode "struct ucred *cred" "struct vnode *vp" "int attrnamespace" "const char *name" "struct uio *uio"
-Called in
-.Xr extattr_set_vp 9
-and
-.Xr extattr_delete_vp 9
-before calling
-.Xr VOP_SETEXTATTR 9 .
-.It Ft int Fn mac_cred_check_setflags_vnode "struct ucred *cred" "struct vnode *vp" "u_long flags"
-Called in
-.Xr setfflags 9
-before calling
-.Xr VOP_SETATTR 9 .
-.It Ft int Fn mac_cred_check_setmode_vnode "struct ucred *cred" "struct vnode *vp" "mode_t mode"
-Called in
-.Xr setfmode 9
-before calling
-.Xr VOP_SETATTR 9 .
-.It Ft int Fn mac_cred_check_setowner_vnode "struct ucred *cred" "struct vnode *vp" "uid_t uid" "gid_t gid"
-Called in
-.Xr setfown 9
-before calling
-.Xr VOP_SETATTR 9 .
-.It Ft int Fn mac_cred_check_setutimes_vnode "struct ucred *cred" "struct vnode *vp" "struct timespec atime" "struct timespec ctime"
-Called in
-.Xr setfown 9
-before calling
-.Xr VOP_SETATTR 9 .
-.It Ft int Fn mac_cred_check_stat_vnode "struct ucred *cred" "struct vnode *vp"
-Called in
-.Xr vn_stat 9
-before calling
-.Xr VOP_GETATTR 9 .
-.It Ft int Fn mac_cred_check_delete_vnode "struct ucred *cred" "struct vnode *dvp" "struct vnode *vp"
-Called in the last component of
-.Xr namei 9
-for all DELETE operations.
-.It Ft int Fn mac_cred_check_rename_from_vnode "struct ucred *cred" "struct vnode *dvp" "struct vnode *vp"
-Called in
-.Xr rename 9
-after the
-.Xr namei 9
-DELETE operation.
-.It Ft int Fn mac_cred_check_rename_to_vnode "struct ucred *cred" "struct vnode *dvp" "struct vnode *vp" "int samedir"
-Called in
-.Xr rename 9
-after the
-.Xr namei 9
-RENAME operation and before the
-.Xr VOP_RENAME 9 .
-.It Ft int Fn mac_cred_check_open_vnode "struct ucred *cred" "struct vnode *vp" "mode_t acc_mode"
-Called by
-.Xr fcntl 9
-in the F_SETFL case before allowing flags to be changed, by
-.Xr truncate 9
-to mediate access to
-.Xr VOP_SETATTR 9
-and
-.Xr vn_open_cred 9
-when handling a non-O_CREAT vnode.
-.It Ft int Fn mac_cred_check_revoke_vnode "struct ucred *cred" "struct vnode *vp"
-Called by
-.Xr revoke 9
-to mediate access to
-.Xr VOP_REVOKE 9 .
-.It Ft int Fn mac_cred_check_statfs "struct ucred *cred" "struct mount *mp"
-Called by
-.Xr osf1_statfs 9 ,
-.Xr osf1_fstatfs 9 ,
-.Xr osf1_getfsstat 9 ,
-.Xr linux_statfs 9 ,
-.Xr linux_fstatfs 9 ,
-.Xr linux_ustat 9 ,
-.Xr statfs 9 ,
-.Xr fstatfs 9 ,
-.Xr getfsstat 9
-and
-.Xr fhstatfs 9
-before calling
-.Xr VFS_STATFS 9 .
-.El
-.Ss Label-based
-.Bl -tag
-.It Ft int Fn mac_getsockopt_label_get "struct ucred *cred" "struct socket *so" "struct mac *extmac"
-Called by
-.Xr sogetopt 9
-in the SO_LABEL case.
-.It Ft int Fn mac_getsockopt_peerlabel_get "struct ucred *cred" "struct socket *so" "struct mac *extmac"
-Called by
-.Xr sogetopt 9
-in the SO_PEERLABEL case.
-.It Ft int Fn mac_getsockopt_label_set "struct ucred *cred" "struct socket *so" "struct mac *extmac"
-Called by
-.Xr sosetopt 9
-in the SO_LABEL case.
-.It Ft int Fn mac_ioctl_ifnet_get "struct ucred *cred" "struct ifreq *ifr" "struct ifnet *ifnet"
-Called by
-.Xr ifhwioctl 9
-in the SIOCGIFMAC case.
-.It Ft int Fn mac_ioctl_ifnet_set "struct ucred *cred" "struct ifreq *ifr" "struct ifnet *ifnet"
-Called by
-.Xr ifhwioctl 9
-in the SIOCSIFMAC case.
-.El
-.Pp
+System service and module authors should reference the FreeBSD
+Developer's Handbook for information on the MAC Framework APIs.
.Sh SEE ALSO
.Xr acl 3 ,
.Xr cap 3 ,
@@ -348,6 +152,7 @@
.Xr posix1e 3 ,
.Xr ucred 9 ,
.Xr vaccess 9 ,
+.Xr vaccess_acl_posix1e 9 ,
.Xr VFS 9 ,
.Rs
.%T "FreeBSD Developers' Handbook"
@@ -357,3 +162,42 @@
.Sh AUTHORS
This man page was written by
.An Robert Watson .
+This software was contributed to the
+.Fx
+Project by Network Associates Laboratories, the Security Research
+Division of Network Associates Inc. under DARPA/SPAWAR contract
+N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research program.
+.Pp
+.An -nosplit
+The TrustedBSD MAC Framework was designed by
+.An Robert Watson ,
+and implemented by the Network Associates Laboratories Network Security
+(NETSEC), Secure Execution Environement (SEE), and Adaptive
+Network Defense research groups.
+Network Associates Laboratory staff contributing to the CBOSS Project
+include (in alphabetical order):
+.An Lee Badger ,
+.An Brian Feldman ,
+.An Tim Fraser ,
+.An Doug Kilpatrick ,
+.An Suresh Krishnaswamy ,
+.An Adam Migus ,
+.An Wayne Morrison ,
+.An Chris Vance ,
+and
+.An Robert Watson .
+.Pp
+Sub-contracted staff include:
+.An Chris Costello ,
+.An Poul-Henning Kamp ,
+.An Jonathan Lemon ,
+.An Kirk McKusick ,
+.An Dag-Erling Smorgrav .
+.Pp
+Additional contributors include:
+.An Chris Faulhaber ,
+.An Ilmar Habibulin ,
+.An Thomas Moestl ,
+and
+.An Andrew Reiter .
+.An -split