PERFORCE change 23720 for review
Chris Costello
chris at freebsd.org
Tue Jan 14 06:46:38 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=23720
Change 23720 by chris at chris_holly on 2003/01/13 22:46:30
Finish adding all the remaining MAC policy op entry points.
Affected files ...
.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#24 edit
Differences ...
==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#24 (text+ko) ====
@@ -446,6 +446,119 @@
label.</para>
</sect4>
+ <sect4 id="mac-mpo-associate-vnode-extattr">
+ <title><function>&mac.mpo;_associate_vnode_extattr</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_associate_vnode_extattr</function></funcdef>
+
+ <paramdef>struct mount
+ *<parameter>mp</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>fslabel</parameter></paramdef>
+ <paramdef>struct vnode
+ *<parameter>vp</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>vlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>mp</parameter></entry>
+ <entry>File system mount point</entry>
+ </row>
+
+ <row>
+ <entry><parameter>fslabel</parameter></entry>
+ <entry>File system label</entry>
+ </row>
+
+ <row>
+ <entry><parameter>vp</parameter></entry>
+ <entry>Vnode to label</entry>
+ </row>
+
+ <row>
+ <entry><parameter>vlabel</parameter></entry>
+ <entry>Policy label associated with
+ <parameter>vp</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Attempt to retrieve the label for
+ <parameter>vp</parameter> from the file system extended
+ attributes. Upon success, the value <literal>0</literal>
+ is returned. Should extended attribute retrieval not be
+ supported, an accepted fallback is to copy
+ <parameter>fslabel</parameter> into
+ <parameter>vlabel</parameter>. In the event of an error,
+ an appropriate value for <varname>errno</varname> should
+ be returned.</para>
+ </sect4>
+
+ <sect4 id="mac-mpo-associate-vnode-singlelabel">
+ <title><function>&mac.mpo;_associate_vnode_singlelabel</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_associate_vnode_singlelabel</function></funcdef>
+
+ <paramdef>struct mount
+ *<parameter>mp</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>fslabel</parameter></paramdef>
+ <paramdef>struct vnode
+ *<parameter>vp</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>vlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>mp</parameter></entry>
+ <entry>File system mount point</entry>
+ </row>
+
+ <row>
+ <entry><parameter>fslabel</parameter></entry>
+ <entry>File system label</entry>
+ </row>
+
+ <row>
+ <entry><parameter>vp</parameter></entry>
+ <entry>Vnode to label</entry>
+ </row>
+
+ <row>
+ <entry><parameter>vlabel</parameter></entry>
+ <entry>Policy label associated with
+ <parameter>vp</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>On non-multilabel file systems, this entry point is
+ called to set the policy label for
+ <parameter>vp</parameter> based on the file system label,
+ <parameter>fslabel</parameter>.</para>
+ </sect4>
+
<sect4 id="mac-mpo-copy-vnode-label">
<title><function>&mac.mpo;_copy_vnode_label</function></title>
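Review bot: the description of &mac.mpo;_associate_vnode_extattr leaves the failure case that matters most ambiguous. It says to fall back to copying fslabel into vlabel when extended attribute retrieval is "not supported", and otherwise to return an errno value, but it never says which of the two a vnode that simply has no label attribute falls into (fallback to the file system label, or an error that fails the lookup). Spell that out, because a policy that silently inherits fslabel on a missing or unreadable attribute and one that fails the operation have very different security properties, and a policy author will implement whichever the text seems to permit. Also, both new tables declare <tgroup cols="3"> while every row supplies only two <entry> elements; if the third column from &mac.thead; is meant for locking requirements, fill it in here (in particular whether vp is expected to be locked on entry), otherwise the rows render with an empty column.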
@@ -991,6 +1104,61 @@
&mac.internalize.para;
</sect4>
+ <sect4 id="mac-mpo-setlabel-vnode-extattr">
+ <title><function>&mac.mpo;_setlabel_vnode_extattr</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_setlabel_vnode_extattr</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct vnode
+ *<parameter>vp</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>vlabel</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>intlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>vp</parameter></entry>
+ <entry>Vnode for which the label is being
+ written</entry>
+ </row>
+
+ <row>
+ <entry><parameter>vlabel</parameter></entry>
+ <entry>Policy label associated with
+ <parameter>vp</parameter></entry>
+ </row>
+
+ <row>
+ <entry><parameter>intlabel</parameter></entry>
+ <entry>Label to write out</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Write out the policy from
+ <parameter>intlabel</parameter> to an extended
+ attribute. This is called from
+ <function>vop_stdcreatevnode_ea</function>.</para>
+ </sect4>
+
<sect4 id="mac-mpo-update-devfsdirent">
<title><function>&mac.mpo;_update_devfsdirent</function></title>
<funcsynopsis>
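Review bot: &mac.mpo;_setlabel_vnode_extattr is declared int but the paragraph never states the return convention; the companion &mac.mpo;_associate_vnode_extattr section earlier in this change spells out 0 on success and an errno value on error, and this one should do the same, including whether a failed attribute write is expected to leave vlabel untouched. "Write out the policy from intlabel" should read "Write out the policy label from intlabel". The cred row says only "Subject credential"; say whether the policy is expected to authorize the write against it here or whether that has already been done in a check entry point, since that decides whether a policy needs an access check in this function at all.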
@@ -1365,9 +1533,55 @@
<para>Set the label on a newly created mbuf header from the
passed socket label. This call is made when a new datagram
- or messsage is generated by the socket and stored in the
+ or message is generated by the socket and stored in the
passed mbuf.</para>
</sect4>
+
+ <sect4 id="mac-mpo-create-pipe">
+ <title><function>&mac.mpo;_create_pipe</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_create_pipe</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct pipe
+ *<parameter>pipe</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>pipelabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipe</parameter></entry>
+ <entry>Pipe</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipelabel</parameter></entry>
+ <entry>Policy label associated with
+ <parameter>pipe</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Set the label on a newly created pipe from the passed
+ subject credential. This call is made when a new pipe is
+ created.</para>
+ </sect4>
<sect4 id="mac-mpo-create-socket">
<title><function>&mac.mpo;_create_socket</function></title>
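Review bot: the hunk drops the blank line between the closing </sect4> of the new section and the following <sect4 id="mac-mpo-create-socket">, unlike every other section added in this change; add a "+" blank line there so the source stays consistent. In the description, "This call is made when a new pipe is created." only restates "newly created pipe"; replace it with something a policy author needs, for example that pipelabel is the freshly allocated label the policy is expected to initialize from cred, and that no other label source (such as a file or parent object) is available for a pipe.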
@@ -1577,6 +1791,59 @@
&mac.internalize.para;
</sect4>
+ <sect4 id="mac-mpo-relabel-pipe">
+ <title><function>&mac.mpo;_relabel_pipe</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_relabel_pipe</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct pipe
+ *<parameter>pipe</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>oldlabel</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>newlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipe</parameter></entry>
+ <entry>Pipe</entry>
+ </row>
+
+ <row>
+ <entry><parameter>oldlabel</parameter></entry>
+ <entry>Current policy label associated with
+ <parameter>pipe</parameter></entry>
+ </row>
+
+ <row>
+ <entry><parameter>newlabel</parameter></entry>
+ <entry>Policy label update to apply to
+ <parameter>pipe</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Apply a new label, <parameter>newlabel</parameter>, to
+ <parameter>pipe</parameter>.</para>
+ </sect4>
+
<sect4 id="mac-mpo-relabel-socket">
<title><function>&mac.mpo;_relabel_socket</function></title>
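Review bot: the description of &mac.mpo;_relabel_pipe mentions only newlabel. The table lists oldlabel as the current label, but the text does not say that the update in newlabel is to be applied to oldlabel in place, nor whether &mac.mpo;_check_pipe_relabel (added later in this change) has already been consulted by the time this is called; both points decide whether a policy performs its access check here or only updates the label. Consider something like "Update oldlabel, the current label of pipe, from the label update in newlabel" followed by the relationship to the check entry point.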
@@ -3185,7 +3452,299 @@
<para>Determine whether the subject should be allowed to
unload a kernel module.</para>
</sect3>
-
+
+ <sect3 id="mac-mpo-check-pipe-ioctl">
+ <title><function>&mac.mpo;_check_pipe_ioctl</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_check_pipe_ioctl</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct pipe
+ *<parameter>pipe</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>pipelabel</parameter></paramdef>
+ <paramdef>unsigned long
+ <parameter>cmd</parameter></paramdef>
+ <paramdef>void *<parameter>data</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipe</parameter></entry>
+ <entry>Pipe</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipelabel</parameter></entry>
+ <entry>Policy label associated with
+ <parameter>pipe</parameter></entry>
+ </row>
+
+ <row>
+ <entry><parameter>cmd</parameter></entry>
+ <entry>&man.ioctl.2; command</entry>
+ </row>
+
+ <row>
+ <entry><parameter>data</parameter></entry>
+ <entry>&man.ioctl.2; data</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject should be allowed to make
+ the specified &man.ioctl.2; call.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-check-pipe-poll">
+ <title><function>&mac.mpo;_check_pipe_poll</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_check_pipe_poll</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct pipe
+ *<parameter>pipe</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>pipelabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipe</parameter></entry>
+ <entry>Pipe</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipelabel</parameter></entry>
+ <entry>Policy label associated with
+ <parameter>pipe</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject should be allowed to poll
+ <parameter>pipe</parameter>.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-check-pipe-read">
+ <title><function>&mac.mpo;_check_pipe_read</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_check_pipe_read</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct pipe
+ *<parameter>pipe</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>pipelabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipe</parameter></entry>
+ <entry>Pipe</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipelabel</parameter></entry>
+ <entry>Policy label associated with
+ <parameter>pipe</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject should be allowed read
+ access to <parameter>pipe</parameter>.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-check-pipe-relabel">
+ <title><function>&mac.mpo;_check_pipe_relabel</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_check_pipe_relabel</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct pipe
+ *<parameter>pipe</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>pipelabel</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>newlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipe</parameter></entry>
+ <entry>Pipe</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipelabel</parameter></entry>
+ <entry>Current policy label associated with
+ <parameter>pipe</parameter></entry>
+ </row>
+
+ <row>
+ <entry><parameter>newlabel</parameter></entry>
+ <entry>Label update to
+ <parameter>pipelabel</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject should be allowed to
+ relabel <parameter>pipe</parameter>.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-check-pipe-stat">
+ <title><function>&mac.mpo;_check_pipe_stat</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_check_pipe_stat</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct pipe
+ *<parameter>pipe</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>pipelabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipe</parameter></entry>
+ <entry>Pipe</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipelabel</parameter></entry>
+ <entry>Policy label associated with
+ <parameter>pipe</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject should be allowed to
+ retrieve statistics related to
+ <parameter>pipe</parameter>.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-check-pipe-write">
+ <title><function>&mac.mpo;_check_pipe_write</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_check_pipe_write</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct pipe
+ *<parameter>pipe</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>pipelabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipe</parameter></entry>
+ <entry>Pipe</entry>
+ </row>
+
+ <row>
+ <entry><parameter>pipelabel</parameter></entry>
+ <entry>Policy label associated with
+ <parameter>pipe</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject should be allowed to write
+ to <parameter>pipe</parameter>.</para>
+ </sect3>
+
<sect3 id="mac-mpo-cred-check-socket-bind">
<title><function>&mac.mpo;_check_socket_bind</function></title>
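Review bot: none of the six new &mac.mpo;_check_pipe_* sections states the return convention, while the existing &mac.mpo;_check_socket_bind section right after this hunk ends with "failure: EACCES for label mismatches, EPERM for lack of privilege"; add the same sentence (0 to permit, an errno value to deny, with the EACCES/EPERM distinction) to each of them so policy authors pick the same error codes as the rest of the framework. The data row of &mac.mpo;_check_pipe_ioctl says only "&man.ioctl.2; data"; state whether it already points at kernel memory or is still the user pointer, because a policy that inspects it needs to know whether copyin is required, and for cmd say whether it is the raw request value passed by the caller. The "-"/"+" pair at the top of the hunk changes only an empty line and is whitespace noise in the diff.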
@@ -3296,6 +3855,98 @@
failure: <errorcode>EACCES</errorcode> for label mismatches,
<errorcode>EPERM</errorcode> for lack of privilege.</para>
</sect3>
+
+ <sect3 id="mac-mpo-check-socket-receive">
+ <title><function>&mac.mpo;_check_socket_receive</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_check_socket_receive</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct socket
+ *<parameter>so</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>socketlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>so</parameter></entry>
+ <entry>Socket</entry>
+ </row>
+
+ <row>
+ <entry><parameter>socketlabel</parameter></entry>
+ <entry>Policy label associated with
+ <parameter>so</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject should be allowed to
+ receive information from the socket
+ <parameter>so</parameter>.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-check-socket-send">
+ <title><function>&mac.mpo;_check_socket_send</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_check_socket_send</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct socket
+ *<parameter>so</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>socketlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>so</parameter></entry>
+ <entry>Socket</entry>
+ </row>
+
+ <row>
+ <entry><parameter>socketlabel</parameter></entry>
+ <entry>Policy label associated with
+ <parameter>so</parameter></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Determine whether the subject should be allowed to send
+ information across the socket
+ <parameter>so</parameter>.</para>
+ </sect3>
<sect3 id="mac-mpo-check-cred-visible">
<title><function>&mac.mpo;_check_cred_visible</function></title>
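Review bot: the blank line between the final </sect3> of the new sections and <sect3 id="mac-mpo-check-cred-visible"> is missing, unlike the other sections added in this change. The unchanged socket-bind text just before the hunk lists its return values (EACCES for label mismatches, EPERM for lack of privilege), and the new receive and send descriptions should carry the same sentence. "receive information from the socket" and "send information across the socket" are also vague for an access check: say whether the entry point is consulted once per read or write system call on so, or per delivered message, since that decides whether a policy can rely on it for anything finer than per-socket access.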
@@ -7110,7 +7761,42 @@
own.</para></note>
</sect3>
+ <sect3 id="mac-mpo-thread-userret">
+ <title><function>&mac.mpo;_thread_userret</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_thread_userret</function></funcdef>
+ <paramdef>struct thread
+ *<parameter>td</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>td</parameter></entry>
+ <entry>Returning thread</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <!-- XXX: Maybe rewrite this section. -->
+ <para>This entry point permits policy modules to perform
+ MAC-related events when a thread returns to user space.
+ This is required for policies that have floating process
+ labels, as it's not always possible to acquire the process
+ lock at arbitrary points in the stack during system call
+ processing; process labels might represent traditional
+ authentication data, process history information, or other
+ data.</para>
+ </sect3>
</sect2>
</sect1>
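Review bot: the <!-- XXX: Maybe rewrite this section. --> comment is being committed together with the text it refers to; either rewrite now or replace it with a concrete note of what is missing. The prose does need work: "perform MAC-related events" should be "perform MAC-related operations" (events are not performed), and the sentence on floating process labels runs from the locking problem straight into a list of what labels may contain without ever saying what this entry point actually guarantees, which is presumably that the process lock may be safely taken here; state that explicitly, and say whether a policy may also update the thread's credential at this point. The table's three-column tgroup holds a single two-entry row, so fill in or drop the third column.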