PERFORCE change 23723 for review
Chris Costello
chris at freebsd.org
Tue Jan 14 06:58:55 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=23723
Change 23723 by chris at chris_holly on 2003/01/13 22:58:55
Remove entry points which no longer exist.
Affected files ...
.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#27 edit
Differences ...
==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#27 (text+ko) ====
@@ -760,127 +760,6 @@
available.</para>
</sect4>
- <sect4 id="mac-mpo-create-devfs-vnode">
- <title><function>&mac.mpo;_create_devfs_vnode</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_create_devfs_vnode</function></funcdef>
-
- <paramdef>struct devfs_dirent
- *<parameter>devfs_dirent</parameter></paramdef>
- <paramdef>struct label
- *<parameter>direntlabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>devfs_dirent</parameter></entry>
- <entry>Object; devfs directory entry</entry>
- </row>
-
- <row>
- <entry><parameter>direntlabel</parameter></entry>
- <entry>Policy label for
- <parameter>devfs_dirent</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; file system object being labeled</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>vp</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill out the label on the vnode being created for the
- passed devfs_dirent. This call will be made when a vnode is
- required to represent the specified devfs_dirent in a
- mounted devfs instance.</para>
- </sect4>
-
- <sect4 id="mac-mpo-vnode-create-from-vnode">
- <title><function>&mac.mpo;_vnode_create_from_vnode</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_vnode_create_from_vnode</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>parent</parameter></paramdef>
- <paramdef>struct label
- *<parameter>parentlabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>child</parameter></paramdef>
- <paramdef>struct label
- *<parameter>childlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>parent</parameter></entry>
- <entry>Parent vnode; the directory in which
- <parameter>child</parameter> is being
- created</entry>
- </row>
-
- <row>
- <entry><parameter>parentlabel</parameter></entry>
- <entry>Policy label for
- <parameter>parent</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>child</parameter></entry>
- <entry>New vnode</entry>
- </row>
-
- <row>
- <entry><parameter>childlabel</parameter></entry>
- <entry>Label to be filled in for
- <parameter>child</parameter></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Fill out the label on the vnode being created in the
- passed vnode parent by the passed subject credential. This
- call will be made when a vnode is allocated during a vnode
- creation operation. For example, this call is made by
- multi-label file systems during the creation of a new file
- or directory.</para>
- </sect4>
-
<sect4 id="mac-mpo-create-mount">
<title><function>&mac.mpo;_create_mount</function></title>
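Review bot: the two removed sections take their ids (mac-mpo-create-devfs-vnode and mac-mpo-vnode-create-from-vnode) with them, so any xref or link elsewhere in chapter.sgml that uses either id as a linkend will no longer resolve. Please search the chapter for both ids and for the two function names before submitting. It would also help to say in the change description which entry points, if any, now label a vnode created for a devfs_dirent or for a new file or directory.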
@@ -1218,227 +1097,6 @@
<function>mac_vnode_create_from_vnode</function> to
initialize the vnode label.</para>
</sect4>
-
- <sect4 id="mac-mpo-update-procfsvnode">
- <title><function>&mac.mpo;_update_procfsvnode</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_update_procfsvnode</function></funcdef>
-
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; procfs vnode</entry>
- <entry>Locked</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label to be filled in for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject; credential for the process
- entry</entry>
- <entry>Immutable</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the procfs vnode label from the passed subject
- credential. This call will be made when an operation on a
- procfs vnode requires a fresh label on a process-derived
- vnode.</para>
- </sect4>
-
- <sect4 id="mac-mpo-update-vnode-from-extattr">
- <title><function>&mac.mpo;_update_vnode_from_extattr</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_update_vnode_from_extattr</function></funcdef>
-
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>fslabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode whose label is being updated</entry>
- <entry>Locked</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label to refresh</entry>
- </row>
-
- <row>
- <entry><parameter>mp</parameter></entry>
- <entry>Mount point for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>fslabel</parameter></entry>
- <entry>Policy label for <parameter>vp</parameter>'s
- file system.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the vnode label by refreshing the label data from
- the extended attribute service for the vnode. The mount
- point <parameter>fslabel</parameter> is also made available
- so that the <parameter>fslabel</parameter> may be used as a
- labeling source if fallback is appropriate for the policy.
- This call is permitted to fail; if the call fails, the
- associated label refresh will also fail, causing the failure
- of the operation requiring the MAC check and vnode label
- refresh, permitting a <quote>fail closed</quote> policy if
- labeling data is not available.</para>
- </sect4>
-
- <sect4 id="mac-mpo-update-from-externalized">
- <title><function>&mac.mpo;_update_from_externalized</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_update_from_externalized</function></funcdef>
-
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- <paramdef>struct mac
- *<parameter>extmac</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- <entry>Locked</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>extmac</parameter></entry>
- <entry>Externalized MAC policy label</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the vnode label from the passed externalized
- label loaded from disk by the MAC framework. This call is
- permitted to fail; if the call fails, the associated label
- refresh will also fail, causing the failure of the operation
- requiring the MAC check and vnode label refresh, permitting
- a <quote>fail closed</quote> policy if labeling data is not
- available. This call will be obsoleted by the new extended
- attribute labeling interface.</para>
- </sect4>
-
- <sect4 id="mac-mpo-update-vnode-from-mount">
- <title><function>&mac.mpo;_update_vnode_from_mount</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_update_vnode_from_mount</function></funcdef>
-
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>vnodelabel</parameter></paramdef>
- <paramdef>struct mount
- *<parameter>mp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>mountlabel</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- <entry>Locked</entry>
- </row>
-
- <row>
- <entry><parameter>vnodelabel</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>mp</parameter></entry>
- <entry>Mount point where <parameter>vp</parameter>
- resides</entry>
- </row>
-
- <row>
- <entry><parameter>fslabel</parameter></entry>
- <entry>Policy label for the file system where
- <parameter>vp</parameter> resides.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Update the vnode label from the passed mount point
- label. This call is made when a single label file system
- vnode requires a label, or if the obsoleted MAC framework
- externalized extended attribute read fails.</para>
- </sect4>
</sect3>
<sect3 id="mac-ipc-label-ops">
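Review bot: the unchanged paragraph at the top of this hunk still refers to mac_vnode_create_from_vnode for initializing the vnode label, while the section for the matching _vnode_create_from_vnode entry point is deleted earlier in this patch; please check whether that surviving sentence is now stale. Separately, the removed text for _update_vnode_from_extattr and _update_from_externalized was where the handbook said that a failed label refresh fails the operation, permitting a "fail closed" policy. If other entry points now load labels from extended attributes, their sections should state the same failure semantics so that guidance is not lost.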
@@ -4997,12 +4655,12 @@
</sect3>
<sect3 id="mac-mpo-check-vnode-mmap-downgrade">
- <title><function>&mac.mpo;_check_mmap_downgrade</function></title>
+ <title><function>&mac.mpo;_check_vnode_mmap_downgrade</function></title>
<funcsynopsis>
<funcprototype>
<funcdef>void
- <function>&mac.mpo;_check_mmap_downgrade</function></funcdef>
+ <function>&mac.mpo;_check_vnode_mmap_downgrade</function></funcdef>
<paramdef>struct ucred
*<parameter>cred</parameter></paramdef>
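Review bot: the title and funcdef here are renamed from _check_mmap_downgrade to _check_vnode_mmap_downgrade, which is a correction rather than a removal, so the change description ("Remove entry points which no longer exist.") does not cover it. Please mention the rename in the description, and check the rest of this section and the chapter for remaining uses of the old name, since only the title and synopsis are touched in the visible lines.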
@@ -5557,159 +5215,6 @@
process.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-rename-from-vnode">
- <title><function>&mac.mpo;_check_rename_from_vnode</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_rename_from_vnode</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter>cred</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>dvp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>dlabel</parameter></paramdef>
- <paramdef>struct vnode
- *<parameter>vp</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- <paramdef>struct componentname
- *<parameter>cnp</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>dvp</parameter></entry>
- <entry>Directory vnode</entry>
- </row>
-
- <row>
- <entry><parameter>dlabel</parameter></entry>
- <entry>Policy label for
- <parameter>dvp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <!-- XXX ??? -->
- <row>
- <entry><parameter>cnp</parameter></entry>
- <entry>Pathname</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can rename the
- passed vnode (<parameter>vp</parameter>) in the passed
- directory (<parameter>dvp</parameter>) using the passed name
- (<parameter>cnp</parameter>). This call will be made in
- combination with a follow-up call to
- <function>mpo_check_rename_to_vnode</function>. Return
- <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
- <sect3 id="mac-mpo-cred-check-rename-to-vnode">
- <title><function>&mac.mpo;_check_rename_to_vnode</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>int
- <function>&mac.mpo;_check_rename_to_vnode</function></funcdef>
-
- <paramdef>struct ucred
- *<parameter></parameter>cred</paramdef>
- <paramdef>struct vnode
- *<parameter></parameter>dvp</paramdef>
- <paramdef>struct label
- *<parameter></parameter>dlabel</paramdef>
- <paramdef>struct vnode
- *<parameter></parameter>vp</paramdef>
- <paramdef>struct label
- *<parameter></parameter>label</paramdef>
- <paramdef>int <parameter></parameter>samedir</paramdef>
- <paramdef>struct componentname
- *<parameter>cnp</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>cred</parameter></entry>
- <entry>Subject credential</entry>
- </row>
-
- <row>
- <entry><parameter>dvp</parameter></entry>
- <entry>Directory vnode</entry>
- </row>
-
- <row>
- <entry><parameter>dlabel</parameter></entry>
- <entry>Policy label for <parameter>dvp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>vp</parameter></entry>
- <entry>Object; vnode</entry>
- </row>
-
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Policy label for
- <parameter>vp</parameter></entry>
- </row>
-
- <row>
- <entry><parameter>cnp</parameter></entry>
- <entry>Pathname</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Determine whether the subject credential can rename to
- the passed vnode (<parameter>vp</parameter>) and the passed
- directory (<parameter>dvp</parameter>) with the passed name
- (<parameter>cnp</parameter>). This call will be made in
- combination with an earlier call to
- <function>mpo_check_rename_from_vnode</function>.
- Return <returnvalue>0</returnvalue> for success, or an
- <varname>errno</varname> value for failure. Suggested
- failure: <errorcode>EACCES</errorcode> for label mismatch,
- or <errorcode>EPERM</errorcode> for lack of
- privilege.</para>
- </sect3>
-
<sect3 id="mac-mpo-cred-check-vnode-revoke">
<title><function>&mac.mpo;_check_vnode_revoke</function></title>
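Review bot: with both _check_rename_from_vnode and _check_rename_to_vnode deleted, nothing visible in this hunk documents how a policy mediates rename, which is an access-control decision policy authors need to implement. If the checks were replaced rather than dropped, confirm the replacement sections are present in the chapter and carry the same return convention the removed text gave (0 for success, EACCES for label mismatch, EPERM for lack of privilege). The ids mac-mpo-cred-check-rename-from-vnode and mac-mpo-cred-check-rename-to-vnode should also be checked for remaining references.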
@@ -7228,37 +6733,6 @@
user credential.</para>
</sect3>
- <sect3 id="mac-mpo-init-temp">
- <title><function>&mac.mpo;_init_temp_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_init_temp_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Temporary label</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Initialize a newly instantiated temporary label;
- temporary labels are frequently used to hold label update
- requests.</para>
- </sect3>
-
<sect3 id="mac-mpo-init-vnode">
<title><function>&mac.mpo;_init_vnode_label</function></title>
@@ -7294,41 +6768,7 @@
<para>Initialize the label on a newly instantiated vnode.</para>
</sect3>
-
- <sect3 id="mac-mpo-destroy-bpfdesc">
- <title><function>&mac.mpo;_destroy_bpfdesc</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_bpfdesc_label</function></funcdef>
-
- <paramdef>struct bpf_d
- *<parameter>bpf_d</parameter></paramdef>
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy the label on a BPF descriptor. In this entry
- point, a policy module should free any internal storage
- associated with <parameter>label</parameter> so that it may
- be destroyed.</para>
- </sect3>
-
<sect3 id="mac-mpo-destroy-devfsdirent">
<title><function>&mac.mpo;_destroy_devfsdirent_label</function></title>
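Review bot: the removed section is titled _destroy_bpfdesc but its funcdef names _destroy_bpfdesc_label, and its table documents only label although the prototype also lists bpf_d. That looks like a section with a wrong title and prototype rather than one for an entry point that is gone. Please confirm against the current policy operations structure that no BPF descriptor label destroy entry point exists; if one does, correct the title and parameters instead of deleting the section, since the neighbouring _destroy_devfsdirent_label section is kept.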
@@ -7630,38 +7070,6 @@
destroyed.</para>
</sect3>
- <sect3 id="mac-mpo-destroy-temp">
- <title><function>&mac.mpo;_destroy_temp_label</function></title>
-
- <funcsynopsis>
- <funcprototype>
- <funcdef>void
- <function>&mac.mpo;_destroy_temp_label</function></funcdef>
-
- <paramdef>struct label
- *<parameter>label</parameter></paramdef>
- </funcprototype>
- </funcsynopsis>
-
- <informaltable>
- <tgroup cols="3">
- &mac.thead;
-
- <tbody>
- <row>
- <entry><parameter>label</parameter></entry>
- <entry>Temporary label being destroyed</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>Destroy a temporary label. In this entry point, a
- policy module should free any internal storage associated
- with the temporary label <parameter>label</parameter> so
- that it may be destroyed.</para>
- </sect3>
-
<sect3 id="mac-mpo-destroy-vnode">
<title><function>&mac.mpo;_destroy_vnode_label</function></title>
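Review bot: this removal of _destroy_temp_label pairs with the removal of _init_temp_label earlier in the patch, so init and destroy stay consistent, but the removed text was the only visible statement that temporary labels hold label update requests and that a policy must free their internal storage. If label update requests are now carried in labels of another type, the init and destroy sections for that type should say so, so policy authors know which entry point must release that storage.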