PERFORCE change 23726 for review
Chris Costello
chris at freebsd.org
Tue Jan 14 08:19:35 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=23726
Change 23726 by chris at chris_holly on 2003/01/14 00:19:30
Piece together a new "Label operations" section. Add a few more entry
points I seem to have missed on the first few sweeps.
Affected files ...
.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#28 edit
Differences ...
==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#28 (text+ko) ====
@@ -155,8 +155,8 @@
be passed NULL pointers for label arguments to entry
points.</para>
- <sect2 id="policy-module-registration">
- <title>Policy Module Registration</title>
+ <sect2 id="mac-mpo-general">
+ <title>General-Purpose Module Entry Points</title>
<para>Modules may be declared using the
<function>MAC_POLICY_SET()</function> macro, which names the
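Review bot: renaming the section id from `policy-module-registration` to `mac-mpo-general` silently breaks any `<xref linkend="policy-module-registration">` or `<link>` elsewhere in the handbook; grep the rest of the book for the old id and update those references in the same change, or keep the old id on this sect2 and add the new one to a dedicated subsection. The new title "General-Purpose Module Entry Points" also no longer describes what the first paragraph still covers (module declaration via `MAC_POLICY_SET()`), so either keep a "Policy Module Registration" sect3 under it or reword the lead-in.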
@@ -298,8 +298,1320 @@
caution should be applied.</para>
</sect3>
+ <sect3 id="mac-mpo-syscall">
+ <title><function>&mac.mpo;_syscall</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>int
+ <function>&mac.mpo;_syscall</function></funcdef>
+
+ <paramdef>struct thread
+ *<parameter>td</parameter></paramdef>
+ <paramdef>int <parameter>call</parameter></paramdef>
+ <paramdef>void *<parameter>arg</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>td</parameter></entry>
+ <entry>Calling thread</entry>
+ </row>
+
+ <row>
+ <entry><parameter>call</parameter></entry>
+ <entry>Syscall number</entry>
+ </row>
+ <row>
+ <entry><parameter>arg</parameter></entry>
+ <entry>Pointer to syscall arguments</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>This entry point provides a policy-multiplexed system
+ call so that policies may provide additional services to
+ user processes without registering specific system calls.
+ The policy name provided during registration is used to
+ demux calls from userland, and the arguments will be
+ forwarded to this entry point. When implementing new
+ services, security modules should be sure to invoke
+ appropriate access control checks from the MAC framework as
+ needed. For example, if a policy implements an augmented
+ signal functionality, it should call the necessary signal
+ access control checks to invoke the MAC framework and other
+ registered policies.</para>
+
+ <note><para>Modules must currently perform the
+ <function>copyin()</function> of the syscall data on their
+ own.</para></note>
+ </sect3>
+
+ <sect3 id="mac-mpo-thread-userret">
+ <title><function>&mac.mpo;_thread_userret</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_thread_userret</function></funcdef>
+
+ <paramdef>struct thread
+ *<parameter>td</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>td</parameter></entry>
+ <entry>Returning thread</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <!-- XXX: Maybe rewrite this section. -->
+ <para>This entry point permits policy modules to perform
+ MAC-related events when a thread returns to user space.
+ This is required for policies that have floating process
+ labels, as it's not always possible to acquire the process
+ lock at arbitrary points in the stack during system call
+ processing; process labels might represent traditional
+ authentication data, process history information, or other
+ data.</para>
+ </sect3>
</sect2>
+
+ <sect2 id="mac-label-ops">
+ <title>Label Operations</title>
+
+ <sect3 id="mac-mpo-init-bpfdesc">
+ <title><function>&mac.mpo;_init_bpfdesc_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_init_bpfdesc_label</function></funcdef>
+
+ <paramdef>struct bpf_d
+ *<parameter>bpf_d</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>bpf_d</parameter></entry>
+ <entry>Object; bpf descriptor</entry>
+ </row>
+
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>New label to apply</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Initialize the label on a newly instantiated bpfdesc (BPF
+ descriptor)</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-init-cred-label">
+ <title><function>&mac.mpo;_init_cred_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_init_cred_label</function></funcdef>
+
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>New label to initialize</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Initialize the label for a newly instantiated
+ user credential.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-init-devfsdirent">
+ <title><function>&mac.mpo;_init_devfsdirent_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_init_devfsdirent_label</function></funcdef>
+
+ <paramdef>struct devfs_dirent
+ *<parameter>devfs_dirent</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>devfs_dirent</parameter></entry>
+ <entry>Object; devfs directory entry</entry>
+ </row>
+
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>New label to apply</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Initialize the label on a newly instantiated devfs
+ entry.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-init-ifnet">
+ <title><function>&mac.mpo;_init_ifnet_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_init_ifnet_label</function></funcdef>
+
+ <paramdef>struct ifnet
+ *<parameter>ifnet</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>ifnet</parameter></entry>
+ <entry>Object; network interface</entry>
+ </row>
+
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>New label to apply</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Initialize the label on a newly instantiated network
+ interface.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-init-ipq">
+ <title><function>&mac.mpo;_init_ipq_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_init_ipq_label</function></funcdef>
+
+ <paramdef>struct ipq
+ *<parameter>ipq</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>ipq</parameter></entry>
+ <entry>Object; IP reassembly queue</entry>
+ </row>
+
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>New label to apply</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Initialize the label on a newly instantiated IP fragment
+ reassembly queue.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-init-mbuf">
+ <title><function>&mac.mpo;_init_mbuf_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_init_mbuf_label</function></funcdef>
+
+ <paramdef>struct mbuf
+ *<parameter>mbuf</parameter></paramdef>
+ <paramdef>int <parameter>how</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>mbuf</parameter></entry>
+ <entry>Object; mbuf</entry>
+ </row>
+
+ <row>
+ <entry><parameter>how</parameter></entry>
+ <entry>Blocking/non-blocking &man.malloc.9;; see
+ below</entry>
+ </row>
+
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>Policy label to initialize</entry>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Initialize the label on a newly instantiated mbuf packet
+ header (<parameter>mbuf</parameter>). The
+ <parameter>how</parameter> field may be one of
+ <symbol>M_WAITOK</symbol> and <symbol>M_NOWAIT</symbol>, and
+ should be employed to avoid performing a blocking
+ &man.malloc.9; during this initialization call. Mbuf
+ allocation frequently occurs in performance sensitive
+ environments, and the implementation should be careful to
+ avoid blocking or long-lived operations. This entry point
+ is permitted to fail resulting in the failure to allocate
+ the mbuf header.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-init-mount">
+ <title><function>&mac.mpo;_init_mount_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_init_mount_label</function></funcdef>
+
+ <paramdef>struct mount
+ *<parameter>mount</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>mntlabel</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>fslabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <!-- XXX: Wording on label descriptions. -->
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>mount</parameter></entry>
+ <entry>Object; file system mount point</entry>
+ </row>
+
+ <row>
+ <entry><parameter>mntlabel</parameter></entry>
+ <entry>Policy label to be initialized for the mount
+ itself</entry>
+ </row>
+
+ <row>
+ <entry><parameter>fslabel</parameter></entry>
+ <entry>Policy label to be initialized for the file
+ system</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Initialize the labels on a newly instantiated mount
+ point.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-init-mount-fs-label">
+ <title><function>&mac.mpo;_init_mount_fs_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_init_mount_fs_label</function></funcdef>
+
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>Label to be initialized</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Initialize the label on a newly mounted file
+ system.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-init-pipe-label">
+ <title><function>&mac.mpo;_init_pipe_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_init_pipe_label</function></funcdef>
+
+ <paramdef>struct
+ label*<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>Label to be filled in</entry>
+ </row>
+ </tbody>
+ </informaltable>
+
+ <para>Initialize a label for a newly instantiated pipe.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-init-socket">
+ <title><function>&mac.mpo;_init_socket_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_init_socket_label</function></funcdef>
+
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ <paramdef>int <parameter>flag</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>New label to initialize</entry>
+ </row>
+
+ <row>
+ <entry><parameter>flag</parameter></entry>
+ <entry>&man.malloc.9; flags</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Initialize a label for a newly instantiated
+ socket.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-init-socket-peer-label">
+ <title><function>&mac.mpo;_init_socket_peer_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_init_socket_peer_label</function></funcdef>
+
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ <paramdef>int <parameter>flag</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>New label to initialize</entry>
+ </row>
+
+ <row>
+ <entry><parameter>flag</parameter></entry>
+ <entry>&man.malloc.9; flags</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Initialize the peer label for a newly instantiated
+ socket.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-init-proc-label">
+ <title><function>&mac.mpo;_init_proc_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_init_proc_label</function></funcdef>
+
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>New label to initialize</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Initialize the label for a newly instantiated
+ process.</para>
+ </sect3>
+
+
+ <sect3 id="mac-mpo-init-vnode">
+ <title><function>&mac.mpo;_init_vnode_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_init_vnode_label</function></funcdef>
+
+ <paramdef>struct vnode
+ *<parameter>vp</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>vp</parameter></entry>
+ <entry>Object; file system object</entry>
+ </row>
+
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>New label to initialize</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Initialize the label on a newly instantiated vnode.</para>
+ </sect3>
+ <sect3 id="mac-mpo-destroy-bpfdesc">
+ <title><function>&mac.mpo;_destroy_bpfdesc_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_destroy_bpfdesc_label</function></funcdef>
+
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>bpfdesc label</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Destroy the label on a bpf descriptor. In this entry
+ point a policy should free any internal storage associated
+ with <parameter>label</parameter> so that it may be
+ destroyed.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-destroy-cred">
+ <title><function>&mac.mpo;_destroy_cred_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_destroy_cred_label</function></funcdef>
+
+ <paramdef>struct ucred
+ *<parameter>cred</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>cred</parameter></entry>
+ <entry>Subject; user credential</entry>
+ </row>
+
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>Label being destroyed</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Destroy the label on a credential. In this entry point,
+ a policy module should free any internal storage associated
+ with <parameter>label</parameter> so that it may be
+ destroyed.</para>
+ </sect3>
+
+
+ <sect3 id="mac-mpo-destroy-devfsdirent">
+ <title><function>&mac.mpo;_destroy_devfsdirent_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_destroy_devfsdirent_label</function></funcdef>
+
+ <paramdef>struct devfs_dirent
+ *<parameter>devfs_dirent</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>devfs_dirent</parameter></entry>
+ <entry>Object; devfs directory entry</entry>
+ </row>
+
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>Label being destroyed</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Destroy the label on a devfs entry. In this entry
+ point, a policy module should free any internal storage
+ asociated with <parameter>label</parameter> so that it may
+ be destroyed.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-destroy-ifnet-label">
+ <title><function>&mac.mpo;_destroy_ifnet_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_destroy_ifnet_label</function></funcdef>
+
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>Label being destroyed</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Destroy the label on a removed interface. In this entry
+ point, a policy module should free any internal storage
+ associated with <parameter>label</parameter> so that it may
+ be destroyed.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-destroy-ipq-label">
+ <title><function>&mac.mpo;_destroy_ipq_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_destroy_ipq_label</function></funcdef>
+
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>Label being destroyed</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Destroy the label on an IP fragment queue. In this
+ entry point, a policy module should free any internal
+ storage associated with <parameter>label</parameter> so that
+ it may be destroyed.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-destroy-mbuf-label">
+ <title><function>&mac.mpo;_destroy_mbuf_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_destroy_mbuf_label</function></funcdef>
+
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>Label being destroyed</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Destroy the label on an mbuf header. In this entry
+ point, a policy module should free any internal storage
+ associated with <parameter>label</parameter> so that it may
+ be destroyed.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-destroy-mount-label">
+ <title><function>&mac.mpo;_destroy_mount_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_destroy_mount_label</function></funcdef>
+
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>Mount point label being destroyed</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Destroy the labels on a mount point. In this entry
+ point, a policy module should free the internal storage
+ associated with <parameter>mntlabel</parameter> so that they
+ may be destroyed.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-destroy-mount">
+ <title><function>&mac.mpo;_destroy_mount_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_destroy_mount_label</function></funcdef>
+
+ <paramdef>struct mount
+ *<parameter>mp</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>mntlabel</parameter></paramdef>
+ <paramdef>struct label
+ *<parameter>fslabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>mp</parameter></entry>
+ <entry>Object; file system mount point</entry>
+ </row>
+
+ <row>
+ <entry><parameter>mntlabel</parameter></entry>
+ <entry>Mount point label being destroyed</entry>
+ </row>
+
+ <row>
+ <entry><parameter>fslabel</parameter></entry>
+ <entry>File system label being destroyed>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Destroy the labels on a mount point. In this entry
+ point, a policy module should free the internal storage
+ associated with <parameter>mntlabel</parameter> and
+ <parameter>fslabel</parameter> so that they may be
+ destroyed.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-destroy-socket">
+ <title><function>&mac.mpo;_destroy_socket_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_destroy_socket_label</function></funcdef>
+
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>Socket label being destroyed</entry>
+ </row>
+
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Destroy the label on a socket. In this entry point, a
+ policy module should free any internal storage associated
+ with <parameter>label</parameter> so that it may be
+ destroyed.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-destroy-socket-peer-label">
+ <title><function>&mac.mpo;_destroy_socket_peer_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_destroy_socket_peer_label</function></funcdef>
+
+ <paramdef>struct label
+ *<parameter>peerlabel</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>peerlabel</parameter></entry>
+ <entry>Socket peer label being destroyed</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Destroy the peer label on a socket. In this entry
+ point, a policy module should free any internal storage
+ associated with <parameter>label</parameter> so that it may
+ be destroyed.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-destroy-pipe-label">
+ <title><function>&mac.mpo;_destroy_pipe_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_destroy_pipe_label</function></funcdef>
+
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
+ <entry><parameter>label</parameter></entry>
+ <entry>Pipe label</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>Destroy the label on a pipe. In this entry point, a
+ policy module should free any internal storage associated
+ with <parameter>label</parameter> so that it may be
+ destroyed.</para>
+ </sect3>
+
+ <sect3 id="mac-mpo-destroy-proc-label">
+ <title><function>&mac.mpo;_destroy_proc_label</function></title>
+
+ <funcsynopsis>
+ <funcprototype>
+ <funcdef>void
+ <function>&mac.mpo;_destroy_proc_label</function></funcdef>
+ <paramdef>struct label
+ *<parameter>label</parameter></paramdef>
+ </funcprototype>
+ </funcsynopsis>
+
+ <informaltable>
+ <tgroup cols="3">
+ &mac.thead;
+
+ <tbody>
+ <row>
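Review bot: the added SGML will not build as written: the `fslabel` row of the three-argument `&mac.mpo;_destroy_mount_label` table ends with `File system label being destroyed>` and is missing its `</entry>`, the `label` row of the `&mac.mpo;_init_mbuf_label` table has no `</row>` before `</tbody>`, the `&mac.mpo;_init_pipe_label` table closes `</informaltable>` without first closing its `<tgroup>`, and `struct label*<parameter>label</parameter>` in that same prototype needs a space before the `*`. Two sect3s carry the identical title `&mac.mpo;_destroy_mount_label`; the first (id `mac-mpo-destroy-mount-label`) takes only `label` yet its text speaks of "labels" and frees `<parameter>mntlabel</parameter>`, which is not one of its parameters, so given the `&mac.mpo;_init_mount_fs_label` counterpart earlier in the hunk it is presumably `&mac.mpo;_destroy_mount_fs_label` and should be titled and described as such. `&mac.mpo;_init_mbuf_label` is declared `void` but the description says the entry point "is permitted to fail resulting in the failure to allocate the mbuf header"; a void entry point cannot report failure, so either the prototype should return `int` or that sentence should go. `&mac.mpo;_destroy_socket_peer_label` names its argument `peerlabel` but the text refers to `<parameter>label</parameter>`. Smaller points: "asociated" in `&mac.mpo;_destroy_devfsdirent_label`; the malloc flags argument is `how` for mbufs and `flag` for sockets, pick one name; `&mac.mpo;_init_bpfdesc_label` takes `bpf_d` while `&mac.mpo;_destroy_bpfdesc_label` does not, and `&mac.mpo;_init_cred_label` takes no `ucred` while `&mac.mpo;_destroy_cred_label` does, so check both pairs against `mac_policy.h` before committing; the `<!-- XXX: ... -->` notes on `&mac.mpo;_thread_userret` and `&mac.mpo;_init_mount_label` are still in the text; and a blank line is missing between the `&mac.mpo;_init_vnode_label` and `&mac.mpo;_destroy_bpfdesc_label` sect3s.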
>>> TRUNCATED FOR MAIL (1000 lines) <<<
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message