Date: Fri, 19 Jul 2002 17:44:06 -0700 (PDT)
From: Chris Costello <chris@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 14488 for review
Message-ID: <200207200044.g6K0i6Na080818@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14488

Change 14488 by chris@chris_holly on 2002/07/19 17:43:06

  o Add a section on locking from the man page.
  o s/hook/entry point/ (and rewrap)
  o Remove not-supposed-to-be-documented struct mac_policy_conf
  o `mac_<replaceable>policy</replaceable>' is replaced by an entity for easily changing it once we decide what to change it to.
  o Some small SGML formatting nits
  o <thead>...</thead> section that keeps getting repeated was replaced with an entity containing that bit, for cleanliness purposes.
  o Documented mpo_destroy and fix an instant where I misspelled it as mpo_ops.
  o Mark up and partially document the MAC label operations.
  o Add a new `mac.ent' to contain the new entities mentioned above.

Affected files ...

.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/book.sgml#3 edit
.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac.ent#1 add
.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#6 edit

Differences ...

==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/book.sgml#3 (text+ko) ==== @@ -10,6 +10,7 @@ <!ENTITY % man PUBLIC "-//FreeBSD//ENTITIES DocBook Manual Page Entities//EN"> %man; <!ENTITY % chapters SYSTEM "chapters.ent"> %chapters; +<!ENTITY % mac-entities SYSTEM "mac.ent"> %mac-entities; <!ENTITY % authors PUBLIC "-//FreeBSD//ENTITIES DocBook Author Entities//EN"> %authors <!ENTITY % mailing-lists PUBLIC "-//FreeBSD//ENTITIES DocBook Mailing List Entities//EN"> %mailing-lists; <!ENTITY % chap.index "IGNORE"> ==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#6 (text+ko) ==== 
@@ -69,40 +69,57 @@ MAC_PERFORM -> policy</para> </sect1> + <sect1 id="mac-locking"> + <title>Locking</title> + + <!-- XXX: Update this; copied from mac(9). --> + <para>Module writers must be aware of the locking semantics of + entry points that they implement: MAC API entry points will have + specific locking or reference counting semantics for each + argument, and modules must follow the locking and reference + counting protocol or risk a variety of failure modes, including + race conditions, imappropriate pointer dereferences, etc.</para> + + <para>MAC module writers must also be aware that MAC API entry + points will frequently be invoked from deep in a kernel stack, + and as such must be careful to avoid violating more global + locking requirements, such as global lock order requirements. + For example, it may be inappropriate to lock additional objects + not specifically maintained and ordered by the policy module, or + the policy module might violate a global ordering requirement + relating to those additional objects.</para> + + <para>Finally, MAC API module implementors must be careful to + avoid inappropriately calling back into the MAC framework: the + framework makes use of locking to prevent inconsistencies during + policy module attachment and detachment. 
MAC API modules should + avoid producing scenarios in which deadlocks or inconsistencies + might occur.</para> + </sect1> + <sect1 id="mac-policy-ops"> <title>Policy Operations</title> - <para>The MAC policy framework implements policy operation hooks - which supply policy modules with relevant data on a subject and - the operation it is attempting to perform on an object.</para> + <para>The MAC policy framework implements policy operation entry + points which supply policy modules with relevant data on a + subject and the operation it is attempting to perform on an + object.</para> <sect2 id="mac-module-ops"> <title>Policy Module Operations</title> <para>The MAC policy framework includes the ability for policies to be compiled as separate loadable kernel modules. The - following structure is passed to the module operation - hooks:</para> + following entry points are defined for module-related + events.</para> - <programlisting>struct mac_policy_conf { - char *mpc_name; /* policy name */ - char *mpc_fullname; /* policy full name */ - struct mac_policy_ops mpc_ops; /* policy operations */ - struct mac_policy_op_entry *mpc_entries; /* ops to fill in */ - int mpc_loadtime_flags; /* flags */ - int *mpc_field_off; /* security field */ - int mpc_runtime_flags; /* flags */ - LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */ -};</programlisting> - <sect3 id="mac-mpo-init"> - <title><function>mac_<replaceable>policy</replaceable>_init</function</title> + <title><function>&mac.mpo;_init</function</title> <funcsynopsis> <funcprototype> <funcdef>static void - <function>mac_<replaceable>policy</replaceable>_init</function> - </funcdef> + <function>&mac.mpo;_init</function></funcdef> <paramdef>struct mac_policy_conf *<parameter>conf</parameter></paramdef> @@ -111,12 +128,7 @@ <informaltable> <tgroup cols="2"> - <thead> - <row> - <entry>Parameter</entry> - <entry>Description</entry> - </row> - </thead> + &mac.thead; <tbody> <row> 
@@ -127,11 +139,10 @@ </tgroup> </informaltable> - <para>This is the initialization hook called after the policy - has been added to the list, but before the list is unlocked. - At the point a module would typically initialize its own - internal structures, print any copyright messages, - etc.</para> + <para>This is the entry point called after the policy has been + added to the list, but before the list is unlocked. At the + point a module would typically initialize its own internal + structures, print any copyright messages, etc.</para> <note><para>A <quote>module loaded</quote> message is already printed when a policy is loaded so any further messages of @@ -139,13 +150,12 @@ </sect3> <sect3 id="mpo-destroy"> - <title><function>mac_<replaceable>policy</replaceable>_destroy</function></title> + <title><function>&mac.mpo;_destroy</function></title> <funcsynopsis> <funcprototype> <funcdef>static void - <function>mac_<replaceable>policy</replaceable>_ops</function> - </funcdef> + <function>&mac.mpo;_destroy</function></funcdef> <paramdef>struct mac_policy_conf *<parameter>conf</parameter></paramdef> 
@@ -154,40 +164,885 @@ <informaltable> <tgroup cols="2"> - <thead> + &mac.thead; + + <tbody> + <row> + <entry><parameter>conf</parameter></entry> + <entry>MAC policy definition</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>This entry point is called when the module is being + unloaded. At this point the policy would typically be + freeing internal storage, etc.</para> + </sect3> + </sect2> + + <sect2 id="mac-label-operations"> + <title>Label Operations</title> + + <para>...</para> + + <sect3 id="mac-mpo-init-bpfdesc"> + <title><function>&mac.mpo;_init_bpfdesc</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_init_bpfdesc</function></funcdef> + + <paramdef>struct bpf_d + *<parameter>bpf_d</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>bpf_d</parameter></entry> + <entry>Object; bpf descriptor</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>New label to apply</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>...</para> + </sect3> + + <sect3 id="mac-mpo-init-devfsdirent"> + <title><function>&mac.mpo;_init_devfsdirent</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_init_devfsdirent</function></funcdef> + + <paramdef>struct devfs_dirent + *<parameter>devfs_dirent</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>devfs_dirent</parameter></entry> + <entry>Object; devfs directory entry</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>New label to apply</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + 
<para>...</para> + </sect3> + + <sect3 id="mac-mpo-init-ifnet"> + <title><function>&mac.mpo;_init_ifnet</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_init_ifnet</function></funcdef> + + <paramdef>struct ifnet + *<parameter>ifnet</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>ifnet</parameter></entry> + <entry>Object; network interface</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>New label to apply</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>...</para> + </sect3> + + <sect3 id="mac-mpo-init-ipq"> + <title><function>&mac.mpo;_init_ipq</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_init_ipq</function></funcdef> + + <paramdef>struct ipq + *<parameter>ipq</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>ipq</parameter></entry> + <entry>Object; IP reassembly queue</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>New label to apply</entry> + </row> + </tbody> + </tgroup> + </informaltable> + </sect3> + + <sect3 id="mac-mpo-init-mbuf"> + <title><function>&mac.mpo;_init_mbuf</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_init_mbuf</function></funcdef> + + <paramdef>struct mbuf + *<parameter>mbuf</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>mbuf</parameter></entry> + <entry>Object; mbuf</entry> + </row> + + 
<row> + <entry><parameter>label</parameter></entry> + <entry>New label to apply</entry> + </tbody> + </tgroup> + </informaltable> + + <para>...</para> + </sect3> + + <sect3 id="mac-mpo-init-mount"> + <title><function>&mac.mpo;_init_mount</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_init_mount</function></funcdef> + + <paramdef>struct mount + *<parameter>mount</parameter></paramdef> + <paramdef>struct label + *<parameter>mntlabel</parameter></paramdef> + <paramdef>struct label + *<parameter>fslabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <!-- XXX: Wording on label descriptions. --> + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>mount</parameter></entry> + <entry>Object; file system mount point</entry> + </row> + + <row> + <entry><parameter>mntlabel</parameter></entry> + <entry>New file system mount point label</entry> + </row> + + <row> + <entry><parameter>fslabel</parameter></entry> + <entry>New file system label</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>...</para> + </sect3> + + <sect3 id="mac-mpo-init-socket"> + <title><function>&mac.mpo;_init_socket</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_init_socket</function></funcdef> + + <paramdef>struct socket + *<parameter>socket</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + <paramdef>struct label + *<parameter>peerlabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>socket</parameter></entry> + <entry>Object; socket</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>New label to apply to the socket</entry> + </row> + + <row> + <entry><parameter>peerlabel</parameter></entry> + <entry>New label to apply to the socket's peer</entry> + 
</row> + </tbody> + </tgroup> + </informaltable> + + <para>...</para> + </sect3> + + <sect3 id="mac-mpo-init-subject"> + <title><function>&mac.mpo;_init_subject</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_init_subject</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>cred</parameter></entry> + <entry>Subject; user credetial</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>New label</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>In this entry point, a policy module should allocate and + initialize any internal storage for a new label for a + subject (user) credential. No label information should be + filled out.</para> + </sect3> + + <sect3 id="mac-mpo-init-temp"> + <title><function>&mac.mpo;_init_temp</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_init_temp</function></funcdef> + + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>label</parameter></entry> + <entry>Temporary label</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>In this entry point, a policy module should allocate + storage for a label meant for temporary use. 
No label + information should be filled out.</para> + </sect3> + + <sect3 id="mac-mpo-init-vnode"> + <title><function>&mac.mpo;_init_vnode</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_init_vnode</function></funcdef> + + <paramdef>struct vnode + *<parameter>vp</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>vp</parameter></entry> + <entry>Object; file system object</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>New label to initialize</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>In this entry point, a policy module should allocate and + initialize any internal storage necessary for a new file + system object label.</para> + </sect3> + + <sect3 id="mac-mpo-destroy-bpfdesc"> + <title><function>&mac.mpo;_destroy_bpfdesc</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_destroy_bpfdesc</function></funcdef> + + <paramdef>struct bpf_d + *<parameter>bpf_d</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>bpf_d</parameter></entry> + <entry>Object; bpf descriptor</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>Label being destroyed</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>In this entry point, a policy module should free any + internal storage associated with + <parameter>label</parameter> so that it may be + destroyed.</para> + </sect3> + + <sect3 id="mac-mpo-destroy-devfsdirent"> + <title><function>&mac.mpo;_destroy_devfsdirent</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + 
<function>&mac.mpo;_destroy_devfsdirent</function></funcdef> + + <paramdef>struct devfs_dirent + *<parameter>devfs_dirent</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>devfs_dirent</parameter></entry> + <entry>Object; devfs directory entry</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>Label being destroyed</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>In this entry point, a policy module should free any + internal storage asociated with <parameter>label</parameter> + so that it may be destroyed.</para> + </sect3> + + <sect3 id="mac-mpo-destroy-ifnet"> + <title><function>&mac.mpo;_destroy_ifnet</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_destroy_ifnet</function></funcdef> + + <paramdef>struct ifnet + *<parameter>ifnet</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>ifnet</parameter></entry> + <entry>Object; network interface</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>Label being destroyed</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>In this entry point, a policy module should free any + internal storage associated with + <parameter>label</parameter> so that it may be + destroyed.</para> + </sect3> + + <sect3 id="mac-mpo-destroy-ipq"> + <title><function>&mac.mpo;_destroy_ipq</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_destroy_ipq</function></funcdef> + + <paramdef>struct ipq + *<parameter>ipq</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + 
</funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>ipq</parameter></entry> + <entry>Object; IP reassembly queue</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>Label being destroyed</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>In this entry point, a policy module should free any + internal storage associated with + <parameter>label</parameter> so that it may be + destroyed.</para> + </sect3> + + <sect3 id="mac-mpo-destroy-mbuf"> + <title><function>&mac.mpo;_destroy_mbuf</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_destroy_mbuf</function></funcdef> + + <paramdef>struct mbuf + *<parameter>mbuf</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>mbuf</parameter></entry> + <entry>Object; mbuf</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>Label being destroyed</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>In this entry point, a policy module should free any + internal storage associated with + <parameter>label</parameter> so that it may be + destroyed.</para> + </sect3> + + <sect3 id="mac-mpo-destroy-mount"> + <title><function>&mac.mpo;_destroy_mount</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_destroy_mount</function></funcdef> + + <paramdef>struct mount + *<parameter>mp</parameter></paramdef> + <paramdef>struct label + *<parameter>mntlabel</parameter></paramdef> + <paramdef>struct label + *<parameter>fslabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>mp</parameter></entry> + <entry>Object; 
file system mount point</entry> + </row> + + <row> + <entry><parameter>mntlabel</parameter></entry> + <entry>Mount point label being destroyed</entry> + </row> + + <row> + <entry><parameter>fslabel</parameter></entry> + <entry>File system label being destroyed> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>In this entry point, a policy module should free the + internal storage associated with + <parameter>mntlabel</parameter> and + <parameter>fslabel</parameter> so that they may be + destroyed.</para> + </sect3> + + <sect3 id="mac-mpo-destroy-socket"> + <title><function>&mac.mpo;_destroy_socket</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_destroy_socket</function></funcdef> + + <paramdef>struct socket + *<parameter>socket</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + <paramdef>struct label + *<parameter>peerlabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>socket</parameter></entry> + <entry>Object; socket</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>Socket label being destroyed</entry> + </row> + + <row> + <entry><parameter>peerlabel</parameter></entry> + <entry>Socket peer label being destroyed</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>In this entry point, a policy module should free any + internal storage associated with + <parameter>label</parameter> and + <parameter>peerlabel</parameter> so that they may be + destroyed.</para> + </sect3> + + <sect3 id="mac-mpo-destroy-subject"> + <title><function>&mac.mpo;_destroy_subject</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_destroy_subject</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct label + 
*<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>cred</parameter></entry> + <entry>Subject; user credential</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>Label being destroyed</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>In this entry point, a policy module should free any + internal storage associated with + <parameter>label</parameter> so that it may be + destroyed.</para> + </sect3> + + <sect3 id="mac-mpo-destroy-temp"> + <title><function>&mac.mpo;_destroy_temp</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_destroy_temp</function></funcdef> + + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>label</parameter></entry> + <entry>Temporary label being destroyed</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>In this entry point, a policy module should free any + internal storage associated with the temporary label + <parameter>label</parameter> so that it may be + destroyed.</para> + </sect3> + + <sect3 id="mac-mpo-destroy-vnode"> + <title><function>&mac.mpo;_destroy_vnode</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_destroy_vnode</function></funcdef> + + <paramdef>struct vnode + *<parameter>vp</parameter></paramdef> + <paramdef>struct label + *<parameter>label</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>vp</parameter></entry> + <entry>Object; file system object</entry> + </row> + + <row> + <entry><parameter>label</parameter></entry> + <entry>Label being destroyed</entry> + </row> + </tbody> + </tgroup> 
+ </informaltable> + + <para>In this entry point, a policy module should free any + internal storage associated with + <parameter>label</parameter> so that it may be + destroyed.</para> + </sect3> + + <sect3 id="mac-mpo-externalize"> + <title><function>&mac.mpo;_externalize</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>&mac.mpo;_externalize</function></funcdef> + + <paramdef>struct label + *<parameter>label</parameter></paramdef> + <paramdef>struct mac + *<parameter>extmac</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>label</parameter></entry> + <entry>Label to be externalized</entry> + </row> + <row> - <entry>Parameter</entry> - <entry>Description</entry> + <entry><parameter>extmac</parameter></entry> + <entry>MAC structure to be filled in</entry> </row> - </thead> + </tbody> + </informaltable> + + <!-- XXX: Is Adam working on changing this mechanism? --> + <para>...</para> + </sect3> + + <sect3 id="mac-mpo-internalize"> + <title><function>&mac.mpo;_internalize</function></title> >>> TRUNCATED FOR MAIL (1000 lines) <<< To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
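Review bot: In the @@ -69,40 +69,57 @@ hunk of mac/chapter.sgml, the rewritten mac-mpo-init title still ends in "</function</title>", carrying over the unterminated end tag from the line it replaces; close it as "</function></title>" so it matches the mpo-destroy title later in the patch. The new Locking section also has "imappropriate" where "inappropriate" is meant. Because this hunk drops the struct mac_policy_conf listing while both module entry points still take a "struct mac_policy_conf *conf" argument, the table text "MAC policy definition" is now the only description of that type; consider one sentence saying whether a policy may inspect it.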
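Review bot: In the @@ -127,11 +139,10 @@ hunk, the rewrapped paragraph says the init entry point runs "before the list is unlocked", which is the situation the new Locking section warns about (calling back into the MAC framework while it is locking around policy attachment); say here that the policy list is still locked during this call and point to the mac-locking section. "At the point a module would typically initialize" should also read "At this point", as the mpo_destroy paragraph does.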
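Review bot: The sect3 in the @@ -139,13 +150,12 @@ hunk keeps the id mpo-destroy on its unchanged context line, while its sibling is mac-mpo-init and every section added later in this change uses the mac-mpo- prefix; rename it to mac-mpo-destroy while the function name is being corrected here, so cross-references follow one scheme.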
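Review bot: Three places in the @@ -154,40 +164,885 @@ hunk are not well-formed markup: the label row of the mpo_init_mbuf table has no "</row>" before "</tbody>", the fslabel entry under mpo_destroy_mount ends in "destroyed>" instead of "destroyed</entry>", and the mpo_externalize table goes from "</tbody>" straight to "</informaltable>" without "</tgroup>". Fix those so the chapter parses. Smaller points in the same hunk: "credetial" (mpo_init_subject) and "asociated" (mpo_destroy_devfsdirent) are misspelled, mpo_init_ipq is the only init section without a trailing para, and the mount argument is named mount in mpo_init_mount but mp in mpo_destroy_mount.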