From owner-p4-projects Wed Jul 24 17:26:21 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 5CAD837B401; Wed, 24 Jul 2002 17:25:16 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EF3B237B400 for ; Wed, 24 Jul 2002 17:25:15 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0041E43E72 for ; Wed, 24 Jul 2002 17:25:14 -0700 (PDT) (envelope-from chris@freebsd.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6P0PEJU027574 for ; Wed, 24 Jul 2002 17:25:14 -0700 (PDT) (envelope-from chris@freebsd.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6P0PEtI027565 for perforce@freebsd.org; Wed, 24 Jul 2002 17:25:14 -0700 (PDT) Date: Wed, 24 Jul 2002 17:25:14 -0700 (PDT) Message-Id: <200207250025.g6P0PEtI027565@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to chris@freebsd.org using -f From: Chris Costello Subject: PERFORCE change 14874 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14874 Change 14874 by chris@chris_holly on 2002/07/24 17:24:59 o Update/augment descriptions with descriptions from Robert's post to cboss-doc. o Mark up remaining label operations except those for processes (to be committed later this evening) o Credit Robert in authors for his description paragraphs. o Update mac.ent to include locking column and colspec's so that entries can span multiple columns. Affected files ... .. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac.ent#3 edit .. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#7 edit Differences ... ==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac.ent#3 (text+ko) ==== @@ -1,9 +1,14 @@ - + + + Parameter Description + Locking -"> +'> ==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#7 (text+ko) ==== @@ -41,11 +41,22 @@ Chris Costello + TrustedBSD Project
chris@FreeBSD.org
 + + + Robert + Watson + + + TrustedBSD Project +
rwatson@FreeBSD.org
+ + @@ -118,7 +129,7 @@ - static void + void &mac.mpo;_init struct mac_policy_conf @@ -127,7 +138,7 @@ - + &mac.thead; @@ -139,14 +150,8 @@ - This is the entry point called after the policy has been - added to the list, but before the list is unlocked. At the - point a module would typically initialize its own internal - structures, print any copyright messages, etc. - - A module loaded message is already - printed when a policy is loaded so any further messages of - that nature are probably unnecessary. + Policy load event. The policy list mutex is held, so + caution should be applied. @@ -154,7 +159,7 @@ - static void + void &mac.mpo;_destroy struct mac_policy_conf @@ -163,7 +168,7 @@ - + &mac.thead; @@ -175,9 +180,8 @@ - This entry point is called when the module is being - unloaded. At this point the policy would typically be - freeing internal storage, etc. + Policy load event. The policy list mutex is held, so + caution should be applied. @@ -191,7 +195,7 @@ - static void + void &mac.mpo;_init_bpfdesc struct bpf_d @@ -202,7 +206,7 @@ - + &mac.thead; @@ -219,7 +223,8 @@ - ... + Initialize the label on a newly instantiated bpfdesc (BPF + descriptor) @@ -227,7 +232,7 @@ - static void + void &mac.mpo;_init_devfsdirent struct devfs_dirent @@ -238,7 +243,7 @@ - + &mac.thead; @@ -255,7 +260,8 @@ - ... + Initialize the label on a newly instantiated devfs + entry. @@ -263,7 +269,7 @@ - static void + void &mac.mpo;_init_ifnet struct ifnet @@ -274,7 +280,7 @@ - + &mac.thead; @@ -291,7 +297,8 @@ - ... + Initialize the label on a newly instantiated network + interface. @@ -299,7 +306,7 @@ - static void + void &mac.mpo;_init_ipq struct ipq @@ -310,7 +317,7 @@ - + &mac.thead; @@ -326,6 +333,9 @@ + + Initialize the label on a newly instantiated IP fragment + reassembly queue. @@ -333,18 +343,19 @@ - static void + void &mac.mpo;_init_mbuf struct mbuf *mbuf + int how struct label *label - + &mac.thead; @@ -354,13 +365,29 @@ + how + Blocking/non-blocking &man.malloc.9; see + below + + + label - New label to apply + Policy label to initialize - ... + Initialize the label on a newly instantiated mbuf packet + header (mbuf). The + how field may be one of + M_WAITOK and M_NOWAIT, and + should be employed to avoid performing a blocking + &man.malloc.9; during this initialization call. Mbuf + allocation frequently occurs in performance sensitive + environments, and the implementation should be careful to + avoid blocking or long-lived operations. This entry point + is permitted to fail resulting in the failure to allocate + the mbuf header. @@ -368,7 +395,7 @@ - static void + void &mac.mpo;_init_mount struct mount @@ -382,7 +409,7 @@ - + &mac.thead; @@ -393,18 +420,21 @@ mntlabel - New file system mount point label + Policy label to be initialized for the mount + itself fslabel - New file system label + Policy label to be initialized for the file + system - ... + Initialize the labels on a newly instantiated mount + point. @@ -412,7 +442,7 @@ - static void + void &mac.mpo;_init_socket struct socket @@ -425,7 +455,7 @@ - + &mac.thead; @@ -447,7 +477,8 @@ - ... + Initialize the labels on a newly instantiated + socket. @@ -455,7 +486,7 @@ - static void + void &mac.mpo;_init_subject struct ucred @@ -466,7 +497,7 @@ - + &mac.thead; @@ -483,10 +514,7 @@ - In this entry point, a policy module should allocate and - initialize any internal storage for a new label for a - subject (user) credential. No label information should be - filled out. + Initialize the labels on a newly instantiated subject. @@ -494,7 +522,7 @@ - static void + void &mac.mpo;_init_temp struct label @@ -503,7 +531,7 @@ - + &mac.thead; @@ -515,9 +543,9 @@ - In this entry point, a policy module should allocate - storage for a label meant for temporary use. No label - information should be filled out. + Initialize a newly instantiated temporary label; + temporary labels are frequently used to hold label update + requests. @@ -525,7 +553,7 @@ - static void + void &mac.mpo;_init_vnode struct vnode @@ -536,7 +564,7 @@ - + &mac.thead; @@ -553,9 +581,7 @@ - In this entry point, a policy module should allocate and - initialize any internal storage necessary for a new file - system object label. + Initialize the label on a newly instantiated vnode. @@ -563,7 +589,7 @@ - static void + void &mac.mpo;_destroy_bpfdesc struct bpf_d @@ -574,7 +600,7 @@ - + &mac.thead; @@ -591,10 +617,10 @@ - In this entry point, a policy module should free any - internal storage associated with - label so that it may be - destroyed. + Destroy the label on a BPF descriptor. In this entry + point, a policy module should free any internal storage + associated with label so that it may + be destroyed. @@ -602,7 +628,7 @@ - static void + void &mac.mpo;_destroy_devfsdirent struct devfs_dirent @@ -613,7 +639,7 @@ - + &mac.thead; @@ -630,9 +656,10 @@ - In this entry point, a policy module should free any - internal storage asociated with label - so that it may be destroyed. + Destroy the label on a devfs entry. In this entry + point, a policy module should free any internal storage + asociated with label so that it may + be destroyed. @@ -640,7 +667,7 @@ - static void + void &mac.mpo;_destroy_ifnet struct ifnet @@ -651,7 +678,7 @@ - + &mac.thead; @@ -668,10 +695,10 @@ - In this entry point, a policy module should free any - internal storage associated with - label so that it may be - destroyed. + Destroy the label on a removed interface. In this entry + point, a policy module should free any internal storage + associated with label so that it may + be destroyed. @@ -679,7 +706,7 @@ - static void + void &mac.mpo;_destroy_ipq struct ipq @@ -690,7 +717,7 @@ - + &mac.thead; @@ -707,10 +734,10 @@ - In this entry point, a policy module should free any - internal storage associated with - label so that it may be - destroyed. + Destroy the label on an IP fragment queue. In this + entry point, a policy module should free any internal + storage associated with label so that + it may be destroyed. @@ -718,7 +745,7 @@ - static void + void &mac.mpo;_destroy_mbuf struct mbuf @@ -729,7 +756,7 @@ - + &mac.thead; @@ -746,10 +773,10 @@ - In this entry point, a policy module should free any - internal storage associated with - label so that it may be - destroyed. + Destroy the label on an mbuf header. In this entry + point, a policy module should free any internal storage + associated with label so that it may + be destroyed. @@ -757,7 +784,7 @@ - static void + void &mac.mpo;_destroy_mount struct mount @@ -770,7 +797,7 @@ - + &mac.thead; @@ -792,9 +819,9 @@ - In this entry point, a policy module should free the - internal storage associated with - mntlabel and + Destroy the labels on a mount point. In this entry + point, a policy module should free the internal storage + associated with mntlabel and fslabel so that they may be destroyed. @@ -804,7 +831,7 @@ - static void + void &mac.mpo;_destroy_socket struct socket @@ -817,7 +844,7 @@ - + &mac.thead; @@ -839,9 +866,9 @@ - In this entry point, a policy module should free any - internal storage associated with - label and + Destroy the labels on a socket. In this entry point, a + policy module should free any internal storage associated + with label and peerlabel so that they may be destroyed. @@ -851,7 +878,7 @@ - static void + void &mac.mpo;_destroy_subject struct ucred @@ -862,7 +889,7 @@ - + &mac.thead; @@ -879,9 +906,9 @@ - In this entry point, a policy module should free any - internal storage associated with - label so that it may be + Destroy the label on a credential. In this entry point, + a policy module should free any internal storage associated + with label so that it may be destroyed. @@ -890,7 +917,7 @@ - static void + void &mac.mpo;_destroy_temp struct label @@ -899,7 +926,7 @@ - + &mac.thead; @@ -911,10 +938,10 @@ - In this entry point, a policy module should free any - internal storage associated with the temporary label - label so that it may be - destroyed. + Destroy a temporary label. In this entry point, a + policy module should free any internal storage associated + with the temporary label label so + that it may be destroyed. @@ -922,7 +949,7 @@ - static void + void &mac.mpo;_destroy_vnode struct vnode @@ -933,7 +960,7 @@ - + &mac.thead; @@ -950,9 +977,9 @@ - In this entry point, a policy module should free any - internal storage associated with - label so that it may be + Destroy the label on a vnode. In this entry point, a + policy module should free any internal storage associated + with label so that it may be destroyed. @@ -961,7 +988,7 @@ - static void + void &mac.mpo;_externalize struct label @@ -972,7 +999,7 @@ - + &mac.thead; @@ -988,8 +1015,10 @@ - - ... + Given an internalized subject or object label, fill out + an externalized label. This call is permitted to fail. + This call will be obsoleted by the new userland and extended + attribute interfaces for the MAC framework. @@ -997,7 +1026,7 @@ - static void + void &mac.mpo;_internalize struct label @@ -1008,7 +1037,7 @@ - + &mac.thead; @@ -1025,8 +1054,1814 @@ - - ... + Given an externalized subject or object label, likely + from userland, internalize the label. The entry point + implementation should handle incorrect or corrupted labels. + This call is permitted to fail. This call will be obsoleted + by the new userland and extended attribute interfaces for + the MAC framework. + + + + + File System Object Labeling Event Operations + + ... + + + <function>&mac.mpo;_create_devfs_device</function> + + + + void + &mac.mpo;_create_devfs_device + + dev_t dev + struct devfs_dirent + *devfs_dirent + struct label + *label + + + + + + &mac.thead; + + + + dev + Device corresponding with + devfs_dirent + + + + devfs_dirent + Devfs directory entry to be labeled. + + + + label + Label for devfs_dirent + to be filled in. + + + + + + Fill out the label on a devfs_dirent being created for + the passed device. This call will be made when the device + file system is mounted, regenerated, or a new device is made + available. + + + + <function>&mac.mpo;_create_devfs_directory</function> + + + + void + &mac.mpo;_create_devfs_directory + + char *dirname + int dirnamelen + struct devfs_dirent + *devfs_dirent + struct label + *label + + + + + + &mac.thead; + + + + dirname + Name of directory being created + + + + namelen + Length of string + dirname + + + + devfs_dirent + Devfs directory entry for directory being + created. + + + + + + Fill out the label on a devfs_dirent being created for + the passed directory. This call will be made when the device + file system is mounted, regenerated, or a new device + requiring a specific directory hierarchy is made + available. + + + + <function>&mac.mpo;_create_devfs_vnode</function> + + + + void + &mac.mpo;_create_devfs_vnode + + struct devfs_dirent + *devfs_dirent + struct label + *direntlabel + struct vnode + *vp + struct label + *vnodelabel + + + + + + &mac.thead; + + + + devfs_dirent + Object; devfs directory entry + + + + direntlabel + Policy label for + devfs_dirent + + + + vp + Object; file system object being labeled + + + + vnodelabel + Policy label to be filled in for + vp + + + + + + Fill out the label on the vnode being created for the + passed devfs_dirent. This call will be made when a vnode is + required to represent the specified devfs_dirent in a + mounted devfs instance. + + + + <function>&mac.mpo;_create_vnode_from_vnode</function> + + + >>> TRUNCATED FOR MAIL (1000 lines) <<< To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message