From owner-p4-projects  Thu Jul 25 15:27:53 2002
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 8193037B401; Thu, 25 Jul 2002 15:26:40 -0700 (PDT)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0A94537B400
	for <perforce@freebsd.org>; Thu, 25 Jul 2002 15:26:40 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BAE5143E4A
	for <perforce@freebsd.org>; Thu, 25 Jul 2002 15:26:38 -0700 (PDT)
	(envelope-from chris@freebsd.org)
Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6PMQcJU049981
	for <perforce@freebsd.org>; Thu, 25 Jul 2002 15:26:38 -0700 (PDT)
	(envelope-from chris@freebsd.org)
Received: (from perforce@localhost)
	by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6PMQcYk049978
	for perforce@freebsd.org; Thu, 25 Jul 2002 15:26:38 -0700 (PDT)
Date: Thu, 25 Jul 2002 15:26:38 -0700 (PDT)
Message-Id: <200207252226.g6PMQcYk049978@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: perforce set sender to chris@freebsd.org using -f
From: Chris Costello <chris@FreeBSD.org>
Subject: PERFORCE change 14920 for review
To: Perforce Change Reviews <perforce@freebsd.org>
Sender: owner-p4-projects@FreeBSD.ORG
Precedence: bulk
List-ID: <p4-projects.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20p4-projects>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20p4-projects>
X-Loop: FreeBSD.ORG

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14920

Change 14920 by chris@chris_holly on 2002/07/25 15:26:22

	o Process labeling event ops
	o Access control checks
	
	That's "all" of the entry points, so far!

Affected files ...

.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#8 edit

Differences ...

==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#8 (text+ko) ====

@@ -2865,20 +2865,651 @@
       </sect3>
     </sect2>
 
+    <sect2 id="mac-proc-labeling-event-ops">
+      <title>Process Labeling Event Operations</title>
+
+      <para>...</para>
+
+      <sect3 id="mac-mpo-create-subject">
+        <title><function>&mac.mpo;_create_subject</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>void
+              <function>&mac.mpo;_create_subject</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>parent_cred</parameter></paramdef>
+            <paramdef>struct ucred
+              *<parameter>child_cred</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+
+            <tbody>
+              <row>
+                <entry><parameter>parent_cred</parameter></entry>
+                <entry>Parent subject credential</entry>
+              </row>
+
+              <row>
+                <entry><parameter>child_cred</parameter></entry>
+                <entry>Child subject credential</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <!-- XXX manref -->
+        <para>Set the label of a newly created subject credential from
+          the passed subject credential.  This call will be made when
+          crcopy(9) is invoked on a newly created <type>struct
+            ucred</type>.  This call should not be confused with a
+          process forking or creation event.</para>
+      </sect3>
+
+      <sect3 id="mac-mpo-execve-transition">
+        <title><function>&mac.mpo;_execve_transition</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>void
+              <function>&mac.mpo;_execve_transition</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>old</parameter></paramdef>
+            <paramdef>struct ucred
+              *<parameter>new</parameter></paramdef>
+            <paramdef>struct vnode
+              *<parameter>vp</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>vnodelabel</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+
+            <tbody>
+              <row>
+                <entry><parameter>old</parameter></entry>
+                <entry>Existing subject credential</entry>
+                <entry>Immutable</entry>
+              </row>
+
+              <row>
+                <entry><parameter>new</parameter></entry>
+                <entry>New subject credential to be labeled</entry>
+              </row>
+
+              <row>
+                <entry><parameter>vp</parameter></entry>
+                <entry>File to execute</entry>
+                <entry>Locked</entry>
+              </row>
+
+              <row>
+                <entry><parameter>vnodelabel</parameter></entry>
+                <entry>Policy label for
+                  <parameter>vp</parameter></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Update the label of a newly created subject credential
+          (<parameter>new</parameter>) from the passed existing
+          subject credential (<parameter>old</parameter>) based on a
+          label transition caused by executing the passed vnode
+          (<parameter>vp</parameter>).  This call occurs when a
+          process executes the passed vnode and one of the policies
+          returns a success from the
+          <function>mpo_execve_will_transition</function> entry point.
+          Policies may choose to implement this call simply by
+          invoking <function>mpo_create_subject</function> and passing
+          the two subject credentials so as not to implement a
+          transitioning event.  Policies should not leave this entry
+          point unimplemented if they implement
+          <function>mpo_create_subject</function>, even if they do not
+          implement
+          <function>mpo_execve_will_transition</function>.</para>
+      </sect3>
+
+      <sect3 id="mac-mpo-execve-will-transition">
+        <title><function>&mac.mpo;_execve_will_transition</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>int
+              <function>&mac.mpo;_execve_will_transition</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>old</parameter></paramdef>
+            <paramdef>struct vnode
+              *<parameter>vp</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>vnodelabel</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>old</parameter></entry>
+                <entry>Subject credential prior to
+                    &man.execve.2;</entry>
+                <entry>Immutable</entry>
+              </row>
+
+              <row>
+                <entry><parameter>vp</parameter></entry>
+                <entry>File to execute</entry>
+              </row>
+
+              <row>
+                <entry><parameter>vnodelabel</parameter></entry>
+                <entry>Policy label for
+                  <parameter>vp</parameter></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Determine whether the policy will want to perform a
+          transition event as a result of the execution of the passed
+          vnode by the passed subject credential.  Return
+          <returnvalue>1</returnvalue> if a transition is required,
+          <returnvalue>0</returnvalue> if not.  Even if a policy
+          returns <returnvalue>0</returnvalue>, it should behave
+          correctly in the presence of an unexpected invocation of
+          <function>mpo_execve_transition</function>, as that call may
+          happen as a result of another policy requesting a
+          transition.</para>
+      </sect3>
+
+      <sect3 id="mac-mpo-create-proc0">
+        <title><function>&mac.mpo;_create_proc0</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>void
+              <function>&mac.mpo;_create_proc0</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>cred</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>cred</parameter></entry>
+                <entry>Subject credential to be filled in</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Create the subject credential of process 0, the parent
+          of all kernel processes.</para>
+      </sect3>
+
+      <sect3 id="mac-mpo-create-proc1">
+        <title><function>&mac.mpo;_create_proc1</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>void
+              <function>&mac.mpo;_create_proc1</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>cred</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>cred</parameter></entry>
+                <entry>Subject credential to be filled in</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Create the subject credential of process 1, the parent
+          of all kernel processes.</para>
+      </sect3>
+
+      <sect3 id="mac-mpo-relabel-subject">
+        <title><function>&mac.mpo;_relabel_subject</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>void
+              <function>&mac.mpo;_relabel_subject</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>cred</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>newlabel</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>cred</parameter></entry>
+                <entry>Subject credential</entry>
+              </row>
+
+              <row>
+                <entry><parameter>newlabel</parameter></entry>
+                <entry>Label update to apply to
+                  <parameter>cred</parameter></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Update the label on a subject credential from the passed
+          update label.</para>
+      </sect3>
+    </sect2>
+
     <sect2 id="mac-access-control-checks">
       <title>Access Control Checks</title>
 
       <para>Access control checks are implemented as checks
         supplementary to existing Unix permissions.</para>
 
+      <sect3 id="mac-mpo-bpfdesc-check-receive-from-ifnet">
+        <title><function>&mac.mpo;_bpfdesc_check_receive_from_ifnet</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>int
+              <function>&mac.mpo;_bpfdesc_check_receive_from_ifnet</function></funcdef>
+
+            <paramdef>struct bpf_d
+              *<parameter>bpf_d</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>bpflabel</parameter></paramdef>
+            <paramdef>struct ifnet
+              *<parameter>ifnet</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>ifnetlabel</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>bpf_d</parameter></entry>
+                <entry>Subject; BPF descriptor</entry>
+              </row>
+
+              <row>
+                <entry><parameter>bpflabel</parameter></entry>
+                <entry>Policy label for
+                  <parameter>bpf_d</parameter></entry>
+              </row>
+
+              <row>
+                <entry><parameter>ifnet</parameter></entry>
+                <entry>Object; network interface</entry>
+              </row>
+
+              <row>
+                <entry><parameter>ifnetlabel</parameter></entry>
+                <entry>Policy label for
+                  <parameter>ifnet</parameter></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Determine whether the MAC framework should permit
+          datagrams from the passed interface to be delivered to the
+          buffers of the passed BPF descriptor.  Return
+          (<returnvalue>0</returnvalue>) for success, or an
+          <varname>errno</varname> value for failure Suggested
+          failure: <errorcode>EACCES</errorcode> for label mismatches,
+          <errorcode>EPERM</errorcode> for lack of privilege.</para>
+      </sect3>
+
+      <sect3 id="mac-mpo-cred-check-bind-socket">
+        <title><function>&mac.mpo;_cred_check_bind_socket</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>int
+              <function>&mac.mpo;_cred_check_bind_socket</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>cred</parameter></paramdef>
+            <paramdef>struct socket
+              *<parameter>socket</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>socketlabel</parameter></paramdef>
+            <paramdef>struct sockaddr
+              *<parameter>sockaddr</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>cred</parameter></entry>
+                <entry>Subject credential</entry>
+              </row>
+
+              <row>
+                <entry><parameter>socket</parameter></entry>
+                <entry>Socket to be bound</entry>
+              </row>
+
+              <row>
+                <entry><parameter>socketlabel</parameter></entry>
+                <entry>Policy label for
+                  <parameter>socket</parameter></entry>
+              </row>
+
+              <row>
+                <entry><parameter>sockaddr</parameter></entry>
+                <entry>Address of
+                  <parameter>socket</parameter></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+      </sect3>
+
+      <sect3 id="mac-mpo-cred-check-connect-socket">
+        <title><function>&mac.mpo;_cred_check_connect_socket</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>int
+              <function>&mac.mpo;_cred_check_connect_socket</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>cred</parameter></paramdef>
+            <paramdef>struct socket
+              *<parameter>socket</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>socketlabel</parameter></paramdef>
+            <paramdef>struct sockaddr
+              *<parameter>sockaddr</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+
+            <tbody>
+              <row>
+                <entry><parameter>cred</parameter></entry>
+                <entry>Subject credential</entry>
+              </row>
+
+              <row>
+                <entry><parameter>socket</parameter></entry>
+                <entry>Socket to be connected</entry>
+              </row>
+
+              <row>
+                <entry><parameter>socketlabel</parameter></entry>
+                <entry>Policy label for
+                  <parameter>socket</parameter></entry>
+              </row>
+
+              <row>
+                <entry><parameter>sockaddr</parameter></entry>
+                <entry>Address of
+                  <parameter>socket</parameter></entry>
+              </row>
+            </tbody>            
+          </tgroup>
+        </informaltable>
+
+        <para>Determine whether the subject credential
+          (<parameter>cred</parameter>) can connect the passed socket
+          (<parameter>socket</parameter>) to the passed socket address
+          (<parameter>sockaddr</parameter>).  Return
+          <returnvalue>0</returnvalue> for success, or an
+          <varname>errno</varname> value for failure.  Suggested
+          failure: <errorcode>EACCES</errorcode> for label mismatches,
+          <errorcode>EPERM</errorcode> for lack of privilege.</para>
+      </sect3>
+
+      <sect3>
+        <title><function>&mac.mpo;_cred_check_see_cred</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>int
+              <function>&mac.mpo;_cred_check_see_cred</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>u1</parameter></paramdef>
+            <paramdef>struct ucred
+              *<parameter>u2</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>u1</parameter></entry>
+                <entry>Subject credential</entry>
+              </row>
+
+              <row>
+                <entry><parameter>u2</parameter></entry>
+                <entry>Object credential</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Determine whether the subject credential
+          <parameter>u1</parameter> can <quote>see</quote> other
+          subjects with the passed subject credential
+          <parameter>u2</parameter>.  Return
+          <returnvalue>0</returnvalue> for success, or an
+          <varname>errno</varname> value for failure.  Suggested
+          failure: <errorcode>EACCES</errorcode> for label mismatches,
+          <errorcode>EPERM</errorcode> for lack of privilege, or
+          <errorcode>ESRCH</errorcode> to hide visibility.  This call
+          may be made in a number of situations, including
+          inter-process status sysctls used by <command>ps</command>,
+          and in procfs lookups.</para>
+      </sect3>
+
+      <sect3 id="mac-mpo-cred-check-see-socket">
+        <title><function>&mac.mpo;_cred_check_see_socket</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>int
+              <function>&mac.mpo;_cred_check_see_socket</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>cred</parameter></paramdef>
+            <paramdef>struct socket
+              *<parameter>socket</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>socketlabel</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>cred</parameter></entry>
+                <entry>Subject credential</entry>
+              </row>
+
+              <row>
+                <entry><parameter>socket</parameter></entry>
+                <entry>Object; socket</entry>
+              </row>
+
+              <row>
+                <entry><parameter>socketlabel</parameter></entry>
+                <entry>Policy label for
+                  <parameter>socket</parameter></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+      </sect3>
+
+      <sect3 id="mac-mpo-cred-check-relabel-ifnet">
+        <title><function>&mac.mpo;_cred_check_relabel_ifnet</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>int
+              <function>&mac.mpo;_cred_check_relabel_ifnet</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>cred</parameter></paramdef>
+            <paramdef>struct ifnet
+              *<parameter>ifnet</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>ifnetlabel</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>newlabel</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>cred</parameter></entry>
+                <entry>Subject credential</entry>
+              </row>
+
+              <row>
+                <entry><parameter>ifnet</parameter></entry>
+                <entry>Object; network interface</entry>
+              </row>
+
+              <row>
+                <entry><parameter>ifnetlabel</parameter></entry>
+                <entry>Existing policy label for
+                  <parameter>ifnet</parameter></entry>
+              </row>
+
+              <row>
+                <entry><parameter>newlabel</parameter></entry>
+                <entry>Policy label update to later be applied to
+                  <parameter>ifnet</parameter></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Determine whether the subject credential can relabel the
+          passed network interface to the passed label update.</para>
+      </sect3>
+
+      <sect3 id="mac-mpo-cred-check-relabel-socket">
+        <title><function>&mac.mpo;_cred_check_relabel_socket</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>int
+              <function>&mac.mpo;_cred_check_relabel_socket</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>cred</parameter></paramdef>
+            <paramdef>struct socket
+              *<parameter>socket</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>socketlabel</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>newlabel</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>cred</parameter></entry>
+                <entry>Subject credential</entry>
+              </row>
+
+              <row>
+                <entry><parameter>socket</parameter></entry>
+                <entry>Object; socket</entry>
+              </row>
+
+              <row>
+                <entry><parameter>socketlabel</parameter></entry>
+                <entry>Existing policy label for
+                  <parameter>socket</parameter></entry>
+              </row>
+
+              <row>
+                <entry><parameter>newlabel</parameter></entry>
+                <entry>Label update to later be applied to
+                  <parameter>socketlabel</parameter></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Determine whether the subject credential can relabel the
+          passed socket to the passed label update.</para>
+      </sect3>
+
       <sect3 id="mac-mpo-cred-check-relabel-subject">
         <title><function>&mac.mpo;_cred_check_relabel_subject</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
-              <function>&mac.mpo;_cred_check_relabel_subject</function>
-            </funcdef>
+              <function>&mac.mpo;_cred_check_relabel_subject</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
@@ -2890,50 +3521,101 @@
         <informaltable>
           <tgroup cols="3">
             &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>cred</parameter></entry>
+                <entry>Subject credential</entry>
+              </row>
 
+              <row>
+                <entry><parameter>newlabel</parameter></entry>
+                <entry>Label update to later be applied to
+                  <parameter>cred</parameter></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Determine whether the subject credential can relabel
+          itself to the passed label update.</para>
+      </sect3>
+
+      <sect3 id="mac-mpo-cred-check-relabel-vnode">
+        <title><function>&mac.mpo;_cred_check_relabel_vnode</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>int
+             <function>&mac.mpo;_cred_check_relabel_vnode</function></funcdef>
+
+            <paramdef>struct ucred
+             *<parameter>cred</parameter></paramdef>
+            <paramdef>struct vnode
+              *<parameter>vp</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>vnodelabel</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>newlabel</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
                 <entry>Subject credential</entry>
+                <entry>Immutable</entry>
               </row>
 
               <row>
-                <entry><parameter>newlabel</parameter</entry>
-                <entry>New label to apply to subject</entry>
+                <entry><parameter>vp</parameter></entry>
+                <entry>Object; vnode</entry>
+                <entry>Locked</entry>
+              </row>
+
+              <row>
+                <entry><parameter>vnodelabel</parameter></entry>
+                <entry>Existing policy label for
+                  <parameter>vp</parameter></entry>
+              </row>
+
+              <row>
+                <entry><parameter>newlabel</parameter></entry>
+                <entry>Policy label update to later be applied to
+                  <parameter>vp</parameter></entry>
+              </row>
             </tbody>
           </tgroup>
         </informaltable>
 
-        <para>This policy operation is intended to determine whether a
-          subject should be allowed to change its label.  Generally,
-          this is implemented by checking if the subject would be
-          upgrading its own privilege by making the requested change,
-          and denying (returning typically
-          <errorcode>EPERM</errorcode>) the request if so.</para>
+        <para>Determine whether the subject credential can relabel the
+          passed vnode to the passed label update.</para>
       </sect3>
 
-      <sect3 id="mac-mpo-cred-check-statfs">
-        <title><function>&mac.mpo;_cred_check_statfs</function</title>
+      <sect3 id="mpo-cred-check-statfs">
+        <title><function>&mac.mpo;_cred_check_statfs</function></title>
 
         <funcsynopsis>
           <funcprototype>
-            <funcdef>int
-              <function>&mac.mpo;_cred_check_statfs</function>
-            </funcdef>
+            <funcdef>int <function>&mac.mpo;_cred_check_statfs</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
             <paramdef>struct mount
               *<parameter>mp</parameter></paramdef>
             <paramdef>struct label
-              *<parameter>mntlabel</parameter></paramdef>
+              *<parameter>mountlabel</parameter></paramdef>
           </funcprototype>
         </funcsynopsis>
 
         <informaltable>
           <tgroup cols="3">
             &mac.thead;
-
+            
             <tbody>
               <row>
                 <entry><parameter>cred</parameter></entry>
@@ -2942,29 +3624,28 @@
 
               <row>
                 <entry><parameter>mp</parameter></entry>
-                <entry>Object; file system mount point</entry>
+                <entry>Object; file system mount</entry>
               </row>
 
               <row>
-                <entry><parameter>mntlabel</parameter></entry>
-                <entry>Object label</entry>
+                <entry><parameter>mountlabel</parameter></entry>
+                <entry>Policy label for
+                  <parameter>mp</parameter></entry>
+              </row>
             </tbody>
           </tgroup>
         </informaltable>
 
-        <para>This policy operation is intended to determine whether a
-          specified subject should be allowed to retrieve file system
-          statistics information.  Generally a policy module
-          implementing this operation would compare the subject label
-          (<varname>cred->cr_label</varname>) to the object label
-          (<varname>mntlabel</varname>) and return
-          <literal>0</literal> if the subject is to be granted the
-          information requested, and <errorcode>EACCES</errorcode>
-          otherwise.</para>
-
-        <note><para>Figure out a scenario where using
-            <parameter>mp</parameter> is immenently practical, especially
-            for use in the sample module.</para></note>
+        <para>Determine whether the subject credential can see the
+          results of a statfs performed on the file system.  Return
+          <returnvalue>0</returnvalue> for success, or an
+          <varname>errno</varname> value for failure.  Suggested
+          failure: <errorcode>EACCES</errorcode> for label mismatches
+          or <errorcode>EPERM</errorcode> for lack of privilege.  This
+          call may be made in a number of situations, including during
+          invocations of &man.statfs.2; and related calls, as well as to
+          determine what file systems to exclude from listings of file
+          systems, such as when &man.getfsstat.2; is invoked. </para>
       </sect3>
 
       <sect3 id="mac-mpo-cred-check-debug-proc">
@@ -2973,11 +3654,1390 @@
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
-              <function>&mac.mpo;_cred_check_debug_proc</function>
-            </funcdef>
+              <function>&mac.mpo;_cred_check_debug_proc</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>cred</parameter></paramdef>
+            <paramdef>struct proc
+              *<parameter>proc</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>cred</parameter></entry>
+                <entry>Subject credential</entry>
+                <entry>Immutable</entry>
+              </row>
+
+              <row>
+                <entry><parameter>proc</parameter></entry>
+                <entry>Object; process</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Determine whether the subject credential can debug the
+          passed process.  Return <returnvalue>0</returnvalue> for
+          success, or an <varname>errno</varname> value for failure.
+          Suggested failure: <errorcode>EACCES</errorcode> for label
+          mismatch, <errorcode>EPERM</errorcode> for lack of
+          privilege, or <errorcode>ESRCH</errorcode> to hide
+          visibility of the target.  This call may be made in a number
+          of situations, including use of the &man.ptrace.2; and
+          &man.ktrace.2; APIs, as well as for some types of procfs
+          operations.</para>
+      </sect3>
+
+      <sect3 id="mac-mpo-cred-check-access-vnode">
+        <title><function>&mac.mpo;_cred_check_access_vnode</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>int
+              <function>&mac.mpo;_cred_check_access_vnode</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>cred</parameter></paramdef>
+            <paramdef>struct vnode
+              *<parameter>vp</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>label</parameter></paramdef>
+            <paramdef>int <parameter>flags</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>cred</parameter></entry>
+                <entry>Subject credential</entry>
+              </row>
+
+              <row>
+                <entry><parameter>vp</parameter></entry>
+                <entry>Object; vnode</entry>
+              </row>
+
+              <row>
+                <entry><parameter>label</parameter></entry>
+                <entry>Policy label for
+                  <parameter>vp</parameter></entry>
+              </row>
+
+              <row>
+                <entry><parameter>flags</parameter></entry>
+                <entry>&man.access.2; flags</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Determine how invocations of &man.access.2; and related
+          calls by the subject credential should return when performed
+          on the passed vnode using the passed access flags.  Return
+          <returnvalue>0</returnvalue> for success, or an
+          <varname>errno</varname> value for failure.  Suggested
+          failure: <errorcode>EACCES</errorcode> for label mismatches
+          or <errorcode>EPERM</errorcode> for lack of
+          privilege.</para>
+      </sect3>
+
+      <sect3 id="mac-mpo-cred-check-chdir-vnode">
+        <title><function>&mac.mpo;_cred_check_chdir_vnode</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>int
+              <function>&mac.mpo;_cred_check_chdir_vnode</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>cred</parameter></paramdef>
+            <paramdef>struct vnode
+              *<parameter>dvp</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>dlabel</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+            
+            <tbody>
+              <row>
+                <entry><parameter>cred</parameter></entry>
+                <entry>Subject credential</entry>
+              </row>
+
+              <row>
+                <entry><parameter>dvp</parameter></entry>
+                <entry>Object; vnode to &man.chdir.2; into</entry>
+              </row>
+
+              <row>
+                <entry><parameter>dlabel</parameter></entry>
+                <entry>Policy label for
+                  <parameter>dvp</parameter></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Determine whether the subject credential can change the
+          process working directory to the passed vnode.  Return
+          <returnvalue>0</returnvalue> for success, or an
+          <varname>errno</varname> value for failure.  Suggested
+          failure: <errorcode>EACCES</errorcode> for label mismatch,
+          or <errorcode>EPERM</errorcode> for lack of
+          privilege.</para>
+      </sect3>
+
+      <sect3 id="mac-mpo-cred-check-create-vnode">
+        <title><function>&mac.mpo;_cred_check_create_vnode</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>int
+              <function>&mac.mpo;_cred_check_create_vnode</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>cred</parameter></paramdef>
+            <paramdef>struct vnode
+              *<parameter>dvp</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>dlabel</parameter></paramdef>
+            <paramdef>struct componentname
+              *<parameter>cnp</parameter></paramdef>

>>> TRUNCATED FOR MAIL (1000 lines) <<<

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe p4-projects" in the body of the message