From owner-p4-projects  Wed Aug  7 13:53:32 2002
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 3F0F437B401; Wed,  7 Aug 2002 13:53:17 -0700 (PDT)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B434E37B400
	for <perforce@freebsd.org>; Wed,  7 Aug 2002 13:53:16 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 51F9B43E70
	for <perforce@freebsd.org>; Wed,  7 Aug 2002 13:53:16 -0700 (PDT)
	(envelope-from chris@freebsd.org)
Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g77KrGJU066919
	for <perforce@freebsd.org>; Wed, 7 Aug 2002 13:53:16 -0700 (PDT)
	(envelope-from chris@freebsd.org)
Received: (from perforce@localhost)
	by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g77KrFoJ066916
	for perforce@freebsd.org; Wed, 7 Aug 2002 13:53:15 -0700 (PDT)
Date: Wed, 7 Aug 2002 13:53:15 -0700 (PDT)
Message-Id: <200208072053.g77KrFoJ066916@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: perforce set sender to chris@freebsd.org using -f
From: Chris Costello <chris@FreeBSD.org>
Subject: PERFORCE change 15659 for review
To: Perforce Change Reviews <perforce@freebsd.org>
Sender: owner-p4-projects@FreeBSD.ORG
Precedence: bulk
List-ID: <p4-projects.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20p4-projects>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20p4-projects>
X-Loop: FreeBSD.ORG

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15659

Change 15659 by chris@chris_holly on 2002/08/07 13:52:26

	o Clarify create_root_mount vs. create_mount
	o Minor spelling and markup fixes
	o Fix one entry point missed in the action_object -> object_action
	  thing
	o Note that the access(2) checks should be the same as in
	  mpo_check_open.
	o Make note of race conditions involved in dealing with UIO_USERSPACE
	  uio, and that the `uio' parameter to mpo_check_setextattr might be
	  NULL.
	o Add some man page references.
	o `_' is an illegal character for section ids.
	o Add mpo_check_socket_visible.

Affected files ...

.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#12 edit

Differences ...

==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#12 (text+ko) ====

@@ -1336,8 +1336,7 @@
 
         <para>Fill out the labels on the mount point being created by
           the passed subject credential.  This call will be made when
-          a new file system is mounted, other than the root file
-          system.</para>
+          a new file system is mounted.</para>
       </sect3>
 
       <sect3 id="mac-mpo-create-root-mount">
@@ -1374,7 +1373,8 @@
 
         <para>Fill out the labels on the mount point being created by
           the passed subject credential.  This call will be made when
-          the root file system is mounted.</para>
+          the root file system is mounted, after
+          &mac.mpo;_create_mount;.</para>
       </sect3>
 
       <sect3 id="mac-mpo-vnode-relabel">
@@ -1906,7 +1906,7 @@
 
               <row>
                 <entry><parameter>newsocket</parameter></entry>
-                <entry>Object; phild socket; incoming connection</entry>
+                <entry>Object; child socket; incoming connection</entry>
               </row>
 
               <row>
@@ -3248,13 +3248,14 @@
 
       </sect3>
 
-      <sect3 id="mac-mpo-cred-check-connect-socket">
-        <title><function>&mac.mpo;_check_connect_socket</function></title>
+
+      <sect3 id="mac-mpo-cred-check-socket-connect">
+        <title><function>&mac.mpo;_check_socket_connect</function></title>
 
         <funcsynopsis>
           <funcprototype>
             <funcdef>int
-              <function>&mac.mpo;_check_connect_socket</function></funcdef>
+              <function>&mac.mpo;_check_socket_connect</function></funcdef>
 
             <paramdef>struct ucred
               *<parameter>cred</parameter></paramdef>
@@ -3744,8 +3745,10 @@
 
         <para>Determine how invocations of &man.access.2; and related
           calls by the subject credential should return when performed
-          on the passed vnode using the passed access flags.  Return
-          <returnvalue>0</returnvalue> for success, or an
+          on the passed vnode using the passed access flags.  This
+          should generally be implemented using the same semantics
+          used in <function>&mac.mpo;_check_vnode_open</function>.
+          Return <returnvalue>0</returnvalue> for success, or an
           <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatches
           or <errorcode>EPERM</errorcode> for lack of
@@ -4649,7 +4652,7 @@
         <para>Determine whether the subject credential can revoke
           access to the passed vnode.  Return
           <returnvalue>0</returnvalue> for success, or an
-          <errorcode>errno</errorcode> value for failure. Suggested
+          <varname>errno</varname> value for failure. Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
@@ -4784,9 +4787,14 @@
           extended attribute of passed name and passed namespace on
           the passed vnode.  Policies implementing security labels
           backed into extended attributes may want to provide
-          additional protections for those attributes.  Return
-          <returnvalue>0</returnvalue> for success, or an
-          <varname>errno</varname> value for failure.  Suggested
+          additional protections for those attributes.  Additionally,
+          policies should avoid making decisions based on the data
+          referenced from <parameter>uio</parameter>, as there is a
+          potential race condition between this check and the actual
+          operation.  The <parameter>uio</parameter> may also be
+          <literal>NULL</literal> if a delete operation is being
+          performed.  Return <returnvalue>0</returnvalue> for success,
+          or an <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
@@ -5009,12 +5017,12 @@
 
               <row>
                 <entry><parameter>atime</parameter></entry>
-                <entry>Access time</entry>
+                <entry>Access time; see &man.utimes.2;</entry>
               </row>
 
               <row>
                 <entry><parameter>mtime</parameter></entry>
-                <entry>Modification time</entry>
+                <entry>Modification time; see &man.utimes.2;</entry>
               </row>
             </tbody>
           </tgroup>
@@ -5069,9 +5077,11 @@
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           <errorcode>EPERM</errorcode> for lack of privilege, or
           <errorcode>ESRCH</errorcode> to limit visibility.</para>
+
+        <para>See &man.setpriority.2; for more information.</para>
       </sect3>
 
-      <sect3 id="mac-mpo-cred-check-proc_signal">
+      <sect3 id="mac-mpo-cred-check-proc-signal">
         <title><function>&mac.mpo;_check_proc_signal</function></title>
 
         <funcsynopsis>
@@ -5104,7 +5114,7 @@
 
               <row>
                 <entry><parameter>signal</parameter></entry>
-                <entry>Signal; see &man.sigaction.2;</entry>
+                <entry>Signal; see &man.kill.2;</entry>
               </row>
             </tbody>
           </tgroup>
@@ -5163,10 +5173,12 @@
         <para>Determine whether the subject credential can
           <function>stat</function> the passed vnode.  Return
           <returnvalue>0</returnvalue> for success, or an
-          <varname>errno</varname> value for failure. Suggested
+          <varname>errno</varname> value for failure.  Suggested
           failure: <errorcode>EACCES</errorcode> for label mismatch,
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
+
+        <para>See &man.stat.2; for more information.</para>
       </sect3>
 
       <sect3 id="mac-mpo-cred-check-ifnet-transmit">
@@ -5297,6 +5309,59 @@
           or <errorcode>EPERM</errorcode> for lack of
           privilege.</para>
       </sect3>
+
+      <sect3 id="mac-mpo-check-socket-visible">
+        <title><function>&mac.mpo;_check_socket_visible</function></title>
+
+        <funcsynopsis>
+          <funcprototype>
+            <funcdef>int
+              <function>&mac.mpo;_check_socket_visible</function></funcdef>
+
+            <paramdef>struct ucred
+              *<parameter>cred</parameter></paramdef>
+            <paramdef>struct socket
+              *<parameter>so</parameter></paramdef>
+            <paramdef>struct label
+              *<parameter>socketlabel</parameter></paramdef>
+          </funcprototype>
+        </funcsynopsis>
+
+        <informaltable>
+          <tgroup cols="3">
+            &mac.thead;
+
+            <tbody>
+              <row>
+                <entry><parameter>cred</parameter></entry>
+                <entry>Subject credential</entry>
+                <entry>Immutable</entry>
+              </row>
+
+              <row>
+                <entry><parameter>so</parameter></entry>
+                <entry>Object; socket</entry>
+              </row>
+
+              <row>
+                <entry><parameter>socketlabel</parameter></entry>
+                <entry>Policy label for
+                  <parameter>so</parameter></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>Determine whether the subject credential cred can "see"
+          the passed socket (<parameter>socket</parameter>) using
+          system monitoring functions, such as those employed by
+          &man.netstat.8; and &man.sockstat.1;.  Return
+          <returnvalue>0</returnvalue> for success, or an
+          <varname>errno</varname> value for failure.  Suggested
+          failure: <errorcode>EACCES</errorcode> for label mismatches,
+          <errorcode>EPERM</errorcode> for lack of privilege, or
+          <errorcode>ESRCH</errorcode> to hide visibility.</para>
+      </sect3>
     </sect2>
   </sect1>
 </chapter>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe p4-projects" in the body of the message