Date: Sun, 18 Aug 2002 13:49:02 -0700 (PDT) From: Chris Costello <chris@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 16221 for review Message-ID: <200208182049.g7IKn2cG061156@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=16221 Change 16221 by chris@chris_holly on 2002/08/18 13:48:09 Run through sgml-indent-buffer Affected files ... .. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#14 edit Differences ... ==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#14 (text+ko) ==== @@ -41,17 +41,17 @@ <author> <firstname>Chris</firstname> <surname>Costello</surname> - + <affiliation> <orgname>TrustedBSD Project</orgname> <address><email>chris@FreeBSD.org</email></address> </affiliation> </author> - + <author> <firstname>Robert</firstname> <surname>Watson</surname> - + <affiliation> <orgname>TrustedBSD Project</orgname> <address><email>rwatson@FreeBSD.org</email></address> 
@@ -59,41 +59,41 @@ </author> </authorgroup> </chapterinfo> - + <title>Writing MAC Policies</title> - + <sect1 id="mac-synopsis"> <title>Synopsis</title> - + <para>MAC, or Mandatory Access Control, is a feature introduced by the TrustedBSD Project to supplement the existing standard DAC (Discreationary Access Control) policies of BSD Unix systems.</para> - + <para>This chapter introduces the MAC policy framework and provides documentation for a sample MAC policy module.</para> </sect1> - - - <sect1 id="mac-introduction"> - <title>Introduction</title> - - <para>The TrustedBSD MAC framework provides a mechanism to allow - the compile-time or run-time extension of the kernel access - control model. New system policies may be implemented as - kernel modules and linked to the kernel; if multiple policy - modules are present, their results will be composed. While the - framework is intended to support a variety of access control - models, its design was derived from the requirements of a set - of specific access control models required for the TrustedBSD - and CBOSS Projects. This includes support for fixed and - floating label Biba integrity policies, the MLS - confidentiality policy, the Type Enforcement rule-based access - control policy, and the ability to support layering of the NSA - FLASK framework above the TrustedBSD MAC framework. This - document describes the rough architecture of the framework, - with the understanding that this is a work-in-progress and may - change subtantially as requirements evolve.</para> - </sect1> + + + <sect1 id="mac-introduction"> + <title>Introduction</title> + + <para>The TrustedBSD MAC framework provides a mechanism to allow + the compile-time or run-time extension of the kernel access + control model. New system policies may be implemented as + kernel modules and linked to the kernel; if multiple policy + modules are present, their results will be composed. 
While the + framework is intended to support a variety of access control + models, its design was derived from the requirements of a set + of specific access control models required for the TrustedBSD + and CBOSS Projects. This includes support for fixed and + floating label Biba integrity policies, the MLS + confidentiality policy, the Type Enforcement rule-based access + control policy, and the ability to support layering of the NSA + FLASK framework above the TrustedBSD MAC framework. This + document describes the rough architecture of the framework, + with the understanding that this is a work-in-progress and may + change subtantially as requirements evolve.</para> + </sect1> <sect1 id="mac-kernel-arch"> <title>Kernel Architecture</title> 
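Review bot: the Introduction paragraph being re-indented in this hunk still carries the typo "may change subtantially as requirements evolve"; since every one of these lines is rewritten anyway, change it to "substantially" in the same commit. The Synopsis context just above it has the same kind of slip, "Discreationary Access Control", which should read "Discretionary Access Control".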
@@ -121,42 +121,42 @@ <para>...</para> </sect1> - - <sect1 id="mac-entry-point"> - <title>Entry Point Framework</title> - - <para>Four classes of entry points are offered to policies - registered with the framework: entry points associated with - the registration and management of policies, entry points - denoting initialization, creation, destruction, and other life - cycle events for kernel objects, events assocated with access - control decisions that the policy module may influence, and - calls associated with the management of labels on objects. In - addition, a <function>mac_syscall()</function> entry point is - provided so that policies may extend the kernel interface - without registering new system calls.</para> - - <para>Policy module writers should be aware of the kernel - locking strategy, as well as what object locks are available - during which entry points. Writers should attempt to avoid - deadlock scenarios by avoiding grabbing non-leaf locks inside - of entry points, and also follow the locking protocol for - object access and modification. In particular, writers should - be aware that while necessary locks to access objects and - their labels are generally held, sufficient locks to modify an - object or its label may not be present for all entry points. - Locking information for arguments is documented in the MAC - framework entry point document.</para> - - <para>Policy entry points will pass a reference to the object - label along with the object itself. This permits labeled - policies to be unaware of the internals of the object yet - still make decisions based on the label. The exception to this - is the process credential, which is assumed to be understood - by policies as a first class security object in the kernel. 
- Policies that do not implement labels on kernel objects will - be passed NULL pointers for label arguments to entry - points.</para> + + <sect1 id="mac-entry-point"> + <title>Entry Point Framework</title> + + <para>Four classes of entry points are offered to policies + registered with the framework: entry points associated with + the registration and management of policies, entry points + denoting initialization, creation, destruction, and other life + cycle events for kernel objects, events assocated with access + control decisions that the policy module may influence, and + calls associated with the management of labels on objects. In + addition, a <function>mac_syscall()</function> entry point is + provided so that policies may extend the kernel interface + without registering new system calls.</para> + + <para>Policy module writers should be aware of the kernel + locking strategy, as well as what object locks are available + during which entry points. Writers should attempt to avoid + deadlock scenarios by avoiding grabbing non-leaf locks inside + of entry points, and also follow the locking protocol for + object access and modification. In particular, writers should + be aware that while necessary locks to access objects and + their labels are generally held, sufficient locks to modify an + object or its label may not be present for all entry points. + Locking information for arguments is documented in the MAC + framework entry point document.</para> + + <para>Policy entry points will pass a reference to the object + label along with the object itself. This permits labeled + policies to be unaware of the internals of the object yet + still make decisions based on the label. The exception to this + is the process credential, which is assumed to be understood + by policies as a first class security object in the kernel. 
+ Policies that do not implement labels on kernel objects will + be passed NULL pointers for label arguments to entry + points.</para> <sect2 id="policy-module-registration"> <title>Policy Module Registration</title> @@ -183,7 +183,7 @@ (macop_t)mac_none_check_vnode_write }, { MAC_OP_LAST, NULL } };</programlisting> - + <para>The MAC policy entry point vector, <varname>mac_none_ops</varname> in this example, associates functions defined in the module with specific entry points. A @@ -244,24 +244,24 @@ </listitem> </varlistentry> </variablelist> - + <sect3 id="mac-mpo-init"> <title><function>&mac.mpo;_init</function</title> - + <funcsynopsis> <funcprototype> <funcdef>void <function>&mac.mpo;_init</function></funcdef> - + <paramdef>struct mac_policy_conf *<parameter>conf</parameter></paramdef> </funcprototype> </funcsynopsis> - + <informaltable> <tgroup cols="3"> &mac.thead; - + <tbody> <row> <entry><parameter>conf</parameter></entry> @@ -270,28 +270,28 @@ </tbody> </tgroup> </informaltable> - + <para>Policy load event. The policy list mutex is held, so caution should be applied.</para> </sect3> - + <sect3 id="mpo-destroy"> <title><function>&mac.mpo;_destroy</function></title> - + <funcsynopsis> <funcprototype> <funcdef>void <function>&mac.mpo;_destroy</function></funcdef> - + <paramdef>struct mac_policy_conf *<parameter>conf</parameter></paramdef> </funcprototype> </funcsynopsis> - + <informaltable> <tgroup cols="3"> &mac.thead; - + <tbody> <row> <entry><parameter>conf</parameter></entry> @@ -300,7 +300,7 @@ </tbody> </tgroup> </informaltable> - + <para>Policy load event. The policy list mutex is held, so caution should be applied.</para> </sect3> @@ -320,7 +320,7 @@ events, such as label events associated with IP reassembly. A typical labeled object will have the following life cycle of entry points:</para> - + <programlisting>Label initialization o (object-specific wait) \ Label creation o 
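Review bot: in the re-indented Entry Point Framework hunk (the -121,42 region), "events assocated with access control decisions" is misspelled; as the line is being rewritten, correct it to "associated". The rest of the hunk is whitespace-only and reads fine.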
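Review bot: in the -244,24 region the context line "<title><function>&mac.mpo;_init</function</title>" is missing the ">" on the closing function tag, so the title is not well-formed SGML and will trip the build; it should read "<title><function>&mac.mpo;_init</function></title>", matching the correctly formed "&mac.mpo;_destroy" title a few lines further down. Worth fixing here since the surrounding blank lines are already being touched.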
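Review bot: in the -300,7 region the description under "&mac.mpo;_destroy" still says "Policy load event. The policy list mutex is held, so caution should be applied.", copied verbatim from "_init"; it should say "Policy unload event." The locking caveat itself is correct and can stay as written.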
@@ -376,2073 +376,2073 @@ destroyed as with other label types, but the creation event is <symbol>MAC_INTERNALIZE</symbol>, which accepts a user label to be converted to an in-kernel representation.</para> - - <sect3 id="mac-fs-label-event-ops"> - <title>File System Object Labeling Event Operations</title> - - <sect4 id="mac-mpo-create-devfs-device"> - <title><function>&mac.mpo;_create_devfs_device</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_devfs_device</function></funcdef> - - <paramdef>dev_t <parameter>dev</parameter></paramdef> - <paramdef>struct devfs_dirent - *<parameter>devfs_dirent</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>dev</parameter></entry> - <entry>Device corresponding with - <parameter>devfs_dirent</parameter></entry> - </row> - - <row> - <entry><parameter>devfs_dirent</parameter></entry> - <entry>Devfs directory entry to be labeled.</entry> - </row> - - <row> - <entry><parameter>label</parameter></entry> - <entry>Label for <parameter>devfs_dirent</parameter> - to be filled in.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Fill out the label on a devfs_dirent being created for - the passed device. 
This call will be made when the device - file system is mounted, regenerated, or a new device is made - available.</para> - </sect4> - - <sect4 id="mac-mpo-create-devfs-directory"> - <title><function>&mac.mpo;_create_devfs_directory</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_devfs_directory</function></funcdef> - - <paramdef>char *<parameter>dirname</parameter></paramdef> - <paramdef>int <parameter>dirnamelen</parameter></paramdef> - <paramdef>struct devfs_dirent - *<parameter>devfs_dirent</parameter></paramdef> - <paramdef>struct label - *<parameter>label</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>dirname</parameter></entry> - <entry>Name of directory being created</entry> - </row> - - <row> - <entry><parameter>namelen</parameter></entry> - <entry>Length of string - <parameter>dirname</parameter></entry> - </row> - - <row> - <entry><parameter>devfs_dirent</parameter></entry> - <entry>Devfs directory entry for directory being - created.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Fill out the label on a devfs_dirent being created for - the passed directory. 
This call will be made when the device - file system is mounted, regenerated, or a new device - requiring a specific directory hierarchy is made - available.</para> - </sect4> - - <sect4 id="mac-mpo-create-devfs-vnode"> - <title><function>&mac.mpo;_create_devfs_vnode</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_devfs_vnode</function></funcdef> - - <paramdef>struct devfs_dirent - *<parameter>devfs_dirent</parameter></paramdef> - <paramdef>struct label - *<parameter>direntlabel</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>devfs_dirent</parameter></entry> - <entry>Object; devfs directory entry</entry> - </row> - - <row> - <entry><parameter>direntlabel</parameter></entry> - <entry>Policy label for - <parameter>devfs_dirent</parameter></entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; file system object being labeled</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label to be filled in for - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Fill out the label on the vnode being created for the - passed devfs_dirent. 
This call will be made when a vnode is - required to represent the specified devfs_dirent in a - mounted devfs instance.</para> - </sect4> - - <sect4 id="mac-mpo-vnode-create-from-vnode"> - <title><function>&mac.mpo;_vnode_create_from_vnode</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_vnode_create_from_vnode</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>parent</parameter></paramdef> - <paramdef>struct label - *<parameter>parentlabel</parameter></paramdef> - <paramdef>struct vnode - *<parameter>child</parameter></paramdef> - <paramdef>struct label - *<parameter>childlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>parent</parameter></entry> - <entry>Parent vnode; the directory in which - <parameter>child</parameter> is being - created</entry> - </row> - - <row> - <entry><parameter>parentlabel</parameter></entry> - <entry>Policy label for - <parameter>parent</parameter></entry> - </row> - - <row> - <entry><parameter>child</parameter></entry> - <entry>New vnode</entry> - </row> - - <row> - <entry><parameter>childlabel</parameter></entry> - <entry>Label to be filled in for - <parameter>child</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Fill out the label on the vnode being created in the - passed vnode parent by the passed subject credential. This - call will be made when a vnode is allocated during a vnode - creation operation. 
For example, this call is made by - multi-label file systems during the creation of a new file - or directory.</para> - </sect4> - - <sect4 id="mac-mpo-create-mount"> - <title><function>&mac.mpo;_create_mount</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_mount</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct mount - *<parameter>mp</parameter></paramdef> - <paramdef>struct label - *<parameter>mnt</parameter></paramdef> - <paramdef>struct label - *<parameter>fslabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>mp</parameter></entry> - <entry>Object; file system being mounted</entry> - </row> - - <row> - <entry><parameter>mntlabel</parameter></entry> - <entry>Policy label to be filled in for - <parameter>mp</parameter></entry> - </row> - - <row> - <entry><parameter>fslabel</parameter></entry> - <entry>Policy label for the file system - <parameter>mp</parameter> mounts.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Fill out the labels on the mount point being created by - the passed subject credential. 
This call will be made when - a new file system is mounted.</para> - </sect4> - - <sect4 id="mac-mpo-create-root-mount"> - <title><function>&mac.mpo;_create_root_mount</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_root_mount</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct mount - *<parameter>mp</parameter></paramdef> - <paramdef>struct label - *<parameter>mntlabel</parameter></paramdef> - <paramdef>struct label - *<parameter>fslabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry namest="first" nameend="last">See <xref - linkend="mac-mpo-create-mount">.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Fill out the labels on the mount point being created by - the passed subject credential. This call will be made when - the root file system is mounted, after - &mac.mpo;_create_mount;.</para> - </sect4> - - <sect4 id="mac-mpo-vnode-relabel"> - <title><function>&mac.mpo;_vnode_relabel</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_vnode_relabel</function></funcdef> - - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - <paramdef>struct label - *<parameter>newlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject credential</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>vnode to relabel</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Existing policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - 
<entry><parameter>newlabel</parameter></entry> - <entry>New, possibly partial label to replace - <parameter>vnodelabel</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the label on the passed vnode given the passed - update vnode label and the passed subject credential.</para> - </sect4> - - <sect4 id="mac-mpo-stdcreatevnode-ea"> - <title><function>&mac.mpo;_stdcreatevnode_ea</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_stdcreatevnode_ea</function></funcdef> - - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>vp</parameter></entry> - <entry>vnode to commit</entry> - <entry>Locked on entry, locked on exit</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Label associated with - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <!-- XXX extattr.9 probably needs updating... --> - <para>This entry point is called when a vnode is to be - committed to disk via the extended attribute service (see - &man.extattr.9;). If committing to the disk is successful, - a value of <returnvalue>0</returnvalue> should be returned; - otherwise, an appropriate error code should be - returned.</para> - - <note><para>The current implementation as of July 24, 2002 - commits the data to disk from within the architecture. 
- The implementation will be updated to be closer to the - above documentation as development progresses.</para></note> - </sect4> - - <sect4 id="mac-mpo-update-devfsdirent"> - <title><function>&mac.mpo;_update_devfsdirent</function></title> - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_update_devfsdirent</function></funcdef> - - <paramdef>struct devfs_dirent - *<parameter>devfs_dirent</parameter></paramdef> - <paramdef>struct label - *<parameter>direntlabel</parameter></paramdef> - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>devfs_dirent</parameter></entry> - <entry>Object; devfs directory entry</entry> - </row> - - <row> - <entry><parameter>direntlabel</parameter></entry> - <entry>Policy label for - <parameter>devfs_dirent</parameter> to be - updated.</entry> - </row> - - <row> - <entry><parameter>vp</parameter></entry> - <entry>Parent vnode</entry> - <entry>Locked</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the <parameter>devfs_dirent</parameter> label - from the passed devfs vnode label. This call will be made - when a devfs vnode has been successfully relabeled to commit - the label change such that it lasts even if the vnode is - recycled. 
It will also be made when when a symlink is - created in devfs, following a call to - <function>mac_vnode_create_from_vnode</function> to - initialize the vnode label.</para> - </sect4> - - <sect4 id="mac-mpo-update-procfsvnode"> - <title><function>&mac.mpo;_update_procfsvnode</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_update_procfsvnode</function></funcdef> - - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - <paramdef>struct ucred - *<parameter>cred</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; procfs vnode</entry> - <entry>Locked</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label to be filled in for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>cred</parameter></entry> - <entry>Subject; credential for the process - entry</entry> - <entry>Immutable</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the procfs vnode label from the passed subject - credential. 
This call will be made when an operation on a - procfs vnode requires a fresh label on a process-derived - vnode.</para> - </sect4> - - <sect4 id="mac-mpo-update-vnode-from-extattr"> - <title><function>&mac.mpo;_update_vnode_from_extattr</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_update_vnode_from_extattr</function></funcdef> - - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - <paramdef>struct mount - *<parameter>mp</parameter></paramdef> - <paramdef>struct label - *<parameter>fslabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode whose label is being updated</entry> - <entry>Locked</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label to refresh</entry> - </row> - - <row> - <entry><parameter>mp</parameter></entry> - <entry>Mount point for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>fslabel</parameter></entry> - <entry>Policy label for <parameter>vp</parameter>'s - file system.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the vnode label by refreshing the label data from - the extended attribute service for the vnode. The mount - point <parameter>fslabel</parameter> is also made available - so that the <parameter>fslabel</parameter> may be used as a - labeling source if fallback is appropriate for the policy. 
- This call is permitted to fail; if the call fails, the - associated label refresh will also fail, causing the failure - of the operation requiring the MAC check and vnode label - refresh, permitting a <quote>fail closed</quote> policy if - labeling data is not available.</para> - </sect4> - - <sect4 id="mac-mpo-update-from-externalized"> - <title><function>&mac.mpo;_update_from_externalized</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>int - <function>&mac.mpo;_update_from_externalized</function></funcdef> - - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - <paramdef>struct mac - *<parameter>extmac</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - <entry>Locked</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>extmac</parameter></entry> - <entry>Externalized MAC policy label</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the vnode label from the passed externalized - label loaded from disk by the MAC framework. This call is - permitted to fail; if the call fails, the associated label - refresh will also fail, causing the failure of the operation - requiring the MAC check and vnode label refresh, permitting - a <quote>fail closed</quote> policy if labeling data is not - available. 
This call will be obsoleted by the new extended - attribute labeling interface.</para> - </sect4> - - <sect4 id="mac-mpo-update-vnode-from-mount"> - <title><function>&mac.mpo;_update_vnode_from_mount</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_update_vnode_from_mount</function></funcdef> - - <paramdef>struct vnode - *<parameter>vp</parameter></paramdef> - <paramdef>struct label - *<parameter>vnodelabel</parameter></paramdef> - <paramdef>struct mount - *<parameter>mp</parameter></paramdef> - <paramdef>struct label - *<parameter>mountlabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> - <entry><parameter>vp</parameter></entry> - <entry>Object; vnode</entry> - <entry>Locked</entry> - </row> - - <row> - <entry><parameter>vnodelabel</parameter></entry> - <entry>Policy label for - <parameter>vp</parameter></entry> - </row> - - <row> - <entry><parameter>mp</parameter></entry> - <entry>Mount point where <parameter>vp</parameter> - resides</entry> - </row> - - <row> - <entry><parameter>fslabel</parameter></entry> - <entry>Policy label for the file system where - <parameter>vp</parameter> resides.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <para>Update the vnode label from the passed mount point - label. 
This call is made when a single label file system - vnode requires a label, or if the obsoleted MAC framework - externalized extended attribute read fails.</para> - </sect4> - </sect3> - - <sect3 id="mac-ipc-label-ops"> - <title>IPC Object Labeling Event Operations</title> - - <sect4 id="mac-mpo-create-mbuf-from-socket"> - <title><function>&mac.mpo;_create_mbuf_from_socket</function></title> - - <funcsynopsis> - <funcprototype> - <funcdef>void - <function>&mac.mpo;_create_mbuf_from_socket</function></funcdef> - - <paramdef>struct socket - *<parameter>so</parameter></paramdef> - <paramdef>struct label - *<parameter>socketlabel</parameter></paramdef> - <paramdef>struct mbuf *<parameter>m</parameter></paramdef> - <paramdef>struct label - *<parameter>mbuflabel</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - <informaltable> - <tgroup cols="3"> - &mac.thead; - - <tbody> - <row> >>> TRUNCATED FOR MAIL (1000 lines) <<< To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
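Review bot: the -376,2073 hunk re-indents 2073 lines and the mail is truncated at 1000, so a reviewer cannot confirm from this message that the change is whitespace-only as the description ("Run through sgml-indent-buffer") claims; please confirm with a whitespace-ignoring diff (p4 diff -dw or diff -w against the previous revision) that no non-whitespace text changed. While these lines are being rewritten, several pre-existing inconsistencies in them are worth picking up in the same pass: the prototype for "&mac.mpo;_create_devfs_directory" names the length parameter "dirnamelen" but its table row says "namelen"; "&mac.mpo;_create_mount" declares "struct label *mnt" in the prototype but documents "mntlabel" in the table; "&mac.mpo;_update_vnode_from_mount" declares "mountlabel" but the table documents "fslabel"; the "_create_root_mount" paragraph has a stray semicolon in "after &mac.mpo;_create_mount;." (the entity is "&mac.mpo;", so it should read "&mac.mpo;_create_mount."); and the "_update_devfsdirent" paragraph reads "when when a symlink is created", which should be "when a symlink is created". None of these affect indentation, but they should not survive a commit that rewrites every line they sit on.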
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200208182049.g7IKn2cG061156>