Date: Thu, 24 Oct 2002 09:26:54 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 20044 for review Message-ID: <200210241626.g9OGQsqV009274@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=20044 Change 20044 by rwatson@rwatson_tislabs on 2002/10/24 09:26:36 Manually merge mac.9 man page changes from the merge of this manual to the main tree. Update cross-references, remove per-entry-point documentation (this is now in the Developer's Handbook chapter on the MAC Framework), and bring in the credits section. Affected files ... .. //depot/projects/trustedbsd/mac/share/man/man9/mac.9#10 edit Differences ... ==== //depot/projects/trustedbsd/mac/share/man/man9/mac.9#10 (text+ko) ==== @@ -34,7 +34,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ +.\" $FreeBSD: src/share/man/man9/mac.9,v 1.1 2002/10/21 23:51:18 rwatson Exp $ .\" .Dd February 16, 2002 .Os @@ -48,6 +48,7 @@ .Pp In the kernel configuration file: .Cd "options MAC" +.Cd "options MAC_DEBUG" .Sh DESCRIPTION .Ss Introduction The TrustedBSD mandatory access control framework permits dynamically 
@@ -141,205 +142,8 @@ the new entry points so that they may consistently enforce their policies. .Sh ENTRY POINTS -.Ss Authorizational -.Bl -tag -.It Ft int Fn mac_bpfdesc_check_receive_from_ifnet "struct bpf_d *bpf_d" "struct ifnet *ifnet" -Called in -.Xr bpf_tap 9 -before allowing -.Xr catchpacket 9 . -(Not called in -.Xr bpf_mtap 9 -before allowing -.Xr catchpacket 9 ?) -.It Ft int Fn mac_cred_check_access_vnode "struct ucred *cred" "struct vnode *vp" "int flags" -Called in -.Xr vn_access 9 -before checking -.Xr VOP_ACCESS 9 . -.It Ft int Fn mac_cred_check_bind_socket "struct ucred *cred" "struct socket *so" "struct sockaddr *sa" -Called in -.Xr bind 9 -before allowing -.Xr sobind 9 . -.It Ft int Fn mac_cred_check_chdir_vnode "struct ucred *cred" "struct vnode *dvp" -Called in -.Xr chdir 9 -via -.Xr change_dir 9 -and in -.Xr fchdir 9 . -.It Ft int Fn mac_cred_check_connect_socket "struct ucred *cred" "struct socket *so" "struct sockaddr *sa" -Called in -.Xr connect 9 -before allowing -.Xr soconnect 9 . -.It Ft int Fn mac_cred_check_create_vnode "struct ucred *cred" "struct vnode *dvp" "struct vattr *vap" -Called in -.Xr unp_bind 9 -before -.Xr VOP_CREATE 9 , -.Xr symlink 9 -before -.Xr VOP_SYMLINK 9 , -.Xr vn_mkdir 9 -before -.Xr VOP_MKDIR 9 , -.Xr vn_open_cred 9 -before -.Xr VOP_CREATE 9 , -and in -.Xr mknod 9 -and -.Xr mkfifo 9 -before -.Xr VOP_MKNOD 9 . -.It Ft int Fn mac_cred_check_deleteacl_vnode "struct ucred *cred" "struct vnode *vp" "acl_type_t type" -Called by -.Xr vacl_delete 9 -before -.Xr VOP_SETACL 9 . -.It Ft int Fn mac_cred_check_getacl_vnode "struct ucred *cred" "struct vnode *vp" "acl_type_t type" -Called by -.Xr vacl_get_acl 9 -before -.Xr VOP_GETACL 9 . -.It Ft int Fn mac_cred_check_getextattr_vnode "struct ucred *cred" "struct vnode *vp" "int attrnamespace" "const char *name" "struct uio *uio" -Called in -.Xr extattr_get_vp 9 -before calling -.Xr VOP_GETEXTATTR 9 . 
-.It Ft int Fn mac_cred_check_listen_socket "struct ucred *cred" "struct socket *socket" -Called in -.Xr listen 9 -before calling -.Xr solisten 9 . -.It Ft int Fn mac_cred_check_search_vnode "struct ucred *cred" "struct vnode *dvp" -Called in -.Xr getdents_common 9 , -.Xr linux_getcwd_scandir 9 , -.Xr svr4_sys_getdents64 9 , -.Xr svr4_sys_getdents 9 , -.Xr ibcs2_getdents 9 , -.Xr ibcs2_read 9 , -.Xr ogetdirentries 9 -and -.Xr getdirentries 9 -before calling -.Xr VOP_READDIR 9 . -Called in -.Xr lookup 9 -before calling -.Xr VOP_LOOKUP 9 . -.It Ft int Fn mac_cred_check_setacl_vnode "struct ucred *cred" "struct vnode *vp" "acl_type_t type" "struct acl *acl" -Called in -.Xr vacl_set_acl 9 -before calling -.Xr VOP_SETACL 9 . -.It Ft int Fn mac_cred_check_setextattr_vnode "struct ucred *cred" "struct vnode *vp" "int attrnamespace" "const char *name" "struct uio *uio" -Called in -.Xr extattr_set_vp 9 -and -.Xr extattr_delete_vp 9 -before calling -.Xr VOP_SETEXTATTR 9 . -.It Ft int Fn mac_cred_check_setflags_vnode "struct ucred *cred" "struct vnode *vp" "u_long flags" -Called in -.Xr setfflags 9 -before calling -.Xr VOP_SETATTR 9 . -.It Ft int Fn mac_cred_check_setmode_vnode "struct ucred *cred" "struct vnode *vp" "mode_t mode" -Called in -.Xr setfmode 9 -before calling -.Xr VOP_SETATTR 9 . -.It Ft int Fn mac_cred_check_setowner_vnode "struct ucred *cred" "struct vnode *vp" "uid_t uid" "gid_t gid" -Called in -.Xr setfown 9 -before calling -.Xr VOP_SETATTR 9 . -.It Ft int Fn mac_cred_check_setutimes_vnode "struct ucred *cred" "struct vnode *vp" "struct timespec atime" "struct timespec ctime" -Called in -.Xr setfown 9 -before calling -.Xr VOP_SETATTR 9 . -.It Ft int Fn mac_cred_check_stat_vnode "struct ucred *cred" "struct vnode *vp" -Called in -.Xr vn_stat 9 -before calling -.Xr VOP_GETATTR 9 . -.It Ft int Fn mac_cred_check_delete_vnode "struct ucred *cred" "struct vnode *dvp" "struct vnode *vp" -Called in the last component of -.Xr namei 9 -for all DELETE operations. 
-.It Ft int Fn mac_cred_check_rename_from_vnode "struct ucred *cred" "struct vnode *dvp" "struct vnode *vp" -Called in -.Xr rename 9 -after the -.Xr namei 9 -DELETE operation. -.It Ft int Fn mac_cred_check_rename_to_vnode "struct ucred *cred" "struct vnode *dvp" "struct vnode *vp" "int samedir" -Called in -.Xr rename 9 -after the -.Xr namei 9 -RENAME operation and before the -.Xr VOP_RENAME 9 . -.It Ft int Fn mac_cred_check_open_vnode "struct ucred *cred" "struct vnode *vp" "mode_t acc_mode" -Called by -.Xr fcntl 9 -in the F_SETFL case before allowing flags to be changed, by -.Xr truncate 9 -to mediate access to -.Xr VOP_SETATTR 9 -and -.Xr vn_open_cred 9 -when handling a non-O_CREAT vnode. -.It Ft int Fn mac_cred_check_revoke_vnode "struct ucred *cred" "struct vnode *vp" -Called by -.Xr revoke 9 -to mediate access to -.Xr VOP_REVOKE 9 . -.It Ft int Fn mac_cred_check_statfs "struct ucred *cred" "struct mount *mp" -Called by -.Xr osf1_statfs 9 , -.Xr osf1_fstatfs 9 , -.Xr osf1_getfsstat 9 , -.Xr linux_statfs 9 , -.Xr linux_fstatfs 9 , -.Xr linux_ustat 9 , -.Xr statfs 9 , -.Xr fstatfs 9 , -.Xr getfsstat 9 -and -.Xr fhstatfs 9 -before calling -.Xr VFS_STATFS 9 . -.El -.Ss Label-based -.Bl -tag -.It Ft int Fn mac_getsockopt_label_get "struct ucred *cred" "struct socket *so" "struct mac *extmac" -Called by -.Xr sogetopt 9 -in the SO_LABEL case. -.It Ft int Fn mac_getsockopt_peerlabel_get "struct ucred *cred" "struct socket *so" "struct mac *extmac" -Called by -.Xr sogetopt 9 -in the SO_PEERLABEL case. -.It Ft int Fn mac_getsockopt_label_set "struct ucred *cred" "struct socket *so" "struct mac *extmac" -Called by -.Xr sosetopt 9 -in the SO_LABEL case. -.It Ft int Fn mac_ioctl_ifnet_get "struct ucred *cred" "struct ifreq *ifr" "struct ifnet *ifnet" -Called by -.Xr ifhwioctl 9 -in the SIOCGIFMAC case. -.It Ft int Fn mac_ioctl_ifnet_set "struct ucred *cred" "struct ifreq *ifr" "struct ifnet *ifnet" -Called by -.Xr ifhwioctl 9 -in the SIOCSIFMAC case. 
-.El -.Pp +System service and module authors should reference the FreeBSD +Developer's Handbook for information on the MAC Framework APIs. .Sh SEE ALSO .Xr acl 3 , .Xr cap 3 , @@ -348,6 +152,7 @@ .Xr posix1e 3 , .Xr ucred 9 , .Xr vaccess 9 , +.Xr vaccess_acl_posix1e 9 , .Xr VFS 9 , .Rs .%T "FreeBSD Developers' Handbook" @@ -357,3 +162,42 @@ .Sh AUTHORS This man page was written by .An Robert Watson . +This software was contributed to the +.Fx +Project by Network Associates Laboratories, the Security Research +Division of Network Associates Inc. under DARPA/SPAWAR contract +N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research program. +.Pp +.An -nosplit +The TrustedBSD MAC Framework was designed by +.An Robert Watson , +and implemented by the Network Associates Laboratories Network Security +(NETSEC), Secure Execution Environement (SEE), and Adaptive +Network Defense research groups. +Network Associates Laboratory staff contributing to the CBOSS Project +include (in alphabetical order): +.An Lee Badger , +.An Brian Feldman , +.An Tim Fraser , +.An Doug Kilpatrick , +.An Suresh Krishnaswamy , +.An Adam Migus , +.An Wayne Morrison , +.An Chris Vance , +and +.An Robert Watson . +.Pp +Sub-contracted staff include: +.An Chris Costello , +.An Poul-Henning Kamp , +.An Jonathan Lemon , +.An Kirk McKusick , +.An Dag-Erling Smorgrav . +.Pp +Additional contributors include: +.An Chris Faulhaber , +.An Ilmar Habibulin , +.An Thomas Moestl , +and +.An Andrew Reiter . +.An -split To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
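Review bot: in the first hunk (@@ -34,7 +34,7 @@) the `.Dd February 16, 2002` line in the trailing context is left untouched even though this change removes the whole per-entry-point section and adds a kernel option to the SYNOPSIS; bump `.Dd` to the merge date so a reader can tell which state of the Framework the page describes. The same hunk also replaces the bare `$FreeBSD$` keyword with the literal string `$FreeBSD: src/share/man/man9/mac.9,v 1.1 2002/10/21 23:51:18 rwatson Exp $`, which freezes that CVS revision id in the Perforce copy of the file; confirm that carrying the expanded keyword is the intended convention for the trustedbsd/mac branch rather than keeping it unexpanded.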
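Review bot: the second hunk (@@ -48,6 +48,7 @@) adds `.Cd "options MAC_DEBUG"` to the SYNOPSIS without any accompanying text in DESCRIPTION saying what the option enables, what it costs, or whether it is meant for production kernels; add a sentence next to the existing `options MAC` description so someone configuring a kernel from this page knows whether to set it.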
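Review bot: the large removal hunk (@@ -141,205 +142,8 @@) deletes an unresolved coverage question along with the entry-point list: under `mac_bpfdesc_check_receive_from_ifnet` the old text read `(Not called in .Xr bpf_mtap 9 before allowing .Xr catchpacket 9 ?)`. If the check really is skipped on the `bpf_mtap` path, packets tapped from an mbuf would reach BPF descriptors without the policy being consulted, so either confirm that both `bpf_tap` and `bpf_mtap` invoke the check or carry the question into the Developer's Handbook chapter that the replacement sentence now points to, rather than dropping it silently. On the replacement itself, `.Sh ENTRY POINTS` is left with only `System service and module authors should reference the FreeBSD Developer's Handbook for information on the MAC Framework APIs.`; since the Handbook is already cited with `.Rs`/`.%T` in SEE ALSO, name the specific chapter (the MAC Framework chapter mentioned in the change description) so the pointer is actionable.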
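Review bot: in the AUTHORS hunk (@@ -357,3 +162,42 @@) the added line `(NETSEC), Secure Execution Environement (SEE), and Adaptive` misspells "Environment"; fix it before this is merged back to the main tree. Minor style point in the same hunk: the sub-contracted list ends `.An Kirk McKusick , .An Dag-Erling Smorgrav .` without the `and` that the other two name lists place before their final entry.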