From owner-p4-projects Tue Jul 16 13:19:20 2002
Date: Tue, 16 Jul 2002 13:19:08 -0700 (PDT)
Message-Id: <200207162019.g6GKJ8q1071990@freefall.freebsd.org>
From: Chris Costello
Subject: PERFORCE change 14345 for review
To: Perforce Change Reviews
Sender: owner-p4-projects@FreeBSD.ORG

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14345

Change 14345 by chris@chris_holly on 2002/07/16 13:18:33

	Document the module event hooks.

Affected files ...

.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#5 edit

Differences ...

==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#5 (text+ko) ====
@@ -76,6 +76,106 @@ which supply policy modules with relevant data on a subject and the operation it is attempting to perform on an object. + + Policy Module Operations + + The MAC policy framework includes the ability for policies + to be compiled as separate loadable kernel modules. The + following structure is passed to the module operation + hooks: + + struct mac_policy_conf { + char *mpc_name; /* policy name */ + char *mpc_fullname; /* policy full name */ + struct mac_policy_ops mpc_ops; /* policy operations */ + struct mac_policy_op_entry *mpc_entries; /* ops to fill in */ + int mpc_loadtime_flags; /* flags */ + int *mpc_field_off; /* security field */ + int mpc_runtime_flags; /* flags */ + LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */ +}; + + + <function>mac_<replaceable>policy</replaceable>_init</function + + + + static void + mac_policy_init + + + struct mac_policy_conf + *conf + + + + + + + + Parameter + Description + + + + + + conf + MAC policy definition + + + + + + This is the initialization hook called after the policy + has been added to the list, but before the list is unlocked. + At the point a module would typically initialize its own + internal structures, print any copyright messages, + etc. + + A module loaded message is already + printed when a policy is loaded so any further messages of + that nature are probably unnecessary. + + + + <function>mac_<replaceable>policy</replaceable>_destroy</function> + + + + static void + mac_policy_ops + + + struct mac_policy_conf + *conf + + + + + + + + Parameter + Description + + + + + + conf + MAC policy definition + + + + + + This hook is called when the module is being unloaded. + At this point the policy would typically be freeing internal + storage, etc. + + + Access Control Checks To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
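Review bot: the synopsis under the mac_policy_destroy heading names the function "static void mac_policy_ops", which is the operations structure member type from the struct above rather than the hook being documented; it should read mac_policy_destroy to match the section title and the parallel mac_policy_init entry. In the same hunk, the mac_policy_init title ends with "</function" and is missing its closing ">", which leaves the SGML malformed and will likely break the build of the chapter. Two smaller points: "At the point a module would typically initialize" in the init description should be "At this point", and the introductory sentence says the structure "is passed to the module operation hooks" without saying who fills it in or whether a hook may modify it while the policy list is still locked, which a policy author would want stated given that init runs "before the list is unlocked".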