Date: Tue, 16 Jul 2002 13:19:08 -0700 (PDT)
From: Chris Costello <chris@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 14345 for review
Message-ID: <200207162019.g6GKJ8q1071990@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14345

Change 14345 by chris@chris_holly on 2002/07/16 13:18:33

	Document the module event hooks.

Affected files ...

.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#5 edit

Differences ...

==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#5 (text+ko) ====
@@ -76,6 +76,106 @@ which supply policy modules with relevant data on a subject and the operation it is attempting to perform on an object.</para> + <sect2 id="mac-module-ops"> + <title>Policy Module Operations</title> + + <para>The MAC policy framework includes the ability for policies + to be compiled as separate loadable kernel modules. The + following structure is passed to the module operation + hooks:</para> + + <programlisting>struct mac_policy_conf { + char *mpc_name; /* policy name */ + char *mpc_fullname; /* policy full name */ + struct mac_policy_ops mpc_ops; /* policy operations */ + struct mac_policy_op_entry *mpc_entries; /* ops to fill in */ + int mpc_loadtime_flags; /* flags */ + int *mpc_field_off; /* security field */ + int mpc_runtime_flags; /* flags */ + LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */ +};</programlisting> + + <sect3 id="mac-mpo-init"> + <title><function>mac_<replaceable>policy</replaceable>_init</function</title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>mac_<replaceable>policy</replaceable>_init</function> + </funcdef> + + <paramdef>struct mac_policy_conf + *<parameter>conf</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + <thead> + <row> + <entry>Parameter</entry> + <entry>Description</entry> + </row> + </thead> + + <tbody> + <row> + <entry><parameter>conf</parameter></entry> + <entry>MAC policy definition</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>This is the initialization hook called after the policy + has been added to the list, but before the list is unlocked. 
+ At the point a module would typically initialize its own + internal structures, print any copyright messages, + etc.</para> + + <note><para>A <quote>module loaded</quote> message is already + printed when a policy is loaded so any further messages of + that nature are probably unnecessary.</para></note> + </sect3> + + <sect3 id="mpo-destroy"> + <title><function>mac_<replaceable>policy</replaceable>_destroy</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>static void + <function>mac_<replaceable>policy</replaceable>_ops</function> + </funcdef> + + <paramdef>struct mac_policy_conf + *<parameter>conf</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="2"> + <thead> + <row> + <entry>Parameter</entry> + <entry>Description</entry> + </row> + </thead> + + <tbody> + <row> + <entry><parameter>conf</parameter></entry> + <entry>MAC policy definition</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>This hook is called when the module is being unloaded. + At this point the policy would typically be freeing internal + storage, etc.</para> + </sect3> + </sect2> + <sect2 id="mac-access-control-checks"> <title>Access Control Checks</title> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
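Review bot: In the mpo-destroy sect3 the funcprototype names the function mac_<replaceable>policy</replaceable>_ops although the section title documents mac_<replaceable>policy</replaceable>_destroy; the funcdef should use _destroy so the synopsis matches the hook being described. In the mac-mpo-init title, `</function</title>` is missing the `>` on the closing function tag and should read `</function></title>`, as the destroy title already does. The two sect3 ids follow different schemes (mac-mpo-init versus mpo-destroy); mac-mpo-destroy would be consistent. In the init description, "At the point a module would typically" reads like a typo for "At this point". Since that paragraph says the hook runs after the policy is added to the list but before the list is unlocked, it would help policy authors to state what an init hook is allowed to do while that lock is still held.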