Date: Fri, 19 Jul 2002 10:08:06 -0700 (PDT) From: Brian Feldman <green@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 14471 for review Message-ID: <200207191708.g6JH86ov099986@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14471

Change 14471 by green@green_laptop_2 on 2002/07/19 10:08:03

Start documenting more about the MAC operations (information for system programmers regarding code flow and coverage.)

Affected files ...

.. //depot/projects/trustedbsd/mac/share/man/man9/mac.9#4 edit

Differences ...

==== //depot/projects/trustedbsd/mac/share/man/man9/mac.9#4 (text+ko) ====
@@ -133,6 +133,205 @@ framework, and modifying appropriate modules to take advantage of the new entry points so that they may consistently enforce their policies. +.Sh ENTRY POINTS +.Ss Authorizational +.Bl -tag +.It Ft int Fn mac_bpfdesc_check_receive_from_ifnet "struct bpf_d *bpf_d" "struct ifnet *ifnet" +Called in +.Xr bpf_tap 9 +before allowing +.Xr catchpacket 9 . +(Not called in +.Xr bpf_mtap 9 +before allowing +.Xr catchpacket 9 ?) +.It Ft int Fn mac_cred_check_access_vnode "struct ucred *cred" "struct vnode *vp" "int flags" +Called in +.Xr vn_access 9 +before checking +.Xr VOP_ACCESS 9 . +.It Ft int Fn mac_cred_check_bind_socket "struct ucred *cred" "struct socket *so" "struct sockaddr *sa" +Called in +.Xr bind 9 +before allowing +.Xr sobind 9 . +.It Ft int Fn mac_cred_check_chdir_vnode "struct ucred *cred" "struct vnode *dvp" +Called in +.Xr chdir 9 +via +.Xr change_dir 9 +and in +.Xr fchdir 9 . +.It Ft int Fn mac_cred_check_connect_socket "struct ucred *cred" "struct socket *so" "struct sockaddr *sa" +Called in +.Xr connect 9 +before allowing +.Xr soconnect 9 . +.It Ft int Fn mac_cred_check_create_vnode "struct ucred *cred" "struct vnode *dvp" "struct vattr *vap" +Called in +.Xr unp_bind 9 +before +.Xr VOP_CREATE 9 , +.Xr symlink 9 +before +.Xr VOP_SYMLINK 9 , +.Xr vn_mkdir 9 +before +.Xr VOP_MKDIR 9 , +.Xr vn_open_cred 9 +before +.Xr VOP_CREATE 9 , +and in +.Xr mknod 9 +and +.Xr mkfifo 9 +before +.Xr VOP_MKNOD 9 . +.It Ft int Fn mac_cred_check_deleteacl_vnode "struct ucred *cred" "struct vnode *vp" "acl_type_t type" +Called by +.Xr vacl_delete 9 +before +.Xr VOP_SETACL 9 . +.It Ft int Fn mac_cred_check_getacl_vnode "struct ucred *cred" "struct vnode *vp" "acl_type_t type" +Called by +.Xr vacl_get_acl 9 +before +.Xr VOP_GETACL 9 . +.It Ft int Fn mac_cred_check_getextattr_vnode "struct ucred *cred" "struct vnode *vp" "int attrnamespace" "const char *name" "struct uio *uio" +Called in +.Xr extattr_get_vp 9 +before calling +.Xr VOP_GETEXTATTR 9 . 
+.It Ft int Fn mac_cred_check_listen_socket "struct ucred *cred" "struct socket *socket" +Called in +.Xr listen 9 +before calling +.Xr solisten 9 . +.It Ft int Fn mac_cred_check_search_vnode "struct ucred *cred" "struct vnode *dvp" +Called in +.Xr getdents_common 9 , +.Xr linux_getcwd_scandir 9 , +.Xr svr4_sys_getdents64 9 , +.Xr svr4_sys_getdents 9 , +.Xr ibcs2_getdents 9 , +.Xr ibcs2_read 9 , +.Xr ogetdirentries 9 +and +.Xr getdirentries 9 +before calling +.Xr VOP_READDIR 9 . +Called in +.Xr lookup 9 +before calling +.Xr VOP_LOOKUP 9 . +.It Ft int Fn mac_cred_check_setacl_vnode "struct ucred *cred" "struct vnode *vp" "acl_type_t type" "struct acl *acl" +Called in +.Xr vacl_set_acl 9 +before calling +.Xr VOP_SETACL 9 . +.It Ft int Fn mac_cred_check_setextattr_vnode "struct ucred *cred" "struct vnode *vp" "int attrnamespace" "const char *name" "struct uio *uio" +Called in +.Xr extattr_set_vp 9 +and +.Xr extattr_delete_vp 9 +before calling +.Xr VOP_SETEXTATTR 9 . +.It Ft int Fn mac_cred_check_setflags_vnode "struct ucred *cred" "struct vnode *vp" "u_long flags" +Called in +.Xr setfflags 9 +before calling +.Xr VOP_SETATTR 9 . +.It Ft int Fn mac_cred_check_setmode_vnode "struct ucred *cred" "struct vnode *vp" "mode_t mode" +Called in +.Xr setfmode 9 +before calling +.Xr VOP_SETATTR 9 . +.It Ft int Fn mac_cred_check_setowner_vnode "struct ucred *cred" "struct vnode *vp" "uid_t uid" "gid_t gid" +Called in +.Xr setfown 9 +before calling +.Xr VOP_SETATTR 9 . +.It Ft int Fn mac_cred_check_setutimes_vnode "struct ucred *cred" "struct vnode *vp" "struct timespec atime" "struct timespec ctime" +Called in +.Xr setfown 9 +before calling +.Xr VOP_SETATTR 9 . +.It Ft int Fn mac_cred_check_stat_vnode "struct ucred *cred" "struct vnode *vp" +Called in +.Xr vn_stat 9 +before calling +.Xr VOP_GETATTR 9 . +.It Ft int Fn mac_cred_check_delete_vnode "struct ucred *cred" "struct vnode *dvp" "struct vnode *vp" +Called in the last component of +.Xr namei 9 +for all DELETE operations. 
+.It Ft int Fn mac_cred_check_rename_from_vnode "struct ucred *cred" "struct vnode *dvp" "struct vnode *vp" +Called in +.Xr rename 9 +after the +.Xr namei 9 +DELETE operation. +.It Ft int Fn mac_cred_check_rename_to_vnode "struct ucred *cred" "struct vnode *dvp" "struct vnode *vp" "int samedir" +Called in +.Xr rename 9 +after the +.Xr namei 9 +RENAME operation and before the +.Xr VOP_RENAME 9 . +.It Ft int Fn mac_cred_check_open_vnode "struct ucred *cred" "struct vnode *vp" "mode_t acc_mode" +Called by +.Xr fcntl 9 +in the F_SETFL case before allowing flags to be changed, by +.Xr truncate 9 +to mediate access to +.Xr VOP_SETATTR 9 +and +.Xr vn_open_cred 9 +when handling a non-O_CREAT vnode. +.It Ft int Fn mac_cred_check_revoke_vnode "struct ucred *cred" "struct vnode *vp" +Called by +.Xr revoke 9 +to mediate access to +.Xr VOP_REVOKE 9 . +.It Ft int Fn mac_cred_check_statfs "struct ucred *cred" "struct mount *mp" +Called by +.Xr osf1_statfs 9 , +.Xr osf1_fstatfs 9 , +.Xr osf1_getfsstat 9 , +.Xr linux_statfs 9 , +.Xr linux_fstatfs 9 , +.Xr linux_ustat 9 , +.Xr statfs 9 , +.Xr fstatfs 9 , +.Xr getfsstat 9 +and +.Xr fhstatfs 9 +before calling +.Xr VFS_STATFS 9 . +.El +.Ss Label-based +.Bl -tag +.It Ft int Fn mac_getsockopt_label_get "struct ucred *cred" "struct socket *so" "struct mac *extmac" +Called by +.Xr sogetopt 9 +in the SO_LABEL case. +.It Ft int Fn mac_getsockopt_peerlabel_get "struct ucred *cred" "struct socket *so" "struct mac *extmac" +Called by +.Xr sogetopt 9 +in the SO_PEERLABEL case. +.It Ft int Fn mac_getsockopt_label_set "struct ucred *cred" "struct socket *so" "struct mac *extmac" +Called by +.Xr sosetopt 9 +in the SO_LABEL case. +.It Ft int Fn mac_ioctl_ifnet_get "struct ucred *cred" "struct ifreq *ifr" "struct ifnet *ifnet" +Called by +.Xr ifhwioctl 9 +in the SIOCGIFMAC case. +.It Ft int Fn mac_ioctl_ifnet_set "struct ucred *cred" "struct ifreq *ifr" "struct ifnet *ifnet" +Called by +.Xr ifhwioctl 9 +in the SIOCSIFMAC case. 
+.El .Pp .Sh SEE ALSO .Xr acl 3 , To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
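Review bot: the mac_cred_check_setutimes_vnode entry says it is "Called in .Xr setfown 9 before calling .Xr VOP_SETATTR 9", which is word for word the text of the setowner entry directly above it and looks like a copy-paste slip; please verify the actual call site for the utimes path and correct the .Xr so the two entries do not document the same caller. Two smaller points in the same hunk: the parenthetical left in the mac_bpfdesc_check_receive_from_ifnet text ("Not called in .Xr bpf_mtap 9 before allowing .Xr catchpacket 9 ?") is an open question about check coverage and should be resolved, or moved to a BUGS section, rather than published as-is in the manual page; and .Xr is used throughout for internal kernel functions that have no section 9 manual page (catchpacket, unp_bind, svr4_sys_getdents64, linux_getcwd_scandir and others), which will render as dangling cross references, so .Fn is the better mdoc choice for those. Finally, the .Ss heading "Authorizational" would read more naturally as "Authorization".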