Date: Wed, 7 Aug 2002 13:53:15 -0700 (PDT)
From: Chris Costello <chris@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 15659 for review
Message-ID: <200208072053.g77KrFoJ066916@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15659 Change 15659 by chris@chris_holly on 2002/08/07 13:52:26 o Clarify create_root_mount vs. create_mount o Minor spelling and markup fixes o Fix one entry point missed in the action_object -> object_action thing o Note that the access(2) checks should be the same as in mpo_check_open. o Make note of race conditions involved in dealing with UIO_USERSPACE uio, and that the `uio' parameter to mpo_check_setextattr might be NULL. o Add some man page references. o `_' is an illegal character for section ids. o Add mpo_check_socket_visible. Affected files ... .. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#12 edit Differences ... ==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#12 (text+ko) ==== @@ -1336,8 +1336,7 @@ <para>Fill out the labels on the mount point being created by the passed subject credential. This call will be made when - a new file system is mounted, other than the root file - system.</para> + a new file system is mounted.</para> </sect3> <sect3 id="mac-mpo-create-root-mount"> @@ -1374,7 +1373,8 @@ <para>Fill out the labels on the mount point being created by the passed subject credential. This call will be made when - the root file system is mounted.</para> + the root file system is mounted, after + &mac.mpo;_create_mount;.</para> </sect3> <sect3 id="mac-mpo-vnode-relabel"> @@ -1906,7 +1906,7 @@ <row> <entry><parameter>newsocket</parameter></entry> - <entry>Object; phild socket; incoming connection</entry> + <entry>Object; child socket; incoming connection</entry> </row> <row> 
@@ -3248,13 +3248,14 @@ </sect3> - <sect3 id="mac-mpo-cred-check-connect-socket"> - <title><function>&mac.mpo;_check_connect_socket</function></title> + + <sect3 id="mac-mpo-cred-check-socket-connect"> + <title><function>&mac.mpo;_check_socket_connect</function></title> <funcsynopsis> <funcprototype> <funcdef>int - <function>&mac.mpo;_check_connect_socket</function></funcdef> + <function>&mac.mpo;_check_socket_connect</function></funcdef> <paramdef>struct ucred *<parameter>cred</parameter></paramdef> @@ -3744,8 +3745,10 @@ <para>Determine how invocations of &man.access.2; and related calls by the subject credential should return when performed - on the passed vnode using the passed access flags. Return - <returnvalue>0</returnvalue> for success, or an + on the passed vnode using the passed access flags. This + should generally be implemented using the same semantics + used in <function>&mac.mpo;_check_vnode_open</function>. + Return <returnvalue>0</returnvalue> for success, or an <varname>errno</varname> value for failure. Suggested failure: <errorcode>EACCES</errorcode> for label mismatches or <errorcode>EPERM</errorcode> for lack of @@ -4649,7 +4652,7 @@ <para>Determine whether the subject credential can revoke access to the passed vnode. Return <returnvalue>0</returnvalue> for success, or an - <errorcode>errno</errorcode> value for failure. Suggested + <varname>errno</varname> value for failure. Suggested failure: <errorcode>EACCES</errorcode> for label mismatch, or <errorcode>EPERM</errorcode> for lack of privilege.</para> 
@@ -4784,9 +4787,14 @@ extended attribute of passed name and passed namespace on the passed vnode. Policies implementing security labels backed into extended attributes may want to provide - additional protections for those attributes. Return - <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. Suggested + additional protections for those attributes. Additionally, + policies should avoid making decisions based on the data + referenced from <parameter>uio</parameter>, as there is a + potential race condition between this check and the actual + operation. The <parameter>uio</parameter> may also be + <literal>NULL</literal> if a delete operation is being + performed. Return <returnvalue>0</returnvalue> for success, + or an <varname>errno</varname> value for failure. Suggested failure: <errorcode>EACCES</errorcode> for label mismatch, or <errorcode>EPERM</errorcode> for lack of privilege.</para> @@ -5009,12 +5017,12 @@ <row> <entry><parameter>atime</parameter></entry> - <entry>Access time</entry> + <entry>Access time; see &man.utimes.2;</entry> </row> <row> <entry><parameter>mtime</parameter></entry> - <entry>Modification time</entry> + <entry>Modification time; see &man.utimes.2;</entry> </row> </tbody> </tgroup> @@ -5069,9 +5077,11 @@ failure: <errorcode>EACCES</errorcode> for label mismatch, <errorcode>EPERM</errorcode> for lack of privilege, or <errorcode>ESRCH</errorcode> to limit visibility.</para> + + <para>See &man.setpriority.2; for more information.</para> </sect3> - <sect3 id="mac-mpo-cred-check-proc_signal"> + <sect3 id="mac-mpo-cred-check-proc-signal"> <title><function>&mac.mpo;_check_proc_signal</function></title> <funcsynopsis> @@ -5104,7 +5114,7 @@ <row> <entry><parameter>signal</parameter></entry> - <entry>Signal; see &man.sigaction.2;</entry> + <entry>Signal; see &man.kill.2;</entry> </row> </tbody> </tgroup> 
@@ -5163,10 +5173,12 @@ <para>Determine whether the subject credential can <function>stat</function> the passed vnode. Return <returnvalue>0</returnvalue> for success, or an - <varname>errno</varname> value for failure. Suggested + <varname>errno</varname> value for failure. Suggested failure: <errorcode>EACCES</errorcode> for label mismatch, or <errorcode>EPERM</errorcode> for lack of privilege.</para> + + <para>See &man.stat.2; for more information.</para> </sect3> <sect3 id="mac-mpo-cred-check-ifnet-transmit"> 
@@ -5297,6 +5309,59 @@ or <errorcode>EPERM</errorcode> for lack of privilege.</para> </sect3> + + <sect3 id="mac-mpo-check-socket-visible"> + <title><function>&mac.mpo;_check_socket_visible</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>int + <function>&mac.mpo;_check_socket_visible</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct socket + *<parameter>so</parameter></paramdef> + <paramdef>struct label + *<parameter>socketlabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>cred</parameter></entry> + <entry>Subject credential</entry> + <entry>Immutable</entry> + </row> + + <row> + <entry><parameter>so</parameter></entry> + <entry>Object; socket</entry> + </row> + + <row> + <entry><parameter>socketlabel</parameter></entry> + <entry>Policy label for + <parameter>so</parameter></entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>Determine whether the subject credential cred can "see" + the passed socket (<parameter>socket</parameter>) using + system monitoring functions, such as those employed by + &man.netstat.8; and &man.sockstat.1;. Return + <returnvalue>0</returnvalue> for success, or an + <varname>errno</varname> value for failure. Suggested + failure: <errorcode>EACCES</errorcode> for label mismatches, + <errorcode>EPERM</errorcode> for lack of privilege, or + <errorcode>ESRCH</errorcode> to hide visibility.</para> + </sect3> </sect2> </sect1> </chapter> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
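Review bot: in the create_root_mount hunk (@@ -1374) the new cross-reference `&mac.mpo;_create_mount;` has a stray trailing semicolon: the entity is `&mac.mpo;`, so the `;` after `_create_mount` renders as literal text ("after mpo_create_mount;."). It is also the only function reference in this change not wrapped in `<function>`, unlike `<function>&mac.mpo;_check_vnode_open</function>` in the access hunk. Suggest `after <function>&mac.mpo;_create_mount</function>.`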
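Review bot: the section id rename in the socket-connect hunk (@@ -3248), `mac-mpo-cred-check-connect-socket` to `mac-mpo-cred-check-socket-connect`, orphans any `linkend` elsewhere in the handbook that still points at the old id; worth grepping the doc tree for the old id before submitting. The same hunk also replaces the single blank line before the `<sect3>` with two (`+` blank line plus the retained one), leaving a double blank line that the rest of the file does not use.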
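Review bot: the added sentence in the access hunk (@@ -3744), "This should generally be implemented using the same semantics used in mpo_check_vnode_open", gives the policy author no hint of when the two checks are allowed to differ. If no difference is intended, drop "generally"; if one is, name it, since a policy that answers access(2) more permissively than it answers open will tell callers that an operation is allowed and then deny it on the open path.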
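Review bot: the race-condition text in the setextattr hunk (@@ -4784) is a welcome addition but is vaguer than the change description ("race conditions involved in dealing with UIO_USERSPACE uio"): the paragraph should say that the data referenced from `uio` is user-supplied and can change between this check and the actual operation, so a policy that decides on its contents can be shown one value at check time and a different one at write time. It would help to state what to base the decision on instead (attribute name, namespace and the labels) and to put the sentence about `uio` being `NULL` on delete before the race sentence, so the dereferencing caveat comes first.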
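Review bot: the id change in the setpriority/proc_signal hunk (@@ -5069), `mac-mpo-cred-check-proc_signal` to `mac-mpo-cred-check-proc-signal`, fixes the illegal `_` but, as with the socket-connect rename, breaks any existing `linkend` to the old id; check for references in the rest of the book. The added `<para>See &man.setpriority.2; for more information.</para>` matches the pattern used in the stat hunk, which is fine.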
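Review bot: in the stat hunk (@@ -5163) the `-`/`+` pair on the `<varname>errno</varname> value for failure. Suggested` line is identical apart from whitespace; it adds noise to the diff and to later annotate output. Either drop it from this change or mention it as a whitespace cleanup in the description.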
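Review bot: the new `&mac.mpo;_check_socket_visible` section (@@ -5297) has a parameter-name mismatch: the description refers to the socket as `<parameter>socket</parameter>`, but the prototype and the table name it `so`; in the same sentence `cred` appears without `<parameter>` markup. In the table, the `so` and `socketlabel` rows carry only two `<entry>` elements inside a `cols="3"` tgroup while the `cred` row has three (the third being the locking column, `Immutable`); either fill in the locking entries or make all three rows the same width. The section id `mac-mpo-check-socket-visible` omits `cred`, unlike the neighbouring `mac-mpo-cred-check-*` ids. Finally, the failure text says `ESRCH` "to hide visibility" where the proc check earlier in this change says "to limit visibility"; pick one phrasing.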