Date: Mon, 13 Jan 2003 22:46:38 -0800 (PST)
From: Chris Costello <chris@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 23720 for review
Message-ID: <200301140646.h0E6kc8H047985@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=23720

Change 23720 by chris@chris_holly on 2003/01/13 22:46:30

	Finish adding all the remaining MAC policy op entry points.

Affected files ...

.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#24 edit

Differences ...

==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml#24 (text+ko) ====
@@ -446,6 +446,119 @@ label.</para> </sect4> + <sect4 id="mac-mpo-associate-vnode-extattr"> + <title><function>&mac.mpo;_associate_vnode_extattr</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>int + <function>&mac.mpo;_associate_vnode_extattr</function></funcdef> + + <paramdef>struct mount + *<parameter>mp</parameter></paramdef> + <paramdef>struct label + *<parameter>fslabel</parameter></paramdef> + <paramdef>struct vnode + *<parameter>vp</parameter></paramdef> + <paramdef>struct label + *<parameter>vlabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>mp</parameter></entry> + <entry>File system mount point</entry> + </row> + + <row> + <entry><parameter>fslabel</parameter></entry> + <entry>File system label</entry> + </row> + + <row> + <entry><parameter>vp</parameter></entry> + <entry>Vnode to label</entry> + </row> + + <row> + <entry><parameter>vlabel</parameter></entry> + <entry>Policy label associated with + <parameter>vp</parameter></entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>Attempt to retrieve the label for + <parameter>vp</parameter> from the file system extended + attributes. Upon success, the value <literal>0</literal> + is returned. Should extended attribute retrieval not be + supported, an accepted fallback is to copy + <parameter>fslabel</parameter> into + <parameter>vlabel</parameter>. 
In the event of an error, + an appropriate value for <varname>errno</varname> should + be returned.</para> + </sect4> + + <sect4 id="mac-mpo-associate-vnode-singlelabel"> + <title><function>&mac.mpo;_associate_vnode_singlelabel</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>void + <function>&mac.mpo;_associate_vnode_singlelabel</function></funcdef> + + <paramdef>struct mount + *<parameter>mp</parameter></paramdef> + <paramdef>struct label + *<parameter>fslabel</parameter></paramdef> + <paramdef>struct vnode + *<parameter>vp</parameter></paramdef> + <paramdef>struct label + *<parameter>vlabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>mp</parameter></entry> + <entry>File system mount point</entry> + </row> + + <row> + <entry><parameter>fslabel</parameter></entry> + <entry>File system label</entry> + </row> + + <row> + <entry><parameter>vp</parameter></entry> + <entry>Vnode to label</entry> + </row> + + <row> + <entry><parameter>vlabel</parameter></entry> + <entry>Policy label associated with + <parameter>vp</parameter></entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>On non-multilabel file systems, this entry point is + called to set the policy label for + <parameter>vp</parameter> based on the file system label, + <parameter>fslabel</parameter>.</para> + </sect4> + <sect4 id="mac-mpo-copy-vnode-label"> <title><function>&mac.mpo;_copy_vnode_label</function></title> 
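Review bot: every new `<row>` in the `&mac.mpo;_associate_vnode_extattr` and `&mac.mpo;_associate_vnode_singlelabel` tables supplies only two `<entry>` cells inside a `<tgroup cols="3">`, so the third column that `&mac.thead;` introduces renders empty for every parameter (the same pattern repeats in the later hunks of this change). If that column is meant to carry per-parameter information such as locking requirements, add an entry per row (for instance which of `mp` and `vp` the caller holds locked), or say why it is intentionally blank. For `_associate_vnode_extattr` it would also help to state explicitly that the fallback of copying `fslabel` into `vlabel` should return `0` as well, so that callers do not mistake the fallback for the error case described in the last sentence.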
@@ -991,6 +1104,61 @@ &mac.internalize.para; </sect4> + <sect4 id="mac-mpo-setlabel-vnode-extattr"> + <title><function>&mac.mpo;_setlabel_vnode_extattr</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>int + <function>&mac.mpo;_setlabel_vnode_extattr</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct vnode + *<parameter>vp</parameter></paramdef> + <paramdef>struct label + *<parameter>vlabel</parameter></paramdef> + <paramdef>struct label + *<parameter>intlabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>cred</parameter></entry> + <entry>Subject credential</entry> + </row> + + <row> + <entry><parameter>vp</parameter></entry> + <entry>Vnode for which the label is being + written</entry> + </row> + + <row> + <entry><parameter>vlabel</parameter></entry> + <entry>Policy label associated with + <parameter>vp</parameter></entry> + </row> + + <row> + <entry><parameter>intlabel</parameter></entry> + <entry>Label to write out</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>Write out the policy from + <parameter>intlabel</parameter> to an extended + attribute. This is called from + <function>vop_stdcreatevnode_ea</function>.</para> + </sect4> + <sect4 id="mac-mpo-update-devfsdirent"> <title><function>&mac.mpo;_update_devfsdirent</function></title> <funcsynopsis> 
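Review bot: the description of `&mac.mpo;_setlabel_vnode_extattr` says it writes "the policy from intlabel"; what is written is the label, so "Write out the label from intlabel to an extended attribute". Since the prototype returns `int`, the paragraph should also state the convention the other entry points in this change use (`0` on success, an appropriate `errno` value on failure), otherwise a policy author has no guidance on what to return when the extended-attribute write fails. The roles of `vlabel` ("Policy label associated with vp") and `intlabel` ("Label to write out") are easy to confuse from the table alone; say whether the policy is expected to update `vlabel` itself once the write has succeeded or whether the caller does that.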
@@ -1365,9 +1533,55 @@ <para>Set the label on a newly created mbuf header from the passed socket label. This call is made when a new datagram - or messsage is generated by the socket and stored in the + or message is generated by the socket and stored in the passed mbuf.</para> </sect4> + + <sect4 id="mac-mpo-create-pipe"> + <title><function>&mac.mpo;_create_pipe</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>void + <function>&mac.mpo;_create_pipe</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct pipe + *<parameter>pipe</parameter></paramdef> + <paramdef>struct label + *<parameter>pipelabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>cred</parameter></entry> + <entry>Subject credential</entry> + </row> + + <row> + <entry><parameter>pipe</parameter></entry> + <entry>Pipe</entry> + </row> + + <row> + <entry><parameter>pipelabel</parameter></entry> + <entry>Policy label associated with + <parameter>pipe</parameter></entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>Set the label on a newly created pipe from the passed + subject credential. This call is made when a new pipe is + created.</para> + </sect4> <sect4 id="mac-mpo-create-socket"> <title><function>&mac.mpo;_create_socket</function></title> 
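Review bot: in `&mac.mpo;_create_pipe` the two sentences of the description say the same thing ("Set the label on a newly created pipe ... This call is made when a new pipe is created."); fold them into one and say what the new label is derived from, e.g. "Set the label on a newly created pipe from the label of the passed subject credential, cred." The `messsage` to `message` fix in the mbuf paragraph is correct.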
@@ -1577,6 +1791,59 @@ &mac.internalize.para; </sect4> + <sect4 id="mac-mpo-relabel-pipe"> + <title><function>&mac.mpo;_relabel_pipe</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>void + <function>&mac.mpo;_relabel_pipe</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct pipe + *<parameter>pipe</parameter></paramdef> + <paramdef>struct label + *<parameter>oldlabel</parameter></paramdef> + <paramdef>struct label + *<parameter>newlabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>cred</parameter></entry> + <entry>Subject credential</entry> + </row> + + <row> + <entry><parameter>pipe</parameter></entry> + <entry>Pipe</entry> + </row> + + <row> + <entry><parameter>oldlabel</parameter></entry> + <entry>Current policy label associated with + <parameter>pipe</parameter></entry> + </row> + + <row> + <entry><parameter>newlabel</parameter></entry> + <entry>Policy label update to apply to + <parameter>pipe</parameter></entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>Apply a new label, <parameter>newlabel</parameter>, to + <parameter>pipe</parameter>.</para> + </sect4> + <sect4 id="mac-mpo-relabel-socket"> <title><function>&mac.mpo;_relabel_socket</function></title> 
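Review bot: `&mac.mpo;_relabel_pipe` describes `newlabel` in two different ways: the table calls it a "Policy label update to apply to pipe" while the paragraph says "Apply a new label, newlabel, to pipe", which reads as a full replacement. Pick one; if only the label elements present in `newlabel` change, say so, because that determines how a policy merges `newlabel` into `oldlabel`. It is also worth noting in the paragraph that this entry point performs the update only, and that whether the relabel is permitted is decided by the corresponding check entry point, so policies do not duplicate access-control logic here.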
@@ -3185,7 +3452,299 @@ <para>Determine whether the subject should be allowed to unload a kernel module.</para> </sect3> - + + <sect3 id="mac-mpo-check-pipe-ioctl"> + <title><function>&mac.mpo;_check_pipe_ioctl</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>int + <function>&mac.mpo;_check_pipe_ioctl</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct pipe + *<parameter>pipe</parameter></paramdef> + <paramdef>struct label + *<parameter>pipelabel</parameter></paramdef> + <paramdef>unsigned long + <parameter>cmd</parameter></paramdef> + <paramdef>void *<parameter>data</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>cred</parameter></entry> + <entry>Subject credential</entry> + </row> + + <row> + <entry><parameter>pipe</parameter></entry> + <entry>Pipe</entry> + </row> + + <row> + <entry><parameter>pipelabel</parameter></entry> + <entry>Policy label associated with + <parameter>pipe</parameter></entry> + </row> + + <row> + <entry><parameter>cmd</parameter></entry> + <entry>&man.ioctl.2; command</entry> + </row> + + <row> + <entry><parameter>data</parameter></entry> + <entry>&man.ioctl.2; data</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>Determine whether the subject should be allowed to make + the specified &man.ioctl.2; call.</para> + </sect3> + + <sect3 id="mac-mpo-check-pipe-poll"> + <title><function>&mac.mpo;_check_pipe_poll</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>int + <function>&mac.mpo;_check_pipe_poll</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct pipe + *<parameter>pipe</parameter></paramdef> + <paramdef>struct label + *<parameter>pipelabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + 
<row> + <entry><parameter>cred</parameter></entry> + <entry>Subject credential</entry> + </row> + + <row> + <entry><parameter>pipe</parameter></entry> + <entry>Pipe</entry> + </row> + + <row> + <entry><parameter>pipelabel</parameter></entry> + <entry>Policy label associated with + <parameter>pipe</parameter></entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>Determine whether the subject should be allowed to poll + <parameter>pipe</parameter>.</para> + </sect3> + + <sect3 id="mac-mpo-check-pipe-read"> + <title><function>&mac.mpo;_check_pipe_read</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>int + <function>&mac.mpo;_check_pipe_read</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct pipe + *<parameter>pipe</parameter></paramdef> + <paramdef>struct label + *<parameter>pipelabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>cred</parameter></entry> + <entry>Subject credential</entry> + </row> + + <row> + <entry><parameter>pipe</parameter></entry> + <entry>Pipe</entry> + </row> + + <row> + <entry><parameter>pipelabel</parameter></entry> + <entry>Policy label associated with + <parameter>pipe</parameter></entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>Determine whether the subject should be allowed read + access to <parameter>pipe</parameter>.</para> + </sect3> + + <sect3 id="mac-mpo-check-pipe-relabel"> + <title><function>&mac.mpo;_check_pipe_relabel</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>int + <function>&mac.mpo;_check_pipe_relabel</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct pipe + *<parameter>pipe</parameter></paramdef> + <paramdef>struct label + *<parameter>pipelabel</parameter></paramdef> + <paramdef>struct label + 
*<parameter>newlabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>cred</parameter></entry> + <entry>Subject credential</entry> + </row> + + <row> + <entry><parameter>pipe</parameter></entry> + <entry>Pipe</entry> + </row> + + <row> + <entry><parameter>pipelabel</parameter></entry> + <entry>Current policy label associated with + <parameter>pipe</parameter></entry> + </row> + + <row> + <entry><parameter>newlabel</parameter></entry> + <entry>Label update to + <parameter>pipelabel</parameter></entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>Determine whether the subject should be allowed to + relabel <parameter>pipe</parameter>.</para> + </sect3> + + <sect3 id="mac-mpo-check-pipe-stat"> + <title><function>&mac.mpo;_check_pipe_stat</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>int + <function>&mac.mpo;_check_pipe_stat</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct pipe + *<parameter>pipe</parameter></paramdef> + <paramdef>struct label + *<parameter>pipelabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>cred</parameter></entry> + <entry>Subject credential</entry> + </row> + + <row> + <entry><parameter>pipe</parameter></entry> + <entry>Pipe</entry> + </row> + + <row> + <entry><parameter>pipelabel</parameter></entry> + <entry>Policy label associated with + <parameter>pipe</parameter></entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>Determine whether the subject should be allowed to + retrieve statistics related to + <parameter>pipe</parameter>.</para> + </sect3> + + <sect3 id="mac-mpo-check-pipe-write"> + <title><function>&mac.mpo;_check_pipe_write</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>int + 
<function>&mac.mpo;_check_pipe_write</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct pipe + *<parameter>pipe</parameter></paramdef> + <paramdef>struct label + *<parameter>pipelabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>cred</parameter></entry> + <entry>Subject credential</entry> + </row> + + <row> + <entry><parameter>pipe</parameter></entry> + <entry>Pipe</entry> + </row> + + <row> + <entry><parameter>pipelabel</parameter></entry> + <entry>Policy label associated with + <parameter>pipe</parameter></entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>Determine whether the subject should be allowed to write + to <parameter>pipe</parameter>.</para> + </sect3> + <sect3 id="mac-mpo-cred-check-socket-bind"> <title><function>&mac.mpo;_check_socket_bind</function></title> 
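Review bot: none of the six `&mac.mpo;_check_pipe_*` entry points states what the `int` return value means, while the existing socket checks in this chapter do (the context of the next hunk reads "failure: EACCES for label mismatches, EPERM for lack of privilege"). Add the same failure-value convention here, at least for the read, write, relabel and ioctl checks. For `&mac.mpo;_check_pipe_ioctl`, the `data` row says only "ioctl data"; say whether `data` is the kernel-side copy of the argument or still user memory, since a policy must not dereference it in the latter case. The whitespace-only `-`/`+` pair before the first new `<sect3>` is harmless but could be dropped to keep the diff to the new content.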
@@ -3296,6 +3855,98 @@ failure: <errorcode>EACCES</errorcode> for label mismatches, <errorcode>EPERM</errorcode> for lack of privilege.</para> </sect3> + + <sect3 id="mac-mpo-check-socket-receive"> + <title><function>&mac.mpo;_check_socket_receive</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>int + <function>&mac.mpo;_check_socket_receive</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct socket + *<parameter>so</parameter></paramdef> + <paramdef>struct label + *<parameter>socketlabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>cred</parameter></entry> + <entry>Subject credential</entry> + </row> + + <row> + <entry><parameter>so</parameter></entry> + <entry>Socket</entry> + </row> + + <row> + <entry><parameter>socketlabel</parameter></entry> + <entry>Policy label associated with + <parameter>so</parameter></entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>Determine whether the subject should be allowed to + receive information from the socket + <parameter>so</parameter>.</para> + </sect3> + + <sect3 id="mac-mpo-check-socket-send"> + <title><function>&mac.mpo;_check_socket_send</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>int + <function>&mac.mpo;_check_socket_send</function></funcdef> + + <paramdef>struct ucred + *<parameter>cred</parameter></paramdef> + <paramdef>struct socket + *<parameter>so</parameter></paramdef> + <paramdef>struct label + *<parameter>socketlabel</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>cred</parameter></entry> + <entry>Subject credential</entry> + </row> + + <row> + <entry><parameter>so</parameter></entry> + <entry>Socket</entry> + </row> + + <row> + <entry><parameter>socketlabel</parameter></entry> + 
<entry>Policy label associated with + <parameter>so</parameter></entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <para>Determine whether the subject should be allowed to send + information across the socket + <parameter>so</parameter>.</para> + </sect3> <sect3 id="mac-mpo-check-cred-visible"> <title><function>&mac.mpo;_check_cred_visible</function></title> @@ -7110,7 +7761,42 @@ own.</para></note> </sect3> + <sect3 id="mac-mpo-thread-userret"> + <title><function>&mac.mpo;_thread_userret</function></title> + + <funcsynopsis> + <funcprototype> + <funcdef>void + <function>&mac.mpo;_thread_userret</function></funcdef> + <paramdef>struct thread + *<parameter>td</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + <informaltable> + <tgroup cols="3"> + &mac.thead; + + <tbody> + <row> + <entry><parameter>td</parameter></entry> + <entry>Returning thread</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <!-- XXX: Maybe rewrite this section. --> + <para>This entry point permits policy modules to perform + MAC-related events when a thread returns to user space. + This is required for policies that have floating process + labels, as it's not always possible to acquire the process + lock at arbitrary points in the stack during system call + processing; process labels might represent traditional + authentication data, process history information, or other + data.</para> + </sect3> </sect2> </sect1> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
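Review bot: `&mac.mpo;_check_socket_receive` and `&mac.mpo;_check_socket_send` sit directly after the section whose text ends with "EACCES for label mismatches, EPERM for lack of privilege", yet carry no return-value statement of their own; add the same convention so the two new socket checks read like their neighbours. "receive information from the socket" and "send information across the socket" would be clearer as "data", and it would help to say that these checks are made per operation (each receive or send), not once at connection time, if that is the intent.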
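Review bot: the `<!-- XXX: Maybe rewrite this section. -->` comment in `&mac.mpo;_thread_userret` should be resolved or removed before this goes in; as it stands the section ships with an open TODO. The paragraph needs a pass as well: "perform MAC-related events" should be "perform MAC-related operations", the contraction "it's" does not match the register of the rest of the chapter, and the clause about what process labels might represent is a separate thought that belongs in its own sentence. The blank line between `</funcdef>` and the first `<paramdef>`, present in every other prototype in this change, is missing here.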