6.7. MAC Policy Entry Point Reference

6.7.1. General-Purpose Module Entry Points

6.7.1.1. mpo_init

void mpo_init(conf); 
struct mac_policy_conf *conf;
 
ParameterDescriptionLocking
confMAC policy definition 

Policy load event. The policy list mutex is held, so sleep operations cannot be performed, and calls out to other kernel subsystems must be made with caution. If potentially sleeping memory allocations are required during policy initialization, they should be made using a separate module SYSINIT().

6.7.1.2. mpo_destroy

void mpo_destroy(conf); 
struct mac_policy_conf *conf;
 
ParameterDescriptionLocking
confMAC policy definition 

Policy load event. The policy list mutex is held, so caution should be applied.

6.7.1.3. mpo_syscall

int mpo_syscall(td,  
 call,  
 arg); 
struct thread *td;
int call;
void *arg;
 
ParameterDescriptionLocking
tdCalling thread 
callPolicy-specific syscall number 
argPointer to syscall arguments 

This entry point provides a policy-multiplexed system call so that policies may provide additional services to user processes without registering specific system calls. The policy name provided during registration is used to demux calls from userland, and the arguments will be forwarded to this entry point. When implementing new services, security modules should be sure to invoke appropriate access control checks from the MAC framework as needed. For example, if a policy implements an augmented signal functionality, it should call the necessary signal access control checks to invoke the MAC framework and other registered policies.

Note:

Modules must currently perform the copyin() of the syscall data on their own.

6.7.1.4. mpo_thread_userret

void mpo_thread_userret(td); 
struct thread *td;
 
ParameterDescriptionLocking
tdReturning thread 

This entry point permits policy modules to perform MAC-related events when a thread returns to user space, via a system call return, trap return, or otherwise. This is required for policies that have floating process labels, as it is not always possible to acquire the process lock at arbitrary points in the stack during system call processing; process labels might represent traditional authentication data, process history information, or other data. To employ this mechanism, intended changes to the process credential label may be stored in the p_label protected by a per-policy spin lock, and then set the per-thread TDF_ASTPENDING flag and per-process PS_MACPENDM flag to schedule a call to the userret entry point. From this entry point, the policy may create a replacement credential with less concern about the locking context. Policy writers are cautioned that event ordering relating to scheduling an AST and the AST being performed may be complex and interlaced in multithreaded applications.

6.7.2. Label Operations

6.7.2.1. mpo_init_bpfdesc_label

void mpo_init_bpfdesc_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelNew label to apply 

Initialize the label on a newly instantiated bpfdesc (BPF descriptor). Sleeping is permitted.

6.7.2.2. mpo_init_cred_label

void mpo_init_cred_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelNew label to initialize 

Initialize the label for a newly instantiated user credential. Sleeping is permitted.

6.7.2.3. mpo_init_devfsdirent_label

void mpo_init_devfsdirent_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelNew label to apply 

Initialize the label on a newly instantiated devfs entry. Sleeping is permitted.

6.7.2.4. mpo_init_ifnet_label

void mpo_init_ifnet_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelNew label to apply 

Initialize the label on a newly instantiated network interface. Sleeping is permitted.

6.7.2.5. mpo_init_ipq_label

void mpo_init_ipq_label(label,  
 flag); 
struct label *label;
int flag;
 
ParameterDescriptionLocking
labelNew label to apply 
flagSleeping/non-sleeping malloc(9); see below 

Initialize the label on a newly instantiated IP fragment reassembly queue. The flag field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call. IP fragment reassembly queue allocation frequently occurs in performance sensitive environments, and the implementation should be careful to avoid sleeping or long-lived operations. This entry point is permitted to fail resulting in the failure to allocate the IP fragment reassembly queue.

6.7.2.6. mpo_init_mbuf_label

void mpo_init_mbuf_label(flag,  
 label); 
int flag;
struct label *label;
 
ParameterDescriptionLocking
flagSleeping/non-sleeping malloc(9); see below 
labelPolicy label to initialize 

Initialize the label on a newly instantiated mbuf packet header (mbuf). The flag field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call. Mbuf allocation frequently occurs in performance sensitive environments, and the implementation should be careful to avoid sleeping or long-lived operations. This entry point is permitted to fail resulting in the failure to allocate the mbuf header.

6.7.2.7. mpo_init_mount_label

void mpo_init_mount_label(mntlabel,  
 fslabel); 
struct label *mntlabel;
struct label *fslabel;
 
ParameterDescriptionLocking
mntlabelPolicy label to be initialized for the mount itself 
fslabelPolicy label to be initialized for the file system 

Initialize the labels on a newly instantiated mount point. Sleeping is permitted.

6.7.2.8. mpo_init_mount_fs_label

void mpo_init_mount_fs_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelLabel to be initialized 

Initialize the label on a newly mounted file system. Sleeping is permitted

6.7.2.9. mpo_init_pipe_label

void mpo_init_pipe_label(label); 
struct label*label;
 
ParameterDescriptionLocking
labelLabel to be filled in 

Initialize a label for a newly instantiated pipe. Sleeping is permitted.

6.7.2.10. mpo_init_socket_label

void mpo_init_socket_label(label,  
 flag); 
struct label *label;
int flag;
 
ParameterDescriptionLocking
labelNew label to initialize 
flagmalloc(9) flags 

Initialize a label for a newly instantiated socket. The flag field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call.

6.7.2.11. mpo_init_socket_peer_label

void mpo_init_socket_peer_label(label,  
 flag); 
struct label *label;
int flag;
 
ParameterDescriptionLocking
labelNew label to initialize 
flagmalloc(9) flags 

Initialize the peer label for a newly instantiated socket. The flag field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call.

6.7.2.12. mpo_init_proc_label

void mpo_init_proc_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelNew label to initialize 

Initialize the label for a newly instantiated process. Sleeping is permitted.

6.7.2.13. mpo_init_vnode_label

void mpo_init_vnode_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelNew label to initialize 

Initialize the label on a newly instantiated vnode. Sleeping is permitted.

6.7.2.14. mpo_destroy_bpfdesc_label

void mpo_destroy_bpfdesc_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelbpfdesc label 

Destroy the label on a BPF descriptor. In this entry point a policy should free any internal storage associated with label so that it may be destroyed.

6.7.2.15. mpo_destroy_cred_label

void mpo_destroy_cred_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelLabel being destroyed 

Destroy the label on a credential. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

6.7.2.16. mpo_destroy_devfsdirent_label

void mpo_destroy_devfsdirent_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelLabel being destroyed 

Destroy the label on a devfs entry. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

6.7.2.17. mpo_destroy_ifnet_label

void mpo_destroy_ifnet_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelLabel being destroyed 

Destroy the label on a removed interface. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

6.7.2.18. mpo_destroy_ipq_label

void mpo_destroy_ipq_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelLabel being destroyed 

Destroy the label on an IP fragment queue. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

6.7.2.19. mpo_destroy_mbuf_label

void mpo_destroy_mbuf_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelLabel being destroyed 

Destroy the label on an mbuf header. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

6.7.2.20. mpo_destroy_mount_label

void mpo_destroy_mount_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelMount point label being destroyed 

Destroy the labels on a mount point. In this entry point, a policy module should free the internal storage associated with mntlabel so that they may be destroyed.

6.7.2.21. mpo_destroy_mount_label

void mpo_destroy_mount_label(mntlabel,  
 fslabel); 
struct label *mntlabel;
struct label *fslabel;
 
ParameterDescriptionLocking
mntlabelMount point label being destroyed 
fslabelFile system label being destroyed> 

Destroy the labels on a mount point. In this entry point, a policy module should free the internal storage associated with mntlabel and fslabel so that they may be destroyed.

6.7.2.22. mpo_destroy_socket_label

void mpo_destroy_socket_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelSocket label being destroyed 

Destroy the label on a socket. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

6.7.2.23. mpo_destroy_socket_peer_label

void mpo_destroy_socket_peer_label(peerlabel); 
struct label *peerlabel;
 
ParameterDescriptionLocking
peerlabelSocket peer label being destroyed 

Destroy the peer label on a socket. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

6.7.2.24. mpo_destroy_pipe_label

void mpo_destroy_pipe_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelPipe label 

Destroy the label on a pipe. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

6.7.2.25. mpo_destroy_proc_label

void mpo_destroy_proc_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelProcess label 

Destroy the label on a process. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

6.7.2.26. mpo_destroy_vnode_label

void mpo_destroy_vnode_label(label); 
struct label *label;
 
ParameterDescriptionLocking
labelProcess label 

Destroy the label on a vnode. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.

6.7.2.27. mpo_copy_mbuf_label

void mpo_copy_mbuf_label(src,  
 dest); 
struct label *src;
struct label *dest;
 
ParameterDescriptionLocking
srcSource label 
destDestination label 

Copy the label information in src into dest.

6.7.2.28. mpo_copy_pipe_label

void mpo_copy_pipe_label(src,  
 dest); 
struct label *src;
struct label *dest;
 
ParameterDescriptionLocking
srcSource label 
destDestination label 

Copy the label information in src into dest.

6.7.2.29. mpo_copy_vnode_label

void mpo_copy_vnode_label(src,  
 dest); 
struct label *src;
struct label *dest;
 
ParameterDescriptionLocking
srcSource label 
destDestination label 

Copy the label information in src into dest.

6.7.2.30. mpo_externalize_cred_label

int mpo_externalize_cred_label(label,  
 element_name,  
 sb,  
 *claimed); 
struct label *label;
char *element_name;
struct sbuf *sb;
int *claimed;
 
ParameterDescriptionLocking
labelLabel to be externalized 
element_nameName of the policy whose label should be externalized 
sbString buffer to be filled with a text representation of label 
claimedShould be incremented when element_data can be filled in. 

Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in sb. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in element_data, *claimed should be incremented.

6.7.2.31. mpo_externalize_ifnet_label

int mpo_externalize_ifnet_label(label,  
 element_name,  
 sb,  
 *claimed); 
struct label *label;
char *element_name;
struct sbuf *sb;
int *claimed;
 
ParameterDescriptionLocking
labelLabel to be externalized 
element_nameName of the policy whose label should be externalized 
sbString buffer to be filled with a text representation of label 
claimedShould be incremented when element_data can be filled in. 

Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in sb. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in element_data, *claimed should be incremented.

6.7.2.32. mpo_externalize_pipe_label

int mpo_externalize_pipe_label(label,  
 element_name,  
 sb,  
 *claimed); 
struct label *label;
char *element_name;
struct sbuf *sb;
int *claimed;
 
ParameterDescriptionLocking
labelLabel to be externalized 
element_nameName of the policy whose label should be externalized 
sbString buffer to be filled with a text representation of label 
claimedShould be incremented when element_data can be filled in. 

Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in sb. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in element_data, *claimed should be incremented.

6.7.2.33. mpo_externalize_socket_label

int mpo_externalize_socket_label(label,  
 element_name,  
 sb,  
 *claimed); 
struct label *label;
char *element_name;
struct sbuf *sb;
int *claimed;
 
ParameterDescriptionLocking
labelLabel to be externalized 
element_nameName of the policy whose label should be externalized 
sbString buffer to be filled with a text representation of label 
claimedShould be incremented when element_data can be filled in. 

Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in sb. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in element_data, *claimed should be incremented.

6.7.2.34. mpo_externalize_socket_peer_label

int mpo_externalize_socket_peer_label(label,  
 element_name,  
 sb,  
 *claimed); 
struct label *label;
char *element_name;
struct sbuf *sb;
int *claimed;
 
ParameterDescriptionLocking
labelLabel to be externalized 
element_nameName of the policy whose label should be externalized 
sbString buffer to be filled with a text representation of label 
claimedShould be incremented when element_data can be filled in. 

Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in sb. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in element_data, *claimed should be incremented.

6.7.2.35. mpo_externalize_vnode_label

int mpo_externalize_vnode_label(label,  
 element_name,  
 sb,  
 *claimed); 
struct label *label;
char *element_name;
struct sbuf *sb;
int *claimed;
 
ParameterDescriptionLocking
labelLabel to be externalized 
element_nameName of the policy whose label should be externalized 
sbString buffer to be filled with a text representation of label 
claimedShould be incremented when element_data can be filled in. 

Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in sb. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in element_data, *claimed should be incremented.

6.7.2.36. mpo_internalize_cred_label

int mpo_internalize_cred_label(label,  
 element_name,  
 element_data,  
 claimed); 
struct label *label;
char *element_name;
char *element_data;
int *claimed;
 
ParameterDescriptionLocking
labelLabel to be filled in 
element_nameName of the policy whose label should be internalized 
element_dataText data to be internalized 
claimedShould be incremented when data can be successfully internalized. 

Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when data can successfully be internalized, in which case *claimed should be incremented.

6.7.2.37. mpo_internalize_ifnet_label

int mpo_internalize_ifnet_label(label,  
 element_name,  
 element_data,  
 claimed); 
struct label *label;
char *element_name;
char *element_data;
int *claimed;
 
ParameterDescriptionLocking
labelLabel to be filled in 
element_nameName of the policy whose label should be internalized 
element_dataText data to be internalized 
claimedShould be incremented when data can be successfully internalized. 

Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when data can successfully be internalized, in which case *claimed should be incremented.

6.7.2.38. mpo_internalize_pipe_label

int mpo_internalize_pipe_label(label,  
 element_name,  
 element_data,  
 claimed); 
struct label *label;
char *element_name;
char *element_data;
int *claimed;
 
ParameterDescriptionLocking
labelLabel to be filled in 
element_nameName of the policy whose label should be internalized 
element_dataText data to be internalized 
claimedShould be incremented when data can be successfully internalized. 

Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when data can successfully be internalized, in which case *claimed should be incremented.

6.7.2.39. mpo_internalize_socket_label

int mpo_internalize_socket_label(label,  
 element_name,  
 element_data,  
 claimed); 
struct label *label;
char *element_name;
char *element_data;
int *claimed;
 
ParameterDescriptionLocking
labelLabel to be filled in 
element_nameName of the policy whose label should be internalized 
element_dataText data to be internalized 
claimedShould be incremented when data can be successfully internalized. 

Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when data can successfully be internalized, in which case *claimed should be incremented.

6.7.2.40. mpo_internalize_vnode_label

int mpo_internalize_vnode_label(label,  
 element_name,  
 element_data,  
 claimed); 
struct label *label;
char *element_name;
char *element_data;
int *claimed;
 
ParameterDescriptionLocking
labelLabel to be filled in 
element_nameName of the policy whose label should be internalized 
element_dataText data to be internalized 
claimedShould be incremented when data can be successfully internalized. 

Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when data can successfully be internalized, in which case *claimed should be incremented.

6.7.3. Label Events

This class of entry points is used by the MAC framework to permit policies to maintain label information on kernel objects. For each labeled kernel object of interest to a MAC policy, entry points may be registered for relevant life cycle events. All objects implement initialization, creation, and destruction hooks. Some objects will also implement relabeling, allowing user processes to change the labels on objects. Some objects will also implement object-specific events, such as label events associated with IP reassembly. A typical labeled object will have the following life cycle of entry points:

Label initialization          o
(object-specific wait)         \
Label creation                  o
                                 \
Relabel events,                   o--<--.
Various object-specific,          |     |
Access control events             ~-->--o
                                         \
Label destruction                         o

Label initialization permits policies to allocate memory and set initial values for labels without context for the use of the object. The label slot allocated to a policy will be zeroed by default, so some policies may not need to perform initialization.

Label creation occurs when the kernel structure is associated with an actual kernel object. For example, Mbufs may be allocated and remain unused in a pool until they are required. mbuf allocation causes label initialization on the mbuf to take place, but mbuf creation occurs when the mbuf is associated with a datagram. Typically, context will be provided for a creation event, including the circumstances of the creation, and labels of other relevant objects in the creation process. For example, when an mbuf is created from a socket, the socket and its label will be presented to registered policies in addition to the new mbuf and its label. Memory allocation in creation events is discouraged, as it may occur in performance sensitive ports of the kernel; in addition, creation calls are not permitted to fail so a failure to allocate memory cannot be reported.

Object specific events do not generally fall into the other broad classes of label events, but will generally provide an opportunity to modify or update the label on an object based on additional context. For example, the label on an IP fragment reassembly queue may be updated during the MAC_UPDATE_IPQ entry point as a result of the acceptance of an additional mbuf to that queue.

Access control events are discussed in detail in the following section.

Label destruction permits policies to release storage or state associated with a label during its association with an object so that the kernel data structures supporting the object may be reused or released.

In addition to labels associated with specific kernel objects, an additional class of labels exists: temporary labels. These labels are used to store update information submitted by user processes. These labels are initialized and destroyed as with other label types, but the creation event is MAC_INTERNALIZE, which accepts a user label to be converted to an in-kernel representation.

6.7.3.1. File System Object Labeling Event Operations

6.7.3.1.1. mpo_associate_vnode_devfs
void mpo_associate_vnode_devfs(mp,  
 fslabel,  
 de,  
 delabel,  
 vp,  
 vlabel); 
struct mount *mp;
struct label *fslabel;
struct devfs_dirent *de;
struct label *delabel;
struct vnode *vp;
struct label *vlabel;
 
ParameterDescriptionLocking
mpDevfs mount point 
fslabelDevfs file system label (mp->mnt_fslabel) 
deDevfs directory entry 
delabelPolicy label associated with de 
vpvnode associated with de 
vlabelPolicy label associated with vp 

Fill in the label (vlabel) for a newly created devfs vnode based on the devfs directory entry passed in de and its label.

6.7.3.1.2. mpo_associate_vnode_extattr
int mpo_associate_vnode_extattr(mp,  
 fslabel,  
 vp,  
 vlabel); 
struct mount *mp;
struct label *fslabel;
struct vnode *vp;
struct label *vlabel;
 
ParameterDescriptionLocking
mpFile system mount point 
fslabelFile system label 
vpVnode to label 
vlabelPolicy label associated with vp 

Attempt to retrieve the label for vp from the file system extended attributes. Upon success, the value 0 is returned. Should extended attribute retrieval not be supported, an accepted fallback is to copy fslabel into vlabel. In the event of an error, an appropriate value for errno should be returned.

6.7.3.1.3. mpo_associate_vnode_singlelabel
void mpo_associate_vnode_singlelabel(mp,  
 fslabel,  
 vp,  
 vlabel); 
struct mount *mp;
struct label *fslabel;
struct vnode *vp;
struct label *vlabel;
 
ParameterDescriptionLocking
mpFile system mount point 
fslabelFile system label 
vpVnode to label 
vlabelPolicy label associated with vp 

On non-multilabel file systems, this entry point is called to set the policy label for vp based on the file system label, fslabel.

6.7.3.1.4. mpo_create_devfs_device
void mpo_create_devfs_device(dev,  
 devfs_dirent,  
 label); 
dev_t dev;
struct devfs_dirent *devfs_dirent;
struct label *label;
 
ParameterDescriptionLocking
devDevice corresponding with devfs_dirent 
devfs_direntDevfs directory entry to be labeled. 
labelLabel for devfs_dirent to be filled in. 

Fill out the label on a devfs_dirent being created for the passed device. This call will be made when the device file system is mounted, regenerated, or a new device is made available.

6.7.3.1.5. mpo_create_devfs_directory
void mpo_create_devfs_directory(dirname,  
 dirnamelen,  
 devfs_dirent,  
 label); 
char *dirname;
int dirnamelen;
struct devfs_dirent *devfs_dirent;
struct label *label;
 
ParameterDescriptionLocking
dirnameName of directory being created 
namelenLength of string dirname 
devfs_direntDevfs directory entry for directory being created. 

Fill out the label on a devfs_dirent being created for the passed directory. This call will be made when the device file system is mounted, regenerated, or a new device requiring a specific directory hierarchy is made available.

6.7.3.1.6. mpo_create_devfs_symlink
void mpo_create_devfs_symlink(cred,  
 mp,  
 dd,  
 ddlabel,  
 de,  
 delabel); 
struct ucred *cred;
struct mount *mp;
struct devfs_dirent *dd;
struct label *ddlabel;
struct devfs_dirent *de;
struct label *delabel;
 
ParameterDescriptionLocking
credSubject credential 
mpDevfs mount point 
ddLink destination 
ddlabelLabel associated with dd 
deSymlink entry 
delabelLabel associated with de 

Fill in the label (delabel) for a newly created devfs(5) symbolic link entry.

6.7.3.1.7. mpo_create_vnode_extattr
int mpo_create_vnode_extattr(cred,  
 mp,  
 fslabel,  
 dvp,  
 dlabel,  
 vp,  
 vlabel,  
 cnp); 
struct ucred *cred;
struct mount *mp;
struct label *fslabel;
struct vnode *dvp;
struct label *dlabel;
struct vnode *vp;
struct label *vlabel;
struct componentname *cnp;
 
ParameterDescriptionLocking
credSubject credential 
mountFile system mount point 
labelFile system label 
dvpParent directory vnode 
dlabelLabel associated with dvp 
vpNewly created vnode 
vlabelPolicy label associated with vp 
cnpComponent name for vp 

Write out the label for vp to the appropriate extended attribute. If the write succeeds, fill in vlabel with the label, and return 0. Otherwise, return an appropriate error.

6.7.3.1.8. mpo_create_mount
void mpo_create_mount(cred,  
 mp,  
 mnt,  
 fslabel); 
struct ucred *cred;
struct mount *mp;
struct label *mnt;
struct label *fslabel;
 
ParameterDescriptionLocking
credSubject credential 
mpObject; file system being mounted 
mntlabelPolicy label to be filled in for mp 
fslabelPolicy label for the file system mp mounts. 

Fill out the labels on the mount point being created by the passed subject credential. This call will be made when a new file system is mounted.

6.7.3.1.9. mpo_create_root_mount
void mpo_create_root_mount(cred,  
 mp,  
 mntlabel,  
 fslabel); 
struct ucred *cred;
struct mount *mp;
struct label *mntlabel;
struct label *fslabel;
 
ParameterDescriptionLocking
See Section 6.7.3.1.8, “mpo_create_mount.

Fill out the labels on the mount point being created by the passed subject credential. This call will be made when the root file system is mounted, after mpo_create_mount;.

6.7.3.1.10. mpo_relabel_vnode
void mpo_relabel_vnode(cred,  
 vp,  
 vnodelabel,  
 newlabel); 
struct ucred *cred;
struct vnode *vp;
struct label *vnodelabel;
struct label *newlabel;
 
ParameterDescriptionLocking
credSubject credential 
vpvnode to relabel 
vnodelabelExisting policy label for vp 
newlabelNew, possibly partial label to replace vnodelabel 

Update the label on the passed vnode given the passed update vnode label and the passed subject credential.

6.7.3.1.11. mpo_setlabel_vnode_extattr
int mpo_setlabel_vnode_extattr(cred,  
 vp,  
 vlabel,  
 intlabel); 
struct ucred *cred;
struct vnode *vp;
struct label *vlabel;
struct label *intlabel;
 
ParameterDescriptionLocking
credSubject credential 
vpVnode for which the label is being written 
vlabelPolicy label associated with vp 
intlabelLabel to write out 

Write out the policy from intlabel to an extended attribute. This is called from vop_stdcreatevnode_ea.

6.7.3.1.12. mpo_update_devfsdirent
void mpo_update_devfsdirent(devfs_dirent,  
 direntlabel,  
 vp,  
 vnodelabel); 
struct devfs_dirent *devfs_dirent;
struct label *direntlabel;
struct vnode *vp;
struct label *vnodelabel;
 
ParameterDescriptionLocking
devfs_direntObject; devfs directory entry 
direntlabelPolicy label for devfs_dirent to be updated. 
vpParent vnodeLocked
vnodelabelPolicy label for vp 

Update the devfs_dirent label from the passed devfs vnode label. This call will be made when a devfs vnode has been successfully relabeled to commit the label change such that it lasts even if the vnode is recycled. It will also be made when a symlink is created in devfs, following a call to mac_vnode_create_from_vnode to initialize the vnode label.

6.7.3.2. IPC Object Labeling Event Operations

6.7.3.2.1. mpo_create_mbuf_from_socket
void mpo_create_mbuf_from_socket(so,  
 socketlabel,  
 m,  
 mbuflabel); 
struct socket *so;
struct label *socketlabel;
struct mbuf *m;
struct label *mbuflabel;
 
ParameterDescriptionLocking
socketSocketSocket locking WIP
socketlabelPolicy label for socket 
mObject; mbuf 
mbuflabelPolicy label to fill in for m 

Set the label on a newly created mbuf header from the passed socket label. This call is made when a new datagram or message is generated by the socket and stored in the passed mbuf.

6.7.3.2.2. mpo_create_pipe
void mpo_create_pipe(cred,  
 pipe,  
 pipelabel); 
struct ucred *cred;
struct pipe *pipe;
struct label *pipelabel;
 
ParameterDescriptionLocking
credSubject credential 
pipePipe 
pipelabelPolicy label associated with pipe 

Set the label on a newly created pipe from the passed subject credential. This call is made when a new pipe is created.

6.7.3.2.3. mpo_create_socket
void mpo_create_socket(cred,  
 so,  
 socketlabel); 
struct ucred *cred;
struct socket *so;
struct label *socketlabel;
 
ParameterDescriptionLocking
credSubject credentialImmutable
soObject; socket to label 
socketlabelLabel to fill in for so 

Set the label on a newly created socket from the passed subject credential. This call is made when a socket is created.

6.7.3.2.4. mpo_create_socket_from_socket
void mpo_create_socket_from_socket(oldsocket,  
 oldsocketlabel,  
 newsocket,  
 newsocketlabel); 
struct socket *oldsocket;
struct label *oldsocketlabel;
struct socket *newsocket;
struct label *newsocketlabel;
 
ParameterDescriptionLocking
oldsocketListening socket 
oldsocketlabelPolicy label associated with oldsocket 
newsocketNew socket 
newsocketlabelPolicy label associated with newsocketlabel 

Label a socket, newsocket, newly accept(2)ed, based on the listen(2) socket, oldsocket.

6.7.3.2.5. mpo_relabel_pipe
void mpo_relabel_pipe(cred,  
 pipe,  
 oldlabel,  
 newlabel); 
struct ucred *cred;
struct pipe *pipe;
struct label *oldlabel;
struct label *newlabel;
 
ParameterDescriptionLocking
credSubject credential 
pipePipe 
oldlabelCurrent policy label associated with pipe 
newlabelPolicy label update to apply to pipe 

Apply a new label, newlabel, to pipe.

6.7.3.2.6. mpo_relabel_socket
void mpo_relabel_socket(cred,  
 so,  
 oldlabel,  
 newlabel); 
struct ucred *cred;
struct socket *so;
struct label *oldlabel;
struct label *newlabel;
 
ParameterDescriptionLocking
credSubject credentialImmutable
soObject; socket 
oldlabelCurrent label for so 
newlabelLabel update for so 

Update the label on a socket from the passed socket label update.

6.7.3.2.7. mpo_set_socket_peer_from_mbuf
void mpo_set_socket_peer_from_mbuf(mbuf,  
 mbuflabel,  
 oldlabel,  
 newlabel); 
struct mbuf *mbuf;
struct label *mbuflabel;
struct label *oldlabel;
struct label *newlabel;
 
ParameterDescriptionLocking
mbufFirst datagram received over socket 
mbuflabelLabel for mbuf 
oldlabelCurrent label for the socket 
newlabelPolicy label to be filled out for the socket 

Set the peer label on a stream socket from the passed mbuf label. This call will be made when the first datagram is received by the stream socket, with the exception of Unix domain sockets.

6.7.3.2.8. mpo_set_socket_peer_from_socket
void mpo_set_socket_peer_from_socket(oldsocket,  
 oldsocketlabel,  
 newsocket,  
 newsocketpeerlabel); 
struct socket *oldsocket;
struct label *oldsocketlabel;
struct socket *newsocket;
struct label *newsocketpeerlabel;
 
ParameterDescriptionLocking
oldsocketLocal socket 
oldsocketlabelPolicy label for oldsocket 
newsocketPeer socket 
newsocketpeerlabelPolicy label to fill in for newsocket 

Set the peer label on a stream UNIX domain socket from the passed remote socket endpoint. This call will be made when the socket pair is connected, and will be made for both endpoints.

6.7.3.3. Network Object Labeling Event Operations

6.7.3.3.1. mpo_create_bpfdesc
void mpo_create_bpfdesc(cred,  
 bpf_d,  
 bpflabel); 
struct ucred *cred;
struct bpf_d *bpf_d;
struct label *bpflabel;
 
ParameterDescriptionLocking
credSubject credentialImmutable
bpf_dObject; bpf descriptor 
bpfPolicy label to be filled in for bpf_d 

Set the label on a newly created BPF descriptor from the passed subject credential. This call will be made when a BPF device node is opened by a process with the passed subject credential.

6.7.3.3.2. mpo_create_ifnet
void mpo_create_ifnet(ifnet,  
 ifnetlabel); 
struct ifnet *ifnet;
struct label *ifnetlabel;
 
ParameterDescriptionLocking
ifnetNetwork interface 
ifnetlabelPolicy label to fill in for ifnet 

Set the label on a newly created interface. This call may be made when a new physical interface becomes available to the system, or when a pseudo-interface is instantiated during the boot or as a result of a user action.

6.7.3.3.3. mpo_create_ipq
void mpo_create_ipq(fragment,  
 fragmentlabel,  
 ipq,  
 ipqlabel); 
struct mbuf *fragment;
struct label *fragmentlabel;
struct ipq *ipq;
struct label *ipqlabel;
 
ParameterDescriptionLocking
fragmentFirst received IP fragment 
fragmentlabelPolicy label for fragment 
ipqIP reassembly queue to be labeled 
ipqlabelPolicy label to be filled in for ipq 

Set the label on a newly created IP fragment reassembly queue from the mbuf header of the first received fragment.

6.7.3.3.4. mpo_create_datagram_from_ipq
void mpo_create_create_datagram_from_ipq(ipq,  
 ipqlabel,  
 datagram,  
 datagramlabel); 
struct ipq *ipq;
struct label *ipqlabel;
struct mbuf *datagram;
struct label *datagramlabel;
 
ParameterDescriptionLocking
ipqIP reassembly queue 
ipqlabelPolicy label for ipq 
datagramDatagram to be labeled 
datagramlabelPolicy label to be filled in for datagramlabel 

Set the label on a newly reassembled IP datagram from the IP fragment reassembly queue from which it was generated.

6.7.3.3.5. mpo_create_fragment
void mpo_create_fragment(datagram,  
 datagramlabel,  
 fragment,  
 fragmentlabel); 
struct mbuf *datagram;
struct label *datagramlabel;
struct mbuf *fragment;
struct label *fragmentlabel;
 
ParameterDescriptionLocking
datagramDatagram 
datagramlabelPolicy label for datagram 
fragmentFragment to be labeled 
fragmentlabelPolicy label to be filled in for datagram 

Set the label on the mbuf header of a newly created IP fragment from the label on the mbuf header of the datagram it was generate from.

6.7.3.3.6. mpo_create_mbuf_from_mbuf
void mpo_create_mbuf_from_mbuf(oldmbuf,  
 oldmbuflabel,  
 newmbuf,  
 newmbuflabel); 
struct mbuf *oldmbuf;
struct label *oldmbuflabel;
struct mbuf *newmbuf;
struct label *newmbuflabel;
 
ParameterDescriptionLocking
oldmbufExisting (source) mbuf 
oldmbuflabelPolicy label for oldmbuf 
newmbufNew mbuf to be labeled 
newmbuflabelPolicy label to be filled in for newmbuf 

Set the label on the mbuf header of a newly created datagram from the mbuf header of an existing datagram. This call may be made in a number of situations, including when an mbuf is re-allocated for alignment purposes.

6.7.3.3.7. mpo_create_mbuf_linklayer
void mpo_create_mbuf_linklayer(ifnet,  
 ifnetlabel,  
 mbuf,  
 mbuflabel); 
struct ifnet *ifnet;
struct label *ifnetlabel;
struct mbuf *mbuf;
struct label *mbuflabel;
 
ParameterDescriptionLocking
ifnetNetwork interface 
ifnetlabelPolicy label for ifnet 
mbufmbuf header for new datagram 
mbuflabelPolicy label to be filled in for mbuf 

Set the label on the mbuf header of a newly created datagram generated for the purposes of a link layer response for the passed interface. This call may be made in a number of situations, including for ARP or ND6 responses in the IPv4 and IPv6 stacks.

6.7.3.3.8. mpo_create_mbuf_from_bpfdesc
void mpo_create_mbuf_from_bpfdesc(bpf_d,  
 bpflabel,  
 mbuf,  
 mbuflabel); 
struct bpf_d *bpf_d;
struct label *bpflabel;
struct mbuf *mbuf;
struct label *mbuflabel;
 
ParameterDescriptionLocking
bpf_dBPF descriptor 
bpflabelPolicy label for bpflabel 
mbufNew mbuf to be labeled 
mbuflabelPolicy label to fill in for mbuf 

Set the label on the mbuf header of a newly created datagram generated using the passed BPF descriptor. This call is made when a write is performed to the BPF device associated with the passed BPF descriptor.

6.7.3.3.9. mpo_create_mbuf_from_ifnet
void mpo_create_mbuf_from_ifnet(ifnet,  
 ifnetlabel,  
 mbuf,  
 mbuflabel); 
struct ifnet *ifnet;
struct label *ifnetlabel;
struct mbuf *mbuf;
struct label *mbuflabel;
 
ParameterDescriptionLocking
ifnetNetwork interface 
ifnetlabelPolicy label for ifnetlabel 
mbufmbuf header for new datagram 
mbuflabelPolicy label to be filled in for mbuf 

Set the label on the mbuf header of a newly created datagram generated from the passed network interface.

6.7.3.3.10. mpo_create_mbuf_multicast_encap
void mpo_create_mbuf_multicast_encap(oldmbuf,  
 oldmbuflabel,  
 ifnet,  
 ifnetlabel,  
 newmbuf,  
 newmbuflabel); 
struct mbuf *oldmbuf;
struct label *oldmbuflabel;
struct ifnet *ifnet;
struct label *ifnetlabel;
struct mbuf *newmbuf;
struct label *newmbuflabel;
 
ParameterDescriptionLocking
oldmbufmbuf header for existing datagram 
oldmbuflabelPolicy label for oldmbuf 
ifnetNetwork interface 
ifnetlabelPolicy label for ifnet 
newmbufmbuf header to be labeled for new datagram 
newmbuflabelPolicy label to be filled in for newmbuf 

Set the label on the mbuf header of a newly created datagram generated from the existing passed datagram when it is processed by the passed multicast encapsulation interface. This call is made when an mbuf is to be delivered using the virtual interface.

6.7.3.3.11. mpo_create_mbuf_netlayer
void mpo_create_mbuf_netlayer(oldmbuf,  
 oldmbuflabel,  
 newmbuf,  
 newmbuflabel); 
struct mbuf *oldmbuf;
struct label *oldmbuflabel;
struct mbuf *newmbuf;
struct label *newmbuflabel;
 
ParameterDescriptionLocking
oldmbufReceived datagram 
oldmbuflabelPolicy label for oldmbuf 
newmbufNewly created datagram 
newmbuflabelPolicy label for newmbuf 

Set the label on the mbuf header of a newly created datagram generated by the IP stack in response to an existing received datagram (oldmbuf). This call may be made in a number of situations, including when responding to ICMP request datagrams.

6.7.3.3.12. mpo_fragment_match
int mpo_fragment_match(fragment,  
 fragmentlabel,  
 ipq,  
 ipqlabel); 
struct mbuf *fragment;
struct label *fragmentlabel;
struct ipq *ipq;
struct label *ipqlabel;
 
ParameterDescriptionLocking
fragmentIP datagram fragment 
fragmentlabelPolicy label for fragment 
ipqIP fragment reassembly queue 
ipqlabelPolicy label for ipq 

Determine whether an mbuf header containing an IP datagram (fragment) fragment matches the label of the passed IP fragment reassembly queue (ipq). Return (1) for a successful match, or (0) for no match. This call is made when the IP stack attempts to find an existing fragment reassembly queue for a newly received fragment; if this fails, a new fragment reassembly queue may be instantiated for the fragment. Policies may use this entry point to prevent the reassembly of otherwise matching IP fragments if policy does not permit them to be reassembled based on the label or other information.

6.7.3.3.13. mpo_relabel_ifnet
void mpo_relabel_ifnet(cred,  
 ifnet,  
 ifnetlabel,  
 newlabel); 
struct ucred *cred;
struct ifnet *ifnet;
struct label *ifnetlabel;
struct label *newlabel;
 
ParameterDescriptionLocking
credSubject credential 
ifnetObject; Network interface 
ifnetlabelPolicy label for ifnet 
newlabelLabel update to apply to ifnet 

Update the label of network interface, ifnet, based on the passed update label, newlabel, and the passed subject credential, cred.

6.7.3.3.14. mpo_update_ipq
void mpo_update_ipq(fragment,  
 fragmentlabel,  
 ipq,  
 ipqlabel); 
struct mbuf *fragment;
struct label *fragmentlabel;
struct ipq *ipq;
struct label *ipqlabel;
 
ParameterDescriptionLocking
mbufIP fragment 
mbuflabelPolicy label for mbuf 
ipqIP fragment reassembly queue 
ipqlabelPolicy label to be updated for ipq 

Update the label on an IP fragment reassembly queue (ipq) based on the acceptance of the passed IP fragment mbuf header (mbuf).

6.7.3.4. Process Labeling Event Operations

6.7.3.4.1. mpo_create_cred
void mpo_create_cred(parent_cred,  
 child_cred); 
struct ucred *parent_cred;
struct ucred *child_cred;
 
ParameterDescriptionLocking
parent_credParent subject credential 
child_credChild subject credential 

Set the label of a newly created subject credential from the passed subject credential. This call will be made when crcopy(9) is invoked on a newly created struct ucred. This call should not be confused with a process forking or creation event.

6.7.3.4.2. mpo_execve_transition
void mpo_execve_transition(old,  
 new,  
 vp,  
 vnodelabel); 
struct ucred *old;
struct ucred *new;
struct vnode *vp;
struct label *vnodelabel;
 
ParameterDescriptionLocking
oldExisting subject credentialImmutable
newNew subject credential to be labeled 
vpFile to executeLocked
vnodelabelPolicy label for vp 

Update the label of a newly created subject credential (new) from the passed existing subject credential (old) based on a label transition caused by executing the passed vnode (vp). This call occurs when a process executes the passed vnode and one of the policies returns a success from the mpo_execve_will_transition entry point. Policies may choose to implement this call simply by invoking mpo_create_cred and passing the two subject credentials so as not to implement a transitioning event. Policies should not leave this entry point unimplemented if they implement mpo_create_cred, even if they do not implement mpo_execve_will_transition.

6.7.3.4.3. mpo_execve_will_transition
int mpo_execve_will_transition(old,  
 vp,  
 vnodelabel); 
struct ucred *old;
struct vnode *vp;
struct label *vnodelabel;
 
ParameterDescriptionLocking
oldSubject credential prior to execve(2)Immutable
vpFile to execute 
vnodelabelPolicy label for vp 

Determine whether the policy will want to perform a transition event as a result of the execution of the passed vnode by the passed subject credential. Return 1 if a transition is required, 0 if not. Even if a policy returns 0, it should behave correctly in the presence of an unexpected invocation of mpo_execve_transition, as that call may happen as a result of another policy requesting a transition.

6.7.3.4.4. mpo_create_proc0
void mpo_create_proc0(cred); 
struct ucred *cred;
 
ParameterDescriptionLocking
credSubject credential to be filled in 

Create the subject credential of process 0, the parent of all kernel processes.

6.7.3.4.5. mpo_create_proc1
void mpo_create_proc1(cred); 
struct ucred *cred;
 
ParameterDescriptionLocking
credSubject credential to be filled in 

Create the subject credential of process 1, the parent of all user processes.

6.7.3.4.6. mpo_relabel_cred
void mpo_relabel_cred(cred,  
 newlabel); 
struct ucred *cred;
struct label *newlabel;
 
ParameterDescriptionLocking
credSubject credential 
newlabelLabel update to apply to cred 

Update the label on a subject credential from the passed update label.

6.7.4. Access Control Checks

Access control entry points permit policy modules to influence access control decisions made by the kernel. Generally, although not always, arguments to an access control entry point will include one or more authorizing credentials, information (possibly including a label) for any other objects involved in the operation. An access control entry point may return 0 to permit the operation, or an errno(2) error value. The results of invoking the entry point across various registered policy modules will be composed as follows: if all modules permit the operation to succeed, success will be returned. If one or modules returns a failure, a failure will be returned. If more than one module returns a failure, the errno value to return to the user will be selected using the following precedence, implemented by the error_select() function in kern_mac.c:

Most precedenceEDEADLK
 EINVAL
 ESRCH
 EACCES
Least precedenceEPERM

If none of the error values returned by all modules are listed in the precedence chart then an arbitrarily selected value from the set will be returned. In general, the rules provide precedence to errors in the following order: kernel failures, invalid arguments, object not present, access not permitted, other.

6.7.4.1. mpo_check_bpfdesc_receive

int mpo_check_bpfdesc_receive(bpf_d,  
 bpflabel,  
 ifnet,  
 ifnetlabel); 
struct bpf_d *bpf_d;
struct label *bpflabel;
struct ifnet *ifnet;
struct label *ifnetlabel;
 
ParameterDescriptionLocking
bpf_dSubject; BPF descriptor 
bpflabelPolicy label for bpf_d 
ifnetObject; network interface 
ifnetlabelPolicy label for ifnet 

Determine whether the MAC framework should permit datagrams from the passed interface to be delivered to the buffers of the passed BPF descriptor. Return (0) for success, or an errno value for failure Suggested failure: EACCES for label mismatches, EPERM for lack of privilege.

6.7.4.2. mpo_check_kenv_dump

int mpo_check_kenv_dump(cred); 
struct ucred *cred;
 
ParameterDescriptionLocking
credSubject credential 

Determine whether the subject should be allowed to retrieve the kernel environment (see kenv(2)).

6.7.4.3. mpo_check_kenv_get

int mpo_check_kenv_get(cred,  
 name); 
struct ucred *cred;
char *name;
 
ParameterDescriptionLocking
credSubject credential 
nameKernel environment variable name 

Determine whether the subject should be allowed to retrieve the value of the specified kernel environment variable.

6.7.4.4. mpo_check_kenv_set

int mpo_check_kenv_set(cred,  
 name); 
struct ucred *cred;
char *name;
 
ParameterDescriptionLocking
credSubject credential 
nameKernel environment variable name 

Determine whether the subject should be allowed to set the specified kernel environment variable.

6.7.4.5. mpo_check_kenv_unset

int mpo_check_kenv_unset(cred,  
 name); 
struct ucred *cred;
char *name;
 
ParameterDescriptionLocking
credSubject credential 
nameKernel environment variable name 

Determine whether the subject should be allowed to unset the specified kernel environment variable.

6.7.4.6. mpo_check_kld_load

int mpo_check_kld_load(cred,  
 vp,  
 vlabel); 
struct ucred *cred;
struct vnode *vp;
struct label *vlabel;
 
ParameterDescriptionLocking
credSubject credential 
vpKernel module vnode 
vlabelLabel associated with vp 

Determine whether the subject should be allowed to load the specified module file.

6.7.4.7. mpo_check_kld_stat

int mpo_check_kld_stat(cred); 
struct ucred *cred;
 
ParameterDescriptionLocking
credSubject credential 

Determine whether the subject should be allowed to retrieve a list of loaded kernel module files and associated statistics.

6.7.4.8. mpo_check_kld_unload

int mpo_check_kld_unload(cred); 
struct ucred *cred;
 
ParameterDescriptionLocking
credSubject credential 

Determine whether the subject should be allowed to unload a kernel module.

6.7.4.9. mpo_check_pipe_ioctl

int mpo_check_pipe_ioctl(cred,  
 pipe,  
 pipelabel,  
 cmd,  
 data); 
struct ucred *cred;
struct pipe *pipe;
struct label *pipelabel;
unsigned long cmd;
void *data;
 
ParameterDescriptionLocking
credSubject credential 
pipePipe 
pipelabelPolicy label associated with pipe 
cmdioctl(2) command 
dataioctl(2) data 

Determine whether the subject should be allowed to make the specified ioctl(2) call.

6.7.4.10. mpo_check_pipe_poll

int mpo_check_pipe_poll(cred,  
 pipe,  
 pipelabel); 
struct ucred *cred;
struct pipe *pipe;
struct label *pipelabel;
 
ParameterDescriptionLocking
credSubject credential 
pipePipe 
pipelabelPolicy label associated with pipe 

Determine whether the subject should be allowed to poll pipe.

6.7.4.11. mpo_check_pipe_read

int mpo_check_pipe_read(cred,  
 pipe,  
 pipelabel); 
struct ucred *cred;
struct pipe *pipe;
struct label *pipelabel;
 
ParameterDescriptionLocking
credSubject credential 
pipePipe 
pipelabelPolicy label associated with pipe 

Determine whether the subject should be allowed read access to pipe.

6.7.4.12. mpo_check_pipe_relabel

int mpo_check_pipe_relabel(cred,  
 pipe,  
 pipelabel,  
 newlabel); 
struct ucred *cred;
struct pipe *pipe;
struct label *pipelabel;
struct label *newlabel;
 
ParameterDescriptionLocking
credSubject credential 
pipePipe 
pipelabelCurrent policy label associated with pipe 
newlabelLabel update to pipelabel 

Determine whether the subject should be allowed to relabel pipe.

6.7.4.13. mpo_check_pipe_stat

int mpo_check_pipe_stat(cred,  
 pipe,  
 pipelabel); 
struct ucred *cred;
struct pipe *pipe;
struct label *pipelabel;
 
ParameterDescriptionLocking
credSubject credential 
pipePipe 
pipelabelPolicy label associated with pipe 

Determine whether the subject should be allowed to retrieve statistics related to pipe.

6.7.4.14. mpo_check_pipe_write

int mpo_check_pipe_write(cred,  
 pipe,  
 pipelabel); 
struct ucred *cred;
struct pipe *pipe;
struct label *pipelabel;
 
ParameterDescriptionLocking
credSubject credential 
pipePipe 
pipelabelPolicy label associated with pipe 

Determine whether the subject should be allowed to write to pipe.

6.7.4.15. mpo_check_socket_bind

int mpo_check_socket_bind(cred,  
 socket,  
 socketlabel,  
 sockaddr); 
struct ucred *cred;
struct socket *socket;
struct label *socketlabel;
struct sockaddr *sockaddr;
 
ParameterDescriptionLocking
credSubject credential 
socketSocket to be bound 
socketlabelPolicy label for socket 
sockaddrAddress of socket 

6.7.4.16. mpo_check_socket_connect

int mpo_check_socket_connect(cred,  
 socket,  
 socketlabel,  
 sockaddr); 
struct ucred *cred;
struct socket *socket;
struct label *socketlabel;
struct sockaddr *sockaddr;
 
ParameterDescriptionLocking
credSubject credential 
socketSocket to be connected 
socketlabelPolicy label for socket 
sockaddrAddress of socket 

Determine whether the subject credential (cred) can connect the passed socket (socket) to the passed socket address (sockaddr). Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatches, EPERM for lack of privilege.

6.7.4.17. mpo_check_socket_receive

int mpo_check_socket_receive(cred,  
 so,  
 socketlabel); 
struct ucred *cred;
struct socket *so;
struct label *socketlabel;
 
ParameterDescriptionLocking
credSubject credential 
soSocket 
socketlabelPolicy label associated with so 

Determine whether the subject should be allowed to receive information from the socket so.

6.7.4.18. mpo_check_socket_send

int mpo_check_socket_send(cred,  
 so,  
 socketlabel); 
struct ucred *cred;
struct socket *so;
struct label *socketlabel;
 
ParameterDescriptionLocking
credSubject credential 
soSocket 
socketlabelPolicy label associated with so 

Determine whether the subject should be allowed to send information across the socket so.

6.7.4.19. mpo_check_cred_visible

int mpo_check_cred_visible(u1,  
 u2); 
struct ucred *u1;
struct ucred *u2;
 
ParameterDescriptionLocking
u1Subject credential 
u2Object credential 

Determine whether the subject credential u1 can see other subjects with the passed subject credential u2. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatches, EPERM for lack of privilege, or ESRCH to hide visibility. This call may be made in a number of situations, including inter-process status sysctl's used by ps, and in procfs lookups.

6.7.4.20. mpo_check_socket_visible

int mpo_check_socket_visible(cred,  
 socket,  
 socketlabel); 
struct ucred *cred;
struct socket *socket;
struct label *socketlabel;
 
ParameterDescriptionLocking
credSubject credential 
socketObject; socket 
socketlabelPolicy label for socket 

6.7.4.21. mpo_check_ifnet_relabel

int mpo_check_ifnet_relabel(cred,  
 ifnet,  
 ifnetlabel,  
 newlabel); 
struct ucred *cred;
struct ifnet *ifnet;
struct label *ifnetlabel;
struct label *newlabel;
 
ParameterDescriptionLocking
credSubject credential 
ifnetObject; network interface 
ifnetlabelExisting policy label for ifnet 
newlabelPolicy label update to later be applied to ifnet 

Determine whether the subject credential can relabel the passed network interface to the passed label update.

6.7.4.22. mpo_check_socket_relabel

int mpo_check_socket_relabel(cred,  
 socket,  
 socketlabel,  
 newlabel); 
struct ucred *cred;
struct socket *socket;
struct label *socketlabel;
struct label *newlabel;
 
ParameterDescriptionLocking
credSubject credential 
socketObject; socket 
socketlabelExisting policy label for socket 
newlabelLabel update to later be applied to socketlabel 

Determine whether the subject credential can relabel the passed socket to the passed label update.

6.7.4.23. mpo_check_cred_relabel

int mpo_check_cred_relabel(cred,  
 newlabel); 
struct ucred *cred;
struct label *newlabel;
 
ParameterDescriptionLocking
credSubject credential 
newlabelLabel update to later be applied to cred 

Determine whether the subject credential can relabel itself to the passed label update.

6.7.4.24. mpo_check_vnode_relabel

int mpo_check_vnode_relabel(cred,  
 vp,  
 vnodelabel,  
 newlabel); 
struct ucred *cred;
struct vnode *vp;
struct label *vnodelabel;
struct label *newlabel;
 
ParameterDescriptionLocking
credSubject credentialImmutable
vpObject; vnodeLocked
vnodelabelExisting policy label for vp 
newlabelPolicy label update to later be applied to vp 

Determine whether the subject credential can relabel the passed vnode to the passed label update.

6.7.4.25. mpo_check_mount_stat

int mpo_check_mount_stat(cred,  
 mp,  
 mountlabel); 
struct ucred *cred;
struct mount *mp;
struct label *mountlabel;
 
ParameterDescriptionLocking
credSubject credential 
mpObject; file system mount 
mountlabelPolicy label for mp 

Determine whether the subject credential can see the results of a statfs performed on the file system. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatches or EPERM for lack of privilege. This call may be made in a number of situations, including during invocations of statfs(2) and related calls, as well as to determine what file systems to exclude from listings of file systems, such as when getfsstat(2) is invoked.

6.7.4.26. mpo_check_proc_debug

int mpo_check_proc_debug(cred,  
 proc); 
struct ucred *cred;
struct proc *proc;
 
ParameterDescriptionLocking
credSubject credentialImmutable
procObject; process 

Determine whether the subject credential can debug the passed process. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to hide visibility of the target. This call may be made in a number of situations, including use of the ptrace(2) and ktrace(2) APIs, as well as for some types of procfs operations.

6.7.4.27. mpo_check_vnode_access

int mpo_check_vnode_access(cred,  
 vp,  
 label,  
 flags); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
int flags;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vnode 
labelPolicy label for vp 
flagsaccess(2) flags 

Determine how invocations of access(2) and related calls by the subject credential should return when performed on the passed vnode using the passed access flags. This should generally be implemented using the same semantics used in mpo_check_vnode_open. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatches or EPERM for lack of privilege.

6.7.4.28. mpo_check_vnode_chdir

int mpo_check_vnode_chdir(cred,  
 dvp,  
 dlabel); 
struct ucred *cred;
struct vnode *dvp;
struct label *dlabel;
 
ParameterDescriptionLocking
credSubject credential 
dvpObject; vnode to chdir(2) into 
dlabelPolicy label for dvp 

Determine whether the subject credential can change the process working directory to the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.29. mpo_check_vnode_chroot

int mpo_check_vnode_chroot(cred,  
 dvp,  
 dlabel); 
struct ucred *cred;
struct vnode *dvp;
struct label *dlabel;
 
ParameterDescriptionLocking
credSubject credential 
dvpDirectory vnode 
dlabelPolicy label associated with dvp 

Determine whether the subject should be allowed to chroot(2) into the specified directory (dvp).

6.7.4.30. mpo_check_vnode_create

int mpo_check_vnode_create(cred,  
 dvp,  
 dlabel,  
 cnp,  
 vap); 
struct ucred *cred;
struct vnode *dvp;
struct label *dlabel;
struct componentname *cnp;
struct vattr *vap;
 
ParameterDescriptionLocking
credSubject credential 
dvpObject; vnode 
dlabelPolicy label for dvp 
cnpComponent name for dvp 
vapvnode attributes for vap 

Determine whether the subject credential can create a vnode with the passed parent directory, passed name information, and passed attribute information. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege. This call may be made in a number of situations, including as a result of calls to open(2) with O_CREAT, mkfifo(2), and others.

6.7.4.31. mpo_check_vnode_delete

int mpo_check_vnode_delete(cred,  
 dvp,  
 dlabel,  
 vp,  
 label,  
 cnp); 
struct ucred *cred;
struct vnode *dvp;
struct label *dlabel;
struct vnode *vp;
void *label;
struct componentname *cnp;
 
ParameterDescriptionLocking
credSubject credential 
dvpParent directory vnode 
dlabelPolicy label for dvp 
vpObject; vnode to delete 
labelPolicy label for vp 
cnpComponent name for vp 

Determine whether the subject credential can delete a vnode from the passed parent directory and passed name information. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege. This call may be made in a number of situations, including as a result of calls to unlink(2) and rmdir(2). Policies implementing this entry point should also implement mpo_check_rename_to to authorize deletion of objects as a result of being the target of a rename.

6.7.4.32. mpo_check_vnode_deleteacl

int mpo_check_vnode_deleteacl(cred,  
 vp,  
 label,  
 type); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
acl_type_t type;
 
ParameterDescriptionLocking
credSubject credentialImmutable
vpObject; vnodeLocked
labelPolicy label for vp 
typeACL type 

Determine whether the subject credential can delete the ACL of passed type from the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.33. mpo_check_vnode_exec

int mpo_check_vnode_exec(cred,  
 vp,  
 label); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vnode to execute 
labelPolicy label for vp 

Determine whether the subject credential can execute the passed vnode. Determination of execute privilege is made separately from decisions about any transitioning event. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.34. mpo_check_vnode_getacl

int mpo_check_vnode_getacl(cred,  
 vp,  
 label,  
 type); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
acl_type_t type;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vnode 
labelPolicy label for vp 
typeACL type 

Determine whether the subject credential can retrieve the ACL of passed type from the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.35. mpo_check_vnode_getextattr

int mpo_check_vnode_getextattr(cred,  
 vp,  
 label,  
 attrnamespace,  
 name,  
 uio); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
int attrnamespace;
const char *name;
struct uio *uio;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vnode 
labelPolicy label for vp 
attrnamespaceExtended attribute namespace 
nameExtended attribute name 
uioI/O structure pointer; see uio(9) 

Determine whether the subject credential can retrieve the extended attribute with the passed namespace and name from the passed vnode. Policies implementing labeling using extended attributes may be interested in special handling of operations on those extended attributes. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.36. mpo_check_vnode_link

int mpo_check_vnode_link(cred,  
 dvp,  
 dlabel,  
 vp,  
 label,  
 cnp); 
struct ucred *cred;
struct vnode *dvp;
struct label *dlabel;
struct vnode *vp;
struct label *label;
struct componentname *cnp;
 
ParameterDescriptionLocking
credSubject credential 
dvpDirectory vnode 
dlabelPolicy label associated with dvp 
vpLink destination vnode 
labelPolicy label associated with vp 
cnpComponent name for the link being created 

Determine whether the subject should be allowed to create a link to the vnode vp with the name specified by cnp.

6.7.4.37. mpo_check_vnode_mmap

int mpo_check_vnode_mmap(cred,  
 vp,  
 label,  
 prot); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
int prot;
 
ParameterDescriptionLocking
credSubject credential 
vpVnode to map 
labelPolicy label associated with vp 
protMmap protections (see mmap(2)) 

Determine whether the subject should be allowed to map the vnode vp with the protections specified in prot.

6.7.4.38. mpo_check_vnode_mmap_downgrade

void mpo_check_vnode_mmap_downgrade(cred,  
 vp,  
 label,  
 prot); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
int *prot;
 
ParameterDescriptionLocking
credSee Section 6.7.4.37, “mpo_check_vnode_mmap. 
vp 
label 
protMmap protections to be downgraded 

Downgrade the mmap protections based on the subject and object labels.

6.7.4.39. mpo_check_vnode_mprotect

int mpo_check_vnode_mprotect(cred,  
 vp,  
 label,  
 prot); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
int prot;
 
ParameterDescriptionLocking
credSubject credential 
vpMapped vnode 
protMemory protections 

Determine whether the subject should be allowed to set the specified memory protections on memory mapped from the vnode vp.

6.7.4.40. mpo_check_vnode_poll

int mpo_check_vnode_poll(active_cred,  
 file_cred,  
 vp,  
 label); 
struct ucred *active_cred;
struct ucred *file_cred;
struct vnode *vp;
struct label *label;
 
ParameterDescriptionLocking
active_credSubject credential 
file_credCredential associated with the struct file 
vpPolled vnode 
labelPolicy label associated with vp 

Determine whether the subject should be allowed to poll the vnode vp.

6.7.4.41. mpo_check_vnode_rename_from

int mpo_vnode_rename_from(cred,  
 dvp,  
 dlabel,  
 vp,  
 label,  
 cnp); 
struct ucred *cred;
struct vnode *dvp;
struct label *dlabel;
struct vnode *vp;
struct label *label;
struct componentname *cnp;
 
ParameterDescriptionLocking
credSubject credential 
dvpDirectory vnode 
dlabelPolicy label associated with dvp 
vpVnode to be renamed 
labelPolicy label associated with vp 
cnpComponent name for vp 

Determine whether the subject should be allowed to rename the vnode vp to something else.

6.7.4.42. mpo_check_vnode_rename_to

int mpo_check_vnode_rename_to(cred,  
 dvp,  
 dlabel,  
 vp,  
 label,  
 samedir,  
 cnp); 
struct ucred *cred;
struct vnode *dvp;
struct label *dlabel;
struct vnode *vp;
struct label *label;
int samedir;
struct componentname *cnp;
 
ParameterDescriptionLocking
credSubject credential 
dvpDirectory vnode 
dlabelPolicy label associated with dvp 
vpOverwritten vnode 
labelPolicy label associated with vp 
samedirBoolean; 1 if the source and destination directories are the same 
cnpDestination component name 

Determine whether the subject should be allowed to rename to the vnode vp, into the directory dvp, or to the name represented by cnp. If there is no existing file to overwrite, vp and label will be NULL.

6.7.4.43. mpo_check_socket_listen

int mpo_check_socket_listen(cred,  
 socket,  
 socketlabel); 
struct ucred *cred;
struct socket *socket;
struct label *socketlabel;
 
ParameterDescriptionLocking
credSubject credential 
socketObject; socket 
socketlabelPolicy label for socket 

Determine whether the subject credential can listen on the passed socket. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.44. mpo_check_vnode_lookup

int mpo_check_vnode_lookup(,  
 ,  
 ,  
 cnp); 
struct ucred *cred;
struct vnode *dvp;
struct label *dlabel;
struct componentname *cnp;
 
ParameterDescriptionLocking
credSubject credential 
dvpObject; vnode 
dlabelPolicy label for dvp 
cnpComponent name being looked up 

Determine whether the subject credential can perform a lookup in the passed directory vnode for the passed name. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.45. mpo_check_vnode_open

int mpo_check_vnode_open(cred,  
 vp,  
 label,  
 acc_mode); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
int acc_mode;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vnode 
labelPolicy label for vp 
acc_modeopen(2) access mode 

Determine whether the subject credential can perform an open operation on the passed vnode with the passed access mode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.46. mpo_check_vnode_readdir

int mpo_check_vnode_readdir(,  
 ,  
 ); 
struct ucred *cred;
struct vnode *dvp;
struct label *dlabel;
 
ParameterDescriptionLocking
credSubject credential 
dvpObject; directory vnode 
dlabelPolicy label for dvp 

Determine whether the subject credential can perform a readdir operation on the passed directory vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.47. mpo_check_vnode_readlink

int mpo_check_vnode_readlink(cred,  
 vp,  
 label); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vnode 
labelPolicy label for vp 

Determine whether the subject credential can perform a readlink operation on the passed symlink vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege. This call may be made in a number of situations, including an explicit readlink call by the user process, or as a result of an implicit readlink during a name lookup by the process.

6.7.4.48. mpo_check_vnode_revoke

int mpo_check_vnode_revoke(cred,  
 vp,  
 label); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vnode 
labelPolicy label for vp 

Determine whether the subject credential can revoke access to the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.49. mpo_check_vnode_setacl

int mpo_check_vnode_setacl(cred,  
 vp,  
 label,  
 type,  
 acl); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
acl_type_t type;
struct acl *acl;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vnode 
labelPolicy label for vp 
typeACL type 
aclACL 

Determine whether the subject credential can set the passed ACL of passed type on the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.50. mpo_check_vnode_setextattr

int mpo_check_vnode_setextattr(cred,  
 vp,  
 label,  
 attrnamespace,  
 name,  
 uio); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
int attrnamespace;
const char *name;
struct uio *uio;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vnode 
labelPolicy label for vp 
attrnamespaceExtended attribute namespace 
nameExtended attribute name 
uioI/O structure pointer; see uio(9) 

Determine whether the subject credential can set the extended attribute of passed name and passed namespace on the passed vnode. Policies implementing security labels backed into extended attributes may want to provide additional protections for those attributes. Additionally, policies should avoid making decisions based on the data referenced from uio, as there is a potential race condition between this check and the actual operation. The uio may also be NULL if a delete operation is being performed. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.51. mpo_check_vnode_setflags

int mpo_check_vnode_setflags(cred,  
 vp,  
 label,  
 flags); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
u_long flags;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vnode 
labelPolicy label for vp 
flagsFile flags; see chflags(2) 

Determine whether the subject credential can set the passed flags on the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.52. mpo_check_vnode_setmode

int mpo_check_vnode_setmode(cred,  
 vp,  
 label,  
 mode); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
mode_t mode;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vnode 
labelPolicy label for vp 
modeFile mode; see chmod(2) 

Determine whether the subject credential can set the passed mode on the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.53. mpo_check_vnode_setowner

int mpo_check_vnode_setowner(cred,  
 vp,  
 label,  
 uid,  
 gid); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
uid_t uid;
gid_t gid;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vnode 
labelPolicy label for vp 
uidUser ID 
gidGroup ID 

Determine whether the subject credential can set the passed uid and passed gid as file uid and file gid on the passed vnode. The IDs may be set to (-1) to request no update. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.54. mpo_check_vnode_setutimes

int mpo_check_vnode_setutimes(,  
 ,  
 ,  
 ,  
 ); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
struct timespec atime;
struct timespec mtime;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vp 
labelPolicy label for vp 
atimeAccess time; see utimes(2) 
mtimeModification time; see utimes(2) 

Determine whether the subject credential can set the passed access timestamps on the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.55. mpo_check_proc_sched

int mpo_check_proc_sched(ucred,  
 proc); 
struct ucred *ucred;
struct proc *proc;
 
ParameterDescriptionLocking
credSubject credential 
procObject; process 

Determine whether the subject credential can change the scheduling parameters of the passed process. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to limit visibility.

See setpriority(2) for more information.

6.7.4.56. mpo_check_proc_signal

int mpo_check_proc_signal(cred,  
 proc,  
 signal); 
struct ucred *cred;
struct proc *proc;
int signal;
 
ParameterDescriptionLocking
credSubject credential 
procObject; process 
signalSignal; see kill(2) 

Determine whether the subject credential can deliver the passed signal to the passed process. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to limit visibility.

6.7.4.57. mpo_check_vnode_stat

int mpo_check_vnode_stat(cred,  
 vp,  
 label); 
struct ucred *cred;
struct vnode *vp;
struct label *label;
 
ParameterDescriptionLocking
credSubject credential 
vpObject; vnode 
labelPolicy label for vp 

Determine whether the subject credential can stat the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

See stat(2) for more information.

6.7.4.58. mpo_check_ifnet_transmit

int mpo_check_ifnet_transmit(cred,  
 ifnet,  
 ifnetlabel,  
 mbuf,  
 mbuflabel); 
struct ucred *cred;
struct ifnet *ifnet;
struct label *ifnetlabel;
struct mbuf *mbuf;
struct label *mbuflabel;
 
ParameterDescriptionLocking
credSubject credential 
ifnetNetwork interface 
ifnetlabelPolicy label for ifnet 
mbufObject; mbuf to be sent 
mbuflabelPolicy label for mbuf 

Determine whether the network interface can transmit the passed mbuf. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.59. mpo_check_socket_deliver

int mpo_check_socket_deliver(cred,  
 ifnet,  
 ifnetlabel,  
 mbuf,  
 mbuflabel); 
struct ucred *cred;
struct ifnet *ifnet;
struct label *ifnetlabel;
struct mbuf *mbuf;
struct label *mbuflabel;
 
ParameterDescriptionLocking
credSubject credential 
ifnetNetwork interface 
ifnetlabelPolicy label for ifnet 
mbufObject; mbuf to be delivered 
mbuflabelPolicy label for mbuf 

Determine whether the socket may receive the datagram stored in the passed mbuf header. Return 0 for success, or an errno value for failure. Suggested failures: EACCES for label mismatch, or EPERM for lack of privilege.

6.7.4.60. mpo_check_socket_visible

int mpo_check_socket_visible(cred,  
 so,  
 socketlabel); 
struct ucred *cred;
struct socket *so;
struct label *socketlabel;
 
ParameterDescriptionLocking
credSubject credentialImmutable
soObject; socket 
socketlabelPolicy label for so 

Determine whether the subject credential cred can "see" the passed socket (socket) using system monitoring functions, such as those employed by netstat(8) and sockstat(1). Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatches, EPERM for lack of privilege, or ESRCH to hide visibility.

6.7.4.61. mpo_check_system_acct

int mpo_check_system_acct(ucred,  
 vp,  
 vlabel); 
struct ucred *ucred;
struct vnode *vp;
struct label *vlabel;
 
ParameterDescriptionLocking
ucredSubject credential 
vpAccounting file; acct(5) 
vlabelLabel associated with vp 

Determine whether the subject should be allowed to enable accounting, based on its label and the label of the accounting log file.

6.7.4.62. mpo_check_system_nfsd

int mpo_check_system_nfsd(cred); 
struct ucred *cred;
 
ParameterDescriptionLocking
credSubject credential 

Determine whether the subject should be allowed to call nfssvc(2).

6.7.4.63. mpo_check_system_reboot

int mpo_check_system_reboot(cred,  
 howto); 
struct ucred *cred;
int howto;
 
ParameterDescriptionLocking
credSubject credential 
howtohowto parameter from reboot(2) 

Determine whether the subject should be allowed to reboot the system in the specified manner.

6.7.4.64. mpo_check_system_settime

int mpo_check_system_settime(cred); 
struct ucred *cred;
 
ParameterDescriptionLocking
credSubject credential 

Determine whether the user should be allowed to set the system clock.

6.7.4.65. mpo_check_system_swapon

int mpo_check_system_swapon(cred,  
 vp,  
 vlabel); 
struct ucred *cred;
struct vnode *vp;
struct label *vlabel;
 
ParameterDescriptionLocking
credSubject credential 
vpSwap device 
vlabelLabel associated with vp 

Determine whether the subject should be allowed to add vp as a swap device.

6.7.4.66. mpo_check_system_sysctl

int mpo_check_system_sysctl(cred,  
 name,  
 namelen,  
 old,  
 oldlenp,  
 inkernel,  
 new,  
 newlen); 
struct ucred *cred;
int *name;
u_int *namelen;
void *old;
size_t *oldlenp;
int inkernel;
void *new;
size_t newlen;
 
ParameterDescriptionLocking
credSubject credential 
nameSee sysctl(3) 
namelen 
old 
oldlenp 
inkernelBoolean; 1 if called from kernel 
newSee sysctl(3) 
newlen 

Determine whether the subject should be allowed to make the specified sysctl(3) transaction.

6.7.5. Label Management Calls

Relabel events occur when a user process has requested that the label on an object be modified. A two-phase update occurs: first, an access control check will be performed to determine if the update is both valid and permitted, and then the update itself is performed via a separate entry point. Relabel entry points typically accept the object, object label reference, and an update label submitted by the process. Memory allocation during relabel is discouraged, as relabel calls are not permitted to fail (failure should be reported earlier in the relabel check).

All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/

Questions that are not answered by the documentation may be sent to <[email protected]>.
Send questions about this document to <[email protected]>.