6.7.2.1. mpo_init_bpfdesc_label
void mpo_init_bpfdesc_label(struct label *label);
Initialize the label on a newly instantiated bpfdesc (BPF descriptor). Sleeping is permitted.
6.7.2.2. mpo_init_cred_label
void mpo_init_cred_label(struct label *label);
Initialize the label for a newly instantiated user credential. Sleeping is permitted.
6.7.2.3. mpo_init_devfsdirent_label
void mpo_init_devfsdirent_label(struct label *label);
Initialize the label on a newly instantiated devfs entry. Sleeping is permitted.
6.7.2.4. mpo_init_ifnet_label
void mpo_init_ifnet_label(struct label *label);
Initialize the label on a newly instantiated network interface. Sleeping is permitted.
6.7.2.5. mpo_init_ipq_label
void mpo_init_ipq_label(struct label *label, int flag);
Initialize the label on a newly instantiated IP fragment reassembly queue. The flag field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call. IP fragment reassembly queue allocation frequently occurs in performance sensitive environments, and the implementation should be careful to avoid sleeping or long-lived operations. This entry point is permitted to fail, resulting in the failure to allocate the IP fragment reassembly queue.
6.7.2.6. mpo_init_mbuf_label
void mpo_init_mbuf_label(int flag, struct label *label);
Initialize the label on a newly instantiated mbuf packet header (mbuf). The flag field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call. Mbuf allocation frequently occurs in performance sensitive environments, and the implementation should be careful to avoid sleeping or long-lived operations. This entry point is permitted to fail, resulting in the failure to allocate the mbuf header.
6.7.2.7. mpo_init_mount_label
void mpo_init_mount_label(struct label *mntlabel, struct label *fslabel);
Initialize the labels on a newly instantiated mount point. Sleeping is permitted.
6.7.2.8. mpo_init_mount_fs_label
void mpo_init_mount_fs_label(struct label *label);
Initialize the label on a newly mounted file system. Sleeping is permitted.
6.7.2.9. mpo_init_pipe_label
void mpo_init_pipe_label(struct label *label);
Initialize a label for a newly instantiated pipe. Sleeping is permitted.
6.7.2.10. mpo_init_socket_label
void mpo_init_socket_label(struct label *label, int flag);
Initialize a label for a newly instantiated socket. The flag field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call.
6.7.2.11. mpo_init_socket_peer_label
void mpo_init_socket_peer_label(struct label *label, int flag);
Initialize the peer label for a newly instantiated socket. The flag field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a sleeping malloc(9) during this initialization call.
6.7.2.12. mpo_init_proc_label
void mpo_init_proc_label(struct label *label);
Initialize the label for a newly instantiated process. Sleeping is permitted.
6.7.2.13. mpo_init_vnode_label
void mpo_init_vnode_label(struct label *label);
Initialize the label on a newly instantiated vnode. Sleeping is permitted.
6.7.2.14. mpo_destroy_bpfdesc_label
void mpo_destroy_bpfdesc_label(struct label *label);
Destroy the label on a BPF descriptor. In this entry point, a policy should free any internal storage associated with label so that it may be destroyed.
6.7.2.15. mpo_destroy_cred_label
void mpo_destroy_cred_label(struct label *label);
Destroy the label on a credential. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
6.7.2.16. mpo_destroy_devfsdirent_label
void mpo_destroy_devfsdirent_label(struct label *label);
Destroy the label on a devfs entry. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
6.7.2.17. mpo_destroy_ifnet_label
void mpo_destroy_ifnet_label(struct label *label);
Destroy the label on a removed interface. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
6.7.2.18. mpo_destroy_ipq_label
void mpo_destroy_ipq_label(struct label *label);
Destroy the label on an IP fragment queue. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
6.7.2.19. mpo_destroy_mbuf_label
void mpo_destroy_mbuf_label(struct label *label);
Destroy the label on an mbuf header. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
6.7.2.20. mpo_destroy_mount_label
void mpo_destroy_mount_label(struct label *label);
Destroy the label on a mount point. In this entry point, a policy module should free the internal storage associated with label so that it may be destroyed.
6.7.2.21. mpo_destroy_mount_label
void mpo_destroy_mount_label(struct label *mntlabel, struct label *fslabel);
Destroy the labels on a mount point. In this entry point, a policy module should free the internal storage associated with mntlabel and fslabel so that they may be destroyed.
6.7.2.22. mpo_destroy_socket_label
void mpo_destroy_socket_label(struct label *label);
Destroy the label on a socket. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
6.7.2.23. mpo_destroy_socket_peer_label
void mpo_destroy_socket_peer_label(struct label *peerlabel);
Destroy the peer label on a socket. In this entry point, a policy module should free any internal storage associated with peerlabel so that it may be destroyed.
6.7.2.24. mpo_destroy_pipe_label
void mpo_destroy_pipe_label(struct label *label);
Destroy the label on a pipe. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
6.7.2.25. mpo_destroy_proc_label
void mpo_destroy_proc_label(struct label *label);
Destroy the label on a process. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
6.7.2.26. mpo_destroy_vnode_label
void mpo_destroy_vnode_label(struct label *label);
Destroy the label on a vnode. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
6.7.2.27. mpo_copy_mbuf_label
void mpo_copy_mbuf_label(struct label *src, struct label *dest);
Copy the label information in src into dest.
6.7.2.28. mpo_copy_pipe_label
void mpo_copy_pipe_label(struct label *src, struct label *dest);
Copy the label information in src into dest.
6.7.2.29. mpo_copy_vnode_label
void mpo_copy_vnode_label(struct label *src, struct label *dest);
Copy the label information in src into dest.
6.7.2.30. mpo_externalize_cred_label
int mpo_externalize_cred_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed);
Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in sb. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in sb, *claimed should be incremented.
6.7.2.31. mpo_externalize_ifnet_label
int mpo_externalize_ifnet_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed);
Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in sb. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in sb, *claimed should be incremented.
6.7.2.32. mpo_externalize_pipe_label
int mpo_externalize_pipe_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed);
Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in sb. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in sb, *claimed should be incremented.
6.7.2.33. mpo_externalize_socket_label
int mpo_externalize_socket_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed);
Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in sb. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in sb, *claimed should be incremented.
6.7.2.34. mpo_externalize_socket_peer_label
int mpo_externalize_socket_peer_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed);
Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in sb. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in sb, *claimed should be incremented.
6.7.2.35. mpo_externalize_vnode_label
int mpo_externalize_vnode_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed);
Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in sb. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in sb, *claimed should be incremented.
6.7.2.36. mpo_internalize_cred_label
int mpo_internalize_cred_label(struct label *label, char *element_name,
    char *element_data, int *claimed);
Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when the data can successfully be internalized, in which case *claimed should be incremented. Because element_data is text submitted by a user process (see the discussion of temporary labels below), the implementation should parse it defensively and return an error for malformed or out-of-range values rather than accept them.
6.7.2.37. mpo_internalize_ifnet_label
int mpo_internalize_ifnet_label(struct label *label, char *element_name,
    char *element_data, int *claimed);
Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when the data can successfully be internalized, in which case *claimed should be incremented.
6.7.2.38. mpo_internalize_pipe_label
int mpo_internalize_pipe_label(struct label *label, char *element_name,
    char *element_data, int *claimed);
Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when the data can successfully be internalized, in which case *claimed should be incremented.
6.7.2.39. mpo_internalize_socket_label
int mpo_internalize_socket_label(struct label *label, char *element_name,
    char *element_data, int *claimed);
Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when the data can successfully be internalized, in which case *claimed should be incremented.
6.7.2.40. mpo_internalize_vnode_label
int mpo_internalize_vnode_label(struct label *label, char *element_name,
    char *element_data, int *claimed);
Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when the data can successfully be internalized, in which case *claimed should be incremented.
This class of entry points is used by the MAC framework to
permit policies to maintain label information on kernel
objects. For each labeled kernel object of interest to a MAC
policy, entry points may be registered for relevant life cycle
events. All objects implement initialization, creation, and
destruction hooks. Some objects will also implement
relabeling, allowing user processes to change the labels on
objects. Some objects will also implement object-specific
events, such as label events associated with IP reassembly. A
typical labeled object will have the following life cycle of
entry points:
Label initialization          o
(object-specific wait)         \
Label creation                  o
                                 \
Relabel events,                   o--<--.
Various object-specific,          |     |
Access control events             ~-->--o
                                   \
Label destruction                   o
Label initialization permits policies to allocate memory
and set initial values for labels without context for the use
of the object. The label slot allocated to a policy will be
zeroed by default, so some policies may not need to perform
initialization.
Label creation occurs when the kernel structure is
associated with an actual kernel object. For example, Mbufs
may be allocated and remain unused in a pool until they are
required. mbuf allocation causes label initialization on the
mbuf to take place, but mbuf creation occurs when the mbuf is
associated with a datagram. Typically, context will be
provided for a creation event, including the circumstances of
the creation, and labels of other relevant objects in the
creation process. For example, when an mbuf is created from a
socket, the socket and its label will be presented to
registered policies in addition to the new mbuf and its label.
Memory allocation in creation events is discouraged, as it may
occur in performance sensitive parts of the kernel; in
addition, creation calls are not permitted to fail, so a
failure to allocate memory cannot be reported.
Object specific events do not generally fall into the
other broad classes of label events, but will generally
provide an opportunity to modify or update the label on an
object based on additional context. For example, the label on
an IP fragment reassembly queue may be updated during the
MAC_UPDATE_IPQ entry point as a result of the
acceptance of an additional mbuf to that queue.
Access control events are discussed in detail in the
following section.
Label destruction permits policies to release storage or
state associated with a label during its association with an
object so that the kernel data structures supporting the
object may be reused or released.
In addition to labels associated with specific kernel
objects, an additional class of labels exists: temporary
labels. These labels are used to store update information
submitted by user processes. These labels are initialized and
destroyed as with other label types, but the creation event is
MAC_INTERNALIZE, which accepts a user label
to be converted to an in-kernel representation.
6.7.3.1. File System Object Labeling Event Operations
6.7.3.1.1. mpo_associate_vnode_devfs
void mpo_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel);
Fill in the label (vlabel) for a newly created devfs vnode based on the devfs directory entry passed in de and its label.
6.7.3.1.2. mpo_associate_vnode_extattr
int mpo_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel);
Attempt to retrieve the label for vp from the file system extended attributes. Upon success, the value 0 is returned. Should extended attribute retrieval not be supported, an accepted fallback is to copy fslabel into vlabel. In the event of an error, an appropriate value for errno should be returned.
6.7.3.1.3. mpo_associate_vnode_singlelabel
void mpo_associate_vnode_singlelabel(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel);
On non-multilabel file systems, this entry point is called to set the policy label for vp based on the file system label, fslabel.
6.7.3.1.4. mpo_create_devfs_device
void mpo_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
    struct label *label);
Fill out the label on a devfs_dirent being created for the passed device. This call will be made when the device file system is mounted, regenerated, or a new device is made available.
6.7.3.1.5. mpo_create_devfs_directory
void mpo_create_devfs_directory(char *dirname, int dirnamelen,
    struct devfs_dirent *devfs_dirent, struct label *label);
Fill out the label on a devfs_dirent being created for the passed directory. This call will be made when the device file system is mounted, regenerated, or a new device requiring a specific directory hierarchy is made available.
6.7.3.1.6. mpo_create_devfs_symlink
void mpo_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel);
Fill in the label (delabel) for a newly created devfs(5) symbolic link entry.
6.7.3.1.7. mpo_create_vnode_extattr
int mpo_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp);
Write out the label for vp to the appropriate extended attribute. If the write succeeds, fill in vlabel with the label and return 0. Otherwise, return an appropriate error.
6.7.3.1.8. mpo_create_mount
void mpo_create_mount(struct ucred *cred, struct mount *mp, struct label *mnt,
    struct label *fslabel);
Fill out the labels on the mount point being created by the passed subject credential. This call will be made when a new file system is mounted.
6.7.3.1.9. mpo_create_root_mount
void mpo_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel);
Fill out the labels on the mount point being created by the passed subject credential. This call will be made when the root file system is mounted, after mpo_create_mount.
6.7.3.1.10. mpo_relabel_vnode
void mpo_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel);
Update the label on the passed vnode given the passed update vnode label and the passed subject credential.
6.7.3.1.11. mpo_setlabel_vnode_extattr
int mpo_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel);
Write out the policy label from intlabel to an extended attribute. This is called from vop_stdcreatevnode_ea.
6.7.3.1.12. mpo_update_devfsdirent
void mpo_update_devfsdirent(struct devfs_dirent *devfs_dirent,
    struct label *direntlabel, struct vnode *vp, struct label *vnodelabel);
Update the devfs_dirent label from the passed devfs vnode label. This call will be made when a devfs vnode has been successfully relabeled, to commit the label change so that it lasts even if the vnode is recycled. It will also be made when a symlink is created in devfs, following a call to mac_vnode_create_from_vnode to initialize the vnode label.
6.7.3.2. IPC Object Labeling Event Operations
6.7.3.2.1. mpo_create_mbuf_from_socket
void mpo_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel);
Set the label on a newly created mbuf header from the passed socket label. This call is made when a new datagram or message is generated by the socket and stored in the passed mbuf.
6.7.3.2.2. mpo_create_pipe
void mpo_create_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel);
Set the label on a newly created pipe from the passed subject credential. This call is made when a new pipe is created.
6.7.3.2.3. mpo_create_socket
void mpo_create_socket(struct ucred *cred, struct socket *so,
    struct label *socketlabel);
Set the label on a newly created socket from the passed subject credential. This call is made when a socket is created.
6.7.3.2.4. mpo_create_socket_from_socket
void mpo_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel);
Label a socket, newsocket, newly accepted via accept(2), based on the listen(2) socket, oldsocket.
6.7.3.2.5. mpo_relabel_pipe
void mpo_relabel_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *oldlabel, struct label *newlabel);
Apply a new label, newlabel, to pipe.
6.7.3.2.6. mpo_relabel_socket
void mpo_relabel_socket(struct ucred *cred, struct socket *so,
    struct label *oldlabel, struct label *newlabel);
Update the label on a socket from the passed socket label update.
6.7.3.2.7. mpo_set_socket_peer_from_mbuf
void mpo_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct label *oldlabel, struct label *newlabel);
Set the peer label on a stream socket from the passed mbuf label. This call will be made when the first datagram is received by the stream socket, with the exception of Unix domain sockets.
6.7.3.2.8. mpo_set_socket_peer_from_socket
void mpo_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel);
Set the peer label on a stream UNIX domain socket from the passed remote socket endpoint. This call will be made when the socket pair is connected, and will be made for both endpoints.
6.7.3.3. Network Object Labeling Event Operations
6.7.3.3.1. mpo_create_bpfdesc
void mpo_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel);
Set the label on a newly created BPF descriptor from the passed subject credential. This call will be made when a BPF device node is opened by a process with the passed subject credential.
6.7.3.3.2. mpo_create_ifnet
void mpo_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel);
Set the label on a newly created interface. This call may be made when a new physical interface becomes available to the system, or when a pseudo-interface is instantiated during boot or as a result of a user action.
6.7.3.3.3. mpo_create_ipq
void mpo_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel);
Set the label on a newly created IP fragment reassembly queue from the mbuf header of the first received fragment.
6.7.3.3.4. mpo_create_datagram_from_ipq
void mpo_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel);
Set the label on a newly reassembled IP datagram from the IP fragment reassembly queue from which it was generated.
6.7.3.3.5. mpo_create_fragment
void mpo_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel);
Set the label on the mbuf header of a newly created IP fragment from the label on the mbuf header of the datagram it was generated from.
6.7.3.3.6. mpo_create_mbuf_from_mbuf
void mpo_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel,
    struct mbuf *newmbuf, struct label *newmbuflabel);
Set the label on the mbuf header of a newly created datagram from the mbuf header of an existing datagram. This call may be made in a number of situations, including when an mbuf is re-allocated for alignment purposes.
6.7.3.3.7. mpo_create_mbuf_linklayer
void mpo_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel);
Set the label on the mbuf header of a newly created datagram generated for the purposes of a link layer response for the passed interface. This call may be made in a number of situations, including for ARP or ND6 responses in the IPv4 and IPv6 stacks.
6.7.3.3.8. mpo_create_mbuf_from_bpfdesc
void mpo_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel);
Set the label on the mbuf header of a newly created datagram generated using the passed BPF descriptor. This call is made when a write is performed to the BPF device associated with the passed BPF descriptor.
6.7.3.3.9. mpo_create_mbuf_from_ifnet
void mpo_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel);
Set the label on the mbuf header of a newly created datagram generated from the passed network interface.
6.7.3.3.10. mpo_create_mbuf_multicast_encap
void mpo_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel);
Set the label on the mbuf header of a newly created datagram generated from the existing passed datagram when it is processed by the passed multicast encapsulation interface. This call is made when an mbuf is to be delivered using the virtual interface.
6.7.3.3.11. mpo_create_mbuf_netlayer
void mpo_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel,
    struct mbuf *newmbuf, struct label *newmbuflabel);
Set the label on the mbuf header of a newly created datagram generated by the IP stack in response to an existing received datagram (oldmbuf). This call may be made in a number of situations, including when responding to ICMP request datagrams.
6.7.3.3.12. mpo_fragment_match
int mpo_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel);
Determine whether an mbuf header containing an IP datagram fragment (fragment) matches the label of the passed IP fragment reassembly queue (ipq). Return 1 for a successful match, or 0 for no match. This call is made when the IP stack attempts to find an existing fragment reassembly queue for a newly received fragment; if this fails, a new fragment reassembly queue may be instantiated for the fragment. Policies may use this entry point to prevent the reassembly of otherwise matching IP fragments if policy does not permit them to be reassembled based on the label or other information.
6.7.3.3.13. mpo_relabel_ifnet
void
mpo_relabel_ifnet( | cred, | |
| ifnet, | |
| ifnetlabel, | |
| newlabel) ; | |
struct ucred
*cred
;
struct ifnet
*ifnet
;
struct label
*ifnetlabel
;
struct label
*newlabel
;
Update the label of the network interface,
ifnet
, based on the passed update
label, newlabel
, and the passed
subject credential, cred
.
6.7.3.3.14. mpo_update_ipq
void
mpo_update_ipq( | fragment, | |
| fragmentlabel, | |
| ipq, | |
| ipqlabel) ; | |
struct mbuf
*fragment
;
struct label
*fragmentlabel
;
struct ipq
*ipq
;
struct label
*ipqlabel
;
Update the label on an IP fragment reassembly queue
(ipq
) based on the acceptance of the
passed IP fragment mbuf header
(fragment
).
6.7.3.4. Process Labeling Event Operations
6.7.3.4.1. mpo_create_cred
void
mpo_create_cred( | parent_cred, | |
| child_cred) ; | |
struct ucred
*parent_cred
;
struct ucred
*child_cred
;
Set the label of a newly created subject credential from
the passed subject credential. This call will be made when
crcopy(9) is invoked on a newly created struct
ucred. This call should not be confused with a
process forking or creation event.
6.7.3.4.2. mpo_execve_transition
void
mpo_execve_transition( | old, | |
| new, | |
| vp, | |
| vnodelabel) ; | |
struct ucred
*old
;
struct ucred
*new
;
struct vnode
*vp
;
struct label
*vnodelabel
;
Update the label of a newly created subject credential
(new
) from the passed existing
subject credential (old
) based on a
label transition caused by executing the passed vnode
(vp
). This call occurs when a
process executes the passed vnode and one of the policies
returns a success from the
mpo_execve_will_transition
entry point.
Policies may choose to implement this call simply by
invoking mpo_create_cred
and passing
the two subject credentials so as not to implement a
transitioning event. Policies should not leave this entry
point unimplemented if they implement
mpo_create_cred
, even if they do not
implement
mpo_execve_will_transition
.
6.7.3.4.3. mpo_execve_will_transition
int
mpo_execve_will_transition( | old, | |
| vp, | |
| vnodelabel) ; | |
struct ucred
*old
;
struct vnode
*vp
;
struct label
*vnodelabel
;
Determine whether the policy will want to perform a
transition event as a result of the execution of the passed
vnode by the passed subject credential. Return
1 if a transition is required,
0 if not. Even if a policy
returns 0, it should behave
correctly in the presence of an unexpected invocation of
mpo_execve_transition
, as that call may
happen as a result of another policy requesting a
transition.
6.7.3.4.4. mpo_create_proc0
void
mpo_create_proc0( | cred) ; | |
struct ucred
*cred
;
Create the subject credential of process 0, the parent
of all kernel processes.
6.7.3.4.5. mpo_create_proc1
void
mpo_create_proc1( | cred) ; | |
struct ucred
*cred
;
Create the subject credential of process 1, the parent
of all user processes.
6.7.3.4.6. mpo_relabel_cred
void
mpo_relabel_cred( | cred, | |
| newlabel) ; | |
struct ucred
*cred
;
struct label
*newlabel
;
Update the label on a subject credential from the passed
update label.
6.7.4. Access Control Checks
Access control entry points permit policy modules to
influence access control decisions made by the kernel.
Generally, although not always, the arguments to an access control
entry point will include one or more authorizing credentials, and
information (possibly including a label) for any other objects
involved in the operation. An access control entry point may
return 0 to permit the operation, or an errno(2) error
value. The results of invoking the entry point across various
registered policy modules will be composed as follows: if all
modules permit the operation to succeed, success will be
returned. If one or more modules returns a failure, a failure will
be returned. If more than one module returns a failure, the
errno value to return to the user will be selected using the
following precedence, implemented by the
error_select()
function in
kern_mac.c
:
If none of the error values returned by all modules are
listed in the precedence chart then an arbitrarily selected
value from the set will be returned. In general, the rules
provide precedence to errors in the following order: kernel
failures, invalid arguments, object not present, access not
permitted, other.
6.7.4.1. mpo_check_bpfdesc_receive
int
mpo_check_bpfdesc_receive( | bpf_d, | |
| bpflabel, | |
| ifnet, | |
| ifnetlabel) ; | |
struct bpf_d
*bpf_d
;
struct label
*bpflabel
;
struct ifnet
*ifnet
;
struct label
*ifnetlabel
;
Determine whether the MAC framework should permit
datagrams from the passed interface to be delivered to the
buffers of the passed BPF descriptor. Return
(0) for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatches,
EPERM for lack of privilege.
6.7.4.2. mpo_check_kenv_dump
int
mpo_check_kenv_dump( | cred) ; | |
struct ucred
*cred
;
Determine whether the subject should be allowed to
retrieve the kernel environment (see kenv(2)).
6.7.4.3. mpo_check_kenv_get
int
mpo_check_kenv_get( | cred, | |
| name) ; | |
struct ucred
*cred
;
char *name
;
Determine whether the subject should be allowed to
retrieve the value of the specified kernel environment
variable.
6.7.4.4. mpo_check_kenv_set
int
mpo_check_kenv_set( | cred, | |
| name) ; | |
struct ucred
*cred
;
char *name
;
Determine whether the subject should be allowed to set
the specified kernel environment variable.
6.7.4.5. mpo_check_kenv_unset
int
mpo_check_kenv_unset( | cred, | |
| name) ; | |
struct ucred
*cred
;
char *name
;
Determine whether the subject should be allowed to unset
the specified kernel environment variable.
6.7.4.6. mpo_check_kld_load
int
mpo_check_kld_load( | cred, | |
| vp, | |
| vlabel) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*vlabel
;
Determine whether the subject should be allowed to load
the specified module file.
6.7.4.7. mpo_check_kld_stat
int
mpo_check_kld_stat( | cred) ; | |
struct ucred
*cred
;
Determine whether the subject should be allowed to
retrieve a list of loaded kernel module files and associated
statistics.
6.7.4.8. mpo_check_kld_unload
int
mpo_check_kld_unload( | cred) ; | |
struct ucred
*cred
;
Determine whether the subject should be allowed to
unload a kernel module.
6.7.4.9. mpo_check_pipe_ioctl
int
mpo_check_pipe_ioctl( | cred, | |
| pipe, | |
| pipelabel, | |
| cmd, | |
| data) ; | |
struct ucred
*cred
;
struct pipe
*pipe
;
struct label
*pipelabel
;
unsigned long
cmd
;
void *data
;
Determine whether the subject should be allowed to make
the specified ioctl(2) call.
6.7.4.10. mpo_check_pipe_poll
int
mpo_check_pipe_poll( | cred, | |
| pipe, | |
| pipelabel) ; | |
struct ucred
*cred
;
struct pipe
*pipe
;
struct label
*pipelabel
;
Determine whether the subject should be allowed to poll
pipe
.
6.7.4.11. mpo_check_pipe_read
int
mpo_check_pipe_read( | cred, | |
| pipe, | |
| pipelabel) ; | |
struct ucred
*cred
;
struct pipe
*pipe
;
struct label
*pipelabel
;
Determine whether the subject should be allowed read
access to pipe
.
6.7.4.12. mpo_check_pipe_relabel
int
mpo_check_pipe_relabel( | cred, | |
| pipe, | |
| pipelabel, | |
| newlabel) ; | |
struct ucred
*cred
;
struct pipe
*pipe
;
struct label
*pipelabel
;
struct label
*newlabel
;
Determine whether the subject should be allowed to
relabel pipe
.
6.7.4.13. mpo_check_pipe_stat
int
mpo_check_pipe_stat( | cred, | |
| pipe, | |
| pipelabel) ; | |
struct ucred
*cred
;
struct pipe
*pipe
;
struct label
*pipelabel
;
Determine whether the subject should be allowed to
retrieve statistics related to
pipe
.
6.7.4.14. mpo_check_pipe_write
int
mpo_check_pipe_write( | cred, | |
| pipe, | |
| pipelabel) ; | |
struct ucred
*cred
;
struct pipe
*pipe
;
struct label
*pipelabel
;
Determine whether the subject should be allowed to write
to pipe
.
6.7.4.15. mpo_check_socket_bind
int
mpo_check_socket_bind( | cred, | |
| socket, | |
| socketlabel, | |
| sockaddr) ; | |
struct ucred
*cred
;
struct socket
*socket
;
struct label
*socketlabel
;
struct sockaddr
*sockaddr
;
Determine whether the subject credential
(cred
) can bind the passed socket
(socket
) to the passed socket address
(sockaddr
). Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatches,
EPERM for lack of privilege.
6.7.4.16. mpo_check_socket_connect
int
mpo_check_socket_connect( | cred, | |
| socket, | |
| socketlabel, | |
| sockaddr) ; | |
struct ucred
*cred
;
struct socket
*socket
;
struct label
*socketlabel
;
struct sockaddr
*sockaddr
;
Determine whether the subject credential
(cred
) can connect the passed socket
(socket
) to the passed socket address
(sockaddr
). Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatches,
EPERM for lack of privilege.
6.7.4.17. mpo_check_socket_receive
int
mpo_check_socket_receive( | cred, | |
| so, | |
| socketlabel) ; | |
struct ucred
*cred
;
struct socket
*so
;
struct label
*socketlabel
;
Determine whether the subject should be allowed to
receive information from the socket
so
.
6.7.4.18. mpo_check_socket_send
int
mpo_check_socket_send( | cred, | |
| so, | |
| socketlabel) ; | |
struct ucred
*cred
;
struct socket
*so
;
struct label
*socketlabel
;
Determine whether the subject should be allowed to send
information across the socket
so
.
6.7.4.19. mpo_check_cred_visible
int
mpo_check_cred_visible( | u1, | |
| u2) ; | |
struct ucred
*u1
;
struct ucred
*u2
;
Determine whether the subject credential
u1
can “see” other
subjects with the passed subject credential
u2
. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatches,
EPERM for lack of privilege, or
ESRCH to hide visibility. This call
may be made in a number of situations, including
inter-process status sysctls used by ps
,
and in procfs lookups.
6.7.4.20. mpo_check_socket_visible
int
mpo_check_socket_visible( | cred, | |
| socket, | |
| socketlabel) ; | |
struct ucred
*cred
;
struct socket
*socket
;
struct label
*socketlabel
;
The semantics of this entry point are described under
6.7.4.60, where it is listed a second time.
6.7.4.21. mpo_check_ifnet_relabel
int
mpo_check_ifnet_relabel( | cred, | |
| ifnet, | |
| ifnetlabel, | |
| newlabel) ; | |
struct ucred
*cred
;
struct ifnet
*ifnet
;
struct label
*ifnetlabel
;
struct label
*newlabel
;
Determine whether the subject credential can relabel the
passed network interface to the passed label update.
6.7.4.22. mpo_check_socket_relabel
int
mpo_check_socket_relabel( | cred, | |
| socket, | |
| socketlabel, | |
| newlabel) ; | |
struct ucred
*cred
;
struct socket
*socket
;
struct label
*socketlabel
;
struct label
*newlabel
;
Determine whether the subject credential can relabel the
passed socket to the passed label update.
6.7.4.23. mpo_check_cred_relabel
int
mpo_check_cred_relabel( | cred, | |
| newlabel) ; | |
struct ucred
*cred
;
struct label
*newlabel
;
Determine whether the subject credential can relabel
itself to the passed label update.
6.7.4.24. mpo_check_vnode_relabel
int
mpo_check_vnode_relabel( | cred, | |
| vp, | |
| vnodelabel, | |
| newlabel) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*vnodelabel
;
struct label
*newlabel
;
Determine whether the subject credential can relabel the
passed vnode to the passed label update.
6.7.4.25. mpo_check_mount_stat
int mpo_check_mount_stat( | cred, | |
| mp, | |
| mountlabel) ; | |
struct ucred
*cred
;
struct mount
*mp
;
struct label
*mountlabel
;
Determine whether the subject credential can see the
results of a statfs performed on the file system. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatches
or EPERM for lack of privilege. This
call may be made in a number of situations, including during
invocations of statfs(2) and related calls, as well as to
determine what file systems to exclude from listings of file
systems, such as when getfsstat(2) is invoked.
6.7.4.26. mpo_check_proc_debug
int
mpo_check_proc_debug( | cred, | |
| proc) ; | |
struct ucred
*cred
;
struct proc
*proc
;
Determine whether the subject credential can debug the
passed process. Return 0 for
success, or an errno
value for failure.
Suggested failure: EACCES for label
mismatch, EPERM for lack of
privilege, or ESRCH to hide
visibility of the target. This call may be made in a number
of situations, including use of the ptrace(2) and
ktrace(2) APIs, as well as for some types of procfs
operations.
6.7.4.27. mpo_check_vnode_access
int
mpo_check_vnode_access( | cred, | |
| vp, | |
| label, | |
| flags) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
int flags
;
Determine how invocations of access(2) and related
calls by the subject credential should return when performed
on the passed vnode using the passed access flags. This
should generally be implemented using the same semantics
used in mpo_check_vnode_open
.
Return 0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatches
or EPERM for lack of
privilege.
6.7.4.28. mpo_check_vnode_chdir
int
mpo_check_vnode_chdir( | cred, | |
| dvp, | |
| dlabel) ; | |
struct ucred
*cred
;
struct vnode
*dvp
;
struct label
*dlabel
;
Determine whether the subject credential can change the
process working directory to the passed vnode. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of
privilege.
6.7.4.29. mpo_check_vnode_chroot
int
mpo_check_vnode_chroot( | cred, | |
| dvp, | |
| dlabel) ; | |
struct ucred
*cred
;
struct vnode
*dvp
;
struct label
*dlabel
;
Determine whether the subject should be allowed to
chroot(2) into the specified directory
(dvp
).
6.7.4.30. mpo_check_vnode_create
int
mpo_check_vnode_create( | cred, | |
| dvp, | |
| dlabel, | |
| cnp, | |
| vap) ; | |
struct ucred
*cred
;
struct vnode
*dvp
;
struct label
*dlabel
;
struct componentname
*cnp
;
struct vattr
*vap
;
Determine whether the subject credential can create a
vnode with the passed parent directory, passed name
information, and passed attribute information. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of privilege.
This call may be made in a number of situations, including
as a result of calls to open(2) with
O_CREAT, mkfifo(2), and
others.
6.7.4.31. mpo_check_vnode_delete
int
mpo_check_vnode_delete( | cred, | |
| dvp, | |
| dlabel, | |
| vp, | |
| label, | |
| cnp) ; | |
struct ucred
*cred
;
struct vnode
*dvp
;
struct label
*dlabel
;
struct vnode
*vp
;
void *label
;
struct componentname
*cnp
;
Determine whether the subject credential can delete a
vnode from the passed parent directory and passed name
information. Return 0 for
success, or an errno
value for failure.
Suggested failure: EACCES for label
mismatch, or EPERM for lack of
privilege. This call may be made in a number of situations,
including as a result of calls to unlink(2) and
rmdir(2). Policies implementing this entry point
should also implement
mpo_check_vnode_rename_to
to authorize
deletion of objects as a result of being the target of a
rename.
6.7.4.32. mpo_check_vnode_deleteacl
int
mpo_check_vnode_deleteacl( | cred, | |
| vp, | |
| label, | |
| type) ; | |
struct ucred *cred
;
struct vnode *vp
;
struct label *label
;
acl_type_t type
;
Determine whether the subject credential can delete the
ACL of passed type from the passed vnode. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of
privilege.
6.7.4.33. mpo_check_vnode_exec
int
mpo_check_vnode_exec( | cred, | |
| vp, | |
| label) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
Determine whether the subject credential can execute the
passed vnode. Determination of execute privilege is made
separately from decisions about any transitioning event.
Return 0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of
privilege.
6.7.4.34. mpo_check_vnode_getacl
int
mpo_check_vnode_getacl( | cred, | |
| vp, | |
| label, | |
| type) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
acl_type_t
type
;
Determine whether the subject credential can retrieve
the ACL of passed type from the passed vnode. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of
privilege.
6.7.4.35. mpo_check_vnode_getextattr
int
mpo_check_vnode_getextattr( | cred, | |
| vp, | |
| label, | |
| attrnamespace, | |
| name, | |
| uio) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
int
attrnamespace
;
const char
*name
;
struct uio
*uio
;
Determine whether the subject credential can retrieve
the extended attribute with the passed namespace and name
from the passed vnode. Policies implementing labeling using
extended attributes may be interested in special handling of
operations on those extended attributes. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of
privilege.
6.7.4.36. mpo_check_vnode_link
int
mpo_check_vnode_link( | cred, | |
| dvp, | |
| dlabel, | |
| vp, | |
| label, | |
| cnp) ; | |
struct ucred
*cred
;
struct vnode
*dvp
;
struct label
*dlabel
;
struct vnode
*vp
;
struct label
*label
;
struct componentname
*cnp
;
Determine whether the subject should be allowed to
create a link to the vnode vp
with
the name specified by cnp
.
6.7.4.37. mpo_check_vnode_mmap
int
mpo_check_vnode_mmap( | cred, | |
| vp, | |
| label, | |
| prot) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
int prot
;
Determine whether the subject should be allowed to map
the vnode vp
with the protections
specified in prot
.
6.7.4.38. mpo_check_vnode_mmap_downgrade
void
mpo_check_vnode_mmap_downgrade( | cred, | |
| vp, | |
| label, | |
| prot) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
int *prot
;
Downgrade the mmap protections based on the subject and
object labels.
6.7.4.39. mpo_check_vnode_mprotect
int
mpo_check_vnode_mprotect( | cred, | |
| vp, | |
| label, | |
| prot) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
int prot
;
Determine whether the subject should be allowed to
set the specified memory protections on memory mapped from
the vnode vp
.
6.7.4.40. mpo_check_vnode_poll
int
mpo_check_vnode_poll( | active_cred, | |
| file_cred, | |
| vp, | |
| label) ; | |
struct ucred
*active_cred
;
struct ucred
*file_cred
;
struct vnode
*vp
;
struct label
*label
;
Determine whether the subject should be allowed to poll
the vnode vp
.
6.7.4.41. mpo_check_vnode_rename_from
int
mpo_check_vnode_rename_from( | cred, | |
| dvp, | |
| dlabel, | |
| vp, | |
| label, | |
| cnp) ; | |
struct ucred
*cred
;
struct vnode
*dvp
;
struct label
*dlabel
;
struct vnode
*vp
;
struct label
*label
;
struct componentname
*cnp
;
Determine whether the subject should be allowed to
rename the vnode vp
to something
else.
6.7.4.42. mpo_check_vnode_rename_to
int
mpo_check_vnode_rename_to( | cred, | |
| dvp, | |
| dlabel, | |
| vp, | |
| label, | |
| samedir, | |
| cnp) ; | |
struct ucred
*cred
;
struct vnode
*dvp
;
struct label
*dlabel
;
struct vnode
*vp
;
struct label
*label
;
int samedir
;
struct componentname
*cnp
;
Determine whether the subject should be allowed to
rename to the vnode vp
, into the
directory dvp
, or to the name
represented by cnp
. If there is no
existing file to overwrite, vp
and
label
will be NULL.
6.7.4.43. mpo_check_socket_listen
int
mpo_check_socket_listen( | cred, | |
| socket, | |
| socketlabel) ; | |
struct ucred
*cred
;
struct socket
*socket
;
struct label
*socketlabel
;
Determine whether the subject credential can listen on
the passed socket. Return 0 for
success, or an errno
value for failure.
Suggested failure: EACCES for label
mismatch, or EPERM for lack of
privilege.
6.7.4.44. mpo_check_vnode_lookup
int
mpo_check_vnode_lookup( | cred, | |
| dvp, | |
| dlabel, | |
| cnp) ; | |
struct ucred
*cred
;
struct vnode
*dvp
;
struct label
*dlabel
;
struct componentname
*cnp
;
Determine whether the subject credential can perform a
lookup in the passed directory vnode for the passed name.
Return 0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of
privilege.
6.7.4.45. mpo_check_vnode_open
int
mpo_check_vnode_open( | cred, | |
| vp, | |
| label, | |
| acc_mode) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
int
acc_mode
;
Determine whether the subject credential can perform an
open operation on the passed vnode with the passed access
mode. Return 0 for success, or
an errno value for failure. Suggested failure:
EACCES for label mismatch, or
EPERM for lack of privilege.
6.7.4.46. mpo_check_vnode_readdir
int
mpo_check_vnode_readdir( | cred, | |
| dvp, | |
| dlabel) ; | |
struct ucred
*cred
;
struct vnode
*dvp
;
struct label
*dlabel
;
Determine whether the subject credential can perform a
readdir
operation on the passed
directory vnode. Return 0 for
success, or an errno
value for failure.
Suggested failure: EACCES for label
mismatch, or EPERM for lack of
privilege.
6.7.4.47. mpo_check_vnode_readlink
int
mpo_check_vnode_readlink( | cred, | |
| vp, | |
| label) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
Determine whether the subject credential can perform a
readlink
operation on the passed
symlink vnode. Return 0 for
success, or an errno
value for failure.
Suggested failure: EACCES for label
mismatch, or EPERM for lack of
privilege. This call may be made in a number of situations,
including an explicit readlink
call by
the user process, or as a result of an implicit
readlink
during a name lookup by the
process.
6.7.4.48. mpo_check_vnode_revoke
int
mpo_check_vnode_revoke( | cred, | |
| vp, | |
| label) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
Determine whether the subject credential can revoke
access to the passed vnode. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of
privilege.
6.7.4.49. mpo_check_vnode_setacl
int
mpo_check_vnode_setacl( | cred, | |
| vp, | |
| label, | |
| type, | |
| acl) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
acl_type_t
type
;
struct acl
*acl
;
Determine whether the subject credential can set the
passed ACL of passed type on the passed vnode. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of
privilege.
6.7.4.50. mpo_check_vnode_setextattr
int
mpo_check_vnode_setextattr( | cred, | |
| vp, | |
| label, | |
| attrnamespace, | |
| name, | |
| uio) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
int
attrnamespace
;
const char
*name
;
struct uio
*uio
;
Determine whether the subject credential can set the
extended attribute of passed name and passed namespace on
the passed vnode. Policies implementing security labels
backed by extended attributes may want to provide
additional protections for those attributes. Additionally,
policies should avoid making decisions based on the data
referenced from uio
, as there is a
potential race condition between this check and the actual
operation. The uio
may also be
NULL
if a delete operation is being
performed. Return 0 for success,
or an errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of
privilege.
6.7.4.51. mpo_check_vnode_setflags
int
mpo_check_vnode_setflags( | cred, | |
| vp, | |
| label, | |
| flags) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
u_long flags
;
Determine whether the subject credential can set the
passed flags on the passed vnode. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of
privilege.
6.7.4.52. mpo_check_vnode_setmode
int
mpo_check_vnode_setmode( | cred, | |
| vp, | |
| label, | |
| mode) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
mode_t mode
;
Determine whether the subject credential can set the
passed mode on the passed vnode. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of
privilege.
6.7.4.53. mpo_check_vnode_setowner
int
mpo_check_vnode_setowner( | cred, | |
| vp, | |
| label, | |
| uid, | |
| gid) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
uid_t uid
;
gid_t gid
;
Determine whether the subject credential can set the
passed uid and passed gid as file uid and file gid on the
passed vnode. The IDs may be set to (-1
)
to request no update. Return 0
for success, or an errno
value for
failure. Suggested failure: EACCES
for label mismatch, or EPERM for lack
of privilege.
6.7.4.54. mpo_check_vnode_setutimes
int
mpo_check_vnode_setutimes( | cred, | |
| vp, | |
| label, | |
| atime, | |
| mtime) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
struct timespec
atime
;
struct timespec
mtime
;
Determine whether the subject credential can set the
passed access and modification timestamps (atime
and mtime
) on the passed vnode. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of
privilege.
6.7.4.55. mpo_check_proc_sched
int
mpo_check_proc_sched( | ucred, | |
| proc) ; | |
struct ucred
*ucred
;
struct proc
*proc
;
Determine whether the subject credential can change the
scheduling parameters of the passed process. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
EPERM for lack of privilege, or
ESRCH to limit visibility.
See setpriority(2) for more information.
6.7.4.56. mpo_check_proc_signal
int
mpo_check_proc_signal( | cred, | |
| proc, | |
| signal) ; | |
struct ucred
*cred
;
struct proc
*proc
;
int signal
;
Determine whether the subject credential can deliver the
passed signal to the passed process. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
EPERM for lack of privilege, or
ESRCH to limit visibility.
6.7.4.57. mpo_check_vnode_stat
int
mpo_check_vnode_stat( | cred, | |
| vp, | |
| label) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*label
;
Determine whether the subject credential can
stat
the passed vnode. Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatch,
or EPERM for lack of
privilege.
See stat(2) for more information.
6.7.4.58. mpo_check_ifnet_transmit
int
mpo_check_ifnet_transmit( | cred, | |
| ifnet, | |
| ifnetlabel, | |
| mbuf, | |
| mbuflabel) ; | |
struct ucred
*cred
;
struct ifnet
*ifnet
;
struct label
*ifnetlabel
;
struct mbuf
*mbuf
;
struct label
*mbuflabel
;
Determine whether the network interface can transmit the
passed mbuf. Return 0 for
success, or an errno
value for failure.
Suggested failure: EACCES for label
mismatch, or EPERM for lack of
privilege.
6.7.4.59. mpo_check_socket_deliver
int
mpo_check_socket_deliver( | cred, | |
| ifnet, | |
| ifnetlabel, | |
| mbuf, | |
| mbuflabel) ; | |
struct ucred
*cred
;
struct ifnet
*ifnet
;
struct label
*ifnetlabel
;
struct mbuf
*mbuf
;
struct label
*mbuflabel
;
Determine whether the socket may receive the datagram
stored in the passed mbuf header. Return
0 for success, or an
errno
value for failure. Suggested
failures: EACCES for label mismatch,
or EPERM for lack of
privilege.
6.7.4.60. mpo_check_socket_visible
int
mpo_check_socket_visible( | cred, | |
| so, | |
| socketlabel) ; | |
struct ucred
*cred
;
struct socket
*so
;
struct label
*socketlabel
;
Determine whether the subject credential cred can “see”
the passed socket (so
) using
system monitoring functions, such as those employed by
netstat(8) and sockstat(1). Return
0 for success, or an
errno
value for failure. Suggested
failure: EACCES for label mismatches,
EPERM for lack of privilege, or
ESRCH to hide visibility.
6.7.4.61. mpo_check_system_acct
int
mpo_check_system_acct( | ucred, | |
| vp, | |
| vlabel) ; | |
struct ucred
*ucred
;
struct vnode
*vp
;
struct label
*vlabel
;
Determine whether the subject should be allowed to
enable accounting, based on its label and the label of the
accounting log file.
6.7.4.62. mpo_check_system_nfsd
int
mpo_check_system_nfsd( | cred) ; | |
struct ucred
*cred
;
Determine whether the subject should be allowed to call
nfssvc(2).
6.7.4.63. mpo_check_system_reboot
int
mpo_check_system_reboot( | cred, | |
| howto) ; | |
struct ucred
*cred
;
int howto
;
Determine whether the subject should be allowed to
reboot the system in the specified manner.
6.7.4.64. mpo_check_system_settime
int
mpo_check_system_settime( | cred) ; | |
struct ucred
*cred
;
Determine whether the subject should be allowed to set the
system clock.
6.7.4.65. mpo_check_system_swapon
int
mpo_check_system_swapon( | cred, | |
| vp, | |
| vlabel) ; | |
struct ucred
*cred
;
struct vnode
*vp
;
struct label
*vlabel
;
Determine whether the subject should be allowed to add
vp
as a swap device.
6.7.4.66. mpo_check_system_sysctl
int
mpo_check_system_sysctl( | cred, | |
| name, | |
| namelen, | |
| old, | |
| oldlenp, | |
| inkernel, | |
| new, | |
| newlen) ; | |
struct ucred
*cred
;
int *name
;
u_int *namelen
;
void *old
;
size_t
*oldlenp
;
int inkernel
;
void *new
;
size_t newlen
;
Determine whether the subject should be allowed to make
the specified sysctl(3) transaction.