Index: head/en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml =================================================================== --- head/en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml (revision 52106) +++ head/en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml (revision 52107) @@ -1,8007 +1,8068 @@ - - The TrustedBSD MAC Framework + + + The TrustedBSD MAC Framework + - ChrisCostello - TrustedBSD Project -
chris@FreeBSD.org
-
+ + + Chris + Costello + + + TrustedBSD Project +
+ chris@FreeBSD.org +
+
+
- RobertWatson - TrustedBSD Project -
rwatson@FreeBSD.org
-
+ + + Robert + Watson + + + TrustedBSD Project +
+ rwatson@FreeBSD.org +
+
+
- - MAC Documentation Copyright This documentation was developed for the FreeBSD Project by Chris Costello at Safeport Network Services and Network Associates Laboratories, the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (CBOSS), as part of the DARPA CHATS research program. Redistribution and use in source (SGML DocBook) and 'compiled' forms (SGML, HTML, PDF, PostScript, RTF and so forth) with or without modification, are permitted provided that the following conditions are met: - Redistributions of source code (SGML DocBook) must - retain the above copyright notice, this list of conditions - and the following disclaimer as the first lines of this file - unmodified. + Redistributions of source code (SGML DocBook) must + retain the above copyright notice, this list of conditions + and the following disclaimer as the first lines of this file + unmodified. - Redistributions in compiled form (transformed to other - DTDs, converted to PDF, PostScript, RTF and other formats) - must reproduce the above copyright notice, this list of - conditions and the following disclaimer in the documentation - and/or other materials provided with the - distribution. + Redistributions in compiled form (transformed to other + DTDs, converted to PDF, PostScript, RTF and other formats) + must reproduce the above copyright notice, this list of + conditions and the following disclaimer in the documentation + and/or other materials provided with the + distribution. THIS DOCUMENTATION IS PROVIDED BY THE NETWORKS ASSOCIATES - TECHNOLOGY, INC "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF - MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - DISCLAIMED. 
IN NO EVENT SHALL NETWORKS ASSOCIATES TECHNOLOGY, - INC BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER - CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN - IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + TECHNOLOGY, INC "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL NETWORKS ASSOCIATES TECHNOLOGY, + INC BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN + IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Synopsis - FreeBSD includes experimental support for several - mandatory access control policies, as well as a framework - for kernel security extensibility, the TrustedBSD MAC - Framework. The MAC Framework is a pluggable access - control framework, permitting new security policies to - be easily linked into the kernel, loaded at boot, or loaded - dynamically at run-time. The framework provides a variety - of features to make it easier to implement new security policies, - including the ability to easily tag security labels (such as - confidentiality information) onto system objects. 
+ FreeBSD includes experimental support for several mandatory + access control policies, as well as a framework for kernel + security extensibility, the TrustedBSD MAC Framework. The MAC + Framework is a pluggable access control framework, permitting + new security policies to be easily linked into the kernel, + loaded at boot, or loaded dynamically at run-time. The + framework provides a variety of features to make it easier to + implement new security policies, including the ability to easily + tag security labels (such as confidentiality information) onto + system objects. This chapter introduces the MAC policy framework and provides documentation for a sample MAC policy module. Introduction The TrustedBSD MAC framework provides a mechanism to allow the compile-time or run-time extension of the kernel access - control model. New system policies may be implemented as - kernel modules and linked to the kernel; if multiple policy - modules are present, their results will be composed. The - MAC Framework provides a variety of access control infrastructure - services to assist policy writers, including support for - transient and persistent policy-agnostic object security - labels. This support is currently considered experimental. + control model. New system policies may be implemented as kernel + modules and linked to the kernel; if multiple policy modules are + present, their results will be composed. The MAC Framework + provides a variety of access control infrastructure services to + assist policy writers, including support for transient and + persistent policy-agnostic object security labels. This support + is currently considered experimental. - This chapter provides information appropriate for developers + This chapter provides information appropriate for developers of policy modules, as well as potential consumers of MAC-enabled environments, to learn about how the MAC Framework supports access control extension of the kernel. 
Policy Background - Mandatory Access Control (MAC), refers to a set of - access control policies that are mandatorily enforced on - users by the operating system. MAC policies may be contrasted - with Discretionary Access Control (DAC) protections, by which + Mandatory Access Control (MAC), refers to a set of access + control policies that are mandatorily enforced on users by the + operating system. MAC policies may be contrasted with + Discretionary Access Control (DAC) protections, by which non-administrative users may (at their discretion) protect objects. In traditional UNIX systems, DAC protections include - file permissions and access control lists; MAC protections include - process controls preventing inter-user debugging and firewalls. - A variety of MAC policies have been formulated by operating system - designers and security researches, including the Multi-Level - Security (MLS) confidentiality policy, the Biba integrity policy, - Role-Based Access Control (RBAC), Domain and Type Enforcement (DTE), - and Type Enforcement (TE). Each - model bases decisions on a variety of factors, including user - identity, role, and security clearance, as well as security labels - on objects representing concepts such as data sensitivity and - integrity. + file permissions and access control lists; MAC protections + include process controls preventing inter-user debugging and + firewalls. A variety of MAC policies have been formulated by + operating system designers and security researches, including + the Multi-Level Security (MLS) confidentiality policy, the Biba + integrity policy, Role-Based Access Control (RBAC), Domain and + Type Enforcement (DTE), and Type Enforcement (TE). Each model + bases decisions on a variety of factors, including user + identity, role, and security clearance, as well as security + labels on objects representing concepts such as data sensitivity + and integrity. 
The TrustedBSD MAC Framework is capable of supporting policy modules that implement all of these policies, as well as a broad - class of system hardening policies, which may use existing security - attributes, such as user and group IDs, as well as extended - attributes on files, and other system properties. In addition, - despite the - name, the MAC Framework can also be used to implement purely - discretionary policies, as policy modules are given substantial - flexibility in how they authorize protections. + class of system hardening policies, which may use existing + security attributes, such as user and group IDs, as well as + extended attributes on files, and other system properties. In + addition, despite the name, the MAC Framework can also be used + to implement purely discretionary policies, as policy modules + are given substantial flexibility in how they authorize + protections. MAC Framework Kernel Architecture The TrustedBSD MAC Framework permits kernel modules to extend the operating system security policy, as well as - providing infrastructure functionality required by many - access control modules. If multiple policies are - simultaneously loaded, the MAC Framework will usefully (for - some definition of useful) compose the results of the - policies. + providing infrastructure functionality required by many access + control modules. If multiple policies are simultaneously + loaded, the MAC Framework will usefully (for some definition of + useful) compose the results of the policies. Kernel Elements - The MAC Framework contains a number of kernel elements: + The MAC Framework contains a number of kernel + elements: - Framework management interfaces - Concurrency and synchronization - primitives. 
- Policy registration - Extensible security label for kernel - objects - Policy entry point composition - operators - Label management primitives - Entry point API invoked by kernel - services - Entry point API to policy modules - Entry points implementations (policy life cycle, - object life cycle/label management, access control - checks). - Policy-agnostic label-management system - calls - mac_syscall() multiplex - system call - Various security policies implemented as MAC - policy modules + + Framework management interfaces + + + Concurrency and synchronization primitives. + + + Policy registration + + + Extensible security label for kernel objects + + + Policy entry point composition operators + + + Label management primitives + + + Entry point API invoked by kernel services + + + Entry point API to policy modules + + + Entry points implementations (policy life cycle, + object life cycle/label management, access control + checks). + + + Policy-agnostic label-management system calls + + + mac_syscall() multiplex system + call + + + Various security policies implemented as MAC policy + modules + Framework Management Interfaces The TrustedBSD MAC Framework may be directly managed using sysctl's, loader tunables, and system calls. - In most cases, sysctl's and loader tunables of the same name - modify the same - parameters, and control behavior such as enforcement of - protections relating to various kernel subsystems. In addition, - if MAC debugging support is compiled into the kernel, several - counters will be maintained tracking label allocation. - It is generally advisable that per-subsystem enforcement - controls not be used to control policy behavior in production - environments, as they broadly impact the operation of all - active policies. Instead, per-policy controls should be - preferred, as they provide greater granularity and greater - operational consistency for policy modules. 
+ In most cases, sysctl's and loader tunables of the same + name modify the same parameters, and control behavior such as + enforcement of protections relating to various kernel + subsystems. In addition, if MAC debugging support is compiled + into the kernel, several counters will be maintained tracking + label allocation. It is generally advisable that + per-subsystem enforcement controls not be used to control + policy behavior in production environments, as they broadly + impact the operation of all active policies. Instead, + per-policy controls should be preferred, as they provide + greater granularity and greater operational consistency for + policy modules. - Loading and unloading of policy modules is performed - using the system module management system calls and other - system interfaces, including boot loader variables; policy modules - will have the opportunity to influence load and unload - events, including preventing undesired unloading of the policy. + Loading and unloading of policy modules is performed using + the system module management system calls and other system + interfaces, including boot loader variables; policy modules + will have the opportunity to influence load and unload events, + including preventing undesired unloading of the policy. Policy List Concurrency and Synchronization - As the set of active policies may change at run-time, - and the invocation of entry points is non-atomic, - synchronization is required to prevent loading or - unloading of policies while an entry point invocation - is in progress, freezing the set of active policies for the - duration. This is accomplished by means of a framework - busy count: whenever an entry point is entered, the - busy count is incremented; whenever it is exited, the - busy count is decremented. While the busy count is - elevated, policy list changes are not permitted, and - threads attempting to modify the policy list will sleep - until the list is not busy. 
The busy count is protected - by a mutex, and a condition variable is used to wake up - sleepers waiting on policy list modifications. One - side effect of this synchronization model is that - recursion into the MAC Framework from within a policy - module is permitted, although not generally used. + As the set of active policies may change at run-time, and + the invocation of entry points is non-atomic, synchronization + is required to prevent loading or unloading of policies while + an entry point invocation is in progress, freezing the set of + active policies for the duration. This is accomplished by + means of a framework busy count: whenever an entry point is + entered, the busy count is incremented; whenever it is exited, + the busy count is decremented. While the busy count is + elevated, policy list changes are not permitted, and threads + attempting to modify the policy list will sleep until the list + is not busy. The busy count is protected by a mutex, and a + condition variable is used to wake up sleepers waiting on + policy list modifications. One side effect of this + synchronization model is that recursion into the MAC Framework + from within a policy module is permitted, although not + generally used. - Various optimizations are used to reduce the overhead - of the busy count, including avoiding the full cost of - incrementing and decrementing if the list is empty or - contains only static entries (policies that are loaded - before the system starts, and cannot be unloaded). A - compile-time option is also provided which prevents any - change in the set of loaded policies at run-time, which - eliminates the mutex locking costs associated with - supporting dynamically loaded and unloaded policies as - synchronization is no longer required. 
+ Various optimizations are used to reduce the overhead of + the busy count, including avoiding the full cost of + incrementing and decrementing if the list is empty or contains + only static entries (policies that are loaded before the + system starts, and cannot be unloaded). A compile-time option + is also provided which prevents any change in the set of + loaded policies at run-time, which eliminates the mutex + locking costs associated with supporting dynamically loaded + and unloaded policies as synchronization is no longer + required. As the MAC Framework is not permitted to block in some - entry points, a normal sleep lock cannot be used; as a - result, it is possible for the load or unload attempt to - block for a substantial period of time waiting for the - framework to become idle. + entry points, a normal sleep lock cannot be used; as a result, + it is possible for the load or unload attempt to block for a + substantial period of time waiting for the framework to become + idle. Label Synchronization - As kernel objects of interest may generally be accessed from - more than one thread at a time, and simultaneous entry of more - than one thread into - the MAC Framework is permitted, security attribute storage - maintained by the MAC Framework is carefully synchronized. - In general, existing kernel synchronization on kernel - object data is used to protect MAC Framework security labels - on the object: for example, MAC labels on sockets are - protected using the existing socket mutex. Likewise, - semantics for concurrent access are generally identical to - those of the container objects: for credentials, copy-on-write - semantics are maintained for label contents as with the - remainder of the credential structure. The MAC Framework - asserts necessary locks on objects when invoked with an - object reference. 
Policy authors must be aware of these - synchronization semantics, as they will sometimes limit the - types of accesses permitted on labels: for example, when - a read-only reference to a credential is passed to a policy - via an entry point, only read operations are permitted on - the label state attached to the credential. + As kernel objects of interest may generally be accessed + from more than one thread at a time, and simultaneous entry of + more than one thread into the MAC Framework is permitted, + security attribute storage maintained by the MAC Framework is + carefully synchronized. In general, existing kernel + synchronization on kernel object data is used to protect MAC + Framework security labels on the object: for example, MAC + labels on sockets are protected using the existing socket + mutex. Likewise, semantics for concurrent access are + generally identical to those of the container objects: for + credentials, copy-on-write semantics are maintained for label + contents as with the remainder of the credential structure. + The MAC Framework asserts necessary locks on objects when + invoked with an object reference. Policy authors must be + aware of these synchronization semantics, as they will + sometimes limit the types of accesses permitted on labels: for + example, when a read-only reference to a credential is passed + to a policy via an entry point, only read operations are + permitted on the label state attached to the + credential. Policy Synchronization and Concurrency - Policy modules must be written to assume that many - kernel threads may simultaneously enter one more - policy entry points due to the parallel and preemptive - nature of the FreeBSD kernel. If the policy module makes - use of mutable state, this may require the use of - synchronization primitives within the policy to prevent - inconsistent views on that state resulting in incorrect - operation of the policy. 
Policies will generally be - able to make use of existing FreeBSD synchronization - primitives for this purpose, including mutexes, sleep - locks, condition variables, and counting semaphores. - However, policies should be written to employ these - primitives carefully, respecting existing kernel lock - orders, and recognizing that some entry points are not - permitted to sleep, limiting the use of primitives in - those entry points to mutexes and wakeup operations. + Policy modules must be written to assume that many kernel + threads may simultaneously enter one more policy entry points + due to the parallel and preemptive nature of the FreeBSD + kernel. If the policy module makes use of mutable state, this + may require the use of synchronization primitives within the + policy to prevent inconsistent views on that state resulting + in incorrect operation of the policy. Policies will generally + be able to make use of existing FreeBSD synchronization + primitives for this purpose, including mutexes, sleep locks, + condition variables, and counting semaphores. However, + policies should be written to employ these primitives + carefully, respecting existing kernel lock orders, and + recognizing that some entry points are not permitted to sleep, + limiting the use of primitives in those entry points to + mutexes and wakeup operations. When policy modules call out to other kernel subsystems, they will generally need to release any in-policy locks in - order to avoid violating the kernel lock order or risking - lock recursion. This will maintain policy locks as leaf - locks in the global lock order, helping to avoid deadlock. + order to avoid violating the kernel lock order or risking lock + recursion. This will maintain policy locks as leaf locks in + the global lock order, helping to avoid deadlock. Policy Registration - The MAC Framework maintains two lists of active - policies: a static list, and a dynamic list. 
The lists - differ only with regards to their locking semantics: an - elevated reference count is not required to make use of - the static list. When kernel modules containing MAC - Framework policies are loaded, the policy module will - use SYSINIT to invoke a registration - function; when a policy module is unloaded, - SYSINIT will likewise invoke a - de-registration function. Registration may fail if a - policy module is loaded more than once, if insufficient - resources are available for the registration (for - example, the policy might require labeling and - insufficient labeling state might be available), or - other policy prerequisites might not be met (some - policies may only be loaded prior to boot). Likewise, - de-registration may fail if a policy is flagged as - not unloadable. + The MAC Framework maintains two lists of active policies: + a static list, and a dynamic list. The lists differ only with + regards to their locking semantics: an elevated reference + count is not required to make use of the static list. When + kernel modules containing MAC Framework policies are loaded, + the policy module will use SYSINIT to + invoke a registration function; when a policy module is + unloaded, SYSINIT will likewise invoke a + de-registration function. Registration may fail if a policy + module is loaded more than once, if insufficient resources are + available for the registration (for example, the policy might + require labeling and insufficient labeling state might be + available), or other policy prerequisites might not be met + (some policies may only be loaded prior to boot). Likewise, + de-registration may fail if a policy is flagged as not + unloadable. Entry Points - Kernel services interact with the MAC Framework in two ways: - they invoke a series of APIs to notify the framework of relevant - events, and they provide a policy-agnostic label structure - pointer in - security-relevant objects. 
The label pointer is maintained by - the MAC Framework via label management entry points, and permits - the Framework to offer a labeling service to policy modules - through relatively non-invasive changes to the kernel subsystem - maintaining the object. For example, label pointers have been - added to processes, process credentials, sockets, pipes, vnodes, - Mbufs, network interfaces, IP reassembly queues, and a variety - of other security-relevant structures. Kernel services also + Kernel services interact with the MAC Framework in two + ways: they invoke a series of APIs to notify the framework of + relevant events, and they provide a policy-agnostic label + structure pointer in security-relevant objects. The label + pointer is maintained by the MAC Framework via label + management entry points, and permits the Framework to offer a + labeling service to policy modules through relatively + non-invasive changes to the kernel subsystem maintaining the + object. For example, label pointers have been added to + processes, process credentials, sockets, pipes, vnodes, Mbufs, + network interfaces, IP reassembly queues, and a variety of + other security-relevant structures. Kernel services also invoke the MAC Framework when they perform important security - decisions, permitting policy modules to augment those decisions - based on their own criteria (possibly including data stored in - security labels). Most of these security critical decisions - will be explicit access control checks; however, some affect - more general decision functions such as packet matching for - sockets and label transition at program execution. + decisions, permitting policy modules to augment those + decisions based on their own criteria (possibly including data + stored in security labels). 
Most of these security critical + decisions will be explicit access control checks; however, + some affect more general decision functions such as packet + matching for sockets and label transition at program + execution. Policy Composition When more than one policy module is loaded into the kernel at a time, the results of the policy modules will be composed by the framework using a composition operator. This operator is currently hard-coded, and requires that all active policies - must approve a request for it to return success. As policies may - return a variety of error conditions (success, access denied, - object does not exist, ...), a precedence operator selects the - resulting error from the set of errors returned by policies. - In general, errors indicating that an object does not exist will - be preferred to errors indicating that access to an object is - denied. - While it is not guaranteed that the resulting composition will - be useful or secure, we have found that it is for many useful - selections of policies. For example, traditional trusted systems - often ship with two or more policies using a similar - composition. + must approve a request for it to return success. As policies + may return a variety of error conditions (success, access + denied, object does not exist, ...), a precedence operator + selects the resulting error from the set of errors returned by + policies. In general, errors indicating that an object does + not exist will be preferred to errors indicating that access + to an object is denied. While it is not guaranteed that the + resulting composition will be useful or secure, we have found + that it is for many useful selections of policies. For + example, traditional trusted systems often ship with two or + more policies using a similar composition. 
Labeling Support As many interesting access control extensions rely on security labels on objects, the MAC Framework provides a set - of policy-agnostic label management system calls covering - a variety of user-exposed objects. Common label types - include partition identifiers, sensitivity labels, integrity - labels, compartments, domains, roles, and types. By policy - agnostic, we mean that policy modules are able to completely - define the semantics of meta-data associated with an object. - Policy + of policy-agnostic label management system calls covering a + variety of user-exposed objects. Common label types include + partition identifiers, sensitivity labels, integrity labels, + compartments, domains, roles, and types. By policy agnostic, + we mean that policy modules are able to completely define the + semantics of meta-data associated with an object. Policy modules participate in the internalization and externalization of string-based labels provides by user applications, and can - expose multiple label elements to applications if desired. + expose multiple label elements to applications if + desired. - In-memory labels are stored in slab-allocated struct - label, which consists of a fixed-length array - of unions, each holding a void * pointer - and a long. Policies registering for - label storage will be assigned a "slot" identifier, which - may be used to dereference the label storage. The semantics - of the storage are left entirely up to the policy module: - modules are provided with a variety of entry points - associated with the kernel object life cycle, including - initialization, association/creation, and destruction. Using - these interfaces, it is possible to implement reference - counting and other storage models. 
Direct access to - the object structure is generally not required by policy - modules to retrieve a label, as the MAC Framework generally - passes both a pointer to the object and a direct pointer - to the object's label into entry points. The primary + In-memory labels are stored in slab-allocated struct label, which consists of + a fixed-length array of unions, each holding a void + * pointer and a long. Policies + registering for label storage will be assigned a "slot" + identifier, which may be used to dereference the label + storage. The semantics of the storage are left entirely up to + the policy module: modules are provided with a variety of + entry points associated with the kernel object life cycle, + including initialization, association/creation, and + destruction. Using these interfaces, it is possible to + implement reference counting and other storage models. Direct + access to the object structure is generally not required by + policy modules to retrieve a label, as the MAC Framework + generally passes both a pointer to the object and a direct + pointer to the object's label into entry points. The primary exception to this rule is the process credential, which must be manually dereferenced to access the credential label. This may change in future revisions of the MAC Framework. Initialization entry points frequently include a sleeping disposition flag indicating whether or not an initialization is permitted to sleep; if sleeping is not permitted, a failure may be returned to cancel allocation of the label (and hence - object). This may - occur, for example, in the network stack during interrupt - handling, where sleeping is not permitted, or while the caller - holds a mutex. Due to the - performance cost of maintaining labels on in-flight network - packets (Mbufs), policies must specifically declare a - requirement that Mbuf labels be allocated. 
Dynamically - loaded policies making use of labels must be able to handle - the case where their init function has not been called on - an object, as objects may already exist when the policy is - loaded. The MAC Framework guarantees that uninitialized label - slots will hold a 0 or NULL value, which policies may use to - detect uninitialized values. However, as allocation of Mbuf - labels is conditional, policies must also be able to handle a - NULL label pointer for Mbufs if they have been loaded - dynamically. + object). This may occur, for example, in the network stack + during interrupt handling, where sleeping is not permitted, or + while the caller holds a mutex. Due to the performance cost + of maintaining labels on in-flight network packets (Mbufs), + policies must specifically declare a requirement that Mbuf + labels be allocated. Dynamically loaded policies making use + of labels must be able to handle the case where their init + function has not been called on an object, as objects may + already exist when the policy is loaded. The MAC Framework + guarantees that uninitialized label slots will hold a 0 or + NULL value, which policies may use to detect uninitialized + values. However, as allocation of Mbuf labels is conditional, + policies must also be able to handle a NULL label pointer for + Mbufs if they have been loaded dynamically. In the case of file system labels, special support is provided for the persistent storage of security labels in - extended attributes. Where available, extended attribute transactions - are used to permit consistent compound updates of - security labels on vnodes--currently this support is present only - in the UFS2 file system. Policy authors may choose to - implement multilabel file system object labels using one - (or more) extended attributes. 
For efficiency reasons, the - vnode label (v_label) is a cache of any - on-disk label; policies are able to load values into the - cache when the vnode is instantiated, and update the cache - as needed. As a result, the extended attribute need not be directly - accessed with every access control check. + extended attributes. Where available, extended attribute + transactions are used to permit consistent compound updates of + security labels on vnodes--currently this support is present + only in the UFS2 file system. Policy authors may choose to + implement multilabel file system object labels using one (or + more) extended attributes. For efficiency reasons, the vnode + label (v_label) is a cache of any on-disk + label; policies are able to load values into the cache when + the vnode is instantiated, and update the cache as needed. As + a result, the extended attribute need not be directly accessed + with every access control check. - Currently, if a labeled policy permits dynamic - unloading, its state slot cannot be reclaimed, which places - a strict (and relatively low) bound on the number of - unload-reload operations for labeled policies. + + Currently, if a labeled policy permits dynamic + unloading, its state slot cannot be reclaimed, which places + a strict (and relatively low) bound on the number of + unload-reload operations for labeled policies. + System Calls The MAC Framework implements a number of system calls: most of these calls support the policy-agnostic label retrieval and manipulation APIs exposed to user applications. The label management calls accept a label description - structure, struct mac, which - contains a series of MAC label elements. Each element - contains a character string name, and character string - value. Each policy will be given the chance to claim a - particular element name, permitting policies to expose - multiple independent elements if desired. 
Policy modules - perform the internalization and externalization between - kernel labels and user-provided labels via entry points, - permitting a variety of semantics. Label management system - calls are generally wrapped by user library functions to - perform memory allocation and error handling, simplifying - user applications that must manage labels. + structure, struct mac, + which contains a series of MAC label elements. Each element + contains a character string name, and character string value. + Each policy will be given the chance to claim a particular + element name, permitting policies to expose multiple + independent elements if desired. Policy modules perform the + internalization and externalization between kernel labels and + user-provided labels via entry points, permitting a variety of + semantics. Label management system calls are generally + wrapped by user library functions to perform memory allocation + and error handling, simplifying user applications that must + manage labels. The following MAC-related system calls are present in the FreeBSD kernel: mac_get_proc() may be used to retrieve the label of the current process. - mac_set_proc() may be used to request - a change in the label of the current process. + mac_set_proc() may be used to + request a change in the label of the current + process. - mac_get_fd() may be used to retrieve - the label of an object (file, socket, pipe, ...) referenced by a - file descriptor. + mac_get_fd() may be used to + retrieve the label of an object (file, socket, pipe, ...) + referenced by a file descriptor. - mac_get_file() may be used to retrieve - the label of an object referenced by a file system path. + mac_get_file() may be used to + retrieve the label of an object referenced by a file + system path. - mac_set_fd() may be used to request - a change in the label of an object (file, socket, pipe, ...) - referenced by a file descriptor. 
+ mac_set_fd() may be used to + request a change in the label of an object (file, socket, + pipe, ...) referenced by a file descriptor. - mac_set_file() may be used to request - a change in the label of an object referenced by a file system - path. + mac_set_file() may be used to + request a change in the label of an object referenced by a + file system path. - mac_syscall() permits policy modules to - create new system calls without modifying the system call table; - it accepts a target policy name, operation number, and opaque - argument for use by the policy. + mac_syscall() permits policy + modules to create new system calls without modifying the + system call table; it accepts a target policy name, + operation number, and opaque argument for use by the + policy. - mac_get_pid() may be used to request - the label of another process by process id. + mac_get_pid() may be used to + request the label of another process by process id. mac_get_link() is identical to - mac_get_file(), only it will not follow - a symbolic link if it is the final entry in the path, so may be - used to retrieve the label on a symlink. + mac_get_file(), only it will not + follow a symbolic link if it is the final entry in the + path, so may be used to retrieve the label on a + symlink. mac_set_link() is identical to - mac_set_file(), only it will not follow a - symbolic link if it is the final entry in a path, so may be used - to manipulate the label on a symlink. + mac_set_file(), only it will not + follow a symbolic link if it is the final entry in a path, + so may be used to manipulate the label on a + symlink. mac_execve() is identical to the - execve() system call, only it also accepts - a requested label to set the process label to when beginning - execution of a new program. This change in label on execution - is referred to as a "transition". + execve() system call, only it also + accepts a requested label to set the process label to when + beginning execution of a new program. 
This change in + label on execution is referred to as a + "transition". - mac_get_peer(), actually implemented - via a socket option, retrieves the label of a remote peer on a - socket, if available. + mac_get_peer(), actually + implemented via a socket option, retrieves the label of a + remote peer on a socket, if available. In addition to these system calls, the - SIOCSIGMAC and SIOCSIFMAC - network interface ioctls permit the labels on network interfaces to - be retrieved and set. + SIOCSIGMAC and + SIOCSIFMAC network interface ioctls permit + the labels on network interfaces to be retrieved and + set. MAC Policy Architecture - Security policies are either linked directly into the kernel, - or compiled into loadable kernel modules that may be loaded at - boot, or dynamically using the module loading system calls at - runtime. Policy modules interact with the system through a - set of declared entry points, providing access to a stream of - system events and permitting the policy to influence access - control decisions. Each policy contains a number of elements: + Security policies are either linked directly into the + kernel, or compiled into loadable kernel modules that may be + loaded at boot, or dynamically using the module loading system + calls at runtime. Policy modules interact with the system + through a set of declared entry points, providing access to a + stream of system events and permitting the policy to influence + access control decisions. Each policy contains a number of + elements: - Optional configuration parameters for - policy. - Centralized implementation of the policy - logic and parameters. - Optional implementation of policy life cycle - events, such as initialization and destruction. - Optional support for initializing, maintaining, and - destroying labels on selected kernel objects. - Optional support for user process inspection and - modification of labels on selected objects. 
- Implementation of selected access control - entry points that are of interest to the policy. - Declaration of policy identity, module entry - points, and policy properties. + + Optional configuration parameters for + policy. + + + Centralized implementation of the policy logic and + parameters. + + + Optional implementation of policy life cycle events, + such as initialization and destruction. + + + Optional support for initializing, maintaining, and + destroying labels on selected kernel + objects. + + + Optional support for user process inspection and + modification of labels on selected + objects. + + + Implementation of selected access control entry points + that are of interest to the policy. + + + Declaration of policy identity, module entry points, and + policy properties. + Policy Declaration Modules may be declared using the MAC_POLICY_SET() macro, which names the policy, provides a reference to the MAC entry point vector, provides load-time flags determining how the policy framework should handle the policy, and optionally requests the allocation of label state by the framework. - static struct mac_policy_ops mac_policy_ops = + static struct mac_policy_ops mac_policy_ops = { .mpo_destroy = mac_policy_destroy, .mpo_init = mac_policy_init, .mpo_init_bpfdesc_label = mac_policy_init_bpfdesc_label, .mpo_init_cred_label = mac_policy_init_label, /* ... */ .mpo_check_vnode_setutimes = mac_policy_check_vnode_setutimes, .mpo_check_vnode_stat = mac_policy_check_vnode_stat, .mpo_check_vnode_write = mac_policy_check_vnode_write, }; The MAC policy entry point vector, - mac_policy_ops in this example, associates - functions defined in the module with specific entry points. A - complete listing of available entry points and their - prototypes may be found in the MAC entry point reference - section. Of specific interest during module registration are - the .mpo_destroy and .mpo_init - entry points. 
.mpo_init will be invoked once a - policy is successfully registered with the module framework - but prior to any other entry points becoming active. This - permits the policy to perform any policy-specific allocation - and initialization, such as initialization of any data or - locks. .mpo_destroy will be invoked when a - policy module is unloaded to permit releasing of any allocated - memory and destruction of locks. Currently, these two entry - points are invoked with the MAC policy list mutex held to - prevent any other entry points from being invoked: this will - be changed, but in the mean time, policies should be careful - about what kernel primitives they invoke so as to avoid lock - ordering or sleeping problems. + mac_policy_ops + in this example, associates functions defined in the module + with specific entry points. A complete listing of available + entry points and their prototypes may be found in the MAC + entry point reference section. Of specific interest during + module registration are the .mpo_destroy and + .mpo_init entry points. + .mpo_init will be invoked once a policy is + successfully registered with the module framework but prior to + any other entry points becoming active. This permits the + policy to perform any policy-specific allocation and + initialization, such as initialization of any data or locks. + .mpo_destroy will be invoked when a policy + module is unloaded to permit releasing of any allocated memory + and destruction of locks. Currently, these two entry points + are invoked with the MAC policy list mutex held to prevent any + other entry points from being invoked: this will be changed, + but in the mean time, policies should be careful about what + kernel primitives they invoke so as to avoid lock ordering or + sleeping problems. The policy declaration's module name field exists so that the module may be uniquely identified for the purposes of - module dependencies. An appropriate string should be selected. 
- The full string name of the policy is displayed to the user - via the kernel log during load and unload events, and also - exported when providing status information to userland + module dependencies. An appropriate string should be + selected. The full string name of the policy is displayed to + the user via the kernel log during load and unload events, and + also exported when providing status information to userland processes. Policy Flags The policy declaration flags field permits the module to - provide the framework with information about its capabilities at - the time the module is loaded. Currently, three flags are + provide the framework with information about its capabilities + at the time the module is loaded. Currently, three flags are defined: MPC_LOADTIME_FLAG_UNLOADOK This flag indicates that the policy module may be unloaded. If this flag is not provided, then the policy framework will reject requests to unload the module. This flag might be used by modules that allocate label state and are unable to free that state at runtime. MPC_LOADTIME_FLAG_NOTLATE - This flag indicates that the policy module - must be loaded and initialized early in the boot - process. If the flag is specified, attempts to register - the module following boot will be rejected. The flag - may be used by policies that require pervasive labeling - of all system objects, and cannot handle objects that - have not been properly initialized by the policy. + This flag indicates that the policy module must be + loaded and initialized early in the boot process. If + the flag is specified, attempts to register the module + following boot will be rejected. The flag may be used + by policies that require pervasive labeling of all + system objects, and cannot handle objects that have not + been properly initialized by the policy. 
MPC_LOADTIME_FLAG_LABELMBUFS This flag indicates that the policy module requires labeling of Mbufs, and that memory should always be allocated for the storage of Mbuf labels. By default, the MAC Framework will not allocate label storage for Mbufs unless at least one loaded policy has this flag set. This measurably improves network performance when policies do not require Mbuf labeling. A kernel option, MAC_ALWAYS_LABEL_MBUF, exists to force the MAC Framework to allocate Mbuf label storage regardless of the setting of this flag, and may be useful in some environments. - Policies using the - MPC_LOADTIME_FLAG_LABELMBUFS without the - MPC_LOADTIME_FLAG_NOTLATE flag set - must be able to correctly handle NULL - Mbuf label pointers passed into entry points. This is necessary - as in-flight Mbufs without label storage may persist after a - policy enabling Mbuf labeling has been loaded. If a policy - is loaded before the network subsystem is active (i.e., the - policy is not being loaded late), then all Mbufs are guaranteed - to have label storage. + + Policies using the + MPC_LOADTIME_FLAG_LABELMBUFS without the + MPC_LOADTIME_FLAG_NOTLATE flag set must + be able to correctly handle NULL Mbuf + label pointers passed into entry points. This is necessary + as in-flight Mbufs without label storage may persist after a + policy enabling Mbuf labeling has been loaded. If a policy + is loaded before the network subsystem is active (i.e., the + policy is not being loaded late), then all Mbufs are + guaranteed to have label storage. + Policy Entry Points Four classes of entry points are offered to policies registered with the framework: entry points associated with the registration and management of policies, entry points denoting initialization, creation, destruction, and other life cycle events for kernel objects, events associated with access control decisions that the policy module may influence, and - calls associated with the management of labels on objects. 
In + calls associated with the management of labels on objects. In addition, a mac_syscall() entry point is provided so that policies may extend the kernel interface without registering new system calls. Policy module writers should be aware of the kernel locking strategy, as well as what object locks are available - during which entry points. Writers should attempt to avoid + during which entry points. Writers should attempt to avoid deadlock scenarios by avoiding grabbing non-leaf locks inside of entry points, and also follow the locking protocol for object access and modification. In particular, writers should be aware that while necessary locks to access objects and their labels are generally held, sufficient locks to modify an object or its label may not be present for all entry points. Locking information for arguments is documented in the MAC framework entry point document. Policy entry points will pass a reference to the object label along with the object itself. This permits labeled policies to be unaware of the internals of the object yet - still make decisions based on the label. The exception to this - is the process credential, which is assumed to be understood - by policies as a first class security object in the kernel. + still make decisions based on the label. The exception to + this is the process credential, which is assumed to be + understood by policies as a first class security object in the + kernel. MAC Policy Entry Point Reference General-Purpose Module Entry Points - <function>&mac.mpo;_init</function> + <function>&mac.mpo;_init</function> - - - void - &mac.mpo;_init + + + void + &mac.mpo;_init - struct mac_policy_conf - *conf - - + struct mac_policy_conf + *conf + + - - - &mac.thead; + + + &mac.thead; - - - conf - MAC policy definition - - - - + + + conf + MAC policy definition + + + + - Policy load event. The policy list mutex is held, so + Policy load event. 
The policy list mutex is held, so sleep operations cannot be performed, and calls out to other kernel subsystems must be made with caution. If potentially sleeping memory allocations are required during policy initialization, they should be made using a separate module SYSINIT(). - <function>&mac.mpo;_destroy</function> + <function>&mac.mpo;_destroy</function> - - - void - &mac.mpo;_destroy + + + void + &mac.mpo;_destroy - struct mac_policy_conf - *conf - - + struct mac_policy_conf + *conf + + - - - &mac.thead; + + + &mac.thead; - - - conf - MAC policy definition - - - - + + + conf + MAC policy definition + + + + - Policy load event. The policy list mutex is held, so - caution should be applied. + Policy load event. The policy list mutex is held, so + caution should be applied. - <function>&mac.mpo;_syscall</function> + <function>&mac.mpo;_syscall</function> - - - int - &mac.mpo;_syscall + + + int + &mac.mpo;_syscall - struct thread - *td - int call - void *arg - - + struct thread + *td + int call + void *arg + + - - - &mac.thead; + + &mac.thead; - - - td - Calling thread - + + + td + Calling thread + - - call - Policy-specific syscall number - + + call + Policy-specific syscall number + - - arg - Pointer to syscall arguments - - - - + + arg + Pointer to syscall arguments + + + + - This entry point provides a policy-multiplexed system - call so that policies may provide additional services to - user processes without registering specific system calls. - The policy name provided during registration is used to - demux calls from userland, and the arguments will be - forwarded to this entry point. When implementing new - services, security modules should be sure to invoke - appropriate access control checks from the MAC framework as - needed. For example, if a policy implements an augmented - signal functionality, it should call the necessary signal - access control checks to invoke the MAC framework and other - registered policies. 
+ This entry point provides a policy-multiplexed system + call so that policies may provide additional services to + user processes without registering specific system calls. + The policy name provided during registration is used to + demux calls from userland, and the arguments will be + forwarded to this entry point. When implementing new + services, security modules should be sure to invoke + appropriate access control checks from the MAC framework as + needed. For example, if a policy implements an augmented + signal functionality, it should call the necessary signal + access control checks to invoke the MAC framework and other + registered policies. - Modules must currently perform the - copyin() of the syscall data on their - own. + + Modules must currently perform the + copyin() of the syscall data on their + own. + - <function>&mac.mpo;_thread_userret</function> + <function>&mac.mpo;_thread_userret</function> - - - void - &mac.mpo;_thread_userret + + + void + &mac.mpo;_thread_userret - struct thread - *td - - + struct thread + *td + + - - - &mac.thead; + + + &mac.thead; - - - td - Returning thread - - - - + + + td + Returning thread + + + + - This entry point permits policy modules to perform - MAC-related events when a thread returns to user space, via - a system call return, trap return, or otherwise. - This is required for policies that have floating process - labels, as it is not always possible to acquire the process - lock at arbitrary points in the stack during system call - processing; process labels might represent traditional - authentication data, process history information, or other - data. To employ this mechanism, intended changes to the - process credential label may be stored in the - p_label protected by a per-policy spin - lock, and then set the per-thread - TDF_ASTPENDING flag and per-process - PS_MACPENDM flag to schedule a call - to the userret entry point. 
From this entry point, the - policy may create a replacement credential with less + This entry point permits policy modules to perform + MAC-related events when a thread returns to user space, via + a system call return, trap return, or otherwise. This is + required for policies that have floating process labels, as + it is not always possible to acquire the process lock at + arbitrary points in the stack during system call processing; + process labels might represent traditional authentication + data, process history information, or other data. To employ + this mechanism, intended changes to the process credential + label may be stored in the p_label + protected by a per-policy spin lock, and then set the + per-thread TDF_ASTPENDING flag and + per-process PS_MACPENDM flag to schedule + a call to the userret entry point. From this entry point, + the policy may create a replacement credential with less concern about the locking context. Policy writers are - cautioned that event ordering relating to scheduling an - AST and the AST being performed may be complex and - interlaced in multithreaded applications. + cautioned that event ordering relating to scheduling an AST + and the AST being performed may be complex and interlaced in + multithreaded applications. Label Operations - <function>&mac.mpo;_init_bpfdesc_label</function> + <function>&mac.mpo;_init_bpfdesc_label</function> - - - void - &mac.mpo;_init_bpfdesc_label + + + void + &mac.mpo;_init_bpfdesc_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - New label to apply - - - - + + + label + New label to apply + + + + - Initialize the label on a newly instantiated bpfdesc (BPF - descriptor). Sleeping is permitted. + Initialize the label on a newly instantiated bpfdesc + (BPF descriptor). Sleeping is permitted. 
- <function>&mac.mpo;_init_cred_label</function> + <function>&mac.mpo;_init_cred_label</function> - - - void - &mac.mpo;_init_cred_label + + + void + &mac.mpo;_init_cred_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - New label to initialize - - - - + + + label + New label to initialize + + + + - Initialize the label for a newly instantiated - user credential. Sleeping is permitted. + Initialize the label for a newly instantiated user + credential. Sleeping is permitted. - <function>&mac.mpo;_init_devfsdirent_label</function> + <function>&mac.mpo;_init_devfsdirent_label</function> - - - void - &mac.mpo;_init_devfsdirent_label + + + void + &mac.mpo;_init_devfsdirent_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - New label to apply - - - - + + + label + New label to apply + + + + - Initialize the label on a newly instantiated devfs - entry. Sleeping is permitted. + Initialize the label on a newly instantiated devfs + entry. Sleeping is permitted. - <function>&mac.mpo;_init_ifnet_label</function> + <function>&mac.mpo;_init_ifnet_label</function> - - - void - &mac.mpo;_init_ifnet_label + + + void + &mac.mpo;_init_ifnet_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - New label to apply - - - - + + + label + New label to apply + + + + - Initialize the label on a newly instantiated network - interface. Sleeping is permitted. + Initialize the label on a newly instantiated network + interface. Sleeping is permitted. 
- <function>&mac.mpo;_init_ipq_label</function> + <function>&mac.mpo;_init_ipq_label</function> - - - void - &mac.mpo;_init_ipq_label + + + void + &mac.mpo;_init_ipq_label - struct label - *label - int flag - - + struct label + *label + int flag + + - - - &mac.thead; + + + &mac.thead; - - - label - New label to apply - + + + label + New label to apply + - - flag - Sleeping/non-sleeping &man.malloc.9;; see + + flag + Sleeping/non-sleeping &man.malloc.9;; see below - - - - + + + + - Initialize the label on a newly instantiated IP fragment - reassembly queue. The flag field may - be one of M_WAITOK and M_NOWAIT, - and should be employed to avoid performing a sleeping - &man.malloc.9; during this initialization call. IP fragment - reassembly queue allocation frequently occurs in performance - sensitive environments, and the implementation should be careful - to avoid sleeping or long-lived operations. This entry point - is permitted to fail resulting in the failure to allocate - the IP fragment reassembly queue. + Initialize the label on a newly instantiated IP fragment + reassembly queue. The flag field may + be one of M_WAITOK and + M_NOWAIT, and should be employed to avoid + performing a sleeping &man.malloc.9; during this + initialization call. IP fragment reassembly queue + allocation frequently occurs in performance sensitive + environments, and the implementation should be careful to + avoid sleeping or long-lived operations. This entry point + is permitted to fail resulting in the failure to allocate + the IP fragment reassembly queue. 
- <function>&mac.mpo;_init_mbuf_label</function> + <function>&mac.mpo;_init_mbuf_label</function> - - - void - &mac.mpo;_init_mbuf_label + + + void + &mac.mpo;_init_mbuf_label - int flag - struct label - *label - - + int flag + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - flag - Sleeping/non-sleeping &man.malloc.9;; see - below - + + + flag + Sleeping/non-sleeping &man.malloc.9;; see + below + - - label - Policy label to initialize - - - - + + label + Policy label to initialize + + + + - Initialize the label on a newly instantiated mbuf packet - header (mbuf). The - flag field may be one of - M_WAITOK and M_NOWAIT, and - should be employed to avoid performing a sleeping - &man.malloc.9; during this initialization call. Mbuf - allocation frequently occurs in performance sensitive - environments, and the implementation should be careful to - avoid sleeping or long-lived operations. This entry point - is permitted to fail resulting in the failure to allocate - the mbuf header. + Initialize the label on a newly instantiated mbuf packet + header (mbuf). The + flag field may be one of + M_WAITOK and M_NOWAIT, and + should be employed to avoid performing a sleeping + &man.malloc.9; during this initialization call. Mbuf + allocation frequently occurs in performance sensitive + environments, and the implementation should be careful to + avoid sleeping or long-lived operations. This entry point + is permitted to fail resulting in the failure to allocate + the mbuf header. 
- <function>&mac.mpo;_init_mount_label</function> + <function>&mac.mpo;_init_mount_label</function> - - - void - &mac.mpo;_init_mount_label + + + void + &mac.mpo;_init_mount_label - struct label - *mntlabel - struct label - *fslabel - - + struct label + *mntlabel + struct label + *fslabel + + - - - &mac.thead; + + + &mac.thead; - - - mntlabel - Policy label to be initialized for the mount - itself - + + + mntlabel + Policy label to be initialized for the mount + itself + - - fslabel - Policy label to be initialized for the file - system - - - - + + fslabel + Policy label to be initialized for the file + system + + + + - Initialize the labels on a newly instantiated mount - point. Sleeping is permitted. + Initialize the labels on a newly instantiated mount + point. Sleeping is permitted. - <function>&mac.mpo;_init_mount_fs_label</function> + <function>&mac.mpo;_init_mount_fs_label</function> - - - void - &mac.mpo;_init_mount_fs_label + + + void + &mac.mpo;_init_mount_fs_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - Label to be initialized - - - - + + + label + Label to be initialized + + + + - Initialize the label on a newly mounted file - system. Sleeping is permitted + Initialize the label on a newly mounted file system. + Sleeping is permitted - <function>&mac.mpo;_init_pipe_label</function> + <function>&mac.mpo;_init_pipe_label</function> - - - void - &mac.mpo;_init_pipe_label + + + void + &mac.mpo;_init_pipe_label - struct - label*label - - + struct + label*label + + - - - &mac.thead; + + + &mac.thead; - - - label - Label to be filled in - - - - + + + label + Label to be filled in + + + + - Initialize a label for a newly instantiated pipe. Sleeping - is permitted. + Initialize a label for a newly instantiated pipe. + Sleeping is permitted. 
- <function>&mac.mpo;_init_socket_label</function> + <function>&mac.mpo;_init_socket_label</function> - - - void - &mac.mpo;_init_socket_label + + + void + &mac.mpo;_init_socket_label - struct label - *label - int flag - - + struct label + *label + int flag + + - - - &mac.thead; + + + &mac.thead; - - - label - New label to initialize - + + + label + New label to initialize + - - flag - &man.malloc.9; flags - - - - + + flag + &man.malloc.9; flags + + + + - Initialize a label for a newly instantiated - socket. The flag field may be one of + Initialize a label for a newly instantiated socket. The + flag field may be one of M_WAITOK and M_NOWAIT, and - should be employed to avoid performing a sleeping &man.malloc.9; - during this initialization call. + should be employed to avoid performing a sleeping + &man.malloc.9; during this initialization call. - <function>&mac.mpo;_init_socket_peer_label</function> + <function>&mac.mpo;_init_socket_peer_label</function> - - - void - &mac.mpo;_init_socket_peer_label + + + void + &mac.mpo;_init_socket_peer_label - struct label - *label - int flag - - + struct label + *label + int flag + + - - - &mac.thead; + + + &mac.thead; - - - label - New label to initialize - + + + label + New label to initialize + - - flag - &man.malloc.9; flags - - - - + + flag + &man.malloc.9; flags + + + + - Initialize the peer label for a newly instantiated - socket. The flag field may be one of + Initialize the peer label for a newly instantiated + socket. The flag field may be one of M_WAITOK and M_NOWAIT, and - should be employed to avoid performing a sleeping &man.malloc.9; - during this initialization call. + should be employed to avoid performing a sleeping + &man.malloc.9; during this initialization call. 
- <function>&mac.mpo;_init_proc_label</function> + <function>&mac.mpo;_init_proc_label</function> - - - void - &mac.mpo;_init_proc_label + + + void + &mac.mpo;_init_proc_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - New label to initialize - - - - + + + label + New label to initialize + + + + - Initialize the label for a newly instantiated - process. Sleeping is permitted. + Initialize the label for a newly instantiated process. + Sleeping is permitted. - <function>&mac.mpo;_init_vnode_label</function> + <function>&mac.mpo;_init_vnode_label</function> - - - void - &mac.mpo;_init_vnode_label + + + void + &mac.mpo;_init_vnode_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - New label to initialize - - - - + + + label + New label to initialize + + + + - Initialize the label on a newly instantiated vnode. Sleeping - is permitted. + Initialize the label on a newly instantiated vnode. + Sleeping is permitted. + - <function>&mac.mpo;_destroy_bpfdesc_label</function> + <function>&mac.mpo;_destroy_bpfdesc_label</function> - - - void - &mac.mpo;_destroy_bpfdesc_label + + + void + &mac.mpo;_destroy_bpfdesc_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - bpfdesc label - - - - + + + label + bpfdesc label + + + + - Destroy the label on a BPF descriptor. In this entry - point a policy should free any internal storage associated - with label so that it may be - destroyed. + Destroy the label on a BPF descriptor. In this entry + point a policy should free any internal storage associated + with label so that it may be + destroyed. 
- <function>&mac.mpo;_destroy_cred_label</function> + <function>&mac.mpo;_destroy_cred_label</function> - - - void - &mac.mpo;_destroy_cred_label + + + void + &mac.mpo;_destroy_cred_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - Label being destroyed - - - - + + + label + Label being destroyed + + + + - Destroy the label on a credential. In this entry point, - a policy module should free any internal storage associated - with label so that it may be - destroyed. + Destroy the label on a credential. In this entry point, + a policy module should free any internal storage associated + with label so that it may be + destroyed. - - <function>&mac.mpo;_destroy_devfsdirent_label</function> + <function>&mac.mpo;_destroy_devfsdirent_label</function> - - - void - &mac.mpo;_destroy_devfsdirent_label + + + void + &mac.mpo;_destroy_devfsdirent_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - Label being destroyed - - - - + + + label + Label being destroyed + + + + - Destroy the label on a devfs entry. In this entry - point, a policy module should free any internal storage - associated with label so that it may - be destroyed. + Destroy the label on a devfs entry. In this entry + point, a policy module should free any internal storage + associated with label so that it may + be destroyed. - <function>&mac.mpo;_destroy_ifnet_label</function> + <function>&mac.mpo;_destroy_ifnet_label</function> - - - void - &mac.mpo;_destroy_ifnet_label + + + void + &mac.mpo;_destroy_ifnet_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - Label being destroyed - - - - + + + label + Label being destroyed + + + + - Destroy the label on a removed interface. In this entry - point, a policy module should free any internal storage - associated with label so that it may - be destroyed. 
+ Destroy the label on a removed interface. In this entry + point, a policy module should free any internal storage + associated with label so that it may + be destroyed. - <function>&mac.mpo;_destroy_ipq_label</function> + <function>&mac.mpo;_destroy_ipq_label</function> - - - void - &mac.mpo;_destroy_ipq_label + + + void + &mac.mpo;_destroy_ipq_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - Label being destroyed - - - - + + + label + Label being destroyed + + + + - Destroy the label on an IP fragment queue. In this - entry point, a policy module should free any internal - storage associated with label so that - it may be destroyed. + Destroy the label on an IP fragment queue. In this + entry point, a policy module should free any internal + storage associated with label so that + it may be destroyed. - <function>&mac.mpo;_destroy_mbuf_label</function> + <function>&mac.mpo;_destroy_mbuf_label</function> - - - void - &mac.mpo;_destroy_mbuf_label + + + void + &mac.mpo;_destroy_mbuf_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - Label being destroyed - - - - + + + label + Label being destroyed + + + + - Destroy the label on an mbuf header. In this entry - point, a policy module should free any internal storage - associated with label so that it may - be destroyed. + Destroy the label on an mbuf header. In this entry + point, a policy module should free any internal storage + associated with label so that it may + be destroyed. 
- <function>&mac.mpo;_destroy_mount_label</function> + <function>&mac.mpo;_destroy_mount_label</function> - - - void - &mac.mpo;_destroy_mount_label + + + void + &mac.mpo;_destroy_mount_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - Mount point label being destroyed - - - - + + + label + Mount point label being destroyed + + + + - Destroy the labels on a mount point. In this entry - point, a policy module should free the internal storage - associated with mntlabel so that they - may be destroyed. + Destroy the labels on a mount point. In this entry + point, a policy module should free the internal storage + associated with mntlabel so that they + may be destroyed. - <function>&mac.mpo;_destroy_mount_label</function> + <function>&mac.mpo;_destroy_mount_label</function> - - - void - &mac.mpo;_destroy_mount_label + + + void + &mac.mpo;_destroy_mount_label - struct label - *mntlabel - struct label - *fslabel - - + struct label + *mntlabel + struct label + *fslabel + + - - - &mac.thead; + + + &mac.thead; - - - mntlabel - Mount point label being destroyed - + + + mntlabel + Mount point label being destroyed + - - fslabel - File system label being destroyed> - - - - + + fslabel + File system label being destroyed> + + + + - Destroy the labels on a mount point. In this entry - point, a policy module should free the internal storage - associated with mntlabel and - fslabel so that they may be - destroyed. + Destroy the labels on a mount point. In this entry + point, a policy module should free the internal storage + associated with mntlabel and + fslabel so that they may be + destroyed. 
- <function>&mac.mpo;_destroy_socket_label</function> + <function>&mac.mpo;_destroy_socket_label</function> - - - void - &mac.mpo;_destroy_socket_label + + + void + &mac.mpo;_destroy_socket_label - struct label - *label + struct label + *label + + - - + + + &mac.thead; - - - &mac.thead; + + + label + Socket label being destroyed + + + + - - - label - Socket label being destroyed - - - - - - - Destroy the label on a socket. In this entry point, a - policy module should free any internal storage associated - with label so that it may be - destroyed. + Destroy the label on a socket. In this entry point, a + policy module should free any internal storage associated + with label so that it may be + destroyed. - <function>&mac.mpo;_destroy_socket_peer_label</function> + <function>&mac.mpo;_destroy_socket_peer_label</function> - - - void - &mac.mpo;_destroy_socket_peer_label + + + void + &mac.mpo;_destroy_socket_peer_label - struct label - *peerlabel - - + struct label + *peerlabel + + - - - &mac.thead; + + + &mac.thead; - - - peerlabel - Socket peer label being destroyed - - - - + + + peerlabel + Socket peer label being destroyed + + + + - Destroy the peer label on a socket. In this entry - point, a policy module should free any internal storage - associated with label so that it may - be destroyed. + Destroy the peer label on a socket. In this entry + point, a policy module should free any internal storage + associated with label so that it may + be destroyed. - <function>&mac.mpo;_destroy_pipe_label</function> + <function>&mac.mpo;_destroy_pipe_label</function> - - - void - &mac.mpo;_destroy_pipe_label + + + void + &mac.mpo;_destroy_pipe_label - struct label - *label - - + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - Pipe label - - - - + + + label + Pipe label + + + + - Destroy the label on a pipe. In this entry point, a - policy module should free any internal storage associated - with label so that it may be - destroyed. 
+ Destroy the label on a pipe. In this entry point, a + policy module should free any internal storage associated + with label so that it may be + destroyed. - <function>&mac.mpo;_destroy_proc_label</function> + <function>&mac.mpo;_destroy_proc_label</function> - - - void - &mac.mpo;_destroy_proc_label - struct label - *label - - + + + void + &mac.mpo;_destroy_proc_label + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - Process label - - - - + + + label + Process label + + + + - Destroy the label on a process. In this entry point, a - policy module should free any internal storage associated - with label so that it may be - destroyed. + Destroy the label on a process. In this entry point, a + policy module should free any internal storage associated + with label so that it may be + destroyed. - <function>&mac.mpo;_destroy_vnode_label</function> + <function>&mac.mpo;_destroy_vnode_label</function> - - - void - &mac.mpo;_destroy_vnode_label - struct label - *label - - + + + void + &mac.mpo;_destroy_vnode_label + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - label - Process label - - - - + + + label + Process label + + + + - Destroy the label on a vnode. In this entry point, a - policy module should free any internal storage associated - with label so that it may be - destroyed. + Destroy the label on a vnode. In this entry point, a + policy module should free any internal storage associated + with label so that it may be + destroyed. - <function>&mac.mpo;_copy_mbuf_label</function> + <function>&mac.mpo;_copy_mbuf_label</function> - - - void - &mac.mpo;_copy_mbuf_label + + + void + &mac.mpo;_copy_mbuf_label - struct label - *src - struct label - *dest - - + struct label + *src + struct label + *dest + + - - - &mac.thead; + + + &mac.thead; - - - src - Source label - + + + src + Source label + - - dest - Destination label - - - - + + dest + Destination label + + + + - Copy the label information in - src into - dest. 
+ Copy the label information in src + into dest. - <function>&mac.mpo;_copy_pipe_label</function> + <function>&mac.mpo;_copy_pipe_label</function> - - - void - &mac.mpo;_copy_pipe_label + + + void + &mac.mpo;_copy_pipe_label - struct label - *src - struct label - *dest - - + struct label + *src + struct label + *dest + + - - - &mac.thead; + + + &mac.thead; - - - src - Source label - + + + src + Source label + - - dest - Destination label - - - - + + dest + Destination label + + + + - Copy the label information in - src into - dest. + Copy the label information in src + into dest. - <function>&mac.mpo;_copy_vnode_label</function> + <function>&mac.mpo;_copy_vnode_label</function> - - - void - &mac.mpo;_copy_vnode_label + + + void + &mac.mpo;_copy_vnode_label - struct label - *src - struct label - *dest - - + struct label + *src + struct label + *dest + + - - - &mac.thead; + + + &mac.thead; - - - src - Source label - + + + src + Source label + - - dest - Destination label - - - - + + dest + Destination label + + + + - Copy the label information in - src into - dest. + Copy the label information in src + into dest. 
- <function>&mac.mpo;_externalize_cred_label</function> + <function>&mac.mpo;_externalize_cred_label</function> - - - int - &mac.mpo;_externalize_cred_label + + + int + &mac.mpo;_externalize_cred_label - &mac.externalize.paramdefs; - - + &mac.externalize.paramdefs; + + - - - &mac.thead; + + + &mac.thead; - &mac.externalize.tbody; - - + &mac.externalize.tbody; + + - &mac.externalize.para; + &mac.externalize.para; - <function>&mac.mpo;_externalize_ifnet_label</function> + <function>&mac.mpo;_externalize_ifnet_label</function> - - - int - &mac.mpo;_externalize_ifnet_label + + + int + &mac.mpo;_externalize_ifnet_label - &mac.externalize.paramdefs; - - + &mac.externalize.paramdefs; + + - - - &mac.thead; + + + &mac.thead; - &mac.externalize.tbody; - - + &mac.externalize.tbody; + + - &mac.externalize.para; + &mac.externalize.para; - <function>&mac.mpo;_externalize_pipe_label</function> + <function>&mac.mpo;_externalize_pipe_label</function> - - - int - &mac.mpo;_externalize_pipe_label + + + int + &mac.mpo;_externalize_pipe_label - &mac.externalize.paramdefs; - - + &mac.externalize.paramdefs; + + - - - &mac.thead; + + + &mac.thead; - &mac.externalize.tbody; - - + &mac.externalize.tbody; + + - &mac.externalize.para; + &mac.externalize.para; - <function>&mac.mpo;_externalize_socket_label</function> + <function>&mac.mpo;_externalize_socket_label</function> - - - int - &mac.mpo;_externalize_socket_label + + + int + &mac.mpo;_externalize_socket_label - &mac.externalize.paramdefs; - - + &mac.externalize.paramdefs; + + - - - &mac.thead; + + + &mac.thead; - &mac.externalize.tbody; - - + &mac.externalize.tbody; + + - &mac.externalize.para; + &mac.externalize.para; - <function>&mac.mpo;_externalize_socket_peer_label</function> + <function>&mac.mpo;_externalize_socket_peer_label</function> - - - int - &mac.mpo;_externalize_socket_peer_label + + + int + &mac.mpo;_externalize_socket_peer_label + &mac.externalize.paramdefs; + + - &mac.externalize.paramdefs; - - + + + &mac.thead; - - - 
&mac.thead; + &mac.externalize.tbody; + + - &mac.externalize.tbody; - - - - &mac.externalize.para; + &mac.externalize.para; - <function>&mac.mpo;_externalize_vnode_label</function> + <function>&mac.mpo;_externalize_vnode_label</function> - - - int - &mac.mpo;_externalize_vnode_label + + + int + &mac.mpo;_externalize_vnode_label - &mac.externalize.paramdefs; - - + &mac.externalize.paramdefs; + + - - - &mac.thead; + + + &mac.thead; - &mac.externalize.tbody; - - + &mac.externalize.tbody; + + - &mac.externalize.para; + &mac.externalize.para; - <function>&mac.mpo;_internalize_cred_label</function> + <function>&mac.mpo;_internalize_cred_label</function> - - - int - &mac.mpo;_internalize_cred_label + + + int + &mac.mpo;_internalize_cred_label - &mac.internalize.paramdefs; - - + &mac.internalize.paramdefs; + + - - - &mac.thead; + + + &mac.thead; - &mac.internalize.tbody; - - + &mac.internalize.tbody; + + - &mac.internalize.para; + &mac.internalize.para; - <function>&mac.mpo;_internalize_ifnet_label</function> + <function>&mac.mpo;_internalize_ifnet_label</function> - - - int - &mac.mpo;_internalize_ifnet_label + + + int + &mac.mpo;_internalize_ifnet_label - &mac.internalize.paramdefs; - - + &mac.internalize.paramdefs; + + - - - &mac.thead; + + + &mac.thead; - &mac.internalize.tbody; - - + &mac.internalize.tbody; + + - &mac.internalize.para; + &mac.internalize.para; - <function>&mac.mpo;_internalize_pipe_label</function> + <function>&mac.mpo;_internalize_pipe_label</function> - - - int - &mac.mpo;_internalize_pipe_label + + + int + &mac.mpo;_internalize_pipe_label - &mac.internalize.paramdefs; - - + &mac.internalize.paramdefs; + + - - - &mac.thead; + + + &mac.thead; - &mac.internalize.tbody; - - + &mac.internalize.tbody; + + - &mac.internalize.para; + &mac.internalize.para; - <function>&mac.mpo;_internalize_socket_label</function> + <function>&mac.mpo;_internalize_socket_label</function> - - - int - &mac.mpo;_internalize_socket_label + + + int + 
&mac.mpo;_internalize_socket_label - &mac.internalize.paramdefs; - - + &mac.internalize.paramdefs; + + - - - &mac.thead; + + + &mac.thead; - &mac.internalize.tbody; - - + &mac.internalize.tbody; + + - &mac.internalize.para; + &mac.internalize.para; - <function>&mac.mpo;_internalize_vnode_label</function> + <function>&mac.mpo;_internalize_vnode_label</function> - - - int - &mac.mpo;_internalize_vnode_label + + + int + &mac.mpo;_internalize_vnode_label - &mac.internalize.paramdefs; - - + &mac.internalize.paramdefs; + + - - - &mac.thead; + + + &mac.thead; - &mac.internalize.tbody; - - + &mac.internalize.tbody; + + - &mac.internalize.para; + &mac.internalize.para; Label Events This class of entry points is used by the MAC framework to - permit policies to maintain label information on kernel - objects. For each labeled kernel object of interest to a MAC - policy, entry points may be registered for relevant life cycle - events. All objects implement initialization, creation, and - destruction hooks. Some objects will also implement - relabeling, allowing user processes to change the labels on - objects. Some objects will also implement object-specific - events, such as label events associated with IP reassembly. A - typical labeled object will have the following life cycle of - entry points: + permit policies to maintain label information on kernel + objects. For each labeled kernel object of interest to a MAC + policy, entry points may be registered for relevant life cycle + events. All objects implement initialization, creation, and + destruction hooks. Some objects will also implement + relabeling, allowing user processes to change the labels on + objects. Some objects will also implement object-specific + events, such as label events associated with IP reassembly. A + typical labeled object will have the following life cycle of + entry points: Label initialization o (object-specific wait) \ Label creation o \ Relabel events, o--<--. 
Various object-specific, | | Access control events ~-->--o \ Label destruction o Label initialization permits policies to allocate memory - and set initial values for labels without context for the use - of the object. The label slot allocated to a policy will be - zeroed by default, so some policies may not need to perform - initialization. + and set initial values for labels without context for the use + of the object. The label slot allocated to a policy will be + zeroed by default, so some policies may not need to perform + initialization. Label creation occurs when the kernel structure is - associated with an actual kernel object. For example, Mbufs - may be allocated and remain unused in a pool until they are - required. mbuf allocation causes label initialization on the - mbuf to take place, but mbuf creation occurs when the mbuf is - associated with a datagram. Typically, context will be - provided for a creation event, including the circumstances of - the creation, and labels of other relevant objects in the - creation process. For example, when an mbuf is created from a - socket, the socket and its label will be presented to - registered policies in addition to the new mbuf and its label. - Memory allocation in creation events is discouraged, as it may - occur in performance sensitive ports of the kernel; in - addition, creation calls are not permitted to fail so a - failure to allocate memory cannot be reported. + associated with an actual kernel object. For example, Mbufs + may be allocated and remain unused in a pool until they are + required. mbuf allocation causes label initialization on the + mbuf to take place, but mbuf creation occurs when the mbuf is + associated with a datagram. Typically, context will be + provided for a creation event, including the circumstances of + the creation, and labels of other relevant objects in the + creation process. 
For example, when an mbuf is created from a + socket, the socket and its label will be presented to + registered policies in addition to the new mbuf and its label. + Memory allocation in creation events is discouraged, as it may + occur in performance sensitive ports of the kernel; in + addition, creation calls are not permitted to fail so a + failure to allocate memory cannot be reported. Object specific events do not generally fall into the - other broad classes of label events, but will generally - provide an opportunity to modify or update the label on an - object based on additional context. For example, the label on - an IP fragment reassembly queue may be updated during the - MAC_UPDATE_IPQ entry point as a result of the - acceptance of an additional mbuf to that queue. + other broad classes of label events, but will generally + provide an opportunity to modify or update the label on an + object based on additional context. For example, the label on + an IP fragment reassembly queue may be updated during the + MAC_UPDATE_IPQ entry point as a result of the + acceptance of an additional mbuf to that queue. Access control events are discussed in detail in the - following section. + following section. Label destruction permits policies to release storage or - state associated with a label during its association with an - object so that the kernel data structures supporting the - object may be reused or released. + state associated with a label during its association with an + object so that the kernel data structures supporting the + object may be reused or released. In addition to labels associated with specific kernel - objects, an additional class of labels exists: temporary - labels. These labels are used to store update information - submitted by user processes. These labels are initialized and - destroyed as with other label types, but the creation event is - MAC_INTERNALIZE, which accepts a user label - to be converted to an in-kernel representation. 
+ objects, an additional class of labels exists: temporary + labels. These labels are used to store update information + submitted by user processes. These labels are initialized and + destroyed as with other label types, but the creation event is + MAC_INTERNALIZE, which accepts a user label + to be converted to an in-kernel representation. - File System Object Labeling Event Operations + File System Object Labeling Event Operations - - <function>&mac.mpo;_associate_vnode_devfs</function> + + <function>&mac.mpo;_associate_vnode_devfs</function> - - - void - &mac.mpo;_associate_vnode_devfs + + + void + &mac.mpo;_associate_vnode_devfs - struct mount - *mp - struct label - *fslabel - struct devfs_dirent - *de - struct label - *delabel - struct vnode - *vp - struct label - *vlabel - - + struct mount + *mp + struct label + *fslabel + struct devfs_dirent + *de + struct label + *delabel + struct vnode + *vp + struct label + *vlabel + + - - - &mac.thead; + + + &mac.thead; - - - mp - Devfs mount point - + + + mp + Devfs mount point + - - fslabel - Devfs file system label - (mp->mnt_fslabel) - + + fslabel + Devfs file system label + (mp->mnt_fslabel) + - - de - Devfs directory entry - + + de + Devfs directory entry + - - delabel - Policy label associated with - de - + + delabel + Policy label associated with + de + - - vp - vnode associated with - de - + + vp + vnode associated with + de + - - vlabel - Policy label associated with - vp - - - - + + vlabel + Policy label associated with + vp + + + + - Fill in the label (vlabel) for - a newly created devfs vnode based on the devfs directory - entry passed in de and its - label. - + Fill in the label (vlabel) for + a newly created devfs vnode based on the devfs directory + entry passed in de and its + label. 
+ - - <function>&mac.mpo;_associate_vnode_extattr</function> + + <function>&mac.mpo;_associate_vnode_extattr</function> - - - int - &mac.mpo;_associate_vnode_extattr + + + int + &mac.mpo;_associate_vnode_extattr - struct mount - *mp - struct label - *fslabel - struct vnode - *vp - struct label - *vlabel - - + struct mount + *mp + struct label + *fslabel + struct vnode + *vp + struct label + *vlabel + + - - - &mac.thead; + + + &mac.thead; - - - mp - File system mount point - + + + mp + File system mount point + - - fslabel - File system label - + + fslabel + File system label + - - vp - Vnode to label - + + vp + Vnode to label + - - vlabel - Policy label associated with - vp - - - - + + vlabel + Policy label associated with + vp + + + + - Attempt to retrieve the label for - vp from the file system extended - attributes. Upon success, the value 0 - is returned. Should extended attribute retrieval not be - supported, an accepted fallback is to copy - fslabel into - vlabel. In the event of an error, - an appropriate value for errno should - be returned. - + Attempt to retrieve the label for + vp from the file system extended + attributes. Upon success, the value 0 + is returned. Should extended attribute retrieval not be + supported, an accepted fallback is to copy + fslabel into + vlabel. In the event of an error, + an appropriate value for errno should + be returned. 
+ - - <function>&mac.mpo;_associate_vnode_singlelabel</function> + + <function>&mac.mpo;_associate_vnode_singlelabel</function> - - - void - &mac.mpo;_associate_vnode_singlelabel + + + void + &mac.mpo;_associate_vnode_singlelabel + struct mount + *mp + struct label + *fslabel + struct vnode + *vp + struct label + *vlabel + + - struct mount - *mp - struct label - *fslabel - struct vnode - *vp - struct label - *vlabel - - + + + &mac.thead; - - - &mac.thead; + + + mp + File system mount point + - - - mp - File system mount point - + + fslabel + File system label + - - fslabel - File system label - + + vp + Vnode to label + - - vp - Vnode to label - + + vlabel + Policy label associated with + vp + + + + - - vlabel - Policy label associated with - vp - - - - + On non-multilabel file systems, this entry point is + called to set the policy label for + vp based on the file system label, + fslabel. + - On non-multilabel file systems, this entry point is - called to set the policy label for - vp based on the file system label, - fslabel. - + + <function>&mac.mpo;_create_devfs_device</function> + + + void + &mac.mpo;_create_devfs_device - - <function>&mac.mpo;_create_devfs_device</function> + dev_t dev + struct devfs_dirent + *devfs_dirent + struct label + *label + + - - - void - &mac.mpo;_create_devfs_device + + + &mac.thead; - dev_t dev - struct devfs_dirent - *devfs_dirent - struct label - *label - - + + + dev + Device corresponding with + devfs_dirent + - - - &mac.thead; + + devfs_dirent + Devfs directory entry to be labeled. + - - - dev - Device corresponding with - devfs_dirent - + + label + Label for devfs_dirent + to be filled in. + + + + - - devfs_dirent - Devfs directory entry to be labeled. - + Fill out the label on a devfs_dirent being created for + the passed device. This call will be made when the device + file system is mounted, regenerated, or a new device is + made available. + - - label - Label for devfs_dirent - to be filled in. 
- - - - + + <function>&mac.mpo;_create_devfs_directory</function> - Fill out the label on a devfs_dirent being created for - the passed device. This call will be made when the device - file system is mounted, regenerated, or a new device is made - available. - + + + void + &mac.mpo;_create_devfs_directory - - <function>&mac.mpo;_create_devfs_directory</function> + char + *dirname + int + dirnamelen + struct devfs_dirent + *devfs_dirent + struct label + *label + + - - - void - &mac.mpo;_create_devfs_directory + + + &mac.thead; - char *dirname - int dirnamelen - struct devfs_dirent - *devfs_dirent - struct label - *label - - + + + dirname + Name of directory being created + - - - &mac.thead; + + namelen + Length of string + dirname + - - - dirname - Name of directory being created - + + devfs_dirent + Devfs directory entry for directory being + created. + + + + - - namelen - Length of string - dirname - + Fill out the label on a devfs_dirent being created for + the passed directory. This call will be made when the + device file system is mounted, regenerated, or a new + device requiring a specific directory hierarchy is made + available. + - - devfs_dirent - Devfs directory entry for directory being - created. - - - - + + <function>&mac.mpo;_create_devfs_symlink</function> - Fill out the label on a devfs_dirent being created for - the passed directory. This call will be made when the device - file system is mounted, regenerated, or a new device - requiring a specific directory hierarchy is made - available. 
- + + + void + &mac.mpo;_create_devfs_symlink - - <function>&mac.mpo;_create_devfs_symlink</function> + struct ucred + *cred + struct mount + *mp + struct devfs_dirent + *dd + struct label + *ddlabel + struct devfs_dirent + *de + struct label + *delabel + + - - - void - &mac.mpo;_create_devfs_symlink + + + &mac.thead; - struct ucred - *cred - struct mount - *mp - struct devfs_dirent - *dd - struct label - *ddlabel - struct devfs_dirent - *de - struct label - *delabel - - + + + cred + Subject credential + - - - &mac.thead; + + mp + Devfs mount point + - - - cred - Subject credential - + + dd + Link destination + - - mp - Devfs mount point - + + ddlabel + Label associated with + dd + - - dd - Link destination - + + de + Symlink entry + - - ddlabel - Label associated with - dd - + + delabel + Label associated with + de + + + + - - de - Symlink entry - + Fill in the label (delabel) for + a newly created &man.devfs.5; symbolic link entry. + - - delabel - Label associated with - de - - - - + + <function>&mac.mpo;_create_vnode_extattr</function> - Fill in the label (delabel) for - a newly created &man.devfs.5; symbolic link entry. 
- + + + int + &mac.mpo;_create_vnode_extattr - - <function>&mac.mpo;_create_vnode_extattr</function> + struct ucred + *cred + struct mount + *mp + struct label + *fslabel + struct vnode + *dvp + struct label + *dlabel + struct vnode + *vp + struct label + *vlabel + struct componentname + *cnp + + - - - int - &mac.mpo;_create_vnode_extattr + + + &mac.thead; - struct ucred - *cred - struct mount - *mp - struct label - *fslabel - struct vnode - *dvp - struct label - *dlabel - struct vnode - *vp - struct label - *vlabel - struct componentname - *cnp - - + + + cred + Subject credential + - - - &mac.thead; + + mount + File system mount point + - - - cred - Subject credential - + + label + File system label + - - mount - File system mount point - + + dvp + Parent directory vnode + - - label - File system label - + + dlabel + Label associated with + dvp + - - dvp - Parent directory vnode - + + vp + Newly created vnode + - - dlabel - Label associated with - dvp - + + vlabel + Policy label associated with + vp + - - vp - Newly created vnode - + + cnp + Component name for + vp + + + + - - vlabel - Policy label associated with - vp - + Write out the label for vp to + the appropriate extended attribute. If the write + succeeds, fill in vlabel with the + label, and return 0. + Otherwise, return an appropriate error. + - - cnp - Component name for - vp - - - - + + <function>&mac.mpo;_create_mount</function> - Write out the label for vp to - the appropriate extended attribute. If the write - succeeds, fill in vlabel with the - label, and return 0. Otherwise, - return an appropriate error. 
- + + + void + &mac.mpo;_create_mount - - <function>&mac.mpo;_create_mount</function> + struct ucred + *cred + struct mount + *mp + struct + label *mnt + struct label + *fslabel + + - - - void - &mac.mpo;_create_mount + + + &mac.thead; - struct ucred - *cred - struct mount - *mp - struct label - *mnt - struct label - *fslabel - - + + + cred + Subject credential + - - - &mac.thead; + + mp + Object; file system being mounted + - - - cred - Subject credential - + + mntlabel + Policy label to be filled in for + mp + - - mp - Object; file system being mounted - + + fslabel + Policy label for the file system + mp mounts. + + + + - - mntlabel - Policy label to be filled in for - mp - + Fill out the labels on the mount point being created + by the passed subject credential. This call will be made + when a new file system is mounted. + - - fslabel - Policy label for the file system - mp mounts. - - - - + + <function>&mac.mpo;_create_root_mount</function> - Fill out the labels on the mount point being created by - the passed subject credential. This call will be made when - a new file system is mounted. - + + + void + &mac.mpo;_create_root_mount - - <function>&mac.mpo;_create_root_mount</function> + struct ucred + *cred + struct mount + *mp + struct label + *mntlabel + struct label + *fslabel + + - - - void - &mac.mpo;_create_root_mount + + + &mac.thead; - struct ucred - *cred - struct mount - *mp - struct label - *mntlabel - struct label - *fslabel - - + + + See . + + + + - - - &mac.thead; + Fill out the labels on the mount point being created + by the passed subject credential. This call will be made + when the root file system is mounted, after + &mac.mpo;_create_mount;. + - - - See . - - - - + + <function>&mac.mpo;_relabel_vnode</function> - Fill out the labels on the mount point being created by - the passed subject credential. This call will be made when - the root file system is mounted, after - &mac.mpo;_create_mount;. 
- + + + void + &mac.mpo;_relabel_vnode - - <function>&mac.mpo;_relabel_vnode</function> + struct ucred + *cred + struct vnode + *vp + struct label + *vnodelabel + struct label + *newlabel + + - - - void - &mac.mpo;_relabel_vnode + + + &mac.thead; - struct ucred - *cred - struct vnode - *vp - struct label - *vnodelabel - struct label - *newlabel - - + + + cred + Subject credential + - - - &mac.thead; + + vp + vnode to relabel + - - - cred - Subject credential - + + vnodelabel + Existing policy label for + vp + - - vp - vnode to relabel - + + newlabel + New, possibly partial label to replace + vnodelabel + + + + - - vnodelabel - Existing policy label for - vp - + Update the label on the passed vnode given the passed + update vnode label and the passed subject + credential. + - - newlabel - New, possibly partial label to replace - vnodelabel - - - - + + <function>&mac.mpo;_setlabel_vnode_extattr</function> - Update the label on the passed vnode given the passed - update vnode label and the passed subject credential. - + + + int + &mac.mpo;_setlabel_vnode_extattr - - <function>&mac.mpo;_setlabel_vnode_extattr</function> + struct ucred + *cred + struct vnode + *vp + struct label + *vlabel + struct label + *intlabel + + - - - int - &mac.mpo;_setlabel_vnode_extattr + + + &mac.thead; - struct ucred - *cred - struct vnode - *vp - struct label - *vlabel - struct label - *intlabel - - + + + cred + Subject credential + - - - &mac.thead; + + vp + Vnode for which the label is being + written + - - - cred - Subject credential - + + vlabel + Policy label associated with + vp + - - vp - Vnode for which the label is being - written - + + intlabel + Label to write out + + + + - - vlabel - Policy label associated with - vp - + Write out the policy from + intlabel to an extended attribute. + This is called from + vop_stdcreatevnode_ea. 
+ - - intlabel - Label to write out - - - - + + <function>&mac.mpo;_update_devfsdirent</function> - Write out the policy from - intlabel to an extended - attribute. This is called from - vop_stdcreatevnode_ea. - + + + void + &mac.mpo;_update_devfsdirent - - <function>&mac.mpo;_update_devfsdirent</function> - - - void - &mac.mpo;_update_devfsdirent + struct devfs_dirent + *devfs_dirent + struct label + *direntlabel + struct vnode + *vp + struct label + *vnodelabel + + - struct devfs_dirent - *devfs_dirent - struct label - *direntlabel - struct vnode - *vp - struct label - *vnodelabel - - + + + &mac.thead; - - - &mac.thead; + + + devfs_dirent + Object; devfs directory entry + - - - devfs_dirent - Object; devfs directory entry - + + direntlabel + Policy label for + devfs_dirent to be + updated. + - - direntlabel - Policy label for - devfs_dirent to be - updated. - + + vp + Parent vnode + Locked + - - vp - Parent vnode - Locked - + + vnodelabel + Policy label for + vp + + + + - - vnodelabel - Policy label for - vp - - - - - - Update the devfs_dirent label - from the passed devfs vnode label. This call will be made - when a devfs vnode has been successfully relabeled to commit - the label change such that it lasts even if the vnode is - recycled. It will also be made when a symlink is - created in devfs, following a call to - mac_vnode_create_from_vnode to - initialize the vnode label. - + Update the devfs_dirent label + from the passed devfs vnode label. This call will be made + when a devfs vnode has been successfully relabeled to + commit the label change such that it lasts even if the + vnode is recycled. It will also be made when a symlink is + created in devfs, following a call to + mac_vnode_create_from_vnode to + initialize the vnode label. 
+ - IPC Object Labeling Event Operations + IPC Object Labeling Event Operations + + <function>&mac.mpo;_create_mbuf_from_socket</function> - - <function>&mac.mpo;_create_mbuf_from_socket</function> + + + void + &mac.mpo;_create_mbuf_from_socket - - - void - &mac.mpo;_create_mbuf_from_socket + struct socket + *so + struct label + *socketlabel + struct mbuf + *m + struct label + *mbuflabel + + - struct socket - *so - struct label - *socketlabel - struct mbuf *m - struct label - *mbuflabel - - + + + &mac.thead; - - - &mac.thead; + + + socket + Socket + Socket locking WIP + - - - socket - Socket - Socket locking WIP - + + socketlabel + Policy label for + socket + - - socketlabel - Policy label for - socket - + + m + Object; mbuf + - - m - Object; mbuf - + + mbuflabel + Policy label to fill in for + m + + + + - - mbuflabel - Policy label to fill in for - m - - - - + Set the label on a newly created mbuf header from the + passed socket label. This call is made when a new + datagram or message is generated by the socket and stored + in the passed mbuf. + - Set the label on a newly created mbuf header from the - passed socket label. This call is made when a new datagram - or message is generated by the socket and stored in the - passed mbuf. - + + <function>&mac.mpo;_create_pipe</function> - - <function>&mac.mpo;_create_pipe</function> + + + void + &mac.mpo;_create_pipe - - - void - &mac.mpo;_create_pipe + struct ucred + *cred + struct pipe + *pipe + struct label + *pipelabel + + - struct ucred - *cred - struct pipe - *pipe - struct label - *pipelabel - - + + + &mac.thead; - - - &mac.thead; + + + cred + Subject credential + - - - cred - Subject credential - + + pipe + Pipe + - - pipe - Pipe - + + pipelabel + Policy label associated with + pipe + + + + - - pipelabel - Policy label associated with - pipe - - - - + Set the label on a newly created pipe from the passed + subject credential. This call is made when a new pipe is + created. 
+ - Set the label on a newly created pipe from the passed - subject credential. This call is made when a new pipe is - created. - + + <function>&mac.mpo;_create_socket</function> - - <function>&mac.mpo;_create_socket</function> + + + void + &mac.mpo;_create_socket - - - void - &mac.mpo;_create_socket + struct ucred + *cred + struct socket + *so + struct label + *socketlabel + + - struct ucred - *cred - struct socket - *so - struct label - *socketlabel - - + + + &mac.thead; - - - &mac.thead; + + + cred + Subject credential + Immutable + - - - cred - Subject credential - Immutable - + + so + Object; socket to label + - - so - Object; socket to label - + + socketlabel + Label to fill in for + so + + + + - - socketlabel - Label to fill in for - so - - - - + Set the label on a newly created socket from the + passed subject credential. This call is made when a + socket is created. + - Set the label on a newly created socket from the passed - subject credential. This call is made when a socket is - created. 
- + + <function>&mac.mpo;_create_socket_from_socket</function> - - <function>&mac.mpo;_create_socket_from_socket</function> + + + void + &mac.mpo;_create_socket_from_socket - - - void - &mac.mpo;_create_socket_from_socket + struct socket + *oldsocket + struct label + *oldsocketlabel + struct socket + *newsocket + struct label + *newsocketlabel + + - struct socket - *oldsocket - struct label - *oldsocketlabel - struct socket - *newsocket - struct label - *newsocketlabel - - + + + &mac.thead; - - - &mac.thead; + + + oldsocket + Listening socket + - - - oldsocket - Listening socket - + + oldsocketlabel + Policy label associated with + oldsocket + - - oldsocketlabel - Policy label associated with - oldsocket - + + newsocket + New socket + - - newsocket - New socket - + + newsocketlabel + Policy label associated with + newsocketlabel + + + + - - newsocketlabel - Policy label associated with - newsocketlabel - - - - + Label a socket, newsocket, + newly &man.accept.2;ed, based on the &man.listen.2; + socket, oldsocket. + - Label a socket, newsocket, - newly &man.accept.2;ed, based on the &man.listen.2; - socket, oldsocket. - + + <function>&mac.mpo;_relabel_pipe</function> - - <function>&mac.mpo;_relabel_pipe</function> + + + void + &mac.mpo;_relabel_pipe - - - void - &mac.mpo;_relabel_pipe + struct ucred + *cred + struct pipe + *pipe + struct label + *oldlabel + struct label + *newlabel + + - struct ucred - *cred - struct pipe - *pipe - struct label - *oldlabel - struct label - *newlabel - - + + + &mac.thead; - - - &mac.thead; + + + cred + Subject credential + - - - cred - Subject credential - + + pipe + Pipe + - - pipe - Pipe - + + oldlabel + Current policy label associated with + pipe + - - oldlabel - Current policy label associated with - pipe - + + newlabel + Policy label update to apply to + pipe + + + + - - newlabel - Policy label update to apply to - pipe - - - - + Apply a new label, newlabel, to + pipe. + - Apply a new label, newlabel, to - pipe. 
- + + <function>&mac.mpo;_relabel_socket</function> - - <function>&mac.mpo;_relabel_socket</function> + + + void + &mac.mpo;_relabel_socket - - - void - &mac.mpo;_relabel_socket + struct ucred + *cred + struct socket + *so + struct label + *oldlabel + struct label + *newlabel + + - struct ucred - *cred - struct socket - *so - struct label - *oldlabel - struct label - *newlabel - - + + + &mac.thead; - - - &mac.thead; + + + cred + Subject credential + Immutable + - - - cred - Subject credential - Immutable - + + so + Object; socket + - - so - Object; socket - + + oldlabel + Current label for + so + - - oldlabel - Current label for - so - + + newlabel + Label update for + so + + + + - - newlabel - Label update for - so - - - - + Update the label on a socket from the passed socket + label update. + - Update the label on a socket from the passed socket - label update. - + + <function>&mac.mpo;_set_socket_peer_from_mbuf</function> - - <function>&mac.mpo;_set_socket_peer_from_mbuf</function> + + + void + &mac.mpo;_set_socket_peer_from_mbuf - - - void - &mac.mpo;_set_socket_peer_from_mbuf + struct mbuf + *mbuf + struct label + *mbuflabel + struct label + *oldlabel + struct label + *newlabel + + - struct mbuf - *mbuf - struct label - *mbuflabel - struct label - *oldlabel - struct label - *newlabel - - + + + &mac.thead; - - - &mac.thead; + + + mbuf + First datagram received over socket + - - - mbuf - First datagram received over socket - + + mbuflabel + Label for mbuf + - - mbuflabel - Label for mbuf - + + oldlabel + Current label for the socket + - - oldlabel - Current label for the socket - + + newlabel + Policy label to be filled out for the + socket + + + + - - newlabel - Policy label to be filled out for the - socket - - - - + Set the peer label on a stream socket from the passed + mbuf label. This call will be made when the first + datagram is received by the stream socket, with the + exception of Unix domain sockets. 
+ - Set the peer label on a stream socket from the passed - mbuf label. This call will be made when the first datagram - is received by the stream socket, with the exception of Unix - domain sockets. - + + <function>&mac.mpo;_set_socket_peer_from_socket</function> - - <function>&mac.mpo;_set_socket_peer_from_socket</function> + + + void + &mac.mpo;_set_socket_peer_from_socket + struct socket + *oldsocket + struct label + *oldsocketlabel + struct socket + *newsocket + struct label + *newsocketpeerlabel + + - - - void - &mac.mpo;_set_socket_peer_from_socket + + + &mac.thead; - struct socket - *oldsocket - struct label - *oldsocketlabel - struct socket - *newsocket - struct label - *newsocketpeerlabel - - + + + oldsocket + Local socket + - - - &mac.thead; + + oldsocketlabel + Policy label for + oldsocket + - - - oldsocket - Local socket - + + newsocket + Peer socket + - - oldsocketlabel - Policy label for - oldsocket - + + newsocketpeerlabel + Policy label to fill in for + newsocket + + + + - - newsocket - Peer socket - - - - newsocketpeerlabel - Policy label to fill in for - newsocket - - - - - - Set the peer label on a stream UNIX domain socket from - the passed remote socket endpoint. This call will be made - when the socket pair is connected, and will be made for both - endpoints. - + Set the peer label on a stream UNIX domain socket from + the passed remote socket endpoint. This call will be made + when the socket pair is connected, and will be made for + both endpoints. 
+ - Network Object Labeling Event Operations + Network Object Labeling Event Operations - - <function>&mac.mpo;_create_bpfdesc</function> + + <function>&mac.mpo;_create_bpfdesc</function> - - - void - &mac.mpo;_create_bpfdesc + + + void + &mac.mpo;_create_bpfdesc - struct ucred - *cred - struct bpf_d - *bpf_d - struct label - *bpflabel - - + struct ucred + *cred + struct bpf_d + *bpf_d + struct label + *bpflabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - Immutable - + + + cred + Subject credential + Immutable + - - bpf_d - Object; bpf descriptor - + + bpf_d + Object; bpf descriptor + - - bpf - Policy label to be filled in for - bpf_d - - - - + + bpf + Policy label to be filled in for + bpf_d + + + + - Set the label on a newly created BPF descriptor from the - passed subject credential. This call will be made when a - BPF device node is opened by a process with the passed - subject credential. - + Set the label on a newly created BPF descriptor from + the passed subject credential. This call will be made + when a BPF device node is opened by a process with the + passed subject credential. + - - <function>&mac.mpo;_create_ifnet</function> + + <function>&mac.mpo;_create_ifnet</function> - - - void - &mac.mpo;_create_ifnet + + + void + &mac.mpo;_create_ifnet - struct ifnet - *ifnet - struct label - *ifnetlabel - - + struct ifnet + *ifnet + struct label + *ifnetlabel + + - - - &mac.thead; + + + &mac.thead; - - - ifnet - Network interface - + + + ifnet + Network interface + - - ifnetlabel - Policy label to fill in for - ifnet - - - - + + ifnetlabel + Policy label to fill in for + ifnet + + + + - Set the label on a newly created interface. This call - may be made when a new physical interface becomes available - to the system, or when a pseudo-interface is instantiated - during the boot or as a result of a user action. - + Set the label on a newly created interface. 
This call + may be made when a new physical interface becomes + available to the system, or when a pseudo-interface is + instantiated during the boot or as a result of a user + action. + - - <function>&mac.mpo;_create_ipq</function> + + <function>&mac.mpo;_create_ipq</function> - - - void - &mac.mpo;_create_ipq + + + void + &mac.mpo;_create_ipq - struct mbuf - *fragment - struct label - *fragmentlabel - struct ipq - *ipq - struct label - *ipqlabel - - + struct mbuf + *fragment + struct label + *fragmentlabel + struct ipq + *ipq + struct label + *ipqlabel + + - - - &mac.thead; + + + &mac.thead; - - - fragment - First received IP fragment - + + + fragment + First received IP fragment + - - fragmentlabel - Policy label for - fragment - + + fragmentlabel + Policy label for + fragment + - - ipq - IP reassembly queue to be labeled - + + ipq + IP reassembly queue to be labeled + - - ipqlabel - Policy label to be filled in for - ipq - - - - + + ipqlabel + Policy label to be filled in for + ipq + + + + - Set the label on a newly created IP fragment reassembly - queue from the mbuf header of the first received - fragment. - + Set the label on a newly created IP fragment + reassembly queue from the mbuf header of the first + received fragment. 
+ - - <function>&mac.mpo;_create_datagram_from_ipq</function> + + <function>&mac.mpo;_create_datagram_from_ipq</function> - - - void - &mac.mpo;_create_create_datagram_from_ipq + + + void + &mac.mpo;_create_create_datagram_from_ipq - struct ipq - *ipq - struct label - *ipqlabel - struct mbuf - *datagram - struct label - *datagramlabel - - + struct ipq + *ipq + struct label + *ipqlabel + struct mbuf + *datagram + struct label + *datagramlabel + + - - - &mac.thead; + + + &mac.thead; - - - ipq - IP reassembly queue - + + + ipq + IP reassembly queue + - - ipqlabel - Policy label for - ipq - + + ipqlabel + Policy label for + ipq + - - datagram - Datagram to be labeled - + + datagram + Datagram to be labeled + - - datagramlabel - Policy label to be filled in for - datagramlabel - - - - + + datagramlabel + Policy label to be filled in for + datagramlabel + + + + - Set the label on a newly reassembled IP datagram from - the IP fragment reassembly queue from which it was - generated. - + Set the label on a newly reassembled IP datagram from + the IP fragment reassembly queue from which it was + generated. 
+ - - <function>&mac.mpo;_create_fragment</function> + + <function>&mac.mpo;_create_fragment</function> - - - void - &mac.mpo;_create_fragment + + + void + &mac.mpo;_create_fragment - struct mbuf - *datagram - struct label - *datagramlabel - struct mbuf - *fragment - struct label - *fragmentlabel - - + struct mbuf + *datagram + struct label + *datagramlabel + struct mbuf + *fragment + struct label + *fragmentlabel + + - - - &mac.thead; + + + &mac.thead; - - - datagram - Datagram - + + + datagram + Datagram + - - datagramlabel - Policy label for - datagram - + + datagramlabel + Policy label for + datagram + - - fragment - Fragment to be labeled - + + fragment + Fragment to be labeled + - - fragmentlabel - Policy label to be filled in for - datagram - - - - + + fragmentlabel + Policy label to be filled in for + datagram + + + + - Set the label on the mbuf header of a newly created IP - fragment from the label on the mbuf header of the datagram - it was generate from. - + Set the label on the mbuf header of a newly created IP + fragment from the label on the mbuf header of the datagram + it was generate from. 
+ - - <function>&mac.mpo;_create_mbuf_from_mbuf</function> + + <function>&mac.mpo;_create_mbuf_from_mbuf</function> - - - void - &mac.mpo;_create_mbuf_from_mbuf + + + void + &mac.mpo;_create_mbuf_from_mbuf - struct mbuf - *oldmbuf - struct label - *oldmbuflabel - struct mbuf - *newmbuf - struct label - *newmbuflabel - - + struct mbuf + *oldmbuf + struct label + *oldmbuflabel + struct mbuf + *newmbuf + struct label + *newmbuflabel + + - - - &mac.thead; + + + &mac.thead; - - - oldmbuf - Existing (source) mbuf - + + + oldmbuf + Existing (source) mbuf + - - oldmbuflabel - Policy label for - oldmbuf - + + oldmbuflabel + Policy label for + oldmbuf + - - newmbuf - New mbuf to be labeled - + + newmbuf + New mbuf to be labeled + - - newmbuflabel - Policy label to be filled in for - newmbuf - - - - + + newmbuflabel + Policy label to be filled in for + newmbuf + + + + - Set the label on the mbuf header of a newly created - datagram from the mbuf header of an existing datagram. This - call may be made in a number of situations, including when - an mbuf is re-allocated for alignment purposes. - + Set the label on the mbuf header of a newly created + datagram from the mbuf header of an existing datagram. + This call may be made in a number of situations, including + when an mbuf is re-allocated for alignment + purposes. 
+ - - <function>&mac.mpo;_create_mbuf_linklayer</function> + + <function>&mac.mpo;_create_mbuf_linklayer</function> - - - void - &mac.mpo;_create_mbuf_linklayer + + + void + &mac.mpo;_create_mbuf_linklayer - struct ifnet - *ifnet - struct label - *ifnetlabel - struct mbuf - *mbuf - struct label - *mbuflabel - - + struct ifnet + *ifnet + struct label + *ifnetlabel + struct mbuf + *mbuf + struct label + *mbuflabel + + - - - &mac.thead; + + + &mac.thead; - - - ifnet - Network interface - + + + ifnet + Network interface + - - ifnetlabel - Policy label for - ifnet - + + ifnetlabel + Policy label for + ifnet + - - mbuf - mbuf header for new datagram - + + mbuf + mbuf header for new datagram + - - mbuflabel - Policy label to be filled in for - mbuf - - - - + + mbuflabel + Policy label to be filled in for + mbuf + + + + - Set the label on the mbuf header of a newly created - datagram generated for the purposes of a link layer response - for the passed interface. This call may be made in a number - of situations, including for ARP or ND6 responses in the - IPv4 and IPv6 stacks. - + Set the label on the mbuf header of a newly created + datagram generated for the purposes of a link layer + response for the passed interface. This call may be made + in a number of situations, including for ARP or ND6 + responses in the IPv4 and IPv6 stacks. 
+ - - <function>&mac.mpo;_create_mbuf_from_bpfdesc</function> + + <function>&mac.mpo;_create_mbuf_from_bpfdesc</function> - - - void - &mac.mpo;_create_mbuf_from_bpfdesc + + + void + &mac.mpo;_create_mbuf_from_bpfdesc - struct bpf_d - *bpf_d - struct label - *bpflabel - struct mbuf - *mbuf - struct label - *mbuflabel - - + struct bpf_d + *bpf_d + struct label + *bpflabel + struct mbuf + *mbuf + struct label + *mbuflabel + + - - - &mac.thead; + + + &mac.thead; - - - bpf_d - BPF descriptor - + + + bpf_d + BPF descriptor + - - bpflabel - Policy label for - bpflabel - + + bpflabel + Policy label for + bpflabel + - - mbuf - New mbuf to be labeled - + + mbuf + New mbuf to be labeled + - - mbuflabel - Policy label to fill in for - mbuf - - - - + + mbuflabel + Policy label to fill in for + mbuf + + + + - Set the label on the mbuf header of a newly created - datagram generated using the passed BPF descriptor. This - call is made when a write is performed to the BPF device - associated with the passed BPF descriptor. - + Set the label on the mbuf header of a newly created + datagram generated using the passed BPF descriptor. This + call is made when a write is performed to the BPF device + associated with the passed BPF descriptor. 
+ - - <function>&mac.mpo;_create_mbuf_from_ifnet</function> + + <function>&mac.mpo;_create_mbuf_from_ifnet</function> - - - void - &mac.mpo;_create_mbuf_from_ifnet + + + void + &mac.mpo;_create_mbuf_from_ifnet - struct ifnet - *ifnet - struct label - *ifnetlabel - struct mbuf - *mbuf - struct label - *mbuflabel - - + struct ifnet + *ifnet + struct label + *ifnetlabel + struct mbuf + *mbuf + struct label + *mbuflabel + + - - - &mac.thead; + + + &mac.thead; - - - ifnet - Network interface - + + + ifnet + Network interface + - - ifnetlabel - Policy label for - ifnetlabel - + + ifnetlabel + Policy label for + ifnetlabel + - - mbuf - mbuf header for new datagram - + + mbuf + mbuf header for new datagram + - - mbuflabel - Policy label to be filled in for - mbuf - - - - + + mbuflabel + Policy label to be filled in for + mbuf + + + + - Set the label on the mbuf header of a newly created - datagram generated from the passed network interface. - + Set the label on the mbuf header of a newly created + datagram generated from the passed network + interface. 
+ - - <function>&mac.mpo;_create_mbuf_multicast_encap</function> + + <function>&mac.mpo;_create_mbuf_multicast_encap</function> - - - void - &mac.mpo;_create_mbuf_multicast_encap + + + void + &mac.mpo;_create_mbuf_multicast_encap + struct mbuf + *oldmbuf + struct label + *oldmbuflabel + struct ifnet + *ifnet + struct label + *ifnetlabel + struct mbuf + *newmbuf + struct label + *newmbuflabel + + - struct mbuf - *oldmbuf - struct label - *oldmbuflabel - struct ifnet - *ifnet - struct label - *ifnetlabel - struct mbuf - *newmbuf - struct label - *newmbuflabel - - + + + &mac.thead; - - - &mac.thead; + + + oldmbuf + mbuf header for existing datagram + - - - oldmbuf - mbuf header for existing datagram - + + oldmbuflabel + Policy label for + oldmbuf + - - oldmbuflabel - Policy label for - oldmbuf - + + ifnet + Network interface + - - ifnet - Network interface - + + ifnetlabel + Policy label for + ifnet + - - ifnetlabel - Policy label for - ifnet - + + newmbuf + mbuf header to be labeled for new + datagram + - - newmbuf - mbuf header to be labeled for new - datagram - + + newmbuflabel + Policy label to be filled in for + newmbuf + + + + - - newmbuflabel - Policy label to be filled in for - newmbuf - - - - + Set the label on the mbuf header of a newly created + datagram generated from the existing passed datagram when + it is processed by the passed multicast encapsulation + interface. This call is made when an mbuf is to be + delivered using the virtual interface. + - Set the label on the mbuf header of a newly created - datagram generated from the existing passed datagram when it - is processed by the passed multicast encapsulation - interface. This call is made when an mbuf is to be - delivered using the virtual interface. 
- + + <function>&mac.mpo;_create_mbuf_netlayer</function> - - <function>&mac.mpo;_create_mbuf_netlayer</function> + + + void + &mac.mpo;_create_mbuf_netlayer - - - void - &mac.mpo;_create_mbuf_netlayer + struct mbuf + *oldmbuf + struct label + *oldmbuflabel + struct mbuf + *newmbuf + struct label + *newmbuflabel + + - struct mbuf - *oldmbuf - struct label - *oldmbuflabel - struct mbuf - *newmbuf - struct label - *newmbuflabel - - + + + &mac.thead; - - - &mac.thead; + + + oldmbuf + Received datagram + - - - oldmbuf - Received datagram - + + oldmbuflabel + Policy label for + oldmbuf + - - oldmbuflabel - Policy label for - oldmbuf - + + newmbuf + Newly created datagram + - - newmbuf - Newly created datagram - + + newmbuflabel + Policy label for + newmbuf + + + + - - newmbuflabel - Policy label for - newmbuf - - - - + Set the label on the mbuf header of a newly created + datagram generated by the IP stack in response to an + existing received datagram + (oldmbuf). This call may be made + in a number of situations, including when responding to + ICMP request datagrams. + - Set the label on the mbuf header of a newly created - datagram generated by the IP stack in response to an - existing received datagram (oldmbuf). - This call may be made in a number of situations, including - when responding to ICMP request datagrams. 
- + + <function>&mac.mpo;_fragment_match</function> - - <function>&mac.mpo;_fragment_match</function> + + + int + &mac.mpo;_fragment_match - - - int - &mac.mpo;_fragment_match + struct mbuf + *fragment + struct label + *fragmentlabel + struct ipq + *ipq + struct label + *ipqlabel + + - struct mbuf - *fragment - struct label - *fragmentlabel - struct ipq - *ipq - struct label - *ipqlabel - - + + + &mac.thead; - - - &mac.thead; + + + fragment + IP datagram fragment + - - - fragment - IP datagram fragment - + + fragmentlabel + Policy label for + fragment + - - fragmentlabel - Policy label for - fragment - + + ipq + IP fragment reassembly queue + - - ipq - IP fragment reassembly queue - + + ipqlabel + Policy label for + ipq + + + + - - ipqlabel - Policy label for - ipq - - - - + Determine whether an mbuf header containing an IP + datagram (fragment) fragment + matches the label of the passed IP fragment reassembly + queue (ipq). Return + (1) for a successful match, or + (0) for no match. This call is + made when the IP stack attempts to find an existing + fragment reassembly queue for a newly received fragment; + if this fails, a new fragment reassembly queue may be + instantiated for the fragment. Policies may use this + entry point to prevent the reassembly of otherwise + matching IP fragments if policy does not permit them to be + reassembled based on the label or other + information. + - Determine whether an mbuf header containing an IP - datagram (fragment) fragment matches - the label of the passed IP fragment reassembly queue - (ipq). Return - (1) for a successful match, or - (0) for no match. This call is - made when the IP stack attempts to find an existing fragment - reassembly queue for a newly received fragment; if this - fails, a new fragment reassembly queue may be instantiated - for the fragment. 
Policies may use this entry point to - prevent the reassembly of otherwise matching IP fragments if - policy does not permit them to be reassembled based on the - label or other information. - + + <function>&mac.mpo;_relabel_ifnet</function> - - <function>&mac.mpo;_relabel_ifnet</function> + + + void + &mac.mpo;_relabel_ifnet - - - void - &mac.mpo;_relabel_ifnet + struct ucred + *cred + struct ifnet + *ifnet + struct label + *ifnetlabel + struct label + *newlabel + + - struct ucred - *cred - struct ifnet - *ifnet - struct label - *ifnetlabel - struct label - *newlabel - - + + + &mac.thead; - - - &mac.thead; + + + cred + Subject credential + - - - cred - Subject credential - + + ifnet + Object; Network interface + - - ifnet - Object; Network interface - + + ifnetlabel + Policy label for + ifnet + - - ifnetlabel - Policy label for - ifnet - + + newlabel + Label update to apply to + ifnet + + + + - - newlabel - Label update to apply to - ifnet - - - - + Update the label of network interface, + ifnet, based on the passed update + label, newlabel, and the passed + subject credential, cred. + - Update the label of network interface, - ifnet, based on the passed update - label, newlabel, and the passed - subject credential, cred. 
- + + <function>&mac.mpo;_update_ipq</function> - - <function>&mac.mpo;_update_ipq</function> + + + void + &mac.mpo;_update_ipq - - - void - &mac.mpo;_update_ipq + struct mbuf + *fragment + struct label + *fragmentlabel + struct ipq + *ipq + struct label + *ipqlabel + + - struct mbuf - *fragment - struct label - *fragmentlabel - struct ipq - *ipq - struct label - *ipqlabel - - + + + &mac.thead; - - - &mac.thead; + + + mbuf + IP fragment + - - - mbuf - IP fragment - + + mbuflabel + Policy label for + mbuf + - - mbuflabel - Policy label for - mbuf - + + ipq + IP fragment reassembly queue + - - ipq - IP fragment reassembly queue - + + ipqlabel + Policy label to be updated for + ipq + + + + - - ipqlabel - Policy label to be updated for - ipq - - - - - - Update the label on an IP fragment reassembly queue - (ipq) based on the acceptance of the - passed IP fragment mbuf header - (mbuf). - + Update the label on an IP fragment reassembly queue + (ipq) based on the acceptance of + the passed IP fragment mbuf header + (mbuf). + - Process Labeling Event Operations + Process Labeling Event Operations - - <function>&mac.mpo;_create_cred</function> + + <function>&mac.mpo;_create_cred</function> - - - void - &mac.mpo;_create_cred + + + void + &mac.mpo;_create_cred - struct ucred - *parent_cred - struct ucred - *child_cred - - + struct ucred + *parent_cred + struct ucred + *child_cred + + - - - &mac.thead; + + + &mac.thead; - - - parent_cred - Parent subject credential - + + + parent_cred + Parent subject credential + - - child_cred - Child subject credential - - - - + + child_cred + Child subject credential + + + + - Set the label of a newly created subject credential from - the passed subject credential. This call will be made when - &man.crcopy.9; is invoked on a newly created struct - ucred. This call should not be confused with a - process forking or creation event. - + Set the label of a newly created subject credential + from the passed subject credential. 
This call will be + made when &man.crcopy.9; is invoked on a newly created + struct ucred. This call should not be + confused with a process forking or creation event. + - - <function>&mac.mpo;_execve_transition</function> + + <function>&mac.mpo;_execve_transition</function> - - - void - &mac.mpo;_execve_transition + + + void + &mac.mpo;_execve_transition - struct ucred - *old - struct ucred - *new - struct vnode - *vp - struct label - *vnodelabel - - + struct ucred + *old + struct ucred + *new + struct vnode + *vp + struct label + *vnodelabel + + - - - &mac.thead; + + + &mac.thead; - - - old - Existing subject credential - Immutable - + + + old + Existing subject credential + Immutable + - - new - New subject credential to be labeled - + + new + New subject credential to be labeled + - - vp - File to execute - Locked - + + vp + File to execute Locked + - - vnodelabel - Policy label for - vp - - - - + + vnodelabel + Policy label for + vp + + + + - Update the label of a newly created subject credential - (new) from the passed existing - subject credential (old) based on a - label transition caused by executing the passed vnode - (vp). This call occurs when a - process executes the passed vnode and one of the policies - returns a success from the - mpo_execve_will_transition entry point. - Policies may choose to implement this call simply by - invoking mpo_create_cred and passing - the two subject credentials so as not to implement a - transitioning event. Policies should not leave this entry - point unimplemented if they implement - mpo_create_cred, even if they do not - implement - mpo_execve_will_transition. - + Update the label of a newly created subject credential + (new) from the passed existing + subject credential (old) based on a + label transition caused by executing the passed vnode + (vp). This call occurs when a + process executes the passed vnode and one of the policies + returns a success from the + mpo_execve_will_transition entry + point. 
Policies may choose to implement this call simply + by invoking mpo_create_cred and + passing the two subject credentials so as not to implement + a transitioning event. Policies should not leave this + entry point unimplemented if they implement + mpo_create_cred, even if they do not + implement + mpo_execve_will_transition. + - - <function>&mac.mpo;_execve_will_transition</function> + + <function>&mac.mpo;_execve_will_transition</function> - - - int - &mac.mpo;_execve_will_transition + + + int + &mac.mpo;_execve_will_transition - struct ucred - *old - struct vnode - *vp - struct label - *vnodelabel - - + struct ucred + *old + struct vnode + *vp + struct label + *vnodelabel + + - - - &mac.thead; + + + &mac.thead; - - - old - Subject credential prior to - &man.execve.2; - Immutable - + + + old + Subject credential prior to + &man.execve.2; + Immutable + - - vp - File to execute - + + vp + File to execute + - - vnodelabel - Policy label for - vp - - - - + + vnodelabel + Policy label for + vp + + + + - Determine whether the policy will want to perform a - transition event as a result of the execution of the passed - vnode by the passed subject credential. Return - 1 if a transition is required, - 0 if not. Even if a policy - returns 0, it should behave - correctly in the presence of an unexpected invocation of - mpo_execve_transition, as that call may - happen as a result of another policy requesting a - transition. - + Determine whether the policy will want to perform a + transition event as a result of the execution of the + passed vnode by the passed subject credential. Return + 1 if a transition is required, + 0 if not. Even if a policy + returns 0, it should behave + correctly in the presence of an unexpected invocation of + mpo_execve_transition, as that call + may happen as a result of another policy requesting a + transition. 
+ - - <function>&mac.mpo;_create_proc0</function> + + <function>&mac.mpo;_create_proc0</function> - - - void - &mac.mpo;_create_proc0 + + + void + &mac.mpo;_create_proc0 - struct ucred - *cred - - + struct ucred + *cred + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential to be filled in - - - - + + + cred + Subject credential to be filled in + + + + - Create the subject credential of process 0, the parent - of all kernel processes. - + Create the subject credential of process 0, the parent + of all kernel processes. + - - <function>&mac.mpo;_create_proc1</function> + + <function>&mac.mpo;_create_proc1</function> - - - void - &mac.mpo;_create_proc1 + + + void + &mac.mpo;_create_proc1 - struct ucred - *cred - - + struct ucred + *cred + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential to be filled in - - - - + + + cred + Subject credential to be filled in + + + + - Create the subject credential of process 1, the parent - of all user processes. - + Create the subject credential of process 1, the parent + of all user processes. + - - <function>&mac.mpo;_relabel_cred</function> + + <function>&mac.mpo;_relabel_cred</function> - - - void - &mac.mpo;_relabel_cred + + + void + &mac.mpo;_relabel_cred - struct ucred - *cred - struct label - *newlabel - - + struct ucred + *cred + struct label + *newlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - newlabel - Label update to apply to - cred - - - - + + newlabel + Label update to apply to + cred + + + + - Update the label on a subject credential from the passed - update label. - + Update the label on a subject credential from the + passed update label. + Access Control Checks Access control entry points permit policy modules to - influence access control decisions made by the kernel. 
- Generally, although not always, arguments to an access control - entry point will include one or more authorizing credentials, - information (possibly including a label) for any other objects - involved in the operation. An access control entry point may - return 0 to permit the operation, or an &man.errno.2; error - value. The results of invoking the entry point across various - registered policy modules will be composed as follows: if all - modules permit the operation to succeed, success will be - returned. If one or modules returns a failure, a failure will - be returned. If more than one module returns a failure, the - errno value to return to the user will be selected using the - following precedence, implemented by the - error_select() function in - kern_mac.c: + influence access control decisions made by the kernel. + Generally, although not always, arguments to an access control + entry point will include one or more authorizing credentials, + information (possibly including a label) for any other objects + involved in the operation. An access control entry point may + return 0 to permit the operation, or an &man.errno.2; error + value. The results of invoking the entry point across various + registered policy modules will be composed as follows: if all + modules permit the operation to succeed, success will be + returned. If one or modules returns a failure, a failure will + be returned. 
If more than one module returns a failure, the + errno value to return to the user will be selected using the + following precedence, implemented by the + error_select() function in + kern_mac.c: - - - - Most precedence - EDEADLK + + + + Most precedence + EDEADLK + - - - EINVAL - - - - ESRCH - - - - EACCES - - - Least precedence - EPERM - - - + + + EINVAL + + + + + ESRCH + + + + + EACCES + + + + Least precedence + EPERM + + + If none of the error values returned by all modules are - listed in the precedence chart then an arbitrarily selected - value from the set will be returned. In general, the rules - provide precedence to errors in the following order: kernel - failures, invalid arguments, object not present, access not - permitted, other. + listed in the precedence chart then an arbitrarily selected + value from the set will be returned. In general, the rules + provide precedence to errors in the following order: kernel + failures, invalid arguments, object not present, access not + permitted, other. - <function>&mac.mpo;_check_bpfdesc_receive</function> + <function>&mac.mpo;_check_bpfdesc_receive</function> - - - int - &mac.mpo;_check_bpfdesc_receive + + + int + &mac.mpo;_check_bpfdesc_receive - struct bpf_d - *bpf_d - struct label - *bpflabel - struct ifnet - *ifnet - struct label - *ifnetlabel - - + struct bpf_d + *bpf_d + struct label + *bpflabel + struct ifnet + *ifnet + struct label + *ifnetlabel + + - - - &mac.thead; + + + &mac.thead; - - - bpf_d - Subject; BPF descriptor - + + + bpf_d + Subject; BPF descriptor + - - bpflabel - Policy label for - bpf_d - + + bpflabel + Policy label for + bpf_d + - - ifnet - Object; network interface - + + ifnet + Object; network interface + - - ifnetlabel - Policy label for - ifnet - - - - + + ifnetlabel + Policy label for + ifnet + + + + - Determine whether the MAC framework should permit - datagrams from the passed interface to be delivered to the - buffers of the passed BPF descriptor. 
Return - (0) for success, or an - errno value for failure Suggested - failure: EACCES for label mismatches, - EPERM for lack of privilege. + Determine whether the MAC framework should permit + datagrams from the passed interface to be delivered to the + buffers of the passed BPF descriptor. Return + (0) for success, or an + errno value for failure Suggested + failure: EACCES for label mismatches, + EPERM for lack of privilege. - <function>&mac.mpo;_check_kenv_dump</function> + <function>&mac.mpo;_check_kenv_dump</function> - - - int - &mac.mpo;_check_kenv_dump + + + int + &mac.mpo;_check_kenv_dump - struct ucred - *cred - - + struct ucred + *cred + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - - - - + + + cred + Subject credential + + + + - Determine whether the subject should be allowed to - retrieve the kernel environment (see &man.kenv.2;). + Determine whether the subject should be allowed to + retrieve the kernel environment (see &man.kenv.2;). - <function>&mac.mpo;_check_kenv_get</function> + <function>&mac.mpo;_check_kenv_get</function> - - - int - &mac.mpo;_check_kenv_get + + + int + &mac.mpo;_check_kenv_get - struct ucred - *cred - char *name - - + struct ucred + *cred + char *name + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - name - Kernel environment variable name - - - - + + name + Kernel environment variable name + + + + - Determine whether the subject should be allowed to - retrieve the value of the specified kernel environment - variable. + Determine whether the subject should be allowed to + retrieve the value of the specified kernel environment + variable. 
- <function>&mac.mpo;_check_kenv_set</function> + <function>&mac.mpo;_check_kenv_set</function> - - - int - &mac.mpo;_check_kenv_set + + + int + &mac.mpo;_check_kenv_set - struct ucred - *cred - char *name - - + struct ucred + *cred + char *name + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - name - Kernel environment variable name - - - - + + name + Kernel environment variable name + + + + - Determine whether the subject should be allowed to set - the specified kernel environment variable. + Determine whether the subject should be allowed to set + the specified kernel environment variable. - <function>&mac.mpo;_check_kenv_unset</function> + <function>&mac.mpo;_check_kenv_unset</function> - - - int - &mac.mpo;_check_kenv_unset + + + int + &mac.mpo;_check_kenv_unset - struct ucred - *cred - char *name - - + struct ucred + *cred + char *name + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - name - Kernel environment variable name - - - - + + name + Kernel environment variable name + + + + - Determine whether the subject should be allowed to unset - the specified kernel environment variable. + Determine whether the subject should be allowed to unset + the specified kernel environment variable. 
- <function>&mac.mpo;_check_kld_load</function> + <function>&mac.mpo;_check_kld_load</function> - - - int - &mac.mpo;_check_kld_load + + + int + &mac.mpo;_check_kld_load - struct ucred - *cred - struct vnode - *vp - struct label - *vlabel - - + struct ucred + *cred + struct vnode + *vp + struct label + *vlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Kernel module vnode - + + vp + Kernel module vnode + - - vlabel - Label associated with - vp - - - - + + vlabel + Label associated with + vp + + + + - Determine whether the subject should be allowed to load - the specified module file. + Determine whether the subject should be allowed to load + the specified module file. - <function>&mac.mpo;_check_kld_stat</function> + <function>&mac.mpo;_check_kld_stat</function> - - - int - &mac.mpo;_check_kld_stat + + + int + &mac.mpo;_check_kld_stat - struct ucred - *cred - - + struct ucred + *cred + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - - - - + + + cred + Subject credential + + + + - Determine whether the subject should be allowed to - retrieve a list of loaded kernel module files and associated - statistics. + Determine whether the subject should be allowed to + retrieve a list of loaded kernel module files and associated + statistics. - <function>&mac.mpo;_check_kld_unload</function> + <function>&mac.mpo;_check_kld_unload</function> - - - int - &mac.mpo;_check_kld_unload + + + int + &mac.mpo;_check_kld_unload - struct ucred - *cred - - + struct ucred + *cred + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - - - - + + + cred + Subject credential + + + + - Determine whether the subject should be allowed to - unload a kernel module. + Determine whether the subject should be allowed to + unload a kernel module. 
- <function>&mac.mpo;_check_pipe_ioctl</function> + <function>&mac.mpo;_check_pipe_ioctl</function> - - - int - &mac.mpo;_check_pipe_ioctl + + + int + &mac.mpo;_check_pipe_ioctl - struct ucred - *cred - struct pipe - *pipe - struct label - *pipelabel - unsigned long - cmd - void *data - - + struct ucred + *cred + struct pipe + *pipe + struct label + *pipelabel + unsigned long + cmd + void *data + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - pipe - Pipe - + + pipe + Pipe + - - pipelabel - Policy label associated with - pipe - + + pipelabel + Policy label associated with + pipe + - - cmd - &man.ioctl.2; command - + + cmd + &man.ioctl.2; command + - - data - &man.ioctl.2; data - - - - + + data + &man.ioctl.2; data + + + + - Determine whether the subject should be allowed to make - the specified &man.ioctl.2; call. + Determine whether the subject should be allowed to make + the specified &man.ioctl.2; call. - <function>&mac.mpo;_check_pipe_poll</function> + <function>&mac.mpo;_check_pipe_poll</function> - - - int - &mac.mpo;_check_pipe_poll + + + int + &mac.mpo;_check_pipe_poll - struct ucred - *cred - struct pipe - *pipe - struct label - *pipelabel - - + struct ucred + *cred + struct pipe + *pipe + struct label + *pipelabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - pipe - Pipe - + + pipe + Pipe + - - pipelabel - Policy label associated with - pipe - - - - + + pipelabel + Policy label associated with + pipe + + + + - Determine whether the subject should be allowed to poll - pipe. + Determine whether the subject should be allowed to poll + pipe. 
- <function>&mac.mpo;_check_pipe_read</function> + <function>&mac.mpo;_check_pipe_read</function> - - - int - &mac.mpo;_check_pipe_read + + + int + &mac.mpo;_check_pipe_read - struct ucred - *cred - struct pipe - *pipe - struct label - *pipelabel - - + struct ucred + *cred + struct pipe + *pipe + struct label + *pipelabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - pipe - Pipe - + + pipe + Pipe + - - pipelabel - Policy label associated with - pipe - - - - + + pipelabel + Policy label associated with + pipe + + + + - Determine whether the subject should be allowed read - access to pipe. + Determine whether the subject should be allowed read + access to pipe. - <function>&mac.mpo;_check_pipe_relabel</function> + <function>&mac.mpo;_check_pipe_relabel</function> - - - int - &mac.mpo;_check_pipe_relabel + + + int + &mac.mpo;_check_pipe_relabel - struct ucred - *cred - struct pipe - *pipe - struct label - *pipelabel - struct label - *newlabel - - + struct ucred + *cred + struct pipe + *pipe + struct label + *pipelabel + struct label + *newlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - pipe - Pipe - + + pipe + Pipe + - - pipelabel - Current policy label associated with - pipe - + + pipelabel + Current policy label associated with + pipe + - - newlabel - Label update to - pipelabel - - - - + + newlabel + Label update to + pipelabel + + + + - Determine whether the subject should be allowed to - relabel pipe. + Determine whether the subject should be allowed to + relabel pipe. 
- <function>&mac.mpo;_check_pipe_stat</function> + <function>&mac.mpo;_check_pipe_stat</function> - - - int - &mac.mpo;_check_pipe_stat + + + int + &mac.mpo;_check_pipe_stat - struct ucred - *cred - struct pipe - *pipe - struct label - *pipelabel - - + struct ucred + *cred + struct pipe + *pipe + struct label + *pipelabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - pipe - Pipe - + + pipe + Pipe + - - pipelabel - Policy label associated with - pipe - - - - + + pipelabel + Policy label associated with + pipe + + + + - Determine whether the subject should be allowed to - retrieve statistics related to - pipe. + Determine whether the subject should be allowed to + retrieve statistics related to + pipe. - <function>&mac.mpo;_check_pipe_write</function> + <function>&mac.mpo;_check_pipe_write</function> - - - int - &mac.mpo;_check_pipe_write + + + int + &mac.mpo;_check_pipe_write - struct ucred - *cred - struct pipe - *pipe - struct label - *pipelabel - - + struct ucred + *cred + struct pipe + *pipe + struct label + *pipelabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - pipe - Pipe - + + pipe + Pipe + - - pipelabel - Policy label associated with - pipe - - - - + + pipelabel + Policy label associated with + pipe + + + + - Determine whether the subject should be allowed to write - to pipe. + Determine whether the subject should be allowed to write + to pipe. 
- <function>&mac.mpo;_check_socket_bind</function> + <function>&mac.mpo;_check_socket_bind</function> - - - int - &mac.mpo;_check_socket_bind + + + int + &mac.mpo;_check_socket_bind - struct ucred - *cred - struct socket - *socket - struct label - *socketlabel - struct sockaddr - *sockaddr - - + struct ucred + *cred + struct socket + *socket + struct label + *socketlabel + struct sockaddr + *sockaddr + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - socket - Socket to be bound - + + socket + Socket to be bound + - - socketlabel - Policy label for - socket - + + socketlabel + Policy label for + socket + - - sockaddr - Address of - socket - - - - - + + sockaddr + Address of + socket + + + + - - <function>&mac.mpo;_check_socket_connect</function> + <function>&mac.mpo;_check_socket_connect</function> - - - int - &mac.mpo;_check_socket_connect + + + int + &mac.mpo;_check_socket_connect - struct ucred - *cred - struct socket - *socket - struct label - *socketlabel - struct sockaddr - *sockaddr - - + struct ucred + *cred + struct socket + *socket + struct label + *socketlabel + struct sockaddr + *sockaddr + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - socket - Socket to be connected - + + socket + Socket to be connected + - - socketlabel - Policy label for - socket - + + socketlabel + Policy label for + socket + - - sockaddr - Address of - socket - - - - + + sockaddr + Address of + socket + + + + - Determine whether the subject credential - (cred) can connect the passed socket - (socket) to the passed socket address - (sockaddr). Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatches, - EPERM for lack of privilege. + Determine whether the subject credential + (cred) can connect the passed socket + (socket) to the passed socket address + (sockaddr). 
Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatches, + EPERM for lack of privilege. - <function>&mac.mpo;_check_socket_receive</function> + <function>&mac.mpo;_check_socket_receive</function> - - - int - &mac.mpo;_check_socket_receive + + + int + &mac.mpo;_check_socket_receive - struct ucred - *cred - struct socket - *so - struct label - *socketlabel - - + struct ucred + *cred + struct socket + *so + struct label + *socketlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - so - Socket - + + so + Socket + - - socketlabel - Policy label associated with - so - - - - + + socketlabel + Policy label associated with + so + + + + - Determine whether the subject should be allowed to - receive information from the socket - so. + Determine whether the subject should be allowed to + receive information from the socket + so. - <function>&mac.mpo;_check_socket_send</function> + <function>&mac.mpo;_check_socket_send</function> - - - int - &mac.mpo;_check_socket_send + + + int + &mac.mpo;_check_socket_send - struct ucred - *cred - struct socket - *so - struct label - *socketlabel - - + struct ucred + *cred + struct socket + *so + struct label + *socketlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - so - Socket - + + so + Socket + - - socketlabel - Policy label associated with - so - - - - + + socketlabel + Policy label associated with + so + + + + - Determine whether the subject should be allowed to send - information across the socket - so. + Determine whether the subject should be allowed to send + information across the socket + so. 
- <function>&mac.mpo;_check_cred_visible</function> + <function>&mac.mpo;_check_cred_visible</function> - - - int - &mac.mpo;_check_cred_visible + + + int + &mac.mpo;_check_cred_visible - struct ucred - *u1 - struct ucred - *u2 - - + struct ucred + *u1 + struct ucred + *u2 + + - - - &mac.thead; + + + &mac.thead; - - - u1 - Subject credential - + + + u1 + Subject credential + - - u2 - Object credential - - - - + + u2 + Object credential + + + + - Determine whether the subject credential - u1 can see other - subjects with the passed subject credential - u2. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatches, - EPERM for lack of privilege, or - ESRCH to hide visibility. This call - may be made in a number of situations, including - inter-process status sysctl's used by ps, - and in procfs lookups. + Determine whether the subject credential + u1 can see other + subjects with the passed subject credential + u2. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatches, + EPERM for lack of privilege, or + ESRCH to hide visibility. This call + may be made in a number of situations, including + inter-process status sysctl's used by ps, + and in procfs lookups. 
- <function>&mac.mpo;_check_socket_visible</function> + <function>&mac.mpo;_check_socket_visible</function> - - - int - &mac.mpo;_check_socket_visible + + + int + &mac.mpo;_check_socket_visible - struct ucred - *cred - struct socket - *socket - struct label - *socketlabel - - + struct ucred + *cred + struct socket + *socket + struct label + *socketlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - socket - Object; socket - + + socket + Object; socket + - - socketlabel - Policy label for - socket - - - - - + + socketlabel + Policy label for + socket + + + + - <function>&mac.mpo;_check_ifnet_relabel</function> + <function>&mac.mpo;_check_ifnet_relabel</function> - - - int - &mac.mpo;_check_ifnet_relabel + + + int + &mac.mpo;_check_ifnet_relabel - struct ucred - *cred - struct ifnet - *ifnet - struct label - *ifnetlabel - struct label - *newlabel - - + struct ucred + *cred + struct ifnet + *ifnet + struct label + *ifnetlabel + struct label + *newlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - ifnet - Object; network interface - + + ifnet + Object; network interface + - - ifnetlabel - Existing policy label for - ifnet - + + ifnetlabel + Existing policy label for + ifnet + - - newlabel - Policy label update to later be applied to - ifnet - - - - + + newlabel + Policy label update to later be applied to + ifnet + + + + - Determine whether the subject credential can relabel the - passed network interface to the passed label update. + Determine whether the subject credential can relabel the + passed network interface to the passed label update. 
- <function>&mac.mpo;_check_socket_relabel</function> + <function>&mac.mpo;_check_socket_relabel</function> - - - int - &mac.mpo;_check_socket_relabel + + + int + &mac.mpo;_check_socket_relabel - struct ucred - *cred - struct socket - *socket - struct label - *socketlabel - struct label - *newlabel - - + struct ucred + *cred + struct socket + *socket + struct label + *socketlabel + struct label + *newlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - socket - Object; socket - + + socket + Object; socket + - - socketlabel - Existing policy label for - socket - + + socketlabel + Existing policy label for + socket + - - newlabel - Label update to later be applied to - socketlabel - - - - + + newlabel + Label update to later be applied to + socketlabel + + + + - Determine whether the subject credential can relabel the - passed socket to the passed label update. + Determine whether the subject credential can relabel the + passed socket to the passed label update. - <function>&mac.mpo;_check_cred_relabel</function> + <function>&mac.mpo;_check_cred_relabel</function> - - - int - &mac.mpo;_check_cred_relabel + + + int + &mac.mpo;_check_cred_relabel - struct ucred - *cred - struct label - *newlabel - - + struct ucred + *cred + struct label + *newlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - newlabel - Label update to later be applied to - cred - - - - + + newlabel + Label update to later be applied to + cred + + + + - Determine whether the subject credential can relabel - itself to the passed label update. + Determine whether the subject credential can relabel + itself to the passed label update. 
- <function>&mac.mpo;_check_vnode_relabel</function> + <function>&mac.mpo;_check_vnode_relabel</function> - - - int - &mac.mpo;_check_vnode_relabel + + + int + &mac.mpo;_check_vnode_relabel - struct ucred - *cred - struct vnode - *vp - struct label - *vnodelabel - struct label - *newlabel - - + struct ucred + *cred + struct vnode + *vp + struct label + *vnodelabel + struct label + *newlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - Immutable - + + + cred + Subject credential + Immutable + - - vp - Object; vnode - Locked - + + vp + Object; vnode + Locked + - - vnodelabel - Existing policy label for - vp - + + vnodelabel + Existing policy label for + vp + - - newlabel - Policy label update to later be applied to - vp - - - - + + newlabel + Policy label update to later be applied to + vp + + + + - Determine whether the subject credential can relabel the - passed vnode to the passed label update. + Determine whether the subject credential can relabel the + passed vnode to the passed label update. - <function>&mac.mpo;_check_mount_stat</function> + <function>&mac.mpo;_check_mount_stat</function> - - - int &mac.mpo;_check_mount_stat + + + int + &mac.mpo;_check_mount_stat - struct ucred - *cred - struct mount - *mp - struct label - *mountlabel - - + struct ucred + *cred + struct mount + *mp + struct label + *mountlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - mp - Object; file system mount - + + mp + Object; file system mount + - - mountlabel - Policy label for - mp - - - - + + mountlabel + Policy label for + mp + + + + - Determine whether the subject credential can see the - results of a statfs performed on the file system. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatches - or EPERM for lack of privilege. 
This - call may be made in a number of situations, including during - invocations of &man.statfs.2; and related calls, as well as to - determine what file systems to exclude from listings of file - systems, such as when &man.getfsstat.2; is invoked. + Determine whether the subject credential can see the + results of a statfs performed on the file system. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatches + or EPERM for lack of privilege. This + call may be made in a number of situations, including during + invocations of &man.statfs.2; and related calls, as well as + to determine what file systems to exclude from listings of + file systems, such as when &man.getfsstat.2; is + invoked. - <function>&mac.mpo;_check_proc_debug</function> + <function>&mac.mpo;_check_proc_debug</function> - - - int - &mac.mpo;_check_proc_debug + + + int + &mac.mpo;_check_proc_debug - struct ucred - *cred - struct proc - *proc - - + struct ucred + *cred + struct proc + *proc + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - Immutable - + + + cred + Subject credential + Immutable + - - proc - Object; process - - - - + + proc + Object; process + + + + - Determine whether the subject credential can debug the - passed process. Return 0 for - success, or an errno value for failure. - Suggested failure: EACCES for label - mismatch, EPERM for lack of - privilege, or ESRCH to hide - visibility of the target. This call may be made in a number - of situations, including use of the &man.ptrace.2; and - &man.ktrace.2; APIs, as well as for some types of procfs - operations. + Determine whether the subject credential can debug the + passed process. Return 0 for + success, or an errno value for failure. + Suggested failure: EACCES for label + mismatch, EPERM for lack of + privilege, or ESRCH to hide + visibility of the target. 
This call may be made in a number + of situations, including use of the &man.ptrace.2; and + &man.ktrace.2; APIs, as well as for some types of procfs + operations. - <function>&mac.mpo;_check_vnode_access</function> + <function>&mac.mpo;_check_vnode_access</function> - - - int - &mac.mpo;_check_vnode_access + + + int + &mac.mpo;_check_vnode_access - struct ucred - *cred - struct vnode - *vp - struct label - *label - int flags - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + int flags + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vnode - + + vp + Object; vnode + - - label - Policy label for - vp - + + label + Policy label for + vp + - - flags - &man.access.2; flags - - - - + + flags + &man.access.2; flags + + + + - Determine how invocations of &man.access.2; and related - calls by the subject credential should return when performed - on the passed vnode using the passed access flags. This - should generally be implemented using the same semantics - used in &mac.mpo;_check_vnode_open. - Return 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatches - or EPERM for lack of - privilege. + Determine how invocations of &man.access.2; and related + calls by the subject credential should return when performed + on the passed vnode using the passed access flags. This + should generally be implemented using the same semantics + used in &mac.mpo;_check_vnode_open. + Return 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatches + or EPERM for lack of + privilege. 
- <function>&mac.mpo;_check_vnode_chdir</function> + <function>&mac.mpo;_check_vnode_chdir</function> - - - int - &mac.mpo;_check_vnode_chdir + + + int + &mac.mpo;_check_vnode_chdir - struct ucred - *cred - struct vnode - *dvp - struct label - *dlabel - - + struct ucred + *cred + struct vnode + *dvp + struct label + *dlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - dvp - Object; vnode to &man.chdir.2; into - + + dvp + Object; vnode to &man.chdir.2; into + - - dlabel - Policy label for - dvp - - - - + + dlabel + Policy label for + dvp + + + + - Determine whether the subject credential can change the - process working directory to the passed vnode. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the subject credential can change the + process working directory to the passed vnode. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of + privilege. - <function>&mac.mpo;_check_vnode_chroot</function> + <function>&mac.mpo;_check_vnode_chroot</function> - - - int - &mac.mpo;_check_vnode_chroot + + + int + &mac.mpo;_check_vnode_chroot - struct ucred - *cred - struct vnode - *dvp - struct label - *dlabel - - + struct ucred + *cred + struct vnode + *dvp + struct label + *dlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - dvp - Directory vnode - + + dvp + Directory vnode + - - dlabel - Policy label associated with - dvp - - - - + + dlabel + Policy label associated with + dvp + + + + - Determine whether the subject should be allowed to - &man.chroot.2; into the specified directory - (dvp). + Determine whether the subject should be allowed to + &man.chroot.2; into the specified directory + (dvp). 
- <function>&mac.mpo;_check_vnode_create</function> + <function>&mac.mpo;_check_vnode_create</function> - - - int - &mac.mpo;_check_vnode_create + + + int + &mac.mpo;_check_vnode_create - struct ucred - *cred - struct vnode - *dvp - struct label - *dlabel - struct componentname - *cnp - struct vattr - *vap - - + struct ucred + *cred + struct vnode + *dvp + struct label + *dlabel + struct componentname + *cnp + struct vattr + *vap + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - dvp - Object; vnode - + + dvp + Object; vnode + - - dlabel - Policy label for - dvp - + + dlabel + Policy label for + dvp + - - cnp - Component name for - dvp - + + cnp + Component name for + dvp + - - vap - vnode attributes for vap - - - - + + vap + vnode attributes for + vap + + + + - Determine whether the subject credential can create a - vnode with the passed parent directory, passed name - information, and passed attribute information. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - or EPERM for lack of privilege. - This call may be made in a number of situations, including - as a result of calls to &man.open.2; with - O_CREAT, &man.mkfifo.2;, and - others. + Determine whether the subject credential can create a + vnode with the passed parent directory, passed name + information, and passed attribute information. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of privilege. This + call may be made in a number of situations, including as a + result of calls to &man.open.2; with + O_CREAT, &man.mkfifo.2;, and others. 
- <function>&mac.mpo;_check_vnode_delete</function> + <function>&mac.mpo;_check_vnode_delete</function> - - - int - &mac.mpo;_check_vnode_delete + + + int + &mac.mpo;_check_vnode_delete - struct ucred - *cred - struct vnode - *dvp - struct label - *dlabel - struct vnode - *vp - void *label - struct componentname - *cnp - - + struct ucred + *cred + struct vnode + *dvp + struct label + *dlabel + struct vnode + *vp + void *label + struct componentname + *cnp + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - dvp - Parent directory vnode - + + dvp + Parent directory vnode + - - dlabel - Policy label for - dvp - + + dlabel + Policy label for + dvp + - - vp - Object; vnode to delete - + + vp + Object; vnode to delete + - - label - Policy label for - vp - + + label + Policy label for + vp + - - cnp - Component name for - vp - - - - + + cnp + Component name for + vp + + + + - Determine whether the subject credential can delete a - vnode from the passed parent directory and passed name - information. Return 0 for - success, or an errno value for failure. - Suggested failure: EACCES for label - mismatch, or EPERM for lack of - privilege. This call may be made in a number of situations, - including as a result of calls to &man.unlink.2; and - &man.rmdir.2;. Policies implementing this entry point - should also implement - mpo_check_rename_to to authorize - deletion of objects as a result of being the target of a - rename. + Determine whether the subject credential can delete a + vnode from the passed parent directory and passed name + information. Return 0 for + success, or an errno value for failure. + Suggested failure: EACCES for label + mismatch, or EPERM for lack of + privilege. This call may be made in a number of situations, + including as a result of calls to &man.unlink.2; and + &man.rmdir.2;. 
Policies implementing this entry point + should also implement + mpo_check_rename_to to authorize + deletion of objects as a result of being the target of a + rename. - <function>&mac.mpo;_check_vnode_deleteacl</function> + <function>&mac.mpo;_check_vnode_deleteacl</function> - - - int - &mac.mpo;_check_vnode_deleteacl + + + int + &mac.mpo;_check_vnode_deleteacl - struct ucred *cred - struct vnode *vp - struct label *label - acl_type_t type - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + acl_type_t + type + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - Immutable - + + + cred + Subject credential + Immutable + - - vp - Object; vnode - Locked - + + vp + Object; vnode + Locked + - - label - Policy label for - vp - + + label + Policy label for + vp + - - type - ACL type - - - - + + type + ACL type + + + + - Determine whether the subject credential can delete the - ACL of passed type from the passed vnode. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the subject credential can delete the + ACL of passed type from the passed vnode. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of + privilege. 
- <function>&mac.mpo;_check_vnode_exec</function> + <function>&mac.mpo;_check_vnode_exec</function> - - - int - &mac.mpo;_check_vnode_exec + + + int + &mac.mpo;_check_vnode_exec - struct ucred - *cred - struct vnode - *vp - struct label - *label - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vnode to execute - + + vp + Object; vnode to execute + - - label - Policy label for - vp - - - - + + label + Policy label for + vp + + + + - Determine whether the subject credential can execute the - passed vnode. Determination of execute privilege is made - separately from decisions about any transitioning event. - Return 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the subject credential can execute the + passed vnode. Determination of execute privilege is made + separately from decisions about any transitioning event. + Return 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of + privilege. - <function>&mac.mpo;_check_vnode_getacl</function> + <function>&mac.mpo;_check_vnode_getacl</function> - - - int - &mac.mpo;_check_vnode_getacl + + + int + &mac.mpo;_check_vnode_getacl - struct ucred - *cred - struct vnode - *vp - struct label - *label - acl_type_t - type - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + acl_type_t + type + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vnode - + + vp + Object; vnode + - - label - Policy label for - vp - + + label + Policy label for + vp + - - type - ACL type - - - - + + type + ACL type + + + + - Determine whether the subject credential can retrieve - the ACL of passed type from the passed vnode. 
Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the subject credential can retrieve + the ACL of passed type from the passed vnode. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of + privilege. - <function>&mac.mpo;_check_vnode_getextattr</function> + <function>&mac.mpo;_check_vnode_getextattr</function> - - - int - &mac.mpo;_check_vnode_getextattr + + + int + &mac.mpo;_check_vnode_getextattr - struct ucred - *cred - struct vnode - *vp - struct label - *label - int - attrnamespace - const char - *name - struct uio - *uio - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + int + attrnamespace + const char + *name + struct uio + *uio + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vnode - + + vp + Object; vnode + - - label - Policy label for - vp - + + label + Policy label for + vp + - - attrnamespace - Extended attribute namespace - + + attrnamespace + Extended attribute namespace + - - name - Extended attribute name - + + name + Extended attribute name + - - uio - I/O structure pointer; see &man.uio.9; - - - - + + uio + I/O structure pointer; see &man.uio.9; + + + + - Determine whether the subject credential can retrieve - the extended attribute with the passed namespace and name - from the passed vnode. Policies implementing labeling using - extended attributes may be interested in special handling of - operations on those extended attributes. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the subject credential can retrieve + the extended attribute with the passed namespace and name + from the passed vnode. 
Policies implementing labeling using + extended attributes may be interested in special handling of + operations on those extended attributes. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of + privilege. - <function>&mac.mpo;_check_vnode_link</function> + <function>&mac.mpo;_check_vnode_link</function> - - - int - &mac.mpo;_check_vnode_link + + + int + &mac.mpo;_check_vnode_link - struct ucred - *cred - struct vnode - *dvp - struct label - *dlabel - struct vnode - *vp - struct label - *label - struct componentname - *cnp - - + struct ucred + *cred + struct vnode + *dvp + struct label + *dlabel + struct vnode + *vp + struct label + *label + struct componentname + *cnp + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - dvp - Directory vnode - + + dvp + Directory vnode + - - dlabel - Policy label associated with - dvp - + + dlabel + Policy label associated with + dvp + - - vp - Link destination vnode - + + vp + Link destination vnode + - - label - Policy label associated with - vp - + + label + Policy label associated with + vp + - - cnp - Component name for the link being created - - - - + + cnp + Component name for the link being + created + + + + - Determine whether the subject should be allowed to - create a link to the vnode vp with - the name specified by cnp. + Determine whether the subject should be allowed to + create a link to the vnode vp with + the name specified by cnp. 
- <function>&mac.mpo;_check_vnode_mmap</function> + <function>&mac.mpo;_check_vnode_mmap</function> - - - int - &mac.mpo;_check_vnode_mmap + + + int + &mac.mpo;_check_vnode_mmap - struct ucred - *cred - struct vnode - *vp - struct label - *label - int prot - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + int prot + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Vnode to map - + + vp + Vnode to map + - - label - Policy label associated with - vp - + + label + Policy label associated with + vp + - - prot - Mmap protections (see &man.mmap.2;) - - - - + + prot + Mmap protections (see &man.mmap.2;) + + + + - Determine whether the subject should be allowed to map - the vnode vp with the protections - specified in prot. + Determine whether the subject should be allowed to map + the vnode vp with the protections + specified in prot. - <function>&mac.mpo;_check_vnode_mmap_downgrade</function> + <function>&mac.mpo;_check_vnode_mmap_downgrade</function> - - - void - &mac.mpo;_check_vnode_mmap_downgrade + + + void + &mac.mpo;_check_vnode_mmap_downgrade - struct ucred - *cred - struct vnode - *vp - struct label - *label - int *prot - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + int *prot + + - - - &mac.thead; + + + &mac.thead; - - - cred - See - . - + + + cred + See . + - - vp - + + vp + - - label - + + label + - - prot - Mmap protections to be downgraded - - - - + + prot + Mmap protections to be downgraded + + + + - Downgrade the mmap protections based on the subject and - object labels. + Downgrade the mmap protections based on the subject and + object labels. 
- <function>&mac.mpo;_check_vnode_mprotect</function> + <function>&mac.mpo;_check_vnode_mprotect</function> - - - int - &mac.mpo;_check_vnode_mprotect + + + int + &mac.mpo;_check_vnode_mprotect - struct ucred - *cred - struct vnode - *vp - struct label - *label - int prot - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + int prot + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Mapped vnode - + + vp + Mapped vnode + - - prot - Memory protections - - - - + + prot + Memory protections + + + + - Determine whether the subject should be allowed to - set the specified memory protections on memory mapped from - the vnode vp. + Determine whether the subject should be allowed to set + the specified memory protections on memory mapped from the + vnode vp. - <function>&mac.mpo;_check_vnode_poll</function> + <function>&mac.mpo;_check_vnode_poll</function> - - - int - &mac.mpo;_check_vnode_poll + + + int + &mac.mpo;_check_vnode_poll - struct ucred - *active_cred - struct ucred - *file_cred - struct vnode - *vp - struct label - *label - - + struct ucred + *active_cred + struct ucred + *file_cred + struct vnode + *vp + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - active_cred - Subject credential - + + + active_cred + Subject credential + - - file_cred - Credential associated with the struct - file - + + file_cred + Credential associated with the struct + file + - - vp - Polled vnode - + + vp + Polled vnode + - - label - Policy label associated with - vp - - - - + + label + Policy label associated with + vp + + + + - Determine whether the subject should be allowed to poll - the vnode vp. + Determine whether the subject should be allowed to poll + the vnode vp. 
- <function>&mac.mpo;_check_vnode_rename_from</function> + <function>&mac.mpo;_check_vnode_rename_from</function> - - - int - &mac.mpo;_vnode_rename_from + + + int + &mac.mpo;_vnode_rename_from - struct ucred - *cred - struct vnode - *dvp - struct label - *dlabel - struct vnode - *vp - struct label - *label - struct componentname - *cnp - - + struct ucred + *cred + struct vnode + *dvp + struct label + *dlabel + struct vnode + *vp + struct label + *label + struct componentname + *cnp + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - dvp - Directory vnode - + + dvp + Directory vnode + - - dlabel - Policy label associated with - dvp - + + dlabel + Policy label associated with + dvp + - - vp - Vnode to be renamed - + + vp + Vnode to be renamed + - - label - Policy label associated with - vp - + + label + Policy label associated with + vp + - - cnp - Component name for - vp - - - - + + cnp + Component name for + vp + + + + - Determine whether the subject should be allowed to - rename the vnode vp to something - else. + Determine whether the subject should be allowed to + rename the vnode vp to something + else. 
- <function>&mac.mpo;_check_vnode_rename_to</function> + <function>&mac.mpo;_check_vnode_rename_to</function> - - - int - &mac.mpo;_check_vnode_rename_to + + + int + &mac.mpo;_check_vnode_rename_to - struct ucred - *cred - struct vnode - *dvp - struct label - *dlabel - struct vnode - *vp - struct label - *label - int samedir - struct componentname - *cnp - - + struct ucred + *cred + struct vnode + *dvp + struct label + *dlabel + struct vnode + *vp + struct label + *label + int samedir + struct componentname + *cnp + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - dvp - Directory vnode - + + dvp + Directory vnode + - - dlabel - Policy label associated with - dvp - + + dlabel + Policy label associated with + dvp + - - vp - Overwritten vnode - + + vp + Overwritten vnode + - - label - Policy label associated with - vp - + + label + Policy label associated with + vp + - - samedir - Boolean; 1 if the source and - destination directories are the same - + + samedir + Boolean; 1 if the source and + destination directories are the same + - - cnp - Destination component name - - - - + + cnp + Destination component name + + + + - Determine whether the subject should be allowed to - rename to the vnode vp, into the - directory dvp, or to the name - represented by cnp. If there is no - existing file to overwrite, vp and - label will be NULL. + Determine whether the subject should be allowed to + rename to the vnode vp, into the + directory dvp, or to the name + represented by cnp. If there is no + existing file to overwrite, vp and + label will be NULL. 
- <function>&mac.mpo;_check_socket_listen</function> + <function>&mac.mpo;_check_socket_listen</function> - - - int - &mac.mpo;_check_socket_listen + + + int + &mac.mpo;_check_socket_listen - struct ucred - *cred - struct socket - *socket - struct label - *socketlabel - - + struct ucred + *cred + struct socket + *socket + struct label + *socketlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - socket - Object; socket - + + socket + Object; socket + - - socketlabel - Policy label for - socket - - - - + + socketlabel + Policy label for + socket + + + + - Determine whether the subject credential can listen on - the passed socket. Return 0 for - success, or an errno value for failure. - Suggested failure: EACCES for label - mismatch, or EPERM for lack of - privilege. + Determine whether the subject credential can listen on + the passed socket. Return 0 for + success, or an errno value for failure. + Suggested failure: EACCES for label + mismatch, or EPERM for lack of + privilege. - <function>&mac.mpo;_check_vnode_lookup</function> + <function>&mac.mpo;_check_vnode_lookup</function> - - - int - &mac.mpo;_check_vnode_lookup + + + int + &mac.mpo;_check_vnode_lookup - struct ucred - *cred - struct vnode - *dvp - struct label - *dlabel - struct componentname - *cnp - - + struct ucred *cred + struct vnode *dvp + struct label *dlabel + struct componentname + *cnp + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - dvp - Object; vnode - + + dvp + Object; vnode + - - dlabel - Policy label for - dvp - + + dlabel + Policy label for + dvp + - - cnp - Component name being looked up - - - - + + cnp + Component name being looked up + + + + - Determine whether the subject credential can perform a - lookup in the passed directory vnode for the passed name. - Return 0 for success, or an - errno value for failure. 
Suggested - failure: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the subject credential can perform a + lookup in the passed directory vnode for the passed name. + Return 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of + privilege. - <function>&mac.mpo;_check_vnode_open</function> + <function>&mac.mpo;_check_vnode_open</function> - - - int - &mac.mpo;_check_vnode_open + + + int + &mac.mpo;_check_vnode_open - struct ucred - *cred - struct vnode - *vp - struct label - *label - int - acc_mode - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + int acc_mode + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vnode - + + vp + Object; vnode + - - label - Policy label for - vp - + + label + Policy label for + vp + - - acc_mode - &man.open.2; access mode - - - - + + acc_mode + &man.open.2; access mode + + + + - Determine whether the subject credential can perform an - open operation on the passed vnode with the passed access - mode. Return 0 for success, or - an errno value for failure. Suggested failure: - EACCES for label mismatch, or - EPERM for lack of privilege. + Determine whether the subject credential can perform an + open operation on the passed vnode with the passed access + mode. Return 0 for success, or + an errno value for failure. Suggested failure: + EACCES for label mismatch, or + EPERM for lack of privilege. 
- <function>&mac.mpo;_check_vnode_readdir</function> + <function>&mac.mpo;_check_vnode_readdir</function> - - - int - &mac.mpo;_check_vnode_readdir + + + int + &mac.mpo;_check_vnode_readdir - struct ucred - *cred - struct vnode - *dvp - struct label - *dlabel - - + struct ucred *cred + struct vnode *dvp + struct label *dlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - dvp - Object; directory vnode - + + dvp + Object; directory vnode + - - dlabel - Policy label for - dvp - - - - + + dlabel + Policy label for + dvp + + + + - Determine whether the subject credential can perform a - readdir operation on the passed - directory vnode. Return 0 for - success, or an errno value for failure. - Suggested failure: EACCES for label - mismatch, or EPERM for lack of - privilege. + Determine whether the subject credential can perform a + readdir operation on the passed + directory vnode. Return 0 for + success, or an errno value for failure. + Suggested failure: EACCES for label + mismatch, or EPERM for lack of + privilege. - <function>&mac.mpo;_check_vnode_readlink</function> + <function>&mac.mpo;_check_vnode_readlink</function> - - - int - &mac.mpo;_check_vnode_readlink + + + int + &mac.mpo;_check_vnode_readlink - struct ucred - *cred - struct vnode - *vp - struct label - *label - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vnode - + + vp + Object; vnode + - - label - Policy label for - vp - - - - + + label + Policy label for + vp + + + + - Determine whether the subject credential can perform a - readlink operation on the passed - symlink vnode. Return 0 for - success, or an errno value for failure. - Suggested failure: EACCES for label - mismatch, or EPERM for lack of - privilege. 
This call may be made in a number of situations, - including an explicit readlink call by - the user process, or as a result of an implicit - readlink during a name lookup by the - process. + Determine whether the subject credential can perform a + readlink operation on the passed + symlink vnode. Return 0 for + success, or an errno value for failure. + Suggested failure: EACCES for label + mismatch, or EPERM for lack of + privilege. This call may be made in a number of situations, + including an explicit readlink call by + the user process, or as a result of an implicit + readlink during a name lookup by the + process. - <function>&mac.mpo;_check_vnode_revoke</function> + <function>&mac.mpo;_check_vnode_revoke</function> - - - int - &mac.mpo;_check_vnode_revoke + + + int + &mac.mpo;_check_vnode_revoke - struct ucred - *cred - struct vnode - *vp - struct label - *label - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vnode - + + vp + Object; vnode + - - label - Policy label for - vp - - - - + + label + Policy label for + vp + + + + - Determine whether the subject credential can revoke - access to the passed vnode. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the subject credential can revoke + access to the passed vnode. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of + privilege. 
- <function>&mac.mpo;_check_vnode_setacl</function> + <function>&mac.mpo;_check_vnode_setacl</function> - - - int - &mac.mpo;_check_vnode_setacl + + + int + &mac.mpo;_check_vnode_setacl - struct ucred - *cred - struct vnode - *vp - struct label - *label - acl_type_t - type - struct acl - *acl - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + acl_type_t + type + struct acl + *acl + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vnode - + + vp + Object; vnode + - - label - Policy label for - vp - + + label + Policy label for + vp + - - type - ACL type - + + type + ACL type + - - acl - ACL - - - - + + acl + ACL + + + + - Determine whether the subject credential can set the - passed ACL of passed type on the passed vnode. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the subject credential can set the + passed ACL of passed type on the passed vnode. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of + privilege. 
- <function>&mac.mpo;_check_vnode_setextattr</function> + <function>&mac.mpo;_check_vnode_setextattr</function> - - - int - &mac.mpo;_check_vnode_setextattr + + + int + &mac.mpo;_check_vnode_setextattr - struct ucred - *cred - struct vnode - *vp - struct label - *label - int - attrnamespace - const char - *name - struct uio - *uio - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + int + attrnamespace + const char + *name + struct uio + *uio + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vnode - + + vp + Object; vnode + - - label - Policy label for vp - + + label + Policy label for + vp + - - attrnamespace - Extended attribute namespace - + + attrnamespace + Extended attribute namespace + - - name - Extended attribute name - + + name + Extended attribute name + - - uio - I/O structure pointer; see &man.uio.9; - - - - + + uio + I/O structure pointer; see &man.uio.9; + + + + - Determine whether the subject credential can set the - extended attribute of passed name and passed namespace on - the passed vnode. Policies implementing security labels - backed into extended attributes may want to provide - additional protections for those attributes. Additionally, - policies should avoid making decisions based on the data - referenced from uio, as there is a - potential race condition between this check and the actual - operation. The uio may also be - NULL if a delete operation is being - performed. Return 0 for success, - or an errno value for failure. Suggested - failure: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the subject credential can set the + extended attribute of passed name and passed namespace on + the passed vnode. Policies implementing security labels + backed into extended attributes may want to provide + additional protections for those attributes. 
Additionally, + policies should avoid making decisions based on the data + referenced from uio, as there is a + potential race condition between this check and the actual + operation. The uio may also be + NULL if a delete operation is being + performed. Return 0 for success, + or an errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of + privilege. - <function>&mac.mpo;_check_vnode_setflags</function> + <function>&mac.mpo;_check_vnode_setflags</function> - - - int - &mac.mpo;_check_vnode_setflags + + + int + &mac.mpo;_check_vnode_setflags - struct ucred - *cred - struct vnode - *vp - struct label - *label - u_long flags - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + u_long flags + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vnode - + + vp + Object; vnode + - - label - Policy label for - vp - + + label + Policy label for + vp + - - flags - File flags; see &man.chflags.2; - - - - + + flags + File flags; see &man.chflags.2; + + + + - Determine whether the subject credential can set the - passed flags on the passed vnode. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the subject credential can set the + passed flags on the passed vnode. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of + privilege. 
- <function>&mac.mpo;_check_vnode_setmode</function> + <function>&mac.mpo;_check_vnode_setmode</function> - - - int - &mac.mpo;_check_vnode_setmode + + + int + &mac.mpo;_check_vnode_setmode - struct ucred - *cred - struct vnode - *vp - struct label - *label - mode_t mode - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + mode_t mode + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vnode - + + vp + Object; vnode + - - label - Policy label for vp - + + label + Policy label for + vp + - - mode - File mode; see &man.chmod.2; - - - - + + mode + File mode; see &man.chmod.2; + + + + - Determine whether the subject credential can set the - passed mode on the passed vnode. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the subject credential can set the + passed mode on the passed vnode. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of + privilege. - <function>&mac.mpo;_check_vnode_setowner</function> + <function>&mac.mpo;_check_vnode_setowner</function> - - - int - &mac.mpo;_check_vnode_setowner + + + int + &mac.mpo;_check_vnode_setowner - struct ucred - *cred - struct vnode - *vp - struct label - *label - uid_t uid - gid_t gid - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + uid_t uid + gid_t gid + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vnode - + + vp + Object; vnode + - - label - Policy label for vp - + + label + Policy label for + vp + - - uid - User ID - + + uid + User ID + - - gid - Group ID - - - - + + gid + Group ID + + + + - Determine whether the subject credential can set the - passed uid and passed gid as file uid and file gid on the - passed vnode. 
The IDs may be set to (-1) - to request no update. Return 0 - for success, or an errno value for - failure. Suggested failure: EACCES - for label mismatch, or EPERM for lack - of privilege. + Determine whether the subject credential can set the + passed uid and passed gid as file uid and file gid on the + passed vnode. The IDs may be set to (-1) + to request no update. Return 0 + for success, or an errno value for + failure. Suggested failure: EACCES + for label mismatch, or EPERM for lack + of privilege. - <function>&mac.mpo;_check_vnode_setutimes</function> + <function>&mac.mpo;_check_vnode_setutimes</function> - - - int - &mac.mpo;_check_vnode_setutimes + + + int + &mac.mpo;_check_vnode_setutimes - struct ucred - *cred - struct vnode - *vp - struct label - *label - struct timespec - atime - struct timespec - mtime - - + struct ucred *cred + struct vnode *vp + struct label *label + struct timespec atime + struct timespec mtime + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vp - + + vp + Object; vp + - - label - Policy label for - vp - + + label + Policy label for + vp + - - atime - Access time; see &man.utimes.2; - + + atime + Access time; see &man.utimes.2; + - - mtime - Modification time; see &man.utimes.2; - - - - + + mtime + Modification time; see &man.utimes.2; + + + + - Determine whether the subject credential can set the - passed access timestamps on the passed vnode. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the subject credential can set the + passed access timestamps on the passed vnode. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of + privilege. 
- <function>&mac.mpo;_check_proc_sched</function> + <function>&mac.mpo;_check_proc_sched</function> - - - int - &mac.mpo;_check_proc_sched + + + int + &mac.mpo;_check_proc_sched - struct ucred - *ucred - struct proc - *proc - - + struct ucred + *ucred + struct proc + *proc + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - proc - Object; process - - - - + + proc + Object; process + + + + - Determine whether the subject credential can change the - scheduling parameters of the passed process. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - EPERM for lack of privilege, or - ESRCH to limit visibility. + Determine whether the subject credential can change the + scheduling parameters of the passed process. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + EPERM for lack of privilege, or + ESRCH to limit visibility. - See &man.setpriority.2; for more information. + See &man.setpriority.2; for more information. - <function>&mac.mpo;_check_proc_signal</function> + <function>&mac.mpo;_check_proc_signal</function> - - - int - &mac.mpo;_check_proc_signal + + + int + &mac.mpo;_check_proc_signal - struct ucred - *cred - struct proc - *proc - int signal - - + struct ucred + *cred + struct proc + *proc + int signal + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - proc - Object; process - + + proc + Object; process + - - signal - Signal; see &man.kill.2; - - - - + + signal + Signal; see &man.kill.2; + + + + - Determine whether the subject credential can deliver the - passed signal to the passed process. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - EPERM for lack of privilege, or - ESRCH to limit visibility. 
+ Determine whether the subject credential can deliver the + passed signal to the passed process. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + EPERM for lack of privilege, or + ESRCH to limit visibility. - <function>&mac.mpo;_check_vnode_stat</function> + <function>&mac.mpo;_check_vnode_stat</function> - - - int - &mac.mpo;_check_vnode_stat + + + int + &mac.mpo;_check_vnode_stat - struct ucred - *cred - struct vnode - *vp - struct label - *label - - + struct ucred + *cred + struct vnode + *vp + struct label + *label + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Object; vnode - + + vp + Object; vnode + - - label - Policy label for - vp - - - - + + label + Policy label for + vp + + + + - Determine whether the subject credential can - stat the passed vnode. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the subject credential can + stat the passed vnode. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatch, + or EPERM for lack of + privilege. - See &man.stat.2; for more information. + See &man.stat.2; for more information. 
- <function>&mac.mpo;_check_ifnet_transmit</function> + <function>&mac.mpo;_check_ifnet_transmit</function> - - - int - &mac.mpo;_check_ifnet_transmit + + + int + &mac.mpo;_check_ifnet_transmit - struct ucred - *cred - struct ifnet - *ifnet - struct label - *ifnetlabel - struct mbuf - *mbuf - struct label - *mbuflabel - - + struct ucred + *cred + struct ifnet + *ifnet + struct label + *ifnetlabel + struct mbuf + *mbuf + struct label + *mbuflabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - ifnet - Network interface - + + ifnet + Network interface + - - ifnetlabel - Policy label for - ifnet - + + ifnetlabel + Policy label for + ifnet + - - mbuf - Object; mbuf to be sent - + + mbuf + Object; mbuf to be sent + - - mbuflabel - Policy label for - mbuf - - - - + + mbuflabel + Policy label for + mbuf + + + + - Determine whether the network interface can transmit the - passed mbuf. Return 0 for - success, or an errno value for failure. - Suggested failure: EACCES for label - mismatch, or EPERM for lack of - privilege. + Determine whether the network interface can transmit the + passed mbuf. Return 0 for + success, or an errno value for failure. + Suggested failure: EACCES for label + mismatch, or EPERM for lack of + privilege. 
- <function>&mac.mpo;_check_socket_deliver</function> + <function>&mac.mpo;_check_socket_deliver</function> - - - int - &mac.mpo;_check_socket_deliver + + + int + &mac.mpo;_check_socket_deliver - struct ucred - *cred - struct ifnet - *ifnet - struct label - *ifnetlabel - struct mbuf - *mbuf - struct label - *mbuflabel - - + struct ucred + *cred + struct ifnet + *ifnet + struct label + *ifnetlabel + struct mbuf + *mbuf + struct label + *mbuflabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - ifnet - Network interface - + + ifnet + Network interface + - - ifnetlabel - Policy label for - ifnet - + + ifnetlabel + Policy label for + ifnet + - - mbuf - Object; mbuf to be delivered - + + mbuf + Object; mbuf to be delivered + - - mbuflabel - Policy label for - mbuf - - - - + + mbuflabel + Policy label for + mbuf + + + + - Determine whether the socket may receive the datagram - stored in the passed mbuf header. Return - 0 for success, or an - errno value for failure. Suggested - failures: EACCES for label mismatch, - or EPERM for lack of - privilege. + Determine whether the socket may receive the datagram + stored in the passed mbuf header. Return + 0 for success, or an + errno value for failure. Suggested + failures: EACCES for label mismatch, + or EPERM for lack of + privilege. 
- <function>&mac.mpo;_check_socket_visible</function> + <function>&mac.mpo;_check_socket_visible</function> - - - int - &mac.mpo;_check_socket_visible + + + int + &mac.mpo;_check_socket_visible - struct ucred - *cred - struct socket - *so - struct label - *socketlabel - - + struct ucred + *cred + struct socket + *so + struct label + *socketlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - Immutable - + + + cred + Subject credential + Immutable + - - so - Object; socket - + + so + Object; socket + - - socketlabel - Policy label for - so - - - - + + socketlabel + Policy label for + so + + + + - Determine whether the subject credential cred can "see" - the passed socket (socket) using - system monitoring functions, such as those employed by - &man.netstat.8; and &man.sockstat.1;. Return - 0 for success, or an - errno value for failure. Suggested - failure: EACCES for label mismatches, - EPERM for lack of privilege, or - ESRCH to hide visibility. + Determine whether the subject credential cred can "see" + the passed socket (socket) using + system monitoring functions, such as those employed by + &man.netstat.8; and &man.sockstat.1;. Return + 0 for success, or an + errno value for failure. Suggested + failure: EACCES for label mismatches, + EPERM for lack of privilege, or + ESRCH to hide visibility. 
- <function>&mac.mpo;_check_system_acct</function> + <function>&mac.mpo;_check_system_acct</function> - - - int - &mac.mpo;_check_system_acct + + + int + &mac.mpo;_check_system_acct - struct ucred - *ucred - struct vnode - *vp - struct label - *vlabel - - + struct ucred + *ucred + struct vnode + *vp + struct label + *vlabel + + - - - &mac.thead; + + + &mac.thead; - - - ucred - Subject credential - + + + ucred + Subject credential + - - vp - Accounting file; &man.acct.5; - + + vp + Accounting file; &man.acct.5; + - - vlabel - Label associated with - vp - - - - + + vlabel + Label associated with + vp + + + + - Determine whether the subject should be allowed to - enable accounting, based on its label and the label of the - accounting log file. + Determine whether the subject should be allowed to + enable accounting, based on its label and the label of the + accounting log file. - <function>&mac.mpo;_check_system_nfsd</function> + <function>&mac.mpo;_check_system_nfsd</function> - - - int - &mac.mpo;_check_system_nfsd + + + int + &mac.mpo;_check_system_nfsd - struct ucred - *cred - - + struct ucred + *cred + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - - - - + + + cred + Subject credential + + + + - Determine whether the subject should be allowed to call - &man.nfssvc.2;. + Determine whether the subject should be allowed to call + &man.nfssvc.2;. - <function>&mac.mpo;_check_system_reboot</function> + <function>&mac.mpo;_check_system_reboot</function> - - - int - &mac.mpo;_check_system_reboot + + + int + &mac.mpo;_check_system_reboot - struct ucred - *cred - int howto - - + struct ucred + *cred + int howto + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - howto - howto parameter from - &man.reboot.2; - - - - + + howto + howto parameter from + &man.reboot.2; + + + + - Determine whether the subject should be allowed to - reboot the system in the specified manner. 
+ Determine whether the subject should be allowed to + reboot the system in the specified manner. - <function>&mac.mpo;_check_system_settime</function> + <function>&mac.mpo;_check_system_settime</function> - - - int - &mac.mpo;_check_system_settime + + + int + &mac.mpo;_check_system_settime - struct ucred - *cred - - + struct ucred + *cred + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - - - - + + + cred + Subject credential + + + + - Determine whether the user should be allowed to set the - system clock. + Determine whether the user should be allowed to set the + system clock. - <function>&mac.mpo;_check_system_swapon</function> + <function>&mac.mpo;_check_system_swapon</function> - - - int - &mac.mpo;_check_system_swapon + + + int + &mac.mpo;_check_system_swapon - struct ucred - *cred - struct vnode - *vp - struct label - *vlabel - - + struct ucred + *cred + struct vnode + *vp + struct label + *vlabel + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - vp - Swap device - + + vp + Swap device + - - vlabel - Label associated with - vp - - - - + + vlabel + Label associated with + vp + + + + - Determine whether the subject should be allowed to add - vp as a swap device. + Determine whether the subject should be allowed to add + vp as a swap device. 
- <function>&mac.mpo;_check_system_sysctl</function> + <function>&mac.mpo;_check_system_sysctl</function> - - - int - &mac.mpo;_check_system_sysctl + + + int + &mac.mpo;_check_system_sysctl - struct ucred - *cred - int *name - u_int *namelen - void *old - size_t - *oldlenp - int inkernel - void *new - size_t newlen - - + struct ucred + *cred + int *name + u_int *namelen + void *old + size_t + *oldlenp + int inkernel + void *new + size_t newlen + + - - - &mac.thead; + + + &mac.thead; - - - cred - Subject credential - + + + cred + Subject credential + - - name - See &man.sysctl.3; - + + name + See &man.sysctl.3; + - - namelen - + + namelen + - - old - + + old + - - oldlenp - + + oldlenp + - - inkernel - Boolean; 1 if called from - kernel - + + inkernel + Boolean; 1 if called from + kernel + - - new - See &man.sysctl.3; - + + new + See &man.sysctl.3; + - - newlen - - - - + + newlen + + + + - Determine whether the subject should be allowed to make - the specified &man.sysctl.3; transaction. + Determine whether the subject should be allowed to make + the specified &man.sysctl.3; transaction. Label Management Calls Relabel events occur when a user process has requested - that the label on an object be modified. A two-phase update - occurs: first, an access control check will be performed to - determine if the update is both valid and permitted, and then - the update itself is performed via a separate entry point. - Relabel entry points typically accept the object, object label - reference, and an update label submitted by the process. - Memory allocation during relabel is discouraged, as relabel - calls are not permitted to fail (failure should be reported - earlier in the relabel check). - + that the label on an object be modified. A two-phase update + occurs: first, an access control check will be performed to + determine if the update is both valid and permitted, and then + the update itself is performed via a separate entry point. 
+ Relabel entry points typically accept the object, object label + reference, and an update label submitted by the process. + Memory allocation during relabel is discouraged, as relabel + calls are not permitted to fail (failure should be reported + earlier in the relabel check). Userland Architecture The TrustedBSD MAC Framework includes a number of - policy-agnostic elements, including MAC library interfaces - for abstractly managing labels, modifications to the system + policy-agnostic elements, including MAC library interfaces for + abstractly managing labels, modifications to the system credential management and login libraries to support the - assignment of MAC labels to users, and a set of tools to - monitor and modify labels on processes, files, and network - interfaces. More details on the user architecture will - be added to this section in the near future. + assignment of MAC labels to users, and a set of tools to monitor + and modify labels on processes, files, and network interfaces. + More details on the user architecture will be added to this + section in the near future. APIs for Policy-Agnostic Label Management The TrustedBSD MAC Framework provides a number of library and system calls permitting applications to manage MAC labels on objects using a policy-agnostic interface. This permits applications to manipulate labels for a variety of policies without being written to support specific policies. These interfaces are used by general-purpose tools such as &man.ifconfig.8;, &man.ls.1; and &man.ps.1; to view labels on network interfaces, files, and processes. The APIs also support MAC management tools including &man.getfmac.8;, &man.getpmac.8;, &man.setfmac.8;, &man.setfsmac.8;, and &man.setpmac.8;. The MAC APIs are documented in &man.mac.3;. 
Applications handle MAC labels in two forms: an internalized form used to return and set labels on processes and objects (mac_t), and externalized form based on C strings appropriate for storage in configuration files, display to the user, or input from the user. Each MAC label contains a number of elements, each consisting of a name and value pair. Policy modules in the kernel bind to specific names and interpret the values in policy-specific ways. In the externalized string form, labels are represented by a comma-delimited list of name and value pairs separated by the / character. Labels may be directly converted to and from text using provided APIs; when retrieving labels from the kernel, internalized label storage must first be prepared for the desired label element set. Typically, this is done in one of two ways: using &man.mac.prepare.3; and an arbitrary list of desired label elements, or one of the variants of the call that loads a default element set from the &man.mac.conf.5; configuration file. Per-object defaults permit application writers to usefully display labels associated with objects without being aware of the policies present in the system. - Currently, direct manipulation of label elements - other than by conversion to a text string, string editing, - and conversion back to an internalized label is not supported - by the MAC library. Such interfaces may be added in the - future if they prove necessary for application - writers. + + Currently, direct manipulation of label elements other + than by conversion to a text string, string editing, and + conversion back to an internalized label is not supported by + the MAC library. Such interfaces may be added in the future + if they prove necessary for application + writers. + Binding of Labels to Users The standard user context management interface, &man.setusercontext.3;, has been modified to retrieve MAC labels associated with a user's class from &man.login.conf.5;. 
These labels are then set along with other user context when either LOGIN_SETALL is specified, or when LOGIN_SETMAC is explicitly specified. It is expected that, in a future version of FreeBSD, the MAC label database will be separated from the login.conf user class abstraction, and be maintained in a separate database. However, the &man.setusercontext.3; API should remain the same following such a change. Conclusion The TrustedBSD MAC framework permits kernel modules to augment the system security policy in a highly integrated manner. They may do this based on existing object properties, or based on label data that is maintained with the assistance of the MAC framework. The framework is sufficiently flexible to implement a variety of policy types, including information flow security policies such as MLS and Biba, as well as policies based on existing BSD credentials or file protections. Policy authors may wish to consult this documentation as well as existing security modules when implementing a new security service.
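Review bot: the reindent of mpo_check_vnode_setutimes joins each parameter onto one line (`struct ucred *cred`, `struct vnode *vp`, `struct timespec atime`) while every following entry in this hunk keeps the old split form (`struct ucred` / `*ucred`, `struct proc` / `*proc`); pick one layout for the funcsynopsis parameters and apply it throughout, since a whitespace-only commit is the right place to do it. While touching that description: it says the hook checks "the passed access timestamps", but both `atime` and `mtime` are passed, so "access and modification timestamps" is the accurate wording.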
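Review bot: in mpo_check_proc_sched the prototype names the first parameter `*ucred` but the parameter table lists `cred` (Subject credential); the sibling mpo_check_proc_signal uses `cred` in both places, so rename the prototype parameter to `cred` here rather than carrying the mismatch through the reindent.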
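Review bot: the prototype and parameter table for mpo_check_socket_deliver are a copy of mpo_check_ifnet_transmit (`cred`, `ifnet`, `ifnetlabel`, `mbuf`, `mbuflabel`), yet the description says the hook decides "whether the socket may receive the datagram stored in the passed mbuf header"; no socket or socket label appears among the parameters, so a policy author cannot tell from this page which object is being checked. Verify the prototype against the MAC policy header before reindenting it, and document the socket and its label if that is what the hook actually receives. Nearby, mpo_check_socket_visible refers to "the passed socket (socket)" while its parameter is named `so`.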
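Review bot: the mpo_check_system_* entries (acct, nfsd, reboot, settime, swapon, sysctl) are the only check hooks in this hunk whose descriptions omit the return convention ("Return 0 for success, or an errno value for failure") and the suggested errno values that every other entry carries; add them so policy authors get consistent guidance. Two smaller inconsistencies in the same region: mpo_check_system_acct names its credential `ucred` where the neighbouring hooks use `cred`, and mpo_check_system_settime says "the user" where the rest say "the subject".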
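Review bot: in the mpo_check_system_sysctl parameter table the `namelen`, `old`, `oldlenp` and `newlen` rows have empty description cells; at minimum give them the same "See &man.sysctl.3;" text used for `name` and `new`, or describe them (number of elements in `name`, buffer and length for the current value, length of `new`) so the table does not render with blank entries.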
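Review bot: the reflow of the Userland Architecture paragraph keeps the sentence "More details on the user architecture will be added to this section in the near future" verbatim; since this commit only rewraps the text, the placeholder is now at least as old as the previous revision and should either be replaced with the promised detail or dropped, as the subsections that follow (policy-agnostic label management APIs, binding of labels to users) already cover the topic.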