
    1 /*-
    2  * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
    3  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
    4  * Copyright (c) 2005-2006 SPARTA, Inc.
    5  * Copyright (c) 2008 Apple Inc.
    6  * All rights reserved.
    7  *
    8  * This software was developed by Robert Watson for the TrustedBSD Project.
    9  *
   10  * This software was developed for the FreeBSD Project in part by Network
   11  * Associates Laboratories, the Security Research Division of Network
   12  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
   13  * as part of the DARPA CHATS research program.
   14  *
   15  * This software was enhanced by SPARTA ISSO under SPAWAR contract 
   16  * N66001-04-C-6019 ("SEFOS").
   17  *
   18  * This software was developed at the University of Cambridge Computer
   19  * Laboratory with support from a grant from Google, Inc.
   20  *
   21  * Redistribution and use in source and binary forms, with or without
   22  * modification, are permitted provided that the following conditions
   23  * are met:
   24  * 1. Redistributions of source code must retain the above copyright
   25  *    notice, this list of conditions and the following disclaimer.
   26  * 2. Redistributions in binary form must reproduce the above copyright
   27  *    notice, this list of conditions and the following disclaimer in the
   28  *    documentation and/or other materials provided with the distribution.
   29  *
   30  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   31  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   32  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   33  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   34  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   35  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   36  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   37  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   38  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   39  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   40  * SUCH DAMAGE.
   41  *
   42  * $FreeBSD: releng/10.0/sys/security/mac/mac_policy.h 254603 2013-08-21 17:45:00Z kib $
   43  */
   44 /*
   45  * Kernel interface for MAC policy modules.
   46  */
   47 #ifndef _SECURITY_MAC_MAC_POLICY_H_
   48 #define _SECURITY_MAC_MAC_POLICY_H_
   49 
   50 #ifndef _KERNEL
   51 #error "no user-serviceable parts inside"
   52 #endif
   53 
   54 /*-
   55  * Pluggable access control policy definition structure.
   56  *
   57  * List of operations that are performed as part of the implementation of a
   58  * MAC policy.  Policy implementors declare operations with a mac_policy_ops
   59  * structure, and using the MAC_POLICY_SET() macro.  If an entry point is not
   60  * declared, then the policy will be ignored during evaluation of that
   61  * event or check.
   62  *
   63  * Operations are sorted first by general class of operation, then
   64  * alphabetically.
   65  */
   66 #include <sys/acl.h>    /* XXX acl_type_t */
   67 #include <sys/types.h>  /* XXX accmode_t */
   68 
   /*
    * Opaque kernel object types referenced by the entry points below.  A
    * policy only ever receives pointers to these objects; their layout is not
    * part of the policy interface.
    */
   69 struct acl;
   70 struct auditinfo;
   71 struct auditinfo_addr;
   72 struct bpf_d;
   73 struct cdev;
   74 struct componentname;
   75 struct devfs_dirent;
   76 struct ifnet;
   77 struct image_params;
   78 struct inpcb;
   79 struct ip6q;
   80 struct ipq;
   81 struct ksem;
   82 struct label;
   83 struct mac_policy_conf;
   84 struct mbuf;
   85 struct mount;
   86 struct msg;
   87 struct msqid_kernel;
   88 struct pipepair;
   89 struct proc;
   90 struct sbuf;
   91 struct semid_kernel;
   92 struct shmfd;
   93 struct shmid_kernel;
   94 struct sockaddr;
   95 struct socket;
   96 struct sysctl_oid;
   97 struct sysctl_req;
   98 struct thread;
   99 struct ucred;
  100 struct vattr;
  101 struct vnode;
  102 
  103 /*
  104  * Policy module operations.
  105  */
  /*
   * Module lifetime hooks; by their names, init is invoked when the policy is
   * registered and destroy when it is torn down.
   *
   * Convention for the rest of this header: entry points returning int are
   * "check" hooks which, per mac_policy(9), return 0 to permit and an errno
   * value to deny; the framework composes the answers of all loaded policies,
   * so any single non-zero result denies.  Entry points returning void are
   * notifications (label init/destroy/copy, object creation/relabel) and
   * cannot refuse the operation they describe.
   */
  106 typedef void    (*mpo_destroy_t)(struct mac_policy_conf *mpc);
  107 typedef void    (*mpo_init_t)(struct mac_policy_conf *mpc);
  108 
  109 /*
  110  * General policy-directed security system call so that policies may
  111  * implement new services without reserving explicit system call numbers.
  112  */
  /*
   * td is the calling thread and call the policy-specific service number.
   * NOTE(review): arg is presumably a userland pointer forwarded from
   * mac_syscall(2); a policy must copyin() what it needs and bound the copy,
   * never dereference arg directly -- confirm against the dispatcher.
   */
  113 typedef int     (*mpo_syscall_t)(struct thread *td, int call, void *arg);
  114 
  115 /*
  116  * Place-holder function pointers for ABI-compatibility purposes.
  117  */
  /* Reserved slot type; keeps mac_policy_ops layout stable across versions. */
  118 typedef void    (*mpo_placeholder_t)(void);
  119 
  120 /*
  121  * Operations sorted alphabetically by primary object type and then method.
  122  */
  /*
   * BPF descriptor hooks.  From the parameter lists: check_receive is
   * consulted before traffic from interface ifp reaches descriptor d;
   * create labels a new descriptor from the opening credential; create_mbuf
   * labels mbufs originated through the descriptor; init_label and
   * destroy_label manage the descriptor's label storage.
   */
  123 typedef int     (*mpo_bpfdesc_check_receive_t)(struct bpf_d *d,
  124                     struct label *dlabel, struct ifnet *ifp,
  125                     struct label *ifplabel);
  126 typedef void    (*mpo_bpfdesc_create_t)(struct ucred *cred,
  127                     struct bpf_d *d, struct label *dlabel);
  128 typedef void    (*mpo_bpfdesc_create_mbuf_t)(struct bpf_d *d,
  129                     struct label *dlabel, struct mbuf *m,
  130                     struct label *mlabel);
  131 typedef void    (*mpo_bpfdesc_destroy_label_t)(struct label *label);
  132 typedef void    (*mpo_bpfdesc_init_label_t)(struct label *label);
  133 
  /*
   * Credential hooks.  The check_set* family is consulted before the named
   * identity or audit attribute of cred changes; check_visible decides whether
   * cr1 may observe subjects/objects carrying cr2 (name-based reading);
   * check_relabel/relabel bracket a label change on cred.  create_init and
   * create_swapper label the credentials of the first kernel-created processes.
   * externalize_label/internalize_label convert between the in-kernel label
   * and its textual element form; *claimed is set when the policy recognises
   * element_name.
   * NOTE(review): element_data for internalize_label presumably originates
   * from a userland label string -- parse it defensively and never rely on
   * its length or contents being well-formed.
   */
  134 typedef void    (*mpo_cred_associate_nfsd_t)(struct ucred *cred);
  135 typedef int     (*mpo_cred_check_relabel_t)(struct ucred *cred,
  136                     struct label *newlabel);
  137 typedef int     (*mpo_cred_check_setaudit_t)(struct ucred *cred,
  138                     struct auditinfo *ai);
  139 typedef int     (*mpo_cred_check_setaudit_addr_t)(struct ucred *cred,
  140                     struct auditinfo_addr *aia);
  141 typedef int     (*mpo_cred_check_setauid_t)(struct ucred *cred, uid_t auid);
  142 typedef int     (*mpo_cred_check_setegid_t)(struct ucred *cred, gid_t egid);
  143 typedef int     (*mpo_cred_check_seteuid_t)(struct ucred *cred, uid_t euid);
  144 typedef int     (*mpo_cred_check_setgid_t)(struct ucred *cred, gid_t gid);
  145 typedef int     (*mpo_cred_check_setgroups_t)(struct ucred *cred, int ngroups,
  146                     gid_t *gidset);
  147 typedef int     (*mpo_cred_check_setregid_t)(struct ucred *cred, gid_t rgid,
  148                     gid_t egid);
  149 typedef int     (*mpo_cred_check_setresgid_t)(struct ucred *cred, gid_t rgid,
  150                     gid_t egid, gid_t sgid);
  151 typedef int     (*mpo_cred_check_setresuid_t)(struct ucred *cred, uid_t ruid,
  152                     uid_t euid, uid_t suid);
  153 typedef int     (*mpo_cred_check_setreuid_t)(struct ucred *cred, uid_t ruid,
  154                     uid_t euid);
  155 typedef int     (*mpo_cred_check_setuid_t)(struct ucred *cred, uid_t uid);
  156 typedef int     (*mpo_cred_check_visible_t)(struct ucred *cr1,
  157                     struct ucred *cr2);
  158 typedef void    (*mpo_cred_copy_label_t)(struct label *src,
  159                     struct label *dest);
  160 typedef void    (*mpo_cred_create_init_t)(struct ucred *cred);
  161 typedef void    (*mpo_cred_create_swapper_t)(struct ucred *cred);
  162 typedef void    (*mpo_cred_destroy_label_t)(struct label *label);
  163 typedef int     (*mpo_cred_externalize_label_t)(struct label *label,
  164                     char *element_name, struct sbuf *sb, int *claimed);
  165 typedef void    (*mpo_cred_init_label_t)(struct label *label);
  166 typedef int     (*mpo_cred_internalize_label_t)(struct label *label,
  167                     char *element_name, char *element_data, int *claimed);
  168 typedef void    (*mpo_cred_relabel_t)(struct ucred *cred,
  169                     struct label *newlabel);
  170 
  /*
   * devfs hooks.  All are notifications: they label device nodes, directories
   * and symlinks as devfs creates them, and keep the directory-entry label
   * (delabel) and the backing vnode label (vplabel) in step (update,
   * vnode_associate).
   * NOTE(review): create_directory passes dirname together with an explicit
   * dirnamelen; do not assume the name is NUL-terminated -- confirm against
   * the caller before treating it as a C string.
   */
  171 typedef void    (*mpo_devfs_create_device_t)(struct ucred *cred,
  172                     struct mount *mp, struct cdev *dev,
  173                     struct devfs_dirent *de, struct label *delabel);
  174 typedef void    (*mpo_devfs_create_directory_t)(struct mount *mp,
  175                     char *dirname, int dirnamelen, struct devfs_dirent *de,
  176                     struct label *delabel);
  177 typedef void    (*mpo_devfs_create_symlink_t)(struct ucred *cred,
  178                     struct mount *mp, struct devfs_dirent *dd,
  179                     struct label *ddlabel, struct devfs_dirent *de,
  180                     struct label *delabel);
  181 typedef void    (*mpo_devfs_destroy_label_t)(struct label *label);
  182 typedef void    (*mpo_devfs_init_label_t)(struct label *label);
  183 typedef void    (*mpo_devfs_update_t)(struct mount *mp,
  184                     struct devfs_dirent *de, struct label *delabel,
  185                     struct vnode *vp, struct label *vplabel);
  186 typedef void    (*mpo_devfs_vnode_associate_t)(struct mount *mp,
  187                     struct label *mplabel, struct devfs_dirent *de,
  188                     struct label *delabel, struct vnode *vp,
  189                     struct label *vplabel);
  190 
  /*
   * Network interface hooks.  check_transmit is the policy's chance to deny
   * mbuf m leaving via ifp; check_relabel/relabel bracket an interface label
   * change requested by cred; create labels a newly attached interface and
   * create_mbuf labels packets the interface originates (name-based reading).
   * externalize_label/internalize_label follow the same contract as the
   * cred variants.
   */
  191 typedef int     (*mpo_ifnet_check_relabel_t)(struct ucred *cred,
  192                     struct ifnet *ifp, struct label *ifplabel,
  193                     struct label *newlabel);
  194 typedef int     (*mpo_ifnet_check_transmit_t)(struct ifnet *ifp,
  195                     struct label *ifplabel, struct mbuf *m,
  196                     struct label *mlabel);
  197 typedef void    (*mpo_ifnet_copy_label_t)(struct label *src,
  198                     struct label *dest);
  199 typedef void    (*mpo_ifnet_create_t)(struct ifnet *ifp,
  200                     struct label *ifplabel);
  201 typedef void    (*mpo_ifnet_create_mbuf_t)(struct ifnet *ifp,
  202                     struct label *ifplabel, struct mbuf *m,
  203                     struct label *mlabel);
  204 typedef void    (*mpo_ifnet_destroy_label_t)(struct label *label);
  205 typedef int     (*mpo_ifnet_externalize_label_t)(struct label *label,
  206                     char *element_name, struct sbuf *sb, int *claimed);
  207 typedef void    (*mpo_ifnet_init_label_t)(struct label *label);
  208 typedef int     (*mpo_ifnet_internalize_label_t)(struct label *label,
  209                     char *element_name, char *element_data, int *claimed);
  210 typedef void    (*mpo_ifnet_relabel_t)(struct ucred *cred, struct ifnet *ifp,
  211                     struct label *ifplabel, struct label *newlabel);
  212 
  /*
   * Internet PCB hooks.  check_deliver gates delivery of mbuf m to the
   * connection inp; check_visible decides whether cred may see inp (e.g. in
   * connection listings -- name-based reading).  create derives the PCB label
   * from its owning socket, and sosetlabel propagates a later socket relabel.
   * NOTE(review): init_label returns int and takes flag, unlike the void
   * init_label hooks above; flag is presumably the allocation wait flag, so
   * the policy may fail to allocate label storage here -- confirm.
   */
  213 typedef int     (*mpo_inpcb_check_deliver_t)(struct inpcb *inp,
  214                     struct label *inplabel, struct mbuf *m,
  215                     struct label *mlabel);
  216 typedef int     (*mpo_inpcb_check_visible_t)(struct ucred *cred,
  217                     struct inpcb *inp, struct label *inplabel);
  218 typedef void    (*mpo_inpcb_create_t)(struct socket *so,
  219                     struct label *solabel, struct inpcb *inp,
  220                     struct label *inplabel);
  221 typedef void    (*mpo_inpcb_create_mbuf_t)(struct inpcb *inp,
  222                     struct label *inplabel, struct mbuf *m,
  223                     struct label *mlabel);
  224 typedef void    (*mpo_inpcb_destroy_label_t)(struct label *label);
  225 typedef int     (*mpo_inpcb_init_label_t)(struct label *label, int flag);
  226 typedef void    (*mpo_inpcb_sosetlabel_t)(struct socket *so,
  227                     struct label *label, struct inpcb *inp,
  228                     struct label *inplabel);
  229 
  /*
   * IPv6 reassembly queue hooks.  create labels a new fragment queue q6 from
   * the first fragment m; match returns non-zero when fragment m may join q6
   * (name-based reading); reassemble labels the reassembled datagram from the
   * queue; update folds a further fragment's label into the queue.
   * NOTE(review): mpo_ip6q_reassemble lacks the _t suffix every other typedef
   * here carries; it is kept as-is for source compatibility.
   */
  230 typedef void    (*mpo_ip6q_create_t)(struct mbuf *m, struct label *mlabel,
  231                     struct ip6q *q6, struct label *q6label);
  232 typedef void    (*mpo_ip6q_destroy_label_t)(struct label *label);
  233 typedef int     (*mpo_ip6q_init_label_t)(struct label *label, int flag);
  234 typedef int     (*mpo_ip6q_match_t)(struct mbuf *m, struct label *mlabel,
  235                     struct ip6q *q6, struct label *q6label);
  236 typedef void    (*mpo_ip6q_reassemble)(struct ip6q *q6, struct label *q6label,
  237                     struct mbuf *m, struct label *mlabel);
  238 typedef void    (*mpo_ip6q_update_t)(struct mbuf *m, struct label *mlabel,
  239                     struct ip6q *q6, struct label *q6label);
  240 
  /*
   * IPv4 reassembly queue hooks; same shape and contract as the ip6q set
   * above.  A policy's match hook is what keeps fragments with unrelated
   * labels from being spliced into one datagram.
   * NOTE(review): mpo_ipq_reassemble also lacks the _t suffix; kept as-is.
   */
  241 typedef void    (*mpo_ipq_create_t)(struct mbuf *m, struct label *mlabel,
  242                     struct ipq *q, struct label *qlabel);
  243 typedef void    (*mpo_ipq_destroy_label_t)(struct label *label);
  244 typedef int     (*mpo_ipq_init_label_t)(struct label *label, int flag);
  245 typedef int     (*mpo_ipq_match_t)(struct mbuf *m, struct label *mlabel,
  246                     struct ipq *q, struct label *qlabel);
  247 typedef void    (*mpo_ipq_reassemble)(struct ipq *q, struct label *qlabel,
  248                     struct mbuf *m, struct label *mlabel);
  249 typedef void    (*mpo_ipq_update_t)(struct mbuf *m, struct label *mlabel,
  250                     struct ipq *q, struct label *qlabel);
  251 
  /*
   * Kernel environment hooks: dump (read all), get/set/unset a single
   * variable.  NOTE(review): name and value presumably arrive from the
   * kenv(2) caller after copyin; treat them as untrusted strings.
   */
  252 typedef int     (*mpo_kenv_check_dump_t)(struct ucred *cred);
  253 typedef int     (*mpo_kenv_check_get_t)(struct ucred *cred, char *name);
  254 typedef int     (*mpo_kenv_check_set_t)(struct ucred *cred, char *name,
  255                     char *value);
  256 typedef int     (*mpo_kenv_check_unset_t)(struct ucred *cred, char *name);
  257 
  /*
   * Kernel module hooks.  check_load is consulted before the object at vnode
   * vp is loaded into the kernel -- a policy wishing to restrict code loading
   * beyond the usual privilege check does so here; check_stat gates module
   * enumeration.
   */
  258 typedef int     (*mpo_kld_check_load_t)(struct ucred *cred, struct vnode *vp,
  259                     struct label *vplabel);
  260 typedef int     (*mpo_kld_check_stat_t)(struct ucred *cred);
  261 
  /*
   * mbuf label storage hooks.  init_label returns int and takes flag, so
   * label allocation may fail under a non-blocking allocation (presumably
   * what flag selects -- confirm).
   */
  262 typedef void    (*mpo_mbuf_copy_label_t)(struct label *src,
  263                     struct label *dest);
  264 typedef void    (*mpo_mbuf_destroy_label_t)(struct label *label);
  265 typedef int     (*mpo_mbuf_init_label_t)(struct label *label, int flag);
  266 
  /*
   * Mount point hooks: check_stat gates statfs-style queries on mp; create
   * labels a new mount from the mounting credential.
   */
  267 typedef int     (*mpo_mount_check_stat_t)(struct ucred *cred,
  268                     struct mount *mp, struct label *mplabel);
  269 typedef void    (*mpo_mount_create_t)(struct ucred *cred, struct mount *mp,
  270                     struct label *mplabel);
  271 typedef void    (*mpo_mount_destroy_label_t)(struct label *label);
  272 typedef void    (*mpo_mount_init_label_t)(struct label *label);
  273 
  /* Labels an AppleTalk AARP packet m the stack originates on ifp. */
  274 typedef void    (*mpo_netatalk_aarp_send_t)(struct ifnet *ifp,
  275                     struct label *ifplabel, struct mbuf *m,
  276                     struct label *mlabel);
  277 
  /*
   * IPv4 stack-originated packet hooks.  All are void notifications that let
   * a policy label packets the kernel itself generates (ARP, firewall and
   * ICMP replies, fragments, IGMP, TCP replies); none can deny.  The *_reply
   * variants pair the received mbuf (mrecv) with the reply (msend) so the
   * reply can inherit the label of what provoked it; replyinplace covers the
   * case where the received mbuf is reused as the reply.
   */
  278 typedef void    (*mpo_netinet_arp_send_t)(struct ifnet *ifp,
  279                     struct label *ifplabel, struct mbuf *m,
  280                     struct label *mlabel);
  281 typedef void    (*mpo_netinet_firewall_reply_t)(struct mbuf *mrecv,
  282                     struct label *mrecvlabel, struct mbuf *msend,
  283                     struct label *msendlabel);
  284 typedef void    (*mpo_netinet_firewall_send_t)(struct mbuf *m,
  285                     struct label *mlabel);
  286 typedef void    (*mpo_netinet_fragment_t)(struct mbuf *m,
  287                     struct label *mlabel, struct mbuf *frag,
  288                     struct label *fraglabel);
  289 typedef void    (*mpo_netinet_icmp_reply_t)(struct mbuf *mrecv,
  290                     struct label *mrecvlabel, struct mbuf *msend,
  291                     struct label *msendlabel);
  292 typedef void    (*mpo_netinet_icmp_replyinplace_t)(struct mbuf *m,
  293                     struct label *mlabel);
  294 typedef void    (*mpo_netinet_igmp_send_t)(struct ifnet *ifp,
  295                     struct label *ifplabel, struct mbuf *m,
  296                     struct label *mlabel);
  297 typedef void    (*mpo_netinet_tcp_reply_t)(struct mbuf *m,
  298                     struct label *mlabel);
  299 
  /* Labels an IPv6 neighbour-discovery packet m the stack originates on ifp. */
  300 typedef void    (*mpo_netinet6_nd6_send_t)(struct ifnet *ifp,
  301                     struct label *ifplabel, struct mbuf *m,
  302                     struct label *mlabel);
  303 
  /*
   * Pipe hooks.  The check_* family gates ioctl, poll, read, relabel, stat
   * and write on pipe pair pp by credential cred; create labels a new pipe
   * from its creator; relabel receives both old and new labels.
   * NOTE(review): for check_ioctl, data is the ioctl argument and cmd the
   * request code; whether data has already been copied in depends on the
   * ioctl path -- confirm before a policy inspects it.
   */
  304 typedef int     (*mpo_pipe_check_ioctl_t)(struct ucred *cred,
  305                     struct pipepair *pp, struct label *pplabel,
  306                     unsigned long cmd, void *data);
  307 typedef int     (*mpo_pipe_check_poll_t)(struct ucred *cred,
  308                     struct pipepair *pp, struct label *pplabel);
  309 typedef int     (*mpo_pipe_check_read_t)(struct ucred *cred,
  310                     struct pipepair *pp, struct label *pplabel);
  311 typedef int     (*mpo_pipe_check_relabel_t)(struct ucred *cred,
  312                     struct pipepair *pp, struct label *pplabel,
  313                     struct label *newlabel);
  314 typedef int     (*mpo_pipe_check_stat_t)(struct ucred *cred,
  315                     struct pipepair *pp, struct label *pplabel);
  316 typedef int     (*mpo_pipe_check_write_t)(struct ucred *cred,
  317                     struct pipepair *pp, struct label *pplabel);
  318 typedef void    (*mpo_pipe_copy_label_t)(struct label *src,
  319                     struct label *dest);
  320 typedef void    (*mpo_pipe_create_t)(struct ucred *cred, struct pipepair *pp,
  321                     struct label *pplabel);
  322 typedef void    (*mpo_pipe_destroy_label_t)(struct label *label);
  323 typedef int     (*mpo_pipe_externalize_label_t)(struct label *label,
  324                     char *element_name, struct sbuf *sb, int *claimed);
  325 typedef void    (*mpo_pipe_init_label_t)(struct label *label);
  326 typedef int     (*mpo_pipe_internalize_label_t)(struct label *label,
  327                     char *element_name, char *element_data, int *claimed);
  328 typedef void    (*mpo_pipe_relabel_t)(struct ucred *cred, struct pipepair *pp,
  329                     struct label *oldlabel, struct label *newlabel);
  330 
  /*
   * POSIX semaphore hooks.  Operations on an already-open semaphore take two
   * credentials: by the names, active_cred is the calling thread's credential
   * and file_cred the one that opened the object (confirm against callers);
   * a policy deciding on the basis of the opener alone should be aware the
   * two may differ.  open/setmode/setowner/unlink take only the caller.
   * NOTE(review): check_setmode and check_setowner name the ksem label
   * "shmlabel" where their siblings use "kslabel"; this is a naming slip
   * only -- the parameter is still the semaphore's label.
   */
  331 typedef int     (*mpo_posixsem_check_getvalue_t)(struct ucred *active_cred,
  332                     struct ucred *file_cred, struct ksem *ks,
  333                     struct label *kslabel);
  334 typedef int     (*mpo_posixsem_check_open_t)(struct ucred *cred,
  335                     struct ksem *ks, struct label *kslabel);
  336 typedef int     (*mpo_posixsem_check_post_t)(struct ucred *active_cred,
  337                     struct ucred *file_cred, struct ksem *ks,
  338                     struct label *kslabel);
  339 typedef int     (*mpo_posixsem_check_setmode_t)(struct ucred *cred,
  340                     struct ksem *ks, struct label *shmlabel,
  341                     mode_t mode);
  342 typedef int     (*mpo_posixsem_check_setowner_t)(struct ucred *cred,
  343                     struct ksem *ks, struct label *shmlabel,
  344                     uid_t uid, gid_t gid);
  345 typedef int     (*mpo_posixsem_check_stat_t)(struct ucred *active_cred,
  346                     struct ucred *file_cred, struct ksem *ks,
  347                     struct label *kslabel);
  348 typedef int     (*mpo_posixsem_check_unlink_t)(struct ucred *cred,
  349                     struct ksem *ks, struct label *kslabel);
  350 typedef int     (*mpo_posixsem_check_wait_t)(struct ucred *active_cred,
  351                     struct ucred *file_cred, struct ksem *ks,
  352                     struct label *kslabel);
  353 typedef void    (*mpo_posixsem_create_t)(struct ucred *cred,
  354                     struct ksem *ks, struct label *kslabel);
  355 typedef void    (*mpo_posixsem_destroy_label_t)(struct label *label);
  356 typedef void    (*mpo_posixsem_init_label_t)(struct label *label);
  357 
  /*
   * POSIX shared memory hooks.  check_create runs before any object exists
   * and so sees only the requested path; the remaining check_* hooks carry the
   * shmfd and its label.  check_mmap receives the requested prot and flags,
   * check_open the requested accmode.  As with posixsem, the active_cred /
   * file_cred pairs distinguish the caller from the opener (name-based
   * reading -- confirm against callers).
   */
  358 typedef int     (*mpo_posixshm_check_create_t)(struct ucred *cred,
  359                     const char *path);
  360 typedef int     (*mpo_posixshm_check_mmap_t)(struct ucred *cred,
  361                     struct shmfd *shmfd, struct label *shmlabel, int prot,
  362                     int flags);
  363 typedef int     (*mpo_posixshm_check_open_t)(struct ucred *cred,
  364                     struct shmfd *shmfd, struct label *shmlabel,
  365                     accmode_t accmode);
  366 typedef int     (*mpo_posixshm_check_read_t)(struct ucred *active_cred,
  367                     struct ucred *file_cred, struct shmfd *shmfd,
  368                     struct label *shmlabel);
  369 typedef int     (*mpo_posixshm_check_setmode_t)(struct ucred *cred,
  370                     struct shmfd *shmfd, struct label *shmlabel,
  371                     mode_t mode);
  372 typedef int     (*mpo_posixshm_check_setowner_t)(struct ucred *cred,
  373                     struct shmfd *shmfd, struct label *shmlabel,
  374                     uid_t uid, gid_t gid);
  375 typedef int     (*mpo_posixshm_check_stat_t)(struct ucred *active_cred,
  376                     struct ucred *file_cred, struct shmfd *shmfd,
  377                     struct label *shmlabel);
  378 typedef int     (*mpo_posixshm_check_truncate_t)(struct ucred *active_cred,
  379                     struct ucred *file_cred, struct shmfd *shmfd,
  380                     struct label *shmlabel);
  381 typedef int     (*mpo_posixshm_check_unlink_t)(struct ucred *cred,
  382                     struct shmfd *shmfd, struct label *shmlabel);
  383 typedef int     (*mpo_posixshm_check_write_t)(struct ucred *active_cred,
  384                     struct ucred *file_cred, struct shmfd *shmfd,
  385                     struct label *shmlabel);
  386 typedef void    (*mpo_posixshm_create_t)(struct ucred *cred,
  387                     struct shmfd *shmfd, struct label *shmlabel);
  388 typedef void    (*mpo_posixshm_destroy_label_t)(struct label *label);
  389 typedef void    (*mpo_posixshm_init_label_t)(struct label *label);
  390 
  /*
   * Privilege hooks, consulted from the kernel's privilege check (priv(9)).
   * By their names, priv_check lets a policy veto privilege priv for cred,
   * while priv_grant lets it confer a privilege the credential would not
   * otherwise hold -- the latter widens authority, so implement it narrowly.
   */
  391 typedef int     (*mpo_priv_check_t)(struct ucred *cred, int priv);
  392 typedef int     (*mpo_priv_grant_t)(struct ucred *cred, int priv);
  393 
  /*
   * Process hooks: whether cred may debug (ptrace-style), reschedule, signal
   * (with signum) or wait on process p.  Process labels have only init and
   * destroy here; the subject label lives on the credential.
   */
  394 typedef int     (*mpo_proc_check_debug_t)(struct ucred *cred,
  395                     struct proc *p);
  396 typedef int     (*mpo_proc_check_sched_t)(struct ucred *cred,
  397                     struct proc *p);
  398 typedef int     (*mpo_proc_check_signal_t)(struct ucred *cred,
  399                     struct proc *proc, int signum);
  400 typedef int     (*mpo_proc_check_wait_t)(struct ucred *cred,
  401                     struct proc *proc);
  402 typedef void    (*mpo_proc_destroy_label_t)(struct label *label);
  403 typedef void    (*mpo_proc_init_label_t)(struct label *label);
  404 
  /*
   * Socket hooks.  check_create sees only domain/type/protocol (no socket
   * exists yet); the other check_* hooks gate a credential's use of socket so.
   * check_deliver is the inbound counterpart of ifnet check_transmit: it can
   * refuse mbuf m for socket so.  newconn labels a socket spawned by accept
   * from its listening parent; relabel receives old and new labels.
   * init_label returns int and takes flag, so allocation may fail.
   * NOTE(review): sa in check_bind/check_connect is the address the caller
   * supplied; validate its family/length before interpreting it.
   */
  405 typedef int     (*mpo_socket_check_accept_t)(struct ucred *cred,
  406                     struct socket *so, struct label *solabel);
  407 typedef int     (*mpo_socket_check_bind_t)(struct ucred *cred,
  408                     struct socket *so, struct label *solabel,
  409                     struct sockaddr *sa);
  410 typedef int     (*mpo_socket_check_connect_t)(struct ucred *cred,
  411                     struct socket *so, struct label *solabel,
  412                     struct sockaddr *sa);
  413 typedef int     (*mpo_socket_check_create_t)(struct ucred *cred, int domain,
  414                     int type, int protocol);
  415 typedef int     (*mpo_socket_check_deliver_t)(struct socket *so,
  416                     struct label *solabel, struct mbuf *m,
  417                     struct label *mlabel);
  418 typedef int     (*mpo_socket_check_listen_t)(struct ucred *cred,
  419                     struct socket *so, struct label *solabel);
  420 typedef int     (*mpo_socket_check_poll_t)(struct ucred *cred,
  421                     struct socket *so, struct label *solabel);
  422 typedef int     (*mpo_socket_check_receive_t)(struct ucred *cred,
  423                     struct socket *so, struct label *solabel);
  424 typedef int     (*mpo_socket_check_relabel_t)(struct ucred *cred,
  425                     struct socket *so, struct label *solabel,
  426                     struct label *newlabel);
  427 typedef int     (*mpo_socket_check_send_t)(struct ucred *cred,
  428                     struct socket *so, struct label *solabel);
  429 typedef int     (*mpo_socket_check_stat_t)(struct ucred *cred,
  430                     struct socket *so, struct label *solabel);
  431 typedef int     (*mpo_socket_check_visible_t)(struct ucred *cred,
  432                     struct socket *so, struct label *solabel);
  433 typedef void    (*mpo_socket_copy_label_t)(struct label *src,
  434                     struct label *dest);
  435 typedef void    (*mpo_socket_create_t)(struct ucred *cred, struct socket *so,
  436                     struct label *solabel);
  437 typedef void    (*mpo_socket_create_mbuf_t)(struct socket *so,
  438                     struct label *solabel, struct mbuf *m,
  439                     struct label *mlabel);
  440 typedef void    (*mpo_socket_destroy_label_t)(struct label *label);
  441 typedef int     (*mpo_socket_externalize_label_t)(struct label *label,
  442                     char *element_name, struct sbuf *sb, int *claimed);
  443 typedef int     (*mpo_socket_init_label_t)(struct label *label, int flag);
  444 typedef int     (*mpo_socket_internalize_label_t)(struct label *label,
  445                     char *element_name, char *element_data, int *claimed);
  446 typedef void    (*mpo_socket_newconn_t)(struct socket *oldso,
  447                     struct label *oldsolabel, struct socket *newso,
  448                     struct label *newsolabel);
  449 typedef void    (*mpo_socket_relabel_t)(struct ucred *cred, struct socket *so,
  450                     struct label *oldlabel, struct label *newlabel);
  451 
  /*
   * Socket peer label hooks.  The peer label records who is on the other end
   * of a connection: set_from_mbuf derives it from the first received mbuf,
   * set_from_socket from the connecting socket (local connections).  There
   * is no internalize hook -- peer labels are observable, not settable.
   */
  452 typedef void    (*mpo_socketpeer_destroy_label_t)(struct label *label);
  453 typedef int     (*mpo_socketpeer_externalize_label_t)(struct label *label,
  454                     char *element_name, struct sbuf *sb, int *claimed);
  455 typedef int     (*mpo_socketpeer_init_label_t)(struct label *label,
  456                     int flag);
  457 typedef void    (*mpo_socketpeer_set_from_mbuf_t)(struct mbuf *m,
  458                     struct label *mlabel, struct socket *so,
  459                     struct label *sopeerlabel);
  460 typedef void    (*mpo_socketpeer_set_from_socket_t)(struct socket *oldso,
  461                     struct label *oldsolabel, struct socket *newso,
  462                     struct label *newsopeerlabel);
  463 
  /*
   * TCP syncache hooks.  A syncache entry stands in for a connection before
   * its socket exists; create labels the entry from the listening inp, and
   * create_mbuf labels the SYN/ACK (and retransmits) sent on its behalf so
   * they carry the listener's label (name-based reading).
   */
  464 typedef void    (*mpo_syncache_create_t)(struct label *label,
  465                     struct inpcb *inp);
  466 typedef void    (*mpo_syncache_create_mbuf_t)(struct label *sc_label,
  467                     struct mbuf *m, struct label *mlabel);
  468 typedef void    (*mpo_syncache_destroy_label_t)(struct label *label);
  469 typedef int     (*mpo_syncache_init_label_t)(struct label *label, int flag);
  470 
  /*
   * System-wide operation hooks: accounting (acct), submitting an audit
   * record (audit), pointing the audit log at a vnode (auditctl), audit
   * control commands (auditon, with cmd), reboot (with howto), swapon/swapoff
   * on vnode vp, and sysctl access to oidp.
   * NOTE(review): for check_audit, record is a caller-supplied buffer of
   * length bytes; bound any inspection by length and do not assume the
   * record is well-formed.  For check_sysctl, arg1/arg2 are the OID's
   * opaque handler arguments and req carries the request -- whether req's
   * buffers are user or kernel addresses depends on the caller; confirm.
   */
  471 typedef int     (*mpo_system_check_acct_t)(struct ucred *cred,
  472                     struct vnode *vp, struct label *vplabel);
  473 typedef int     (*mpo_system_check_audit_t)(struct ucred *cred, void *record,
  474                     int length);
  475 typedef int     (*mpo_system_check_auditctl_t)(struct ucred *cred,
  476                     struct vnode *vp, struct label *vplabel);
  477 typedef int     (*mpo_system_check_auditon_t)(struct ucred *cred, int cmd);
  478 typedef int     (*mpo_system_check_reboot_t)(struct ucred *cred, int howto);
  479 typedef int     (*mpo_system_check_swapon_t)(struct ucred *cred,
  480                     struct vnode *vp, struct label *vplabel);
  481 typedef int     (*mpo_system_check_swapoff_t)(struct ucred *cred,
  482                     struct vnode *vp, struct label *vplabel);
  483 typedef int     (*mpo_system_check_sysctl_t)(struct ucred *cred,
  484                     struct sysctl_oid *oidp, void *arg1, int arg2,
  485                     struct sysctl_req *req);
  486 
  /*
   * System V message hooks.  create labels a message msgptr as it is placed
   * on queue msqkptr, from the sender's credential and the queue's label.
   * cleanup (as distinct from destroy_label) resets a label when the object
   * is recycled rather than freed -- inferred from the name pair; confirm.
   */
  487 typedef void    (*mpo_sysvmsg_cleanup_t)(struct label *msglabel);
  488 typedef void    (*mpo_sysvmsg_create_t)(struct ucred *cred,
  489                     struct msqid_kernel *msqkptr, struct label *msqlabel,
  490                     struct msg *msgptr, struct label *msglabel);
  491 typedef void    (*mpo_sysvmsg_destroy_label_t)(struct label *label);
  492 typedef void    (*mpo_sysvmsg_init_label_t)(struct label *label);
  493 
  /*
   * System V message queue hooks.  check_msgmsq decides whether message
   * msgptr may be enqueued on msqkptr (both labels supplied); check_msgrcv
   * and check_msgrmid gate receiving/removing a specific message; the
   * check_msq* hooks gate queue-level get/ctl (with cmd)/rcv/snd.  cleanup
   * vs destroy_label follows the sysvmsg convention above.
   */
  494 typedef int     (*mpo_sysvmsq_check_msgmsq_t)(struct ucred *cred,
  495                     struct msg *msgptr, struct label *msglabel,
  496                     struct msqid_kernel *msqkptr, struct label *msqklabel);
  497 typedef int     (*mpo_sysvmsq_check_msgrcv_t)(struct ucred *cred,
  498                     struct msg *msgptr, struct label *msglabel);
  499 typedef int     (*mpo_sysvmsq_check_msgrmid_t)(struct ucred *cred,
  500                     struct msg *msgptr, struct label *msglabel);
  501 typedef int     (*mpo_sysvmsq_check_msqget_t)(struct ucred *cred,
  502                     struct msqid_kernel *msqkptr, struct label *msqklabel);
  503 typedef int     (*mpo_sysvmsq_check_msqctl_t)(struct ucred *cred,
  504                     struct msqid_kernel *msqkptr, struct label *msqklabel,
  505                     int cmd);
  506 typedef int     (*mpo_sysvmsq_check_msqrcv_t)(struct ucred *cred,
  507                     struct msqid_kernel *msqkptr, struct label *msqklabel);
  508 typedef int     (*mpo_sysvmsq_check_msqsnd_t)(struct ucred *cred,
  509                     struct msqid_kernel *msqkptr, struct label *msqklabel);
  510 typedef void    (*mpo_sysvmsq_cleanup_t)(struct label *msqlabel);
  511 typedef void    (*mpo_sysvmsq_create_t)(struct ucred *cred,
  512                     struct msqid_kernel *msqkptr, struct label *msqlabel);
  513 typedef void    (*mpo_sysvmsq_destroy_label_t)(struct label *label);
  514 typedef void    (*mpo_sysvmsq_init_label_t)(struct label *label);
  515 
  /*
   * System V semaphore hooks: semctl (with cmd), semget and semop on set
   * semakptr.  check_semop's accesstype is a size_t rather than an int flag;
   * presumably a bitmask of the read/alter access the operation needs --
   * confirm against the caller before masking it.
   */
  516 typedef int     (*mpo_sysvsem_check_semctl_t)(struct ucred *cred,
  517                     struct semid_kernel *semakptr, struct label *semaklabel,
  518                     int cmd);
  519 typedef int     (*mpo_sysvsem_check_semget_t)(struct ucred *cred,
  520                     struct semid_kernel *semakptr, struct label *semaklabel);
  521 typedef int     (*mpo_sysvsem_check_semop_t)(struct ucred *cred,
  522                     struct semid_kernel *semakptr, struct label *semaklabel,
  523                     size_t accesstype);
  524 typedef void    (*mpo_sysvsem_cleanup_t)(struct label *semalabel);
  525 typedef void    (*mpo_sysvsem_create_t)(struct ucred *cred,
  526                     struct semid_kernel *semakptr, struct label *semalabel);
  527 typedef void    (*mpo_sysvsem_destroy_label_t)(struct label *label);
  528 typedef void    (*mpo_sysvsem_init_label_t)(struct label *label);
  529 
  /*
   * System V shared memory hooks: attach (shmat, with the caller's shmflg),
   * control (shmctl, with cmd), detach (shmdt) and lookup/create (shmget,
   * with shmflg) on segment shmsegptr.  shmflg in check_shmat carries the
   * requested access mode, so a policy can refuse a writable attach while
   * permitting a read-only one.
   */
  530 typedef int     (*mpo_sysvshm_check_shmat_t)(struct ucred *cred,
  531                     struct shmid_kernel *shmsegptr,
  532                     struct label *shmseglabel, int shmflg);
  533 typedef int     (*mpo_sysvshm_check_shmctl_t)(struct ucred *cred,
  534                     struct shmid_kernel *shmsegptr,
  535                     struct label *shmseglabel, int cmd);
  536 typedef int     (*mpo_sysvshm_check_shmdt_t)(struct ucred *cred,
  537                     struct shmid_kernel *shmsegptr,
  538                     struct label *shmseglabel);
  539 typedef int     (*mpo_sysvshm_check_shmget_t)(struct ucred *cred,
  540                     struct shmid_kernel *shmsegptr,
  541                     struct label *shmseglabel, int shmflg);
  542 typedef void    (*mpo_sysvshm_cleanup_t)(struct label *shmlabel);
  543 typedef void    (*mpo_sysvshm_create_t)(struct ucred *cred,
  544                     struct shmid_kernel *shmsegptr, struct label *shmlabel);
  545 typedef void    (*mpo_sysvshm_destroy_label_t)(struct label *label);
  546 typedef void    (*mpo_sysvshm_init_label_t)(struct label *label);
  547 
      /* Per-thread notification hook; takes the thread only and cannot deny.
       * The name suggests it runs on return to user mode -- confirm at the
       * call site, the timing is not visible here. */
  548 typedef void    (*mpo_thread_userret_t)(struct thread *thread);
  549 
      /*
       * Attach a label to a vnode from its mount.  The extattr variant
       * returns int (it can fail); the singlelabel variant returns void, so
       * callers get no error from it.
       */
  550 typedef int     (*mpo_vnode_associate_extattr_t)(struct mount *mp,
  551                     struct label *mplabel, struct vnode *vp,
  552                     struct label *vplabel);
  553 typedef void    (*mpo_vnode_associate_singlelabel_t)(struct mount *mp,
  554                     struct label *mplabel, struct vnode *vp,
  555                     struct label *vplabel);
      /*
       * Vnode access-control entry points.  Most hooks take a single
       * credential (the caller); the poll/read/stat/write hooks take two,
       * active_cred and file_cred, so a policy can distinguish the current
       * caller from the credential associated with the open file.  Directory
       * operations receive the directory vnode (dvp/dvplabel) and, where a
       * target exists, the target vnode (vp/vplabel) and component name.
       * Return convention (0 permits, errno denies) is documented in
       * mac_policy(9), not here.
       */
  556 typedef int     (*mpo_vnode_check_access_t)(struct ucred *cred,
  557                     struct vnode *vp, struct label *vplabel,
  558                     accmode_t accmode);
  559 typedef int     (*mpo_vnode_check_chdir_t)(struct ucred *cred,
  560                     struct vnode *dvp, struct label *dvplabel);
  561 typedef int     (*mpo_vnode_check_chroot_t)(struct ucred *cred,
  562                     struct vnode *dvp, struct label *dvplabel);
  563 typedef int     (*mpo_vnode_check_create_t)(struct ucred *cred,
  564                     struct vnode *dvp, struct label *dvplabel,
  565                     struct componentname *cnp, struct vattr *vap);
  566 typedef int     (*mpo_vnode_check_deleteacl_t)(struct ucred *cred,
  567                     struct vnode *vp, struct label *vplabel,
  568                     acl_type_t type);
  569 typedef int     (*mpo_vnode_check_deleteextattr_t)(struct ucred *cred,
  570                     struct vnode *vp, struct label *vplabel,
  571                     int attrnamespace, const char *name);
      /* Exec check sees the image being executed (imgp) and a separate
       * execlabel in addition to the vnode label. */
  572 typedef int     (*mpo_vnode_check_exec_t)(struct ucred *cred,
  573                     struct vnode *vp, struct label *vplabel,
  574                     struct image_params *imgp, struct label *execlabel);
  575 typedef int     (*mpo_vnode_check_getacl_t)(struct ucred *cred,
  576                     struct vnode *vp, struct label *vplabel,
  577                     acl_type_t type);
  578 typedef int     (*mpo_vnode_check_getextattr_t)(struct ucred *cred,
  579                     struct vnode *vp, struct label *vplabel,
  580                     int attrnamespace, const char *name);
  581 typedef int     (*mpo_vnode_check_link_t)(struct ucred *cred,
  582                     struct vnode *dvp, struct label *dvplabel,
  583                     struct vnode *vp, struct label *vplabel,
  584                     struct componentname *cnp);
  585 typedef int     (*mpo_vnode_check_listextattr_t)(struct ucred *cred,
  586                     struct vnode *vp, struct label *vplabel,
  587                     int attrnamespace);
  588 typedef int     (*mpo_vnode_check_lookup_t)(struct ucred *cred,
  589                     struct vnode *dvp, struct label *dvplabel,
  590                     struct componentname *cnp);
      /* NOTE(review): the label parameter is "label" here, "vplabel"
       * everywhere else in this group. */
  591 typedef int     (*mpo_vnode_check_mmap_t)(struct ucred *cred,
  592                     struct vnode *vp, struct label *label, int prot,
  593                     int flags);
      /* Returns void and takes prot by pointer: a policy cannot deny here,
       * presumably it narrows the requested protection in place -- confirm
       * against the caller. */
  594 typedef void    (*mpo_vnode_check_mmap_downgrade_t)(struct ucred *cred,
  595                     struct vnode *vp, struct label *vplabel, int *prot);
  596 typedef int     (*mpo_vnode_check_mprotect_t)(struct ucred *cred,
  597                     struct vnode *vp, struct label *vplabel, int prot);
  598 typedef int     (*mpo_vnode_check_open_t)(struct ucred *cred,
  599                     struct vnode *vp, struct label *vplabel,
  600                     accmode_t accmode);
      /* Two-credential hooks: active_cred is the caller, file_cred the
       * credential attached to the open file. */
  601 typedef int     (*mpo_vnode_check_poll_t)(struct ucred *active_cred,
  602                     struct ucred *file_cred, struct vnode *vp,
  603                     struct label *vplabel);
  604 typedef int     (*mpo_vnode_check_read_t)(struct ucred *active_cred,
  605                     struct ucred *file_cred, struct vnode *vp,
  606                     struct label *vplabel);
  607 typedef int     (*mpo_vnode_check_readdir_t)(struct ucred *cred,
  608                     struct vnode *dvp, struct label *dvplabel);
  609 typedef int     (*mpo_vnode_check_readlink_t)(struct ucred *cred,
  610                     struct vnode *vp, struct label *vplabel);
      /* Relabel check gets both the current label and the proposed one. */
  611 typedef int     (*mpo_vnode_check_relabel_t)(struct ucred *cred,
  612                     struct vnode *vp, struct label *vplabel,
  613                     struct label *newlabel);
      /* Rename is checked in two halves: the source side and the
       * destination side; samedir flags a rename within one directory. */
  614 typedef int     (*mpo_vnode_check_rename_from_t)(struct ucred *cred,
  615                     struct vnode *dvp, struct label *dvplabel,
  616                     struct vnode *vp, struct label *vplabel,
  617                     struct componentname *cnp);
  618 typedef int     (*mpo_vnode_check_rename_to_t)(struct ucred *cred,
  619                     struct vnode *dvp, struct label *dvplabel,
  620                     struct vnode *vp, struct label *vplabel, int samedir,
  621                     struct componentname *cnp);
  622 typedef int     (*mpo_vnode_check_revoke_t)(struct ucred *cred,
  623                     struct vnode *vp, struct label *vplabel);
  624 typedef int     (*mpo_vnode_check_setacl_t)(struct ucred *cred,
  625                     struct vnode *vp, struct label *vplabel, acl_type_t type,
  626                     struct acl *acl);
  627 typedef int     (*mpo_vnode_check_setextattr_t)(struct ucred *cred,
  628                     struct vnode *vp, struct label *vplabel,
  629                     int attrnamespace, const char *name);
  630 typedef int     (*mpo_vnode_check_setflags_t)(struct ucred *cred,
  631                     struct vnode *vp, struct label *vplabel, u_long flags);
  632 typedef int     (*mpo_vnode_check_setmode_t)(struct ucred *cred,
  633                     struct vnode *vp, struct label *vplabel, mode_t mode);
  634 typedef int     (*mpo_vnode_check_setowner_t)(struct ucred *cred,
  635                     struct vnode *vp, struct label *vplabel, uid_t uid,
  636                     gid_t gid);
      /* Timestamps are passed by value (two struct timespec). */
  637 typedef int     (*mpo_vnode_check_setutimes_t)(struct ucred *cred,
  638                     struct vnode *vp, struct label *vplabel,
  639                     struct timespec atime, struct timespec mtime);
  640 typedef int     (*mpo_vnode_check_stat_t)(struct ucred *active_cred,
  641                     struct ucred *file_cred, struct vnode *vp,
  642                     struct label *vplabel);
  643 typedef int     (*mpo_vnode_check_unlink_t)(struct ucred *cred,
  644                     struct vnode *dvp, struct label *dvplabel,
  645                     struct vnode *vp, struct label *vplabel,
  646                     struct componentname *cnp);
  647 typedef int     (*mpo_vnode_check_write_t)(struct ucred *active_cred,
  648                     struct ucred *file_cred, struct vnode *vp,
  649                     struct label *vplabel);
      /*
       * Vnode label lifecycle and exec-transition entry points.
       */
  650 typedef void    (*mpo_vnode_copy_label_t)(struct label *src,
  651                     struct label *dest);
      /* Label a newly created vnode; receives the mount, the parent
       * directory and the new vnode with their labels.  Returns int, so
       * creation can be failed from here. */
  652 typedef int     (*mpo_vnode_create_extattr_t)(struct ucred *cred,
  653                     struct mount *mp, struct label *mplabel,
  654                     struct vnode *dvp, struct label *dvplabel,
  655                     struct vnode *vp, struct label *vplabel,
  656                     struct componentname *cnp);
  657 typedef void    (*mpo_vnode_destroy_label_t)(struct label *label);
      /* execve transition: "old" is the pre-exec credential, "new" the one
       * being built.  NOTE(review): "new" is a C++ keyword, so this header
       * cannot be included from C++ as written; harmless for kernel C.
       * will_transition is the int-returning query, transition the void
       * action; both see the image vnode, an interpreter label and the
       * image params. */
  658 typedef void    (*mpo_vnode_execve_transition_t)(struct ucred *old,
  659                     struct ucred *new, struct vnode *vp,
  660                     struct label *vplabel, struct label *interpvplabel,
  661                     struct image_params *imgp, struct label *execlabel);
  662 typedef int     (*mpo_vnode_execve_will_transition_t)(struct ucred *old,
  663                     struct vnode *vp, struct label *vplabel,
  664                     struct label *interpvplabel, struct image_params *imgp,
  665                     struct label *execlabel);
      /* Externalize writes a textual form into sb; internalize parses
       * element_data.  *claimed is an output flag -- presumably set when the
       * policy recognises element_name; confirm in the framework code. */
  666 typedef int     (*mpo_vnode_externalize_label_t)(struct label *label,
  667                     char *element_name, struct sbuf *sb, int *claimed);
  668 typedef void    (*mpo_vnode_init_label_t)(struct label *label);
  669 typedef int     (*mpo_vnode_internalize_label_t)(struct label *label,
  670                     char *element_name, char *element_data, int *claimed);
  671 typedef void    (*mpo_vnode_relabel_t)(struct ucred *cred, struct vnode *vp,
  672                     struct label *vplabel, struct label *label);
  673 typedef int     (*mpo_vnode_setlabel_extattr_t)(struct ucred *cred,
  674                     struct vnode *vp, struct label *vplabel,
  675                     struct label *intlabel);
  676 
      /*
       * Entry-point table of a policy module.  The framework reaches it
       * through mac_policy_conf.mpc_ops (see MAC_POLICY_SET() below).
       * NOTE(review): like mac_policy_conf, this layout is compiled into
       * every policy module, so members must not be reordered or removed
       * without bumping MAC_VERSION; the ordering quirks flagged below are
       * therefore left alone.  Whether a NULL member is skipped by the
       * framework is not visible here -- confirm in mac_policy(9).
       */
  677 struct mac_policy_ops {
  678         /*
  679          * Policy module operations.
  680          */
  681         mpo_destroy_t                           mpo_destroy;
  682         mpo_init_t                              mpo_init;
  683 
  684         /*
  685          * General policy-directed security system call so that policies may
  686          * implement new services without reserving explicit system call
  687          * numbers.
  688          */
  689         mpo_syscall_t                           mpo_syscall;
  690 
  691         /*
  692          * Label operations.  Initialize label storage, destroy label
  693          * storage, recycle for re-use without init/destroy, copy a label to
  694          * initialized storage, and externalize/internalize from/to
  695          * initialized storage.
  696          */
  697         mpo_bpfdesc_check_receive_t             mpo_bpfdesc_check_receive;
  698         mpo_bpfdesc_create_t                    mpo_bpfdesc_create;
  699         mpo_bpfdesc_create_mbuf_t               mpo_bpfdesc_create_mbuf;
  700         mpo_bpfdesc_destroy_label_t             mpo_bpfdesc_destroy_label;
  701         mpo_bpfdesc_init_label_t                mpo_bpfdesc_init_label;
  702 
  703         mpo_cred_associate_nfsd_t               mpo_cred_associate_nfsd;
  704         mpo_cred_check_relabel_t                mpo_cred_check_relabel;
  705         mpo_cred_check_setaudit_t               mpo_cred_check_setaudit;
  706         mpo_cred_check_setaudit_addr_t          mpo_cred_check_setaudit_addr;
  707         mpo_cred_check_setauid_t                mpo_cred_check_setauid;
  708         mpo_cred_check_setuid_t                 mpo_cred_check_setuid;
  709         mpo_cred_check_seteuid_t                mpo_cred_check_seteuid;
  710         mpo_cred_check_setgid_t                 mpo_cred_check_setgid;
  711         mpo_cred_check_setegid_t                mpo_cred_check_setegid;
  712         mpo_cred_check_setgroups_t              mpo_cred_check_setgroups;
  713         mpo_cred_check_setreuid_t               mpo_cred_check_setreuid;
  714         mpo_cred_check_setregid_t               mpo_cred_check_setregid;
  715         mpo_cred_check_setresuid_t              mpo_cred_check_setresuid;
  716         mpo_cred_check_setresgid_t              mpo_cred_check_setresgid;
  717         mpo_cred_check_visible_t                mpo_cred_check_visible;
  718         mpo_cred_copy_label_t                   mpo_cred_copy_label;
  719         mpo_cred_create_swapper_t               mpo_cred_create_swapper;
  720         mpo_cred_create_init_t                  mpo_cred_create_init;
  721         mpo_cred_destroy_label_t                mpo_cred_destroy_label;
  722         mpo_cred_externalize_label_t            mpo_cred_externalize_label;
  723         mpo_cred_init_label_t                   mpo_cred_init_label;
  724         mpo_cred_internalize_label_t            mpo_cred_internalize_label;
  725         mpo_cred_relabel_t                      mpo_cred_relabel;
  726 
  727         mpo_devfs_create_device_t               mpo_devfs_create_device;
  728         mpo_devfs_create_directory_t            mpo_devfs_create_directory;
  729         mpo_devfs_create_symlink_t              mpo_devfs_create_symlink;
  730         mpo_devfs_destroy_label_t               mpo_devfs_destroy_label;
  731         mpo_devfs_init_label_t                  mpo_devfs_init_label;
  732         mpo_devfs_update_t                      mpo_devfs_update;
  733         mpo_devfs_vnode_associate_t             mpo_devfs_vnode_associate;
  734 
  735         mpo_ifnet_check_relabel_t               mpo_ifnet_check_relabel;
  736         mpo_ifnet_check_transmit_t              mpo_ifnet_check_transmit;
  737         mpo_ifnet_copy_label_t                  mpo_ifnet_copy_label;
  738         mpo_ifnet_create_t                      mpo_ifnet_create;
  739         mpo_ifnet_create_mbuf_t                 mpo_ifnet_create_mbuf;
  740         mpo_ifnet_destroy_label_t               mpo_ifnet_destroy_label;
  741         mpo_ifnet_externalize_label_t           mpo_ifnet_externalize_label;
  742         mpo_ifnet_init_label_t                  mpo_ifnet_init_label;
  743         mpo_ifnet_internalize_label_t           mpo_ifnet_internalize_label;
  744         mpo_ifnet_relabel_t                     mpo_ifnet_relabel;
  745 
  746         mpo_inpcb_check_deliver_t               mpo_inpcb_check_deliver;
  747         mpo_inpcb_check_visible_t               mpo_inpcb_check_visible;
  748         mpo_inpcb_create_t                      mpo_inpcb_create;
  749         mpo_inpcb_create_mbuf_t                 mpo_inpcb_create_mbuf;
  750         mpo_inpcb_destroy_label_t               mpo_inpcb_destroy_label;
  751         mpo_inpcb_init_label_t                  mpo_inpcb_init_label;
  752         mpo_inpcb_sosetlabel_t                  mpo_inpcb_sosetlabel;
  753 
  754         mpo_ip6q_create_t                       mpo_ip6q_create;
  755         mpo_ip6q_destroy_label_t                mpo_ip6q_destroy_label;
  756         mpo_ip6q_init_label_t                   mpo_ip6q_init_label;
  757         mpo_ip6q_match_t                        mpo_ip6q_match;
              /* NOTE(review): the reassemble member types lack the "_t"
               * suffix every other entry-point typedef carries (here and
               * for mpo_ipq_reassemble below).  The typedefs themselves are
               * outside this view; renaming them would be a source-level
               * change only, not an ABI change. */
  758         mpo_ip6q_reassemble                     mpo_ip6q_reassemble;
  759         mpo_ip6q_update_t                       mpo_ip6q_update;
  760 
  761         mpo_ipq_create_t                        mpo_ipq_create;
  762         mpo_ipq_destroy_label_t                 mpo_ipq_destroy_label;
  763         mpo_ipq_init_label_t                    mpo_ipq_init_label;
  764         mpo_ipq_match_t                         mpo_ipq_match;
  765         mpo_ipq_reassemble                      mpo_ipq_reassemble;
  766         mpo_ipq_update_t                        mpo_ipq_update;
  767 
  768         mpo_kenv_check_dump_t                   mpo_kenv_check_dump;
  769         mpo_kenv_check_get_t                    mpo_kenv_check_get;
  770         mpo_kenv_check_set_t                    mpo_kenv_check_set;
  771         mpo_kenv_check_unset_t                  mpo_kenv_check_unset;
  772 
  773         mpo_kld_check_load_t                    mpo_kld_check_load;
  774         mpo_kld_check_stat_t                    mpo_kld_check_stat;
  775 
  776         mpo_mbuf_copy_label_t                   mpo_mbuf_copy_label;
  777         mpo_mbuf_destroy_label_t                mpo_mbuf_destroy_label;
  778         mpo_mbuf_init_label_t                   mpo_mbuf_init_label;
  779 
  780         mpo_mount_check_stat_t                  mpo_mount_check_stat;
  781         mpo_mount_create_t                      mpo_mount_create;
  782         mpo_mount_destroy_label_t               mpo_mount_destroy_label;
  783         mpo_mount_init_label_t                  mpo_mount_init_label;
  784 
  785         mpo_netatalk_aarp_send_t                mpo_netatalk_aarp_send;
  786 
  787         mpo_netinet_arp_send_t                  mpo_netinet_arp_send;
  788         mpo_netinet_firewall_reply_t            mpo_netinet_firewall_reply;
  789         mpo_netinet_firewall_send_t             mpo_netinet_firewall_send;
  790         mpo_netinet_fragment_t                  mpo_netinet_fragment;
  791         mpo_netinet_icmp_reply_t                mpo_netinet_icmp_reply;
  792         mpo_netinet_icmp_replyinplace_t         mpo_netinet_icmp_replyinplace;
  793         mpo_netinet_igmp_send_t                 mpo_netinet_igmp_send;
  794         mpo_netinet_tcp_reply_t                 mpo_netinet_tcp_reply;
  795 
  796         mpo_netinet6_nd6_send_t                 mpo_netinet6_nd6_send;
  797 
  798         mpo_pipe_check_ioctl_t                  mpo_pipe_check_ioctl;
  799         mpo_pipe_check_poll_t                   mpo_pipe_check_poll;
  800         mpo_pipe_check_read_t                   mpo_pipe_check_read;
  801         mpo_pipe_check_relabel_t                mpo_pipe_check_relabel;
  802         mpo_pipe_check_stat_t                   mpo_pipe_check_stat;
  803         mpo_pipe_check_write_t                  mpo_pipe_check_write;
  804         mpo_pipe_copy_label_t                   mpo_pipe_copy_label;
  805         mpo_pipe_create_t                       mpo_pipe_create;
  806         mpo_pipe_destroy_label_t                mpo_pipe_destroy_label;
  807         mpo_pipe_externalize_label_t            mpo_pipe_externalize_label;
  808         mpo_pipe_init_label_t                   mpo_pipe_init_label;
  809         mpo_pipe_internalize_label_t            mpo_pipe_internalize_label;
  810         mpo_pipe_relabel_t                      mpo_pipe_relabel;
  811 
  812         mpo_posixsem_check_getvalue_t           mpo_posixsem_check_getvalue;
  813         mpo_posixsem_check_open_t               mpo_posixsem_check_open;
  814         mpo_posixsem_check_post_t               mpo_posixsem_check_post;
  815         mpo_posixsem_check_setmode_t            mpo_posixsem_check_setmode;
  816         mpo_posixsem_check_setowner_t           mpo_posixsem_check_setowner;
  817         mpo_posixsem_check_stat_t               mpo_posixsem_check_stat;
  818         mpo_posixsem_check_unlink_t             mpo_posixsem_check_unlink;
  819         mpo_posixsem_check_wait_t               mpo_posixsem_check_wait;
  820         mpo_posixsem_create_t                   mpo_posixsem_create;
  821         mpo_posixsem_destroy_label_t            mpo_posixsem_destroy_label;
  822         mpo_posixsem_init_label_t               mpo_posixsem_init_label;
  823 
  824         mpo_posixshm_check_create_t             mpo_posixshm_check_create;
  825         mpo_posixshm_check_mmap_t               mpo_posixshm_check_mmap;
  826         mpo_posixshm_check_open_t               mpo_posixshm_check_open;
  827         mpo_posixshm_check_read_t               mpo_posixshm_check_read;
  828         mpo_posixshm_check_setmode_t            mpo_posixshm_check_setmode;
  829         mpo_posixshm_check_setowner_t           mpo_posixshm_check_setowner;
  830         mpo_posixshm_check_stat_t               mpo_posixshm_check_stat;
  831         mpo_posixshm_check_truncate_t           mpo_posixshm_check_truncate;
  832         mpo_posixshm_check_unlink_t             mpo_posixshm_check_unlink;
  833         mpo_posixshm_check_write_t              mpo_posixshm_check_write;
  834         mpo_posixshm_create_t                   mpo_posixshm_create;
  835         mpo_posixshm_destroy_label_t            mpo_posixshm_destroy_label;
  836         mpo_posixshm_init_label_t               mpo_posixshm_init_label;
  837 
              /* Privilege hooks: a check can deny a privilege, a grant can
               * extend one; their typedefs are outside this view. */
  838         mpo_priv_check_t                        mpo_priv_check;
  839         mpo_priv_grant_t                        mpo_priv_grant;
  840 
  841         mpo_proc_check_debug_t                  mpo_proc_check_debug;
  842         mpo_proc_check_sched_t                  mpo_proc_check_sched;
  843         mpo_proc_check_signal_t                 mpo_proc_check_signal;
  844         mpo_proc_check_wait_t                   mpo_proc_check_wait;
  845         mpo_proc_destroy_label_t                mpo_proc_destroy_label;
  846         mpo_proc_init_label_t                   mpo_proc_init_label;
  847 
  848         mpo_socket_check_accept_t               mpo_socket_check_accept;
  849         mpo_socket_check_bind_t                 mpo_socket_check_bind;
  850         mpo_socket_check_connect_t              mpo_socket_check_connect;
  851         mpo_socket_check_create_t               mpo_socket_check_create;
  852         mpo_socket_check_deliver_t              mpo_socket_check_deliver;
  853         mpo_socket_check_listen_t               mpo_socket_check_listen;
  854         mpo_socket_check_poll_t                 mpo_socket_check_poll;
  855         mpo_socket_check_receive_t              mpo_socket_check_receive;
  856         mpo_socket_check_relabel_t              mpo_socket_check_relabel;
  857         mpo_socket_check_send_t                 mpo_socket_check_send;
  858         mpo_socket_check_stat_t                 mpo_socket_check_stat;
  859         mpo_socket_check_visible_t              mpo_socket_check_visible;
  860         mpo_socket_copy_label_t                 mpo_socket_copy_label;
  861         mpo_socket_create_t                     mpo_socket_create;
  862         mpo_socket_create_mbuf_t                mpo_socket_create_mbuf;
  863         mpo_socket_destroy_label_t              mpo_socket_destroy_label;
  864         mpo_socket_externalize_label_t          mpo_socket_externalize_label;
  865         mpo_socket_init_label_t                 mpo_socket_init_label;
  866         mpo_socket_internalize_label_t          mpo_socket_internalize_label;
  867         mpo_socket_newconn_t                    mpo_socket_newconn;
  868         mpo_socket_relabel_t                    mpo_socket_relabel;
  869 
  870         mpo_socketpeer_destroy_label_t          mpo_socketpeer_destroy_label;
  871         mpo_socketpeer_externalize_label_t      mpo_socketpeer_externalize_label;
  872         mpo_socketpeer_init_label_t             mpo_socketpeer_init_label;
  873         mpo_socketpeer_set_from_mbuf_t          mpo_socketpeer_set_from_mbuf;
  874         mpo_socketpeer_set_from_socket_t        mpo_socketpeer_set_from_socket;
  875 
              /* NOTE(review): this group is not in the alphabetical order
               * the rest of the table uses (init before destroy); left as
               * is because reordering would change the ABI. */
  876         mpo_syncache_init_label_t               mpo_syncache_init_label;
  877         mpo_syncache_destroy_label_t            mpo_syncache_destroy_label;
  878         mpo_syncache_create_t                   mpo_syncache_create;
  879         mpo_syncache_create_mbuf_t              mpo_syncache_create_mbuf;
  880 
  881         mpo_system_check_acct_t                 mpo_system_check_acct;
  882         mpo_system_check_audit_t                mpo_system_check_audit;
  883         mpo_system_check_auditctl_t             mpo_system_check_auditctl;
  884         mpo_system_check_auditon_t              mpo_system_check_auditon;
  885         mpo_system_check_reboot_t               mpo_system_check_reboot;
  886         mpo_system_check_swapon_t               mpo_system_check_swapon;
  887         mpo_system_check_swapoff_t              mpo_system_check_swapoff;
  888         mpo_system_check_sysctl_t               mpo_system_check_sysctl;
  889 
  890         mpo_sysvmsg_cleanup_t                   mpo_sysvmsg_cleanup;
  891         mpo_sysvmsg_create_t                    mpo_sysvmsg_create;
  892         mpo_sysvmsg_destroy_label_t             mpo_sysvmsg_destroy_label;
  893         mpo_sysvmsg_init_label_t                mpo_sysvmsg_init_label;
  894 
  895         mpo_sysvmsq_check_msgmsq_t              mpo_sysvmsq_check_msgmsq;
  896         mpo_sysvmsq_check_msgrcv_t              mpo_sysvmsq_check_msgrcv;
  897         mpo_sysvmsq_check_msgrmid_t             mpo_sysvmsq_check_msgrmid;
  898         mpo_sysvmsq_check_msqctl_t              mpo_sysvmsq_check_msqctl;
  899         mpo_sysvmsq_check_msqget_t              mpo_sysvmsq_check_msqget;
  900         mpo_sysvmsq_check_msqrcv_t              mpo_sysvmsq_check_msqrcv;
  901         mpo_sysvmsq_check_msqsnd_t              mpo_sysvmsq_check_msqsnd;
  902         mpo_sysvmsq_cleanup_t                   mpo_sysvmsq_cleanup;
  903         mpo_sysvmsq_create_t                    mpo_sysvmsq_create;
  904         mpo_sysvmsq_destroy_label_t             mpo_sysvmsq_destroy_label;
  905         mpo_sysvmsq_init_label_t                mpo_sysvmsq_init_label;
  906 
  907         mpo_sysvsem_check_semctl_t              mpo_sysvsem_check_semctl;
  908         mpo_sysvsem_check_semget_t              mpo_sysvsem_check_semget;
  909         mpo_sysvsem_check_semop_t               mpo_sysvsem_check_semop;
  910         mpo_sysvsem_cleanup_t                   mpo_sysvsem_cleanup;
  911         mpo_sysvsem_create_t                    mpo_sysvsem_create;
  912         mpo_sysvsem_destroy_label_t             mpo_sysvsem_destroy_label;
  913         mpo_sysvsem_init_label_t                mpo_sysvsem_init_label;
  914 
  915         mpo_sysvshm_check_shmat_t               mpo_sysvshm_check_shmat;
  916         mpo_sysvshm_check_shmctl_t              mpo_sysvshm_check_shmctl;
  917         mpo_sysvshm_check_shmdt_t               mpo_sysvshm_check_shmdt;
  918         mpo_sysvshm_check_shmget_t              mpo_sysvshm_check_shmget;
  919         mpo_sysvshm_cleanup_t                   mpo_sysvshm_cleanup;
  920         mpo_sysvshm_create_t                    mpo_sysvshm_create;
  921         mpo_sysvshm_destroy_label_t             mpo_sysvshm_destroy_label;
  922         mpo_sysvshm_init_label_t                mpo_sysvshm_init_label;
  923 
  924         mpo_thread_userret_t                    mpo_thread_userret;
  925 
              /* Vnode entry points.  The check hooks come first, then the
               * label/lifecycle hooks (associate, copy, create, execve,
               * externalize, init, internalize, relabel, setlabel) -- a
               * different grouping from the typedef order above. */
  926         mpo_vnode_check_access_t                mpo_vnode_check_access;
  927         mpo_vnode_check_chdir_t                 mpo_vnode_check_chdir;
  928         mpo_vnode_check_chroot_t                mpo_vnode_check_chroot;
  929         mpo_vnode_check_create_t                mpo_vnode_check_create;
  930         mpo_vnode_check_deleteacl_t             mpo_vnode_check_deleteacl;
  931         mpo_vnode_check_deleteextattr_t         mpo_vnode_check_deleteextattr;
  932         mpo_vnode_check_exec_t                  mpo_vnode_check_exec;
  933         mpo_vnode_check_getacl_t                mpo_vnode_check_getacl;
  934         mpo_vnode_check_getextattr_t            mpo_vnode_check_getextattr;
  935         mpo_vnode_check_link_t                  mpo_vnode_check_link;
  936         mpo_vnode_check_listextattr_t           mpo_vnode_check_listextattr;
  937         mpo_vnode_check_lookup_t                mpo_vnode_check_lookup;
  938         mpo_vnode_check_mmap_t                  mpo_vnode_check_mmap;
  939         mpo_vnode_check_mmap_downgrade_t        mpo_vnode_check_mmap_downgrade;
  940         mpo_vnode_check_mprotect_t              mpo_vnode_check_mprotect;
  941         mpo_vnode_check_open_t                  mpo_vnode_check_open;
  942         mpo_vnode_check_poll_t                  mpo_vnode_check_poll;
  943         mpo_vnode_check_read_t                  mpo_vnode_check_read;
  944         mpo_vnode_check_readdir_t               mpo_vnode_check_readdir;
  945         mpo_vnode_check_readlink_t              mpo_vnode_check_readlink;
  946         mpo_vnode_check_relabel_t               mpo_vnode_check_relabel;
  947         mpo_vnode_check_rename_from_t           mpo_vnode_check_rename_from;
  948         mpo_vnode_check_rename_to_t             mpo_vnode_check_rename_to;
  949         mpo_vnode_check_revoke_t                mpo_vnode_check_revoke;
  950         mpo_vnode_check_setacl_t                mpo_vnode_check_setacl;
  951         mpo_vnode_check_setextattr_t            mpo_vnode_check_setextattr;
  952         mpo_vnode_check_setflags_t              mpo_vnode_check_setflags;
  953         mpo_vnode_check_setmode_t               mpo_vnode_check_setmode;
  954         mpo_vnode_check_setowner_t              mpo_vnode_check_setowner;
  955         mpo_vnode_check_setutimes_t             mpo_vnode_check_setutimes;
  956         mpo_vnode_check_stat_t                  mpo_vnode_check_stat;
  957         mpo_vnode_check_unlink_t                mpo_vnode_check_unlink;
  958         mpo_vnode_check_write_t                 mpo_vnode_check_write;
  959         mpo_vnode_associate_extattr_t           mpo_vnode_associate_extattr;
  960         mpo_vnode_associate_singlelabel_t       mpo_vnode_associate_singlelabel;
  961         mpo_vnode_destroy_label_t               mpo_vnode_destroy_label;
  962         mpo_vnode_copy_label_t                  mpo_vnode_copy_label;
  963         mpo_vnode_create_extattr_t              mpo_vnode_create_extattr;
  964         mpo_vnode_execve_transition_t           mpo_vnode_execve_transition;
  965         mpo_vnode_execve_will_transition_t      mpo_vnode_execve_will_transition;
  966         mpo_vnode_externalize_label_t           mpo_vnode_externalize_label;
  967         mpo_vnode_init_label_t                  mpo_vnode_init_label;
  968         mpo_vnode_internalize_label_t           mpo_vnode_internalize_label;
  969         mpo_vnode_relabel_t                     mpo_vnode_relabel;
  970         mpo_vnode_setlabel_extattr_t            mpo_vnode_setlabel_extattr;
  971 };
  972 
  973 /*
  974  * struct mac_policy_conf is the registration structure for policies, and is
  975  * provided to the MAC Framework using MAC_POLICY_SET() to invoke a SYSINIT
  976  * to register the policy.  In general, the fields are immutable, with the
  977  * exception of the "security field", run-time flags, and policy list entry,
  978  * which are managed by the MAC Framework.  Be careful when modifying this
  979  * structure, as its layout is statically compiled into all policies.
      *
      * MAC_POLICY_SET() (below) fills in mpc_name, mpc_fullname, mpc_ops,
      * mpc_loadtime_flags and mpc_field_off with designated initializers in
      * a static object, so every other member -- including
      * mpc_runtime_flags and the spares -- starts out zero.  The _mpc_spare*
      * members exist only to reserve space for future growth without an
      * ABI break.
  980  */
  981 struct mac_policy_conf {
              /* Short name (the stringified mpname argument to MAC_POLICY_SET). */
  982         char                            *mpc_name;      /* policy name */
  983         char                            *mpc_fullname;  /* policy full name */
              /* Entry-point table; see struct mac_policy_ops. */
  984         struct mac_policy_ops           *mpc_ops;       /* policy operations */
              /* MPC_LOADTIME_FLAG_* bits, supplied by the policy at registration. */
  985         int                              mpc_loadtime_flags;    /* flags */
              /* "Security field": an int the framework writes to (the policy
               * passes the pointer as privdata_wanted).  Presumably it receives
               * the label slot the policy later hands to mac_label_get/set;
               * confirm in the framework code. */
  986         int                             *mpc_field_off; /* security field */
              /* MPC_RUNTIME_FLAG_* bits; owned by the framework, not the policy. */
  987         int                              mpc_runtime_flags; /* flags */
  988         int                              _mpc_spare1;   /* Spare. */
  989         uint64_t                         _mpc_spare2;   /* Spare. */
  990         uint64_t                         _mpc_spare3;   /* Spare. */
  991         void                            *_mpc_spare4;   /* Spare. */
              /* Linkage into the framework's global policy list; framework-owned. */
  992         LIST_ENTRY(mac_policy_conf)      mpc_list;      /* global list */
  993 };
  994 
  995 /* Flags for the mpc_loadtime_flags field. */
      /* Set by the policy itself (the mpflags argument of MAC_POLICY_SET).
       * The names suggest NOTLATE forbids loading after boot and UNLOADOK
       * permits unloading; the semantics are enforced by the framework and
       * are not visible in this header -- see mac_policy(9). */
  996 #define MPC_LOADTIME_FLAG_NOTLATE       0x00000001
  997 #define MPC_LOADTIME_FLAG_UNLOADOK      0x00000002
  998 
  999 /* Flags for the mpc_runtime_flags field. */
      /* Framework-managed (see the comment on struct mac_policy_conf);
       * MAC_POLICY_SET() leaves the field zero, so REGISTERED starts clear. */
 1000 #define MPC_RUNTIME_FLAG_REGISTERED     0x00000001
 1001 
 1002 /*-
 1003  * The TrustedBSD MAC Framework has a major version number, MAC_VERSION,
 1004  * which defines the ABI of the Framework present in the kernel (and depended
 1005  * on by policy modules compiled against that kernel).  Currently,
 1006  * MAC_POLICY_SET() requires that the kernel and module ABI version numbers
 1007  * exactly match.  The following major versions have been defined to date:
 1008  *
 1009  *   MAC version             FreeBSD versions
 1010  *   1                       5.x
 1011  *   2                       6.x
 1012  *   3                       7.x
 1013  *   4                       8.x
      *
      * The exact-match requirement is implemented by MAC_POLICY_SET() passing
      * MAC_VERSION for all three version arguments of MODULE_DEPEND().  Any
      * change to struct mac_policy_ops or struct mac_policy_conf that alters
      * their layout must bump this number.
 1014  */
 1015 #define MAC_VERSION     4
 1016 
      /*
       * MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted)
       *
       * Registers a policy module.  Expands, at file scope, to:
       *   - a static struct mac_policy_conf named <mpname>_mac_policy_conf,
       *     with mpops -> mpc_ops, #mpname -> mpc_name, mpfullname ->
       *     mpc_fullname, mpflags -> mpc_loadtime_flags and privdata_wanted
       *     -> mpc_field_off (so privdata_wanted must be an int * that
       *     outlives the module);
       *   - a static moduledata_t named <mpname>_mod whose event handler is
       *     mac_policy_modevent() and whose private data is the conf struct;
       *   - MODULE_DEPEND() pinning the kernel_mac_support ABI to exactly
       *     MAC_VERSION, and DECLARE_MODULE() at SI_SUB_MAC_POLICY.
       * Both generated objects are static, so use the macro once per mpname
       * per translation unit.  The expansion ends without a semicolon; the
       * invocation supplies it.
       * NOTE(review): the moduledata_t initializer is positional and relies
       * on that struct's member order; the conf initializer right above it
       * uses designated initializers, which would be the more robust style
       * here too.
       */
 1017 #define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
 1018         static struct mac_policy_conf mpname##_mac_policy_conf = {      \
 1019                 .mpc_name = #mpname,                                    \
 1020                 .mpc_fullname = mpfullname,                             \
 1021                 .mpc_ops = mpops,                                       \
 1022                 .mpc_loadtime_flags = mpflags,                          \
 1023                 .mpc_field_off = privdata_wanted,                       \
 1024         };                                                              \
 1025         static moduledata_t mpname##_mod = {                            \
 1026                 #mpname,                                                \
 1027                 mac_policy_modevent,                                    \
 1028                 &mpname##_mac_policy_conf                               \
 1029         };                                                              \
 1030         MODULE_DEPEND(mpname, kernel_mac_support, MAC_VERSION,          \
 1031             MAC_VERSION, MAC_VERSION);                                  \
 1032         DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY,         \
 1033             SI_ORDER_MIDDLE)
 1034 
 1035 int     mac_policy_modevent(module_t mod, int type, void *data);
 1036 
 1037 /*
 1038  * Policy interface to map a struct label pointer to per-policy data.
 1039  * Typically, policies wrap this in their own accessor macro that casts a
 1040  * uintptr_t to a policy-specific data type.
 1041  */
      /*
       * mac_label_get() returns the intptr_t held in slot "slot" of label
       * "l"; mac_label_set() stores "v" there.  "slot" is the policy's own
       * slot index -- presumably the value the framework writes through
       * mpc_field_off at registration; confirm against the framework.
       * The framework stores only an integer-sized value: anything a policy
       * parks here that is really a pointer remains the policy's to
       * allocate, validate and free.  Whether a NULL "l" is tolerated is not
       * visible from the declarations; do not rely on it.
       */
 1042 intptr_t        mac_label_get(struct label *l, int slot);
 1043 void            mac_label_set(struct label *l, int slot, intptr_t v);
 1044 
 1045 #endif /* !_SECURITY_MAC_MAC_POLICY_H_ */

