


sys/security/mac/mac_policy.h


    1 /*-
    2  * Copyright (c) 1999-2002 Robert N. M. Watson
    3  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
    4  * Copyright (c) 2005-2006 SPARTA, Inc.
    5  * All rights reserved.
    6  *
    7  * This software was developed by Robert Watson for the TrustedBSD Project.
    8  *
    9  * This software was developed for the FreeBSD Project in part by Network
   10  * Associates Laboratories, the Security Research Division of Network
   11  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
   12  * as part of the DARPA CHATS research program.
   13  *
   14  * This software was enhanced by SPARTA ISSO under SPAWAR contract 
   15  * N66001-04-C-6019 ("SEFOS").
   16  *
   17  * Redistribution and use in source and binary forms, with or without
   18  * modification, are permitted provided that the following conditions
   19  * are met:
   20  * 1. Redistributions of source code must retain the above copyright
   21  *    notice, this list of conditions and the following disclaimer.
   22  * 2. Redistributions in binary form must reproduce the above copyright
   23  *    notice, this list of conditions and the following disclaimer in the
   24  *    documentation and/or other materials provided with the distribution.
   25  *
   26  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   36  * SUCH DAMAGE.
   37  *
   38  * $FreeBSD$
   39  */
   40 /*
   41  * Kernel interface for MAC policy modules.
   42  */
#ifndef _SECURITY_MAC_MAC_POLICY_H_
#define _SECURITY_MAC_MAC_POLICY_H_

/*
 * Kernel-only header.  Every entry point declared below is handed
 * kernel-internal objects (struct ucred, struct vnode, struct mbuf, ...)
 * by raw pointer, so nothing here is a userland interface; refuse to
 * compile outside the kernel rather than let a userland program build
 * against the policy ABI.
 */
#ifndef _KERNEL
#error "no user-serviceable parts inside"
#endif
   49 
   50 /*-
   51  * Pluggable access control policy definition structure.
   52  *
   53  * List of operations that are performed as part of the implementation of a
   54  * MAC policy.  Policy implementors declare operations in a mac_policy_ops
   55  * structure and register it using the MAC_POLICY_SET() macro.  If an entry
   56  * point is not declared, then the policy will be ignored during evaluation
   57  * of that
   58  *
   59  * Operations are sorted first by general class of operation, then
   60  * alphabetically.
   61  */
#include <sys/acl.h>    /* XXX acl_type_t */

/*
 * Opaque forward declarations.  The entry points below only ever take
 * these types by pointer, so no other kernel header has to be pulled in
 * here; <sys/acl.h> above is the one exception because acl_type_t is
 * passed by value.  Policies that need the object contents include the
 * owning subsystem's header themselves.
 */
struct acl;
struct auditinfo;
struct auditinfo_addr;
struct bpf_d;
struct cdev;
struct componentname;
struct devfs_dirent;
struct ifnet;
struct image_params;
struct inpcb;
struct ipq;
struct ksem;
struct label;
struct mac_policy_conf;
struct mbuf;
struct mount;
struct msg;
struct msqid_kernel;
struct pipepair;
struct proc;
struct sbuf;
struct semid_kernel;
struct shmid_kernel;
struct sockaddr;
struct socket;
struct sysctl_oid;
struct sysctl_req;
struct thread;
struct ucred;
struct uio;
struct vattr;
struct vnode;
   96 
/*
 * Policy module operations.
 *
 * mpc is the policy's own registration record.  Presumably init runs once
 * when the policy is registered and destroy once when it is unregistered;
 * confirm the exact ordering against the framework before relying on it.
 */
typedef void    (*mpo_destroy_t)(struct mac_policy_conf *mpc);
typedef void    (*mpo_init_t)(struct mac_policy_conf *mpc);

/*
 * General policy-directed security system call so that policies may
 * implement new services without reserving explicit system call numbers.
 *
 * Because this is reached through a system call, both call and arg are
 * chosen by the calling process.  A policy must validate call and treat
 * arg as a userland address (copyin(9)/copyout(9)), never dereference it
 * directly.  NOTE(review): the framework's syscall handler, not this
 * header, fixes the contract — confirm there.
 */
typedef int     (*mpo_syscall_t)(struct thread *td, int call, void *arg);

/*
 * Place-holder function pointers for ABI-compatibility purposes.
 * Reserved slots in mac_policy_ops: keeping them lets later entry points
 * be added without shifting the offsets of fields that already-built
 * policies were compiled against.
 */
typedef void    (*mpo_placeholder_t)(void);
  113 
/*
 * Label operations.  Initialize label storage, destroy label storage,
 * recycle for re-use without init/destroy, copy a label to initialized
 * storage, and externalize/internalize from/to initialized storage.
 *
 * Two init signatures exist.  The variants that take an int flag and
 * return int are the ones that may be called in contexts where
 * allocation can fail (inpcb, ipq, mbuf, socket, socket peer, syncache);
 * NOTE(review): flag is presumably the malloc(9) wait flag and the int
 * return an errno on allocation failure — confirm in the framework.  The
 * void variants are expected never to fail.
 */
typedef void    (*mpo_init_bpfdesc_label_t)(struct label *label);
typedef void    (*mpo_init_cred_label_t)(struct label *label);
typedef void    (*mpo_init_devfs_label_t)(struct label *label);
typedef void    (*mpo_init_ifnet_label_t)(struct label *label);
typedef int     (*mpo_init_inpcb_label_t)(struct label *label, int flag);
typedef void    (*mpo_init_sysv_msgmsg_label_t)(struct label *label);
typedef void    (*mpo_init_sysv_msgqueue_label_t)(struct label *label);
typedef void    (*mpo_init_sysv_sem_label_t)(struct label *label);
typedef void    (*mpo_init_sysv_shm_label_t)(struct label *label);
typedef int     (*mpo_init_ipq_label_t)(struct label *label, int flag);
typedef int     (*mpo_init_mbuf_label_t)(struct label *label, int flag);
typedef void    (*mpo_init_mount_label_t)(struct label *label);
typedef int     (*mpo_init_socket_label_t)(struct label *label, int flag);
typedef int     (*mpo_init_socket_peer_label_t)(struct label *label,
                    int flag);
typedef void    (*mpo_init_pipe_label_t)(struct label *label);
typedef void    (*mpo_init_posix_sem_label_t)(struct label *label);
typedef void    (*mpo_init_proc_label_t)(struct label *label);
typedef void    (*mpo_init_vnode_label_t)(struct label *label);
/*
 * Destroy releases whatever the matching init attached to the label;
 * a policy that allocates in init must free here or it leaks per object.
 */
typedef void    (*mpo_destroy_bpfdesc_label_t)(struct label *label);
typedef void    (*mpo_destroy_cred_label_t)(struct label *label);
typedef void    (*mpo_destroy_devfs_label_t)(struct label *label);
typedef void    (*mpo_destroy_ifnet_label_t)(struct label *label);
typedef void    (*mpo_destroy_inpcb_label_t)(struct label *label);
typedef void    (*mpo_destroy_sysv_msgmsg_label_t)(struct label *label);
typedef void    (*mpo_destroy_sysv_msgqueue_label_t)(struct label *label);
typedef void    (*mpo_destroy_sysv_sem_label_t)(struct label *label);
typedef void    (*mpo_destroy_sysv_shm_label_t)(struct label *label);
typedef void    (*mpo_destroy_ipq_label_t)(struct label *label);
typedef void    (*mpo_destroy_mbuf_label_t)(struct label *label);
typedef void    (*mpo_destroy_mount_label_t)(struct label *label);
typedef void    (*mpo_destroy_socket_label_t)(struct label *label);
typedef void    (*mpo_destroy_socket_peer_label_t)(struct label *label);
typedef void    (*mpo_destroy_pipe_label_t)(struct label *label);
typedef void    (*mpo_destroy_posix_sem_label_t)(struct label *label);
typedef void    (*mpo_destroy_proc_label_t)(struct label *label);
typedef void    (*mpo_destroy_vnode_label_t)(struct label *label);
/*
 * Cleanup resets a System V IPC label for re-use of the same object slot
 * without going through destroy/init; stale data left here would carry
 * over to the next owner of the slot.
 */
typedef void    (*mpo_cleanup_sysv_msgmsg_t)(struct label *msglabel);
typedef void    (*mpo_cleanup_sysv_msgqueue_t)(struct label *msqlabel);
typedef void    (*mpo_cleanup_sysv_sem_t)(struct label *semalabel);
typedef void    (*mpo_cleanup_sysv_shm_t)(struct label *shmlabel);
/*
 * Copy src into dest.  dest has already been through the matching init,
 * so any previous contents must be replaced, not merged.
 */
typedef void    (*mpo_copy_cred_label_t)(struct label *src,
                    struct label *dest);
typedef void    (*mpo_copy_ifnet_label_t)(struct label *src,
                    struct label *dest);
typedef void    (*mpo_copy_mbuf_label_t)(struct label *src,
                    struct label *dest);
typedef void    (*mpo_copy_pipe_label_t)(struct label *src,
                    struct label *dest);
typedef void    (*mpo_copy_socket_label_t)(struct label *src,
                    struct label *dest);
typedef void    (*mpo_copy_vnode_label_t)(struct label *src,
                    struct label *dest);
/*
 * Externalize: render the policy's part of label as text into sb when
 * element_name is one this policy owns, and record that in *claimed so
 * the framework can tell an unknown element from an empty one.  Return
 * an errno to abort the whole externalization.
 */
typedef int     (*mpo_externalize_cred_label_t)(struct label *label,
                    char *element_name, struct sbuf *sb, int *claimed);
typedef int     (*mpo_externalize_ifnet_label_t)(struct label *label,
                    char *element_name, struct sbuf *sb, int *claimed);
typedef int     (*mpo_externalize_pipe_label_t)(struct label *label,
                    char *element_name, struct sbuf *sb, int *claimed);
typedef int     (*mpo_externalize_socket_label_t)(struct label *label,
                    char *element_name, struct sbuf *sb, int *claimed);
typedef int     (*mpo_externalize_socket_peer_label_t)(struct label *label,
                    char *element_name, struct sbuf *sb, int *claimed);
typedef int     (*mpo_externalize_vnode_label_t)(struct label *label,
                    char *element_name, struct sbuf *sb, int *claimed);
/*
 * Internalize: parse element_data into label for an element_name this
 * policy owns, setting *claimed as for externalize.  element_data is text
 * that presumably originated in userland (copied into the kernel by the
 * framework before this is reached), so parse it with explicit bounds and
 * reject malformed input with an errno instead of leaving label partly
 * updated.
 */
typedef int     (*mpo_internalize_cred_label_t)(struct label *label,
                    char *element_name, char *element_data, int *claimed);
typedef int     (*mpo_internalize_ifnet_label_t)(struct label *label,
                    char *element_name, char *element_data, int *claimed);
typedef int     (*mpo_internalize_pipe_label_t)(struct label *label,
                    char *element_name, char *element_data, int *claimed);
typedef int     (*mpo_internalize_socket_label_t)(struct label *label,
                    char *element_name, char *element_data, int *claimed);
typedef int     (*mpo_internalize_vnode_label_t)(struct label *label,
                    char *element_name, char *element_data, int *claimed);
  194 
/*
 * Labeling event operations: file system objects, and things that look a lot
 * like file system objects.
 *
 * These are notifications, not checks: the object already exists and the
 * policy derives or stores its label.  Only the extattr variants return
 * int, because reading or writing a label from/to extended attributes on
 * the backing store can fail.
 */
/* Derive vp's label from the devfs directory entry de it was created for. */
typedef void    (*mpo_associate_vnode_devfs_t)(struct mount *mp,
                    struct label *mplabel, struct devfs_dirent *de,
                    struct label *delabel, struct vnode *vp,
                    struct label *vplabel);
/* Load vp's label from its extended attributes; errno on failure. */
typedef int     (*mpo_associate_vnode_extattr_t)(struct mount *mp,
                    struct label *mplabel, struct vnode *vp,
                    struct label *vplabel);
/* File system without per-file labels: vp inherits from the mount. */
typedef void    (*mpo_associate_vnode_singlelabel_t)(struct mount *mp,
                    struct label *mplabel, struct vnode *vp,
                    struct label *vplabel);
typedef void    (*mpo_create_devfs_device_t)(struct ucred *cred,
                    struct mount *mp, struct cdev *dev,
                    struct devfs_dirent *de, struct label *delabel);
/*
 * dirname is accompanied by an explicit dirnamelen; treat it as
 * length-delimited, NUL termination is not implied by this signature.
 */
typedef void    (*mpo_create_devfs_directory_t)(struct mount *mp,
                    char *dirname, int dirnamelen, struct devfs_dirent *de,
                    struct label *delabel);
typedef void    (*mpo_create_devfs_symlink_t)(struct ucred *cred,
                    struct mount *mp, struct devfs_dirent *dd,
                    struct label *ddlabel, struct devfs_dirent *de,
                    struct label *delabel);
/*
 * New file vp created in dvp by cred: choose its label and persist it to
 * extended attributes; errno on failure.
 */
typedef int     (*mpo_create_vnode_extattr_t)(struct ucred *cred,
                    struct mount *mp, struct label *mplabel,
                    struct vnode *dvp, struct label *dvplabel,
                    struct vnode *vp, struct label *vplabel,
                    struct componentname *cnp);
typedef void    (*mpo_create_mount_t)(struct ucred *cred, struct mount *mp,
                    struct label *mplabel);
/* Apply the already-approved label to vp's in-memory label vplabel. */
typedef void    (*mpo_relabel_vnode_t)(struct ucred *cred, struct vnode *vp,
                    struct label *vplabel, struct label *label);
/* Persist intlabel to vp's extended attributes; errno on failure. */
typedef int     (*mpo_setlabel_vnode_extattr_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    struct label *intlabel);
typedef void    (*mpo_update_devfs_t)(struct mount *mp,
                    struct devfs_dirent *de, struct label *delabel,
                    struct vnode *vp, struct label *vplabel);
/*
 * Labeling event operations: IPC objects.
 *
 * Notifications that let the policy propagate labels between sockets,
 * pipes and the mbufs that flow through them.
 */
/* Outbound data: label m from the sending socket so. */
typedef void    (*mpo_create_mbuf_from_socket_t)(struct socket *so,
                    struct label *solabel, struct mbuf *m,
                    struct label *mlabel);
/* Fresh socket created by cred. */
typedef void    (*mpo_create_socket_t)(struct ucred *cred, struct socket *so,
                    struct label *solabel);
/* newso was derived from oldso (e.g. accept); label it accordingly. */
typedef void    (*mpo_create_socket_from_socket_t)(struct socket *oldso,
                    struct label *oldsolabel, struct socket *newso,
                    struct label *newsolabel);
/* Apply an already-approved newlabel; oldlabel is the current one. */
typedef void    (*mpo_relabel_socket_t)(struct ucred *cred, struct socket *so,
                    struct label *oldlabel, struct label *newlabel);
typedef void    (*mpo_relabel_pipe_t)(struct ucred *cred, struct pipepair *pp,
                    struct label *oldlabel, struct label *newlabel);
/* Record the remote end's label on so from the first mbuf received. */
typedef void    (*mpo_set_socket_peer_from_mbuf_t)(struct mbuf *m,
                    struct label *mlabel, struct socket *so,
                    struct label *sopeerlabel);
/* Record the remote end's label on newso from the local peer socket. */
typedef void    (*mpo_set_socket_peer_from_socket_t)(struct socket *oldso,
                    struct label *oldsolabel, struct socket *newso,
                    struct label *newsopeerlabel);
typedef void    (*mpo_create_pipe_t)(struct ucred *cred, struct pipepair *pp,
                    struct label *pplabel);
/*
 * Labeling event operations: System V IPC primitives.
 *
 * Each object is labeled from the creating credential cred.  A message
 * additionally sees the queue it is being placed on (msqkptr/msqlabel).
 */
typedef void    (*mpo_create_sysv_msgmsg_t)(struct ucred *cred,
                    struct msqid_kernel *msqkptr, struct label *msqlabel,
                    struct msg *msgptr, struct label *msglabel);
typedef void    (*mpo_create_sysv_msgqueue_t)(struct ucred *cred,
                    struct msqid_kernel *msqkptr, struct label *msqlabel);
typedef void    (*mpo_create_sysv_sem_t)(struct ucred *cred,
                    struct semid_kernel *semakptr, struct label *semalabel);
typedef void    (*mpo_create_sysv_shm_t)(struct ucred *cred,
                    struct shmid_kernel *shmsegptr, struct label *shmlabel);

/*
 * Labeling event operations: POSIX (global/inter-process) semaphores.
 */
typedef void    (*mpo_create_posix_sem_t)(struct ucred *cred,
                    struct ksem *ks, struct label *kslabel);
/*
 * Labeling event operations: network objects.
 *
 * Most of these carry a label from the object a packet came from (ifnet,
 * inpcb, bpf descriptor, parent mbuf, reassembly queue) onto the new
 * object.  Only mpo_fragment_match_t returns a value.
 */
typedef void    (*mpo_create_bpfdesc_t)(struct ucred *cred,
                    struct bpf_d *d, struct label *dlabel);
/* No credential: interfaces are created by the kernel, not a process. */
typedef void    (*mpo_create_ifnet_t)(struct ifnet *ifp,
                    struct label *ifplabel);
typedef void    (*mpo_create_inpcb_from_socket_t)(struct socket *so,
                    struct label *solabel, struct inpcb *inp,
                    struct label *inplabel);
/* A new reassembly queue q is opened by the first fragment m. */
typedef void    (*mpo_create_ipq_t)(struct mbuf *m, struct label *mlabel,
                    struct ipq *q, struct label *qlabel);
/*
 * NOTE(review): this is the one typedef without the _t suffix (and with
 * the declarator wrapped onto the next line).  The name is part of the
 * published interface, so it is kept as-is rather than renamed here.
 */
typedef void    (*mpo_create_datagram_from_ipq)
                    (struct ipq *q, struct label *qlabel, struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_create_fragment_t)(struct mbuf *m,
                    struct label *mlabel, struct mbuf *frag,
                    struct label *fraglabel);
typedef void    (*mpo_create_mbuf_from_inpcb_t)(struct inpcb *inp,
                    struct label *inplabel, struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_create_mbuf_linklayer_t)(struct ifnet *ifp,
                    struct label *ifplabel, struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_create_mbuf_from_bpfdesc_t)(struct bpf_d *d,
                    struct label *dlabel, struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_create_mbuf_from_ifnet_t)(struct ifnet *ifp,
                    struct label *ifplabel, struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_create_mbuf_multicast_encap_t)(struct mbuf *m,
                    struct label *mlabel, struct ifnet *ifp,
                    struct label *ifplabel, struct mbuf *mnew,
                    struct label *mnewlabel);
typedef void    (*mpo_create_mbuf_netlayer_t)(struct mbuf *m,
                    struct label *mlabel, struct mbuf *mnew,
                    struct label *mnewlabel);
/*
 * Decide whether fragment m may join reassembly queue q.  Presumably
 * nonzero means "matches"; a policy that keys on the queue's label here
 * is what stops fragments of differently-labeled datagrams from being
 * spliced together.  Confirm the return convention in the framework.
 */
typedef int     (*mpo_fragment_match_t)(struct mbuf *m, struct label *mlabel,
                    struct ipq *q, struct label *qlabel);
/* m is being reused in place for an ICMP/TCP reply; relabel it for that. */
typedef void    (*mpo_reflect_mbuf_icmp_t)(struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_reflect_mbuf_tcp_t)(struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_relabel_ifnet_t)(struct ucred *cred, struct ifnet *ifp,
                    struct label *ifplabel, struct label *newlabel);
/* Another fragment m arrived for an existing queue ipq. */
typedef void    (*mpo_update_ipq_t)(struct mbuf *m, struct label *mlabel,
                    struct ipq *ipq, struct label *ipqlabel);
/* Socket so was relabeled to label; mirror that onto its inpcb. */
typedef void    (*mpo_inpcb_sosetlabel_t)(struct socket *so,
                    struct label *label, struct inpcb *inp,
                    struct label *inplabel);

/*
 * Labeling event operations: firewall-originated mbufs and the TCP
 * syncache.  These have no owning inpcb or socket at the time the mbuf
 * is built, so the policy gets either no source label (firewall) or a
 * syncache label derived earlier from the listening inpcb.
 */
typedef void    (*mpo_create_mbuf_from_firewall_t)(struct mbuf *m,
                    struct label *label);
typedef void    (*mpo_destroy_syncache_label_t)(struct label *label);
typedef int     (*mpo_init_syncache_label_t)(struct label *label, int flag);
typedef void    (*mpo_init_syncache_from_inpcb_t)(struct label *label,
                    struct inpcb *inp);
typedef void    (*mpo_create_mbuf_from_syncache_t)(struct label *sc_label,
                    struct mbuf *m, struct label *mlabel);
/*
 * Labeling event operations: processes.
 */
/*
 * Perform a label transition on exec: old is the credential before exec,
 * new the copy the kernel will install.  vp/vplabel is the image being
 * executed, interpvnodelabel the interpreter's label when one is used,
 * and execlabel the label explicitly requested for the exec.
 */
typedef void    (*mpo_execve_transition_t)(struct ucred *old,
                    struct ucred *new, struct vnode *vp,
                    struct label *vplabel, struct label *interpvnodelabel,
                    struct image_params *imgp, struct label *execlabel);
/*
 * Same inputs, asked ahead of time; presumably nonzero means this policy
 * will change the credential, so the kernel must allocate a fresh one
 * before calling mpo_execve_transition_t.
 */
typedef int     (*mpo_execve_will_transition_t)(struct ucred *old,
                    struct vnode *vp, struct label *vplabel,
                    struct label *interpvnodelabel,
                    struct image_params *imgp, struct label *execlabel);
/* Label the credentials of the kernel's first two processes at boot. */
typedef void    (*mpo_create_proc0_t)(struct ucred *cred);
typedef void    (*mpo_create_proc1_t)(struct ucred *cred);
/* Apply an already-approved newlabel to cred. */
typedef void    (*mpo_relabel_cred_t)(struct ucred *cred,
                    struct label *newlabel);
/* Hook on a thread's return to userland (from the name; confirm). */
typedef void    (*mpo_thread_userret_t)(struct thread *thread);
/*
 * Access control checks.
 *
 * Each check is consulted before the kernel performs the operation and
 * returns int: per the MAC framework convention, 0 permits and a nonzero
 * errno denies (confirm in the framework).  A policy that leaves a check
 * undeclared is simply not consulted for it, so a policy meant to enforce
 * a default-deny posture has to implement every check it cares about
 * rather than rely on an unset slot.  The subject is cred where present;
 * checks without a cred run in a network path with no process context.
 */
typedef int     (*mpo_check_bpfdesc_receive_t)(struct bpf_d *d,
                    struct label *dlabel, struct ifnet *ifp,
                    struct label *ifplabel);
typedef int     (*mpo_check_cred_relabel_t)(struct ucred *cred,
                    struct label *newlabel);
/* May the process holding cr1 observe the one holding cr2? */
typedef int     (*mpo_check_cred_visible_t)(struct ucred *cr1,
                    struct ucred *cr2);
typedef int     (*mpo_check_ifnet_relabel_t)(struct ucred *cred,
                    struct ifnet *ifp, struct label *ifplabel,
                    struct label *newlabel);
typedef int     (*mpo_check_ifnet_transmit_t)(struct ifnet *ifp,
                    struct label *ifplabel, struct mbuf *m,
                    struct label *mlabel);
typedef int     (*mpo_check_inpcb_deliver_t)(struct inpcb *inp,
                    struct label *inplabel, struct mbuf *m,
                    struct label *mlabel);
typedef int     (*mpo_check_inpcb_visible_t)(struct ucred *cred,
                    struct inpcb *inp, struct label *inplabel);
/* Placing message msgptr on queue msqkptr: both labels are available. */
typedef int     (*mpo_check_sysv_msgmsq_t)(struct ucred *cred,
                    struct msg *msgptr, struct label *msglabel,
                    struct msqid_kernel *msqkptr, struct label *msqklabel);
typedef int     (*mpo_check_sysv_msgrcv_t)(struct ucred *cred,
                    struct msg *msgptr, struct label *msglabel);
typedef int     (*mpo_check_sysv_msgrmid_t)(struct ucred *cred,
                    struct msg *msgptr, struct label *msglabel);
typedef int     (*mpo_check_sysv_msqget_t)(struct ucred *cred,
                    struct msqid_kernel *msqkptr, struct label *msqklabel);
typedef int     (*mpo_check_sysv_msqsnd_t)(struct ucred *cred,
                    struct msqid_kernel *msqkptr, struct label *msqklabel);
typedef int     (*mpo_check_sysv_msqrcv_t)(struct ucred *cred,
                    struct msqid_kernel *msqkptr, struct label *msqklabel);
/* cmd is the user-requested control operation; deny by cmd where needed. */
typedef int     (*mpo_check_sysv_msqctl_t)(struct ucred *cred,
                    struct msqid_kernel *msqkptr, struct label *msqklabel,
                    int cmd);
typedef int     (*mpo_check_sysv_semctl_t)(struct ucred *cred,
                    struct semid_kernel *semakptr, struct label *semaklabel,
                    int cmd);
typedef int     (*mpo_check_sysv_semget_t)(struct ucred *cred,
                    struct semid_kernel *semakptr, struct label *semaklabel);
/* accesstype summarizes the requested semaphore operations (confirm bits). */
typedef int     (*mpo_check_sysv_semop_t)(struct ucred *cred,
                    struct semid_kernel *semakptr, struct label *semaklabel,
                    size_t accesstype);
/* shmflg is the caller's attach/get flags; carries the read-only request. */
typedef int     (*mpo_check_sysv_shmat_t)(struct ucred *cred,
                    struct shmid_kernel *shmsegptr,
                    struct label *shmseglabel, int shmflg);
typedef int     (*mpo_check_sysv_shmctl_t)(struct ucred *cred,
                    struct shmid_kernel *shmsegptr,
                    struct label *shmseglabel, int cmd);
typedef int     (*mpo_check_sysv_shmdt_t)(struct ucred *cred,
                    struct shmid_kernel *shmsegptr,
                    struct label *shmseglabel);
typedef int     (*mpo_check_sysv_shmget_t)(struct ucred *cred,
                    struct shmid_kernel *shmsegptr,
                    struct label *shmseglabel, int shmflg);
/*
 * Kernel environment: name and value are the caller-chosen strings
 * (presumably already copied into kernel memory by the framework).  The
 * environment is a trust boundary, so setting/unsetting deserves at least
 * the scrutiny of kld loading.
 */
typedef int     (*mpo_check_kenv_dump_t)(struct ucred *cred);
typedef int     (*mpo_check_kenv_get_t)(struct ucred *cred, char *name);
typedef int     (*mpo_check_kenv_set_t)(struct ucred *cred, char *name,
                    char *value);
typedef int     (*mpo_check_kenv_unset_t)(struct ucred *cred, char *name);
/* Loading vp as a kernel module: this is the gate on adding kernel code. */
typedef int     (*mpo_check_kld_load_t)(struct ucred *cred, struct vnode *vp,
                    struct label *vplabel);
typedef int     (*mpo_check_kld_stat_t)(struct ucred *cred);
/*
 * Reserved slots kept for ABI compatibility (see mpo_placeholder_t).  The
 * doubled "mpo_mpo_" prefix is part of the published names and so cannot
 * be tidied without breaking policies that spell them out.
 */
typedef int     (*mpo_mpo_placeholder19_t)(void);
typedef int     (*mpo_mpo_placeholder20_t)(void);
typedef int     (*mpo_check_mount_stat_t)(struct ucred *cred,
                    struct mount *mp, struct label *mplabel);
typedef int     (*mpo_mpo_placeholder21_t)(void);
/*
 * Pipe checks.  For ioctl, cmd and data are the caller's request;
 * data is whatever the ioctl path hands down, so treat it as untrusted
 * and do not dereference it without knowing the command's contract.
 */
typedef int     (*mpo_check_pipe_ioctl_t)(struct ucred *cred,
                    struct pipepair *pp, struct label *pplabel,
                    unsigned long cmd, void *data);
typedef int     (*mpo_check_pipe_poll_t)(struct ucred *cred,
                    struct pipepair *pp, struct label *pplabel);
typedef int     (*mpo_check_pipe_read_t)(struct ucred *cred,
                    struct pipepair *pp, struct label *pplabel);
typedef int     (*mpo_check_pipe_relabel_t)(struct ucred *cred,
                    struct pipepair *pp, struct label *pplabel,
                    struct label *newlabel);
typedef int     (*mpo_check_pipe_stat_t)(struct ucred *cred,
                    struct pipepair *pp, struct label *pplabel);
typedef int     (*mpo_check_pipe_write_t)(struct ucred *cred,
                    struct pipepair *pp, struct label *pplabel);
/* POSIX semaphore checks: one per operation on the named semaphore ks. */
typedef int     (*mpo_check_posix_sem_destroy_t)(struct ucred *cred,
                    struct ksem *ks, struct label *kslabel);
typedef int     (*mpo_check_posix_sem_getvalue_t)(struct ucred *cred,
                    struct ksem *ks, struct label *kslabel);
typedef int     (*mpo_check_posix_sem_open_t)(struct ucred *cred,
                    struct ksem *ks, struct label *kslabel);
typedef int     (*mpo_check_posix_sem_post_t)(struct ucred *cred,
                    struct ksem *ks, struct label *kslabel);
typedef int     (*mpo_check_posix_sem_unlink_t)(struct ucred *cred,
                    struct ksem *ks, struct label *kslabel);
typedef int     (*mpo_check_posix_sem_wait_t)(struct ucred *cred,
                    struct ksem *ks, struct label *kslabel);
/*
 * Process checks.  cred is the acting subject; p/proc is the target
 * process for debug, sched, signal and wait.  Debug is the ptrace-style
 * attach gate and is the usual place a policy prevents a lower-integrity
 * process from reading or controlling a higher-integrity one.
 */
typedef int     (*mpo_check_proc_debug_t)(struct ucred *cred,
                    struct proc *p);
typedef int     (*mpo_check_proc_sched_t)(struct ucred *cred,
                    struct proc *p);
/* Audit-state changes on the caller's own process. */
typedef int     (*mpo_check_proc_setaudit_t)(struct ucred *cred,
                    struct auditinfo *ai);
typedef int     (*mpo_check_proc_setaudit_addr_t)(struct ucred *cred,
                    struct auditinfo_addr *aia);
typedef int     (*mpo_check_proc_setauid_t)(struct ucred *cred, uid_t auid);
/*
 * Identity changes.  The ids are the values the caller asked for, so a
 * policy can constrain which transitions are allowed independently of
 * the classic superuser checks.
 */
typedef int     (*mpo_check_proc_setuid_t)(struct ucred *cred, uid_t uid);
typedef int     (*mpo_check_proc_seteuid_t)(struct ucred *cred, uid_t euid);
typedef int     (*mpo_check_proc_setgid_t)(struct ucred *cred, gid_t gid);
typedef int     (*mpo_check_proc_setegid_t)(struct ucred *cred, gid_t egid);
/* gidset holds ngroups entries; index only within that count. */
typedef int     (*mpo_check_proc_setgroups_t)(struct ucred *cred, int ngroups,
                    gid_t *gidset);
typedef int     (*mpo_check_proc_setreuid_t)(struct ucred *cred, uid_t ruid,
                    uid_t euid);
typedef int     (*mpo_check_proc_setregid_t)(struct ucred *cred, gid_t rgid,
                    gid_t egid);
typedef int     (*mpo_check_proc_setresuid_t)(struct ucred *cred, uid_t ruid,
                    uid_t euid, uid_t suid);
typedef int     (*mpo_check_proc_setresgid_t)(struct ucred *cred, gid_t rgid,
                    gid_t egid, gid_t sgid);
/* signum is the signal being delivered to proc. */
typedef int     (*mpo_check_proc_signal_t)(struct ucred *cred,
                    struct proc *proc, int signum);
typedef int     (*mpo_check_proc_wait_t)(struct ucred *cred,
                    struct proc *proc);
/*
 * Socket checks.  bind/connect also see the address sa the caller gave;
 * create runs before any socket or label exists and so only sees the
 * requested domain/type/protocol; deliver has no cred because it runs in
 * the inbound packet path.
 */
typedef int     (*mpo_check_socket_accept_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
typedef int     (*mpo_check_socket_bind_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel,
                    struct sockaddr *sa);
typedef int     (*mpo_check_socket_connect_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel,
                    struct sockaddr *sa);
typedef int     (*mpo_check_socket_create_t)(struct ucred *cred, int domain,
                    int type, int protocol);
typedef int     (*mpo_check_socket_deliver_t)(struct socket *so,
                    struct label *solabel, struct mbuf *m,
                    struct label *mlabel);
typedef int     (*mpo_check_socket_listen_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
typedef int     (*mpo_check_socket_poll_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
typedef int     (*mpo_check_socket_receive_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
typedef int     (*mpo_check_socket_relabel_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel,
                    struct label *newlabel);
typedef int     (*mpo_check_socket_send_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
typedef int     (*mpo_check_socket_stat_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
typedef int     (*mpo_check_socket_visible_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
  505 typedef int     (*mpo_check_system_acct_t)(struct ucred *cred,
  506                     struct vnode *vp, struct label *vplabel);
  507 typedef int     (*mpo_check_system_audit_t)(struct ucred *cred, void *record,
  508                     int length);
  509 typedef int     (*mpo_check_system_auditctl_t)(struct ucred *cred,
  510                     struct vnode *vp, struct label *vplabel);
  511 typedef int     (*mpo_check_system_auditon_t)(struct ucred *cred, int cmd);
  512 typedef int     (*mpo_check_system_reboot_t)(struct ucred *cred, int howto);
  513 typedef int     (*mpo_check_system_swapon_t)(struct ucred *cred,
  514                     struct vnode *vp, struct label *vplabel);
  515 typedef int     (*mpo_check_system_swapoff_t)(struct ucred *cred,
  516                     struct vnode *vp, struct label *vplabel);
  517 typedef int     (*mpo_check_system_sysctl_t)(struct ucred *cred,
  518                     struct sysctl_oid *oidp, void *arg1, int arg2,
  519                     struct sysctl_req *req);
/*
 * Vnode access control checks.  Unless noted, cred is the acting
 * credential, vp/vplabel the object being checked and dvp/dvplabel the
 * directory involved.  Results follow the MAC check convention (0 permits,
 * errno denies; defined by the Framework, not in this header).  The
 * system-call mapping in the comments is inferred from the names.
 */
/* access(2)-style probe; acc_mode carries the requested access bits. */
typedef int     (*mpo_check_vnode_access_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel, int acc_mode);
/* chdir(2) and chroot(2) into directory dvp. */
typedef int     (*mpo_check_vnode_chdir_t)(struct ucred *cred,
                    struct vnode *dvp, struct label *dvplabel);
typedef int     (*mpo_check_vnode_chroot_t)(struct ucred *cred,
                    struct vnode *dvp, struct label *dvplabel);
/* Create a new entry named by cnp in dvp with the requested attributes vap. */
typedef int     (*mpo_check_vnode_create_t)(struct ucred *cred,
                    struct vnode *dvp, struct label *dvplabel,
                    struct componentname *cnp, struct vattr *vap);
/* Remove the ACL of the given type from vp. */
typedef int     (*mpo_check_vnode_deleteacl_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    acl_type_t type);
/*
 * Extended attribute checks: attrnamespace selects the namespace and name
 * is a C string naming the attribute.
 */
typedef int     (*mpo_check_vnode_deleteextattr_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    int attrnamespace, const char *name);
/*
 * execve(2) of vp: imgp describes the image being executed and execlabel
 * a label requested for the new process (presumably NULL when none was
 * requested — confirm with the Framework before dereferencing it).
 */
typedef int     (*mpo_check_vnode_exec_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    struct image_params *imgp, struct label *execlabel);
/* Read the ACL of the given type from vp. */
typedef int     (*mpo_check_vnode_getacl_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    acl_type_t type);
/* Read extended attribute name; uio describes the destination buffer. */
typedef int     (*mpo_check_vnode_getextattr_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    int attrnamespace, const char *name, struct uio *uio);
/*
 * Vnode checks, continued.  System-call mapping in the comments is inferred
 * from the entry point names.
 */
/* link(2): create entry cnp in directory dvp referring to existing vp. */
typedef int     (*mpo_check_vnode_link_t)(struct ucred *cred,
                    struct vnode *dvp, struct label *dvplabel,
                    struct vnode *vp, struct label *vplabel,
                    struct componentname *cnp);
/* List the extended attributes of vp in namespace attrnamespace. */
typedef int     (*mpo_check_vnode_listextattr_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    int attrnamespace);
/* Name lookup of component cnp within directory dvp. */
typedef int     (*mpo_check_vnode_lookup_t)(struct ucred *cred,
                    struct vnode *dvp, struct label *dvplabel,
                    struct componentname *cnp);
/*
 * mmap(2) of vp with protection prot and mapping flags.  Note that the
 * label parameter is named "label" here rather than "vplabel" as in the
 * other vnode checks; by position it is presumably the vnode's label.
 */
typedef int     (*mpo_check_vnode_mmap_t)(struct ucred *cred,
                    struct vnode *vp, struct label *label, int prot,
                    int flags);
/*
 * Unlike the other checks this returns void: prot is an in/out parameter
 * through which a policy can narrow the protection of an mmap(2) that is
 * otherwise allowed (presumably by clearing bits — confirm with the
 * Framework's caller).  It cannot deny the mapping outright.
 */
typedef void    (*mpo_check_vnode_mmap_downgrade_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel, int *prot);
/* mprotect(2) to prot on a mapping backed by vp. */
typedef int     (*mpo_check_vnode_mprotect_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel, int prot);
/* open(2) of vp; acc_mode carries the requested access bits. */
typedef int     (*mpo_check_vnode_open_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel, int acc_mode);
/*
 * Descriptor-based operations carry two credentials: active_cred is the
 * credential of the thread making the call and file_cred the one recorded
 * on the open file (by FreeBSD convention — confirm with the callers).  A
 * policy must decide explicitly which of the two its decision is based on.
 */
typedef int     (*mpo_check_vnode_poll_t)(struct ucred *active_cred,
                    struct ucred *file_cred, struct vnode *vp,
                    struct label *vplabel);
typedef int     (*mpo_check_vnode_read_t)(struct ucred *active_cred,
                    struct ucred *file_cred, struct vnode *vp,
                    struct label *vplabel);
/*
 * Vnode checks, continued.  System-call mapping in the comments is inferred
 * from the entry point names.
 */
/* readdir(2) on directory dvp. */
typedef int     (*mpo_check_vnode_readdir_t)(struct ucred *cred,
                    struct vnode *dvp, struct label *dvplabel);
/* readlink(2) on symlink vp. */
typedef int     (*mpo_check_vnode_readlink_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel);
/* Relabel vp from vplabel to the proposed newlabel. */
typedef int     (*mpo_check_vnode_relabel_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    struct label *newlabel);
/*
 * rename(2) is checked in two halves.  rename_from covers removing entry
 * cnp (vnode vp) from the source directory dvp; rename_to covers creating
 * entry cnp in the destination directory dvp, where vp is an existing
 * target being replaced (presumably NULL, with vplabel NULL, when there is
 * none — confirm with the Framework before dereferencing) and samedir is
 * non-zero when source and destination directories are the same.
 */
typedef int     (*mpo_check_vnode_rename_from_t)(struct ucred *cred,
                    struct vnode *dvp, struct label *dvplabel,
                    struct vnode *vp, struct label *vplabel,
                    struct componentname *cnp);
typedef int     (*mpo_check_vnode_rename_to_t)(struct ucred *cred,
                    struct vnode *dvp, struct label *dvplabel,
                    struct vnode *vp, struct label *vplabel, int samedir,
                    struct componentname *cnp);
/* revoke(2) on vp. */
typedef int     (*mpo_check_vnode_revoke_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel);
/* Set the ACL of the given type on vp to acl. */
typedef int     (*mpo_check_vnode_setacl_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel, acl_type_t type,
                    struct acl *acl);
/* Write extended attribute name; uio describes the source data. */
typedef int     (*mpo_check_vnode_setextattr_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    int attrnamespace, const char *name, struct uio *uio);
/*
 * Vnode checks, continued.  System-call mapping in the comments is inferred
 * from the entry point names.
 */
/* chflags(2): set vp's file flags to flags. */
typedef int     (*mpo_check_vnode_setflags_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel, u_long flags);
/* chmod(2): set vp's mode to mode. */
typedef int     (*mpo_check_vnode_setmode_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel, mode_t mode);
/* chown(2): set vp's owner and group to uid/gid. */
typedef int     (*mpo_check_vnode_setowner_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel, uid_t uid,
                    gid_t gid);
/* utimes(2): set access and modification times; both passed by value. */
typedef int     (*mpo_check_vnode_setutimes_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    struct timespec atime, struct timespec mtime);
/*
 * Descriptor-based operations carry two credentials: active_cred is the
 * credential of the calling thread and file_cred the one recorded on the
 * open file (by FreeBSD convention — confirm with the callers).  A policy
 * must decide explicitly which of the two its decision is based on.
 */
typedef int     (*mpo_check_vnode_stat_t)(struct ucred *active_cred,
                    struct ucred *file_cred, struct vnode *vp,
                    struct label *vplabel);
/* unlink(2): remove entry cnp (vnode vp) from directory dvp. */
typedef int     (*mpo_check_vnode_unlink_t)(struct ucred *cred,
                    struct vnode *dvp, struct label *dvplabel,
                    struct vnode *vp, struct label *vplabel,
                    struct componentname *cnp);
typedef int     (*mpo_check_vnode_write_t)(struct ucred *active_cred,
                    struct ucred *file_cred, struct vnode *vp,
                    struct label *vplabel);
/*
 * Label the credential used by the NFS server (void: a labeling event, not
 * a check).  Inferred from the name; confirm with the caller.
 */
typedef void    (*mpo_associate_nfsd_label_t)(struct ucred *cred);
/*
 * Privilege entry points: priv identifies the privilege requested by cred.
 * Both carry the same arguments and return int, so the difference lies in
 * how the Framework interprets the result — presumably priv_check lets a
 * policy deny a privilege that would otherwise be allowed, and priv_grant
 * lets it grant one that would otherwise be refused.  Confirm with the
 * Framework before implementing either; a permissive priv_grant widens
 * the kernel's privilege model.
 */
typedef int     (*mpo_priv_check_t)(struct ucred *cred, int priv);
typedef int     (*mpo_priv_grant_t)(struct ucred *cred, int priv);
  615 
/*
 * struct mac_policy_ops is the table of entry points a policy exposes to
 * the MAC Framework (referenced from mpc_ops in struct mac_policy_conf).
 * The _mpo_placeholderN members appear to reserve slots so that the
 * positions of the members after them stay fixed; newer entry points are
 * appended at the end for the same reason.  Since every policy module is
 * compiled against this layout, adding, removing or reordering a member is
 * an ABI change and calls for a MAC_VERSION bump.
 */
struct mac_policy_ops {
        /*
         * Policy module operations.
         */
        mpo_destroy_t                           mpo_destroy;
        mpo_init_t                              mpo_init;

        /*
         * General policy-directed security system call so that policies may
         * implement new services without reserving explicit system call
         * numbers.  Its typedef is earlier in this file; whatever arguments
         * it receives from userland are validated by the policy alone.
         */
        mpo_syscall_t                           mpo_syscall;

        /*
         * Label operations.  Initialize label storage, destroy label
         * storage, recycle for re-use without init/destroy, copy a label to
         * initialized storage, and externalize/internalize from/to
         * initialized storage.
         */
        mpo_init_bpfdesc_label_t                mpo_init_bpfdesc_label;
        mpo_init_cred_label_t                   mpo_init_cred_label;
        mpo_init_devfs_label_t                  mpo_init_devfs_label;
        mpo_placeholder_t                       _mpo_placeholder0;
        mpo_init_ifnet_label_t                  mpo_init_ifnet_label;
        mpo_init_inpcb_label_t                  mpo_init_inpcb_label;
        mpo_init_sysv_msgmsg_label_t            mpo_init_sysv_msgmsg_label;
        mpo_init_sysv_msgqueue_label_t          mpo_init_sysv_msgqueue_label;
        mpo_init_sysv_sem_label_t               mpo_init_sysv_sem_label;
        mpo_init_sysv_shm_label_t               mpo_init_sysv_shm_label;
        mpo_init_ipq_label_t                    mpo_init_ipq_label;
        mpo_init_mbuf_label_t                   mpo_init_mbuf_label;
        mpo_init_mount_label_t                  mpo_init_mount_label;
        mpo_init_socket_label_t                 mpo_init_socket_label;
        mpo_init_socket_peer_label_t            mpo_init_socket_peer_label;
        mpo_init_pipe_label_t                   mpo_init_pipe_label;
        mpo_init_posix_sem_label_t              mpo_init_posix_sem_label;
        mpo_init_proc_label_t                   mpo_init_proc_label;
        mpo_init_vnode_label_t                  mpo_init_vnode_label;
        mpo_destroy_bpfdesc_label_t             mpo_destroy_bpfdesc_label;
        mpo_destroy_cred_label_t                mpo_destroy_cred_label;
        mpo_destroy_devfs_label_t               mpo_destroy_devfs_label;
        mpo_placeholder_t                       _mpo_placeholder1;
        mpo_destroy_ifnet_label_t               mpo_destroy_ifnet_label;
        mpo_destroy_inpcb_label_t               mpo_destroy_inpcb_label;
        mpo_destroy_sysv_msgmsg_label_t         mpo_destroy_sysv_msgmsg_label;
        mpo_destroy_sysv_msgqueue_label_t       mpo_destroy_sysv_msgqueue_label;
        mpo_destroy_sysv_sem_label_t            mpo_destroy_sysv_sem_label;
        mpo_destroy_sysv_shm_label_t            mpo_destroy_sysv_shm_label;
        mpo_destroy_ipq_label_t                 mpo_destroy_ipq_label;
        mpo_destroy_mbuf_label_t                mpo_destroy_mbuf_label;
        mpo_destroy_mount_label_t               mpo_destroy_mount_label;
        mpo_destroy_socket_label_t              mpo_destroy_socket_label;
        mpo_destroy_socket_peer_label_t         mpo_destroy_socket_peer_label;
        mpo_destroy_pipe_label_t                mpo_destroy_pipe_label;
        mpo_destroy_posix_sem_label_t           mpo_destroy_posix_sem_label;
        mpo_destroy_proc_label_t                mpo_destroy_proc_label;
        mpo_destroy_vnode_label_t               mpo_destroy_vnode_label;
        mpo_cleanup_sysv_msgmsg_t               mpo_cleanup_sysv_msgmsg;
        mpo_cleanup_sysv_msgqueue_t             mpo_cleanup_sysv_msgqueue;
        mpo_cleanup_sysv_sem_t                  mpo_cleanup_sysv_sem;
        mpo_cleanup_sysv_shm_t                  mpo_cleanup_sysv_shm;
        mpo_copy_cred_label_t                   mpo_copy_cred_label;
        mpo_copy_ifnet_label_t                  mpo_copy_ifnet_label;
        mpo_copy_mbuf_label_t                   mpo_copy_mbuf_label;
        mpo_placeholder_t                       _mpo_placeholder2;
        mpo_copy_pipe_label_t                   mpo_copy_pipe_label;
        mpo_copy_socket_label_t                 mpo_copy_socket_label;
        mpo_copy_vnode_label_t                  mpo_copy_vnode_label;
        mpo_externalize_cred_label_t            mpo_externalize_cred_label;
        mpo_externalize_ifnet_label_t           mpo_externalize_ifnet_label;
        mpo_placeholder_t                       _mpo_placeholder3;
        mpo_externalize_pipe_label_t            mpo_externalize_pipe_label;
        mpo_externalize_socket_label_t          mpo_externalize_socket_label;
        mpo_externalize_socket_peer_label_t     mpo_externalize_socket_peer_label;
        mpo_externalize_vnode_label_t           mpo_externalize_vnode_label;
        mpo_internalize_cred_label_t            mpo_internalize_cred_label;
        mpo_internalize_ifnet_label_t           mpo_internalize_ifnet_label;
        mpo_placeholder_t                       _mpo_placeholder4;
        mpo_internalize_pipe_label_t            mpo_internalize_pipe_label;
        mpo_internalize_socket_label_t          mpo_internalize_socket_label;
        mpo_internalize_vnode_label_t           mpo_internalize_vnode_label;

        /*
         * Labeling event operations: file system objects, and things that
         * look a lot like file system objects.
         */
        mpo_associate_vnode_devfs_t             mpo_associate_vnode_devfs;
        mpo_associate_vnode_extattr_t           mpo_associate_vnode_extattr;
        mpo_associate_vnode_singlelabel_t       mpo_associate_vnode_singlelabel;
        mpo_create_devfs_device_t               mpo_create_devfs_device;
        mpo_create_devfs_directory_t            mpo_create_devfs_directory;
        mpo_create_devfs_symlink_t              mpo_create_devfs_symlink;
        mpo_placeholder_t                       _mpo_placeholder5;
        mpo_create_vnode_extattr_t              mpo_create_vnode_extattr;
        mpo_create_mount_t                      mpo_create_mount;
        mpo_relabel_vnode_t                     mpo_relabel_vnode;
        mpo_setlabel_vnode_extattr_t            mpo_setlabel_vnode_extattr;
        mpo_update_devfs_t                      mpo_update_devfs;

        /*
         * Labeling event operations: IPC objects.
         */
        mpo_create_mbuf_from_socket_t           mpo_create_mbuf_from_socket;
        mpo_create_socket_t                     mpo_create_socket;
        mpo_create_socket_from_socket_t         mpo_create_socket_from_socket;
        mpo_relabel_socket_t                    mpo_relabel_socket;
        mpo_relabel_pipe_t                      mpo_relabel_pipe;
        mpo_set_socket_peer_from_mbuf_t         mpo_set_socket_peer_from_mbuf;
        mpo_set_socket_peer_from_socket_t       mpo_set_socket_peer_from_socket;
        mpo_create_pipe_t                       mpo_create_pipe;

        /*
         * Labeling event operations: System V IPC primitives.
         */
        mpo_create_sysv_msgmsg_t                mpo_create_sysv_msgmsg;
        mpo_create_sysv_msgqueue_t              mpo_create_sysv_msgqueue;
        mpo_create_sysv_sem_t                   mpo_create_sysv_sem;
        mpo_create_sysv_shm_t                   mpo_create_sysv_shm;

        /*
         * Labeling event operations: POSIX (global/inter-process) semaphores.
         */
        mpo_create_posix_sem_t                  mpo_create_posix_sem;

        /*
         * Labeling event operations: network objects.
         */
        mpo_create_bpfdesc_t                    mpo_create_bpfdesc;
        mpo_create_ifnet_t                      mpo_create_ifnet;
        mpo_create_inpcb_from_socket_t          mpo_create_inpcb_from_socket;
        mpo_create_ipq_t                        mpo_create_ipq;
        /*
         * NOTE(review): this typedef name lacks the _t suffix every other
         * member uses.  It presumably matches the typedef earlier in this
         * file (not visible here); tidying it means renaming both.
         */
        mpo_create_datagram_from_ipq            mpo_create_datagram_from_ipq;
        mpo_create_fragment_t                   mpo_create_fragment;
        mpo_create_mbuf_from_inpcb_t            mpo_create_mbuf_from_inpcb;
        mpo_create_mbuf_linklayer_t             mpo_create_mbuf_linklayer;
        mpo_create_mbuf_from_bpfdesc_t          mpo_create_mbuf_from_bpfdesc;
        mpo_create_mbuf_from_ifnet_t            mpo_create_mbuf_from_ifnet;
        mpo_create_mbuf_multicast_encap_t       mpo_create_mbuf_multicast_encap;
        mpo_create_mbuf_netlayer_t              mpo_create_mbuf_netlayer;
        mpo_fragment_match_t                    mpo_fragment_match;
        mpo_reflect_mbuf_icmp_t                 mpo_reflect_mbuf_icmp;
        mpo_reflect_mbuf_tcp_t                  mpo_reflect_mbuf_tcp;
        mpo_relabel_ifnet_t                     mpo_relabel_ifnet;
        mpo_update_ipq_t                        mpo_update_ipq;
        mpo_inpcb_sosetlabel_t                  mpo_inpcb_sosetlabel;

        /*
         * Labeling event operations: processes.
         */
        mpo_execve_transition_t                 mpo_execve_transition;
        mpo_execve_will_transition_t            mpo_execve_will_transition;
        mpo_create_proc0_t                      mpo_create_proc0;
        mpo_create_proc1_t                      mpo_create_proc1;
        mpo_relabel_cred_t                      mpo_relabel_cred;
        mpo_placeholder_t                       _mpo_placeholder6;
        mpo_thread_userret_t                    mpo_thread_userret;

        /*
         * Access control checks.
         */
        mpo_check_bpfdesc_receive_t             mpo_check_bpfdesc_receive;
        mpo_placeholder_t                       _mpo_placeholder7;
        mpo_check_cred_relabel_t                mpo_check_cred_relabel;
        mpo_check_cred_visible_t                mpo_check_cred_visible;
        mpo_placeholder_t                       _mpo_placeholder8;
        mpo_placeholder_t                       _mpo_placeholder9;
        mpo_placeholder_t                       _mpo_placeholder10;
        mpo_placeholder_t                       _mpo_placeholder11;
        mpo_placeholder_t                       _mpo_placeholder12;
        mpo_placeholder_t                       _mpo_placeholder13;
        mpo_placeholder_t                       _mpo_placeholder14;
        mpo_placeholder_t                       _mpo_placeholder15;
        mpo_placeholder_t                       _mpo_placeholder16;
        mpo_placeholder_t                       _mpo_placeholder17;
        mpo_check_inpcb_visible_t               mpo_check_inpcb_visible;
        mpo_check_ifnet_relabel_t               mpo_check_ifnet_relabel;
        mpo_check_ifnet_transmit_t              mpo_check_ifnet_transmit;
        mpo_check_inpcb_deliver_t               mpo_check_inpcb_deliver;
        mpo_check_sysv_msgmsq_t                 mpo_check_sysv_msgmsq;
        mpo_check_sysv_msgrcv_t                 mpo_check_sysv_msgrcv;
        mpo_check_sysv_msgrmid_t                mpo_check_sysv_msgrmid;
        mpo_check_sysv_msqget_t                 mpo_check_sysv_msqget;
        mpo_check_sysv_msqsnd_t                 mpo_check_sysv_msqsnd;
        mpo_check_sysv_msqrcv_t                 mpo_check_sysv_msqrcv;
        mpo_check_sysv_msqctl_t                 mpo_check_sysv_msqctl;
        mpo_check_sysv_semctl_t                 mpo_check_sysv_semctl;
        mpo_check_sysv_semget_t                 mpo_check_sysv_semget;
        mpo_check_sysv_semop_t                  mpo_check_sysv_semop;
        mpo_check_sysv_shmat_t                  mpo_check_sysv_shmat;
        mpo_check_sysv_shmctl_t                 mpo_check_sysv_shmctl;
        mpo_check_sysv_shmdt_t                  mpo_check_sysv_shmdt;
        mpo_check_sysv_shmget_t                 mpo_check_sysv_shmget;
        mpo_check_kenv_dump_t                   mpo_check_kenv_dump;
        mpo_check_kenv_get_t                    mpo_check_kenv_get;
        mpo_check_kenv_set_t                    mpo_check_kenv_set;
        mpo_check_kenv_unset_t                  mpo_check_kenv_unset;
        mpo_check_kld_load_t                    mpo_check_kld_load;
        mpo_check_kld_stat_t                    mpo_check_kld_stat;
        /* Placeholder numbering skips 18; the slot count is what matters. */
        mpo_placeholder_t                       _mpo_placeholder19;
        mpo_placeholder_t                       _mpo_placeholder20;
        mpo_check_mount_stat_t                  mpo_check_mount_stat;
        /* Spelled with an extra underscore, unlike the other placeholders. */
        mpo_placeholder_t                       _mpo_placeholder_21;
        mpo_check_pipe_ioctl_t                  mpo_check_pipe_ioctl;
        mpo_check_pipe_poll_t                   mpo_check_pipe_poll;
        mpo_check_pipe_read_t                   mpo_check_pipe_read;
        mpo_check_pipe_relabel_t                mpo_check_pipe_relabel;
        mpo_check_pipe_stat_t                   mpo_check_pipe_stat;
        mpo_check_pipe_write_t                  mpo_check_pipe_write;
        mpo_check_posix_sem_destroy_t           mpo_check_posix_sem_destroy;
        mpo_check_posix_sem_getvalue_t          mpo_check_posix_sem_getvalue;
        mpo_check_posix_sem_open_t              mpo_check_posix_sem_open;
        mpo_check_posix_sem_post_t              mpo_check_posix_sem_post;
        mpo_check_posix_sem_unlink_t            mpo_check_posix_sem_unlink;
        mpo_check_posix_sem_wait_t              mpo_check_posix_sem_wait;
        mpo_check_proc_debug_t                  mpo_check_proc_debug;
        mpo_check_proc_sched_t                  mpo_check_proc_sched;
        mpo_check_proc_setaudit_t               mpo_check_proc_setaudit;
        mpo_check_proc_setaudit_addr_t          mpo_check_proc_setaudit_addr;
        mpo_check_proc_setauid_t                mpo_check_proc_setauid;
        mpo_check_proc_setuid_t                 mpo_check_proc_setuid;
        mpo_check_proc_seteuid_t                mpo_check_proc_seteuid;
        mpo_check_proc_setgid_t                 mpo_check_proc_setgid;
        mpo_check_proc_setegid_t                mpo_check_proc_setegid;
        mpo_check_proc_setgroups_t              mpo_check_proc_setgroups;
        mpo_check_proc_setreuid_t               mpo_check_proc_setreuid;
        mpo_check_proc_setregid_t               mpo_check_proc_setregid;
        mpo_check_proc_setresuid_t              mpo_check_proc_setresuid;
        mpo_check_proc_setresgid_t              mpo_check_proc_setresgid;
        mpo_check_proc_signal_t                 mpo_check_proc_signal;
        mpo_check_proc_wait_t                   mpo_check_proc_wait;
        mpo_check_socket_accept_t               mpo_check_socket_accept;
        mpo_check_socket_bind_t                 mpo_check_socket_bind;
        mpo_check_socket_connect_t              mpo_check_socket_connect;
        mpo_check_socket_create_t               mpo_check_socket_create;
        mpo_check_socket_deliver_t              mpo_check_socket_deliver;
        mpo_placeholder_t                       _mpo_placeholder22;
        mpo_check_socket_listen_t               mpo_check_socket_listen;
        mpo_check_socket_poll_t                 mpo_check_socket_poll;
        mpo_check_socket_receive_t              mpo_check_socket_receive;
        mpo_check_socket_relabel_t              mpo_check_socket_relabel;
        mpo_check_socket_send_t                 mpo_check_socket_send;
        mpo_check_socket_stat_t                 mpo_check_socket_stat;
        mpo_check_socket_visible_t              mpo_check_socket_visible;
        mpo_check_system_acct_t                 mpo_check_system_acct;
        mpo_check_system_audit_t                mpo_check_system_audit;
        mpo_check_system_auditctl_t             mpo_check_system_auditctl;
        mpo_check_system_auditon_t              mpo_check_system_auditon;
        mpo_check_system_reboot_t               mpo_check_system_reboot;
        mpo_check_system_swapon_t               mpo_check_system_swapon;
        mpo_check_system_swapoff_t              mpo_check_system_swapoff;
        mpo_check_system_sysctl_t               mpo_check_system_sysctl;
        mpo_placeholder_t                       _mpo_placeholder23;
        mpo_check_vnode_access_t                mpo_check_vnode_access;
        mpo_check_vnode_chdir_t                 mpo_check_vnode_chdir;
        mpo_check_vnode_chroot_t                mpo_check_vnode_chroot;
        mpo_check_vnode_create_t                mpo_check_vnode_create;
        mpo_check_vnode_deleteacl_t             mpo_check_vnode_deleteacl;
        mpo_check_vnode_deleteextattr_t         mpo_check_vnode_deleteextattr;
        mpo_check_vnode_exec_t                  mpo_check_vnode_exec;
        mpo_check_vnode_getacl_t                mpo_check_vnode_getacl;
        mpo_check_vnode_getextattr_t            mpo_check_vnode_getextattr;
        mpo_placeholder_t                       _mpo_placeholder24;
        mpo_check_vnode_link_t                  mpo_check_vnode_link;
        mpo_check_vnode_listextattr_t           mpo_check_vnode_listextattr;
        mpo_check_vnode_lookup_t                mpo_check_vnode_lookup;
        mpo_check_vnode_mmap_t                  mpo_check_vnode_mmap;
        mpo_check_vnode_mmap_downgrade_t        mpo_check_vnode_mmap_downgrade;
        mpo_check_vnode_mprotect_t              mpo_check_vnode_mprotect;
        mpo_check_vnode_open_t                  mpo_check_vnode_open;
        mpo_check_vnode_poll_t                  mpo_check_vnode_poll;
        mpo_check_vnode_read_t                  mpo_check_vnode_read;
        mpo_check_vnode_readdir_t               mpo_check_vnode_readdir;
        mpo_check_vnode_readlink_t              mpo_check_vnode_readlink;
        mpo_check_vnode_relabel_t               mpo_check_vnode_relabel;
        mpo_check_vnode_rename_from_t           mpo_check_vnode_rename_from;
        mpo_check_vnode_rename_to_t             mpo_check_vnode_rename_to;
        mpo_check_vnode_revoke_t                mpo_check_vnode_revoke;
        mpo_check_vnode_setacl_t                mpo_check_vnode_setacl;
        mpo_check_vnode_setextattr_t            mpo_check_vnode_setextattr;
        mpo_check_vnode_setflags_t              mpo_check_vnode_setflags;
        mpo_check_vnode_setmode_t               mpo_check_vnode_setmode;
        mpo_check_vnode_setowner_t              mpo_check_vnode_setowner;
        mpo_check_vnode_setutimes_t             mpo_check_vnode_setutimes;
        mpo_check_vnode_stat_t                  mpo_check_vnode_stat;
        mpo_check_vnode_unlink_t                mpo_check_vnode_unlink;
        mpo_check_vnode_write_t                 mpo_check_vnode_write;

        /*
         * Entry points appended after the checks (a labeling event, mbuf
         * and syncache label operations, and the privilege hooks).  They
         * are out of category order, presumably because they were added
         * later and placed at the end to keep the earlier slots stable.
         */
        mpo_associate_nfsd_label_t              mpo_associate_nfsd_label;
        mpo_create_mbuf_from_firewall_t         mpo_create_mbuf_from_firewall;
        mpo_init_syncache_label_t               mpo_init_syncache_label;
        mpo_destroy_syncache_label_t            mpo_destroy_syncache_label;
        mpo_init_syncache_from_inpcb_t          mpo_init_syncache_from_inpcb;
        mpo_create_mbuf_from_syncache_t         mpo_create_mbuf_from_syncache;
        mpo_priv_check_t                        mpo_priv_check;
        mpo_priv_grant_t                        mpo_priv_grant;
};
  912 
/*
 * struct mac_policy_conf is the registration structure for policies, and is
 * provided to the MAC Framework using MAC_POLICY_SET() to invoke a SYSINIT
 * to register the policy.  In general, the fields are immutable, with the
 * exception of the "security field", run-time flags, and policy list entry,
 * which are managed by the MAC Framework.  Be careful when modifying this
 * structure, as its layout is statically compiled into all policies.
 *
 * MAC_POLICY_SET() initialises the fields positionally, in the order they
 * are declared here, so the declaration order is part of that contract.
 */
struct mac_policy_conf {
        /*
         * mpc_name is set by MAC_POLICY_SET() to a stringised identifier,
         * i.e. it points at a string literal, and mpc_fullname is
         * conventionally a literal too; writing through either is
         * undefined behaviour, so treat both as if they were const.
         */
        char                            *mpc_name;      /* policy name */
        char                            *mpc_fullname;  /* policy full name */
        struct mac_policy_ops           *mpc_ops;       /* policy operations */
        int                              mpc_loadtime_flags;    /* flags */
        /*
         * Supplied by the policy (the privdata_wanted argument of
         * MAC_POLICY_SET()) and written by the Framework at registration;
         * presumably receives the slot the policy then passes to
         * mac_label_get()/mac_label_set() — confirm with the Framework.
         */
        int                             *mpc_field_off; /* security field */
        int                              mpc_runtime_flags; /* flags */
        LIST_ENTRY(mac_policy_conf)      mpc_list;      /* global list */
};
  930 
/*
 * Flags for the mpc_loadtime_flags field.  The meanings noted beside each
 * flag are inferred from its name; confirm against the Framework's policy
 * registration code before relying on them.
 */
#define MPC_LOADTIME_FLAG_NOTLATE       0x00000001 /* must not be loaded late */
#define MPC_LOADTIME_FLAG_UNLOADOK      0x00000002 /* policy may be unloaded */
#define MPC_LOADTIME_FLAG_LABELMBUFS    0x00000004 /* policy wants mbuf labels */

/* Flags for the mpc_runtime_flags field; managed by the Framework. */
#define MPC_RUNTIME_FLAG_REGISTERED     0x00000001 /* registration completed */
  938 
/*-
 * The TrustedBSD MAC Framework has a major version number, MAC_VERSION,
 * which defines the ABI of the Framework present in the kernel (and depended
 * on by policy modules compiled against that kernel).  Currently,
 * MAC_POLICY_SET() requires that the kernel and module ABI version numbers
 * exactly match.  The following major versions have been defined to date:
 *
 *   MAC version             FreeBSD versions
 *   1                       5.x
 *   2                       6.x
 *   3                       7.x
 *
 * Bump this whenever the layout of struct mac_policy_ops or struct
 * mac_policy_conf changes: MAC_POLICY_SET() passes MAC_VERSION as the
 * minimum, preferred and maximum version to MODULE_DEPEND(), so the module
 * loader can refuse a policy built against a different layout instead of
 * letting it index a mismatched entry point table.
 */
#define MAC_VERSION     3
  952 
/*
 * MAC_POLICY_SET() defines and registers a policy module.
 *
 *   mpops            pointer to the policy's struct mac_policy_ops
 *   mpname           a plain identifier: it is both pasted into symbol
 *                    names (##) and stringised (#) to become mpc_name
 *   mpfullname       human-readable name stored in mpc_fullname
 *   mpflags          MPC_LOADTIME_FLAG_* bits for mpc_loadtime_flags
 *   privdata_wanted  int * stored in mpc_field_off, through which the
 *                    Framework presumably reports the policy's label slot
 *
 * The struct mac_policy_conf initialiser is positional: it binds the
 * arguments to fields by declaration order, sets mpc_runtime_flags to 0
 * and leaves mpc_list zero-initialised.  Designated initialisers would
 * make that binding explicit and survive a field reordering.  The
 * expansion ends without a semicolon; the invocation supplies it.
 */
#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
        static struct mac_policy_conf mpname##_mac_policy_conf = {      \
                #mpname,                                                \
                mpfullname,                                             \
                mpops,                                                  \
                mpflags,                                                \
                privdata_wanted,                                        \
                0,                                                      \
        };                                                              \
        static moduledata_t mpname##_mod = {                            \
                #mpname,                                                \
                mac_policy_modevent,                                    \
                &mpname##_mac_policy_conf                               \
        };                                                              \
        MODULE_DEPEND(mpname, kernel_mac_support, MAC_VERSION,          \
            MAC_VERSION, MAC_VERSION);                                  \
        DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY,         \
            SI_ORDER_MIDDLE)
  971 
/*
 * Module event handler that MAC_POLICY_SET() installs as the moduledata_t
 * callback; data is the private pointer from that moduledata_t, i.e. the
 * policy's struct mac_policy_conf.
 */
int     mac_policy_modevent(module_t mod, int type, void *data);
  973 
/*
 * Policy interface to map a struct label pointer to per-policy data.
 * Typically, policies wrap this in their own accessor macro that casts a
 * uintptr_t to a policy-specific data type.
 *
 * slot selects the policy's entry within the label (presumably the value
 * the Framework stored through mpc_field_off — confirm).  The stored
 * intptr_t is opaque to the Framework, so when it holds a pointer the
 * policy alone owns that object's lifetime and must release it from its
 * destroy_*_label entry point.
 */
intptr_t        mac_label_get(struct label *l, int slot);
void            mac_label_set(struct label *l, int slot, intptr_t v);
  981 
  982 #endif /* !_SECURITY_MAC_MAC_POLICY_H_ */
