

sys/security/mac/mac_policy.h


    1 /*-
    2  * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
    3  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
    4  * Copyright (c) 2005-2006 SPARTA, Inc.
    5  * Copyright (c) 2008 Apple Inc.
    6  * All rights reserved.
    7  *
    8  * This software was developed by Robert Watson for the TrustedBSD Project.
    9  *
   10  * This software was developed for the FreeBSD Project in part by Network
   11  * Associates Laboratories, the Security Research Division of Network
   12  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
   13  * as part of the DARPA CHATS research program.
   14  *
   15  * This software was enhanced by SPARTA ISSO under SPAWAR contract 
   16  * N66001-04-C-6019 ("SEFOS").
   17  *
   18  * This software was developed at the University of Cambridge Computer
   19  * Laboratory with support from a grant from Google, Inc.
   20  *
   21  * Redistribution and use in source and binary forms, with or without
   22  * modification, are permitted provided that the following conditions
   23  * are met:
   24  * 1. Redistributions of source code must retain the above copyright
   25  *    notice, this list of conditions and the following disclaimer.
   26  * 2. Redistributions in binary form must reproduce the above copyright
   27  *    notice, this list of conditions and the following disclaimer in the
   28  *    documentation and/or other materials provided with the distribution.
   29  *
   30  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   31  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   32  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   33  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   34  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   35  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   36  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   37  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   38  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   39  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   40  * SUCH DAMAGE.
   41  *
   42  * $FreeBSD: releng/8.3/sys/security/mac/mac_policy.h 189533 2009-03-08 12:32:06Z rwatson $
   43  */
   44 /*
   45  * Kernel interface for MAC policy modules.
   46  */
   47 #ifndef _SECURITY_MAC_MAC_POLICY_H_
   48 #define _SECURITY_MAC_MAC_POLICY_H_
   49 
   50 #ifndef _KERNEL
   51 #error "no user-serviceable parts inside"
   52 #endif
   53 
   54 /*-
   55  * Pluggable access control policy definition structure.
   56  *
   57  * List of operations that are performed as part of the implementation of a
   58  * MAC policy.  Policy implementors declare operations with a mac_policy_ops
   59  * structure, and using the MAC_POLICY_SET() macro.  If an entry point is not
 * declared, then the policy will be ignored during evaluation of that
   61  * event or check.
   62  *
   63  * Operations are sorted first by general class of operation, then
   64  * alphabetically.
   65  */
   66 #include <sys/acl.h>    /* XXX acl_type_t */
   67 #include <sys/types.h>  /* XXX accmode_t */
   68 
/*
 * Opaque forward declarations.  Every entry point below receives these
 * objects by pointer only, so a policy can be compiled against this header
 * without pulling in the owning subsystems' headers.  A policy that needs to
 * look inside one of these objects includes that subsystem's header itself;
 * nothing here grants access to their contents.
 */
struct acl;
struct auditinfo;
struct auditinfo_addr;
struct bpf_d;
struct cdev;
struct componentname;
struct devfs_dirent;
struct ifnet;
struct image_params;
struct inpcb;
struct ip6q;
struct ipq;
struct ksem;
struct label;
struct mac_policy_conf;
struct mbuf;
struct mount;
struct msg;
struct msqid_kernel;
struct pipepair;
struct proc;
struct sbuf;
struct semid_kernel;
struct shmfd;
struct shmid_kernel;
struct sockaddr;
struct socket;
struct sysctl_oid;
struct sysctl_req;
struct thread;
struct ucred;
struct vattr;
struct vnode;
  102 
/*
 * Policy module lifecycle operations.  Both receive the policy's own
 * mac_policy_conf, i.e. the configuration registered with MAC_POLICY_SET().
 * Neither returns a status, so a failure during init cannot be reported to
 * the framework through this interface; a policy that cannot set itself up
 * has to fail safe on its own (e.g. by denying in its checks).
 */
typedef void    (*mpo_destroy_t)(struct mac_policy_conf *mpc);
typedef void    (*mpo_init_t)(struct mac_policy_conf *mpc);
  108 
/*
 * General policy-directed security system call so that policies may
 * implement new services without reserving explicit system call numbers.
 *
 * call selects the policy-specific operation; arg is handed through from the
 * system call.  Since arg originates with the calling process it should be
 * treated as an untrusted user-space address (copyin/copyout, never a direct
 * dereference), and call should be validated against the operations the
 * policy actually implements, returning an errno for anything else.
 * NOTE(review): the user-space provenance of arg is inferred from the
 * "system call" description above; confirm against the framework's
 * mac_syscall implementation.
 */
typedef int     (*mpo_syscall_t)(struct thread *td, int call, void *arg);
  114 
/*
 * Place-holder function pointers for ABI-compatibility purposes.  Slots of
 * this type keep the layout of the operations vector stable when entry
 * points are retired or reserved; a policy has no reason to fill one, and
 * whether the framework ever invokes such a slot is not visible here.
 */
typedef void    (*mpo_placeholder_t)(void);
  119 
/*
 * Operations sorted alphabetically by primary object type and then method.
 *
 * Reading the signatures below: entry points named *_check_* return an int
 * and take the subject credential (where one exists) plus the object and its
 * label; every other entry point returns void and is a notification or
 * label-maintenance hook (init/destroy/copy/create/relabel).  NOTE(review):
 * the return-value convention of the checks (0 permits, non-zero errno
 * denies) is the usual one for these interfaces but is not stated in this
 * header; confirm against the framework's dispatch code before relying on it.
 */
/*
 * No credential is available: whether the descriptor may receive from the
 * interface must be decided purely from the two labels.
 */
typedef int     (*mpo_bpfdesc_check_receive_t)(struct bpf_d *d,
                    struct label *dlabel, struct ifnet *ifp,
                    struct label *ifplabel);
/* cred is presumably the opener of the descriptor; used to derive dlabel. */
typedef void    (*mpo_bpfdesc_create_t)(struct ucred *cred,
                    struct bpf_d *d, struct label *dlabel);
/* Label propagation for a packet emitted through the descriptor. */
typedef void    (*mpo_bpfdesc_create_mbuf_t)(struct bpf_d *d,
                    struct label *dlabel, struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_bpfdesc_destroy_label_t)(struct label *label);
typedef void    (*mpo_bpfdesc_init_label_t)(struct label *label);
  133 
/* Notification only: there is no check counterpart for nfsd association. */
typedef void    (*mpo_cred_associate_nfsd_t)(struct ucred *cred);
/*
 * check_relabel authorizes a label change that relabel (at the end of this
 * group) then applies.  Per the file comment, a policy that declares relabel
 * but not check_relabel imposes no restriction of its own on relabeling.
 */
typedef int     (*mpo_cred_check_relabel_t)(struct ucred *cred,
                    struct label *newlabel);
/* Audit-state changes: the requested auditinfo / audit id is passed in. */
typedef int     (*mpo_cred_check_setaudit_t)(struct ucred *cred,
                    struct auditinfo *ai);
typedef int     (*mpo_cred_check_setaudit_addr_t)(struct ucred *cred,
                    struct auditinfo_addr *aia);
typedef int     (*mpo_cred_check_setauid_t)(struct ucred *cred, uid_t auid);
/*
 * Identity changes.  cred is the credential as it is before the change; the
 * remaining arguments are the requested new values.
 */
typedef int     (*mpo_cred_check_setegid_t)(struct ucred *cred, gid_t egid);
typedef int     (*mpo_cred_check_seteuid_t)(struct ucred *cred, uid_t euid);
typedef int     (*mpo_cred_check_setgid_t)(struct ucred *cred, gid_t gid);
/*
 * ngroups is a plain int paired with a raw pointer: a policy that walks
 * gidset should bound its loop by ngroups and reject a negative count rather
 * than assume the caller has already validated it.
 */
typedef int     (*mpo_cred_check_setgroups_t)(struct ucred *cred, int ngroups,
                    gid_t *gidset);
typedef int     (*mpo_cred_check_setregid_t)(struct ucred *cred, gid_t rgid,
                    gid_t egid);
typedef int     (*mpo_cred_check_setresgid_t)(struct ucred *cred, gid_t rgid,
                    gid_t egid, gid_t sgid);
typedef int     (*mpo_cred_check_setresuid_t)(struct ucred *cred, uid_t ruid,
                    uid_t euid, uid_t suid);
typedef int     (*mpo_cred_check_setreuid_t)(struct ucred *cred, uid_t ruid,
                    uid_t euid);
typedef int     (*mpo_cred_check_setuid_t)(struct ucred *cred, uid_t uid);
/*
 * The parameter names do not say which credential is the observer.  This is
 * presumably cr1 looking at cr2 (the usual order for visibility checks);
 * confirm against the framework's callers before implementing.
 */
typedef int     (*mpo_cred_check_visible_t)(struct ucred *cr1,
                    struct ucred *cr2);
typedef void    (*mpo_cred_copy_label_t)(struct label *src,
                    struct label *dest);
/* Initial labels for the first process and the swapper, respectively. */
typedef void    (*mpo_cred_create_init_t)(struct ucred *cred);
typedef void    (*mpo_cred_create_swapper_t)(struct ucred *cred);
typedef void    (*mpo_cred_destroy_label_t)(struct label *label);
/*
 * Label text conversion.  externalize appends this policy's element to sb;
 * internalize parses element_data, which is text supplied by whoever
 * requested the label (presumably user space via the label system calls)
 * and so must be parsed defensively.  claimed is presumably bumped when the
 * policy recognises element_name as its own -- confirm.
 */
typedef int     (*mpo_cred_externalize_label_t)(struct label *label,
                    char *element_name, struct sbuf *sb, int *claimed);
typedef void    (*mpo_cred_init_label_t)(struct label *label);
typedef int     (*mpo_cred_internalize_label_t)(struct label *label,
                    char *element_name, char *element_data, int *claimed);
/* Applies a relabel that check_relabel (above) has already authorized. */
typedef void    (*mpo_cred_relabel_t)(struct ucred *cred,
                    struct label *newlabel);
  170 
/*
 * devfs label derivation.  These are all void notifications: devfs labels
 * are assigned here, and access to the resulting vnodes is controlled by the
 * vnode checks further down, not by anything in this group.
 */
typedef void    (*mpo_devfs_create_device_t)(struct ucred *cred,
                    struct mount *mp, struct cdev *dev,
                    struct devfs_dirent *de, struct label *delabel);
/*
 * dirname comes with an explicit dirnamelen, so treat it as a
 * length-delimited buffer rather than assuming NUL termination.
 */
typedef void    (*mpo_devfs_create_directory_t)(struct mount *mp,
                    char *dirname, int dirnamelen, struct devfs_dirent *de,
                    struct label *delabel);
typedef void    (*mpo_devfs_create_symlink_t)(struct ucred *cred,
                    struct mount *mp, struct devfs_dirent *dd,
                    struct label *ddlabel, struct devfs_dirent *de,
                    struct label *delabel);
typedef void    (*mpo_devfs_destroy_label_t)(struct label *label);
typedef void    (*mpo_devfs_init_label_t)(struct label *label);
/*
 * update copies from the vnode label back to the dirent; vnode_associate
 * goes the other way when a vnode is instantiated for the dirent.
 */
typedef void    (*mpo_devfs_update_t)(struct mount *mp,
                    struct devfs_dirent *de, struct label *delabel,
                    struct vnode *vp, struct label *vplabel);
typedef void    (*mpo_devfs_vnode_associate_t)(struct mount *mp,
                    struct label *mplabel, struct devfs_dirent *de,
                    struct label *delabel, struct vnode *vp,
                    struct label *vplabel);
  190 
/* Authorizes a relabel that ifnet_relabel (below) then applies. */
typedef int     (*mpo_ifnet_check_relabel_t)(struct ucred *cred,
                    struct ifnet *ifp, struct label *ifplabel,
                    struct label *newlabel);
/*
 * Outbound check with no credential: the decision has to be made from the
 * interface and packet labels alone.
 */
typedef int     (*mpo_ifnet_check_transmit_t)(struct ifnet *ifp,
                    struct label *ifplabel, struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_ifnet_copy_label_t)(struct label *src,
                    struct label *dest);
/* Interface creation carries no credential; the label is derived from ifp. */
typedef void    (*mpo_ifnet_create_t)(struct ifnet *ifp,
                    struct label *ifplabel);
/* Label propagation for a packet generated on behalf of the interface. */
typedef void    (*mpo_ifnet_create_mbuf_t)(struct ifnet *ifp,
                    struct label *ifplabel, struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_ifnet_destroy_label_t)(struct label *label);
typedef int     (*mpo_ifnet_externalize_label_t)(struct label *label,
                    char *element_name, struct sbuf *sb, int *claimed);
typedef void    (*mpo_ifnet_init_label_t)(struct label *label);
/* element_data is externally supplied text; parse defensively. */
typedef int     (*mpo_ifnet_internalize_label_t)(struct label *label,
                    char *element_name, char *element_data, int *claimed);
typedef void    (*mpo_ifnet_relabel_t)(struct ucred *cred, struct ifnet *ifp,
                    struct label *ifplabel, struct label *newlabel);
  212 
/*
 * Inbound delivery check with no credential: only the PCB and packet labels
 * are available, so this is a pure label comparison.
 */
typedef int     (*mpo_inpcb_check_deliver_t)(struct inpcb *inp,
                    struct label *inplabel, struct mbuf *m,
                    struct label *mlabel);
typedef int     (*mpo_inpcb_check_visible_t)(struct ucred *cred,
                    struct inpcb *inp, struct label *inplabel);
/* The PCB label is derived from the owning socket's label. */
typedef void    (*mpo_inpcb_create_t)(struct socket *so,
                    struct label *solabel, struct inpcb *inp,
                    struct label *inplabel);
typedef void    (*mpo_inpcb_create_mbuf_t)(struct inpcb *inp,
                    struct label *inplabel, struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_inpcb_destroy_label_t)(struct label *label);
/*
 * Unlike the void init_label hooks, this one returns int and takes flag --
 * presumably the allocation-wait flag, with a non-zero return meaning the
 * label could not be set up (confirm).  It is the only place a policy can
 * report failure to initialize a PCB label.
 */
typedef int     (*mpo_inpcb_init_label_t)(struct label *label, int flag);
/* Re-derives the PCB label after the socket label changed. */
typedef void    (*mpo_inpcb_sosetlabel_t)(struct socket *so,
                    struct label *label, struct inpcb *inp,
                    struct label *inplabel);
  229 
/*
 * IPv6 and IPv4 reassembly-queue labels.  ip6q_match / ipq_match return an
 * int but are predicates, not access checks: they presumably report whether
 * the fragment in m belongs to the queue -- confirm the truth convention in
 * the framework before treating the result as an errno.
 * NOTE(review): mpo_ip6q_reassemble and mpo_ipq_reassemble lack the _t
 * suffix that every other entry-point typedef in this file carries.  Simply
 * renaming them would break policies that spell the existing names, so a
 * cleanup needs a compatibility alias.
 */
typedef void    (*mpo_ip6q_create_t)(struct mbuf *m, struct label *mlabel,
                    struct ip6q *q6, struct label *q6label);
typedef void    (*mpo_ip6q_destroy_label_t)(struct label *label);
/* Returns int and takes flag: see the note on mpo_inpcb_init_label_t. */
typedef int     (*mpo_ip6q_init_label_t)(struct label *label, int flag);
typedef int     (*mpo_ip6q_match_t)(struct mbuf *m, struct label *mlabel,
                    struct ip6q *q6, struct label *q6label);
/* Label for the reassembled datagram m, derived from the queue label. */
typedef void    (*mpo_ip6q_reassemble)(struct ip6q *q6, struct label *q6label,
                    struct mbuf *m, struct label *mlabel);
/* Queue label updated as further fragments arrive. */
typedef void    (*mpo_ip6q_update_t)(struct mbuf *m, struct label *mlabel,
                    struct ip6q *q6, struct label *q6label);

typedef void    (*mpo_ipq_create_t)(struct mbuf *m, struct label *mlabel,
                    struct ipq *q, struct label *qlabel);
typedef void    (*mpo_ipq_destroy_label_t)(struct label *label);
typedef int     (*mpo_ipq_init_label_t)(struct label *label, int flag);
typedef int     (*mpo_ipq_match_t)(struct mbuf *m, struct label *mlabel,
                    struct ipq *q, struct label *qlabel);
typedef void    (*mpo_ipq_reassemble)(struct ipq *q, struct label *qlabel,
                    struct mbuf *m, struct label *mlabel);
typedef void    (*mpo_ipq_update_t)(struct mbuf *m, struct label *mlabel,
                    struct ipq *q, struct label *qlabel);
  251 
/*
 * Kernel environment access.  name/value are the strings the caller asked
 * for; the kernel environment can carry boot-time secrets and tunables, so a
 * policy that wants to confine it should implement all four checks (dump
 * reads everything at once) rather than just set/unset.
 */
typedef int     (*mpo_kenv_check_dump_t)(struct ucred *cred);
typedef int     (*mpo_kenv_check_get_t)(struct ucred *cred, char *name);
typedef int     (*mpo_kenv_check_set_t)(struct ucred *cred, char *name,
                    char *value);
typedef int     (*mpo_kenv_check_unset_t)(struct ucred *cred, char *name);

/*
 * Kernel module loading.  check_load receives the vnode and label of the
 * module file being loaded, which makes it the policy's control point for
 * code entering the kernel; check_stat covers module enumeration only.
 */
typedef int     (*mpo_kld_check_load_t)(struct ucred *cred, struct vnode *vp,
                    struct label *vplabel);
typedef int     (*mpo_kld_check_stat_t)(struct ucred *cred);
  261 
/*
 * Packet (mbuf) label maintenance.  No checks live here; mbuf labels are
 * consumed by the ifnet/inpcb/socket deliver and transmit checks above and
 * below.
 */
typedef void    (*mpo_mbuf_copy_label_t)(struct label *src,
                    struct label *dest);
typedef void    (*mpo_mbuf_destroy_label_t)(struct label *label);
/* Returns int and takes flag: see the note on mpo_inpcb_init_label_t. */
typedef int     (*mpo_mbuf_init_label_t)(struct label *label, int flag);
  266 
/*
 * Mount point labels.  Only statfs-style inspection is checked here; mount
 * labels are otherwise consumed by the vnode_associate_* hooks below.
 */
typedef int     (*mpo_mount_check_stat_t)(struct ucred *cred,
                    struct mount *mp, struct label *mplabel);
/* cred is the credential performing the mount; used to derive mplabel. */
typedef void    (*mpo_mount_create_t)(struct ucred *cred, struct mount *mp,
                    struct label *mplabel);
typedef void    (*mpo_mount_destroy_label_t)(struct label *label);
typedef void    (*mpo_mount_init_label_t)(struct label *label);
  273 
/*
 * Label propagation for packets the network stack generates itself (ARP,
 * ICMP, IGMP, ND6, TCP resets, firewall replies, fragments).  All are void
 * and carry no credential: nothing is being authorized, the policy is only
 * told how to label a kernel-originated mbuf from its source (interface,
 * received packet or parent datagram).  A policy that wants such traffic
 * labelled consistently must implement these; otherwise the mbuf keeps
 * whatever mbuf_init_label gave it (presumably -- confirm).
 */
typedef void    (*mpo_netatalk_aarp_send_t)(struct ifnet *ifp,
                    struct label *ifplabel, struct mbuf *m,
                    struct label *mlabel);

typedef void    (*mpo_netinet_arp_send_t)(struct ifnet *ifp,
                    struct label *ifplabel, struct mbuf *m,
                    struct label *mlabel);
/* msend is a reply to mrecv; derive its label from the received packet. */
typedef void    (*mpo_netinet_firewall_reply_t)(struct mbuf *mrecv,
                    struct label *mrecvlabel, struct mbuf *msend,
                    struct label *msendlabel);
typedef void    (*mpo_netinet_firewall_send_t)(struct mbuf *m,
                    struct label *mlabel);
/* frag is split off from m; the fragment label should mirror the parent's. */
typedef void    (*mpo_netinet_fragment_t)(struct mbuf *m,
                    struct label *mlabel, struct mbuf *frag,
                    struct label *fraglabel);
typedef void    (*mpo_netinet_icmp_reply_t)(struct mbuf *mrecv,
                    struct label *mrecvlabel, struct mbuf *msend,
                    struct label *msendlabel);
/* The received mbuf is reused for the reply in place. */
typedef void    (*mpo_netinet_icmp_replyinplace_t)(struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_netinet_igmp_send_t)(struct ifnet *ifp,
                    struct label *ifplabel, struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_netinet_tcp_reply_t)(struct mbuf *m,
                    struct label *mlabel);

typedef void    (*mpo_netinet6_nd6_send_t)(struct ifnet *ifp,
                    struct label *ifplabel, struct mbuf *m,
                    struct label *mlabel);
  303 
/*
 * cmd/data are the ioctl request and its argument.  Whether data has been
 * copied into kernel memory before this hook runs is not visible here; a
 * policy that inspects it should confirm that in the pipe ioctl path rather
 * than dereference it blindly.
 */
typedef int     (*mpo_pipe_check_ioctl_t)(struct ucred *cred,
                    struct pipepair *pp, struct label *pplabel,
                    unsigned long cmd, void *data);
typedef int     (*mpo_pipe_check_poll_t)(struct ucred *cred,
                    struct pipepair *pp, struct label *pplabel);
typedef int     (*mpo_pipe_check_read_t)(struct ucred *cred,
                    struct pipepair *pp, struct label *pplabel);
/* Authorizes a relabel that pipe_relabel (below) then applies. */
typedef int     (*mpo_pipe_check_relabel_t)(struct ucred *cred,
                    struct pipepair *pp, struct label *pplabel,
                    struct label *newlabel);
typedef int     (*mpo_pipe_check_stat_t)(struct ucred *cred,
                    struct pipepair *pp, struct label *pplabel);
typedef int     (*mpo_pipe_check_write_t)(struct ucred *cred,
                    struct pipepair *pp, struct label *pplabel);
typedef void    (*mpo_pipe_copy_label_t)(struct label *src,
                    struct label *dest);
/* One label covers the whole pipe pair (both ends). */
typedef void    (*mpo_pipe_create_t)(struct ucred *cred, struct pipepair *pp,
                    struct label *pplabel);
typedef void    (*mpo_pipe_destroy_label_t)(struct label *label);
typedef int     (*mpo_pipe_externalize_label_t)(struct label *label,
                    char *element_name, struct sbuf *sb, int *claimed);
typedef void    (*mpo_pipe_init_label_t)(struct label *label);
/* element_data is externally supplied text; parse defensively. */
typedef int     (*mpo_pipe_internalize_label_t)(struct label *label,
                    char *element_name, char *element_data, int *claimed);
/*
 * Note the argument shape differs from mpo_cred_relabel_t: here the policy
 * gets the current label (oldlabel) as well as the new one.
 */
typedef void    (*mpo_pipe_relabel_t)(struct ucred *cred, struct pipepair *pp,
                    struct label *oldlabel, struct label *newlabel);
  330 
/*
 * POSIX semaphores.  The per-operation checks receive two credentials,
 * active_cred and file_cred, while open/unlink receive one.  The split
 * presumably follows the usual distinction between the credential acting
 * now and the one that opened the descriptor; which of the two a policy
 * should decide on is not stated here -- confirm against the callers.
 */
typedef int     (*mpo_posixsem_check_getvalue_t)(struct ucred *active_cred,
                    struct ucred *file_cred, struct ksem *ks,
                    struct label *kslabel);
typedef int     (*mpo_posixsem_check_open_t)(struct ucred *cred,
                    struct ksem *ks, struct label *kslabel);
typedef int     (*mpo_posixsem_check_post_t)(struct ucred *active_cred,
                    struct ucred *file_cred, struct ksem *ks,
                    struct label *kslabel);
typedef int     (*mpo_posixsem_check_stat_t)(struct ucred *active_cred,
                    struct ucred *file_cred, struct ksem *ks,
                    struct label *kslabel);
typedef int     (*mpo_posixsem_check_unlink_t)(struct ucred *cred,
                    struct ksem *ks, struct label *kslabel);
typedef int     (*mpo_posixsem_check_wait_t)(struct ucred *active_cred,
                    struct ucred *file_cred, struct ksem *ks,
                    struct label *kslabel);
/* cred is the creator; used to derive the semaphore's label. */
typedef void    (*mpo_posixsem_create_t)(struct ucred *cred,
                    struct ksem *ks, struct label *kslabel);
typedef void    (*mpo_posixsem_destroy_label_t)(struct label *label);
typedef void    (*mpo_posixsem_init_label_t)(struct label *label);
  351 
/*
 * POSIX shared memory.  check_mmap is the place to constrain how a segment
 * may be mapped: prot carries the requested protection and flags the mapping
 * flags (presumably PROT_*/MAP_* as passed to mmap -- confirm), so a policy
 * restricting writable or executable mappings examines them here.
 */
typedef int     (*mpo_posixshm_check_mmap_t)(struct ucred *cred,
                    struct shmfd *shmfd, struct label *shmlabel, int prot,
                    int flags);
typedef int     (*mpo_posixshm_check_open_t)(struct ucred *cred,
                    struct shmfd *shmfd, struct label *shmlabel);
/* Dual-credential checks: see the note on the posixsem group above. */
typedef int     (*mpo_posixshm_check_stat_t)(struct ucred *active_cred,
                    struct ucred *file_cred, struct shmfd *shmfd,
                    struct label *shmlabel);
typedef int     (*mpo_posixshm_check_truncate_t)(struct ucred *active_cred,
                    struct ucred *file_cred, struct shmfd *shmfd,
                    struct label *shmlabel);
typedef int     (*mpo_posixshm_check_unlink_t)(struct ucred *cred,
                    struct shmfd *shmfd, struct label *shmlabel);
typedef void    (*mpo_posixshm_create_t)(struct ucred *cred,
                    struct shmfd *shmfd, struct label *shmlabel);
typedef void    (*mpo_posixshm_destroy_label_t)(struct label *label);
typedef void    (*mpo_posixshm_init_label_t)(struct label *label);
  369 
/*
 * Privilege hooks.  The two signatures are identical, so nothing here tells
 * their roles apart; by name, priv_check can veto a privilege the kernel
 * would otherwise allow while priv_grant can grant one it would otherwise
 * deny.  Implementing priv_grant widens what a credential may do, so it must
 * return non-zero for everything not deliberately granted.  NOTE(review):
 * role description inferred from the names -- confirm in the framework's
 * privilege dispatch before implementing either.
 */
typedef int     (*mpo_priv_check_t)(struct ucred *cred, int priv);
typedef int     (*mpo_priv_grant_t)(struct ucred *cred, int priv);
  372 
/*
 * Inter-process checks: cred is the acting credential and p/proc the target
 * process.  check_debug presumably gates debugger attachment (ptrace-style
 * access, which implies full control of the target), check_sched scheduling
 * changes, check_signal delivery of signum and check_wait collecting exit
 * status -- confirm the exact callers.  Process labels have no copy or
 * externalize hooks here; only init and destroy.
 */
typedef int     (*mpo_proc_check_debug_t)(struct ucred *cred,
                    struct proc *p);
typedef int     (*mpo_proc_check_sched_t)(struct ucred *cred,
                    struct proc *p);
typedef int     (*mpo_proc_check_signal_t)(struct ucred *cred,
                    struct proc *proc, int signum);
typedef int     (*mpo_proc_check_wait_t)(struct ucred *cred,
                    struct proc *proc);
typedef void    (*mpo_proc_destroy_label_t)(struct label *label);
typedef void    (*mpo_proc_init_label_t)(struct label *label);
  383 
/*
 * Socket checks.  Most take the acting credential plus the socket and its
 * label; the exceptions are noted inline.
 */
typedef int     (*mpo_socket_check_accept_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
/* sa is the requested local (bind) or remote (connect) address. */
typedef int     (*mpo_socket_check_bind_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel,
                    struct sockaddr *sa);
typedef int     (*mpo_socket_check_connect_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel,
                    struct sockaddr *sa);
/*
 * No socket exists yet at creation time, so only the requested domain, type
 * and protocol are available for the decision.
 */
typedef int     (*mpo_socket_check_create_t)(struct ucred *cred, int domain,
                    int type, int protocol);
/*
 * Inbound delivery check with no credential: the decision is made from the
 * socket and packet labels alone.
 */
typedef int     (*mpo_socket_check_deliver_t)(struct socket *so,
                    struct label *solabel, struct mbuf *m,
                    struct label *mlabel);
typedef int     (*mpo_socket_check_listen_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
typedef int     (*mpo_socket_check_poll_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
typedef int     (*mpo_socket_check_receive_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
/* Authorizes a relabel that socket_relabel (below) then applies. */
typedef int     (*mpo_socket_check_relabel_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel,
                    struct label *newlabel);
typedef int     (*mpo_socket_check_send_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
typedef int     (*mpo_socket_check_stat_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
typedef int     (*mpo_socket_check_visible_t)(struct ucred *cred,
                    struct socket *so, struct label *solabel);
typedef void    (*mpo_socket_copy_label_t)(struct label *src,
                    struct label *dest);
/* cred is the creator; used to derive the socket's label. */
typedef void    (*mpo_socket_create_t)(struct ucred *cred, struct socket *so,
                    struct label *solabel);
/* Label propagation for an outbound packet originating on the socket. */
typedef void    (*mpo_socket_create_mbuf_t)(struct socket *so,
                    struct label *solabel, struct mbuf *m,
                    struct label *mlabel);
typedef void    (*mpo_socket_destroy_label_t)(struct label *label);
typedef int     (*mpo_socket_externalize_label_t)(struct label *label,
                    char *element_name, struct sbuf *sb, int *claimed);
/* Returns int and takes flag: see the note on mpo_inpcb_init_label_t. */
typedef int     (*mpo_socket_init_label_t)(struct label *label, int flag);
/* element_data is externally supplied text; parse defensively. */
typedef int     (*mpo_socket_internalize_label_t)(struct label *label,
                    char *element_name, char *element_data, int *claimed);
/*
 * newso is derived from oldso; presumably the accepted connection inheriting
 * from its listening socket -- confirm.
 */
typedef void    (*mpo_socket_newconn_t)(struct socket *oldso,
                    struct label *oldsolabel, struct socket *newso,
                    struct label *newsolabel);
/* Gets both old and new labels, unlike mpo_cred_relabel_t. */
typedef void    (*mpo_socket_relabel_t)(struct ucred *cred, struct socket *so,
                    struct label *oldlabel, struct label *newlabel);
  430 
/*
 * Peer label of a socket: set from the first packet received or from the
 * other end of a local connection, and exposed read-only (there is an
 * externalize hook but no internalize or relabel).  Because it is derived
 * from received data, a policy should treat it as describing the peer, not
 * as something the local process authenticated.
 */
typedef void    (*mpo_socketpeer_destroy_label_t)(struct label *label);
typedef int     (*mpo_socketpeer_externalize_label_t)(struct label *label,
                    char *element_name, struct sbuf *sb, int *claimed);
/* Returns int and takes flag: see the note on mpo_inpcb_init_label_t. */
typedef int     (*mpo_socketpeer_init_label_t)(struct label *label,
                    int flag);
typedef void    (*mpo_socketpeer_set_from_mbuf_t)(struct mbuf *m,
                    struct label *mlabel, struct socket *so,
                    struct label *sopeerlabel);
typedef void    (*mpo_socketpeer_set_from_socket_t)(struct socket *oldso,
                    struct label *oldsolabel, struct socket *newso,
                    struct label *newsopeerlabel);
  442 
/*
 * TCP syncache entry labels.  Note the argument order: unlike every other
 * create hook in this file, the label comes first and the source object
 * (inp) second, and create_mbuf receives only the syncache label rather
 * than an object/label pair.
 */
typedef void    (*mpo_syncache_create_t)(struct label *label,
                    struct inpcb *inp);
typedef void    (*mpo_syncache_create_mbuf_t)(struct label *sc_label,
                    struct mbuf *m, struct label *mlabel);
typedef void    (*mpo_syncache_destroy_label_t)(struct label *label);
/* Returns int and takes flag: see the note on mpo_inpcb_init_label_t. */
typedef int     (*mpo_syncache_init_label_t)(struct label *label, int flag);
  449 
/*
 * System-wide operations.  Where a vnode and label are passed (acct,
 * auditctl, swapon/swapoff) they describe the target file.
 */
typedef int     (*mpo_system_check_acct_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel);
/*
 * record/length describe an audit record submitted by the caller; it is
 * caller-controlled data, so every access must be bounded by length and
 * the contents must not be trusted to be well-formed.
 */
typedef int     (*mpo_system_check_audit_t)(struct ucred *cred, void *record,
                    int length);
typedef int     (*mpo_system_check_auditctl_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel);
typedef int     (*mpo_system_check_auditon_t)(struct ucred *cred, int cmd);
/* howto carries the reboot flags requested by the caller. */
typedef int     (*mpo_system_check_reboot_t)(struct ucred *cred, int howto);
typedef int     (*mpo_system_check_swapon_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel);
typedef int     (*mpo_system_check_swapoff_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel);
/*
 * One hook covers both sysctl reads and writes; nothing in the signature
 * separates them, so a policy must presumably inspect req (e.g. whether new
 * data is being supplied) to tell a write from a read -- confirm.
 */
typedef int     (*mpo_system_check_sysctl_t)(struct ucred *cred,
                    struct sysctl_oid *oidp, void *arg1, int arg2,
                    struct sysctl_req *req);
  465 
/*
 * System V message labels.  Each IPC object has both a cleanup hook (label
 * only) and a destroy_label hook; cleanup is presumably run when the object
 * is removed while its label storage persists, destroy_label when the storage
 * itself goes away -- confirm before relying on either to release state.
 */
typedef void    (*mpo_sysvmsg_cleanup_t)(struct label *msglabel);
/* A message's label is derived from the queue it is placed on. */
typedef void    (*mpo_sysvmsg_create_t)(struct ucred *cred,
                    struct msqid_kernel *msqkptr, struct label *msqlabel,
                    struct msg *msgptr, struct label *msglabel);
typedef void    (*mpo_sysvmsg_destroy_label_t)(struct label *label);
typedef void    (*mpo_sysvmsg_init_label_t)(struct label *label);

/* May a message with msglabel be placed on the queue with msqklabel? */
typedef int     (*mpo_sysvmsq_check_msgmsq_t)(struct ucred *cred,
                    struct msg *msgptr, struct label *msglabel,
                    struct msqid_kernel *msqkptr, struct label *msqklabel);
/* Per-message checks (receive, remove-by-id) take the message label only. */
typedef int     (*mpo_sysvmsq_check_msgrcv_t)(struct ucred *cred,
                    struct msg *msgptr, struct label *msglabel);
typedef int     (*mpo_sysvmsq_check_msgrmid_t)(struct ucred *cred,
                    struct msg *msgptr, struct label *msglabel);
typedef int     (*mpo_sysvmsq_check_msqget_t)(struct ucred *cred,
                    struct msqid_kernel *msqkptr, struct label *msqklabel);
/* cmd is the msgctl command; IPC_RMID/IPC_SET are the destructive ones. */
typedef int     (*mpo_sysvmsq_check_msqctl_t)(struct ucred *cred,
                    struct msqid_kernel *msqkptr, struct label *msqklabel,
                    int cmd);
typedef int     (*mpo_sysvmsq_check_msqrcv_t)(struct ucred *cred,
                    struct msqid_kernel *msqkptr, struct label *msqklabel);
typedef int     (*mpo_sysvmsq_check_msqsnd_t)(struct ucred *cred,
                    struct msqid_kernel *msqkptr, struct label *msqklabel);
typedef void    (*mpo_sysvmsq_cleanup_t)(struct label *msqlabel);
typedef void    (*mpo_sysvmsq_create_t)(struct ucred *cred,
                    struct msqid_kernel *msqkptr, struct label *msqlabel);
typedef void    (*mpo_sysvmsq_destroy_label_t)(struct label *label);
typedef void    (*mpo_sysvmsq_init_label_t)(struct label *label);
  494 
/*
 * System V semaphores.  cmd is the semctl command; accesstype on semop is
 * the kind of access requested (its encoding is not visible here).  The
 * cleanup/destroy_label pair follows the same pattern as the message queue
 * hooks above.
 */
typedef int     (*mpo_sysvsem_check_semctl_t)(struct ucred *cred,
                    struct semid_kernel *semakptr, struct label *semaklabel,
                    int cmd);
typedef int     (*mpo_sysvsem_check_semget_t)(struct ucred *cred,
                    struct semid_kernel *semakptr, struct label *semaklabel);
typedef int     (*mpo_sysvsem_check_semop_t)(struct ucred *cred,
                    struct semid_kernel *semakptr, struct label *semaklabel,
                    size_t accesstype);
typedef void    (*mpo_sysvsem_cleanup_t)(struct label *semalabel);
typedef void    (*mpo_sysvsem_create_t)(struct ucred *cred,
                    struct semid_kernel *semakptr, struct label *semalabel);
typedef void    (*mpo_sysvsem_destroy_label_t)(struct label *label);
typedef void    (*mpo_sysvsem_init_label_t)(struct label *label);

/*
 * System V shared memory.  shmflg on shmat carries the attach flags
 * (presumably including the read-only request), which is what a policy
 * restricting writable attachments needs to examine.
 */
typedef int     (*mpo_sysvshm_check_shmat_t)(struct ucred *cred,
                    struct shmid_kernel *shmsegptr,
                    struct label *shmseglabel, int shmflg);
typedef int     (*mpo_sysvshm_check_shmctl_t)(struct ucred *cred,
                    struct shmid_kernel *shmsegptr,
                    struct label *shmseglabel, int cmd);
typedef int     (*mpo_sysvshm_check_shmdt_t)(struct ucred *cred,
                    struct shmid_kernel *shmsegptr,
                    struct label *shmseglabel);
typedef int     (*mpo_sysvshm_check_shmget_t)(struct ucred *cred,
                    struct shmid_kernel *shmsegptr,
                    struct label *shmseglabel, int shmflg);
typedef void    (*mpo_sysvshm_cleanup_t)(struct label *shmlabel);
typedef void    (*mpo_sysvshm_create_t)(struct ucred *cred,
                    struct shmid_kernel *shmsegptr, struct label *shmlabel);
typedef void    (*mpo_sysvshm_destroy_label_t)(struct label *label);
typedef void    (*mpo_sysvshm_init_label_t)(struct label *label);
  526 
/*
 * Notification on a thread's return to user mode.  No credential or label
 * is passed and nothing can be denied from here; it gives a policy a point
 * to perform deferred per-thread work (presumably -- the exact call site is
 * not visible in this header).
 */
typedef void    (*mpo_thread_userret_t)(struct thread *thread);
  528 
/*
 * Vnode label association.  associate_extattr returns int, so a policy that
 * keeps its label in an extended attribute can report that it could not be
 * read; associate_singlelabel is void and derives the vnode label from the
 * mount label alone.  How the framework treats a non-zero return from
 * associate_extattr is not visible here -- confirm.
 */
typedef int     (*mpo_vnode_associate_extattr_t)(struct mount *mp,
                    struct label *mplabel, struct vnode *vp,
                    struct label *vplabel);
typedef void    (*mpo_vnode_associate_singlelabel_t)(struct mount *mp,
                    struct label *mplabel, struct vnode *vp,
                    struct label *vplabel);
/* accmode is the requested access mode (VREAD/VWRITE/... bits). */
typedef int     (*mpo_vnode_check_access_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    accmode_t accmode);
typedef int     (*mpo_vnode_check_chdir_t)(struct ucred *cred,
                    struct vnode *dvp, struct label *dvplabel);
typedef int     (*mpo_vnode_check_chroot_t)(struct ucred *cred,
                    struct vnode *dvp, struct label *dvplabel);
/*
 * The object does not exist yet: dvp is the parent directory, cnp the
 * requested name and vap the attributes requested for the new object.
 */
typedef int     (*mpo_vnode_check_create_t)(struct ucred *cred,
                    struct vnode *dvp, struct label *dvplabel,
                    struct componentname *cnp, struct vattr *vap);
typedef int     (*mpo_vnode_check_deleteacl_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    acl_type_t type);
/*
 * Extended-attribute checks.  A policy that stores its own label in an
 * extended attribute (see associate_extattr) should presumably deny direct
 * access to that namespace/name here; otherwise the label could be altered
 * through the extattr interface without passing its relabel check.
 */
typedef int     (*mpo_vnode_check_deleteextattr_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    int attrnamespace, const char *name);
/*
 * imgp describes the image about to be executed and execlabel the label
 * requested for it; whether execlabel may be NULL when no label was
 * requested is not visible here -- confirm before dereferencing it.
 */
typedef int     (*mpo_vnode_check_exec_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    struct image_params *imgp, struct label *execlabel);
typedef int     (*mpo_vnode_check_getacl_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    acl_type_t type);
typedef int     (*mpo_vnode_check_getextattr_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    int attrnamespace, const char *name);
/* dvp is the directory receiving the new name, vp the existing target. */
typedef int     (*mpo_vnode_check_link_t)(struct ucred *cred,
                    struct vnode *dvp, struct label *dvplabel,
                    struct vnode *vp, struct label *vplabel,
                    struct componentname *cnp);
typedef int     (*mpo_vnode_check_listextattr_t)(struct ucred *cred,
                    struct vnode *vp, struct label *vplabel,
                    int attrnamespace);
  555                     struct vnode *vp, struct label *vplabel,
  556                     acl_type_t type);
  557 typedef int     (*mpo_vnode_check_getextattr_t)(struct ucred *cred,
  558                     struct vnode *vp, struct label *vplabel,
  559                     int attrnamespace, const char *name);
  560 typedef int     (*mpo_vnode_check_link_t)(struct ucred *cred,
  561                     struct vnode *dvp, struct label *dvplabel,
  562                     struct vnode *vp, struct label *vplabel,
  563                     struct componentname *cnp);
  564 typedef int     (*mpo_vnode_check_listextattr_t)(struct ucred *cred,
  565                     struct vnode *vp, struct label *vplabel,
  566                     int attrnamespace);
  567 typedef int     (*mpo_vnode_check_lookup_t)(struct ucred *cred,
  568                     struct vnode *dvp, struct label *dvplabel,
  569                     struct componentname *cnp);
  570 typedef int     (*mpo_vnode_check_mmap_t)(struct ucred *cred,
  571                     struct vnode *vp, struct label *label, int prot,
  572                     int flags);
  573 typedef void    (*mpo_vnode_check_mmap_downgrade_t)(struct ucred *cred,
  574                     struct vnode *vp, struct label *vplabel, int *prot);
  575 typedef int     (*mpo_vnode_check_mprotect_t)(struct ucred *cred,
  576                     struct vnode *vp, struct label *vplabel, int prot);
  577 typedef int     (*mpo_vnode_check_open_t)(struct ucred *cred,
  578                     struct vnode *vp, struct label *vplabel,
  579                     accmode_t accmode);
  580 typedef int     (*mpo_vnode_check_poll_t)(struct ucred *active_cred,
  581                     struct ucred *file_cred, struct vnode *vp,
  582                     struct label *vplabel);
  583 typedef int     (*mpo_vnode_check_read_t)(struct ucred *active_cred,
  584                     struct ucred *file_cred, struct vnode *vp,
  585                     struct label *vplabel);
  586 typedef int     (*mpo_vnode_check_readdir_t)(struct ucred *cred,
  587                     struct vnode *dvp, struct label *dvplabel);
  588 typedef int     (*mpo_vnode_check_readlink_t)(struct ucred *cred,
  589                     struct vnode *vp, struct label *vplabel);
  590 typedef int     (*mpo_vnode_check_relabel_t)(struct ucred *cred,
  591                     struct vnode *vp, struct label *vplabel,
  592                     struct label *newlabel);
  593 typedef int     (*mpo_vnode_check_rename_from_t)(struct ucred *cred,
  594                     struct vnode *dvp, struct label *dvplabel,
  595                     struct vnode *vp, struct label *vplabel,
  596                     struct componentname *cnp);
  597 typedef int     (*mpo_vnode_check_rename_to_t)(struct ucred *cred,
  598                     struct vnode *dvp, struct label *dvplabel,
  599                     struct vnode *vp, struct label *vplabel, int samedir,
  600                     struct componentname *cnp);
  601 typedef int     (*mpo_vnode_check_revoke_t)(struct ucred *cred,
  602                     struct vnode *vp, struct label *vplabel);
  603 typedef int     (*mpo_vnode_check_setacl_t)(struct ucred *cred,
  604                     struct vnode *vp, struct label *vplabel, acl_type_t type,
  605                     struct acl *acl);
  606 typedef int     (*mpo_vnode_check_setextattr_t)(struct ucred *cred,
  607                     struct vnode *vp, struct label *vplabel,
  608                     int attrnamespace, const char *name);
  609 typedef int     (*mpo_vnode_check_setflags_t)(struct ucred *cred,
  610                     struct vnode *vp, struct label *vplabel, u_long flags);
  611 typedef int     (*mpo_vnode_check_setmode_t)(struct ucred *cred,
  612                     struct vnode *vp, struct label *vplabel, mode_t mode);
  613 typedef int     (*mpo_vnode_check_setowner_t)(struct ucred *cred,
  614                     struct vnode *vp, struct label *vplabel, uid_t uid,
  615                     gid_t gid);
  616 typedef int     (*mpo_vnode_check_setutimes_t)(struct ucred *cred,
  617                     struct vnode *vp, struct label *vplabel,
  618                     struct timespec atime, struct timespec mtime);
  619 typedef int     (*mpo_vnode_check_stat_t)(struct ucred *active_cred,
  620                     struct ucred *file_cred, struct vnode *vp,
  621                     struct label *vplabel);
  622 typedef int     (*mpo_vnode_check_unlink_t)(struct ucred *cred,
  623                     struct vnode *dvp, struct label *dvplabel,
  624                     struct vnode *vp, struct label *vplabel,
  625                     struct componentname *cnp);
  626 typedef int     (*mpo_vnode_check_write_t)(struct ucred *active_cred,
  627                     struct ucred *file_cred, struct vnode *vp,
  628                     struct label *vplabel);
  629 typedef void    (*mpo_vnode_copy_label_t)(struct label *src,
  630                     struct label *dest);
  631 typedef int     (*mpo_vnode_create_extattr_t)(struct ucred *cred,
  632                     struct mount *mp, struct label *mplabel,
  633                     struct vnode *dvp, struct label *dvplabel,
  634                     struct vnode *vp, struct label *vplabel,
  635                     struct componentname *cnp);
  636 typedef void    (*mpo_vnode_destroy_label_t)(struct label *label);
  637 typedef void    (*mpo_vnode_execve_transition_t)(struct ucred *old,
  638                     struct ucred *new, struct vnode *vp,
  639                     struct label *vplabel, struct label *interpvplabel,
  640                     struct image_params *imgp, struct label *execlabel);
  641 typedef int     (*mpo_vnode_execve_will_transition_t)(struct ucred *old,
  642                     struct vnode *vp, struct label *vplabel,
  643                     struct label *interpvplabel, struct image_params *imgp,
  644                     struct label *execlabel);
  645 typedef int     (*mpo_vnode_externalize_label_t)(struct label *label,
  646                     char *element_name, struct sbuf *sb, int *claimed);
  647 typedef void    (*mpo_vnode_init_label_t)(struct label *label);
  648 typedef int     (*mpo_vnode_internalize_label_t)(struct label *label,
  649                     char *element_name, char *element_data, int *claimed);
  650 typedef void    (*mpo_vnode_relabel_t)(struct ucred *cred, struct vnode *vp,
  651                     struct label *vplabel, struct label *label);
  652 typedef int     (*mpo_vnode_setlabel_extattr_t)(struct ucred *cred,
  653                     struct vnode *vp, struct label *vplabel,
  654                     struct label *intlabel);
  655 
/*
 * struct mac_policy_ops is the table of entry points a policy module hands
 * to the MAC Framework through the mpc_ops member of struct mac_policy_conf
 * (below).  Members are grouped by the kernel object they act on and, with
 * the exceptions noted inline, listed alphabetically within a group.  By
 * naming convention:
 *
 *   *_check_*        access-control decisions; these typedefs return int
 *                    (errno-style denial per Framework convention -- confirm
 *                    in the dispatch code, this header fixes only types).
 *   *_create*, *_relabel*, *_associate*, *_update, *_set_from_*
 *                    label assignment and propagation; mostly void, a few
 *                    that may fail (the *_extattr variants) return int.
 *   *_init_label, *_destroy_label, *_copy_label, *_cleanup,
 *   *_externalize_label, *_internalize_label
 *                    label storage management: allocate, free, copy,
 *                    recycle for re-use, and convert to/from text.
 *
 * A policy fills in only the operations it cares about; a member left NULL
 * is presumably skipped by the Framework (confirm in mac_framework).
 *
 * Layout is ABI.  Policy modules are compiled against this struct, so
 * adding, removing or reordering a member silently shifts the offset of
 * every function pointer behind it for any out-of-tree module.  Such a
 * change must be accompanied by a MAC_VERSION bump (below); MAC_POLICY_SET()
 * pins the module to an exact MAC_VERSION match so that a stale module is
 * refused rather than loaded with misaligned pointers.
 */
struct mac_policy_ops {
        /*
         * Policy module operations: mpo_init presumably runs when the
         * policy is registered and mpo_destroy when it is unregistered,
         * which can only happen if the policy permitted unloading (see
         * MPC_LOADTIME_FLAG_UNLOADOK).
         */
        mpo_destroy_t                           mpo_destroy;
        mpo_init_t                              mpo_init;

        /*
         * General policy-directed security system call so that policies may
         * implement new services without reserving explicit system call
         * numbers.  This is a user-reachable entry point: whatever argument
         * block the typedef (earlier in this file) delivers originates in
         * userland and must be validated and copied in by the policy itself.
         */
        mpo_syscall_t                           mpo_syscall;

        /*
         * Per-object entry points follow.  The label-management members in
         * each group follow the scheme described above: initialize label
         * storage, destroy label storage, recycle for re-use without
         * init/destroy (cleanup), copy a label to initialized storage, and
         * externalize/internalize from/to initialized storage.
         */
        /* BPF descriptors: delivery check plus label creation. */
        mpo_bpfdesc_check_receive_t             mpo_bpfdesc_check_receive;
        mpo_bpfdesc_create_t                    mpo_bpfdesc_create;
        mpo_bpfdesc_create_mbuf_t               mpo_bpfdesc_create_mbuf;
        mpo_bpfdesc_destroy_label_t             mpo_bpfdesc_destroy_label;
        mpo_bpfdesc_init_label_t                mpo_bpfdesc_init_label;

        /*
         * Credentials (subjects).  By their names the cred_check_set*id,
         * setgroups and setaudit* members gate identity and audit-state
         * changes a process makes to itself, and cred_check_visible gates
         * whether one subject may learn of another at all.  The swapper and
         * init credentials get dedicated create hooks since they are not
         * derived from any other subject.
         */
        mpo_cred_associate_nfsd_t               mpo_cred_associate_nfsd;
        mpo_cred_check_relabel_t                mpo_cred_check_relabel;
        mpo_cred_check_setaudit_t               mpo_cred_check_setaudit;
        mpo_cred_check_setaudit_addr_t          mpo_cred_check_setaudit_addr;
        mpo_cred_check_setauid_t                mpo_cred_check_setauid;
        mpo_cred_check_setuid_t                 mpo_cred_check_setuid;
        mpo_cred_check_seteuid_t                mpo_cred_check_seteuid;
        mpo_cred_check_setgid_t                 mpo_cred_check_setgid;
        mpo_cred_check_setegid_t                mpo_cred_check_setegid;
        mpo_cred_check_setgroups_t              mpo_cred_check_setgroups;
        mpo_cred_check_setreuid_t               mpo_cred_check_setreuid;
        mpo_cred_check_setregid_t               mpo_cred_check_setregid;
        mpo_cred_check_setresuid_t              mpo_cred_check_setresuid;
        mpo_cred_check_setresgid_t              mpo_cred_check_setresgid;
        mpo_cred_check_visible_t                mpo_cred_check_visible;
        mpo_cred_copy_label_t                   mpo_cred_copy_label;
        mpo_cred_create_swapper_t               mpo_cred_create_swapper;
        mpo_cred_create_init_t                  mpo_cred_create_init;
        mpo_cred_destroy_label_t                mpo_cred_destroy_label;
        mpo_cred_externalize_label_t            mpo_cred_externalize_label;
        mpo_cred_init_label_t                   mpo_cred_init_label;
        mpo_cred_internalize_label_t            mpo_cred_internalize_label;
        mpo_cred_relabel_t                      mpo_cred_relabel;

        /* devfs nodes: labels for devices, directories and symlinks. */
        mpo_devfs_create_device_t               mpo_devfs_create_device;
        mpo_devfs_create_directory_t            mpo_devfs_create_directory;
        mpo_devfs_create_symlink_t              mpo_devfs_create_symlink;
        mpo_devfs_destroy_label_t               mpo_devfs_destroy_label;
        mpo_devfs_init_label_t                  mpo_devfs_init_label;
        mpo_devfs_update_t                      mpo_devfs_update;
        mpo_devfs_vnode_associate_t             mpo_devfs_vnode_associate;

        /* Network interfaces. */
        mpo_ifnet_check_relabel_t               mpo_ifnet_check_relabel;
        mpo_ifnet_check_transmit_t              mpo_ifnet_check_transmit;
        mpo_ifnet_copy_label_t                  mpo_ifnet_copy_label;
        mpo_ifnet_create_t                      mpo_ifnet_create;
        mpo_ifnet_create_mbuf_t                 mpo_ifnet_create_mbuf;
        mpo_ifnet_destroy_label_t               mpo_ifnet_destroy_label;
        mpo_ifnet_externalize_label_t           mpo_ifnet_externalize_label;
        mpo_ifnet_init_label_t                  mpo_ifnet_init_label;
        mpo_ifnet_internalize_label_t           mpo_ifnet_internalize_label;
        mpo_ifnet_relabel_t                     mpo_ifnet_relabel;

        /* Internet protocol control blocks. */
        mpo_inpcb_check_deliver_t               mpo_inpcb_check_deliver;
        mpo_inpcb_check_visible_t               mpo_inpcb_check_visible;
        mpo_inpcb_create_t                      mpo_inpcb_create;
        mpo_inpcb_create_mbuf_t                 mpo_inpcb_create_mbuf;
        mpo_inpcb_destroy_label_t               mpo_inpcb_destroy_label;
        mpo_inpcb_init_label_t                  mpo_inpcb_init_label;
        mpo_inpcb_sosetlabel_t                  mpo_inpcb_sosetlabel;

        /*
         * IPv6 and IPv4 fragment reassembly queues.  match decides whether
         * a fragment belongs to a queue; reassemble/update propagate labels
         * between fragments and the reassembled packet.
         *
         * NOTE(review): mpo_ip6q_reassemble and mpo_ipq_reassemble are the
         * only member types in this struct without the _t suffix.  They
         * have to match the typedefs earlier in this file (not shown here),
         * so bringing them in line is a two-place rename.
         */
        mpo_ip6q_create_t                       mpo_ip6q_create;
        mpo_ip6q_destroy_label_t                mpo_ip6q_destroy_label;
        mpo_ip6q_init_label_t                   mpo_ip6q_init_label;
        mpo_ip6q_match_t                        mpo_ip6q_match;
        mpo_ip6q_reassemble                     mpo_ip6q_reassemble;
        mpo_ip6q_update_t                       mpo_ip6q_update;

        mpo_ipq_create_t                        mpo_ipq_create;
        mpo_ipq_destroy_label_t                 mpo_ipq_destroy_label;
        mpo_ipq_init_label_t                    mpo_ipq_init_label;
        mpo_ipq_match_t                         mpo_ipq_match;
        mpo_ipq_reassemble                      mpo_ipq_reassemble;    /* see NOTE above */
        mpo_ipq_update_t                        mpo_ipq_update;

        /*
         * Kernel environment (kenv) access.  Setting kernel environment
         * variables can influence drivers and the next boot, so a policy
         * enforcing system integrity usually wants an opinion on set/unset.
         */
        mpo_kenv_check_dump_t                   mpo_kenv_check_dump;
        mpo_kenv_check_get_t                    mpo_kenv_check_get;
        mpo_kenv_check_set_t                    mpo_kenv_check_set;
        mpo_kenv_check_unset_t                  mpo_kenv_check_unset;

        /*
         * Kernel module loading.  A loaded module runs with full kernel
         * privilege and can bypass or unregister any policy, so a policy
         * that intends to stay mandatory should consider denying here.
         */
        mpo_kld_check_load_t                    mpo_kld_check_load;
        mpo_kld_check_stat_t                    mpo_kld_check_stat;

        /* mbuf label storage (labels are propagated via the *_create_mbuf hooks). */
        mpo_mbuf_copy_label_t                   mpo_mbuf_copy_label;
        mpo_mbuf_destroy_label_t                mpo_mbuf_destroy_label;
        mpo_mbuf_init_label_t                   mpo_mbuf_init_label;

        /* Mount points. */
        mpo_mount_check_stat_t                  mpo_mount_check_stat;
        mpo_mount_create_t                      mpo_mount_create;
        mpo_mount_destroy_label_t               mpo_mount_destroy_label;
        mpo_mount_init_label_t                  mpo_mount_init_label;

        /*
         * Kernel-originated packets: these label mbufs the stack itself
         * generates (ARP/AARP, firewall and ICMP/TCP replies, fragments,
         * IGMP, ND6) rather than checking anything.
         */
        mpo_netatalk_aarp_send_t                mpo_netatalk_aarp_send;

        mpo_netinet_arp_send_t                  mpo_netinet_arp_send;
        mpo_netinet_firewall_reply_t            mpo_netinet_firewall_reply;
        mpo_netinet_firewall_send_t             mpo_netinet_firewall_send;
        mpo_netinet_fragment_t                  mpo_netinet_fragment;
        mpo_netinet_icmp_reply_t                mpo_netinet_icmp_reply;
        mpo_netinet_icmp_replyinplace_t         mpo_netinet_icmp_replyinplace;
        mpo_netinet_igmp_send_t                 mpo_netinet_igmp_send;
        mpo_netinet_tcp_reply_t                 mpo_netinet_tcp_reply;

        mpo_netinet6_nd6_send_t                 mpo_netinet6_nd6_send;

        /* Pipes. */
        mpo_pipe_check_ioctl_t                  mpo_pipe_check_ioctl;
        mpo_pipe_check_poll_t                   mpo_pipe_check_poll;
        mpo_pipe_check_read_t                   mpo_pipe_check_read;
        mpo_pipe_check_relabel_t                mpo_pipe_check_relabel;
        mpo_pipe_check_stat_t                   mpo_pipe_check_stat;
        mpo_pipe_check_write_t                  mpo_pipe_check_write;
        mpo_pipe_copy_label_t                   mpo_pipe_copy_label;
        mpo_pipe_create_t                       mpo_pipe_create;
        mpo_pipe_destroy_label_t                mpo_pipe_destroy_label;
        mpo_pipe_externalize_label_t            mpo_pipe_externalize_label;
        mpo_pipe_init_label_t                   mpo_pipe_init_label;
        mpo_pipe_internalize_label_t            mpo_pipe_internalize_label;
        mpo_pipe_relabel_t                      mpo_pipe_relabel;

        /* POSIX named semaphores. */
        mpo_posixsem_check_getvalue_t           mpo_posixsem_check_getvalue;
        mpo_posixsem_check_open_t               mpo_posixsem_check_open;
        mpo_posixsem_check_post_t               mpo_posixsem_check_post;
        mpo_posixsem_check_stat_t               mpo_posixsem_check_stat;
        mpo_posixsem_check_unlink_t             mpo_posixsem_check_unlink;
        mpo_posixsem_check_wait_t               mpo_posixsem_check_wait;
        mpo_posixsem_create_t                   mpo_posixsem_create;
        mpo_posixsem_destroy_label_t            mpo_posixsem_destroy_label;
        mpo_posixsem_init_label_t               mpo_posixsem_init_label;

        /* POSIX shared memory objects. */
        mpo_posixshm_check_mmap_t               mpo_posixshm_check_mmap;
        mpo_posixshm_check_open_t               mpo_posixshm_check_open;
        mpo_posixshm_check_stat_t               mpo_posixshm_check_stat;
        mpo_posixshm_check_truncate_t           mpo_posixshm_check_truncate;
        mpo_posixshm_check_unlink_t             mpo_posixshm_check_unlink;
        mpo_posixshm_create_t                   mpo_posixshm_create;
        mpo_posixshm_destroy_label_t            mpo_posixshm_destroy_label;
        mpo_posixshm_init_label_t               mpo_posixshm_init_label;

        /*
         * priv(9) privilege decisions.  By name, priv_check lets a policy
         * deny a privilege and priv_grant lets it grant one the base system
         * would refuse.  The latter widens privilege rather than narrowing
         * it and deserves particular scrutiny in any policy implementing
         * it; confirm how the two compose in the priv(9) implementation.
         */
        mpo_priv_check_t                        mpo_priv_check;
        mpo_priv_grant_t                        mpo_priv_grant;

        /* Processes: debugging (ptrace-style attach), scheduling, signals, wait. */
        mpo_proc_check_debug_t                  mpo_proc_check_debug;
        mpo_proc_check_sched_t                  mpo_proc_check_sched;
        mpo_proc_check_signal_t                 mpo_proc_check_signal;
        mpo_proc_check_wait_t                   mpo_proc_check_wait;
        mpo_proc_destroy_label_t                mpo_proc_destroy_label;
        mpo_proc_init_label_t                   mpo_proc_init_label;

        /* Sockets. */
        mpo_socket_check_accept_t               mpo_socket_check_accept;
        mpo_socket_check_bind_t                 mpo_socket_check_bind;
        mpo_socket_check_connect_t              mpo_socket_check_connect;
        mpo_socket_check_create_t               mpo_socket_check_create;
        mpo_socket_check_deliver_t              mpo_socket_check_deliver;
        mpo_socket_check_listen_t               mpo_socket_check_listen;
        mpo_socket_check_poll_t                 mpo_socket_check_poll;
        mpo_socket_check_receive_t              mpo_socket_check_receive;
        mpo_socket_check_relabel_t              mpo_socket_check_relabel;
        mpo_socket_check_send_t                 mpo_socket_check_send;
        mpo_socket_check_stat_t                 mpo_socket_check_stat;
        mpo_socket_check_visible_t              mpo_socket_check_visible;
        mpo_socket_copy_label_t                 mpo_socket_copy_label;
        mpo_socket_create_t                     mpo_socket_create;
        mpo_socket_create_mbuf_t                mpo_socket_create_mbuf;
        mpo_socket_destroy_label_t              mpo_socket_destroy_label;
        mpo_socket_externalize_label_t          mpo_socket_externalize_label;
        mpo_socket_init_label_t                 mpo_socket_init_label;
        mpo_socket_internalize_label_t          mpo_socket_internalize_label;
        mpo_socket_newconn_t                    mpo_socket_newconn;
        mpo_socket_relabel_t                    mpo_socket_relabel;

        /* Peer labels on sockets, derived from the peer's mbuf or socket. */
        mpo_socketpeer_destroy_label_t          mpo_socketpeer_destroy_label;
        mpo_socketpeer_externalize_label_t      mpo_socketpeer_externalize_label;
        mpo_socketpeer_init_label_t             mpo_socketpeer_init_label;
        mpo_socketpeer_set_from_mbuf_t          mpo_socketpeer_set_from_mbuf;
        mpo_socketpeer_set_from_socket_t        mpo_socketpeer_set_from_socket;

        /*
         * TCP syncache entries.  NOTE(review): not in the alphabetical
         * order the other groups use; since layout is ABI this must not be
         * reordered without a MAC_VERSION bump.
         */
        mpo_syncache_init_label_t               mpo_syncache_init_label;
        mpo_syncache_destroy_label_t            mpo_syncache_destroy_label;
        mpo_syncache_create_t                   mpo_syncache_create;
        mpo_syncache_create_mbuf_t              mpo_syncache_create_mbuf;

        /*
         * System-wide operations: accounting, audit control, reboot, swap
         * configuration and sysctl.  Each of these can disable or subvert
         * security machinery (audit trail, swap on an untrusted device,
         * writable sysctls), so policies typically restrict them.
         */
        mpo_system_check_acct_t                 mpo_system_check_acct;
        mpo_system_check_audit_t                mpo_system_check_audit;
        mpo_system_check_auditctl_t             mpo_system_check_auditctl;
        mpo_system_check_auditon_t              mpo_system_check_auditon;
        mpo_system_check_reboot_t               mpo_system_check_reboot;
        mpo_system_check_swapon_t               mpo_system_check_swapon;
        mpo_system_check_swapoff_t              mpo_system_check_swapoff;
        mpo_system_check_sysctl_t               mpo_system_check_sysctl;

        /* System V IPC: messages, message queues, semaphores, shared memory. */
        mpo_sysvmsg_cleanup_t                   mpo_sysvmsg_cleanup;
        mpo_sysvmsg_create_t                    mpo_sysvmsg_create;
        mpo_sysvmsg_destroy_label_t             mpo_sysvmsg_destroy_label;
        mpo_sysvmsg_init_label_t                mpo_sysvmsg_init_label;

        mpo_sysvmsq_check_msgmsq_t              mpo_sysvmsq_check_msgmsq;
        mpo_sysvmsq_check_msgrcv_t              mpo_sysvmsq_check_msgrcv;
        mpo_sysvmsq_check_msgrmid_t             mpo_sysvmsq_check_msgrmid;
        mpo_sysvmsq_check_msqctl_t              mpo_sysvmsq_check_msqctl;
        mpo_sysvmsq_check_msqget_t              mpo_sysvmsq_check_msqget;
        mpo_sysvmsq_check_msqrcv_t              mpo_sysvmsq_check_msqrcv;
        mpo_sysvmsq_check_msqsnd_t              mpo_sysvmsq_check_msqsnd;
        mpo_sysvmsq_cleanup_t                   mpo_sysvmsq_cleanup;
        mpo_sysvmsq_create_t                    mpo_sysvmsq_create;
        mpo_sysvmsq_destroy_label_t             mpo_sysvmsq_destroy_label;
        mpo_sysvmsq_init_label_t                mpo_sysvmsq_init_label;

        mpo_sysvsem_check_semctl_t              mpo_sysvsem_check_semctl;
        mpo_sysvsem_check_semget_t              mpo_sysvsem_check_semget;
        mpo_sysvsem_check_semop_t               mpo_sysvsem_check_semop;
        mpo_sysvsem_cleanup_t                   mpo_sysvsem_cleanup;
        mpo_sysvsem_create_t                    mpo_sysvsem_create;
        mpo_sysvsem_destroy_label_t             mpo_sysvsem_destroy_label;
        mpo_sysvsem_init_label_t                mpo_sysvsem_init_label;

        mpo_sysvshm_check_shmat_t               mpo_sysvshm_check_shmat;
        mpo_sysvshm_check_shmctl_t              mpo_sysvshm_check_shmctl;
        mpo_sysvshm_check_shmdt_t               mpo_sysvshm_check_shmdt;
        mpo_sysvshm_check_shmget_t              mpo_sysvshm_check_shmget;
        mpo_sysvshm_cleanup_t                   mpo_sysvshm_cleanup;
        mpo_sysvshm_create_t                    mpo_sysvshm_create;
        mpo_sysvshm_destroy_label_t             mpo_sysvshm_destroy_label;
        mpo_sysvshm_init_label_t                mpo_sysvshm_init_label;

        /* Thread hook (see mpo_thread_userret_t). */
        mpo_thread_userret_t                    mpo_thread_userret;

        /*
         * Vnodes.  The vnode_check_* members return int and are the access
         * decisions; vnode_relabel returns void, so vnode_check_relabel is
         * the sole point at which a label change on a file can be refused.
         * vnode_check_mmap_downgrade is the one "check" that returns void
         * and instead narrows the requested protection through its int *
         * argument.  NOTE(review): the members from vnode_associate_extattr
         * to vnode_copy_label are out of alphabetical order; as above, do
         * not reorder without a MAC_VERSION bump.
         */
        mpo_vnode_check_access_t                mpo_vnode_check_access;
        mpo_vnode_check_chdir_t                 mpo_vnode_check_chdir;
        mpo_vnode_check_chroot_t                mpo_vnode_check_chroot;
        mpo_vnode_check_create_t                mpo_vnode_check_create;
        mpo_vnode_check_deleteacl_t             mpo_vnode_check_deleteacl;
        mpo_vnode_check_deleteextattr_t         mpo_vnode_check_deleteextattr;
        mpo_vnode_check_exec_t                  mpo_vnode_check_exec;
        mpo_vnode_check_getacl_t                mpo_vnode_check_getacl;
        mpo_vnode_check_getextattr_t            mpo_vnode_check_getextattr;
        mpo_vnode_check_link_t                  mpo_vnode_check_link;
        mpo_vnode_check_listextattr_t           mpo_vnode_check_listextattr;
        mpo_vnode_check_lookup_t                mpo_vnode_check_lookup;
        mpo_vnode_check_mmap_t                  mpo_vnode_check_mmap;
        mpo_vnode_check_mmap_downgrade_t        mpo_vnode_check_mmap_downgrade;
        mpo_vnode_check_mprotect_t              mpo_vnode_check_mprotect;
        mpo_vnode_check_open_t                  mpo_vnode_check_open;
        mpo_vnode_check_poll_t                  mpo_vnode_check_poll;
        mpo_vnode_check_read_t                  mpo_vnode_check_read;
        mpo_vnode_check_readdir_t               mpo_vnode_check_readdir;
        mpo_vnode_check_readlink_t              mpo_vnode_check_readlink;
        mpo_vnode_check_relabel_t               mpo_vnode_check_relabel;
        mpo_vnode_check_rename_from_t           mpo_vnode_check_rename_from;
        mpo_vnode_check_rename_to_t             mpo_vnode_check_rename_to;
        mpo_vnode_check_revoke_t                mpo_vnode_check_revoke;
        mpo_vnode_check_setacl_t                mpo_vnode_check_setacl;
        mpo_vnode_check_setextattr_t            mpo_vnode_check_setextattr;
        mpo_vnode_check_setflags_t              mpo_vnode_check_setflags;
        mpo_vnode_check_setmode_t               mpo_vnode_check_setmode;
        mpo_vnode_check_setowner_t              mpo_vnode_check_setowner;
        mpo_vnode_check_setutimes_t             mpo_vnode_check_setutimes;
        mpo_vnode_check_stat_t                  mpo_vnode_check_stat;
        mpo_vnode_check_unlink_t                mpo_vnode_check_unlink;
        mpo_vnode_check_write_t                 mpo_vnode_check_write;
        mpo_vnode_associate_extattr_t           mpo_vnode_associate_extattr;
        mpo_vnode_associate_singlelabel_t       mpo_vnode_associate_singlelabel;
        mpo_vnode_destroy_label_t               mpo_vnode_destroy_label;
        mpo_vnode_copy_label_t                  mpo_vnode_copy_label;
        mpo_vnode_create_extattr_t              mpo_vnode_create_extattr;
        mpo_vnode_execve_transition_t           mpo_vnode_execve_transition;
        mpo_vnode_execve_will_transition_t      mpo_vnode_execve_will_transition;
        mpo_vnode_externalize_label_t           mpo_vnode_externalize_label;
        mpo_vnode_init_label_t                  mpo_vnode_init_label;
        mpo_vnode_internalize_label_t           mpo_vnode_internalize_label;
        mpo_vnode_relabel_t                     mpo_vnode_relabel;
        mpo_vnode_setlabel_extattr_t            mpo_vnode_setlabel_extattr;
};
  944 
/*
 * struct mac_policy_conf is the registration structure for policies, and is
 * provided to the MAC Framework using MAC_POLICY_SET() to invoke a SYSINIT
 * to register the policy.  In general, the fields are immutable, with the
 * exception of the "security field", run-time flags, and policy list entry,
 * which are managed by the MAC Framework.  Be careful when modifying this
 * structure, as its layout is statically compiled into all policies: the
 * spare fields exist so that new members can be introduced without moving
 * the existing ones, and any change that does move them requires a
 * MAC_VERSION bump (below).
 */
struct mac_policy_conf {
        /*
         * Names.  MAC_POLICY_SET() initializes mpc_name from a string
         * literal (the stringified module name); treat both as read-only
         * even though the members are not const-qualified.
         */
        char                            *mpc_name;      /* policy name */
        char                            *mpc_fullname;  /* policy full name */
        /*
         * Entry-point table, stored by pointer rather than copied: the
         * struct mac_policy_ops it refers to must outlive the module (a
         * file-scope static is the usual form).
         */
        struct mac_policy_ops           *mpc_ops;       /* policy operations */
        /* MPC_LOADTIME_FLAG_* bits, set by the policy at registration. */
        int                              mpc_loadtime_flags;    /* flags */
        /*
         * "Security field": an int supplied by the policy (the
         * privdata_wanted argument of MAC_POLICY_SET()).  Presumably the
         * Framework writes the policy's label slot number through it at
         * registration, for use with mac_label_get()/mac_label_set()
         * (confirm in mac_framework); NULL when no per-object data is
         * wanted -- also to be confirmed.
         */
        int                             *mpc_field_off; /* security field */
        /* MPC_RUNTIME_FLAG_* bits; written by the Framework, not the policy. */
        int                              mpc_runtime_flags; /* flags */
        int                              _mpc_spare1;   /* Spare. */
        uint64_t                         _mpc_spare2;   /* Spare. */
        uint64_t                         _mpc_spare3;   /* Spare. */
        void                            *_mpc_spare4;   /* Spare. */
        /* Linkage on the Framework's global policy list; Framework-owned. */
        LIST_ENTRY(mac_policy_conf)      mpc_list;      /* global list */
};
  966 
/*
 * Flags for the mpc_loadtime_flags field (passed by the policy as the
 * mpflags argument of MAC_POLICY_SET()).  The semantics below are inferred
 * from the names; confirm in mac_framework before depending on them.
 *
 *   NOTLATE   presumably: the policy must be registered during boot and
 *             refuses to be loaded later.  Objects created before a late
 *             load would carry labels the policy never initialized, so a
 *             labeling policy normally wants this.
 *   UNLOADOK  presumably: the policy consents to being unloaded.  A policy
 *             enforcing mandatory controls should generally not set this,
 *             since unloading removes every check it installed.
 */
#define MPC_LOADTIME_FLAG_NOTLATE       0x00000001
#define MPC_LOADTIME_FLAG_UNLOADOK      0x00000002

/*
 * Flags for the mpc_runtime_flags field.  These are managed by the MAC
 * Framework (see the struct comment above); policies only read them.
 */
#define MPC_RUNTIME_FLAG_REGISTERED     0x00000001
  973 
/*-
 * The TrustedBSD MAC Framework has a major version number, MAC_VERSION,
 * which defines the ABI of the Framework present in the kernel (and depended
 * on by policy modules compiled against that kernel).  Currently,
 * MAC_POLICY_SET() requires that the kernel and module ABI version numbers
 * exactly match: it passes MAC_VERSION as the minimum, preferred and
 * maximum version to MODULE_DEPEND().  The following major versions have
 * been defined to date:
 *
 *   MAC version             FreeBSD versions
 *   1                       5.x
 *   2                       6.x
 *   3                       7.x
 *   4                       8.x
 *
 * Bump this whenever the layout of struct mac_policy_ops or struct
 * mac_policy_conf, or the signature of any entry point typedef, changes.
 * The version dependency is what stops a stale binary module from being
 * loaded and having its function pointers read at the wrong offsets.
 */
#define MAC_VERSION     4
  988 
/*
 * Register a policy module with the MAC Framework.
 *
 *   mpops            pointer to the policy's struct mac_policy_ops; stored
 *                    by pointer (not copied) in mpc_ops, so it must have
 *                    static storage duration.
 *   mpname           a plain identifier: it is token-pasted into the names
 *                    of the generated conf and moduledata objects and
 *                    stringified to become mpc_name, so it cannot be a
 *                    string or an expression.
 *   mpfullname       human-readable name, stored in mpc_fullname.
 *   mpflags          MPC_LOADTIME_FLAG_* bits for mpc_loadtime_flags.
 *   privdata_wanted  int * for mpc_field_off (see struct mac_policy_conf).
 *
 * The conf object is deliberately static but not const: the Framework
 * writes the run-time flags and list linkage into it.  MODULE_DEPEND()
 * pins the module to kernel_mac_support at exactly MAC_VERSION, and
 * DECLARE_MODULE() schedules registration at SI_SUB_MAC_POLICY,
 * SI_ORDER_MIDDLE with mac_policy_modevent() as the module event handler
 * and the conf as its private data.  Because this expands to several
 * declarations it must be used at file scope, once per policy.
 */
#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
        static struct mac_policy_conf mpname##_mac_policy_conf = {      \
                .mpc_name = #mpname,                                    \
                .mpc_fullname = mpfullname,                             \
                .mpc_ops = mpops,                                       \
                .mpc_loadtime_flags = mpflags,                          \
                .mpc_field_off = privdata_wanted,                       \
        };                                                              \
        static moduledata_t mpname##_mod = {                            \
                #mpname,                                                \
                mac_policy_modevent,                                    \
                &mpname##_mac_policy_conf                               \
        };                                                              \
        MODULE_DEPEND(mpname, kernel_mac_support, MAC_VERSION,          \
            MAC_VERSION, MAC_VERSION);                                  \
        DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY,         \
            SI_ORDER_MIDDLE)
 1006 
/*
 * Module event handler installed by MAC_POLICY_SET().  The moduledata_t
 * built there carries the policy's struct mac_policy_conf as its last
 * member, which is presumably what arrives in "data" on each event
 * (confirm against the moduledata definition in sys/module.h).
 */
int     mac_policy_modevent(module_t mod, int type, void *data);

/*
 * Policy interface to map a struct label pointer to per-policy data.
 * Typically, policies wrap this in their own accessor macro that casts a
 * uintptr_t to a policy-specific data type.
 *
 * "slot" selects the policy's entry within the label; presumably this is
 * the value the Framework stores through mpc_field_off at registration
 * (confirm in mac_framework).  Nothing in these declarations promises
 * validation of l or slot, so a policy should pass only what the
 * Framework handed it, and only for objects whose *_init_label it has
 * seen.
 */
intptr_t        mac_label_get(struct label *l, int slot);
void            mac_label_set(struct label *l, int slot, intptr_t v);
 1016 
 1017 #endif /* !_SECURITY_MAC_MAC_POLICY_H_ */
