This is an archive of past FreeBSD releases; it's part of the FreeBSD Documentation Archive.
Four classes of entry points are offered to policies registered with the framework: entry points associated with the registration and management of policies, entry points denoting initialization, creation, destruction, and other life cycle events for kernel objects, events assocated with access control decisions that the policy module may influence, and calls associated with the management of labels on objects. In addition, a mac_syscall() entry point is provided so that policies may extend the kernel interface without registering new system calls.
Policy module writers should be aware of the kernel locking strategy, as well as what object locks are available during which entry points. Writers should attempt to avoid deadlock scenarios by avoiding grabbing non-leaf locks inside of entry points, and also follow the locking protocol for object access and modification. In particular, writers should be aware that while necessary locks to access objects and their labels are generally held, sufficient locks to modify an object or its label may not be present for all entry points. Locking information for arguments is documented in the MAC framework entry point document.
Policy entry points will pass a reference to the object label along with the object itself. This permits labeled policies to be unaware of the internals of the object yet still make decisions based on the label. The exception to this is the process credential, which is assumed to be understood by policies as a first class security object in the kernel. Policies that do not implement labels on kernel objects will be passed NULL pointers for label arguments to entry points.
Modules may be declared using the MAC_POLICY_SET() macro, which names the policy, provides a reference to the MAC entry point vector, provides load-time flags determining how the policy framework should handle the policy, and optionally requests the allocation of label state by the framework.
static struct mac_policy_ops mac_policy_ops =
{
.mpo_destroy = mac_policy_destroy,
.mpo_init = mac_policy_init,
.mpo_init_bpfdesc_label = mac_policy_init_bpfdesc_label,
.mpo_init_cred_label = mac_policy_init_label,
/* ... */
.mpo_check_vnode_setutimes = mac_policy_check_vnode_setutimes,
.mpo_check_vnode_stat = mac_policy_check_vnode_stat,
.mpo_check_vnode_write = mac_policy_check_vnode_write,
};
The MAC policy entry point vector, mac_policy_ops in this example, associates functions defined in the module with specific entry points. A complete listing of available entry points and their prototypes may be found in the MAC entry point reference section. Of specific interest during module registration are the .mpo_destroy and .mpo_init entry points. .mpo_init will be invoked once a policy is successfully registered with the module framework but prior to any other entry points becoming active. This permits the policy to perform any policy-specific allocation and initialization, such as initialization of any data or locks. .mpo_destroy will be invoked when a policy module is unloaded to permit releasing of any allocated memory and destruction of locks. Currently, these two entry points are invoked with the MAC policy list mutex held to prevent any other entry points from being invoked: this will be changed, but in the mean time, policies should be careful about what kernel primitives they invoke so as to avoid lock ordering or sleeping problems.
The policy declaration's module name field exists so that the module may be uniquely identified for the purposes of module dependencies. An appropriate string should be selected. The full string name of the policy is displayed to the user via the kernel log during load and unload events, and also exported when providing status information to userland processes.
The policy flags field permits the module to provide the framework with information about its loader-related capabilities. Currently, two flags are defined:
This flag indicates that the policy module may be unloaded. If this flag is not provided, then the policy framework will reject requests to unload the module. This flag might be used by modules that allocate label state and are unable to free that state at runtime.
This flag indicates that the policy module must be loaded and initialized early in the boot process. If the flag is specified, attempts to register the module following boot will be rejected. The flag may be used by policies that require pervasive labeling of all system objects, and cannot handle objects that have not been properly initialized by the policy.
Policy load event. The policy list mutex is held, so caution should be applied.
Policy load event. The policy list mutex is held, so caution should be applied.
| Parameter | Description | Locking |
|---|---|---|
| td | Calling thread | |
| call | Syscall number | |
| arg | Pointer to syscall arguments |
This entry point provides a policy-multiplexed system call so that policies may provide additional services to user processes without registering specific system calls. The policy name provided during registration is used to demux calls from userland, and the arguments will be forwarded to this entry point. When implementing new services, security modules should be sure to invoke appropriate access control checks from the MAC framework as needed. For example, if a policy implements an augmented signal functionality, it should call the necessary signal access control checks to invoke the MAC framework and other registered policies.
Note: Modules must currently perform the copyin() of the syscall data on their own.
This entry point permits policy modules to perform MAC-related events when a thread returns to user space. This is required for policies that have floating process labels, as it's not always possible to acquire the process lock at arbitrary points in the stack during system call processing; process labels might represent traditional authentication data, process history information, or other data.
Initialize the label on a newly instantiated bpfdesc (BPF descriptor)
Initialize the label for a newly instantiated user credential.
Initialize the label on a newly instantiated devfs entry.
Initialize the label on a newly instantiated network interface.
Initialize the label on a newly instantiated IP fragment reassembly queue.
| Parameter | Description | Locking |
|---|---|---|
| mbuf | Object; mbuf | |
| how | Blocking/non-blocking malloc(9); see below | |
| label | Policy label to initialize |
Initialize the label on a newly instantiated mbuf packet header (mbuf). The how field may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a blocking malloc(9) during this initialization call. Mbuf allocation frequently occurs in performance sensitive environments, and the implementation should be careful to avoid blocking or long-lived operations. This entry point is permitted to fail resulting in the failure to allocate the mbuf header.
| Parameter | Description | Locking |
|---|---|---|
| mount | Object; file system mount point | |
| mntlabel | Policy label to be initialized for the mount itself | |
| fslabel | Policy label to be initialized for the file system |
Initialize the labels on a newly instantiated mount point.
Initialize the label on a newly mounted file system.
Initialize a label for a newly instantiated pipe.
| Parameter | Description | Locking |
|---|---|---|
| label | New label to initialize | |
| flag | malloc(9) flags |
Initialize a label for a newly instantiated socket.
| Parameter | Description | Locking |
|---|---|---|
| label | New label to initialize | |
| flag | malloc(9) flags |
Initialize the peer label for a newly instantiated socket.
Initialize the label for a newly instantiated process.
Initialize the label on a newly instantiated vnode.
Destroy the label on a bpf descriptor. In this entry point a policy should free any internal storage associated with label so that it may be destroyed.
Destroy the label on a credential. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
| Parameter | Description | Locking |
|---|---|---|
| devfs_dirent | Object; devfs directory entry | |
| label | Label being destroyed |
Destroy the label on a devfs entry. In this entry point, a policy module should free any internal storage asociated with label so that it may be destroyed.
Destroy the label on a removed interface. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
Destroy the label on an IP fragment queue. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
Destroy the label on an mbuf header. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
Destroy the labels on a mount point. In this entry point, a policy module should free the internal storage associated with mntlabel so that they may be destroyed.
| Parameter | Description | Locking |
|---|---|---|
| mp | Object; file system mount point | |
| mntlabel | Mount point label being destroyed | |
| fslabel | File system label being destroyed> |
Destroy the labels on a mount point. In this entry point, a policy module should free the internal storage associated with mntlabel and fslabel so that they may be destroyed.
Destroy the label on a socket. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
Destroy the peer label on a socket. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
Destroy the label on a pipe. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
Destroy the label on a process. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
Copy the label information in src into dest.
Copy the label information in src into dest.
int
mpo_externalize_cred_label(struct label *label,
char *element_name, char *element_data, size_t size,
size_t *len, int *claimed);
| Parameter | Description | Locking |
|---|---|---|
| label | Label to be externalized | |
| element_name | Name of the policy whose label should be externalized | |
| element_data | Buffer; to be filled in with text representation of label | |
| size | Size of element_data | |
| len | To be filled in with the length of the string representing the label data. | |
| claimed | Should be incremented when element_data can be filled in. |
Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in element_data. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in element_data, *claimed should be incremented.
int
mpo_externalize_ifnet_label(struct label *label,
char *element_name, char *element_data, size_t size,
size_t *len, int *claimed);
| Parameter | Description | Locking |
|---|---|---|
| label | Label to be externalized | |
| element_name | Name of the policy whose label should be externalized | |
| element_data | Buffer; to be filled in with text representation of label | |
| size | Size of element_data | |
| len | To be filled in with the length of the string representing the label data. | |
| claimed | Should be incremented when element_data can be filled in. |
Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in element_data. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in element_data, *claimed should be incremented.
int
mpo_externalize_pipe_label(struct label *label,
char *element_name, char *element_data, size_t size,
size_t *len, int *claimed);
| Parameter | Description | Locking |
|---|---|---|
| label | Label to be externalized | |
| element_name | Name of the policy whose label should be externalized | |
| element_data | Buffer; to be filled in with text representation of label | |
| size | Size of element_data | |
| len | To be filled in with the length of the string representing the label data. | |
| claimed | Should be incremented when element_data can be filled in. |
Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in element_data. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in element_data, *claimed should be incremented.
int
mpo_externalize_socket_label(struct label
*label, char *element_name, char *element_data, size_t
size, size_t *len, int *claimed);
| Parameter | Description | Locking |
|---|---|---|
| label | Label to be externalized | |
| element_name | Name of the policy whose label should be externalized | |
| element_data | Buffer; to be filled in with text representation of label | |
| size | Size of element_data | |
| len | To be filled in with the length of the string representing the label data. | |
| claimed | Should be incremented when element_data can be filled in. |
Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in element_data. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in element_data, *claimed should be incremented.
int
mpo_externalize_socket_peer_label(struct label
*label, char *element_name, char *element_data, size_t
size, size_t *len, int *claimed);
| Parameter | Description | Locking |
|---|---|---|
| label | Label to be externalized | |
| element_name | Name of the policy whose label should be externalized | |
| element_data | Buffer; to be filled in with text representation of label | |
| size | Size of element_data | |
| len | To be filled in with the length of the string representing the label data. | |
| claimed | Should be incremented when element_data can be filled in. |
Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in element_data. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in element_data, *claimed should be incremented.
int
mpo_externalize_vnode_label(struct label *label,
char *element_name, char *element_data, size_t size,
size_t *len, int *claimed);
| Parameter | Description | Locking |
|---|---|---|
| label | Label to be externalized | |
| element_name | Name of the policy whose label should be externalized | |
| element_data | Buffer; to be filled in with text representation of label | |
| size | Size of element_data | |
| len | To be filled in with the length of the string representing the label data. | |
| claimed | Should be incremented when element_data can be filled in. |
Produce an externalized label based on the label structure passed. An externalized label consists of a text representation of the label contents that can be used with userland applications and read by the user. Currently, all policies' externalize entry points will be called, so the implementation should check the contents of element_name before attempting to fill in element_data. If element_name does not match the name of your policy, simply return 0. Only return nonzero if an error occurs while externalizing the label data. Once the policy fills in element_data, *claimed should be incremented.
int
mpo_internalize_cred_label(struct label *label,
char *element_name, char *element_data, int
*claimed);
| Parameter | Description | Locking |
|---|---|---|
| label | Label to be filled in | |
| element_name | Name of the policy whose label should be internalized | |
| element_data | Text data to be internalized | |
| claimed | Should be incremented when data can be successfully internalized. |
Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when data can successfully be internalized, in which case *claimed should be incremented.
int
mpo_internalize_ifnet_label(struct label *label,
char *element_name, char *element_data, int
*claimed);
| Parameter | Description | Locking |
|---|---|---|
| label | Label to be filled in | |
| element_name | Name of the policy whose label should be internalized | |
| element_data | Text data to be internalized | |
| claimed | Should be incremented when data can be successfully internalized. |
Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when data can successfully be internalized, in which case *claimed should be incremented.
int
mpo_internalize_pipe_label(struct label *label,
char *element_name, char *element_data, int
*claimed);
| Parameter | Description | Locking |
|---|---|---|
| label | Label to be filled in | |
| element_name | Name of the policy whose label should be internalized | |
| element_data | Text data to be internalized | |
| claimed | Should be incremented when data can be successfully internalized. |
Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when data can successfully be internalized, in which case *claimed should be incremented.
int
mpo_internalize_socket_label(struct label
*label, char *element_name, char *element_data, int
*claimed);
| Parameter | Description | Locking |
|---|---|---|
| label | Label to be filled in | |
| element_name | Name of the policy whose label should be internalized | |
| element_data | Text data to be internalized | |
| claimed | Should be incremented when data can be successfully internalized. |
Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when data can successfully be internalized, in which case *claimed should be incremented.
int
mpo_internalize_vnode_label(struct label *label,
char *element_name, char *element_data, int
*claimed);
| Parameter | Description | Locking |
|---|---|---|
| label | Label to be filled in | |
| element_name | Name of the policy whose label should be internalized | |
| element_data | Text data to be internalized | |
| claimed | Should be incremented when data can be successfully internalized. |
Produce an internal label structure based on externalized label data in text format. Currently, all policies' internalize entry points are called when internalization is requested, so the implementation should compare the contents of element_name to its own name in order to be sure it should be internalizing the data in element_data. Just as in the externalize entry points, the entry point should return 0 if element_name does not match its own name, or when data can successfully be internalized, in which case *claimed should be incremented.
This class of entry points is used by the MAC framework to permit policies to maintain label information on kernel objects. For each labeled kernel object of interest to a MAC policy, entry points may be registered for relevant life cycle events. All objects implement initialization, creation, and destruction hooks. Some objects will also implement relabeling, allowing user processes to change the labels on objects. Some objects will also implement object-specific events, such as label events associated with IP reassembly. A typical labeled object will have the following life cycle of entry points:
Label initialization o
(object-specific wait) \
Label creation o
\
Relabel events, o--<--.
Various object-specific, | |
Access control events ~-->--o
\
Label destruction o
Label initialization permits policies to allocate memory and set initial values for labels without context for the use of the object. The label slot allocated to a policy will be zero'd by default, so some policies may not need to perform initialization.
Label creation occurs when the kernel structure is associated with an actual kernel object. For example, mbufs may be allocated and remain unused in a pool until they are required. mbuf allocation causes label initialization on the mbuf to take place, but mbuf creation occurs when the mbuf is associated with a datagram. Typically, context will be provided for a creation event, including the circumstances of the creation, and labels of other relevant objects in the creation process. For example, when an mbuf is created from a socket, the socket and its label will be presented to registered policies in addition to the new mbuf and its label. Memory allocation in creation events is discouraged, as it may occur in performance sensitive ports of the kernel; in addition, creation calls are not permitted to fail so a failure to allocate memory cannot be reported.
Object specific events do not generally fall into the other broad classes of label events, but will generally provide an opportunity to modify or update the label on an object based on additional context. For example, the label on an IP fragment reassembly queue may be updated during the MAC_UPDATE_IPQ entry point as a result of the acceptance of an additional mbuf to that queue.
Access control events are discussed in detail in the following section.
Label destruction permits policies to release storage or state associated with a label during its association with an object so that the kernel data structures supporting the object may be reused or released.
In addition to labels associated with specific kernel objects, an additional class of labels exists: temporary labels. These labels are used to store update information submitted by user processes. These labels are initialized and destroyed as with other label types, but the creation event is MAC_INTERNALIZE, which accepts a user label to be converted to an in-kernel representation.
void
mpo_associate_vnode_devfs(struct mount *mp,
struct label *fslabel, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp, struct label
*vlabel);
| Parameter | Description | Locking |
|---|---|---|
| mp | Devfs mount point | |
| fslabel | Devfs file system label (mp->mnt_fslabel) | |
| de | Devfs directory entry | |
| delabel | Policy label associated with de | |
| vp | vnode associated with de | |
| vlabel | Policy label associated with vp |
Fill in the label (vlabel) for a newly created devfs vnode based on the devfs directory entry passed in de and its label.
int
mpo_associate_vnode_extattr(struct mount *mp,
struct label *fslabel, struct vnode *vp, struct label
*vlabel);
| Parameter | Description | Locking |
|---|---|---|
| mp | File system mount point | |
| fslabel | File system label | |
| vp | Vnode to label | |
| vlabel | Policy label associated with vp |
Attempt to retrieve the label for vp from the file system extended attributes. Upon success, the value 0 is returned. Should extended attribute retrieval not be supported, an accepted fallback is to copy fslabel into vlabel. In the event of an error, an appropriate value for errno should be returned.
void
mpo_associate_vnode_singlelabel(struct mount
*mp, struct label *fslabel, struct vnode *vp, struct
label *vlabel);
| Parameter | Description | Locking |
|---|---|---|
| mp | File system mount point | |
| fslabel | File system label | |
| vp | Vnode to label | |
| vlabel | Policy label associated with vp |
On non-multilabel file systems, this entry point is called to set the policy label for vp based on the file system label, fslabel.
| Parameter | Description | Locking |
|---|---|---|
| dev | Device corresponding with devfs_dirent | |
| devfs_dirent | Devfs directory entry to be labeled. | |
| label | Label for devfs_dirent to be filled in. |
Fill out the label on a devfs_dirent being created for the passed device. This call will be made when the device file system is mounted, regenerated, or a new device is made available.
void
mpo_create_devfs_directory(char *dirname, int
dirnamelen, struct devfs_dirent *devfs_dirent, struct
label *label);
| Parameter | Description | Locking |
|---|---|---|
| dirname | Name of directory being created | |
| namelen | Length of string dirname | |
| devfs_dirent | Devfs directory entry for directory being created. |
Fill out the label on a devfs_dirent being created for the passed directory. This call will be made when the device file system is mounted, regenerated, or a new device requiring a specific directory hierarchy is made available.
void
mpo_create_devfs_symlink(struct ucred *cred,
struct mount *mp, struct devfs_dirent *dd, struct
label *ddlabel, struct devfs_dirent *de, struct label
*delabel);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| mp | Devfs mount point | |
| dd | Link destination | |
| ddlabel | Label associated with dd | |
| de | Symlink entry | |
| delabel | Label associated with de |
Fill in the label (delabel) for a newly created devfs(5) symbolic link entry.
int
mpo_create_vnode_extattr(struct ucred *cred,
struct mount *mp, struct label *fslabel, struct vnode
*dvp, struct label *dlabel, struct vnode *vp, struct
label *vlabel, struct componentname *cnp);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| mount | File system mount point | |
| label | File system label | |
| dvp | Parent directory vnode | |
| dlabel | Label associated with dvp | |
| vp | Newly created vnode | |
| vlabel | Policy label associated with vp | |
| cnp | Component name for vp |
Write out the label for vp to the appropriate extended attribute. If the write succeeds, fill in vlabel with the label, and return 0. Otherwise, return an appropriate error.
void
mpo_create_mount(struct ucred *cred, struct
mount *mp, struct label *mnt, struct label
*fslabel);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| mp | Object; file system being mounted | |
| mntlabel | Policy label to be filled in for mp | |
| fslabel | Policy label for the file system mp mounts. |
Fill out the labels on the mount point being created by the passed subject credential. This call will be made when a new file system is mounted.
void
mpo_create_root_mount(struct ucred *cred,
struct mount *mp, struct label *mntlabel, struct
label *fslabel);
| Parameter | Description | Locking |
|---|---|---|
| See Section 14.6.3.1.8. | ||
Fill out the labels on the mount point being created by the passed subject credential. This call will be made when the root file system is mounted, after mpo_create_mount;.
void
mpo_relabel_vnode(struct ucred *cred, struct
vnode *vp, struct label *vnodelabel, struct label
*newlabel);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | vnode to relabel | |
| vnodelabel | Existing policy label for vp | |
| newlabel | New, possibly partial label to replace vnodelabel |
Update the label on the passed vnode given the passed update vnode label and the passed subject credential.
int
mpo_setlabel_vnode_extattr(struct ucred *cred,
struct vnode *vp, struct label *vlabel, struct label
*intlabel);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Vnode for which the label is being written | |
| vlabel | Policy label associated with vp | |
| intlabel | Label to write out |
Write out the policy from intlabel to an extended attribute. This is called from vop_stdcreatevnode_ea.
void
mpo_update_devfsdirent(struct devfs_dirent
*devfs_dirent, struct label *direntlabel, struct
vnode *vp, struct label *vnodelabel);
| Parameter | Description | Locking |
|---|---|---|
| devfs_dirent | Object; devfs directory entry | |
| direntlabel | Policy label for devfs_dirent to be updated. | |
| vp | Parent vnode | Locked |
| vnodelabel | Policy label for vp |
Update the devfs_dirent label from the passed devfs vnode label. This call will be made when a devfs vnode has been successfully relabeled to commit the label change such that it lasts even if the vnode is recycled. It will also be made when when a symlink is created in devfs, following a call to mac_vnode_create_from_vnode to initialize the vnode label.
void
mpo_create_mbuf_from_socket(struct socket *so,
struct label *socketlabel, struct mbuf *m, struct
label *mbuflabel);
| Parameter | Description | Locking |
|---|---|---|
| socket | Socket | Socket locking WIP |
| socketlabel | Policy label for socket | |
| m | Object; mbuf | |
| mbuflabel | Policy label to fill in for m |
Set the label on a newly created mbuf header from the passed socket label. This call is made when a new datagram or message is generated by the socket and stored in the passed mbuf.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| pipe | Pipe | |
| pipelabel | Policy label associated with pipe |
Set the label on a newly created pipe from the passed subject credential. This call is made when a new pipe is created.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | Immutable |
| so | Object; socket to label | |
| socketlabel | Label to fill in for so |
Set the label on a newly created socket from the passed subject credential. This call is made when a socket is created.
void
mpo_create_socket_from_socket(struct socket
*oldsocket, struct label *oldsocketlabel, struct
socket *newsocket, struct label
*newsocketlabel);
| Parameter | Description | Locking |
|---|---|---|
| oldsocket | Listening socket | |
| oldsocketlabel | Policy label associated with oldsocket | |
| newsocket | New socket | |
| newsocketlabel | Policy label associated with newsocketlabel |
Label a socket, newsocket, newly accept(2)ed, based on the listen(2) socket, oldsocket.
void
mpo_relabel_pipe(struct ucred *cred, struct
pipe *pipe, struct label *oldlabel, struct label
*newlabel);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| pipe | Pipe | |
| oldlabel | Current policy label associated with pipe | |
| newlabel | Policy label update to apply to pipe |
Apply a new label, newlabel, to pipe.
void
mpo_relabel_socket(struct ucred *cred, struct
socket *so, struct label *oldlabel, struct label
*newlabel);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | Immutable |
| so | Object; socket | |
| oldlabel | Current label for so | |
| newlabel | Label update for so |
Update the label on a socket from the passed socket label update.
void
mpo_set_socket_peer_from_mbuf(struct mbuf
*mbuf, struct label *mbuflabel, struct label
*oldlabel, struct label *newlabel);
| Parameter | Description | Locking |
|---|---|---|
| mbuf | First datagram received over socket | |
| mbuflabel | Label for mbuf | |
| oldlabel | Current label for the socket | |
| newlabel | Policy label to be filled out for the socket |
Set the peer label on a stream socket from the passed mbuf label. This call will be made when the first datagram is received by the stream socket, with the exception of Unix domain sockets.
void
mpo_set_socket_peer_from_socket(struct socket
*oldsocket, struct label *oldsocketlabel, struct
socket *newsocket, struct label
*newsocketpeerlabel);
| Parameter | Description | Locking |
|---|---|---|
| oldsocket | Local socket | |
| oldsocketlabel | Policy label for oldsocket | |
| newsocket | Peer socket | |
| newsocketpeerlabel | Policy label to fill in for newsocket |
Set the peer label on a stream UNIX domain socket from the passed remote socket endpoint. This call will be made when the socket pair is connected, and will be made for both endpoints.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | Immutable |
| bpf_d | Object; bpf descriptor | |
| bpf | Policy label to be filled in for bpf_d |
Set the label on a newly created BPF descriptor from the passed subject credential. This call will be made when a BPF device node is opened by a process with the passed subject credential.
Set the label on a newly created interface. This call may be made when a new physical interface becomes available to the system, or when a pseudo-interface is instantiated during the boot or as a result of a user action.
void
mpo_create_ipq(struct mbuf *fragment, struct
label *fragmentlabel, struct ipq *ipq, struct label
*ipqlabel);
| Parameter | Description | Locking |
|---|---|---|
| fragment | First received IP fragment | |
| fragmentlabel | Policy label for fragment | |
| ipq | IP reassembly queue to be labeled | |
| ipqlabel | Policy label to be filled in for ipq |
Set the label on a newly created IP fragment reassembly queue from the mbuf header of the first received fragment.
void
mpo_create_create_datagram_from_ipq(struct ipq
*ipq, struct label *ipqlabel, struct mbuf *datagram,
struct label *datagramlabel);
| Parameter | Description | Locking |
|---|---|---|
| ipq | IP reassembly queue | |
| ipqlabel | Policy label for ipq | |
| datagram | Datagram to be labeled | |
| datagramlabel | Policy label to be filled in for datagramlabel |
Set the label on a newly reassembled IP datagram from the IP fragment reassembly queue from which it was generated.
void
mpo_create_fragment(struct mbuf *datagram,
struct label *datagramlabel, struct mbuf *fragment,
struct label *fragmentlabel);
| Parameter | Description | Locking |
|---|---|---|
| datagram | Datagram | |
| datagramlabel | Policy label for datagram | |
| fragment | Fragment to be labeled | |
| fragmentlabel | Policy label to be filled in for datagram |
Set the label on the mbuf header of a newly created IP fragment from the label on the mbuf header of the datagram it was generate from.
void
mpo_create_mbuf_from_mbuf(struct mbuf
*oldmbuf, struct label *oldmbuflabel, struct mbuf
*newmbuf, struct label *newmbuflabel);
| Parameter | Description | Locking |
|---|---|---|
| oldmbuf | Existing (source) mbuf | |
| oldmbuflabel | Policy label for oldmbuf | |
| newmbuf | New mbuf to be labeled | |
| newmbuflabel | Policy label to be filled in for newmbuf |
Set the label on the mbuf header of a newly created datagram from the mbuf header of an existing datagram. This call may be made in a number of situations, including when an mbuf is re-allocated for alignment purposes.
void
mpo_create_mbuf_linklayer(struct ifnet *ifnet,
struct label *ifnetlabel, struct mbuf *mbuf, struct
label *mbuflabel);
| Parameter | Description | Locking |
|---|---|---|
| ifnet | Network interface | |
| ifnetlabel | Policy label for ifnet | |
| mbuf | mbuf header for new datagram | |
| mbuflabel | Policy label to be filled in for mbuf |
Set the label on the mbuf header of a newly created datagram generated for the purposes of a link layer response for the passed interface. This call may be made in a number of situations, including for ARP or ND6 responses in the IPv4 and IPv6 stacks.
void
mpo_create_mbuf_from_bpfdesc(struct bpf_d
*bpf_d, struct label *bpflabel, struct mbuf *mbuf,
struct label *mbuflabel);
| Parameter | Description | Locking |
|---|---|---|
| bpf_d | BPF descriptor | |
| bpflabel | Policy label for bpflabel | |
| mbuf | New mbuf to be labeled | |
| mbuflabel | Policy label to fill in for mbuf |
Set the label on the mbuf header of a newly created datagram generated using the passed BPF descriptor. This call is made when a write is performed to the BPF device associated with the passed BPF descriptor.
void
mpo_create_mbuf_from_ifnet(struct ifnet
*ifnet, struct label *ifnetlabel, struct mbuf *mbuf,
struct label *mbuflabel);
| Parameter | Description | Locking |
|---|---|---|
| ifnet | Network interface | |
| ifnetlabel | Policy label for ifnetlabel | |
| mbuf | mbuf header for new datagram | |
| mbuflabel | Policy label to be filled in for mbuf |
Set the label on the mbuf header of a newly created datagram generated from the passed network interface.
void
mpo_create_mbuf_multicast_encap(struct mbuf
*oldmbuf, struct label *oldmbuflabel, struct ifnet
*ifnet, struct label *ifnetlabel, struct mbuf
*newmbuf, struct label *newmbuflabel);
| Parameter | Description | Locking |
|---|---|---|
| oldmbuf | mbuf header for existing datagram | |
| oldmbuflabel | Policy label for oldmbuf | |
| ifnet | Network interface | |
| ifnetlabel | Policy label for ifnet | |
| newmbuf | mbuf header to be labeled for new datagram | |
| newmbuflabel | Policy label to be filled in for newmbuf |
Set the label on the mbuf header of a newly created datagram generated from the existing passed datagram when it is processed by the passed multicast encapsulation interface. This call is made when an mbuf is to be delivered using the virtual interface.
void
mpo_create_mbuf_netlayer(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel);
| Parameter | Description | Locking |
|---|---|---|
| oldmbuf | Received datagram | |
| oldmbuflabel | Policy label for oldmbuf | |
| newmbuf | Newly created datagram | |
| newmbuflabel | Policy label for newmbuf |
Set the label on the mbuf header of a newly created datagram generated by the IP stack in response to an existing received datagram (oldmbuf). This call may be made in a number of situations, including when responding to ICMP request datagrams.
int
mpo_fragment_match(struct mbuf *fragment,
struct label *fragmentlabel, struct ipq *ipq, struct
label *ipqlabel);
| Parameter | Description | Locking |
|---|---|---|
| fragment | IP datagram fragment | |
| fragmentlabel | Policy label for fragment | |
| ipq | IP fragment reassembly queue | |
| ipqlabel | Policy label for ipq |
Determine whether an mbuf header containing an IP datagram (fragment) fragment matches the label of the passed IP fragment reassembly queue (ipq). Return (1) for a successful match, or (0) for no match. This call is made when the IP stack attempts to find an existing fragment reassembly queue for a newly received fragment; if this fails, a new fragment reassembly queue may be instantiated for the fragment. Policies may use this entry point to prevent the reassembly of otherwise matching IP fragments if policy does not permit them to be reassembled based on the label or other information.
void
mpo_relabel_ifnet(struct ucred *cred, struct
ifnet *ifnet, struct label *ifnetlabel, struct label
*newlabel);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| ifnet | Object; Network interface | |
| ifnetlabel | Policy label for ifnet | |
| newlabel | Label update to apply to ifnet |
Update the label of network interface, ifnet, based on the passed update label, newlabel, and the passed subject credential, cred.
void
mpo_update_ipq(struct mbuf *fragment, struct
label *fragmentlabel, struct ipq *ipq, struct label
*ipqlabel);
| Parameter | Description | Locking |
|---|---|---|
| mbuf | IP fragment | |
| mbuflabel | Policy label for mbuf | |
| ipq | IP fragment reassembly queue | |
| ipqlabel | Policy label to be updated for ipq |
Update the label on an IP fragment reassembly queue (ipq) based on the acceptance of the passed IP fragment mbuf header (mbuf).
| Parameter | Description | Locking |
|---|---|---|
| parent_cred | Parent subject credential | |
| child_cred | Child subject credential |
Set the label of a newly created subject credential from the passed subject credential. This call will be made when crcopy(9) is invoked on a newly created struct ucred. This call should not be confused with a process forking or creation event.
void
mpo_execve_transition(struct ucred *old,
struct ucred *new, struct vnode *vp, struct label
*vnodelabel);
| Parameter | Description | Locking |
|---|---|---|
| old | Existing subject credential | Immutable |
| new | New subject credential to be labeled | |
| vp | File to execute | Locked |
| vnodelabel | Policy label for vp |
Update the label of a newly created subject credential (new) from the passed existing subject credential (old) based on a label transition caused by executing the passed vnode (vp). This call occurs when a process executes the passed vnode and one of the policies returns a success from the mpo_execve_will_transition entry point. Policies may choose to implement this call simply by invoking mpo_create_cred and passing the two subject credentials so as not to implement a transitioning event. Policies should not leave this entry point unimplemented if they implement mpo_create_cred, even if they do not implement mpo_execve_will_transition.
| Parameter | Description | Locking |
|---|---|---|
| old | Subject credential prior to execve(2) | Immutable |
| vp | File to execute | |
| vnodelabel | Policy label for vp |
Determine whether the policy will want to perform a transition event as a result of the execution of the passed vnode by the passed subject credential. Return 1 if a transition is required, 0 if not. Even if a policy returns 0, it should behave correctly in the presence of an unexpected invocation of mpo_execve_transition, as that call may happen as a result of another policy requesting a transition.
Create the subject credential of process 0, the parent of all kernel processes.
Create the subject credential of process 1, the parent of all user processes.
Update the label on a subject credential from the passed update label.
Access control entry points permit policy modules to influence access control decisions made by the kernel. Generally, although not always, arguments to an access control entry point will include one or more authorizing credentials, information (possibly including a label) for any other objects involved in the operation. An access control entry point may return 0 to permit the operation, or an errno(2) error value. The results of invoking the entry point across various registered policy modules will be composed as follows: if all modules permit the operation to succeed, success will be returned. If one or modules returns a failure, a failure will be returned. If more than one module returns a failure, the errno value to return to the user will be selected using the following precedence, implemented by the error_select() function in kern_mac.c:
If none of the error values returned by all modules are listed in the precedence chart then an arbitrarily selected value from the set will be returned. In general, the rules provide precedence to errors in the following order: kernel failures, invalid arguments, object not present, access not permitted, other.
int
mpo_check_bpfdesc_receive(struct bpf_d *bpf_d,
struct label *bpflabel, struct ifnet *ifnet, struct
label *ifnetlabel);
| Parameter | Description | Locking |
|---|---|---|
| bpf_d | Subject; BPF descriptor | |
| bpflabel | Policy label for bpf_d | |
| ifnet | Object; network interface | |
| ifnetlabel | Policy label for ifnet |
Determine whether the MAC framework should permit datagrams from the passed interface to be delivered to the buffers of the passed BPF descriptor. Return (0) for success, or an errno value for failure Suggested failure: EACCES for label mismatches, EPERM for lack of privilege.
Determine whether the subject should be allowed to retrieve the kernel environment (see kenv(2)).
Determine whether the subject should be allowed to retrieve the value of the specified kernel environment variable.
Determine whether the subject should be allowed to set the specified kernel environment variable.
Determine whether the subject should be allowed to unset the specified kernel environment variable.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Kernel module vnode | |
| vlabel | Label associated with vp |
Determine whether the subject should be allowed to load the specified module file.
Determine whether the subject should be allowed to retrieve a list of loaded kernel module files and associated statistics.
Determine whether the subject should be allowed to unload a kernel module.
int
mpo_check_pipe_ioctl(struct ucred *cred, struct
pipe *pipe, struct label *pipelabel, unsigned long cmd,
void *data);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| pipe | Pipe | |
| pipelabel | Policy label associated with pipe | |
| cmd | ioctl(2) command | |
| data | ioctl(2) data |
Determine whether the subject should be allowed to make the specified ioctl(2) call.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| pipe | Pipe | |
| pipelabel | Policy label associated with pipe |
Determine whether the subject should be allowed to poll pipe.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| pipe | Pipe | |
| pipelabel | Policy label associated with pipe |
Determine whether the subject should be allowed read access to pipe.
int
mpo_check_pipe_relabel(struct ucred *cred,
struct pipe *pipe, struct label *pipelabel, struct
label *newlabel);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| pipe | Pipe | |
| pipelabel | Current policy label associated with pipe | |
| newlabel | Label update to pipelabel |
Determine whether the subject should be allowed to relabel pipe.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| pipe | Pipe | |
| pipelabel | Policy label associated with pipe |
Determine whether the subject should be allowed to retrieve statistics related to pipe.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| pipe | Pipe | |
| pipelabel | Policy label associated with pipe |
Determine whether the subject should be allowed to write to pipe.
int
mpo_check_socket_connect(struct ucred *cred,
struct socket *socket, struct label *socketlabel,
struct sockaddr *sockaddr);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| socket | Socket to be connected | |
| socketlabel | Policy label for socket | |
| sockaddr | Address of socket |
Determine whether the subject credential (cred) can connect the passed socket (socket) to the passed socket address (sockaddr). Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatches, EPERM for lack of privilege.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| so | Socket | |
| socketlabel | Policy label associated with so |
Determine whether the subject should be allowed to receive information from the socket so.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| so | Socket | |
| socketlabel | Policy label associated with so |
Determine whether the subject should be allowed to send information across the socket so.
Determine whether the subject credential u1 can ``see'' other subjects with the passed subject credential u2. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatches, EPERM for lack of privilege, or ESRCH to hide visibility. This call may be made in a number of situations, including inter-process status sysctls used by ps, and in procfs lookups.
int
mpo_check_ifnet_relabel(struct ucred *cred,
struct ifnet *ifnet, struct label *ifnetlabel, struct
label *newlabel);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| ifnet | Object; network interface | |
| ifnetlabel | Existing policy label for ifnet | |
| newlabel | Policy label update to later be applied to ifnet |
Determine whether the subject credential can relabel the passed network interface to the passed label update.
int
mpo_check_socket_relabel(struct ucred *cred,
struct socket *socket, struct label *socketlabel,
struct label *newlabel);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| socket | Object; socket | |
| socketlabel | Existing policy label for socket | |
| newlabel | Label update to later be applied to socketlabel |
Determine whether the subject credential can relabel the passed socket to the passed label update.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| newlabel | Label update to later be applied to cred |
Determine whether the subject credential can relabel itself to the passed label update.
int
mpo_check_vnode_relabel(struct ucred *cred,
struct vnode *vp, struct label *vnodelabel, struct
label *newlabel);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | Immutable |
| vp | Object; vnode | Locked |
| vnodelabel | Existing policy label for vp | |
| newlabel | Policy label update to later be applied to vp |
Determine whether the subject credential can relabel the passed vnode to the passed label update.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| mp | Object; file system mount | |
| mountlabel | Policy label for mp |
Determine whether the subject credential can see the results of a statfs performed on the file system. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatches or EPERM for lack of privilege. This call may be made in a number of situations, including during invocations of statfs(2) and related calls, as well as to determine what file systems to exclude from listings of file systems, such as when getfsstat(2) is invoked.
Determine whether the subject credential can debug the passed process. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to hide visibility of the target. This call may be made in a number of situations, including use of the ptrace(2) and ktrace(2) APIs, as well as for some types of procfs operations.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Object; vnode | |
| label | Policy label for vp | |
| flags | access(2) flags |
Determine how invocations of access(2) and related calls by the subject credential should return when performed on the passed vnode using the passed access flags. This should generally be implemented using the same semantics used in mpo_check_vnode_open. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatches or EPERM for lack of privilege.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| dvp | Object; vnode to chdir(2) into | |
| dlabel | Policy label for dvp |
Determine whether the subject credential can change the process working directory to the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| dvp | Directory vnode | |
| dlabel | Policy label associated with dvp |
Determine whether the subject should be allowed to chroot(2) into the specified directory (dvp).
int
mpo_check_vnode_create(struct ucred *cred,
struct vnode *dvp, struct label *dlabel, struct
componentname *cnp, struct vattr *vap);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| dvp | Object; vnode | |
| dlabel | Policy label for dvp | |
| cnp | Component name for dvp | |
| vap | vnode attributes for vap |
Determine whether the subject credential can create a vnode with the passed parent directory, passed name information, and passed attribute information. Return 0 for success, or an errno value for failure. Suggested failure: EACCES. for label mismatch, or EPERM for lack of privilege. This call may be made in a number of situations, including as a result of calls to open(2) with O_CREAT, mknod(2), mkfifo(2), and others.
int
mpo_check_vnode_delete(struct ucred *cred,
struct vnode *dvp, struct label *dlabel, struct vnode
*vp, void *label, struct componentname
*cnp);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| dvp | Parent directory vnode | |
| dlabel | Policy label for dvp | |
| vp | Object; vnode to delete | |
| label | Policy label for vp | |
| cnp | Component name for vp |
Determine whether the subject credential can delete a vnode from the passed parent directory and passed name information. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege. This call may be made in a number of situations, including as a result of calls to unlink(2) and rmdir(2). Policies implementing this entry point should also implement mpo_check_rename_to to authorize deletion of objects as a result of being the target of a rename.
int
mpo_check_vnode_deleteacl(struct ucred *cred,
struct vnode *vp, struct label *label, acl_type_t
type);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | Immutable |
| vp | Object; vnode | Locked |
| label | Policy label for vp | |
| type | ACL type |
Determine whether the subject credential can delete the ACL of passed type from the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Object; vnode to execute | |
| label | Policy label for vp |
Determine whether the subject credential can execute the passed vnode. Determination of execute privilege is made seperately from decisions about any transitioning event. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
int
mpo_check_vnode_getacl(struct ucred *cred,
struct vnode *vp, struct label *label, acl_type_t
type);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Object; vnode | |
| label | Policy label for vp | |
| type | ACL type |
Determine whether the subject credentical can retrieve the ACL of passed type from the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
int
mpo_check_vnode_getextattr(struct ucred *cred,
struct vnode *vp, struct label *label, int
attrnamespace, const char *name, struct uio
*uio);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Object; vnode | |
| label | Policy label for vp | |
| attrnamespace | Extended attribute namespace | |
| name | Extended attribute name | |
| uio | I/O structure pointer; see uio(9) |
Determine whether the subject credential can retrieve the extended attribute with the passed namespace and name from the passed vnode. Policies implementing labeling using extended attributes may be interested in special handling of operations on those extended attributes. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
int
mpo_check_vnode_link(struct ucred *cred, struct
vnode *dvp, struct label *dlabel, struct vnode *vp,
struct label *label, struct componentname
*cnp);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| dvp | Directory vnode | |
| dlabel | Policy label associated with dvp | |
| vp | Link destination vnode | |
| label | Policy label associated with vp | |
| cnp | Component name for the link being created |
Determine whether the subject should be allowed to create a link to the vnode vp with the name specified by cnp.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Vnode to map | |
| label | Policy label associated with vp | |
| prot | Mmap protections (see mmap(2)) |
Determine whether the subject should be allowed to map the vnode vp with the protections specified in prot.
void
mpo_check_vnode_mmap_downgrade(struct ucred
*cred, struct vnode *vp, struct label *label, int
*prot);
| Parameter | Description | Locking |
|---|---|---|
| cred | See Section 14.6.4.37. | |
| vp | ||
| label | ||
| prot | Mmap protections to be downgraded |
Downgrade the mmap protections based on the subject and object labels.
Determine whether the subject should be allowed to set the specified memory protections on memory mapped from the vnode vp.
int
mpo_check_vnode_poll(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label
*label);
| Parameter | Description | Locking |
|---|---|---|
| active_cred | Subject credential | |
| file_cred | Credential associated with the struct file | |
| vp | Polled vnode | |
| label | Policy label associated with vp |
Determine whether the subject should be allowed to poll the vnode vp.
int
mpo_vnode_rename_from(struct ucred *cred, struct
vnode *dvp, struct label *dlabel, struct vnode *vp,
struct label *label, struct componentname
*cnp);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| dvp | Directory vnode | |
| dlabel | Policy label associated with dvp | |
| vp | Vnode to be renamed | |
| label | Policy label asociated with vp | |
| cnp | Component name for vp |
Determine whether the subject should be allowed to rename the vnode vp to something else.
int
mpo_check_vnode_rename_to(struct ucred *cred,
struct vnode *dvp, struct label *dlabel, struct vnode
*vp, struct label *label, int samedir, struct
componentname *cnp);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| dvp | Directory vnode | |
| dlabel | Policy label associated with dvp | |
| vp | Overwritten vnode | |
| label | Policy label associated with vp | |
| samedir | Boolean; 1 if the source and destination directories are the same | |
| cnp | Destination component name |
Determine whether the subject should be allowed to rename to the vnode vp, into the directory dvp, or to the name represented by cnp. If there is no existing file to overwrite, vp and label will be NULL.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| socket | Object; socket | |
| socketlabel | Policy label for socket |
Determine whether the subject credential can listen on the passed socket. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
int
mpo_check_vnode_lookup(struct ucred *cred,
struct vnode *dvp, struct label *dlabel, struct
componentname *cnp);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| dvp | Object; vnode | |
| dlabel | Policy label for dvp | |
| cnp | Component name being looked up |
Determine whether the subject credential can perform a lookup in the passed directory vnode for the passed name. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Object; vnode | |
| label | Policy label for vp | |
| acc_mode | open(2) access mode |
Determine whether the subject credential can perform an open operation on the passed vnode with the passed access mode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| dvp | Object; directory vnode | |
| dlabel | Policy label for dvp |
Determine whether the subject credential can perform a readdir operation on the passed directory vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
Determine whether the subject credential can perform a readlink operation on the passed symlink vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege. This call may be made in a number of situations, including an explicit readlink call by the user process, or as a result of an implicit readlink during a name lookup by the process.
Determine whether the subject credential can revoke access to the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
int
mpo_check_vnode_setacl(struct ucred *cred,
struct vnode *vp, struct label *label, acl_type_t type,
struct acl *acl);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Object; vnode | |
| label | Policy label for vp | |
| type | ACL type | |
| acl | ACL |
Determine whether the subject credential can set the passed ACL of passed type on the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
int
mpo_check_vnode_setextattr(struct ucred *cred,
struct vnode *vp, struct label *label, int
attrnamespace, const char *name, struct uio
*uio);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Object; vnode | |
| label | Policy label for vp | |
| attrnamespace | Extended attribute namespace | |
| name | Extended attribute name | |
| uio | I/O structure pointer; see uio(9) |
Determine whether the subject credentical can set the extended attribute of passed name and passed namespace on the passed vnode. Policies implementing security labels backed into extended attributes may want to provide additional protections for those attributes. Additionally, policies should avoid making decisions based on the data referenced from uio, as there is a potential race condition between this check and the actual operation. The uio may also be NULL if a delete operation is being performed. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
int
mpo_check_vnode_setflags(struct ucred *cred,
struct vnode *vp, struct label *label, u_long
flags);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Object; vnode | |
| label | Policy label for vp | |
| flags | File flags; see chflags(2) |
Determine whether the subject credential can set the passed flags on the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
int
mpo_check_vnode_setmode(struct ucred *cred,
struct vnode *vp, struct label *label, mode_t
mode);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Object; vnode | |
| label | Policy label for vp | |
| mode | File mode; see chmod(2) |
Determine whether the subject credential can set the pased mode on the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
int
mpo_check_vnode_setowner(struct ucred *cred,
struct vnode *vp, struct label *label, uid_t uid, gid_t
gid);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Object; vnode | |
| label | Policy label for vp | |
| uid | User ID | |
| gid | Group ID |
Determine whether the subject credential can set the passed uid and passed gid as file uid and file gid on the passed vnode. The IDs may be set to (-1) to request no update. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
int
mpo_check_vnode_setutimes(struct ucred *cred,
struct vnode *vp, struct label *label, struct timespec
atime, struct timespec mtime);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Object; vp | |
| label | Policy label for vp | |
| atime | Access time; see utimes(2) | |
| mtime | Modification time; see utimes(2) |
Determine whether the subject credential can set the passed access timestamps on the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
Determine whether the subject credential can change the scheduling parameters of the passed process. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to limit visibility.
See setpriority(2) for more information.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| proc | Object; process | |
| signal | Signal; see kill(2) |
Determine whether the subject credential can deliver the passed signal to the passed process. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to limit visibility.
Determine whether the subject credential can stat the passed vnode. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
See stat(2) for more information.
int
mpo_check_ifnet_transmit(struct ucred *cred,
struct ifnet *ifnet, struct label *ifnetlabel, struct
mbuf *mbuf, struct label *mbuflabel);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| ifnet | Network interface | |
| ifnetlabel | Policy label for ifnet | |
| mbuf | Object; mbuf to be sent | |
| mbuflabel | Policy label for mbuf |
Determine whether the network interface can transmit the passed mbuf. Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege.
int
mpo_check_socket_deliver(struct ucred *cred,
struct ifnet *ifnet, struct label *ifnetlabel, struct
mbuf *mbuf, struct label *mbuflabel);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| ifnet | Network interface | |
| ifnetlabel | Policy label for ifnet | |
| mbuf | Object; mbuf to be delivered | |
| mbuflabel | Policy label for mbuf |
Determine whether the socket may receive the datagram stored in the passed mbuf header. Return 0 for success, or an errno value for failure. Suggested failures: EACCES for label mismatch, or EPERM for lack of privilege.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | Immutable |
| so | Object; socket | |
| socketlabel | Policy label for so |
Determine whether the subject credential cred can "see" the passed socket (socket) using system monitoring functions, such as those employed by netstat(8) and sockstat(1). Return 0 for success, or an errno value for failure. Suggested failure: EACCES for label mismatches, EPERM for lack of privilege, or ESRCH to hide visibility.
| Parameter | Description | Locking |
|---|---|---|
| ucred | Subject credential | |
| vp | Accounting file; acct(5) | |
| vlabel | Label associated with vp |
Determine whether the subject should be allowed to enable accounting, based on its label and the label of the accounting log file.
Determine whether the subject should be allowed to call nfssvc(2).
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| howto | howto parameter from reboot(2) |
Determine whether the subject should be allowed to reboot the system in the specified manner.
Determine whether the user should be allowed to set the system clock.
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| vp | Swap device | |
| vlabel | Label associated with vp |
Determine whether the subject should be allowed to add vp as a swap device.
int
mpo_check_system_sysctl(struct ucred *cred, int
*name, u_int *namelen, void *old, size_t *oldlenp, int
inkernel, void *new, size_t newlen);
| Parameter | Description | Locking |
|---|---|---|
| cred | Subject credential | |
| name | See sysctl(3) | |
| namelen | ||
| old | ||
| oldlenp | ||
| inkernel | Boolean; 1 if called from kernel | |
| new | See sysctl(3) | |
| newlen |
Determine whether the subject should be allowed to make the specified sysctl(3) transaction.
Relabel events occur when a user process has requested that the label on an object be modified. A two-phase update occurs: first, an access control check will be performed to determine if the update is both valid and permitted, and then the update itself is performed via a seperate entry point. Relabel entry points typically accept the object, object label reference, and an update label submitted by the process. Memory allocation during relabel is discouraged, as relabel calls are not permitted to fail (failure should be reported earlier in the relabel check).
Destroy the label on a vnode. In this entry point, a policy module should free any internal storage associated with label so that it may be destroyed.
This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the
documentation
before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.