37c37
< * $FreeBSD: head/sys/security/mac/mac_framework.h 105643 2002-10-21 18:42:01Z rwatson $
---
> * $FreeBSD: head/sys/security/mac/mac_framework.h 105693 2002-10-22 14:27:44Z rwatson $
65c65,68
< #define MAC_MAX_POLICY_NAME 32
---
> #define MAC_MAX_POLICY_NAME 32
> #define MAC_MAX_LABEL_ELEMENT_NAME 32
> #define MAC_MAX_LABEL_ELEMENT_DATA 4096
> #define MAC_MAX_LABEL_BUF_LEN 8192
66a70,78
> struct mac {
> size_t m_buflen;
> char *m_string;
> };
>
> typedef struct mac *mac_t;
>
> #ifndef _KERNEL
>
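Review bot: The new `struct mac` is a bare length/pointer pair that will cross the user/kernel boundary, but nothing here says what `m_buflen` measures or who allocates `m_string`; a reader cannot tell whether the length includes the NUL or how it relates to the MAC_MAX_LABEL_BUF_LEN added just above. Presumably the kernel side copies in at most m_buflen bytes and rejects anything above MAC_MAX_LABEL_BUF_LEN — that code is not in this diff, so confirm — and the header is the place to pin that contract so userland and kernel agree. I would document the fields inline: `size_t m_buflen; /* size of caller-supplied m_string buffer, including NUL; must not exceed MAC_MAX_LABEL_BUF_LEN */` and `char *m_string; /* text label, NUL-terminated within m_buflen */`. The `#ifndef _KERNEL` opened on the last line of this hunk is closed in a later hunk.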
68,69c80,82
< * XXXMAC: Per-policy structures will be moved from mac.h to per-policy
< * include files once the revised user interface is available.
---
> * Location of the userland MAC framework configuration file. mac.conf
> * binds policy names to shared libraries that understand those policies,
> * as well as setting defaults for MAC-aware applications.
70a84
> #define MAC_CONFFILE "/etc/mac.conf"
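Review bot: The comment above this define says mac.conf binds policy names to shared libraries, which means whatever reads MAC_CONFFILE ends up loading code named by that file into MAC-aware (and possibly privileged) processes; the trust requirement on the file should be stated here since it is the only place the path is defined. The loader itself is not in this diff, so I cannot tell whether it checks ownership or permissions, but the header comment should at least say what it expects, e.g. `/* mac.conf and the libraries it names must be owned by root and not writable by other users; MAC-aware applications load those libraries. */`. If the userland library is meant to refuse a world-writable configuration, say so here too.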
73,77c87,88
< * Structures and constants associated with a Biba Integrity policy.
< * mac_biba represents a Biba label, with mb_type determining its properties,
< * and mb_grade represents the hierarchal grade if valid for the current
< * mb_type. These structures will move to mac_biba.h once we have dymamic
< * labels exposed to userland.
---
> * Extended non-POSIX.1e interfaces that offer additional services
> * available from the userland and kernel MAC frameworks.
78a90,116
> int mac_free(mac_t _label);
> int mac_from_text(mac_t *_label, const char *_text);
> int mac_get_fd(int _fd, mac_t _label);
> int mac_get_file(const char *_path, mac_t _label);
> int mac_get_link(const char *_path, mac_t _label);
> int mac_get_pid(pid_t _pid, mac_t _label);
> int mac_get_proc(mac_t _label);
> int mac_is_present(const char *_policyname);
> int mac_prepare(mac_t *_label, char *_elements);
> int mac_prepare_file_label(mac_t *_label);
> int mac_prepare_ifnet_label(mac_t *_label);
> int mac_prepare_process_label(mac_t *_label);
> int mac_set_fd(int _fildes, const mac_t _label);
> int mac_set_file(const char *_path, mac_t _label);
> int mac_set_link(const char *_path, mac_t _label);
> int mac_set_proc(const mac_t _label);
> int mac_syscall(const char *_policyname, int _call, void *_arg);
> int mac_to_text(mac_t mac, char **_text);
>
> #endif /* !_KERNEL */
>
> /*
> * XXXMAC: For compatibility until the labels on disk are changed. We
> * will enable the definitions in various policy include files once
> * these can be disabled.
> */
>
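Review bot: The prototypes are inconsistent in ways that matter for a system header: `mac_to_text(mac_t mac, char **_text)` names its first parameter `mac` while every other prototype uses an underscore-prefixed name, so a user `#define mac` would break the declaration; `mac_get_fd` takes `_fd` while `mac_set_fd` takes `_fildes`; and `mac_set_file`/`mac_set_link` take a plain `mac_t _label` while `mac_set_fd`/`mac_set_proc` take `const mac_t _label`. I would change the first to `int mac_to_text(mac_t _label, char **_text);` and make the set_* label parameters uniformly `const mac_t`. The allocating calls (`mac_from_text`, `mac_prepare*`, `mac_to_text`) also say nothing about ownership — it looks like `*_label` is released with `mac_free` and `*_text` with `free(3)`, but that is an inference, so a one-line comment above the group stating the actual rule would save every caller from guessing.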
79a118
>
86,91d124
< /*
< * Biba labels consist of two components: a single label, and a label
< * range. Depending on the context, one or both may be used; the mb_flags
< * field permits the provider to indicate what fields are intended for
< * use.
< */
95c128
< struct mac_biba_element mb_rangelow, mb_rangehigh;
---
> struct mac_biba_element mb_rangelow, mb_rangehigh;
98,104d130
< /*
< * Structures and constants associated with a Multi-Level Security policy.
< * mac_mls represents an MLS label, with mm_type determining its properties,
< * and mm_level represents the hierarchal sensitivity level if valid for the
< * current mm_type. These structures will move to mac_mls.h once we have
< * dynamic labels exposed to userland.
< */
105a132
>
112,117d138
< /*
< * MLS labels consist of two components: a single label, and a label
< * range. Depending on the context, one or both may be used; the mb_flags
< * field permits the provider to indicate what fields are intended for
< * use.
< */
124,127d144
< /*
< * Structures and constants associated with a Type Enforcement policy.
< * mac_te represents a Type Enforcement label.
< */
130c147
< char mt_type[MAC_TE_TYPE_MAXLEN+1]; /* TE type */
---
> char mt_type[MAC_TE_TYPE_MAXLEN];
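Review bot: Dropping the `+1` from `mt_type[MAC_TE_TYPE_MAXLEN+1]` removes the slot that held the NUL terminator, and the diff gives no reason for it. MAC_TE_TYPE_MAXLEN is defined outside this hunk, so I cannot see whether it already counts the terminator; if it is the maximum type-name length, a full-length name now has no room for its NUL and every string operation on `mt_type` must treat the field as possibly unterminated. It also changes the size of this member and therefore of `struct oldmac`, which the comment added earlier in this diff says is being kept for compatibility with labels already on disk. Either restore the `+1` or make the new contract explicit: `char mt_type[MAC_TE_TYPE_MAXLEN]; /* fixed-width, not necessarily NUL-terminated */`.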
134c151
< uint32_t ms_psid; /* persistent sid storage */
---
> uint32_t ms_psid;
137,147c154,159
< /*
< * Composite structures and constants which combine the various policy
< * elements into common structures to be associated with subjects and
< * objects.
< */
< struct mac {
< int m_macflags;
< struct mac_biba m_biba;
< struct mac_mls m_mls;
< struct mac_te m_te;
< struct mac_sebsd m_sebsd;
---
> struct oldmac {
> int m_macflags;
> struct mac_biba m_biba;
> struct mac_mls m_mls;
> struct mac_te m_te;
> struct mac_sebsd m_sebsd;
149d160
< typedef struct mac *mac_t;
151c162
< #define MAC_FLAG_INITIALIZED 0x00000001 /* Is initialized. */
---
> #ifdef _KERNEL
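Review bot: MAC_FLAG_INITIALIZED is the only bit ever defined for `m_macflags`, and it is deleted here while the `int m_macflags;` field stays in `struct oldmac` (renamed in the previous hunk); after this change the header defines a flags word with no defined bits. If the field is kept only so the on-disk layout of `struct oldmac` is unchanged, a comment on it saying `/* unused; retained for on-disk layout compatibility */` would stop someone from reusing the bit value, and if kernel code still tests the old bit the define should move rather than vanish. I cannot see the kernel users from this diff, so confirm before removing it.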
153,154d163
< #ifndef _KERNEL
<
156,192d164
< * POSIX.1e functions visible in the application namespace.
< */
< int mac_dominate(const mac_t _labela, const mac_t _labelb);
< int mac_equal(const mac_t labela, const mac_t _labelb);
< int mac_free(void *_buf_p);
< mac_t mac_from_text(const char *_text_p);
< mac_t mac_get_fd(int _fildes);
< mac_t mac_get_file(const char *_path_p);
< mac_t mac_get_proc(void);
< mac_t mac_glb(const mac_t _labela, const mac_t _labelb);
< mac_t mac_lub(const mac_t _labela, const mac_t _labelb);
< int mac_set_fd(int _fildes, const mac_t _label);
< int mac_set_file(const char *_path_p, mac_t _label);
< int mac_set_proc(const mac_t _label);
< ssize_t mac_size(mac_t _label);
< char * mac_to_text(const mac_t _label, size_t *_len_p);
< int mac_valid(const mac_t _label);
<
< /*
< * Extensions to POSIX.1e visible in the application namespace.
< */
< int mac_is_present_np(const char *_policyname);
< int mac_syscall(const char *_policyname, int call, void *arg);
<
< /*
< * System calls wrapped by some POSIX.1e functions.
< */
< int __mac_get_fd(int _fd, struct mac *_mac_p);
< int __mac_get_file(const char *_path_p, struct mac *_mac_p);
< int __mac_get_proc(struct mac *_mac_p);
< int __mac_set_fd(int fd, struct mac *_mac_p);
< int __mac_set_file(const char *_path_p, struct mac *_mac_p);
< int __mac_set_proc(struct mac *_mac_p);
<
< #else /* _KERNEL */
<
< /*
250d221
< void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp);
252a224
> void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp);