Search scope: only in /macosx-10.5.8/xnu-1228.15.4/security/

Lines Matching refs:label

93 struct label;
142 sleep during label initialization operations; it will be noted when
146 generic label for the given object. What follows initialization is
147 creation, where a label is made specific to the object it is associated
148 with. Destruction occurs when the label is no longer needed, such as
150 be performed in label destroy operations.
152 Where possible, the label entry points have identical parameters. If
153 the policy module does not require structure-specific label
223 @brief Initialize BPF descriptor label
224 @param label New label to initialize
226 Initialize the label for a newly instantiated BPF descriptor.
230 struct label *label
233 @brief Destroy BPF descriptor label
234 @param label The label to be destroyed
236 Destroy a BPF descriptor label. Since the BPF descriptor
238 storage associated with the label so that it may be destroyed.
241 struct label *label
244 @brief Associate a BPF descriptor with a label
247 @param bpflabel The new label
249 Set the label on a newly created BPF descriptor from the passed
256 struct label *bpflabel
261 @param bpflabel Policy label for bpf_d
263 @param ifnetlabel Policy label for ifp
268 value for failure. Suggested failure: EACCES for label mismatches,
273 struct label *bpflabel,
275 struct label *ifnetlabel
278 @brief Indicate desire to change the process label at exec time
282 @param scriptvnodelabel Script vnode label
283 @param execlabel Userspace provided execution label
289 Indicate whether this policy intends to update the label of a newly
300 example, a script), the label of the original exec-time vnode has
303 The final label, execlabel, corresponds to a label supplied by a
318 struct label *vnodelabel,
319 struct label *scriptvnodelabel,
320 struct label *execlabel,
326 @param newlabel New label to apply to the user credential
331 itself to the supplied new label (newlabel). This access control check
341 struct label *newlabel
354 errno should be returned. Suggested failure: EACCES for label mismatch,
370 catch label destroy callback.
381 kernel processes. Policies should update the label in the
388 @brief Create a credential label
392 Set the label of a newly created credential, most likely using the
408 user processes. Policies should update the label in the previously
415 @brief Destroy credential label
416 @param label The label to be destroyed
418 Destroy a user credential label. Since the user credential
420 storage associated with the label so that it may be destroyed.
423 struct label *label
426 @brief Externalize a user credential label for auditing
427 @param label Label to be externalized
428 @param element_name Name of the label namespace for which labels should be
430 @param sb String buffer to be filled with a text representation of the label
432 Produce an external representation of the label on a user credential for
433 inclusion in an audit record. An externalized label consists of a text
434 representation of the label contents that will be added to the audit record
439 externalizing the label data.
443 struct label *label,
448 @brief Externalize a user credential label
449 @param label Label to be externalized
450 @param element_name Name of the label namespace for which labels should be
452 @param sb String buffer to be filled with a text representation of the label
454 Produce an external representation of the label on a user
455 credential. An externalized label consists of a text representation
456 of the label contents that can be used with user applications.
461 externalizing the label data.
465 struct label *label,
470 @brief Initialize user credential label
471 @param label New label to initialize
473 Initialize the label for a newly instantiated user credential.
477 struct label *label
480 @brief Internalize a user credential label
481 @param label Label to be internalized
482 @param element_name Name of the label namespace for which the label should
486 Produce a user credential label from an external representation. An
487 externalized label consists of a text representation of the label
493 policy has registered interest in the label namespace.
496 while internalizing the label data.
500 struct label *label,
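The label lifecycle described in the hits above (initialization, then creation via the associate_* entry points, then destruction), together with the credential externalize/internalize pair and the relabel check that fails with EACCES on a label mismatch, modelled as a stand-alone C program. This is an added example, not code from xnu or from any shipped MAC policy: the layout of struct label, the per-policy slot, the sbuf stand-in and every demo_* and mac_* name are assumptions made for the illustration, and it is written so a harness calls the functions directly rather than through a main().

```c
/* Added example, not xnu code: a userland model of the credential label entry
 * points listed above. struct label, the per-policy slot, struct sbuf and all
 * demo_* / mac_* names are assumptions made for this illustration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_SLOT     0        /* assumed: slot the framework gave this policy */
#define DEMO_NS       "demo"   /* assumed: namespace the policy registers */
#define DEMO_MAXLEVEL 3

struct label { void *slots[4]; };            /* one opaque slot per loaded policy */
struct demo_cred { int level; };             /* this policy's data: a clearance level */
struct sbuf { char buf[128]; size_t len; };  /* minimal stand-in for the kernel sbuf */

static void sbuf_cat(struct sbuf *sb, const char *s)
{
    size_t n = strlen(s), room = sizeof sb->buf - 1 - sb->len;
    if (n > room) n = room;                  /* truncate rather than overflow */
    memcpy(sb->buf + sb->len, s, n);
    sb->len += n;
    sb->buf[sb->len] = '\0';
}

static struct demo_cred *demo_slot(struct label *l) { return l->slots[DEMO_SLOT]; }

/* init: allocate storage only; creation (associate_*) gives it a meaning. */
static void demo_cred_label_init(struct label *l)
{
    struct demo_cred *dc = calloc(1, sizeof *dc);
    if (dc == NULL) abort();
    dc->level = -1;                          /* initialized but not yet created */
    l->slots[DEMO_SLOT] = dc;
}
static void demo_cred_label_associate_kernel(struct label *l) { demo_slot(l)->level = DEMO_MAXLEVEL; }
static void demo_cred_label_associate_user(struct label *l)   { demo_slot(l)->level = 0; }

/* destroy: the credential is going away, release the policy's storage. */
static void demo_cred_label_destroy(struct label *l)
{
    free(l->slots[DEMO_SLOT]);
    l->slots[DEMO_SLOT] = NULL;
}

/* externalize: contribute text only when asked for our own namespace. */
static int demo_cred_label_externalize(struct label *l, const char *element_name, struct sbuf *sb)
{
    char tmp[16];
    if (strcmp(element_name, DEMO_NS) != 0) return 0;
    if (demo_slot(l) == NULL || demo_slot(l)->level < 0) return EINVAL;
    snprintf(tmp, sizeof tmp, "%d", demo_slot(l)->level);
    sbuf_cat(sb, tmp);
    return 0;
}

/* internalize: the text is untrusted (it comes from userland), so accept
 * exactly one in-range integer and reject everything else with EINVAL. */
static int demo_cred_label_internalize(struct label *l, const char *element_name, const char *element_data)
{
    char *end; long v;
    if (strcmp(element_name, DEMO_NS) != 0) return 0;
    if (demo_slot(l) == NULL) return EINVAL;
    v = strtol(element_data, &end, 10);
    if (*element_data == '\0' || *end != '\0' || v < 0 || v > DEMO_MAXLEVEL) return EINVAL;
    demo_slot(l)->level = (int)v;
    return 0;
}

/* check_label_update: a subject may not relabel itself upward; EACCES is the
 * suggested failure for a label mismatch. */
static int demo_cred_check_label_update(struct label *cred, struct label *newlabel)
{
    struct demo_cred *want = demo_slot(newlabel);
    if (want == NULL || want->level < 0) return 0;   /* our namespace not mentioned */
    return want->level > demo_slot(cred)->level ? EACCES : 0;
}
static void demo_cred_label_update(struct label *cred, struct label *newlabel) { demo_slot(cred)->level = demo_slot(newlabel)->level; }

/* Framework-side helper (assumed shape): for each requested namespace emit
 * "name/value", rolling the prefix back when no policy claimed that name. */
static int mac_cred_label_externalize(struct label *l, const char *elements, struct sbuf *sb)
{
    while (*elements != '\0') {
        const char *comma = strchr(elements, ',');
        size_t n = comma ? (size_t)(comma - elements) : strlen(elements), before = sb->len, mark;
        char name[32]; int error;
        if (n == 0 || n >= sizeof name) return EINVAL;
        memcpy(name, elements, n); name[n] = '\0';
        if (before > 0) sbuf_cat(sb, ",");
        sbuf_cat(sb, name); sbuf_cat(sb, "/");
        mark = sb->len;
        if ((error = demo_cred_label_externalize(l, name, sb)) != 0) return error;
        if (sb->len == mark) { sb->len = before; sb->buf[before] = '\0'; }
        elements += n + (comma ? 1 : 0);
    }
    return 0;
}
```

Two points the page makes are visible in the code: internalize is where attacker-controlled text enters the kernel, so it accepts exactly one in-range integer and returns EINVAL for anything else; and a policy asked to externalize a namespace it did not register must contribute nothing, which the framework-side helper detects by rolling back the "name/" prefix it had already written.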
510 @param scriptvnodelabel Script vnode label
511 @param execlabel Userspace provided execution label
516 Update the label of a newly created credential (new) from the
525 example, a script), the label of the original exec-time vnode has
528 The final label, execlabel, corresponds to a label supplied by a
542 struct label *vnodelabel,
543 struct label *scriptvnodelabel,
544 struct label *execlabel,
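The two exec-time entry points whose parameters appear above, the check that reports whether the policy intends to relabel at exec and the update that applies the new credential label, modelled in C with the script case (scriptvnodelabel) and the userspace-supplied execlabel. This is an added example and not xnu or any real policy's code: struct label, its slot layout, the entry-point level stored in the vnode label and the demo_* transition rules are all assumptions chosen to show the one point that matters, that the transition is decided by the label of the file actually being run and never by the requester.

```c
/* Added example, not xnu code: a userland model of the two exec-time entry
 * points above, cred_check_label_update_execve (does this policy intend to
 * relabel?) and cred_label_update_execve (apply it). struct label, its slot
 * layout and the demo_* policy rules below are assumptions. */
#include <stdio.h>

#define DEMO_SLOT 0
struct label { void *slots[4]; };
struct demo_cred  { int level; };       /* credential data: current level, 0 = plain user */
struct demo_vnode { int entrypoint; };  /* vnode data: level the file may run at, or -1 */

static struct demo_cred  *cred_of(struct label *l)  { return l ? l->slots[DEMO_SLOT] : NULL; }
static struct demo_vnode *vnode_of(struct label *l) { return l ? l->slots[DEMO_SLOT] : NULL; }

/* When an interpreter is exec'd on behalf of a script, scriptvnodelabel is the
 * script's label and it is the one that governs; the interpreter's own label
 * (vnodelabel) must not hand the script the interpreter's privileges. */
static struct demo_vnode *governing_vnode(struct label *vnodelabel, struct label *scriptvnodelabel)
{
    return scriptvnodelabel ? vnode_of(scriptvnodelabel) : vnode_of(vnodelabel);
}

/* Level the new credential would get, or -1 for "no transition". Demo rules:
 * an entry-point file moves the subject to that level; the userspace execlabel
 * (from mac_execve) is honored only if it asks for a level no higher than the
 * subject would otherwise get, so it can drop privilege but never gain it. */
static int demo_transition_level(struct label *old, struct label *vnodelabel,
                                 struct label *scriptvnodelabel, struct label *execlabel)
{
    struct demo_vnode *v = governing_vnode(vnodelabel, scriptvnodelabel);
    struct demo_cred *req = cred_of(execlabel);
    int cur = cred_of(old)->level;
    int target = (v && v->entrypoint >= 0) ? v->entrypoint : cur;
    if (req && req->level >= 0 && req->level <= target) target = req->level;
    return target == cur ? -1 : target;
}

/* Entry point 1: report intent so the framework knows whether a fresh
 * credential is needed. Nonzero means "this policy will relabel". */
static int demo_cred_check_label_update_execve(struct label *old, struct label *vnodelabel,
                                               struct label *scriptvnodelabel, struct label *execlabel)
{
    return demo_transition_level(old, vnodelabel, scriptvnodelabel, execlabel) != -1;
}

/* Entry point 2: apply the transition to the newly created credential. */
static void demo_cred_label_update_execve(struct label *old, struct label *new_, struct label *vnodelabel,
                                          struct label *scriptvnodelabel, struct label *execlabel)
{
    int target = demo_transition_level(old, vnodelabel, scriptvnodelabel, execlabel);
    cred_of(new_)->level = target == -1 ? cred_of(old)->level : target;
}

/* Harness: build the labels, run both entry points the way the framework
 * would, and return the level the new image ends up running with.
 * script_entry is ignored unless is_script; exec_req < 0 means no execlabel. */
static int demo_exec(int cur_level, int file_entry, int is_script, int script_entry, int exec_req)
{
    struct demo_cred oc = { cur_level }, nc = { -1 }, rq = { exec_req };
    struct demo_vnode fv = { file_entry }, sv = { script_entry };
    struct label old = { { &oc } }, new_ = { { &nc } }, vl = { { &fv } }, sl = { { &sv } }, el = { { &rq } };
    struct label *script = is_script ? &sl : NULL, *execl = exec_req >= 0 ? &el : NULL;
    if (!demo_cred_check_label_update_execve(&old, &vl, script, execl))
        return cur_level;                   /* framework keeps the old credential */
    demo_cred_label_update_execve(&old, &new_, &vl, script, execl);
    return nc.level;
}

int main(void)
{
    printf("entry-point binary, level 2:       %d\n", demo_exec(0, 2, 0, -1, -1));
    printf("script run by that interpreter:    %d\n", demo_exec(0, 2, 1, -1, -1));
    printf("mac_execve asking for level 3:     %d\n", demo_exec(0, 2, 0, -1, 3));
    printf("mac_execve dropping from 2 to 1:   %d\n", demo_exec(2, -1, 0, -1, 1));
    return 0;
}
```

The second and third cases are the ones worth checking in a real policy: a script executed through an interpreter that is itself an entry point must not inherit the interpreter's level, and a label requested through mac_execve may lower the subject's level but a request above what the file grants is silently clamped rather than honored.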
548 @brief Update a credential label
550 @param newlabel A new label to apply to the credential
554 Update the label on a user credential, using the supplied new label.
560 struct label *newlabel
566 @param label Destination label
569 This entry point labels a new devfs device. The label will likely be based
571 The policy should store an appropriate label into 'label'.
576 struct label *label,
584 @param label Destination label
587 This entry point labels a new devfs directory. The label will likely be
589 label into 'label'. The devfs root directory is labelled in this way.
595 struct label *label,
599 @brief Copy a devfs label
600 @param src Source devfs label
601 @param dest Destination devfs label
603 Copy the label information from src to dest. The devfs file system
608 struct label *src,
609 struct label *dest
612 @brief Destroy devfs label
613 @param label The label to be destroyed
615 Destroy a devfs entry label. Since the object is going out
617 with the label so that it may be destroyed.
620 struct label *label
623 @brief Initialize devfs label
624 @param label New label to initialize
626 Initialize the label for a newly instantiated devfs entry. Sleeping
630 struct label *label
633 @brief Update a devfs label after relabelling its vnode
638 @param vnodelabel New label of vnode
640 Update a devfs label when its vnode is manually relabelled,
642 the vnode label into the devfs label.
647 struct label *delabel,
649 struct label *vnodelabel
655 @param label Policy label for fg
666 struct label *label
685 @param label Policy label for fg
698 struct label *label,
705 @param label Policy label for fg
718 struct label *label,
730 to get an externalized version of the label on the object indicated by fd.
745 @param label Policy label for fg
756 struct label *label
762 @param label Policy label for fg
773 struct label *label
779 @param label Policy label for fg
796 struct label *label,
803 @param label Policy label for fg
817 struct label *label,
825 @param label Policy label associated with vp
838 errno should be returned. Suggested failure: EACCES for label mismatch or
844 struct label *label,
853 @param label Policy label associated with vp
861 struct label *label,
868 @param label Policy label for fg
879 struct label *label
890 to associate a MAC label with a file.
902 @brief Create file label
905 @param label Policy label for fg
910 struct label *label
913 @brief Destroy file label
914 @param label The label to be destroyed
916 Destroy the label on a file descriptor. In this entry point, a
918 label so that it may be destroyed.
921 struct label *label
924 @brief Initialize file label
925 @param label New label to initialize
928 struct label *label
934 @param ifnetlabel Current label of the network interfaces
935 @param newlabel New label to apply to the network interfaces
940 new label (newlabel).
948 struct label *ifnetlabel,
949 struct label *newlabel
960 Determine whether the mbuf with label mbuflabel may be transmitted
962 label ifnetlabel.
969 struct label *ifnetlabel,
971 struct label *mbuflabel,
976 @brief Create a network interface label
980 Set the label of a newly created network interface, most likely
985 struct label *ifnetlabel
988 @brief Copy an ifnet label
989 @param src Source ifnet label
990 @param dest Destination ifnet label
992 Copy the label information from src to dest.
995 struct label *src,
996 struct label *dest
999 @brief Destroy ifnet label
1000 @param label The label to be destroyed
1002 Destroy the label on an ifnet. In this entry point, a
1004 label so that it may be destroyed.
1007 struct label *label
1010 @brief Externalize an ifnet label
1011 @param label Label to be externalized
1012 @param element_name Name of the label namespace for which labels should be
1014 @param sb String buffer to be filled with a text representation of the label
1016 Produce an external representation of the label on an interface.
1017 An externalized label consists of a text representation of the
1018 label contents that can be used with user applications.
1023 externalizing the label data.
1027 struct label *label,
1032 @brief Initialize ifnet label
1033 @param label New label to initialize
1036 struct label *label
1039 @brief Internalize an interface label
1040 @param label Label to be internalized
1041 @param element_name Name of the label namespace for which the label should
1045 Produce an interface label from an external representation. An
1046 externalized label consists of a text representation of the label
1052 policy has registered interest in the label namespace.
1055 while internalizing the label data.
1059 struct label *label,
1064 @brief Recycle a network interface label
1065 @param label The label to be recycled
1067 Recycle a network interface label. Darwin caches the struct ifnet
1070 present in the label.
1073 struct label *label
1076 @brief Update a network interface label
1079 @param ifnetlabel The current label of the network interface
1080 @param newlabel A new label to apply to the network interface
1083 Update the label on a network interface, using the supplied new label.
1088 struct label *ifnetlabel,
1089 struct label *newlabel
1100 Determine whether the mbuf with label mbuflabel may be received
1101 by the socket associated with inpcb that has the label inplabel.
1108 struct label *inplabel,
1110 struct label *mbuflabel,
1115 @brief Create an inpcb label
1121 Set the label of a newly created inpcb, most likely
1122 using the information in the socket and/or socket label.
1126 struct label *solabel,
1128 struct label *inplabel
1131 @brief Destroy inpcb label
1132 @param label The label to be destroyed
1134 Destroy the label on an inpcb. In this entry point, a
1136 label so that it may be destroyed.
1139 struct label *label
1142 @brief Initialize inpcb label
1143 @param label New label to initialize
1147 struct label *label,
1151 @brief Recycle an inpcb label
1152 @param label The label to be recycled
1154 Recycle an inpcb label. Darwin allocates the inpcb as part of
1159 struct label *label
1162 @brief Update an inpcb label from a socket label
1164 @param solabel New label of the socket
1168 Set the label of a newly created inpcb due to a change in the
1169 underlying socket label.
1173 struct label *solabel,
1175 struct label *inplabel
1203 @brief Create an IP reassembly queue label
1205 @param fragmentlabel Policy label for fragment
1207 @param ipqlabel Policy label to be filled in for ipq
1209 Set the label on a newly created IP reassembly queue from
1214 struct label *fragmentlabel,
1216 struct label *ipqlabel
1219 @brief Compare an mbuf header label to an ipq label
1221 @param fragmentlabel Policy label for fragment
1223 @param ipqlabel Policy label for ipq
1225 Compare the label of the mbuf header containing an IP datagram
1226 (fragment) fragment with the label of the passed IP fragment
1233 policy does not permit them to be reassembled based on the label
1238 struct label *fragmentlabel,
1240 struct label *ipqlabel
1243 @brief Destroy IP reassembly queue label
1244 @param label The label to be destroyed
1246 Destroy the label on an IP fragment queue. In this entry point, a
1248 label so that it may be destroyed.
1251 struct label *label
1254 @brief Initialize IP reassembly queue label
1255 @param label New label to initialize
1258 Initialize the label on a newly instantiated IP fragment reassembly
1268 struct label *label,
1272 @brief Update the label on an IP fragment reassembly queue
1274 @param fragmentlabel Policy label for fragment
1276 @param ipqlabel Policy label to be updated for ipq
1278 Update the label on an IP fragment reassembly queue (ipq) based
1283 struct label *fragmentlabel,
1285 struct label *ipqlabel
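The reassembly-queue entry points listed above (ipq_label_associate, ipq_label_compare and ipq_label_update), together with netinet_fragment, which labels outgoing fragments, and ipq_reassemble, which labels the rebuilt datagram, exercised in C over constructed fragments. This is an added example, not xnu code: struct label, the struct mbuf and struct ipq stand-ins, the queue-lookup loop and the demo_* names are assumptions, and the policy rule (a fragment may only join a queue carrying the same label) is the simplest one that shows why compare exists at all, namely to stop fragments from different security contexts being stitched into one datagram.

```c
/* Added example, not xnu code: a userland model of the IP reassembly label
 * entry points above plus netinet_fragment and ipq_reassemble, driven by
 * constructed fragments. struct label, struct mbuf, struct ipq and the demo_*
 * names are assumptions; the demo policy lets a fragment join a queue only
 * when both carry the same compartment label. */
#include <string.h>

#define DEMO_SLOT 0
#define MAX_IPQ   4

struct label { void *slots[4]; };
struct demo_net { int compartment; };   /* policy data on an mbuf or ipq */
struct mbuf { int id; int off; struct label label; struct demo_net data; };               /* constructed stand-in */
struct ipq  { int in_use; int id; int nfrags; struct label label; struct demo_net data; }; /* constructed stand-in */

static struct demo_net *net_of(struct label *l) { return l->slots[DEMO_SLOT]; }

/* netinet_fragment: each fragment inherits the label of its datagram. */
static void demo_netinet_fragment(struct label *datagramlabel, struct label *fragmentlabel)
{
    net_of(fragmentlabel)->compartment = net_of(datagramlabel)->compartment;
}

/* ipq_label_associate: a new queue takes the label of its first fragment. */
static void demo_ipq_label_associate(struct label *fragmentlabel, struct label *ipqlabel)
{
    net_of(ipqlabel)->compartment = net_of(fragmentlabel)->compartment;
}

/* ipq_label_compare: 1 if the fragment may be reassembled into this queue. */
static int demo_ipq_label_compare(struct label *fragmentlabel, struct label *ipqlabel)
{
    return net_of(fragmentlabel)->compartment == net_of(ipqlabel)->compartment;
}

/* ipq_label_update: called once a fragment is accepted; compare already
 * required equality, so this policy has nothing to fold into the queue. */
static void demo_ipq_label_update(struct label *fragmentlabel, struct label *ipqlabel) { (void)fragmentlabel; (void)ipqlabel; }

/* ipq_reassemble: the rebuilt datagram carries the queue's label. */
static void demo_ipq_reassemble(struct label *ipqlabel, struct label *mbuflabel)
{
    net_of(mbuflabel)->compartment = net_of(ipqlabel)->compartment;
}

static void demo_mbuf_init(struct mbuf *m, int id, int off, int compartment)
{
    memset(m, 0, sizeof *m);
    m->id = id; m->off = off;
    m->label.slots[DEMO_SLOT] = &m->data;
    m->data.compartment = compartment;
}

/* Stack-side model of fragment arrival: join the queue for this IP id whose
 * label the fragment passes, else open a new one. Returns queue index or -1. */
static int demo_ipq_insert(struct ipq *queues, struct mbuf *frag)
{
    struct ipq *q;
    int i, free_slot = -1;
    for (i = 0; i < MAX_IPQ; i++) {
        if (!queues[i].in_use) { if (free_slot < 0) free_slot = i; continue; }
        if (queues[i].id != frag->id) continue;
        if (demo_ipq_label_compare(&frag->label, &queues[i].label)) {
            demo_ipq_label_update(&frag->label, &queues[i].label);
            queues[i].nfrags++;
            return i;
        }
        /* same IP id but a different label: must not be mixed into that queue */
    }
    if (free_slot < 0) return -1;
    q = &queues[free_slot];
    q->in_use = 1; q->id = frag->id; q->nfrags = 1;
    q->label.slots[DEMO_SLOT] = &q->data;
    demo_ipq_label_associate(&frag->label, &q->label);
    return free_slot;
}

/* Constructed scenario: a compartment-1 datagram split in two, then a spoofed
 * third fragment with the same IP id arriving from compartment 2. Returns the
 * number of queues in use and the label of the datagram rebuilt from queue 0. */
static int demo_run(int *reassembled_compartment)
{
    struct ipq queues[MAX_IPQ];
    struct mbuf datagram, frags[3], out;
    int i, used = 0;
    memset(queues, 0, sizeof queues);
    demo_mbuf_init(&datagram, 7, 0, 1);
    demo_mbuf_init(&frags[0], 7, 0, -1);
    demo_mbuf_init(&frags[1], 7, 1480, -1);
    demo_netinet_fragment(&datagram.label, &frags[0].label);
    demo_netinet_fragment(&datagram.label, &frags[1].label);
    demo_mbuf_init(&frags[2], 7, 2960, 2);
    for (i = 0; i < 3; i++)
        if (demo_ipq_insert(queues, &frags[i]) < 0) return -1;
    for (i = 0; i < MAX_IPQ; i++) used += queues[i].in_use;
    demo_mbuf_init(&out, 7, 0, -1);
    demo_ipq_reassemble(&queues[0].label, &out.label);
    *reassembled_compartment = out.data.compartment;
    return used;
}
```

In the scenario the spoofed fragment shares the IP id of the genuine datagram, which is exactly the case the compare entry point is there for: without it the third fragment would be accepted into queue 0 and the reassembled datagram, still labelled compartment 1, would contain bytes from compartment 2. With it the fragment is diverted to its own queue and the datagram rebuilt from queue 0 keeps compartment 1.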
1290 @param newlabel New label to apply to the Login Context
1296 itself to the supplied new label (newlabel). This access control check
1306 struct label *newlabel
1309 @brief Destroy Login Context label
1310 @param label The label to be destroyed
1313 struct label *label
1316 @brief Externalize a Login Context label
1317 @param label Label to be externalized
1318 @param element_name Name of the label namespace for which labels should be
1320 @param sb String buffer to be filled with a text representation of the label
1322 Produce an external representation of the label on a Login Context.
1323 An externalized label consists of a text representation
1324 of the label contents that can be used with user applications.
1329 externalizing the label data.
1333 struct label *label,
1338 @brief Initialize Login Context label
1339 @param label New label to initialize
1342 struct label *label
1345 @brief Internalize a Login Context label
1346 @param label Label to be internalized
1347 @param element_name Name of the label namespace for which the label should
1351 Produce a Login Context label from an external representation. An
1352 externalized label consists of a text representation of the label
1358 policy has registered interest in the label namespace.
1361 while internalizing the label data.
1365 struct label *label,
1370 @brief Update a Login Context label
1372 @param newlabel A new label to apply to the Login Context
1377 Update the label on a login context, using the supplied new label.
1383 struct label *newlabel
1425 @brief Assign a label to a new mbuf
1427 @param b_label Policy label for bpf_d
1429 @param m_label Policy label to fill in for m
1431 Set the label on the mbuf header of a newly created datagram
1438 struct label *b_label,
1440 struct label *m_label
1443 @brief Assign a label to a new mbuf
1445 @param i_label Existing label of ifp
1447 @param m_label Policy label to fill in for m
1453 struct label *i_label,
1455 struct label *m_label
1458 @brief Assign a label to a new mbuf
1460 @param i_label Existing label of inp
1462 @param m_label Policy label to fill in for m
1468 struct label *i_label,
1470 struct label *m_label
1473 @brief Set the label on a newly reassembled IP datagram
1475 @param ipqlabel Policy label for ipq
1477 @param mbuflabel Policy label to be filled in for mbuf
1479 Set the label on a newly reassembled IP datagram (mbuf) from the IP
1484 struct label *ipqlabel,
1486 struct label *mbuflabel
1489 @brief Assign a label to a new mbuf
1491 @param i_label Existing label of ifp
1493 @param m_label Policy label to fill in for m
1495 Set the label on the mbuf header of a newly created datagram
1502 struct label *i_label,
1504 struct label *m_label
1507 @brief Assign a label to a new mbuf
1509 @param oldmbuflabel Policy label for oldmbuf
1511 @param ifplabel Policy label for ifp
1513 @param newmbuflabel Policy label for newmbuf
1515 Set the label on the mbuf header of a newly created datagram
1522 struct label *oldmbuflabel,
1524 struct label *ifplabel,
1526 struct label *newmbuflabel
1529 @brief Assign a label to a new mbuf
1531 @param oldmbuflabel Policy label for oldmbuf
1533 @param newmbuflabel Policy label for newmbuf
1535 Set the label on the mbuf header of a newly created datagram generated
1542 struct label *oldmbuflabel,
1544 struct label *newmbuflabel
1547 @brief Assign a label to a new mbuf
1548 @param so Socket to label
1549 @param so_label Policy label for socket
1551 @param m_label Policy label to fill in for m
1555 in an mbuf first. This function sets the label on a newly created mbuf header
1556 based on the socket sending the data. The contents of the label should be
1564 struct label *so_label,
1566 struct label *m_label
1569 @brief Copy a mbuf label
1570 @param src Source label
1571 @param dest Destination label
1573 Copy the mbuf label information in src into dest.
1578 struct label *src,
1579 struct label *dest
1582 @brief Destroy mbuf label
1583 @param label The label to be destroyed
1585 Destroy a mbuf label. Since the
1587 internal storage associated with the label so that it may be
1591 struct label *label
1594 @brief Initialize mbuf label
1595 @param label New label to initialize
1598 Initialize the label for a newly instantiated mbuf.
1606 struct label *label,
1613 @param label Label associated with the mount point
1630 struct label *label,
1650 struct label *mp_label,
1657 @param mntlabel Policy label for file system mount point
1663 errno should be returned. Suggested failure: EACCES for label mismatch
1669 struct label *mntlabel
1688 struct label *vlabel,
1707 struct label *mlabel
1725 struct label *mp_label,
1732 @param mntlabel Policy label for mp
1742 errno should be returned. Suggested failure: EACCES for label mismatch
1748 struct label *mntlabel
1765 struct label *mlabel
1780 struct label *mntlabel
1783 @brief Destroy mount label
1784 @param label The label to be destroyed
1786 Destroy a file system mount label. Since the
1788 internal storage associated with the label so that it may be
1792 struct label *label
1795 @brief Externalize a mount point label
1796 @param label Label to be externalized
1797 @param element_name Name of the label namespace for which labels should be
1799 @param sb String buffer to be filled with a text representation of the label
1801 Produce an external representation of the mount point label. An
1802 externalized label consists of a text representation of the label
1807 policy has registered interest in the label namespace.
1810 externalizing the label data.
1814 struct label *label,
1819 @brief Initialize mount point label
1820 @param label New label to initialize
1822 Initialize the label for a newly instantiated mount structure.
1823 This label is typically used to store a default label in the case
1827 a default label separately from the label of the mount point
1831 struct label *label
1834 @brief Internalize a mount point label
1835 @param label Label to be internalized
1836 @param element_name Name of the label namespace for which the label should
1840 Produce a mount point file system label from an external representation.
1841 An externalized label consists of a text representation of the label
1847 policy has registered interest in the label namespace.
1850 while internalizing the label data.
1854 struct label *label,
1859 @brief Set the label on an IPv4 datagram fragment
1861 @param datagramlabel Policy label for datagram
1863 @param fragmentlabel Policy label for fragment
1866 Policies implementing mbuf labels will typically copy the label from the
1871 struct label *datagramlabel,
1873 struct label *fragmentlabel
1876 @brief Set the label on an ICMP reply
1878 @param mlabel Policy label for m
1880 A policy may wish to update the label of an mbuf that refers to
1886 struct label *mlabel
1889 @brief Set the label on a TCP reply
1891 @param mlabel Policy label for m
1897 struct label *mlabel
1903 @param pipelabel The label on the pipe
1920 struct label *pipelabel,
1928 @param pipelabel Policy label for the pipe
1940 struct label *pipelabel
1946 @param pipelabel The current label on the pipe
1947 @param newlabel The new label to be used
1960 struct label *pipelabel,
1961 struct label *newlabel
1967 @param pipelabel The label on the pipe
1980 struct label *pipelabel
1986 @param pipelabel The label on the pipe
2000 struct label *pipelabel,
2007 @param pipelabel The label on the pipe
2020 struct label *pipelabel
2026 @param pipelabel The label on the pipe
2039 struct label *pipelabel
2042 @brief Create a pipe label
2045 @param label Label for the pipe object
2047 Create a label for the pipe object being created by the supplied
2055 struct label *pipelabel
2058 @brief Copy a pipe label
2059 @param src Source pipe label
2060 @param dest Destination pipe label
2062 Copy the pipe label associated with src to dest.
2067 struct label *src,
2068 struct label *dest
2071 @brief Destroy pipe label
2072 @param label The label to be destroyed
2074 Destroy a pipe label. Since the object is going out of scope,
2076 label so that it may be destroyed.
2079 struct label *label
2082 @brief Externalize a pipe label
2083 @param label Label to be externalized
2084 @param element_name Name of the label namespace for which labels should be
2086 @param sb String buffer to be filled with a text representation of the label
2088 Produce an external representation of the label on a pipe.
2089 An externalized label consists of a text representation
2090 of the label contents that can be used with user applications.
2095 policy has registered interest in the label namespace.
2098 externalizing the label data.
2102 struct label *label,
2107 @brief Initialize pipe label
2108 @param label New label to initialize
2110 Initialize label storage for use with a newly instantiated pipe object.
2114 struct label *label
2117 @brief Internalize a pipe label
2118 @param label Label to be internalized
2119 @param element_name Name of the label namespace for which the label should
2123 Produce a pipe label from an external representation. An
2124 externalized label consists of a text representation of the label
2130 policy has registered interest in the label namespace.
2133 while internalizing the label data.
2137 struct label *label,
2142 @brief Update a pipe label
2145 @param oldlabel Existing pipe label
2146 @param newlabel New label to replace existing label
2152 update oldlabel using the label stored in the newlabel parameter.
2158 struct label *oldlabel,
2159 struct label *newlabel
2270 The task label and the port are locked. Sleeping is permitted.
2275 struct label *task,
2276 struct label *port
2290 The task label and the port are locked. Sleeping is permitted.
2295 struct label *task,
2296 struct label *port
2309 The task label and the port are locked. Sleeping is permitted.
2314 struct label *task,
2315 struct label *port
2328 The task label and the port are locked. Sleeping is permitted.
2333 struct label *task,
2334 struct label *port
2338 @param task Subject's task label
2339 @param oldlabel Original label of port
2340 @param newlabel New label for port
2343 indicate whether the subject is permitted to change the label
2345 the subject's task label is not locked.
2347 @warning XXX In future releases, the task label lock will likely
2353 struct label *task,
2354 struct label *oldlabel,
2355 struct label *newlabel
2370 The task label and the port are locked. Sleeping is permitted.
2375 struct label *task,
2376 struct label *port
2391 The task label and the port are locked. Sleeping is permitted.
2396 struct label *task,
2397 struct label *port
2402 @param task Sender's task label
2403 @param port Destination port label
2420 struct label *task,
2421 struct label *port,
2437 The task label and the port are locked. Sleeping is permitted.
2442 struct label *task,
2443 struct label *port
2457 The task label and the port are locked. Sleeping is permitted.
2462 struct label *task,
2463 struct label *port
2477 The task label and the port are locked. Sleeping is permitted.
2482 struct label *task,
2483 struct label *port
2500 struct label *task,
2501 struct label *sender
2508 Access control check for sending messages. The task label and the
2519 struct label *task,
2520 struct label *port
2524 @param subj Caller-provided subject label
2525 @param obj Caller-provided object label
2534 label strings or label handles (ports) to be provided.
2539 struct label *subj,
2540 struct label *obj,
2545 @brief Assign a label to a new Mach port created by the kernel
2549 Assign a label to a new port created by the kernel. If the port is being
2553 struct label *portlabel,
2557 @brief Assign a label to a new Mach port
2558 @param it Task label of issuer
2559 @param st Task label of target
2562 Assign a label to a new port. The policy can base this label on
2563 the label of the calling task, as well as the label of the target task.
2568 struct label *it,
2569 struct label *st,
2570 struct label *portlabel
2573 @brief Request label for new (userspace) object
2574 @param subj Subject label
2575 @param obj Parent or existing object label
2577 @param out Computed label
2579 Ask the loaded policies to compute a label based on the two input labels
2582 a suggestion). If successful, the computed label is stored in out. All labels
2584 allow label handles (ports) to be provided.
2589 struct label *subj,
2590 struct label *obj,
2592 struct label *out
2595 @brief Copy a Mach port label
2596 @param src Source port label
2597 @param dest Destination port label
2599 Copy the Mach port label information from src to dest. This is used
2603 struct label *src,
2604 struct label *dest
2607 @brief Destroy Mach port label
2608 @param label The label to be destroyed
2610 Destroy a Mach port label. Since the object is going out of
2612 with the label so that it may be destroyed.
2615 struct label *label
2618 @brief Initialize Mach port label
2619 @param label New label to initialize
2621 Initialize the label for a newly instantiated Mach port. Sleeping
2625 struct label *label
2628 @brief Update a Mach task port label
2629 @param cred User credential label to be used as the source
2630 @param task Mach port label to be used as the destination
2634 Update the label on a Mach task port, using the supplied user
2635 credential label. When a mac_cred_label_update_execve or a mac_cred_label_update
2636 operation causes the label on a user credential to change, the Mach
2637 task port label also needs to be updated to reflect the change.
2641 struct label *cred,
2642 struct label *task
2645 @brief Assign a label to a Mach port connected to a kernel object
2651 <kern/ipc_kobject.h>. The port already has a valid label from either
2652 mpo_port_label_associate_kernel, or because it is a task port and has a label
2656 struct label *portlabel,
2681 the named POSIX semaphore with label semlabel.
2689 struct label *semlabel
2698 the named POSIX semaphore with label semlabel.
2706 struct label *semlabel
2716 the named POSIX semaphore with label semlabel.
2724 struct label *semlabel,
2734 the named POSIX semaphore with label semlabel.
2742 struct label *semlabel
2745 @brief Create a POSIX semaphore label
2751 Label a new POSIX semaphore. The label was previously
2753 appropriate initial label value should be assigned to the object and
2759 struct label *semlabel,
2763 @brief Destroy POSIX semaphore label
2764 @param label The label to be destroyed
2766 Destroy a POSIX semaphore label. Since the object is
2768 associated with the label so that it may be destroyed.
2771 struct label *label
2774 @brief Initialize POSIX semaphore label
2775 @param label New label to initialize
2777 Initialize the label for a newly instantiated POSIX semaphore. Sleeping
2781 struct label *label
2815 struct label *shmlabel,
2834 struct label *shmlabel
2851 struct label *shmlabel
2869 struct label *shmlabel,
2888 struct label *shmlabel,
2892 @brief Create a POSIX shared memory region label
2898 Label a new POSIX shared memory region. The label was previously
2900 time, an appropriate initial label value should be assigned to the
2906 struct label *shmlabel,
2910 @brief Destroy POSIX shared memory label
2911 @param label The label to be destroyed
2913 Destroy a POSIX shared memory region label. Since the
2915 internal storage associated with the label so that it may be
2919 struct label *label
2922 @brief Initialize POSIX Shared Memory region label
2923 @param label New label to initialize
2925 Initialize the label for a newly instantiated POSIX Shared Memory
2929 struct label *label
2942 errno should be returned. Suggested failure: EACCES for label mismatch,
3041 errno should be returned. Suggested failure: EACCES for label mismatch,
3117 errno should be returned. Suggested failure: EACCES for label mismatch,
3146 @brief Destroy process label
3147 @param label The label to be destroyed
3149 Destroy a process label. Since the object is going
3151 associated with the label so that it may be destroyed.
3154 struct label *label
3157 @brief Initialize process label
3158 @param label New label to initialize
3161 Initialize the label for a newly instantiated BSD process structure.
3162 Normally, security policies will store the process label in the user
3164 there are some floating label policies that may need to temporarily
3165 store a label in the process structure until it is safe to update
3166 the user credential label. Sleeping is permitted.
3169 struct label *label
3175 @param socklabel Policy label for socket
3186 struct label *socklabel
3192 @param socklabel Policy label for socket
3204 struct label *socklabel,
3211 @param socklabel Policy label for socket
3223 struct label *socklabel,
3230 @param socklabel Policy label for socket
3242 struct label *socklabel,
3267 @param so_label The label of so
3269 @param m_label The label of the sender of the data.
3286 requires using the "failed label" occasionally. In that case, on rejection,
3305 struct label *so_label,
3307 struct label *m_label
3314 @param socklabel Policy label for socket
3326 struct label *socklabel
3332 @param so_label The current label of so
3333 @param newlabel The label to be assigned to so
3336 change the label on the socket.
3344 struct label *so_label,
3345 struct label *newlabel
3351 @param socklabel Policy label for socket
3362 struct label *socklabel
3368 @param socklabel Policy label for socket
3379 struct label *socklabel
3386 @param socklabel Policy label for socket
3398 struct label *socklabel,
3407 @param socklabel Policy label for socket
3419 struct label *socklabel,
3426 @param socklabel Policy label for socket
3438 struct label *socklabel,
3445 @param socklabel Policy label for so
3456 struct label *socklabel
3462 @param socklabel Policy label for so
3474 struct label *socklabel,
3481 @param socklabel Policy label for so
3493 struct label *socklabel,
3499 @param oldlabel Policy label associated with oldsock
3501 @param newlabel Policy label associated with newsock
3509 struct label *oldlabel,
3511 struct label *newlabel
3514 @brief Assign a label to a new socket
3517 @param solabel The label
3520 Set the label on a newly created socket from the passed subject
3528 struct label *solabel
3531 @brief Copy a socket label
3532 @param src Source label
3533 @param dest Destination label
3535 Copy the socket label information in src into dest.
3538 struct label *src,
3539 struct label *dest
3542 @brief Destroy socket label
3543 @param label The label to be destroyed
3545 Destroy a socket label. Since the object is going out of
3547 with the label so that it may be destroyed.
3550 struct label *label
3553 @brief Externalize a socket label
3554 @param label Label to be externalized
3555 @param element_name Name of the label namespace for which labels should be
3557 @param sb String buffer to be filled with a text representation of label
3559 Produce an externalized socket label based on the label structure passed.
3560 An externalized label consists of a text representation of the label
3564 the label data.
3570 struct label *label,
3575 @brief Initialize socket label
3576 @param label New label to initialize
3579 Initialize the label of a newly instantiated socket. The waitok
3591 struct label *label,
3595 @brief Internalize a socket label
3596 @param label Label to be filled in
3597 @param element_name Name of the label namespace for which the label should
3601 Produce an internal socket label structure based on externalized label
3605 policy has registered interest in the label namespace.
3611 struct label *label,
3619 @param so_label Current label of the socket
3620 @param newlabel The label to be assigned to so
3624 policies to perform the actual label update operation.
3631 struct label *so_label,
3632 struct label *newlabel
3635 @brief Set the peer label on a socket from mbuf
3638 @param so Current label for the socket
3639 @param so_label Policy label to be filled out for the socket
3641 Set the peer label of a socket based on the label of the sender of the
3645 socket operates on a newly initialized label, and subsequent calls operate
3646 on existing label data.
3652 initialize and destroy a label every time data is received for the socket.
3653 Instead, it is up to the policies to determine how to replace the label data.
3658 struct label *m_label,
3660 struct label *so_label
3663 @brief Set the peer label on a socket from socket
3665 @param sourcelabel Policy label for source
3667 @param targetlabel Policy label to fill in for target
3669 Set the peer label on a stream UNIX domain socket from the passed
3678 struct label *sourcelabel,
3680 struct label *targetlabel
3683 @brief Destroy socket peer label
3684 @param label The peer label to be destroyed
3686 Destroy a socket peer label. Since the object is going out of
3688 with the label so that it may be destroyed.
3691 struct label *label
3694 @brief Externalize a socket peer label
3695 @param label Label to be externalized
3696 @param element_name Name of the label namespace for which labels should be
3698 @param sb String buffer to be filled with a text representation of label
3700 Produce an externalized socket peer label based on the label structure
3701 passed. An externalized label consists of a text representation of the
3702 label contents that can be used with userland applications and read by the
3705 the label data.
3711 struct label *label,
3716 @brief Initialize socket peer label
3717 @param label New label to initialize
3720 Initialize the peer label of a newly instantiated socket. The
3733 struct label *label,
3743 based on its label and the label of the accounting log file. See
3755 struct label *vlabel
3781 the auditctl() system call, based on its label and the label of the proposed
3790 struct label *vl
3864 @param label Label associated with vp
3875 struct label *label
3881 @param label Label associated with vp
3892 struct label *label
3926 @brief Create a System V message label
3929 @param msqlabel The label of the message queue
3931 @param msglabel The label of the message
3938 struct label *msqlabel,
3940 struct label *msglabel
3943 @brief Destroy System V message label
3944 @param label The label to be destroyed
3946 Destroy a System V message label. Since the object is
3948 associated with the label so that it may be destroyed.
3951 struct label *label
3954 @brief Initialize System V message label
3955 @param label New label to initialize
3957 Initialize the label for a newly instantiated System V message.
3960 struct label *label
3963 @brief Clean up a System V message label
3964 @param label The label to be destroyed
3966 Clean up a System V message label. Darwin pre-allocates
3970 the label.
3973 struct label *label
3979 @param msglabel The message's label
3981 @param msqlabel The message queue's label
3992 struct label *msglabel,
3994 struct label *msqlabel
4000 @param msglabel The message's label
4011 struct label *msglabel
4017 @param msglabel The message's label
4030 struct label *msglabel
4036 @param msqlabel The message queue's label
4046 struct label *msqlabel,
4053 @param msqlabel The message queue's label
4065 struct label *msqlabel
4071 @param msqlabel The message queue's label
4082 struct label *msqlabel
4088 @param msqlabel The message queue's label
4099 struct label *msqlabel
4102 @brief Create a System V message queue label
4105 @param msqlabel The label of the message queue
4111 struct label *msqlabel
4114 @brief Destroy System V message queue label
4115 @param label The label to be destroyed
4117 Destroy a System V message queue label. Since the object is
4119 associated with the label so that it may be destroyed.
4122 struct label *label
4125 @brief Initialize System V message queue label
4126 @param label New label to initialize
4128 Initialize the label for a newly instantiated System V message queue.
4131 struct label *label
4134 @brief Clean up a System V message queue label
4135 @param label The label to be destroyed
4137 Clean up a System V message queue label. Darwin pre-allocates
4141 the label.
4144 struct label *label
4162 struct label *semaklabel,
4180 struct label *semaklabel
4202 struct label *semaklabel,
4206 @brief Create a System V semaphore label
4211 Label a new System V semaphore. The label was previously
4213 appropriate initial label value should be assigned to the object and
4219 struct label *semalabel
4222 @brief Destroy System V semaphore label
4223 @param label The label to be destroyed
4225 Destroy a System V semaphore label. Since the object is
4227 associated with the label so that it may be destroyed.
4230 struct label *label
4233 @brief Initialize System V semaphore label
4234 @param label New label to initialize
4236 Initialize the label for a newly instantiated System V semaphore. Sleeping
4240 struct label *label
4243 @brief Clean up a System V semaphore label
4244 @param label The label to be cleaned
4246 Clean up a System V semaphore label. Darwin pre-allocates
4250 the label.
4253 struct label *label
4271 struct label *shmseglabel,
4291 struct label *shmseglabel,
4309 struct label *shmseglabel
4327 struct label *shmseglabel,
4331 @brief Create a System V shared memory region label
4336 Label a new System V shared memory region. The label was previously
4338 time, an appropriate initial label value should be assigned to the
4344 struct label *shmlabel
4347 @brief Destroy System V shared memory label
4348 @param label The label to be destroyed
4350 Destroy a System V shared memory region label. Since the
4352 internal storage associated with the label so that it may be
4356 struct label *label
4359 @brief Initialize System V Shared Memory region label
4360 @param label New label to initialize
4362 Initialize the label for a newly instantiated System V Shared Memory
4366 struct label *label
4369 @brief Clean up a System V Shared Memory Region label
4370 @param shmlabel The label to be cleaned
4372 Clean up a System V Shared Memory Region label. Darwin
4376 information present in the label.
4379 struct label *shmlabel
4391 errno should be returned. Suggested failure: EACCES for label mismatch,
4408 errno should be returned. Suggested failure: EACCES for label mismatch,
4435 @brief Assign a label to a new kernelspace Mach task
4448 struct label *tasklabel,
4449 struct label *portlabel
4452 @brief Assign a label to a new (userspace) Mach task
4467 struct label *parentlabel,
4468 struct label *childlabel,
4469 struct label *childportlabel
4472 @brief Copy a Mach task label
4473 @param src Source task label
4474 @param dest Destination task label
4476 Copy the Mach task label information from src to dest. This is used
4477 when duplicating label handles to implement copy-on-write semantics.
4480 struct label *src,
4481 struct label *dest
4484 @brief Destroy Mach task label
4485 @param label The label to be destroyed
4487 Destroy a Mach task label. Since the object is going out of
4489 with the label so that it may be destroyed.
4492 struct label *label
4495 @brief Externalize a task label
4496 @param label Label to be externalized
4497 @param element_name Name of the label namespace for which labels should be
4499 @param sb String buffer to be filled with a text representation of the label
4501 Produce an external representation of the label on a task. An
4502 externalized label consists of a text representation of the label
4507 externalizing the label data.
4511 struct label *label,
4516 @brief Initialize Mach task label
4517 @param label New label to initialize
4519 Initialize the label for a newly instantiated Mach task. Sleeping
4523 struct label *label
4526 @brief Internalize a task label
4527 @param label Label to be internalized
4528 @param element_name Name of the label namespace for which the label should
4532 Produce a task label from an external representation. An
4533 externalized label consists of a text representation of the label
4539 policy has registered interest in the label namespace.
4542 while internalizing the label data.
4546 struct label *label,
4551 @brief Update a Mach task label
4552 @param cred User credential label to be used as the source
4553 @param task Mach task label to be used as the destination
4557 Update the label on a Mach task, using the supplied user credential
4558 label. When a mac_cred_label_update_execve or a mac_cred_label_update operation
4559 causes the label on a user credential to change, the Mach task label
4567 struct label *cred,
4568 struct label *task
4589 @param label Label for vp
4599 errno should be returned. Suggested failure: EACCES for label mismatch or
4605 struct label *label,
4612 @param dlabel Policy label for dvp
4618 errno should be returned. Suggested failure: EACCES for label mismatch or
4624 struct label *dlabel
4630 @param dlabel Policy label associated with dvp
4642 struct label *dlabel,
4649 @param dlabel Policy label for dvp
4660 errno should be returned. Suggested failure: EACCES for label mismatch or
4666 struct label *dlabel,
4681 errno should be returned. Suggested failure: EACCES for label mismatch or
4687 struct label *vlabel,
4694 @param vl1 Policy label for v1
4696 @param vl2 Policy label for v2
4702 errno should be returned. Suggested failure: EACCES for label mismatch or
4708 struct label *vl1,
4710 struct label *vl2
4716 @param label Policy label for vp
4717 @param execlabel Userspace provided execution label
4722 from decisions about any process label transitioning event.
4724 The final label, execlabel, corresponds to a label supplied by a
4726 This label will be NULL if the user application uses the vendor
4730 errno should be returned. Suggested failure: EACCES for label mismatch or
4736 struct label *label,
4737 struct label *execlabel, /* NULLOK */
4744 typedef int mpo_vnode_check_signature_t(struct vnode *vp, struct label *label,
4752 @param vlabel Policy label for vp
4761 errno should be returned. Suggested failure: EACCES for label mismatch or
4769 struct label *vlabel,
4776 @param label Policy label for vp
4786 errno should be returned. Suggested failure: EACCES for label mismatch or
4792 struct label *label, /* NULLOK */
4800 @param label Policy label for vp
4817 struct label *label,
4825 @param label Policy label for vp
4838 struct label *label
4844 @param vnodelabel Existing policy label for vp
4845 @param newlabel Policy label update to later be applied to vp
4849 the passed vnode to the passed label update. If all policies permit
4850 the label change, the actual relabel entry point (mpo_vnode_label_update)
4859 struct label *vnodelabel,
4860 struct label *newlabel
4866 @param dlabel Policy label associated with dvp
4868 @param label Policy label associated with vp
4880 struct label *dlabel,
4882 struct label *label,
4889 @param vlabel Policy label associated with vp
4900 struct label *vlabel
4906 @param dlabel Policy label for dvp
4913 errno should be returned. Suggested failure: EACCES for label mismatch or
4919 struct label *dlabel,
4926 @param label Policy label associated with vp
4933 errno should be returned. Suggested failure: EACCES for label mismatch or
4939 struct label *label,
4947 @param label Policy label for vp
4955 errno should be returned. Suggested failure: EACCES for label mismatch or
4962 struct label *label /* LABEL */
4968 @param dlabel Policy label for dvp
4974 errno should be returned. Suggested failure: EACCES for label mismatch or
4980 struct label *dlabel /* LABEL */
4986 @param label Policy label for vp
4995 errno should be returned. Suggested failure: EACCES for label mismatch or
5001 struct label *label
5007 @param dlabel Policy label associated with dvp
5009 @param label Policy label associated with vp
5026 struct label *dlabel,
5028 struct label *label,
5035 @param dlabel Policy label associated with dvp
5037 @param label Policy label associated with vp
5045 vp and label will be NULL.
5057 struct label *dlabel,
5059 struct label *label, /* NULLOK */
5067 @param label Policy label for vp
5073 errno should be returned. Suggested failure: EACCES for label mismatch or
5079 struct label *label
5085 @param label Policy label for vp
5097 struct label *label,
5104 @param vlabel Policy label for vp
5113 errno should be returned. Suggested failure: EACCES for label mismatch or
5120 struct label *vlabel,
5127 @param label Policy label for vp
5141 errno should be returned. Suggested failure: EACCES for label mismatch or
5147 struct label *label,
5155 @param label Policy label for vp
5162 errno should be returned. Suggested failure: EACCES for label mismatch or
5168 struct label *label,
5175 @param label Policy label for vp
5182 errno should be returned. Suggested failure: EACCES for label mismatch or
5188 struct label *label,
5195 @param label Policy label for vp
5204 errno should be returned. Suggested failure: EACCES for label mismatch or
5210 struct label *label,
5218 @param label Policy label for vp
5226 errno should be returned. Suggested failure: EACCES for label mismatch or
5232 struct label *label,
5241 @param label Policy label for vp
5250 errno should be returned. Suggested failure: EACCES for label mismatch or
5257 struct label *label
5264 @param label Policy label for vp
5273 errno should be returned. Suggested failure: EACCES for label mismatch or
5280 struct label *label
5286 @param dlabel Policy label for dvp
5288 @param label Policy label for vp
5300 errno should be returned. Suggested failure: EACCES for label mismatch or
5306 struct label *dlabel,
5308 struct label *label,
5316 @param label Policy label for vp
5325 errno should be returned. Suggested failure: EACCES for label mismatch or
5332 struct label *label
5337 @param mntlabel Devfs mount point label
5343 Fill in the label (vlabel) for a newly created devfs vnode. The
5344 label is typically derived from the label on the devfs directory
5345 entry or the label on the filesystem, supplied as parameters.
5349 struct label *mntlabel,
5351 struct label *delabel,
5353 struct label *vlabel
5356 @brief Associate a label with a vnode
5358 @param mntlabel File system mount point label
5359 @param vp Vnode to label
5362 Attempt to retrieve label information for the vnode, vp, from the
5363 file system extended attribute store. The label should be stored in
5368 If the policy requires vnodes to have a valid label elsewhere it
5370 a valid label of some sort. Returning an error will cause vnode
5380 struct label *mntlabel,
5382 struct label *vlabel
5385 @brief Associate a file label with a vnode
5388 @param mntlabel Fdesc mount point label
5390 @param label Policy label for fg
5391 @param vp Vnode to label
5394 Associate label information for the vnode, vp, with the label of
5396 The label should be stored in the supplied vlabel parameter.
5401 struct label *mntlabel,
5403 struct label *label,
5405 struct label *vlabel
5408 @brief Associate a pipe label with a vnode
5412 @param vp Vnode to label
5415 Associate label information for the vnode, vp, with the label of
5417 The label should be stored in the supplied vlabel parameter.
5422 struct label *pipelabel,
5424 struct label *vlabel
5427 @brief Associate a POSIX semaphore label with a vnode
5431 @param vp Vnode to label
5434 Associate label information for the vnode, vp, with the label of
5436 The label should be stored in the supplied vlabel parameter.
5441 struct label *psemlabel,
5443 struct label *vlabel
5446 @brief Associate a POSIX shared memory label with a vnode
5450 @param vp Vnode to label
5453 Associate label information for the vnode, vp, with the label of
5455 The label should be stored in the supplied vlabel parameter.
5460 struct label *pshmlabel,
5462 struct label *vlabel
5465 @brief Associate a label with a vnode
5467 @param mntlabel File system mount point label
5468 @param vp Vnode to label
5471 On non-multilabel file systems, set the label for a vnode. The
5472 label will most likely be based on the file system label.
5476 struct label *mntlabel,
5478 struct label *vlabel
5481 @brief Associate a socket label with a vnode
5485 @param vp Vnode to label
5488 Associate label information for the vnode, vp, with the label of
5490 The label should be stored in the supplied vlabel parameter.
5495 struct label *solabel,
5497 struct label *vlabel
5500 @brief Copy a vnode label
5501 @param src Source vnode label
5502 @param dest Destination vnode label
5504 Copy the vnode label information from src to dest. On Darwin, this
5506 will later be used if vnode label externalization cannot be an
5510 struct label *src,
5511 struct label *dest
5514 @brief Destroy vnode label
5515 @param label The label to be destroyed
5517 Destroy a vnode label. Since the object is going out of scope,
5519 label so that it may be destroyed.
5522 struct label *label
5525 @brief Externalize a vnode label for auditing
5526 @param label Label to be externalized
5527 @param element_name Name of the label namespace for which labels should be
5529 @param sb String buffer to be filled with a text representation of the label
5531 Produce an external representation of the label on a vnode suitable for
5532 inclusion in an audit record. An externalized label consists of a text
5533 representation of the label contents that will be added to the audit record
5538 externalizing the label data.
5542 struct label *label,
5547 @brief Externalize a vnode label
5548 @param label Label to be externalized
5549 @param element_name Name of the label namespace for which labels should be
5551 @param sb String buffer to be filled with a text representation of the label
5553 Produce an external representation of the label on a vnode. An
5554 externalized label consists of a text representation of the label
5559 externalizing the label data.
5563 struct label *label,
5568 @brief Initialize vnode label
5569 @param label New label to initialize
5571 Initialize label storage for use with a newly instantiated vnode, or
5573 vnode label. While it is necessary to allocate space for a
5574 kernel-resident vnode label, it is not yet necessary to link this vnode
5575 with persistent label storage facilities, such as extended attributes.
5579 struct label *label
5582 @brief Internalize a vnode label
5583 @param label Label to be internalized
5584 @param element_name Name of the label namespace for which the label should
5588 Produce a vnode label from an external representation. An
5589 externalized label consists of a text representation of the label
5595 policy has registered interest in the label namespace.
5598 while internalizing the label data.
5601 struct label *label,
5606 @brief Clean up a vnode label
5607 @param label The label to be cleaned for re-use
5609 Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but
5611 re-use, policies can clean up or overwrite any information present in the label.
5614 struct label *label
5617 @brief Write a label to an extended attribute
5619 @param vp The vnode for which the label is being stored
5621 @param intlabel The new label to store
5623 Store a new label in the extended attribute corresponding to the
5637 struct label *vlabel,
5638 struct label *intlabel
5641 @brief Update vnode label from extended attributes
5643 @param mntlabel Mount point label
5644 @param vp Vnode to label
5650 functions, the MAC vnode label might also require an update.
5651 Policies should first determine if 'name' matches their xattr label
5654 vnode. Normally labels should only be modified via MAC Framework label
5659 This entry point is called after the label update has occurred, so
5663 If the vnode label needs to be updated the policy should return
5664 a non-zero value. The vnode label will be marked for re-association
5669 struct label *mntlabel,
5671 struct label *vlabel,
5675 @brief Update a vnode label
5678 @param vnodelabel Existing vnode label
5679 @param label New label to replace existing label
5685 update vnodelabel using the label stored in the label parameter.
5690 struct label *vnodelabel,
5691 struct label *label
5697 @param mntlabel File system mount point label
5699 @param dlabel Parent directory vnode label
5704 Write out the label for the newly created vnode, most likely storing
5706 derive the new vnode label using information from a combination
5707 of the subject (user) credential, the file system label, the parent
5708 directory label, and potentially the path name component.
5710 @return If the operation succeeds, store the new label in vlabel and
5716 struct label *mntlabel,
5718 struct label *dlabel,
5720 struct label *vlabel,
6066 a short unique policy name, a more descriptive full name, a list of label
6068 any load time flags, and optionally, a pointer to a label slot identifier.
6073 If the label slot identifier (mpc_field_off) is NULL, the Framework
6074 will not provide label storage for the policy. Otherwise, the
6075 Framework will store the label location (slot) in this field.
6084 const char **mpc_labelnames; /** managed label namespaces */
6085 unsigned int mpc_labelname_count; /** number of managed label namespaces */
6088 int *mpc_field_off; /** label slot */
6173 label state and are unable to free that state at runtime, or for