mac_policy.h revision 107105
1139776Simp/*- 21541Srgrimes * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 31541Srgrimes * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 41541Srgrimes * All rights reserved. 51541Srgrimes * 61541Srgrimes * This software was developed by Robert Watson for the TrustedBSD Project. 71541Srgrimes * 81541Srgrimes * This software was developed for the FreeBSD Project in part by Network 91541Srgrimes * Associates Laboratories, the Security Research Division of Network 101541Srgrimes * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 111541Srgrimes * as part of the DARPA CHATS research program. 121541Srgrimes * 131541Srgrimes * Redistribution and use in source and binary forms, with or without 141541Srgrimes * modification, are permitted provided that the following conditions 151541Srgrimes * are met: 161541Srgrimes * 1. Redistributions of source code must retain the above copyright 171541Srgrimes * notice, this list of conditions and the following disclaimer. 181541Srgrimes * 2. Redistributions in binary form must reproduce the above copyright 191541Srgrimes * notice, this list of conditions and the following disclaimer in the 201541Srgrimes * documentation and/or other materials provided with the distribution. 211541Srgrimes * 221541Srgrimes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 231541Srgrimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 241541Srgrimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 251541Srgrimes * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 261541Srgrimes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 271541Srgrimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 281541Srgrimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 291541Srgrimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 301541Srgrimes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 311541Srgrimes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 3222521Sdyson * SUCH DAMAGE. 331541Srgrimes * 3422521Sdyson * $FreeBSD: head/sys/security/mac/mac_policy.h 107105 2002-11-20 15:41:25Z rwatson $ 3522521Sdyson */ 3622521Sdyson/* 3722521Sdyson * Kernel interface for MAC policy modules. 3822521Sdyson */ 3950477Speter#ifndef _SYS_MAC_POLICY_H 401541Srgrimes#define _SYS_MAC_POLICY_H 411541Srgrimes 421541Srgrimes/*- 431541Srgrimes * Pluggable access control policy definition structure. 441541Srgrimes * 4577130Sru * List of operations that are performed as part of the implementation 461541Srgrimes * of a MAC policy. Policy implementors declare operations with a 4796755Strhodes * mac_policy_ops structure, and using the MAC_POLICY_SET() macro. 481541Srgrimes * If an entry point is not declared, then then the policy will be ignored 4996755Strhodes * during evaluation of that event or check. 501541Srgrimes * 5135256Sdes * Operations are sorted first by general class of operation, then 521541Srgrimes * alphabetically. 531541Srgrimes */ 541541Srgrimesstruct mac_policy_conf; 551541Srgrimesstruct mac_policy_ops { 5696755Strhodes /* 571541Srgrimes * Policy module operations. 581541Srgrimes */ 5996755Strhodes void (*mpo_destroy)(struct mac_policy_conf *mpc); 601541Srgrimes void (*mpo_init)(struct mac_policy_conf *mpc); 611541Srgrimes 621541Srgrimes /* 631541Srgrimes * General policy-directed security system call so that policies 641541Srgrimes * may implement new services without reserving explicit 651541Srgrimes * system call numbers. 661541Srgrimes */ 671541Srgrimes int (*mpo_syscall)(struct thread *td, int call, void *arg); 6877130Sru 6977130Sru /* 701541Srgrimes * Label operations. 711541Srgrimes */ 721541Srgrimes void (*mpo_init_bpfdesc_label)(struct label *label); 731541Srgrimes void (*mpo_init_cred_label)(struct label *label); 741541Srgrimes void (*mpo_init_devfsdirent_label)(struct label *label); 751541Srgrimes void (*mpo_init_ifnet_label)(struct label *label); 761541Srgrimes void (*mpo_init_ipq_label)(struct label *label); 771541Srgrimes int (*mpo_init_mbuf_label)(struct label *label, int flag); 7896755Strhodes void (*mpo_init_mount_label)(struct label *label); 791541Srgrimes void (*mpo_init_mount_fs_label)(struct label *label); 801541Srgrimes int (*mpo_init_socket_label)(struct label *label, int flag); 8126963Salex int (*mpo_init_socket_peer_label)(struct label *label, int flag); 821541Srgrimes void (*mpo_init_pipe_label)(struct label *label); 831541Srgrimes void (*mpo_init_proc_label)(struct label *label); 841541Srgrimes void (*mpo_init_vnode_label)(struct label *label); 851541Srgrimes void (*mpo_destroy_bpfdesc_label)(struct label *label); 861541Srgrimes void (*mpo_destroy_cred_label)(struct label *label); 871541Srgrimes void (*mpo_destroy_devfsdirent_label)(struct label *label); 881541Srgrimes void (*mpo_destroy_ifnet_label)(struct label *label); 891541Srgrimes void (*mpo_destroy_ipq_label)(struct label *label); 901541Srgrimes void (*mpo_destroy_mbuf_label)(struct label *label); 911541Srgrimes void (*mpo_destroy_mount_label)(struct label *label); 9222521Sdyson void (*mpo_destroy_mount_fs_label)(struct label *label); 9322521Sdyson void (*mpo_destroy_socket_label)(struct label *label); 9422521Sdyson void (*mpo_destroy_socket_peer_label)(struct label *label); 9522521Sdyson void (*mpo_destroy_pipe_label)(struct label *label); 9622521Sdyson void (*mpo_destroy_proc_label)(struct label *label); 971541Srgrimes void (*mpo_destroy_vnode_label)(struct label *label); 9822521Sdyson void (*mpo_copy_pipe_label)(struct label *src, 9922521Sdyson struct label *dest); 10022521Sdyson void (*mpo_copy_vnode_label)(struct label *src, 10122521Sdyson struct label *dest); 10222521Sdyson int (*mpo_externalize_cred_label)(struct label *label, 10322521Sdyson char *element_name, char *buffer, size_t buflen, 10422521Sdyson size_t *len, int *claimed); 10522521Sdyson int (*mpo_externalize_ifnet_label)(struct label *label, 10622521Sdyson char *element_name, char *buffer, size_t buflen, 1071541Srgrimes size_t *len, int *claimed); 1081541Srgrimes int (*mpo_externalize_pipe_label)(struct label *label, 1091541Srgrimes char *element_name, char *buffer, size_t buflen, 1101541Srgrimes size_t *len, int *claimed); 1111541Srgrimes int (*mpo_externalize_socket_label)(struct label *label, 1121541Srgrimes char *element_name, char *buffer, size_t buflen, 1131541Srgrimes size_t *len, int *claimed); 1141541Srgrimes int (*mpo_externalize_socket_peer_label)(struct label *label, 1151541Srgrimes char *element_name, char *buffer, size_t buflen, 1161541Srgrimes size_t *len, int *claimed); 1171541Srgrimes int (*mpo_externalize_vnode_label)(struct label *label, 1181541Srgrimes char *element_name, char *buffer, size_t buflen, 1191541Srgrimes size_t *len, int *claimed); 1201541Srgrimes int (*mpo_internalize_cred_label)(struct label *label, 1218876Srgrimes char *element_name, char *element_data, int *claimed); 1221541Srgrimes int (*mpo_internalize_ifnet_label)(struct label *label, 1231541Srgrimes char *element_name, char *element_data, int *claimed); 1241541Srgrimes int (*mpo_internalize_pipe_label)(struct label *label, 1251541Srgrimes char *element_name, char *element_data, int *claimed); 12677130Sru int (*mpo_internalize_socket_label)(struct label *label, 1271541Srgrimes char *element_name, char *element_data, int *claimed); 1281541Srgrimes int (*mpo_internalize_vnode_label)(struct label *label, 1291541Srgrimes char *element_name, char *element_data, int *claimed); 1301541Srgrimes 1318876Srgrimes /* 1321541Srgrimes * Labeling event operations: file system objects, and things that 1331541Srgrimes * look a lot like file system objects. 1341541Srgrimes */ 1351541Srgrimes void (*mpo_associate_vnode_devfs)(struct mount *mp, 1361541Srgrimes struct label *fslabel, struct devfs_dirent *de, 1371541Srgrimes struct label *delabel, struct vnode *vp, 1381541Srgrimes struct label *vlabel); 1391541Srgrimes int (*mpo_associate_vnode_extattr)(struct mount *mp, 14096755Strhodes struct label *fslabel, struct vnode *vp, 1411541Srgrimes struct label *vlabel); 1421541Srgrimes void (*mpo_associate_vnode_singlelabel)(struct mount *mp, 1431541Srgrimes struct label *fslabel, struct vnode *vp, 1441541Srgrimes struct label *vlabel); 1458876Srgrimes void (*mpo_create_devfs_device)(dev_t dev, struct devfs_dirent *de, 1461541Srgrimes struct label *label); 1471541Srgrimes void (*mpo_create_devfs_directory)(char *dirname, int dirnamelen, 1481541Srgrimes struct devfs_dirent *de, struct label *label); 1491541Srgrimes void (*mpo_create_devfs_symlink)(struct ucred *cred, 1501541Srgrimes struct devfs_dirent *dd, struct label *ddlabel, 1518876Srgrimes struct devfs_dirent *de, struct label *delabel); 1521541Srgrimes int (*mpo_create_vnode_extattr)(struct ucred *cred, 1531541Srgrimes struct mount *mp, struct label *fslabel, 1541541Srgrimes struct vnode *dvp, struct label *dlabel, 1551541Srgrimes struct vnode *vp, struct label *vlabel, 156108470Sschweikh struct componentname *cnp); 1571541Srgrimes void (*mpo_create_mount)(struct ucred *cred, struct mount *mp, 1581541Srgrimes struct label *mntlabel, struct label *fslabel); 1591541Srgrimes void (*mpo_create_root_mount)(struct ucred *cred, struct mount *mp, 16026964Salex struct label *mountlabel, struct label *fslabel); 1611541Srgrimes void (*mpo_relabel_vnode)(struct ucred *cred, struct vnode *vp, 1621541Srgrimes struct label *vnodelabel, struct label *label); 1631541Srgrimes int (*mpo_setlabel_vnode_extattr)(struct ucred *cred, 16426964Salex struct vnode *vp, struct label *vlabel, 1651541Srgrimes struct label *intlabel); 1661541Srgrimes void (*mpo_update_devfsdirent)(struct devfs_dirent *devfs_dirent, 1671541Srgrimes struct label *direntlabel, struct vnode *vp, 16826964Salex struct label *vnodelabel); 1691541Srgrimes 1701541Srgrimes /* 1711541Srgrimes * Labeling event operations: IPC objects. 1721541Srgrimes */ 1731541Srgrimes void (*mpo_create_mbuf_from_socket)(struct socket *so, 17476166Smarkm struct label *socketlabel, struct mbuf *m, 1752960Swollman struct label *mbuflabel); 17676166Smarkm void (*mpo_create_socket)(struct ucred *cred, struct socket *so, 17776166Smarkm struct label *socketlabel); 17876166Smarkm void (*mpo_create_socket_from_socket)(struct socket *oldsocket, 17976166Smarkm struct label *oldsocketlabel, struct socket *newsocket, 18076166Smarkm struct label *newsocketlabel); 18112769Sphk void (*mpo_relabel_socket)(struct ucred *cred, struct socket *so, 1821541Srgrimes struct label *oldlabel, struct label *newlabel); 18376166Smarkm void (*mpo_relabel_pipe)(struct ucred *cred, struct pipe *pipe, 18477031Sru struct label *oldlabel, struct label *newlabel); 1851541Srgrimes void (*mpo_set_socket_peer_from_mbuf)(struct mbuf *mbuf, 18666356Sbp struct label *mbuflabel, struct socket *so, 18766356Sbp struct label *socketpeerlabel); 18866356Sbp void (*mpo_set_socket_peer_from_socket)(struct socket *oldsocket, 18966356Sbp struct label *oldsocketlabel, struct socket *newsocket, 19066356Sbp struct label *newsocketpeerlabel); 19112769Sphk void (*mpo_create_pipe)(struct ucred *cred, struct pipe *pipe, 19212769Sphk struct label *pipelabel); 19312769Sphk 1941541Srgrimes /* 1951541Srgrimes * Labeling event operations: network objects. 1961541Srgrimes */ 1971541Srgrimes void (*mpo_create_bpfdesc)(struct ucred *cred, struct bpf_d *bpf_d, 1981541Srgrimes struct label *bpflabel); 1991541Srgrimes void (*mpo_create_ifnet)(struct ifnet *ifnet, 2001541Srgrimes struct label *ifnetlabel); 2011541Srgrimes void (*mpo_create_ipq)(struct mbuf *fragment, 2021541Srgrimes struct label *fragmentlabel, struct ipq *ipq, 2031541Srgrimes struct label *ipqlabel); 2041541Srgrimes void (*mpo_create_datagram_from_ipq) 2051541Srgrimes (struct ipq *ipq, struct label *ipqlabel, 2061541Srgrimes struct mbuf *datagram, struct label *datagramlabel); 2071541Srgrimes void (*mpo_create_fragment)(struct mbuf *datagram, 2081541Srgrimes struct label *datagramlabel, struct mbuf *fragment, 2091541Srgrimes struct label *fragmentlabel); 2101541Srgrimes void (*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf, 2111541Srgrimes struct label *oldlabel, struct mbuf *newmbuf, 2121541Srgrimes struct label *newlabel); 2131541Srgrimes void (*mpo_create_mbuf_linklayer)(struct ifnet *ifnet, 2141541Srgrimes struct label *ifnetlabel, struct mbuf *mbuf, 2151541Srgrimes struct label *mbuflabel); 2161541Srgrimes void (*mpo_create_mbuf_from_bpfdesc)(struct bpf_d *bpf_d, 2171541Srgrimes struct label *bpflabel, struct mbuf *mbuf, 2188876Srgrimes struct label *mbuflabel); 21922521Sdyson void (*mpo_create_mbuf_from_ifnet)(struct ifnet *ifnet, 220140728Sphk struct label *ifnetlabel, struct mbuf *mbuf, 2211541Srgrimes struct label *mbuflabel); 222140732Sphk void (*mpo_create_mbuf_multicast_encap)(struct mbuf *oldmbuf, 2231541Srgrimes struct label *oldmbuflabel, struct ifnet *ifnet, 2241541Srgrimes struct label *ifnetlabel, struct mbuf *newmbuf, 2251541Srgrimes struct label *newmbuflabel); 2261541Srgrimes void (*mpo_create_mbuf_netlayer)(struct mbuf *oldmbuf, 2271541Srgrimes struct label *oldmbuflabel, struct mbuf *newmbuf, 2281541Srgrimes struct label *newmbuflabel); 2291541Srgrimes int (*mpo_fragment_match)(struct mbuf *fragment, 2301541Srgrimes struct label *fragmentlabel, struct ipq *ipq, 2311541Srgrimes struct label *ipqlabel); 2321541Srgrimes void (*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet, 23350616Sbde struct label *ifnetlabel, struct label *newlabel); 2341541Srgrimes void (*mpo_update_ipq)(struct mbuf *fragment, 2351541Srgrimes struct label *fragmentlabel, struct ipq *ipq, 2361541Srgrimes struct label *ipqlabel); 2371541Srgrimes 2381541Srgrimes /* 23950616Sbde * Labeling event operations: processes. 2401541Srgrimes */ 2411541Srgrimes void (*mpo_create_cred)(struct ucred *parent_cred, 2421541Srgrimes struct ucred *child_cred); 2431541Srgrimes void (*mpo_execve_transition)(struct ucred *old, struct ucred *new, 2441541Srgrimes struct vnode *vp, struct label *vnodelabel, 2451541Srgrimes struct label *interpvnodelabel, 2461541Srgrimes struct image_params *imgp, struct label *execlabel); 2471541Srgrimes int (*mpo_execve_will_transition)(struct ucred *old, 2481541Srgrimes struct vnode *vp, struct label *vnodelabel, 2491541Srgrimes struct label *interpvnodelabel, 2501541Srgrimes struct image_params *imgp, struct label *execlabel); 2518876Srgrimes void (*mpo_create_proc0)(struct ucred *cred); 2521541Srgrimes void (*mpo_create_proc1)(struct ucred *cred); 2531541Srgrimes void (*mpo_relabel_cred)(struct ucred *cred, 2541541Srgrimes struct label *newlabel); 2551541Srgrimes void (*mpo_thread_userret)(struct thread *thread); 2561541Srgrimes 2571541Srgrimes /* 25824987Skato * Access control checks. 259138290Sphk */ 26024987Skato int (*mpo_check_bpfdesc_receive)(struct bpf_d *bpf_d, 2611541Srgrimes struct label *bpflabel, struct ifnet *ifnet, 2621541Srgrimes struct label *ifnetlabel); 2631541Srgrimes int (*mpo_check_cred_relabel)(struct ucred *cred, 2641541Srgrimes struct label *newlabel); 2651541Srgrimes int (*mpo_check_cred_visible)(struct ucred *u1, struct ucred *u2); 2661541Srgrimes int (*mpo_check_ifnet_relabel)(struct ucred *cred, 2671541Srgrimes struct ifnet *ifnet, struct label *ifnetlabel, 2681541Srgrimes struct label *newlabel); 26966356Sbp int (*mpo_check_ifnet_transmit)(struct ifnet *ifnet, 2701541Srgrimes struct label *ifnetlabel, struct mbuf *m, 2711541Srgrimes struct label *mbuflabel); 2728876Srgrimes int (*mpo_check_kenv_dump)(struct ucred *cred); 2731541Srgrimes int (*mpo_check_kenv_get)(struct ucred *cred, char *name); 2741541Srgrimes int (*mpo_check_kenv_set)(struct ucred *cred, char *name, 2751541Srgrimes char *value); 2761541Srgrimes int (*mpo_check_kenv_unset)(struct ucred *cred, char *name); 2771541Srgrimes int (*mpo_check_kld_load)(struct ucred *cred, struct vnode *vp, 2781541Srgrimes struct label *vlabel); 27966356Sbp int (*mpo_check_kld_stat)(struct ucred *cred); 280140165Sphk int (*mpo_check_kld_unload)(struct ucred *cred); 28166356Sbp int (*mpo_check_mount_stat)(struct ucred *cred, struct mount *mp, 28266356Sbp struct label *mntlabel); 28366356Sbp int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe, 28466356Sbp struct label *pipelabel, unsigned long cmd, void *data); 2851541Srgrimes int (*mpo_check_pipe_poll)(struct ucred *cred, struct pipe *pipe, 2861541Srgrimes struct label *pipelabel); 2871541Srgrimes int (*mpo_check_pipe_read)(struct ucred *cred, struct pipe *pipe, 2881541Srgrimes struct label *pipelabel); 2891541Srgrimes int (*mpo_check_pipe_relabel)(struct ucred *cred, 2901541Srgrimes struct pipe *pipe, struct label *pipelabel, 2911541Srgrimes struct label *newlabel); 2921541Srgrimes int (*mpo_check_pipe_stat)(struct ucred *cred, struct pipe *pipe, 2931541Srgrimes struct label *pipelabel); 2941541Srgrimes int (*mpo_check_pipe_write)(struct ucred *cred, struct pipe *pipe, 2951541Srgrimes struct label *pipelabel); 2961541Srgrimes int (*mpo_check_proc_debug)(struct ucred *cred, 29766356Sbp struct proc *proc); 29866356Sbp int (*mpo_check_proc_sched)(struct ucred *cred, 299175294Sattilio struct proc *proc); 30066356Sbp int (*mpo_check_proc_signal)(struct ucred *cred, 30166356Sbp struct proc *proc, int signum); 3021541Srgrimes int (*mpo_check_socket_bind)(struct ucred *cred, 3031541Srgrimes struct socket *so, struct label *socketlabel, 3041541Srgrimes struct sockaddr *sockaddr); 3051541Srgrimes int (*mpo_check_socket_connect)(struct ucred *cred, 3061541Srgrimes struct socket *so, struct label *socketlabel, 3071541Srgrimes struct sockaddr *sockaddr); 3081541Srgrimes int (*mpo_check_socket_deliver)(struct socket *so, 3091541Srgrimes struct label *socketlabel, struct mbuf *m, 3101541Srgrimes struct label *mbuflabel); 3111541Srgrimes int (*mpo_check_socket_listen)(struct ucred *cred, 3121541Srgrimes struct socket *so, struct label *socketlabel); 3131541Srgrimes int (*mpo_check_socket_receive)(struct ucred *cred, 3141541Srgrimes struct socket *so, struct label *socketlabel); 3151541Srgrimes int (*mpo_check_socket_relabel)(struct ucred *cred, 3161541Srgrimes struct socket *so, struct label *socketlabel, 3171541Srgrimes struct label *newlabel); 3181541Srgrimes int (*mpo_check_socket_send)(struct ucred *cred, 3191541Srgrimes struct socket *so, struct label *socketlabel); 3201541Srgrimes int (*mpo_check_socket_visible)(struct ucred *cred, 3211541Srgrimes struct socket *so, struct label *socketlabel); 3221541Srgrimes int (*mpo_check_system_acct)(struct ucred *cred, 3231541Srgrimes struct vnode *vp, struct label *vlabel); 32429584Sphk int (*mpo_check_system_nfsd)(struct ucred *cred); 32598183Ssemenu int (*mpo_check_system_reboot)(struct ucred *cred, int howto); 3261541Srgrimes int (*mpo_check_system_settime)(struct ucred *cred); 3271541Srgrimes int (*mpo_check_system_swapon)(struct ucred *cred, 3281541Srgrimes struct vnode *vp, struct label *label); 3291541Srgrimes int (*mpo_check_system_sysctl)(struct ucred *cred, int *name, 3301541Srgrimes u_int namelen, void *old, size_t *oldlenp, int inkernel, 3311541Srgrimes void *new, size_t newlen); 33222521Sdyson int (*mpo_check_vnode_access)(struct ucred *cred, 33322521Sdyson struct vnode *vp, struct label *label, int acc_mode); 33422521Sdyson int (*mpo_check_vnode_chdir)(struct ucred *cred, 33522521Sdyson struct vnode *dvp, struct label *dlabel); 33622521Sdyson int (*mpo_check_vnode_chroot)(struct ucred *cred, 33722521Sdyson struct vnode *dvp, struct label *dlabel); 338140728Sphk int (*mpo_check_vnode_create)(struct ucred *cred, 33922521Sdyson struct vnode *dvp, struct label *dlabel, 34022521Sdyson struct componentname *cnp, struct vattr *vap); 34166356Sbp int (*mpo_check_vnode_delete)(struct ucred *cred, 34222521Sdyson struct vnode *dvp, struct label *dlabel, 34366356Sbp struct vnode *vp, struct label *label, 34422521Sdyson struct componentname *cnp); 3451541Srgrimes int (*mpo_check_vnode_deleteacl)(struct ucred *cred, 34666356Sbp struct vnode *vp, struct label *label, acl_type_t type); 34722521Sdyson int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp, 34822521Sdyson struct label *label, struct image_params *imgp, 34966356Sbp struct label *execlabel); 35066356Sbp int (*mpo_check_vnode_getacl)(struct ucred *cred, 35166356Sbp struct vnode *vp, struct label *label, acl_type_t type); 35266356Sbp int (*mpo_check_vnode_getextattr)(struct ucred *cred, 35366356Sbp struct vnode *vp, struct label *label, int attrnamespace, 35466356Sbp const char *name, struct uio *uio); 35566356Sbp int (*mpo_check_vnode_link)(struct ucred *cred, struct vnode *dvp, 35622521Sdyson struct label *dlabel, struct vnode *vp, 35766356Sbp struct label *label, struct componentname *cnp); 35822521Sdyson int (*mpo_check_vnode_lookup)(struct ucred *cred, 35922521Sdyson struct vnode *dvp, struct label *dlabel, 36066356Sbp struct componentname *cnp); 36166356Sbp int (*mpo_check_vnode_mmap)(struct ucred *cred, struct vnode *vp, 36266356Sbp struct label *label, int prot); 36366356Sbp void (*mpo_check_vnode_mmap_downgrade)(struct ucred *cred, 36466356Sbp struct vnode *vp, struct label *label, int *prot); 36566356Sbp int (*mpo_check_vnode_mprotect)(struct ucred *cred, 36666356Sbp struct vnode *vp, struct label *label, int prot); 36798183Ssemenu int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp, 368229431Skib struct label *label, int acc_mode); 369185335Skib int (*mpo_check_vnode_poll)(struct ucred *active_cred, 37066356Sbp struct ucred *file_cred, struct vnode *vp, 37122521Sdyson struct label *label); 37222521Sdyson int (*mpo_check_vnode_read)(struct ucred *active_cred, 37322521Sdyson struct ucred *file_cred, struct vnode *vp, 37422521Sdyson struct label *label); 375140776Sphk int (*mpo_check_vnode_readdir)(struct ucred *cred, 376140776Sphk struct vnode *dvp, struct label *dlabel); 377140776Sphk int (*mpo_check_vnode_readlink)(struct ucred *cred, 378140776Sphk struct vnode *vp, struct label *label); 379140776Sphk int (*mpo_check_vnode_relabel)(struct ucred *cred, 380140776Sphk struct vnode *vp, struct label *vnodelabel, 381140776Sphk struct label *newlabel); 382140776Sphk int (*mpo_check_vnode_rename_from)(struct ucred *cred, 383140776Sphk struct vnode *dvp, struct label *dlabel, struct vnode *vp, 384140776Sphk struct label *label, struct componentname *cnp); 385140776Sphk int (*mpo_check_vnode_rename_to)(struct ucred *cred, 386140776Sphk struct vnode *dvp, struct label *dlabel, struct vnode *vp, 387140776Sphk struct label *label, int samedir, 388140776Sphk struct componentname *cnp); 3891541Srgrimes int (*mpo_check_vnode_revoke)(struct ucred *cred, 39022521Sdyson struct vnode *vp, struct label *label); 39122521Sdyson int (*mpo_check_vnode_setacl)(struct ucred *cred, 392105211Sphk struct vnode *vp, struct label *label, acl_type_t type, 393140728Sphk struct acl *acl); 39422521Sdyson int (*mpo_check_vnode_setextattr)(struct ucred *cred, 39522521Sdyson struct vnode *vp, struct label *label, int attrnamespace, 39622521Sdyson const char *name, struct uio *uio); 39722521Sdyson int (*mpo_check_vnode_setflags)(struct ucred *cred, 39822521Sdyson struct vnode *vp, struct label *label, u_long flags); 39922597Smpp int (*mpo_check_vnode_setmode)(struct ucred *cred, 40022597Smpp struct vnode *vp, struct label *label, mode_t mode); 40122521Sdyson int (*mpo_check_vnode_setowner)(struct ucred *cred, 40222521Sdyson struct vnode *vp, struct label *label, uid_t uid, 40322521Sdyson gid_t gid); 40422521Sdyson int (*mpo_check_vnode_setutimes)(struct ucred *cred, 40522521Sdyson struct vnode *vp, struct label *label, 40622521Sdyson struct timespec atime, struct timespec mtime); 40722521Sdyson int (*mpo_check_vnode_stat)(struct ucred *active_cred, 40822521Sdyson struct ucred *file_cred, struct vnode *vp, 40922521Sdyson struct label *label); 41022521Sdyson int (*mpo_check_vnode_write)(struct ucred *active_cred, 41136840Speter struct ucred *file_cred, struct vnode *vp, 41236840Speter struct label *label); 41322521Sdyson}; 41422521Sdyson 41522521Sdysonstruct mac_policy_conf { 41622521Sdyson char *mpc_name; /* policy name */ 41722521Sdyson char *mpc_fullname; /* policy full name */ 41822521Sdyson struct mac_policy_ops *mpc_ops; /* policy operations */ 41922521Sdyson int mpc_loadtime_flags; /* flags */ 42022521Sdyson int *mpc_field_off; /* security field */ 42122521Sdyson int mpc_runtime_flags; /* flags */ 42222521Sdyson LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */ 42322521Sdyson}; 42422521Sdyson 42566356Sbp/* Flags for the mpc_loadtime_flags field. */ 42622607Smpp#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001 42722521Sdyson#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002 42822521Sdyson 42922521Sdyson/* Flags for the mpc_runtime_flags field. */ 4301541Srgrimes#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 4311541Srgrimes 43212769Sphk#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \ 433140728Sphk static struct mac_policy_conf mpname##_mac_policy_conf = { \ 4341541Srgrimes #mpname, \ 4351541Srgrimes mpfullname, \ 43622521Sdyson mpops, \ 43743311Sdillon mpflags, \ 4381541Srgrimes privdata_wanted, \ 43965467Sbp 0, \ 44065467Sbp }; \ 4411541Srgrimes static moduledata_t mpname##_mod = { \ 4421541Srgrimes #mpname, \ 4431541Srgrimes mac_policy_modevent, \ 44466356Sbp &mpname##_mac_policy_conf \ 44566356Sbp }; \ 44666356Sbp MODULE_DEPEND(mpname, kernel_mac_support, 1, 1, 1); \ 44722521Sdyson DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY, \ 448140728Sphk SI_ORDER_MIDDLE) 44922521Sdyson 45022521Sdysonint mac_policy_modevent(module_t mod, int type, void *data); 451184413Strasz 4521541Srgrimes#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s] 45322521Sdyson 45422521Sdyson#endif /* !_SYS_MAC_POLICY_H */ 45522521Sdyson