mac_policy.h revision 179963
1/*-
2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
3 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
4 * Copyright (c) 2005-2006 SPARTA, Inc.
5 * All rights reserved.
6 *
7 * This software was developed by Robert Watson for the TrustedBSD Project.
8 *
9 * This software was developed for the FreeBSD Project in part by Network
10 * Associates Laboratories, the Security Research Division of Network
11 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
12 * as part of the DARPA CHATS research program.
13 *
14 * This software was enhanced by SPARTA ISSO under SPAWAR contract
15 * N66001-04-C-6019 ("SEFOS").
16 *
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
19 * are met:
20 * 1. Redistributions of source code must retain the above copyright
21 *    notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 *    notice, this list of conditions and the following disclaimer in the
24 *    documentation and/or other materials provided with the distribution.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * SUCH DAMAGE.
37 *
38 * $FreeBSD: head/sys/security/mac/mac_policy.h 179963 2008-06-23 21:37:53Z jhb $
39 */
40/*
41 * Kernel interface for MAC policy modules.
42 */
43#ifndef _SECURITY_MAC_MAC_POLICY_H_
44#define	_SECURITY_MAC_MAC_POLICY_H_
45
46#ifndef _KERNEL
47#error "no user-serviceable parts inside"
48#endif
49
50/*-
51 * Pluggable access control policy definition structure.
52 *
53 * List of operations that are performed as part of the implementation of a
54 * MAC policy.  Policy implementors declare operations with a mac_policy_ops
55 * structure, and using the MAC_POLICY_SET() macro.  If an entry point is not
 * declared, then the policy will be ignored during evaluation of that
57 * event or check.
58 *
59 * Operations are sorted first by general class of operation, then
60 * alphabetically.
61 */
62#include <sys/acl.h>	/* XXX acl_type_t */
63
/*
 * Opaque forward declarations.  Every entry point below takes only
 * pointers to these objects, so incomplete types are sufficient and this
 * header stays free of the kernel headers that define them (the one
 * exception, acl_type_t, is pulled in via <sys/acl.h> above).
 */
struct acl;
struct auditinfo;
struct auditinfo_addr;
struct bpf_d;
struct cdev;
struct componentname;
struct devfs_dirent;
struct ifnet;
struct image_params;
struct inpcb;
struct ipq;
struct ksem;
struct label;
struct mac_policy_conf;
struct mbuf;
struct mount;
struct msg;
struct msqid_kernel;
struct pipepair;
struct proc;
struct sbuf;
struct semid_kernel;
struct shmfd;
struct shmid_kernel;
struct sockaddr;
struct socket;
struct sysctl_oid;
struct sysctl_req;
struct thread;
struct ucred;
struct uio;
struct vattr;
struct vnode;
97
98/*
99 * Policy module operations.
100 */
/*
 * Policy module lifecycle.  Both receive the policy's own configuration
 * record (mpc); presumably mpo_init runs at policy registration and
 * mpo_destroy at unregistration -- confirm against the framework caller.
 * Neither can report failure (void return).
 */
typedef void	(*mpo_destroy_t)(struct mac_policy_conf *mpc);
typedef void	(*mpo_init_t)(struct mac_policy_conf *mpc);

/*
 * General policy-directed security system call so that policies may
 * implement new services without reserving explicit system call numbers.
 *
 * td is the calling thread, call selects the policy-specific service and
 * arg is an opaque pointer handed through from the system call.  Because
 * this is reached from userland, a policy implementing it must treat both
 * call and whatever arg refers to as untrusted: range-check call and copy
 * in/validate the argument data before acting on it.  The int return is
 * presumably the system call's errno result -- confirm against the caller.
 */
typedef int	(*mpo_syscall_t)(struct thread *td, int call, void *arg);

/*
 * Place-holder function pointers for ABI-compatibility purposes.
 *
 * A void (*)(void) slot reserved so that struct mac_policy_ops can grow
 * later without shifting the offsets of existing members.
 */
typedef void	(*mpo_placeholder_t)(void);
114
115/*
116 * Operations sorted alphabetically by primary object type and then method.
117 */
/*
 * BPF descriptor (struct bpf_d) entry points.
 *
 * check_receive sees the descriptor's label and the label of the interface
 * the packet came from.  As with every mpo_*_check_* entry point in this
 * header, it returns 0 to permit the operation and a non-zero errno to
 * deny it (framework convention).  create receives the caller's credential
 * along with the descriptor to label; create_mbuf presumably derives the
 * label of an mbuf produced by the descriptor from the descriptor's label.
 * init/destroy manage the policy's per-descriptor label storage.
 */
typedef	int	(*mpo_bpfdesc_check_receive_t)(struct bpf_d *d,
		    struct label *dlabel, struct ifnet *ifp,
		    struct label *ifplabel);
typedef void	(*mpo_bpfdesc_create_t)(struct ucred *cred,
		    struct bpf_d *d, struct label *dlabel);
typedef void	(*mpo_bpfdesc_create_mbuf_t)(struct bpf_d *d,
		    struct label *dlabel, struct mbuf *m,
		    struct label *mlabel);
typedef void	(*mpo_bpfdesc_destroy_label_t)(struct label *label);
typedef void	(*mpo_bpfdesc_init_label_t)(struct label *label);
128
/*
 * Credential (struct ucred) entry points.
 *
 * check_relabel: may cred take on newlabel?  check_visible: may the holder
 * of cr1 see the subject described by cr2 (presumably subject first,
 * object second -- confirm against the caller).  Both return 0/errno.
 *
 * externalize writes a textual form of label into sb; internalize parses
 * element_data back into label.  In both, element_name selects the label
 * element and *claimed is an out-flag the policy presumably sets when it
 * recognises that element -- confirm against the framework.  Text handed
 * to internalize originates outside the policy and must be parsed
 * defensively (bounded, rejecting malformed input with an errno).
 *
 * relabel applies a label change that check_relabel already approved; it
 * returns void and so cannot fail.
 */
typedef int	(*mpo_cred_check_relabel_t)(struct ucred *cred,
		    struct label *newlabel);
typedef int	(*mpo_cred_check_visible_t)(struct ucred *cr1,
		    struct ucred *cr2);
typedef void	(*mpo_cred_copy_label_t)(struct label *src,
		    struct label *dest);
typedef void	(*mpo_cred_destroy_label_t)(struct label *label);
typedef int	(*mpo_cred_externalize_label_t)(struct label *label,
		    char *element_name, struct sbuf *sb, int *claimed);
typedef void	(*mpo_cred_init_label_t)(struct label *label);
typedef int	(*mpo_cred_internalize_label_t)(struct label *label,
		    char *element_name, char *element_data, int *claimed);
typedef void	(*mpo_cred_relabel_t)(struct ucred *cred,
		    struct label *newlabel);
143
/*
 * devfs entry points: label devfs directory entries (struct devfs_dirent)
 * as devices, directories and symlinks appear, and keep them in sync with
 * the vnodes that represent them.
 *
 * create_directory passes dirname with an explicit dirnamelen; treat the
 * name as bounded by that length rather than assuming NUL termination.
 * create_symlink receives the parent directory (dd/ddlabel) as well as the
 * new entry (de/delabel).  update copies label state from a vnode back to
 * its dirent; vnode_associate does the reverse when a vnode is created
 * for a dirent, and also sees the mount label.  All are void: these are
 * labelling events, not access checks.
 */
typedef void	(*mpo_devfs_create_device_t)(struct ucred *cred,
		    struct mount *mp, struct cdev *dev,
		    struct devfs_dirent *de, struct label *delabel);
typedef void	(*mpo_devfs_create_directory_t)(struct mount *mp,
		    char *dirname, int dirnamelen, struct devfs_dirent *de,
		    struct label *delabel);
typedef void	(*mpo_devfs_create_symlink_t)(struct ucred *cred,
		    struct mount *mp, struct devfs_dirent *dd,
		    struct label *ddlabel, struct devfs_dirent *de,
		    struct label *delabel);
typedef void	(*mpo_devfs_destroy_label_t)(struct label *label);
typedef void	(*mpo_devfs_init_label_t)(struct label *label);
typedef void	(*mpo_devfs_update_t)(struct mount *mp,
		    struct devfs_dirent *de, struct label *delabel,
		    struct vnode *vp, struct label *vplabel);
typedef void	(*mpo_devfs_vnode_associate_t)(struct mount *mp,
		    struct label *mplabel, struct devfs_dirent *de,
		    struct label *delabel, struct vnode *vp,
		    struct label *vplabel);
163
/*
 * Network interface (struct ifnet) entry points.
 *
 * check_relabel: may cred change the interface label to newlabel?
 * check_transmit: may mbuf m (with mlabel) be sent on ifp?  Both 0/errno.
 * create labels a new interface; create_mbuf labels an mbuf presumably
 * generated by the interface itself from the interface's label.
 * externalize/internalize follow the same element_name/*claimed contract
 * as the cred variants; internalize input is untrusted text.
 * relabel applies an approved label change and cannot fail.
 */
typedef int	(*mpo_ifnet_check_relabel_t)(struct ucred *cred,
		    struct ifnet *ifp, struct label *ifplabel,
		    struct label *newlabel);
typedef int	(*mpo_ifnet_check_transmit_t)(struct ifnet *ifp,
		    struct label *ifplabel, struct mbuf *m,
		    struct label *mlabel);
typedef void	(*mpo_ifnet_copy_label_t)(struct label *src,
		    struct label *dest);
typedef void	(*mpo_ifnet_create_t)(struct ifnet *ifp,
		    struct label *ifplabel);
typedef void	(*mpo_ifnet_create_mbuf_t)(struct ifnet *ifp,
		    struct label *ifplabel, struct mbuf *m,
		    struct label *mlabel);
typedef void	(*mpo_ifnet_destroy_label_t)(struct label *label);
typedef int	(*mpo_ifnet_externalize_label_t)(struct label *label,
		    char *element_name, struct sbuf *sb, int *claimed);
typedef void	(*mpo_ifnet_init_label_t)(struct label *label);
typedef int	(*mpo_ifnet_internalize_label_t)(struct label *label,
		    char *element_name, char *element_data, int *claimed);
typedef void	(*mpo_ifnet_relabel_t)(struct ucred *cred, struct ifnet *ifp,
		    struct label *ifplabel, struct label *newlabel);
185
/*
 * Internet protocol control block (struct inpcb) entry points.
 *
 * check_deliver: may mbuf m be delivered to inp?  0/errno.
 * create labels a new inpcb from its owning socket; create_mbuf labels an
 * outbound mbuf from the inpcb; sosetlabel re-syncs the inpcb label after
 * the socket's label changed.
 *
 * Unlike most *_init_label entry points here, init_label returns int and
 * takes a flag, so it may fail -- the flag is presumably the caller's
 * allocation wait flag (M_WAITOK/M_NOWAIT); confirm against the callers.
 */
typedef int	(*mpo_inpcb_check_deliver_t)(struct inpcb *inp,
		    struct label *inplabel, struct mbuf *m,
		    struct label *mlabel);
typedef void	(*mpo_inpcb_create_t)(struct socket *so,
		    struct label *solabel, struct inpcb *inp,
		    struct label *inplabel);
typedef void	(*mpo_inpcb_create_mbuf_t)(struct inpcb *inp,
		    struct label *inplabel, struct mbuf *m,
		    struct label *mlabel);
typedef void	(*mpo_inpcb_destroy_label_t)(struct label *label);
typedef int	(*mpo_inpcb_init_label_t)(struct label *label, int flag);
typedef void	(*mpo_inpcb_sosetlabel_t)(struct socket *so,
		    struct label *label, struct inpcb *inp,
		    struct label *inplabel);
200
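/*
 * IP reassembly queue (struct ipq) entry points.
 *
 * create labels a new reassembly queue from the first fragment's mbuf.
 * match returns non-zero when fragment m may be placed on queue q (used
 * to keep fragments of differently-labelled datagrams apart); the exact
 * truth convention should be confirmed against the caller.  reassemble
 * labels the reassembled mbuf from the queue; update presumably refreshes
 * the queue label as further fragments arrive.  init_label returns int
 * and takes a flag (presumably M_WAITOK/M_NOWAIT) and so may fail.
 */
typedef void	(*mpo_ipq_create_t)(struct mbuf *m, struct label *mlabel,
		    struct ipq *q, struct label *qlabel);
typedef void	(*mpo_ipq_destroy_label_t)(struct label *label);
typedef int	(*mpo_ipq_init_label_t)(struct label *label, int flag);
typedef int	(*mpo_ipq_match_t)(struct mbuf *m, struct label *mlabel,
		    struct ipq *q, struct label *qlabel);
typedef void	(*mpo_ipq_reassemble_t)(struct ipq *q, struct label *qlabel,
		    struct mbuf *m, struct label *mlabel);
/*
 * Historical spelling without the _t suffix that every other entry-point
 * type in this header carries.  Kept as an alias because existing code
 * (including the mpo_ipq_reassemble member of struct mac_policy_ops)
 * refers to it; new code should use mpo_ipq_reassemble_t.
 */
typedef mpo_ipq_reassemble_t mpo_ipq_reassemble;
typedef void	(*mpo_ipq_update_t)(struct mbuf *m, struct label *mlabel,
		    struct ipq *q, struct label *qlabel);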
211
/*
 * Kernel environment (kenv(2)) checks, all 0/errno.  check_dump covers
 * reading the whole environment; get/set/unset take the variable name
 * (and, for set, its new value).  name and value are C strings that
 * presumably have already been copied in from userland by the caller --
 * confirm; the policy should still treat their content as untrusted.
 */
typedef int	(*mpo_kenv_check_dump_t)(struct ucred *cred);
typedef int	(*mpo_kenv_check_get_t)(struct ucred *cred, char *name);
typedef int	(*mpo_kenv_check_set_t)(struct ucred *cred, char *name,
		    char *value);
typedef int	(*mpo_kenv_check_unset_t)(struct ucred *cred, char *name);
217
/*
 * Kernel module (kld) checks, 0/errno.  check_load sees the vnode of the
 * module file about to be loaded and its label, which lets a policy
 * restrict module loading to appropriately labelled files; check_stat
 * covers querying loaded-module information.
 */
typedef int	(*mpo_kld_check_load_t)(struct ucred *cred, struct vnode *vp,
		    struct label *vplabel);
typedef int	(*mpo_kld_check_stat_t)(struct ucred *cred);
221
/*
 * mbuf label storage.  There are no mbuf check entry points; mbuf labels
 * are consumed by the ifnet/inpcb/socket checks above and below.
 * init_label returns int and takes a flag, so it may fail -- presumably
 * the allocation wait flag (M_WAITOK/M_NOWAIT); confirm against callers.
 */
typedef void	(*mpo_mbuf_copy_label_t)(struct label *src,
		    struct label *dest);
typedef void	(*mpo_mbuf_destroy_label_t)(struct label *label);
typedef int	(*mpo_mbuf_init_label_t)(struct label *label, int flag);
226
/*
 * Mount point (struct mount) entry points.  check_stat (0/errno) governs
 * statfs-style queries of the mount; create labels a new mount under the
 * mounting credential.  Mount labels are also passed to several vnode and
 * devfs entry points as mplabel.
 */
typedef int	(*mpo_mount_check_stat_t)(struct ucred *cred,
		    struct mount *mp, struct label *mplabel);
typedef void	(*mpo_mount_create_t)(struct ucred *cred, struct mount *mp,
		    struct label *mplabel);
typedef void	(*mpo_mount_destroy_label_t)(struct label *label);
typedef void	(*mpo_mount_init_label_t)(struct label *label);
233
/*
 * AppleTalk: label an AARP packet generated by the kernel for interface
 * ifp.  Void -- a labelling event, not a check; the later ifnet
 * check_transmit is what can still refuse the packet.
 */
typedef void	(*mpo_netatalk_aarp_send_t)(struct ifnet *ifp,
		    struct label *ifplabel, struct mbuf *m,
		    struct label *mlabel);
237
/*
 * IPv4 stack labelling events for packets the kernel generates itself.
 * All return void: they assign labels so that the existing ifnet/inpcb/
 * socket checks can later judge the packet.
 *
 * arp_send/igmp_send label a packet built for interface ifp.
 * firewall_reply/icmp_reply label a reply mbuf (msend) from the mbuf it
 * answers (mrecv); icmp_replyinplace covers the case where the received
 * mbuf is rewritten and reused as the reply, and tcp_reply a reply
 * segment (e.g. a RST) built without an inpcb.  firewall_send labels a
 * packet the firewall injects.  fragment labels each fragment from the
 * original datagram's label so that the label survives fragmentation.
 */
typedef void	(*mpo_netinet_arp_send_t)(struct ifnet *ifp,
		    struct label *ifplabel, struct mbuf *m,
		    struct label *mlabel);
typedef void	(*mpo_netinet_firewall_reply_t)(struct mbuf *mrecv,
		    struct label *mrecvlabel, struct mbuf *msend,
		    struct label *msendlabel);
typedef	void	(*mpo_netinet_firewall_send_t)(struct mbuf *m,
		    struct label *mlabel);
typedef void	(*mpo_netinet_fragment_t)(struct mbuf *m,
		    struct label *mlabel, struct mbuf *frag,
		    struct label *fraglabel);
typedef void	(*mpo_netinet_icmp_reply_t)(struct mbuf *mrecv,
		    struct label *mrecvlabel, struct mbuf *msend,
		    struct label *msendlabel);
typedef void	(*mpo_netinet_icmp_replyinplace_t)(struct mbuf *m,
		    struct label *mlabel);
typedef void	(*mpo_netinet_igmp_send_t)(struct ifnet *ifp,
		    struct label *ifplabel, struct mbuf *m,
		    struct label *mlabel);
typedef void	(*mpo_netinet_tcp_reply_t)(struct mbuf *m,
		    struct label *mlabel);
259
/*
 * IPv6 neighbour discovery: label an ND6 packet generated for interface
 * ifp.  Void labelling event, same shape as the IPv4 arp_send above.
 */
typedef void	(*mpo_netinet6_nd6_send_t)(struct ifnet *ifp,
		    struct label *ifplabel, struct mbuf *m,
		    struct label *mlabel);
263
/*
 * Pipe (struct pipepair -- one label covers both ends) entry points.
 *
 * The check_* entry points return 0/errno.  check_ioctl additionally
 * receives the ioctl command and its argument pointer; data has presumably
 * already been copied in by the ioctl layer, but its contents are still
 * caller-controlled.  The remaining checks (poll, read, stat, write,
 * relabel) take only the credential and the pipe.
 *
 * externalize/internalize share the element_name/*claimed contract used
 * for cred labels; internalize parses untrusted text.  relabel applies an
 * approved change (oldlabel -> newlabel) and cannot fail.
 */
typedef int	(*mpo_pipe_check_ioctl_t)(struct ucred *cred,
		    struct pipepair *pp, struct label *pplabel,
		    unsigned long cmd, void *data);
typedef int	(*mpo_pipe_check_poll_t)(struct ucred *cred,
		    struct pipepair *pp, struct label *pplabel);
typedef int	(*mpo_pipe_check_read_t)(struct ucred *cred,
		    struct pipepair *pp, struct label *pplabel);
typedef int	(*mpo_pipe_check_relabel_t)(struct ucred *cred,
		    struct pipepair *pp, struct label *pplabel,
		    struct label *newlabel);
typedef int	(*mpo_pipe_check_stat_t)(struct ucred *cred,
		    struct pipepair *pp, struct label *pplabel);
typedef int	(*mpo_pipe_check_write_t)(struct ucred *cred,
		    struct pipepair *pp, struct label *pplabel);
typedef void	(*mpo_pipe_copy_label_t)(struct label *src,
		    struct label *dest);
typedef void	(*mpo_pipe_create_t)(struct ucred *cred, struct pipepair *pp,
		    struct label *pplabel);
typedef void	(*mpo_pipe_destroy_label_t)(struct label *label);
typedef int	(*mpo_pipe_externalize_label_t)(struct label *label,
		    char *element_name, struct sbuf *sb, int *claimed);
typedef void	(*mpo_pipe_init_label_t)(struct label *label);
typedef int	(*mpo_pipe_internalize_label_t)(struct label *label,
		    char *element_name, char *element_data, int *claimed);
typedef void	(*mpo_pipe_relabel_t)(struct ucred *cred, struct pipepair *pp,
		    struct label *oldlabel, struct label *newlabel);
290
/*
 * POSIX named semaphore (struct ksem) entry points.
 *
 * check_getvalue/open/post/unlink/wait return 0/errno and all take the
 * same (cred, ks, kslabel) triple.  Note that there is no check on
 * close, and open is the only gate for acquiring a reference: a policy
 * that wants to deny use of a semaphore must deny it at open.  create
 * labels a newly created semaphore under the creating credential.
 */
typedef int	(*mpo_posixsem_check_getvalue_t)(struct ucred *cred,
		    struct ksem *ks, struct label *kslabel);
typedef int	(*mpo_posixsem_check_open_t)(struct ucred *cred,
		    struct ksem *ks, struct label *kslabel);
typedef int	(*mpo_posixsem_check_post_t)(struct ucred *cred,
		    struct ksem *ks, struct label *kslabel);
typedef int	(*mpo_posixsem_check_unlink_t)(struct ucred *cred,
		    struct ksem *ks, struct label *kslabel);
typedef int	(*mpo_posixsem_check_wait_t)(struct ucred *cred,
		    struct ksem *ks, struct label *kslabel);
typedef void	(*mpo_posixsem_create_t)(struct ucred *cred,
		    struct ksem *ks, struct label *kslabel);
typedef void    (*mpo_posixsem_destroy_label_t)(struct label *label);
typedef void    (*mpo_posixsem_init_label_t)(struct label *label);
305
/*
 * POSIX shared memory object (struct shmfd) entry points, checks 0/errno.
 *
 * check_mmap sees the requested protection and mmap flags; a policy that
 * restricts writable or executable mappings must inspect prot here since
 * there is no later mprotect check for shmfd objects in this header.
 * check_stat and check_truncate take two credentials: active_cred is the
 * credential of the calling thread and file_cred the one presumably
 * recorded when the descriptor was opened -- confirm against the caller;
 * the other checks take only the caller's credential.  create labels a
 * new object under the creating credential.
 */
typedef int	(*mpo_posixshm_check_mmap_t)(struct ucred *cred,
		    struct shmfd *shmfd, struct label *shmlabel, int prot,
		    int flags);
typedef int	(*mpo_posixshm_check_open_t)(struct ucred *cred,
		    struct shmfd *shmfd, struct label *shmlabel);
typedef int	(*mpo_posixshm_check_stat_t)(struct ucred *active_cred,
		    struct ucred *file_cred, struct shmfd *shmfd,
		    struct label *shmlabel);
typedef int	(*mpo_posixshm_check_truncate_t)(struct ucred *active_cred,
		    struct ucred *file_cred, struct shmfd *shmfd,
		    struct label *shmlabel);
typedef int	(*mpo_posixshm_check_unlink_t)(struct ucred *cred,
		    struct shmfd *shmfd, struct label *shmlabel);
typedef void	(*mpo_posixshm_create_t)(struct ucred *cred,
		    struct shmfd *shmfd, struct label *shmlabel);
typedef void	(*mpo_posixshm_destroy_label_t)(struct label *label);
typedef void	(*mpo_posixshm_init_label_t)(struct label *label);
323
/*
 * Kernel privilege (priv(9)) hooks, both taking the requesting credential
 * and a privilege identifier.  check lets a policy veto a privilege the
 * base system would otherwise allow; grant lets a policy extend one that
 * the base system would otherwise refuse.  Because grant can widen
 * access, it deserves the most scrutiny in any policy that implements it.
 * The exact return convention (0 = permit/grant, errno otherwise) should
 * be confirmed against the priv(9) caller.
 */
typedef int	(*mpo_priv_check_t)(struct ucred *cred, int priv);
typedef int	(*mpo_priv_grant_t)(struct ucred *cred, int priv);
326
/*
 * Process / credential-change entry points.
 *
 * associate_nfsd, create_init and create_swapper are void labelling
 * events for specially created kernel credentials.
 *
 * check_debug/check_sched/check_signal/check_wait (0/errno) gate one
 * process acting on another (p / proc); check_signal also sees signum.
 *
 * The check_set* family gates identity changes.  The set*uid/gid checks
 * receive the requested ids by value; check_setgroups receives the new
 * group set as an explicit count plus array, so gidset must only be read
 * within ngroups entries.  check_setaudit/check_setaudit_addr/
 * check_setauid gate changes to the audit state of the process.
 *
 * There are no proc-level externalize/internalize entry points: process
 * labels are reached through the credential (struct ucred) label.
 */
typedef void	(*mpo_proc_associate_nfsd_t)(struct ucred *cred);
typedef int	(*mpo_proc_check_debug_t)(struct ucred *cred,
		    struct proc *p);
typedef int	(*mpo_proc_check_sched_t)(struct ucred *cred,
		    struct proc *p);
typedef int	(*mpo_proc_check_setaudit_t)(struct ucred *cred,
		    struct auditinfo *ai);
typedef int	(*mpo_proc_check_setaudit_addr_t)(struct ucred *cred,
		    struct auditinfo_addr *aia);
typedef int	(*mpo_proc_check_setauid_t)(struct ucred *cred, uid_t auid);
typedef int	(*mpo_proc_check_setegid_t)(struct ucred *cred, gid_t egid);
typedef int	(*mpo_proc_check_seteuid_t)(struct ucred *cred, uid_t euid);
typedef int	(*mpo_proc_check_setgid_t)(struct ucred *cred, gid_t gid);
typedef int	(*mpo_proc_check_setgroups_t)(struct ucred *cred, int ngroups,
		    gid_t *gidset);
typedef int	(*mpo_proc_check_setregid_t)(struct ucred *cred, gid_t rgid,
		    gid_t egid);
typedef int	(*mpo_proc_check_setresgid_t)(struct ucred *cred, gid_t rgid,
		    gid_t egid, gid_t sgid);
typedef int	(*mpo_proc_check_setresuid_t)(struct ucred *cred, uid_t ruid,
		    uid_t euid, uid_t suid);
typedef int	(*mpo_proc_check_setreuid_t)(struct ucred *cred, uid_t ruid,
		    uid_t euid);
typedef int	(*mpo_proc_check_setuid_t)(struct ucred *cred, uid_t uid);
typedef int	(*mpo_proc_check_signal_t)(struct ucred *cred,
		    struct proc *proc, int signum);
typedef int	(*mpo_proc_check_wait_t)(struct ucred *cred,
		    struct proc *proc);
typedef void	(*mpo_proc_create_init_t)(struct ucred *cred);
typedef void	(*mpo_proc_create_swapper_t)(struct ucred *cred);
typedef void	(*mpo_proc_destroy_label_t)(struct label *label);
typedef void	(*mpo_proc_init_label_t)(struct label *label);
359
/*
 * Socket (struct socket) entry points.
 *
 * Checks return 0/errno.  Most take (cred, so, solabel); check_bind and
 * check_connect additionally see the address (sa), whose length and
 * family the policy should validate before interpreting it.  check_create
 * is evaluated before a socket exists and so sees only the credential and
 * the (domain, type, protocol) triple.  check_deliver is the one check
 * without a credential: it asks whether an inbound mbuf may be queued on
 * the socket.
 *
 * create labels a new socket; create_mbuf labels an outbound mbuf from the
 * socket; newconn labels a socket accepted from a listening socket.
 * init_label returns int and takes a flag (presumably M_WAITOK/M_NOWAIT)
 * and so may fail, unlike most *_init_label entry points.
 * externalize/internalize share the element_name/*claimed contract used
 * for cred labels; relabel applies an approved change and cannot fail.
 */
typedef int	(*mpo_socket_check_accept_t)(struct ucred *cred,
		    struct socket *so, struct label *solabel);
typedef int	(*mpo_socket_check_bind_t)(struct ucred *cred,
		    struct socket *so, struct label *solabel,
		    struct sockaddr *sa);
typedef int	(*mpo_socket_check_connect_t)(struct ucred *cred,
		    struct socket *so, struct label *solabel,
		    struct sockaddr *sa);
typedef int	(*mpo_socket_check_create_t)(struct ucred *cred, int domain,
		    int type, int protocol);
typedef int	(*mpo_socket_check_deliver_t)(struct socket *so,
		    struct label *solabel, struct mbuf *m,
		    struct label *mlabel);
typedef int	(*mpo_socket_check_listen_t)(struct ucred *cred,
		    struct socket *so, struct label *solabel);
typedef int	(*mpo_socket_check_poll_t)(struct ucred *cred,
		    struct socket *so, struct label *solabel);
typedef int	(*mpo_socket_check_receive_t)(struct ucred *cred,
		    struct socket *so, struct label *solabel);
typedef int	(*mpo_socket_check_relabel_t)(struct ucred *cred,
		    struct socket *so, struct label *solabel,
		    struct label *newlabel);
typedef int	(*mpo_socket_check_send_t)(struct ucred *cred,
		    struct socket *so, struct label *solabel);
typedef int	(*mpo_socket_check_stat_t)(struct ucred *cred,
		    struct socket *so, struct label *solabel);
typedef int	(*mpo_socket_check_visible_t)(struct ucred *cred,
		    struct socket *so, struct label *solabel);
typedef void	(*mpo_socket_copy_label_t)(struct label *src,
		    struct label *dest);
typedef void	(*mpo_socket_create_t)(struct ucred *cred, struct socket *so,
		    struct label *solabel);
typedef void	(*mpo_socket_create_mbuf_t)(struct socket *so,
		    struct label *solabel, struct mbuf *m,
		    struct label *mlabel);
typedef void	(*mpo_socket_destroy_label_t)(struct label *label);
typedef int	(*mpo_socket_externalize_label_t)(struct label *label,
		    char *element_name, struct sbuf *sb, int *claimed);
typedef int	(*mpo_socket_init_label_t)(struct label *label, int flag);
typedef int	(*mpo_socket_internalize_label_t)(struct label *label,
		    char *element_name, char *element_data, int *claimed);
typedef void	(*mpo_socket_newconn_t)(struct socket *oldso,
		    struct label *oldsolabel, struct socket *newso,
		    struct label *newsolabel);
typedef void	(*mpo_socket_relabel_t)(struct ucred *cred, struct socket *so,
		    struct label *oldlabel, struct label *newlabel);
406
/*
 * Socket peer label: a second label on a socket describing the remote
 * endpoint.  It is only ever externalized (read back), never internalized,
 * and is set by the kernel from either the first received mbuf
 * (set_from_mbuf) or, for local connections, the peer socket's label
 * (set_from_socket).  init_label returns int and takes a flag (presumably
 * M_WAITOK/M_NOWAIT) and so may fail.
 */
typedef void	(*mpo_socketpeer_destroy_label_t)(struct label *label);
typedef int	(*mpo_socketpeer_externalize_label_t)(struct label *label,
		    char *element_name, struct sbuf *sb, int *claimed);
typedef int	(*mpo_socketpeer_init_label_t)(struct label *label,
		    int flag);
typedef void	(*mpo_socketpeer_set_from_mbuf_t)(struct mbuf *m,
		    struct label *mlabel, struct socket *so,
		    struct label *sopeerlabel);
typedef void	(*mpo_socketpeer_set_from_socket_t)(struct socket *oldso,
		    struct label *oldsolabel, struct socket *newso,
		    struct label *newsopeerlabel);
418
/*
 * TCP SYN cache entry labels.  create derives the cache entry's label
 * from the listening inpcb; create_mbuf labels a packet (presumably the
 * SYN/ACK) generated from the cache entry so that it carries the right
 * label before the connection has a socket.  init_label returns int and
 * takes a flag (presumably M_WAITOK/M_NOWAIT) and so may fail.
 */
typedef void	(*mpo_syncache_create_t)(struct label *label,
		    struct inpcb *inp);
typedef void	(*mpo_syncache_create_mbuf_t)(struct label *sc_label,
		    struct mbuf *m, struct label *mlabel);
typedef void	(*mpo_syncache_destroy_label_t)(struct label *label);
typedef int	(*mpo_syncache_init_label_t)(struct label *label, int flag);
425
/*
 * System-wide administrative checks, all 0/errno.
 *
 * check_acct, check_auditctl, check_swapon and check_swapoff receive the
 * vnode (and its label) being designated as the accounting file, audit
 * log or swap device.  check_audit receives a raw audit record buffer
 * with an explicit length: record must only be read within length bytes
 * and its content treated as untrusted.  check_auditon and check_reboot
 * see the command / howto word.  check_sysctl sees the OID, its two
 * handler arguments and the request; since sysctl requests can both read
 * and write kernel state, a policy should presumably distinguish the two
 * via req -- confirm against the caller.
 */
typedef int	(*mpo_system_check_acct_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel);
typedef int	(*mpo_system_check_audit_t)(struct ucred *cred, void *record,
		    int length);
typedef int	(*mpo_system_check_auditctl_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel);
typedef int	(*mpo_system_check_auditon_t)(struct ucred *cred, int cmd);
typedef int	(*mpo_system_check_reboot_t)(struct ucred *cred, int howto);
typedef int	(*mpo_system_check_swapon_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel);
typedef int	(*mpo_system_check_swapoff_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel);
typedef int	(*mpo_system_check_sysctl_t)(struct ucred *cred,
		    struct sysctl_oid *oidp, void *arg1, int arg2,
		    struct sysctl_req *req);
441
/*
 * System V message (struct msg) labels.  create labels a new message from
 * the creating credential and the queue it is placed on.  cleanup
 * recycles the label for re-use without a destroy/init cycle (a System V
 * IPC object slot is reused rather than freed), so it must fully reset
 * the policy's state.
 */
typedef void	(*mpo_sysvmsg_cleanup_t)(struct label *msglabel);
typedef void	(*mpo_sysvmsg_create_t)(struct ucred *cred,
		    struct msqid_kernel *msqkptr, struct label *msqlabel,
		    struct msg *msgptr, struct label *msglabel);
typedef void	(*mpo_sysvmsg_destroy_label_t)(struct label *label);
typedef void	(*mpo_sysvmsg_init_label_t)(struct label *label);
448
/*
 * System V message queue (struct msqid_kernel) entry points.
 *
 * Checks return 0/errno.  check_msgmsq gates placing a specific message
 * on a specific queue and so sees both labels; check_msgrcv/check_msgrmid
 * gate receiving / removing an individual message; check_msqget/msqctl/
 * msqrcv/msqsnd gate access to the queue itself, msqctl with the control
 * command.  cleanup recycles the queue label for re-use without a
 * destroy/init cycle and must fully reset the policy's state.
 */
typedef int	(*mpo_sysvmsq_check_msgmsq_t)(struct ucred *cred,
		    struct msg *msgptr, struct label *msglabel,
		    struct msqid_kernel *msqkptr, struct label *msqklabel);
typedef int	(*mpo_sysvmsq_check_msgrcv_t)(struct ucred *cred,
		    struct msg *msgptr, struct label *msglabel);
typedef int	(*mpo_sysvmsq_check_msgrmid_t)(struct ucred *cred,
		    struct msg *msgptr, struct label *msglabel);
typedef int	(*mpo_sysvmsq_check_msqget_t)(struct ucred *cred,
		    struct msqid_kernel *msqkptr, struct label *msqklabel);
typedef int	(*mpo_sysvmsq_check_msqctl_t)(struct ucred *cred,
		    struct msqid_kernel *msqkptr, struct label *msqklabel,
		    int cmd);
typedef int	(*mpo_sysvmsq_check_msqrcv_t)(struct ucred *cred,
		    struct msqid_kernel *msqkptr, struct label *msqklabel);
typedef int	(*mpo_sysvmsq_check_msqsnd_t)(struct ucred *cred,
		    struct msqid_kernel *msqkptr, struct label *msqklabel);
typedef void	(*mpo_sysvmsq_cleanup_t)(struct label *msqlabel);
typedef void	(*mpo_sysvmsq_create_t)(struct ucred *cred,
		    struct msqid_kernel *msqkptr, struct label *msqlabel);
typedef void	(*mpo_sysvmsq_destroy_label_t)(struct label *label);
typedef void	(*mpo_sysvmsq_init_label_t)(struct label *label);
470
/*
 * System V semaphore set (struct semid_kernel) entry points.
 *
 * Checks return 0/errno: check_semctl sees the control command,
 * check_semop the requested access type (a size_t; its encoding should be
 * confirmed against the caller), check_semget only the set.  cleanup
 * recycles the label for re-use without a destroy/init cycle and must
 * fully reset the policy's state.
 */
typedef int	(*mpo_sysvsem_check_semctl_t)(struct ucred *cred,
		    struct semid_kernel *semakptr, struct label *semaklabel,
		    int cmd);
typedef int	(*mpo_sysvsem_check_semget_t)(struct ucred *cred,
		    struct semid_kernel *semakptr, struct label *semaklabel);
typedef int	(*mpo_sysvsem_check_semop_t)(struct ucred *cred,
		    struct semid_kernel *semakptr, struct label *semaklabel,
		    size_t accesstype);
typedef void	(*mpo_sysvsem_cleanup_t)(struct label *semalabel);
typedef void	(*mpo_sysvsem_create_t)(struct ucred *cred,
		    struct semid_kernel *semakptr, struct label *semalabel);
typedef void	(*mpo_sysvsem_destroy_label_t)(struct label *label);
typedef void	(*mpo_sysvsem_init_label_t)(struct label *label);
484
/*
 * System V shared memory segment (struct shmid_kernel) entry points.
 *
 * Checks return 0/errno.  check_shmat and check_shmget see the shmflg
 * word; a policy restricting writable attachments must inspect it at
 * shmat time, as there is no later protection-change check for segments.
 * check_shmctl sees the control command; check_shmdt only the segment.
 * cleanup recycles the label for re-use without a destroy/init cycle and
 * must fully reset the policy's state.
 */
typedef int	(*mpo_sysvshm_check_shmat_t)(struct ucred *cred,
		    struct shmid_kernel *shmsegptr,
		    struct label *shmseglabel, int shmflg);
typedef int	(*mpo_sysvshm_check_shmctl_t)(struct ucred *cred,
		    struct shmid_kernel *shmsegptr,
		    struct label *shmseglabel, int cmd);
typedef int	(*mpo_sysvshm_check_shmdt_t)(struct ucred *cred,
		    struct shmid_kernel *shmsegptr,
		    struct label *shmseglabel);
typedef int	(*mpo_sysvshm_check_shmget_t)(struct ucred *cred,
		    struct shmid_kernel *shmsegptr,
		    struct label *shmseglabel, int shmflg);
typedef void	(*mpo_sysvshm_cleanup_t)(struct label *shmlabel);
typedef void	(*mpo_sysvshm_create_t)(struct ucred *cred,
		    struct shmid_kernel *shmsegptr, struct label *shmlabel);
typedef void	(*mpo_sysvshm_destroy_label_t)(struct label *label);
typedef void	(*mpo_sysvshm_init_label_t)(struct label *label);
502
/*
 * Invoked for a thread about to return to user mode; no label or
 * credential is passed, only the thread.  Void, so it cannot block the
 * return -- suited to bookkeeping or deferred label updates, not checks.
 */
typedef void	(*mpo_thread_userret_t)(struct thread *thread);
504
/*
 * Vnode (struct vnode) entry points -- the file system interface.
 *
 * Label persistence: associate_extattr loads a vnode label from the file
 * system's extended attributes (int return, so it may fail, e.g. when
 * the attribute is absent or malformed); associate_singlelabel applies
 * the mount's single label to a vnode instead.  create_extattr and
 * setlabel_extattr write a label out as extended attributes, and likewise
 * return int so a write failure can be reported.  Data read back from
 * extended attributes is persisted storage and should be validated before
 * being trusted as a label.
 *
 * Checks return 0/errno.  Directory operations (chdir, chroot, create,
 * lookup, readdir) take the directory vnode as dvp/dvplabel; link,
 * rename_from/rename_to and unlink see both the directory and the target
 * vnode, plus the component name.  rename_to additionally receives
 * samedir and may be handed a NULL vp when no file exists at the target
 * name -- confirm against the caller and check before dereferencing.
 *
 * check_poll/read/stat/write take two credentials: active_cred is the
 * credential of the calling thread and file_cred presumably the one
 * recorded at open time -- confirm against the caller.  check_access and
 * check_open see the requested acc_mode.  check_mmap sees prot and flags;
 * its label parameter is named `label' rather than `vplabel' like its
 * siblings -- a naming inconsistency only, since parameter names in a
 * typedef have no effect.  check_mmap_downgrade returns void and receives
 * prot by pointer: it cannot deny the mapping but may reduce *prot in
 * place.  check_mprotect gates later protection changes.  check_setacl/
 * getacl/deleteacl see the ACL type; the *extattr checks see the
 * attribute namespace and, except for listextattr, the attribute name.
 * check_setutimes receives the two timespecs by value.
 *
 * check_exec is evaluated with the image parameters and the would-be
 * execution label (execlabel) before an execve.  execve_will_transition
 * (int) asks whether the policy wants a credential change on this exec;
 * execve_transition (void) then fills the new credential from the old
 * one.  Both also see the interpreter vnode label (interpvplabel), which
 * matters for scripts where the interpreter, not the script, is the
 * object actually executed.
 *
 * externalize/internalize share the element_name/*claimed contract used
 * for cred labels; relabel applies an approved label change and cannot
 * fail.
 */
typedef int	(*mpo_vnode_associate_extattr_t)(struct mount *mp,
		    struct label *mplabel, struct vnode *vp,
		    struct label *vplabel);
typedef void	(*mpo_vnode_associate_singlelabel_t)(struct mount *mp,
		    struct label *mplabel, struct vnode *vp,
		    struct label *vplabel);
typedef int	(*mpo_vnode_check_access_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel, int acc_mode);
typedef int	(*mpo_vnode_check_chdir_t)(struct ucred *cred,
		    struct vnode *dvp, struct label *dvplabel);
typedef int	(*mpo_vnode_check_chroot_t)(struct ucred *cred,
		    struct vnode *dvp, struct label *dvplabel);
typedef int	(*mpo_vnode_check_create_t)(struct ucred *cred,
		    struct vnode *dvp, struct label *dvplabel,
		    struct componentname *cnp, struct vattr *vap);
typedef int	(*mpo_vnode_check_deleteacl_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel,
		    acl_type_t type);
typedef int	(*mpo_vnode_check_deleteextattr_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel,
		    int attrnamespace, const char *name);
typedef int	(*mpo_vnode_check_exec_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel,
		    struct image_params *imgp, struct label *execlabel);
typedef int	(*mpo_vnode_check_getacl_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel,
		    acl_type_t type);
typedef int	(*mpo_vnode_check_getextattr_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel,
		    int attrnamespace, const char *name, struct uio *uio);
typedef int	(*mpo_vnode_check_link_t)(struct ucred *cred,
		    struct vnode *dvp, struct label *dvplabel,
		    struct vnode *vp, struct label *vplabel,
		    struct componentname *cnp);
typedef int	(*mpo_vnode_check_listextattr_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel,
		    int attrnamespace);
typedef int	(*mpo_vnode_check_lookup_t)(struct ucred *cred,
		    struct vnode *dvp, struct label *dvplabel,
		    struct componentname *cnp);
typedef int	(*mpo_vnode_check_mmap_t)(struct ucred *cred,
		    struct vnode *vp, struct label *label, int prot,
		    int flags);
typedef void	(*mpo_vnode_check_mmap_downgrade_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel, int *prot);
typedef int	(*mpo_vnode_check_mprotect_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel, int prot);
typedef int	(*mpo_vnode_check_open_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel, int acc_mode);
typedef int	(*mpo_vnode_check_poll_t)(struct ucred *active_cred,
		    struct ucred *file_cred, struct vnode *vp,
		    struct label *vplabel);
typedef int	(*mpo_vnode_check_read_t)(struct ucred *active_cred,
		    struct ucred *file_cred, struct vnode *vp,
		    struct label *vplabel);
typedef int	(*mpo_vnode_check_readdir_t)(struct ucred *cred,
		    struct vnode *dvp, struct label *dvplabel);
typedef int	(*mpo_vnode_check_readlink_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel);
typedef int	(*mpo_vnode_check_relabel_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel,
		    struct label *newlabel);
typedef int	(*mpo_vnode_check_rename_from_t)(struct ucred *cred,
		    struct vnode *dvp, struct label *dvplabel,
		    struct vnode *vp, struct label *vplabel,
		    struct componentname *cnp);
typedef int	(*mpo_vnode_check_rename_to_t)(struct ucred *cred,
		    struct vnode *dvp, struct label *dvplabel,
		    struct vnode *vp, struct label *vplabel, int samedir,
		    struct componentname *cnp);
typedef int	(*mpo_vnode_check_revoke_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel);
typedef int	(*mpo_vnode_check_setacl_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel, acl_type_t type,
		    struct acl *acl);
typedef int	(*mpo_vnode_check_setextattr_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel,
		    int attrnamespace, const char *name, struct uio *uio);
typedef int	(*mpo_vnode_check_setflags_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel, u_long flags);
typedef int	(*mpo_vnode_check_setmode_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel, mode_t mode);
typedef int	(*mpo_vnode_check_setowner_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel, uid_t uid,
		    gid_t gid);
typedef int	(*mpo_vnode_check_setutimes_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel,
		    struct timespec atime, struct timespec mtime);
typedef int	(*mpo_vnode_check_stat_t)(struct ucred *active_cred,
		    struct ucred *file_cred, struct vnode *vp,
		    struct label *vplabel);
typedef int	(*mpo_vnode_check_unlink_t)(struct ucred *cred,
		    struct vnode *dvp, struct label *dvplabel,
		    struct vnode *vp, struct label *vplabel,
		    struct componentname *cnp);
typedef int	(*mpo_vnode_check_write_t)(struct ucred *active_cred,
		    struct ucred *file_cred, struct vnode *vp,
		    struct label *vplabel);
typedef void	(*mpo_vnode_copy_label_t)(struct label *src,
		    struct label *dest);
typedef int	(*mpo_vnode_create_extattr_t)(struct ucred *cred,
		    struct mount *mp, struct label *mplabel,
		    struct vnode *dvp, struct label *dvplabel,
		    struct vnode *vp, struct label *vplabel,
		    struct componentname *cnp);
typedef void	(*mpo_vnode_destroy_label_t)(struct label *label);
typedef void	(*mpo_vnode_execve_transition_t)(struct ucred *old,
		    struct ucred *new, struct vnode *vp,
		    struct label *vplabel, struct label *interpvplabel,
		    struct image_params *imgp, struct label *execlabel);
typedef int	(*mpo_vnode_execve_will_transition_t)(struct ucred *old,
		    struct vnode *vp, struct label *vplabel,
		    struct label *interpvplabel, struct image_params *imgp,
		    struct label *execlabel);
typedef int	(*mpo_vnode_externalize_label_t)(struct label *label,
		    char *element_name, struct sbuf *sb, int *claimed);
typedef void	(*mpo_vnode_init_label_t)(struct label *label);
typedef int	(*mpo_vnode_internalize_label_t)(struct label *label,
		    char *element_name, char *element_data, int *claimed);
typedef void	(*mpo_vnode_relabel_t)(struct ucred *cred, struct vnode *vp,
		    struct label *vplabel, struct label *label);
typedef int	(*mpo_vnode_setlabel_extattr_t)(struct ucred *cred,
		    struct vnode *vp, struct label *vplabel,
		    struct label *intlabel);
629
/*
 * struct mac_policy_ops is the table of entry points a policy module hands
 * to the MAC Framework via MAC_POLICY_SET().  Every member is a function
 * pointer; a policy that does not implement an entry point leaves it NULL
 * (the framework is expected to skip NULL entries -- confirm in
 * mac_framework).  The order of members is part of the policy ABI that
 * MAC_VERSION describes: adding, removing or reordering a member requires a
 * MAC_VERSION bump, otherwise a stale policy module could be loaded and
 * called through the wrong slot.
 */
struct mac_policy_ops {
	/*
	 * Policy module operations, presumably invoked when the policy is
	 * registered and unregistered.
	 */
	mpo_destroy_t				mpo_destroy;
	mpo_init_t				mpo_init;

	/*
	 * General policy-directed security system call so that policies may
	 * implement new services without reserving explicit system call
	 * numbers.  Arguments arrive straight from userland, so a policy's
	 * implementation is an untrusted-input boundary.
	 */
	mpo_syscall_t				mpo_syscall;

	/*
	 * Per-object entry points, grouped by kernel object type.  Within a
	 * group the names follow a common pattern: *_init_label and
	 * *_destroy_label manage label storage, *_copy_label copies one label
	 * into another, *_externalize_label / *_internalize_label convert a
	 * label to/from text, *_create* and *_relabel set labels, and
	 * *_check_* entries are presumably authorisation hooks consulted
	 * before the named operation proceeds (return convention is not
	 * visible here -- confirm in the framework).  There is no "recycle"
	 * entry point in this table despite older descriptions of the
	 * interface.
	 */
	mpo_bpfdesc_check_receive_t		mpo_bpfdesc_check_receive;
	mpo_bpfdesc_create_t			mpo_bpfdesc_create;
	mpo_bpfdesc_create_mbuf_t		mpo_bpfdesc_create_mbuf;
	mpo_bpfdesc_destroy_label_t		mpo_bpfdesc_destroy_label;
	mpo_bpfdesc_init_label_t		mpo_bpfdesc_init_label;

	/* Process credentials: label lifecycle, relabel and visibility checks. */
	mpo_cred_check_relabel_t		mpo_cred_check_relabel;
	mpo_cred_check_visible_t		mpo_cred_check_visible;
	mpo_cred_copy_label_t			mpo_cred_copy_label;
	mpo_cred_destroy_label_t		mpo_cred_destroy_label;
	mpo_cred_externalize_label_t		mpo_cred_externalize_label;
	mpo_cred_init_label_t			mpo_cred_init_label;
	mpo_cred_internalize_label_t		mpo_cred_internalize_label;
	mpo_cred_relabel_t			mpo_cred_relabel;

	/* devfs nodes; labels are presumably carried over to the vnode by
	 * mpo_devfs_vnode_associate. */
	mpo_devfs_create_device_t		mpo_devfs_create_device;
	mpo_devfs_create_directory_t		mpo_devfs_create_directory;
	mpo_devfs_create_symlink_t		mpo_devfs_create_symlink;
	mpo_devfs_destroy_label_t		mpo_devfs_destroy_label;
	mpo_devfs_init_label_t			mpo_devfs_init_label;
	mpo_devfs_update_t			mpo_devfs_update;
	mpo_devfs_vnode_associate_t		mpo_devfs_vnode_associate;

	/* Network interfaces. */
	mpo_ifnet_check_relabel_t		mpo_ifnet_check_relabel;
	mpo_ifnet_check_transmit_t		mpo_ifnet_check_transmit;
	mpo_ifnet_copy_label_t			mpo_ifnet_copy_label;
	mpo_ifnet_create_t			mpo_ifnet_create;
	mpo_ifnet_create_mbuf_t			mpo_ifnet_create_mbuf;
	mpo_ifnet_destroy_label_t		mpo_ifnet_destroy_label;
	mpo_ifnet_externalize_label_t		mpo_ifnet_externalize_label;
	mpo_ifnet_init_label_t			mpo_ifnet_init_label;
	mpo_ifnet_internalize_label_t		mpo_ifnet_internalize_label;
	mpo_ifnet_relabel_t			mpo_ifnet_relabel;

	/* Internet protocol control blocks. */
	mpo_inpcb_check_deliver_t		mpo_inpcb_check_deliver;
	mpo_inpcb_create_t			mpo_inpcb_create;
	mpo_inpcb_create_mbuf_t			mpo_inpcb_create_mbuf;
	mpo_inpcb_destroy_label_t		mpo_inpcb_destroy_label;
	mpo_inpcb_init_label_t			mpo_inpcb_init_label;
	mpo_inpcb_sosetlabel_t			mpo_inpcb_sosetlabel;

	/*
	 * IP fragment reassembly queues.  NOTE(review): the type of
	 * mpo_ipq_reassemble lacks the _t suffix every other member uses;
	 * the typedef (outside this view) must be spelled the same way for
	 * this to compile, so rename both together when tidying.
	 */
	mpo_ipq_create_t			mpo_ipq_create;
	mpo_ipq_destroy_label_t			mpo_ipq_destroy_label;
	mpo_ipq_init_label_t			mpo_ipq_init_label;
	mpo_ipq_match_t				mpo_ipq_match;
	mpo_ipq_reassemble			mpo_ipq_reassemble;
	mpo_ipq_update_t			mpo_ipq_update;

	/*
	 * Kernel environment (kenv) access.  The environment can carry boot
	 * loader settings and tunables, so a policy wanting to confine an
	 * otherwise-privileged process should cover all four operations.
	 */
	mpo_kenv_check_dump_t			mpo_kenv_check_dump;
	mpo_kenv_check_get_t			mpo_kenv_check_get;
	mpo_kenv_check_set_t			mpo_kenv_check_set;
	mpo_kenv_check_unset_t			mpo_kenv_check_unset;

	/* Kernel module loading and status. */
	mpo_kld_check_load_t			mpo_kld_check_load;
	mpo_kld_check_stat_t			mpo_kld_check_stat;

	/* mbufs: label storage only; labels are set by the *_create_mbuf
	 * entries of the originating object. */
	mpo_mbuf_copy_label_t			mpo_mbuf_copy_label;
	mpo_mbuf_destroy_label_t		mpo_mbuf_destroy_label;
	mpo_mbuf_init_label_t			mpo_mbuf_init_label;

	/* Mount points. */
	mpo_mount_check_stat_t			mpo_mount_check_stat;
	mpo_mount_create_t			mpo_mount_create;
	mpo_mount_destroy_label_t		mpo_mount_destroy_label;
	mpo_mount_init_label_t			mpo_mount_init_label;

	/*
	 * Labeling of packets generated inside the network stacks (ARP, ND6,
	 * ICMP/TCP replies, firewall replies, fragments, IGMP) -- from the
	 * names; these have no *_check_* counterpart here.
	 */
	mpo_netatalk_aarp_send_t		mpo_netatalk_aarp_send;

	mpo_netinet_arp_send_t			mpo_netinet_arp_send;
	mpo_netinet_firewall_reply_t		mpo_netinet_firewall_reply;
	mpo_netinet_firewall_send_t		mpo_netinet_firewall_send;
	mpo_netinet_fragment_t			mpo_netinet_fragment;
	mpo_netinet_icmp_reply_t		mpo_netinet_icmp_reply;
	mpo_netinet_icmp_replyinplace_t		mpo_netinet_icmp_replyinplace;
	mpo_netinet_igmp_send_t			mpo_netinet_igmp_send;
	mpo_netinet_tcp_reply_t			mpo_netinet_tcp_reply;

	mpo_netinet6_nd6_send_t			mpo_netinet6_nd6_send;

	/* Pipes. */
	mpo_pipe_check_ioctl_t			mpo_pipe_check_ioctl;
	mpo_pipe_check_poll_t			mpo_pipe_check_poll;
	mpo_pipe_check_read_t			mpo_pipe_check_read;
	mpo_pipe_check_relabel_t		mpo_pipe_check_relabel;
	mpo_pipe_check_stat_t			mpo_pipe_check_stat;
	mpo_pipe_check_write_t			mpo_pipe_check_write;
	mpo_pipe_copy_label_t			mpo_pipe_copy_label;
	mpo_pipe_create_t			mpo_pipe_create;
	mpo_pipe_destroy_label_t		mpo_pipe_destroy_label;
	mpo_pipe_externalize_label_t		mpo_pipe_externalize_label;
	mpo_pipe_init_label_t			mpo_pipe_init_label;
	mpo_pipe_internalize_label_t		mpo_pipe_internalize_label;
	mpo_pipe_relabel_t			mpo_pipe_relabel;

	/* POSIX named semaphores. */
	mpo_posixsem_check_getvalue_t		mpo_posixsem_check_getvalue;
	mpo_posixsem_check_open_t		mpo_posixsem_check_open;
	mpo_posixsem_check_post_t		mpo_posixsem_check_post;
	mpo_posixsem_check_unlink_t		mpo_posixsem_check_unlink;
	mpo_posixsem_check_wait_t		mpo_posixsem_check_wait;
	mpo_posixsem_create_t			mpo_posixsem_create;
	mpo_posixsem_destroy_label_t		mpo_posixsem_destroy_label;
	mpo_posixsem_init_label_t		mpo_posixsem_init_label;

	/* POSIX shared memory objects. */
	mpo_posixshm_check_mmap_t		mpo_posixshm_check_mmap;
	mpo_posixshm_check_open_t		mpo_posixshm_check_open;
	mpo_posixshm_check_stat_t		mpo_posixshm_check_stat;
	mpo_posixshm_check_truncate_t		mpo_posixshm_check_truncate;
	mpo_posixshm_check_unlink_t		mpo_posixshm_check_unlink;
	mpo_posixshm_create_t			mpo_posixshm_create;
	mpo_posixshm_destroy_label_t		mpo_posixshm_destroy_label;
	mpo_posixshm_init_label_t		mpo_posixshm_init_label;

	/*
	 * Fine-grained privilege (priv(9)) hooks.  From the names, priv_check
	 * lets a policy veto a privilege and priv_grant lets it confer one
	 * the base system would otherwise refuse; the latter widens the TCB
	 * and deserves the most scrutiny of any entry in this table.
	 * Confirm the exact semantics in the framework's priv handling.
	 */
	mpo_priv_check_t			mpo_priv_check;
	mpo_priv_grant_t			mpo_priv_grant;

	/*
	 * Processes: debugger attachment, scheduling, audit state, identity
	 * changes (the set*uid/set*gid/setgroups family), signals, wait, and
	 * the labels of the two kernel-created processes (swapper and init).
	 */
	mpo_proc_associate_nfsd_t		mpo_proc_associate_nfsd;
	mpo_proc_check_debug_t			mpo_proc_check_debug;
	mpo_proc_check_sched_t			mpo_proc_check_sched;
	mpo_proc_check_setaudit_t		mpo_proc_check_setaudit;
	mpo_proc_check_setaudit_addr_t		mpo_proc_check_setaudit_addr;
	mpo_proc_check_setauid_t		mpo_proc_check_setauid;
	mpo_proc_check_setuid_t			mpo_proc_check_setuid;
	mpo_proc_check_seteuid_t		mpo_proc_check_seteuid;
	mpo_proc_check_setgid_t			mpo_proc_check_setgid;
	mpo_proc_check_setegid_t		mpo_proc_check_setegid;
	mpo_proc_check_setgroups_t		mpo_proc_check_setgroups;
	mpo_proc_check_setreuid_t		mpo_proc_check_setreuid;
	mpo_proc_check_setregid_t		mpo_proc_check_setregid;
	mpo_proc_check_setresuid_t		mpo_proc_check_setresuid;
	mpo_proc_check_setresgid_t		mpo_proc_check_setresgid;
	mpo_proc_check_signal_t			mpo_proc_check_signal;
	mpo_proc_check_wait_t			mpo_proc_check_wait;
	mpo_proc_create_swapper_t		mpo_proc_create_swapper;
	mpo_proc_create_init_t			mpo_proc_create_init;
	mpo_proc_destroy_label_t		mpo_proc_destroy_label;
	mpo_proc_init_label_t			mpo_proc_init_label;

	/* Sockets. */
	mpo_socket_check_accept_t		mpo_socket_check_accept;
	mpo_socket_check_bind_t			mpo_socket_check_bind;
	mpo_socket_check_connect_t		mpo_socket_check_connect;
	mpo_socket_check_create_t		mpo_socket_check_create;
	mpo_socket_check_deliver_t		mpo_socket_check_deliver;
	mpo_socket_check_listen_t		mpo_socket_check_listen;
	mpo_socket_check_poll_t			mpo_socket_check_poll;
	mpo_socket_check_receive_t		mpo_socket_check_receive;
	mpo_socket_check_relabel_t		mpo_socket_check_relabel;
	mpo_socket_check_send_t			mpo_socket_check_send;
	mpo_socket_check_stat_t			mpo_socket_check_stat;
	mpo_socket_check_visible_t		mpo_socket_check_visible;
	mpo_socket_copy_label_t			mpo_socket_copy_label;
	mpo_socket_create_t			mpo_socket_create;
	mpo_socket_create_mbuf_t		mpo_socket_create_mbuf;
	mpo_socket_destroy_label_t		mpo_socket_destroy_label;
	mpo_socket_externalize_label_t		mpo_socket_externalize_label;
	mpo_socket_init_label_t			mpo_socket_init_label;
	mpo_socket_internalize_label_t		mpo_socket_internalize_label;
	mpo_socket_newconn_t			mpo_socket_newconn;
	mpo_socket_relabel_t			mpo_socket_relabel;

	/* The peer label cached on a socket (set from an mbuf or the peer
	 * socket); no internalize entry, so it is never set from userland. */
	mpo_socketpeer_destroy_label_t		mpo_socketpeer_destroy_label;
	mpo_socketpeer_externalize_label_t	mpo_socketpeer_externalize_label;
	mpo_socketpeer_init_label_t		mpo_socketpeer_init_label;
	mpo_socketpeer_set_from_mbuf_t		mpo_socketpeer_set_from_mbuf;
	mpo_socketpeer_set_from_socket_t	mpo_socketpeer_set_from_socket;

	/* TCP SYN cache entries (note: not in alphabetical order). */
	mpo_syncache_init_label_t		mpo_syncache_init_label;
	mpo_syncache_destroy_label_t		mpo_syncache_destroy_label;
	mpo_syncache_create_t			mpo_syncache_create;
	mpo_syncache_create_mbuf_t		mpo_syncache_create_mbuf;

	/* System-wide operations: accounting, audit, reboot, swap, sysctl. */
	mpo_system_check_acct_t			mpo_system_check_acct;
	mpo_system_check_audit_t		mpo_system_check_audit;
	mpo_system_check_auditctl_t		mpo_system_check_auditctl;
	mpo_system_check_auditon_t		mpo_system_check_auditon;
	mpo_system_check_reboot_t		mpo_system_check_reboot;
	mpo_system_check_swapon_t		mpo_system_check_swapon;
	mpo_system_check_swapoff_t		mpo_system_check_swapoff;
	mpo_system_check_sysctl_t		mpo_system_check_sysctl;

	/*
	 * System V IPC.  Each object type has a *_cleanup entry in addition
	 * to the usual label lifecycle; presumably it resets the label when
	 * the kernel recycles the IPC slot -- confirm in the sysv code.
	 */
	mpo_sysvmsg_cleanup_t			mpo_sysvmsg_cleanup;
	mpo_sysvmsg_create_t			mpo_sysvmsg_create;
	mpo_sysvmsg_destroy_label_t		mpo_sysvmsg_destroy_label;
	mpo_sysvmsg_init_label_t		mpo_sysvmsg_init_label;

	mpo_sysvmsq_check_msgmsq_t		mpo_sysvmsq_check_msgmsq;
	mpo_sysvmsq_check_msgrcv_t		mpo_sysvmsq_check_msgrcv;
	mpo_sysvmsq_check_msgrmid_t		mpo_sysvmsq_check_msgrmid;
	mpo_sysvmsq_check_msqctl_t		mpo_sysvmsq_check_msqctl;
	mpo_sysvmsq_check_msqget_t		mpo_sysvmsq_check_msqget;
	mpo_sysvmsq_check_msqrcv_t		mpo_sysvmsq_check_msqrcv;
	mpo_sysvmsq_check_msqsnd_t		mpo_sysvmsq_check_msqsnd;
	mpo_sysvmsq_cleanup_t			mpo_sysvmsq_cleanup;
	mpo_sysvmsq_create_t			mpo_sysvmsq_create;
	mpo_sysvmsq_destroy_label_t		mpo_sysvmsq_destroy_label;
	mpo_sysvmsq_init_label_t		mpo_sysvmsq_init_label;

	mpo_sysvsem_check_semctl_t		mpo_sysvsem_check_semctl;
	mpo_sysvsem_check_semget_t		mpo_sysvsem_check_semget;
	mpo_sysvsem_check_semop_t		mpo_sysvsem_check_semop;
	mpo_sysvsem_cleanup_t			mpo_sysvsem_cleanup;
	mpo_sysvsem_create_t			mpo_sysvsem_create;
	mpo_sysvsem_destroy_label_t		mpo_sysvsem_destroy_label;
	mpo_sysvsem_init_label_t		mpo_sysvsem_init_label;

	mpo_sysvshm_check_shmat_t		mpo_sysvshm_check_shmat;
	mpo_sysvshm_check_shmctl_t		mpo_sysvshm_check_shmctl;
	mpo_sysvshm_check_shmdt_t		mpo_sysvshm_check_shmdt;
	mpo_sysvshm_check_shmget_t		mpo_sysvshm_check_shmget;
	mpo_sysvshm_cleanup_t			mpo_sysvshm_cleanup;
	mpo_sysvshm_create_t			mpo_sysvshm_create;
	mpo_sysvshm_destroy_label_t		mpo_sysvshm_destroy_label;
	mpo_sysvshm_init_label_t		mpo_sysvshm_init_label;

	/* Per-thread hook, presumably run on return to user mode. */
	mpo_thread_userret_t			mpo_thread_userret;

	/*
	 * Vnodes: the full set of file-system access checks, followed by
	 * label association (from extended attributes or a single
	 * per-mount label), label lifecycle, and the execve transition
	 * hooks.  The tail of this group is not in alphabetical order.
	 */
	mpo_vnode_check_access_t		mpo_vnode_check_access;
	mpo_vnode_check_chdir_t			mpo_vnode_check_chdir;
	mpo_vnode_check_chroot_t		mpo_vnode_check_chroot;
	mpo_vnode_check_create_t		mpo_vnode_check_create;
	mpo_vnode_check_deleteacl_t		mpo_vnode_check_deleteacl;
	mpo_vnode_check_deleteextattr_t		mpo_vnode_check_deleteextattr;
	mpo_vnode_check_exec_t			mpo_vnode_check_exec;
	mpo_vnode_check_getacl_t		mpo_vnode_check_getacl;
	mpo_vnode_check_getextattr_t		mpo_vnode_check_getextattr;
	mpo_vnode_check_link_t			mpo_vnode_check_link;
	mpo_vnode_check_listextattr_t		mpo_vnode_check_listextattr;
	mpo_vnode_check_lookup_t		mpo_vnode_check_lookup;
	mpo_vnode_check_mmap_t			mpo_vnode_check_mmap;
	mpo_vnode_check_mmap_downgrade_t	mpo_vnode_check_mmap_downgrade;
	mpo_vnode_check_mprotect_t		mpo_vnode_check_mprotect;
	mpo_vnode_check_open_t			mpo_vnode_check_open;
	mpo_vnode_check_poll_t			mpo_vnode_check_poll;
	mpo_vnode_check_read_t			mpo_vnode_check_read;
	mpo_vnode_check_readdir_t		mpo_vnode_check_readdir;
	mpo_vnode_check_readlink_t		mpo_vnode_check_readlink;
	mpo_vnode_check_relabel_t		mpo_vnode_check_relabel;
	mpo_vnode_check_rename_from_t		mpo_vnode_check_rename_from;
	mpo_vnode_check_rename_to_t		mpo_vnode_check_rename_to;
	mpo_vnode_check_revoke_t		mpo_vnode_check_revoke;
	mpo_vnode_check_setacl_t		mpo_vnode_check_setacl;
	mpo_vnode_check_setextattr_t		mpo_vnode_check_setextattr;
	mpo_vnode_check_setflags_t		mpo_vnode_check_setflags;
	mpo_vnode_check_setmode_t		mpo_vnode_check_setmode;
	mpo_vnode_check_setowner_t		mpo_vnode_check_setowner;
	mpo_vnode_check_setutimes_t		mpo_vnode_check_setutimes;
	mpo_vnode_check_stat_t			mpo_vnode_check_stat;
	mpo_vnode_check_unlink_t		mpo_vnode_check_unlink;
	mpo_vnode_check_write_t			mpo_vnode_check_write;
	mpo_vnode_associate_extattr_t		mpo_vnode_associate_extattr;
	mpo_vnode_associate_singlelabel_t	mpo_vnode_associate_singlelabel;
	mpo_vnode_destroy_label_t		mpo_vnode_destroy_label;
	mpo_vnode_copy_label_t			mpo_vnode_copy_label;
	mpo_vnode_create_extattr_t		mpo_vnode_create_extattr;
	mpo_vnode_execve_transition_t		mpo_vnode_execve_transition;
	mpo_vnode_execve_will_transition_t	mpo_vnode_execve_will_transition;
	mpo_vnode_externalize_label_t		mpo_vnode_externalize_label;
	mpo_vnode_init_label_t			mpo_vnode_init_label;
	mpo_vnode_internalize_label_t		mpo_vnode_internalize_label;
	mpo_vnode_relabel_t			mpo_vnode_relabel;
	mpo_vnode_setlabel_extattr_t		mpo_vnode_setlabel_extattr;
};
909
910/*
911 * struct mac_policy_conf is the registration structure for policies, and is
912 * provided to the MAC Framework using MAC_POLICY_SET() to invoke a SYSINIT
913 * to register the policy.  In general, the fields are immutable, with the
914 * exception of the "security field", run-time flags, and policy list entry,
915 * which are managed by the MAC Framework.  Be careful when modifying this
916 * structure, as its layout is statically compiled into all policies.
917 */
struct mac_policy_conf {
	/*
	 * Short policy name.  MAC_POLICY_SET() fills this with the stringified
	 * module identifier and also uses that identifier as the kernel
	 * module name.
	 */
	char				*mpc_name;	/* policy name */
	/* Human-readable description of the policy. */
	char				*mpc_fullname;	/* policy full name */
	/* Entry-point table; see struct mac_policy_ops. */
	struct mac_policy_ops		*mpc_ops;	/* policy operations */
	/* MPC_LOADTIME_FLAG_* bits chosen by the policy at build time. */
	int				 mpc_loadtime_flags;	/* flags */
	/*
	 * "Security field": receives the privdata_wanted argument of
	 * MAC_POLICY_SET() and is thereafter managed by the framework,
	 * presumably to hand the policy its label slot for mac_label_get()
	 * and mac_label_set() -- confirm in the registration code.
	 */
	int				*mpc_field_off; /* security field */
	/* MPC_RUNTIME_FLAG_* bits; owned by the framework, zero at build time. */
	int				 mpc_runtime_flags; /* flags */
	/* Linkage on the framework's global policy list; owned by the framework. */
	LIST_ENTRY(mac_policy_conf)	 mpc_list;	/* global list */
};
927
/*
 * Flags for the mpc_loadtime_flags field.  A policy passes these as the
 * mpflags argument of MAC_POLICY_SET(); the framework reads them but does
 * not change them.  The meanings below follow from the names -- confirm
 * against the framework's registration and unload paths.
 */
/* NOTE(review): presumably the policy may only be loaded early in boot. */
#define	MPC_LOADTIME_FLAG_NOTLATE	0x00000001
/*
 * NOTE(review): presumably the policy consents to being unloaded at run
 * time.  Leaving it clear is the conservative choice: a policy whose labels
 * or state other subsystems still reference must not disappear underneath
 * them.
 */
#define	MPC_LOADTIME_FLAG_UNLOADOK	0x00000002
/* NOTE(review): presumably requests that mbufs carry labels (extra cost
 * on every packet, so only set it if the policy labels network traffic). */
#define	MPC_LOADTIME_FLAG_LABELMBUFS	0x00000004

/*
 * Flags for the mpc_runtime_flags field.  Maintained by the MAC Framework,
 * never by the policy.
 */
#define	MPC_RUNTIME_FLAG_REGISTERED	0x00000001

/*-
 * The TrustedBSD MAC Framework has a major version number, MAC_VERSION,
 * which defines the ABI of the Framework present in the kernel (and depended
 * on by policy modules compiled against that kernel).  Currently,
 * MAC_POLICY_SET() requires that the kernel and module ABI version numbers
 * exactly match: its MODULE_DEPEND() passes MAC_VERSION as the minimum,
 * preferred and maximum version, so a policy built against a different
 * major version is refused at load time instead of being called through a
 * mismatched struct mac_policy_ops.  Bump this whenever the layout of
 * struct mac_policy_ops or struct mac_policy_conf changes.  The following
 * major versions have been defined to date:
 *
 *   MAC version             FreeBSD versions
 *   1                       5.x
 *   2                       6.x
 *   3                       7.x
 *   4                       8.x
 */
#define	MAC_VERSION	4
950
/*
 * MAC_POLICY_SET() declares a policy module.  It expands to:
 *
 *   - a static struct mac_policy_conf, initialised POSITIONALLY as
 *       mpc_name           = #mpname (the stringified identifier),
 *       mpc_fullname       = mpfullname,
 *       mpc_ops            = mpops,
 *       mpc_loadtime_flags = mpflags,
 *       mpc_field_off      = privdata_wanted,
 *       mpc_runtime_flags  = 0,
 *     with mpc_list left implicitly zero-initialised;
 *   - a moduledata_t named after mpname whose event handler is
 *     mac_policy_modevent() and whose private data is that conf;
 *   - MODULE_DEPEND() on kernel_mac_support with minimum = preferred =
 *     maximum = MAC_VERSION, so a module built against another major
 *     version fails to load rather than calling through a stale ops table;
 *   - DECLARE_MODULE() at SI_SUB_MAC_POLICY / SI_ORDER_MIDDLE.
 *
 * Because the initialiser is positional, any change to the order or number
 * of fields in struct mac_policy_conf must be mirrored here (and MAC_VERSION
 * bumped), otherwise arguments silently land in the wrong members.
 */
#define	MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
	static struct mac_policy_conf mpname##_mac_policy_conf = {	\
		#mpname,						\
		mpfullname,						\
		mpops,							\
		mpflags,						\
		privdata_wanted,					\
		0,							\
	};								\
	static moduledata_t mpname##_mod = {				\
		#mpname,						\
		mac_policy_modevent,					\
		&mpname##_mac_policy_conf				\
	};								\
	MODULE_DEPEND(mpname, kernel_mac_support, MAC_VERSION,		\
	    MAC_VERSION, MAC_VERSION);					\
	DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY,		\
	    SI_ORDER_MIDDLE)
969
/*
 * Module event handler that MAC_POLICY_SET() installs for every policy.
 * 'data' is the policy's struct mac_policy_conf.  Presumably it performs
 * registration/unregistration with the framework on load/unload events and
 * returns 0 or an errno value, per the usual moduledata_t contract --
 * confirm against the implementation.
 */
int	mac_policy_modevent(module_t mod, int type, void *data);

/*
 * Policy interface to map a struct label pointer to per-policy data.
 * 'slot' identifies the policy's entry within the label -- presumably the
 * value the framework assigned through mpc_field_off at registration, so a
 * policy must only ever pass its own slot.  Typically, policies wrap this
 * in their own accessor macro that casts the returned intptr_t (the comment
 * elsewhere says uintptr_t; the declarations below use intptr_t) to a
 * policy-specific data type.  Whether a NULL label is tolerated is not
 * visible here; callers should confirm the object actually carries a label
 * before calling.
 */
intptr_t	mac_label_get(struct label *l, int slot);
void		mac_label_set(struct label *l, int slot, intptr_t v);
979
980#endif /* !_SECURITY_MAC_MAC_POLICY_H_ */
981