mac_framework.h revision 224914
/*-
 * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
 * Copyright (c) 2005-2006 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
 * This software was enhanced by SPARTA ISSO under SPAWAR contract
 * N66001-04-C-6019 ("SEFOS").
 *
 * This software was developed at the University of Cambridge Computer
 * Laboratory with support from a grant from Google, Inc.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD: head/sys/security/mac/mac_framework.h 224914 2011-08-16 20:07:47Z kib $
 */

/*
 * Kernel interface for Mandatory Access Control -- how kernel services
 * interact with the TrustedBSD MAC Framework.
 */

#ifndef _SECURITY_MAC_MAC_FRAMEWORK_H_
#define _SECURITY_MAC_MAC_FRAMEWORK_H_

/*
 * Kernel-only header: a compilation unit that does not define _KERNEL stops
 * at the #error below instead of seeing these prototypes.
 */
#ifndef _KERNEL
#error "no user-serviceable parts inside"
#endif

/*
 * Forward declarations so the prototypes below can name these types without
 * pulling in the headers that define them.
 */
struct auditinfo;
struct auditinfo_addr;
struct bpf_d;
struct cdev;
struct componentname;
struct devfs_dirent;
struct ifnet;
struct ifreq;
struct image_params;
struct inpcb;
struct ip6q;
struct ipq;
struct ksem;
struct label;
struct m_tag;
struct mac;
struct mbuf;
struct mount;
struct msg;
struct msqid_kernel;
struct proc;
struct semid_kernel;
struct shmfd;
struct shmid_kernel;
struct sockaddr;
struct socket;
struct sysctl_oid;
struct sysctl_req;
struct pipepair;
struct thread;
struct timespec;
struct ucred;
struct vattr;
struct vnode;
struct vop_setlabel_args;

#include <sys/acl.h>	/* XXX acl_type_t */
#include <sys/types.h>	/* accmode_t */

/*
 * Entry points to the TrustedBSD MAC Framework from the remainder of the
 * kernel: entry points are named based on a principal object type and an
 * action relating to it.  They are sorted alphabetically first by object
 * type and then action.  In some situations, the principal object type is
 * obvious, and in other cases, less so as multiple objects may be involved
 * in the operation.
 */

/*
 * Conventions visible in the prototypes below:
 *  - every mac_<object>_check_<action>() entry point returns int, so the
 *    caller receives a result it has to act on.
 *  - the *_init() variants that take a trailing int, and
 *    mac_syncache_init(), return int and can therefore report failure; the
 *    other *_init() entry points are void.
 *
 * NOTE(review): presumably a check returns 0 to allow and an errno value to
 * deny, and the trailing int of the init variants is a malloc(9) wait flag;
 * neither is stated in this header -- confirm against the implementation.
 * A call site that discards the int result of a check would skip the policy
 * decision entirely, so audit callers for ignored return values.
 */

/* BPF descriptor (struct bpf_d) entry points. */
int mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp);
void mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d);
void mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m);
void mac_bpfdesc_destroy(struct bpf_d *);
void mac_bpfdesc_init(struct bpf_d *);

/* Credential (struct ucred) entry points, including the set*id() checks. */
void mac_cred_associate_nfsd(struct ucred *cred);
int mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai);
int mac_cred_check_setaudit_addr(struct ucred *cred,
    struct auditinfo_addr *aia);
int mac_cred_check_setauid(struct ucred *cred, uid_t auid);
int mac_cred_check_setegid(struct ucred *cred, gid_t egid);
int mac_cred_check_seteuid(struct ucred *cred, uid_t euid);
int mac_cred_check_setgid(struct ucred *cred, gid_t gid);
int mac_cred_check_setgroups(struct ucred *cred, int ngroups,
    gid_t *gidset);
int mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid);
int mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
    gid_t sgid);
int mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
    uid_t suid);
int mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid);
int mac_cred_check_setuid(struct ucred *cred, uid_t uid);
int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
void mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
void mac_cred_create_init(struct ucred *cred);
void mac_cred_create_swapper(struct ucred *cred);
void mac_cred_destroy(struct ucred *);
void mac_cred_init(struct ucred *);

/* devfs directory entry (struct devfs_dirent) entry points. */
void mac_devfs_create_device(struct ucred *cred, struct mount *mp,
    struct cdev *dev, struct devfs_dirent *de);
void mac_devfs_create_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *de);
void mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct devfs_dirent *de);
void mac_devfs_destroy(struct devfs_dirent *);
void mac_devfs_init(struct devfs_dirent *);
void mac_devfs_update(struct mount *mp, struct devfs_dirent *de,
    struct vnode *vp);
void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
    struct vnode *vp);

/* Network interface (struct ifnet) entry points. */
int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m);
void mac_ifnet_create(struct ifnet *ifp);
void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m);
void mac_ifnet_destroy(struct ifnet *);
void mac_ifnet_init(struct ifnet *);
int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
    struct ifnet *ifp);
int mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr,
    struct ifnet *ifp);

/* Internet protocol control block (struct inpcb) entry points. */
int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m);
int mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp);
void mac_inpcb_create(struct socket *so, struct inpcb *inp);
void mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m);
void mac_inpcb_destroy(struct inpcb *);
int mac_inpcb_init(struct inpcb *, int);
void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);

/* IPv6 reassembly queue (struct ip6q) entry points. */
void mac_ip6q_create(struct mbuf *m, struct ip6q *q6);
void mac_ip6q_destroy(struct ip6q *q6);
int mac_ip6q_init(struct ip6q *q6, int);
int mac_ip6q_match(struct mbuf *m, struct ip6q *q6);
void mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m);
void mac_ip6q_update(struct mbuf *m, struct ip6q *q6);

/* IPv4 reassembly queue (struct ipq) entry points. */
void mac_ipq_create(struct mbuf *m, struct ipq *q);
void mac_ipq_destroy(struct ipq *q);
int mac_ipq_init(struct ipq *q, int);
int mac_ipq_match(struct mbuf *m, struct ipq *q);
void mac_ipq_reassemble(struct ipq *q, struct mbuf *m);
void mac_ipq_update(struct mbuf *m, struct ipq *q);

/* Kernel environment checks, keyed by variable name (and value on set). */
int mac_kenv_check_dump(struct ucred *cred);
int mac_kenv_check_get(struct ucred *cred, char *name);
int mac_kenv_check_set(struct ucred *cred, char *name, char *value);
int mac_kenv_check_unset(struct ucred *cred, char *name);

/* Kernel module checks; the load check is given the module's vnode. */
int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
int mac_kld_check_stat(struct ucred *cred);

/* mbuf and mbuf tag (struct m_tag) entry points. */
void mac_mbuf_copy(struct mbuf *, struct mbuf *);
int mac_mbuf_init(struct mbuf *, int);

void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *);
void mac_mbuf_tag_destroy(struct m_tag *);
int mac_mbuf_tag_init(struct m_tag *, int);

/* Mount point (struct mount) entry points. */
int mac_mount_check_stat(struct ucred *cred, struct mount *mp);
void mac_mount_create(struct ucred *cred, struct mount *mp);
void mac_mount_destroy(struct mount *);
void mac_mount_init(struct mount *);

/*
 * Protocol-specific entry points for packets the network stack sends or
 * derives itself; all are void and take the mbuf(s) involved.
 */
void mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m);

void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m);
void mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend);
void mac_netinet_firewall_send(struct mbuf *m);
void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
void mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend);
void mac_netinet_icmp_replyinplace(struct mbuf *m);
void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m);
void mac_netinet_tcp_reply(struct mbuf *m);

void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m);

/* Pipe (struct pipepair) entry points. */
int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
    unsigned long cmd, void *data);
int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
int mac_pipe_check_read(struct ucred *cred, struct pipepair *pp);
int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp);
int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp);
void mac_pipe_create(struct ucred *cred, struct pipepair *pp);
void mac_pipe_destroy(struct pipepair *);
void mac_pipe_init(struct pipepair *);
int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
    struct label *label);

/*
 * POSIX semaphore (struct ksem) entry points.
 *
 * Several checks here and further down take two credentials, active_cred
 * and file_cred.  NOTE(review): presumably active_cred is the caller's
 * current credential and file_cred the one saved when the object was
 * opened -- confirm against the callers; swapping the two would evaluate
 * policy against the wrong subject.
 */
int mac_posixsem_check_getvalue(struct ucred *active_cred,
    struct ucred *file_cred, struct ksem *ks);
int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks);
int mac_posixsem_check_post(struct ucred *active_cred,
    struct ucred *file_cred, struct ksem *ks);
int mac_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
    mode_t mode);
int mac_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
    uid_t uid, gid_t gid);
int mac_posixsem_check_stat(struct ucred *active_cred,
    struct ucred *file_cred, struct ksem *ks);
int mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks);
int mac_posixsem_check_wait(struct ucred *active_cred,
    struct ucred *file_cred, struct ksem *ks);
void mac_posixsem_create(struct ucred *cred, struct ksem *ks);
void mac_posixsem_destroy(struct ksem *);
void mac_posixsem_init(struct ksem *);

/* POSIX shared memory (struct shmfd) entry points. */
int mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
    int prot, int flags);
int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd);
int mac_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
    mode_t mode);
int mac_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
    uid_t uid, gid_t gid);
int mac_posixshm_check_stat(struct ucred *active_cred,
    struct ucred *file_cred, struct shmfd *shmfd);
int mac_posixshm_check_truncate(struct ucred *active_cred,
    struct ucred *file_cred, struct shmfd *shmfd);
int mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd);
void mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd);
void mac_posixshm_destroy(struct shmfd *);
void mac_posixshm_init(struct shmfd *);

/*
 * Privilege entry points: both take a credential and a privilege number and
 * return int.
 *
 * NOTE(review): the names suggest opposite roles (check = a policy may veto
 * a privilege, grant = a policy may confer one).  The meaning of the return
 * value of mac_priv_grant() is not visible in this header -- confirm it in
 * the implementation before using the result in a privilege decision.
 */
int mac_priv_check(struct ucred *cred, int priv);
int mac_priv_grant(struct ucred *cred, int priv);

/* Process (struct proc) entry points and the execve() hooks. */
int mac_proc_check_debug(struct ucred *cred, struct proc *p);
int mac_proc_check_sched(struct ucred *cred, struct proc *p);
int mac_proc_check_signal(struct ucred *cred, struct proc *p,
    int signum);
int mac_proc_check_wait(struct ucred *cred, struct proc *p);
void mac_proc_destroy(struct proc *);
void mac_proc_init(struct proc *);
void mac_proc_vm_revoke(struct thread *td);
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
void mac_execve_interpreter_enter(struct vnode *interpvp,
    struct label **interplabel);
void mac_execve_interpreter_exit(struct label *interpvplabel);

/* Socket (struct socket) entry points and the label socket options. */
int mac_socket_check_accept(struct ucred *cred, struct socket *so);
int mac_socket_check_bind(struct ucred *cred, struct socket *so,
    struct sockaddr *sa);
int mac_socket_check_connect(struct ucred *cred, struct socket *so,
    struct sockaddr *sa);
int mac_socket_check_create(struct ucred *cred, int domain, int type,
    int proto);
int mac_socket_check_deliver(struct socket *so, struct mbuf *m);
int mac_socket_check_listen(struct ucred *cred, struct socket *so);
int mac_socket_check_poll(struct ucred *cred, struct socket *so);
int mac_socket_check_receive(struct ucred *cred, struct socket *so);
int mac_socket_check_send(struct ucred *cred, struct socket *so);
int mac_socket_check_stat(struct ucred *cred, struct socket *so);
int mac_socket_check_visible(struct ucred *cred, struct socket *so);
void mac_socket_create_mbuf(struct socket *so, struct mbuf *m);
void mac_socket_create(struct ucred *cred, struct socket *so);
void mac_socket_destroy(struct socket *);
int mac_socket_init(struct socket *, int);
void mac_socket_newconn(struct socket *oldso, struct socket *newso);
int mac_getsockopt_label(struct ucred *cred, struct socket *so,
    struct mac *extmac);
int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
    struct mac *extmac);
int mac_setsockopt_label(struct ucred *cred, struct socket *so,
    struct mac *extmac);

/* Socket peer label entry points. */
void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);
void mac_socketpeer_set_from_socket(struct socket *oldso,
    struct socket *newso);

/*
 * Syncache entry points; unlike the other object types these operate on a
 * struct label directly (init and destroy take a struct label **).
 */
void mac_syncache_create(struct label *l, struct inpcb *inp);
void mac_syncache_create_mbuf(struct label *l, struct mbuf *m);
void mac_syncache_destroy(struct label **l);
int mac_syncache_init(struct label **l);

/* System-wide operation checks (accounting, audit, reboot, swap, sysctl). */
int mac_system_check_acct(struct ucred *cred, struct vnode *vp);
int mac_system_check_audit(struct ucred *cred, void *record, int length);
int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp);
int mac_system_check_auditon(struct ucred *cred, int cmd);
int mac_system_check_reboot(struct ucred *cred, int howto);
int mac_system_check_swapon(struct ucred *cred, struct vnode *vp);
int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp);
int mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
    void *arg1, int arg2, struct sysctl_req *req);

/* System V message (struct msg) entry points. */
void mac_sysvmsg_cleanup(struct msg *msgptr);
void mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct msg *msgptr);
void mac_sysvmsg_destroy(struct msg *);
void mac_sysvmsg_init(struct msg *);

/* System V message queue (struct msqid_kernel) entry points. */
int mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
    struct msqid_kernel *msqkptr);
int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr);
int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr);
int mac_sysvmsq_check_msqctl(struct ucred *cred,
    struct msqid_kernel *msqkptr, int cmd);
int mac_sysvmsq_check_msqget(struct ucred *cred,
    struct msqid_kernel *msqkptr);
int mac_sysvmsq_check_msqrcv(struct ucred *cred,
    struct msqid_kernel *msqkptr);
int mac_sysvmsq_check_msqsnd(struct ucred *cred,
    struct msqid_kernel *msqkptr);
void mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr);
void mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr);
void mac_sysvmsq_destroy(struct msqid_kernel *);
void mac_sysvmsq_init(struct msqid_kernel *);

/* System V semaphore (struct semid_kernel) entry points. */
int mac_sysvsem_check_semctl(struct ucred *cred,
    struct semid_kernel *semakptr, int cmd);
int mac_sysvsem_check_semget(struct ucred *cred,
    struct semid_kernel *semakptr);
int mac_sysvsem_check_semop(struct ucred *cred,
    struct semid_kernel *semakptr, size_t accesstype);
void mac_sysvsem_cleanup(struct semid_kernel *semakptr);
void mac_sysvsem_create(struct ucred *cred,
    struct semid_kernel *semakptr);
void mac_sysvsem_destroy(struct semid_kernel *);
void mac_sysvsem_init(struct semid_kernel *);

/* System V shared memory (struct shmid_kernel) entry points. */
int mac_sysvshm_check_shmat(struct ucred *cred,
    struct shmid_kernel *shmsegptr, int shmflg);
int mac_sysvshm_check_shmctl(struct ucred *cred,
    struct shmid_kernel *shmsegptr, int cmd);
int mac_sysvshm_check_shmdt(struct ucred *cred,
    struct shmid_kernel *shmsegptr);
int mac_sysvshm_check_shmget(struct ucred *cred,
    struct shmid_kernel *shmsegptr, int shmflg);
void mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr);
void mac_sysvshm_create(struct ucred *cred,
    struct shmid_kernel *shmsegptr);
void mac_sysvshm_destroy(struct shmid_kernel *);
void mac_sysvshm_init(struct shmid_kernel *);

/* Thread entry point. */
void mac_thread_userret(struct thread *td);

/*
 * Vnode (struct vnode) entry points.  The directory-relative checks take
 * the directory vnode as dvp and, where one exists, the target vnode as vp.
 */
int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);
void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);
int mac_vnode_check_access(struct ucred *cred, struct vnode *vp,
    accmode_t accmode);
int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);
int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);
int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
    struct componentname *cnp, struct vattr *vap);
int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
    acl_type_t type);
int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
    int attrnamespace, const char *name);
int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
    struct image_params *imgp);
int mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
    acl_type_t type);
int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
    int attrnamespace, const char *name);
int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
    struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
    int attrnamespace);
int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
    struct componentname *cnp);
int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
    int flags);
int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
    int prot);
int mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
    accmode_t accmode);
int mac_vnode_check_poll(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp);
int mac_vnode_check_read(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp);
int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp);
int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp);
int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
    struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
    struct vnode *vp, int samedir, struct componentname *cnp);
int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp);
int mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
    acl_type_t type, struct acl *acl);
int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
    int attrnamespace, const char *name);
int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
    u_long flags);
int mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
    mode_t mode);
int mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
    uid_t uid, gid_t gid);
int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
    struct timespec atime, struct timespec mtime);
int mac_vnode_check_stat(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp);
int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
    struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp);
void mac_vnode_copy_label(struct label *, struct label *);
void mac_vnode_init(struct vnode *);
int mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
    struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
void mac_vnode_destroy(struct vnode *);
void mac_vnode_execve_transition(struct ucred *oldcred,
    struct ucred *newcred, struct vnode *vp,
    struct label *interpvplabel, struct image_params *imgp);
int mac_vnode_execve_will_transition(struct ucred *cred,
    struct vnode *vp, struct label *interpvplabel,
    struct image_params *imgp);
void mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *newlabel);

/*
 * Calls to help various file systems implement labeling functionality using
 * their existing EA implementation.
 */
int vop_stdsetlabel_ea(struct vop_setlabel_args *ap);

#endif /* !_SECURITY_MAC_MAC_FRAMEWORK_H_ */