# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR The FreeBSD Project
# This file is distributed under the same license as the FreeBSD Documentation package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: FreeBSD Documentation VERSION\n"
"POT-Creation-Date: 2025-05-01 19:56-0300\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: Title =
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:1
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:19
#, no-wrap
msgid "The TrustedBSD MAC Framework"
msgstr ""

#. type: YAML Front Matter: title
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:1
#, no-wrap
msgid "Chapter 6. The TrustedBSD MAC Framework"
msgstr ""

#. type: Title ==
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:57
#, no-wrap
msgid "MAC Documentation Copyright"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:60
msgid ""
"This documentation was developed for the FreeBSD Project by Chris Costello "
"at Safeport Network Services and Network Associates Laboratories, the "
"Security Research Division of Network Associates, Inc. under DARPA/SPAWAR "
"contract N66001-01-C-8035 (\"CBOSS\"), as part of the DARPA CHATS research "
"program."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:62
msgid ""
"Redistribution and use in source (SGML DocBook) and 'compiled' forms (SGML, "
"HTML, PDF, PostScript, RTF and so forth) with or without modification, are "
"permitted provided that the following conditions are met:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:64
msgid ""
"Redistributions of source code (SGML DocBook) must retain the above "
"copyright notice, this list of conditions and the following disclaimer as "
"the first lines of this file unmodified."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:65
msgid ""
"Redistributions in compiled form (transformed to other DTDs, converted to "
"PDF, PostScript, RTF and other formats) must reproduce the above copyright "
"notice, this list of conditions and the following disclaimer in the "
"documentation and/or other materials provided with the distribution."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:70
msgid ""
"THIS DOCUMENTATION IS PROVIDED BY THE NETWORKS ASSOCIATES TECHNOLOGY, INC "
"\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED "
"TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR "
"PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NETWORKS ASSOCIATES TECHNOLOGY, "
"INC BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR "
"CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF "
"SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS "
"INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN "
"CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) "
"ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF "
"THE POSSIBILITY OF SUCH DAMAGE."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:73
#, no-wrap
msgid "Synopsis"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:78
msgid ""
"FreeBSD includes experimental support for several mandatory access control "
"policies, as well as a framework for kernel security extensibility, the "
"TrustedBSD MAC Framework. The MAC Framework is a pluggable access control "
"framework, permitting new security policies to be easily linked into the "
"kernel, loaded at boot, or loaded dynamically at run-time. The framework "
"provides a variety of features to make it easier to implement new security "
"policies, including the ability to easily tag security labels (such as "
"confidentiality information) onto system objects."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:80
msgid ""
"This chapter introduces the MAC policy framework and provides documentation "
"for a sample MAC policy module."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:82
#, no-wrap
msgid "Introduction"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:88
msgid ""
"The TrustedBSD MAC framework provides a mechanism to allow the compile-time "
"or run-time extension of the kernel access control model. New system "
"policies may be implemented as kernel modules and linked to the kernel; if "
"multiple policy modules are present, their results will be composed. The "
"MAC Framework provides a variety of access control infrastructure services "
"to assist policy writers, including support for transient and persistent "
"policy-agnostic object security labels. This support is currently "
"considered experimental."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:90
msgid ""
"This chapter provides information appropriate for developers of policy "
"modules, as well as potential consumers of MAC-enabled environments, to "
"learn about how the MAC Framework supports access control extension of the "
"kernel."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:92
#, no-wrap
msgid "Policy Background"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:99
msgid ""
"Mandatory Access Control (MAC) refers to a set of access control policies "
"that are mandatorily enforced on users by the operating system. MAC "
"policies may be contrasted with Discretionary Access Control (DAC) "
"protections, by which non-administrative users may (at their discretion) "
"protect objects. In traditional UNIX systems, DAC protections include file "
"permissions and access control lists; MAC protections include process "
"controls preventing inter-user debugging and firewalls. A variety of MAC "
"policies have been formulated by operating system designers and security "
"researchers, including the Multi-Level Security (MLS) confidentiality policy, "
"the Biba integrity policy, Role-Based Access Control (RBAC), Domain and Type "
"Enforcement (DTE), and Type Enforcement (TE). Each model bases decisions on "
"a variety of factors, including user identity, role, and security clearance, "
"as well as security labels on objects representing concepts such as data "
"sensitivity and integrity."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:102
msgid ""
"The TrustedBSD MAC Framework is capable of supporting policy modules that "
"implement all of these policies, as well as a broad class of system "
"hardening policies, which may use existing security attributes, such as user "
"and group IDs, as well as extended attributes on files, and other system "
"properties. In addition, despite the name, the MAC Framework can also be "
"used to implement purely discretionary policies, as policy modules are given "
"substantial flexibility in how they authorize protections."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:104
#, no-wrap
msgid "MAC Framework Kernel Architecture"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:108
msgid ""
"The TrustedBSD MAC Framework permits kernel modules to extend the operating "
"system security policy, as well as providing infrastructure functionality "
"required by many access control modules. If multiple policies are "
"simultaneously loaded, the MAC Framework will usefully (for some definition "
"of useful) compose the results of the policies."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:110
#, no-wrap
msgid "Kernel Elements"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:113
msgid "The MAC Framework contains a number of kernel elements:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:115
msgid "Framework management interfaces"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:116
msgid "Concurrency and synchronization primitives."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:117
msgid "Policy registration"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:118
msgid "Extensible security labels for kernel objects"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:119
msgid "Policy entry point composition operators"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:120
msgid "Label management primitives"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:121
msgid "Entry point API invoked by kernel services"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:122
msgid "Entry point API to policy modules"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:123
msgid ""
"Entry point implementations (policy life cycle, object life cycle/label "
"management, access control checks)."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:124
msgid "Policy-agnostic label-management system calls"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:125
msgid "`mac_syscall()` multiplex system call"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:126
msgid "Various security policies implemented as MAC policy modules"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:128
#, no-wrap
msgid "Framework Management Interfaces"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:131
msgid ""
"The TrustedBSD MAC Framework may be directly managed using sysctls, loader "
"tunables, and system calls."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:136
msgid ""
"In most cases, sysctls and loader tunables of the same name modify the same "
"parameters, and control behavior such as enforcement of protections relating "
"to various kernel subsystems. In addition, if MAC debugging support is "
"compiled into the kernel, several counters will be maintained tracking label "
"allocation. It is generally advisable that per-subsystem enforcement "
"controls not be used to control policy behavior in production environments, "
"as they broadly impact the operation of all active policies. Instead, per-"
"policy controls should be preferred, as they provide greater granularity and "
"greater operational consistency for policy modules."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:138
msgid ""
"Loading and unloading of policy modules is performed using the system module "
"management system calls and other system interfaces, including boot loader "
"variables; policy modules will have the opportunity to influence load and "
"unload events, including preventing undesired unloading of the policy."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:140
#, no-wrap
msgid "Policy List Concurrency and Synchronization"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:147
msgid ""
"As the set of active policies may change at run-time, and the invocation of "
"entry points is non-atomic, synchronization is required to prevent loading "
"or unloading of policies while an entry point invocation is in progress, "
"freezing the set of active policies for the duration. This is accomplished "
"by means of a framework busy count: whenever an entry point is entered, the "
"busy count is incremented; whenever it is exited, the busy count is "
"decremented. While the busy count is elevated, policy list changes are not "
"permitted, and threads attempting to modify the policy list will sleep until "
"the list is not busy. The busy count is protected by a mutex, and a "
"condition variable is used to wake up sleepers waiting on policy list "
"modifications. One side effect of this synchronization model is that "
"recursion into the MAC Framework from within a policy module is permitted, "
"although not generally used."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:150
msgid ""
"Various optimizations are used to reduce the overhead of the busy count, "
"including avoiding the full cost of incrementing and decrementing if the "
"list is empty or contains only static entries (policies that are loaded "
"before the system starts, and cannot be unloaded). A compile-time option is "
"also provided which prevents any change in the set of loaded policies at run-"
"time, which eliminates the mutex locking costs associated with supporting "
"dynamically loaded and unloaded policies as synchronization is no longer "
"required."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:152
msgid ""
"As the MAC Framework is not permitted to block in some entry points, a "
"normal sleep lock cannot be used; as a result, it is possible for the load "
"or unload attempt to block for a substantial period of time waiting for the "
"framework to become idle."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:154
#, no-wrap
msgid "Label Synchronization"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:161
msgid ""
"As kernel objects of interest may generally be accessed from more than one "
"thread at a time, and simultaneous entry of more than one thread into the "
"MAC Framework is permitted, security attribute storage maintained by the MAC "
"Framework is carefully synchronized. In general, existing kernel "
"synchronization on kernel object data is used to protect MAC Framework "
"security labels on the object: for example, MAC labels on sockets are "
"protected using the existing socket mutex. Likewise, semantics for "
"concurrent access are generally identical to those of the container objects: "
"for credentials, copy-on-write semantics are maintained for label contents "
"as with the remainder of the credential structure. The MAC Framework "
"asserts necessary locks on objects when invoked with an object reference. "
"Policy authors must be aware of these synchronization semantics, as they "
"will sometimes limit the types of accesses permitted on labels: for example, "
"when a read-only reference to a credential is passed to a policy via an "
"entry point, only read operations are permitted on the label state attached "
"to the credential."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:163
#, no-wrap
msgid "Policy Synchronization and Concurrency"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:169
msgid ""
"Policy modules must be written to assume that many kernel threads may "
"simultaneously enter one or more policy entry points due to the parallel and "
"preemptive nature of the FreeBSD kernel. If the policy module makes use of "
"mutable state, this may require the use of synchronization primitives within "
"the policy to prevent inconsistent views on that state resulting in "
"incorrect operation of the policy. Policies will generally be able to make "
"use of existing FreeBSD synchronization primitives for this purpose, "
"including mutexes, sleep locks, condition variables, and counting "
"semaphores. However, policies should be written to employ these primitives "
"carefully, respecting existing kernel lock orders, and recognizing that some "
"entry points are not permitted to sleep, limiting the use of primitives in "
"those entry points to mutexes and wakeup operations."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:172
msgid ""
"When policy modules call out to other kernel subsystems, they will generally "
"need to release any in-policy locks in order to avoid violating the kernel "
"lock order or risking lock recursion. This will maintain policy locks as "
"leaf locks in the global lock order, helping to avoid deadlock."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:174
#, no-wrap
msgid "Policy Registration"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:181
msgid ""
"The MAC Framework maintains two lists of active policies: a static list, and "
"a dynamic list. The lists differ only with regards to their locking "
"semantics: an elevated reference count is not required to make use of the "
"static list. When kernel modules containing MAC Framework policies are "
"loaded, the policy module will use `SYSINIT` to invoke a registration "
"function; when a policy module is unloaded, `SYSINIT` will likewise invoke a "
"de-registration function. Registration may fail if a policy module is "
"loaded more than once, if insufficient resources are available for the "
"registration (for example, the policy might require labeling and "
"insufficient labeling state might be available), or if other policy "
"prerequisites are not met (some policies may only be loaded prior to "
"boot). Likewise, de-registration may fail if a policy is flagged as not "
"unloadable."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:183
#, no-wrap
msgid "Entry Points"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:190
msgid ""
"Kernel services interact with the MAC Framework in two ways: they invoke a "
"series of APIs to notify the framework of relevant events, and they provide "
"a policy-agnostic label structure pointer in security-relevant objects. The "
"label pointer is maintained by the MAC Framework via label management entry "
"points, and permits the Framework to offer a labeling service to policy "
"modules through relatively non-invasive changes to the kernel subsystem "
"maintaining the object. For example, label pointers have been added to "
"processes, process credentials, sockets, pipes, vnodes, Mbufs, network "
"interfaces, IP reassembly queues, and a variety of other security-relevant "
"structures. Kernel services also invoke the MAC Framework when they perform "
"important security decisions, permitting policy modules to augment those "
"decisions based on their own criteria (possibly including data stored in "
"security labels). Most of these security critical decisions will be "
"explicit access control checks; however, some affect more general decision "
"functions such as packet matching for sockets and label transition at "
"program execution."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:192
#, no-wrap
msgid "Policy Composition"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:200
msgid ""
"When more than one policy module is loaded into the kernel at a time, the "
"results of the policy modules will be composed by the framework using a "
"composition operator. This operator is currently hard-coded, and requires "
"that all active policies must approve a request for it to return success. "
"As policies may return a variety of error conditions (success, access "
"denied, object does not exist, ...), a precedence operator selects the "
"resulting error from the set of errors returned by policies. In general, "
"errors indicating that an object does not exist will be preferred to errors "
"indicating that access to an object is denied. While it is not guaranteed "
"that the resulting composition will be useful or secure, we have found that "
"it is for many useful selections of policies. For example, traditional "
"trusted systems often ship with two or more policies using a similar "
"composition."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:202
#, no-wrap
msgid "Labeling Support"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:208
msgid ""
"As many interesting access control extensions rely on security labels on "
"objects, the MAC Framework provides a set of policy-agnostic label "
"management system calls covering a variety of user-exposed objects. Common "
"label types include partition identifiers, sensitivity labels, integrity "
"labels, compartments, domains, roles, and types. By policy agnostic, we "
"mean that policy modules are able to completely define the semantics of meta-"
"data associated with an object. Policy modules participate in the "
"internalization and externalization of string-based labels provided by user "
"applications, and can expose multiple label elements to applications if "
"desired."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:216
msgid ""
"In-memory labels are stored in slab-allocated `struct label`, which consists "
"of a fixed-length array of unions, each holding a `void *` pointer and a "
"`long`. Policies registering for label storage will be assigned a \"slot\" "
"identifier, which may be used to dereference the label storage. The "
"semantics of the storage are left entirely up to the policy module: modules "
"are provided with a variety of entry points associated with the kernel "
"object life cycle, including initialization, association/creation, and "
"destruction. Using these interfaces, it is possible to implement reference "
"counting and other storage models. Direct access to the object structure is "
"generally not required by policy modules to retrieve a label, as the MAC "
"Framework generally passes both a pointer to the object and a direct pointer "
"to the object's label into entry points. The primary exception to this rule "
"is the process credential, which must be manually dereferenced to access the "
"credential label. This may change in future revisions of the MAC Framework."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:223
msgid ""
"Initialization entry points frequently include a sleeping disposition flag "
"indicating whether or not an initialization is permitted to sleep; if "
"sleeping is not permitted, a failure may be returned to cancel allocation of "
"the label (and hence object). This may occur, for example, in the network "
"stack during interrupt handling, where sleeping is not permitted, or while "
"the caller holds a mutex. Due to the performance cost of maintaining labels "
"on in-flight network packets (Mbufs), policies must specifically declare a "
"requirement that Mbuf labels be allocated. Dynamically loaded policies "
"making use of labels must be able to handle the case where their init "
"function has not been called on an object, as objects may already exist when "
"the policy is loaded. The MAC Framework guarantees that uninitialized label "
"slots will hold a 0 or NULL value, which policies may use to detect "
"uninitialized values. However, as allocation of Mbuf labels is conditional, "
"policies must also be able to handle a NULL label pointer for Mbufs if they "
"have been loaded dynamically."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:229
msgid ""
"In the case of file system labels, special support is provided for the "
"persistent storage of security labels in extended attributes. Where "
"available, extended attribute transactions are used to permit consistent "
"compound updates of security labels on vnodes--currently this support is "
"present only in the UFS2 file system. Policy authors may choose to "
"implement multilabel file system object labels using one (or more) extended "
"attributes. For efficiency reasons, the vnode label (`v_label`) is a cache "
"of any on-disk label; policies are able to load values into the cache when "
"the vnode is instantiated, and update the cache as needed. As a result, the "
"extended attribute need not be directly accessed with every access control "
"check."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:233
msgid ""
"Currently, if a labeled policy permits dynamic unloading, its state slot "
"cannot be reclaimed, which places a strict (and relatively low) bound on the "
"number of unload-reload operations for labeled policies."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:236
#, no-wrap
msgid "System Calls"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:239
msgid ""
"The MAC Framework implements a number of system calls: most of these calls "
"support the policy-agnostic label retrieval and manipulation APIs exposed to "
"user applications."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:245
msgid ""
"The label management calls accept a label description structure, `struct "
"mac`, which contains a series of MAC label elements. Each element contains "
"a character string name and a character string value. Each policy will be "
"given the chance to claim a particular element name, permitting policies to "
"expose multiple independent elements if desired. Policy modules perform the "
"internalization and externalization between kernel labels and user-provided "
"labels via entry points, permitting a variety of semantics. Label "
"management system calls are generally wrapped by user library functions to "
"perform memory allocation and error handling, simplifying user applications "
"that must manage labels."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:247
msgid ""
"The following MAC-related system calls are present in the FreeBSD kernel:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:249
msgid ""
"`mac_get_proc()` may be used to retrieve the label of the current process."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:250
msgid ""
"`mac_set_proc()` may be used to request a change in the label of the current "
"process."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:251
msgid ""
"`mac_get_fd()` may be used to retrieve the label of an object (file, socket, "
"pipe, ...) referenced by a file descriptor."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:252
msgid ""
"`mac_get_file()` may be used to retrieve the label of an object referenced "
"by a file system path."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:253
msgid ""
"`mac_set_fd()` may be used to request a change in the label of an object "
"(file, socket, pipe, ...) referenced by a file descriptor."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:254
msgid ""
"`mac_set_file()` may be used to request a change in the label of an object "
"referenced by a file system path."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:255
msgid ""
"`mac_syscall()` permits policy modules to create new system calls without "
"modifying the system call table; it accepts a target policy name, operation "
"number, and opaque argument for use by the policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:256
msgid ""
"`mac_get_pid()` may be used to request the label of another process by "
"process id."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:257
msgid ""
"`mac_get_link()` is identical to `mac_get_file()`, only it will not follow a "
"symbolic link if it is the final entry in the path, so may be used to "
"retrieve the label on a symlink."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:258
msgid ""
"`mac_set_link()` is identical to `mac_set_file()`, only it will not follow a "
"symbolic link if it is the final entry in a path, so may be used to "
"manipulate the label on a symlink."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:260
msgid ""
"`mac_execve()` is identical to the `execve()` system call, only it also "
"accepts a requested label to set the process label to when beginning "
"execution of a new program. This change in label on execution is referred "
"to as a \"transition\"."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:261
msgid ""
"`mac_get_peer()`, actually implemented via a socket option, retrieves the "
"label of a remote peer on a socket, if available."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:263
msgid ""
"In addition to these system calls, the `SIOCGIFMAC` and `SIOCSIFMAC` network "
"interface ioctls permit the labels on network interfaces to be retrieved and "
"set."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:265
#, no-wrap
msgid "MAC Policy Architecture"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:270
msgid ""
"Security policies are either linked directly into the kernel, or compiled "
"into loadable kernel modules that may be loaded at boot, or dynamically "
"using the module loading system calls at runtime. Policy modules interact "
"with the system through a set of declared entry points, providing access to "
"a stream of system events and permitting the policy to influence access "
"control decisions. Each policy contains a number of elements:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:272
msgid "Optional configuration parameters for policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:273
msgid "Centralized implementation of the policy logic and parameters."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:274
msgid ""
"Optional implementation of policy life cycle events, such as initialization "
"and destruction."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:275
msgid ""
"Optional support for initializing, maintaining, and destroying labels on "
"selected kernel objects."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:276
msgid ""
"Optional support for user process inspection and modification of labels on "
"selected objects."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:277
msgid ""
"Implementation of selected access control entry points that are of interest "
"to the policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:278
msgid ""
"Declaration of policy identity, module entry points, and policy properties."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:280
#, no-wrap
msgid "Policy Declaration"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:283
msgid ""
"Modules may be declared using the `MAC_POLICY_SET()` macro, which names the "
"policy, provides a reference to the MAC entry point vector, provides load-"
"time flags determining how the policy framework should handle the policy, "
"and optionally requests the allocation of label state by the framework."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:297
#, no-wrap
msgid ""
"static struct mac_policy_ops mac_policy_ops =\n"
"{\n"
"    .mpo_destroy = mac_policy_destroy,\n"
"    .mpo_init = mac_policy_init,\n"
"    .mpo_init_bpfdesc_label = mac_policy_init_bpfdesc_label,\n"
"    .mpo_init_cred_label = mac_policy_init_label,\n"
"/* ... */\n"
"    .mpo_check_vnode_setutimes = mac_policy_check_vnode_setutimes,\n"
"    .mpo_check_vnode_stat = mac_policy_check_vnode_stat,\n"
"    .mpo_check_vnode_write = mac_policy_check_vnode_write,\n"
"};\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:302
msgid ""
"The MAC policy entry point vector, `mac_policy_ops` in this example, "
"associates functions defined in the module with specific entry points. A "
"complete listing of available entry points and their prototypes may be found "
"in the MAC entry point reference section. Of specific interest during "
"module registration are the `.mpo_destroy` and `.mpo_init` entry points."
msgstr ""

#. type: Block title
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:302
#, no-wrap
msgid "mpo_init will be invoked once a policy is successfully registered with the module framework but prior to any other entry points becoming active."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:304
msgid ""
"This permits the policy to perform any policy-specific allocation and "
"initialization, such as initialization of any data or locks."
msgstr ""

#. type: Block title
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:304
#, no-wrap
msgid "mpo_destroy will be invoked when a policy module is unloaded to permit releasing of any allocated memory and destruction of locks."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:306
msgid ""
"Currently, these two entry points are invoked with the MAC policy list mutex "
"held to prevent any other entry points from being invoked: this will be "
"changed, but in the meantime, policies should be careful about what kernel "
"primitives they invoke so as to avoid lock ordering or sleeping problems."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:310
msgid ""
"The policy declaration's module name field exists so that the module may be "
"uniquely identified for the purposes of module dependencies. An appropriate "
"string should be selected. The full string name of the policy is displayed "
"to the user via the kernel log during load and unload events, and also "
"exported when providing status information to userland processes."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:312
#, no-wrap
msgid "Policy Flags"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:316
msgid ""
"The policy declaration flags field permits the module to provide the "
"framework with information about its capabilities at the time the module is "
"loaded. Currently, three flags are defined:"
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:317
#, no-wrap
msgid "MPC_LOADTIME_FLAG_UNLOADOK"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:321
msgid ""
"This flag indicates that the policy module may be unloaded. If this flag is "
"not provided, then the policy framework will reject requests to unload the "
"module. This flag might be used by modules that allocate label state and "
"are unable to free that state at runtime."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:322
#, no-wrap
msgid "MPC_LOADTIME_FLAG_NOTLATE"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:326
msgid ""
"This flag indicates that the policy module must be loaded and initialized "
"early in the boot process. If the flag is specified, attempts to register "
"the module following boot will be rejected. The flag may be used by "
"policies that require pervasive labeling of all system objects, and cannot "
"handle objects that have not been properly initialized by the policy."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:327
#, no-wrap
msgid "MPC_LOADTIME_FLAG_LABELMBUFS"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:332
msgid ""
"This flag indicates that the policy module requires labeling of Mbufs, and "
"that memory should always be allocated for the storage of Mbuf labels. "
By " "default, the MAC Framework will not allocate label storage for Mbufs unless " "at least one loaded policy has this flag set. This measurably improves " "network performance when policies do not require Mbuf labeling. A kernel " "option, `MAC_ALWAYS_LABEL_MBUF`, exists to force the MAC Framework to " "allocate Mbuf label storage regardless of the setting of this flag, and may " "be useful in some environments." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:338 msgid "" "Policies using the `MPC_LOADTIME_FLAG_LABELMBUFS` without the " "`MPC_LOADTIME_FLAG_NOTLATE` flag set must be able to correctly handle `NULL` " "Mbuf label pointers passed into entry points. This is necessary as in-" "flight Mbufs without label storage may persist after a policy enabling Mbuf " "labeling has been loaded. If a policy is loaded before the network " "subsystem is active (i.e., the policy is not being loaded late), then all " "Mbufs are guaranteed to have label storage." msgstr "" #. type: Title === #: documentation/content/en/books/arch-handbook/mac/_index.adoc:341 #, no-wrap msgid "Policy Entry Points" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:345 msgid "" "Four classes of entry points are offered to policies registered with the " "framework: entry points associated with the registration and management of " "policies, entry points denoting initialization, creation, destruction, and " "other life cycle events for kernel objects, events associated with access " "control decisions that the policy module may influence, and calls associated " "with the management of labels on objects. In addition, a `mac_syscall()` " "entry point is provided so that policies may extend the kernel interface " "without registering new system calls." msgstr "" #. 
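The registration rules from the Policy Declaration and Policy Flags sections above, as an added userland model (not FreeBSD's own code): it assumes stand-in struct layouts, flag values and errno choices, and a hypothetical `mpo_check_mbuf_transmit` entry point to show how a late-loadable policy handles a `NULL` Mbuf label.

```c
/* Added illustration, not FreeBSD kernel code: a userland model of the rules the
 * chapter gives for MAC_POLICY_SET(), the MPC_LOADTIME_FLAG_* flags and NULL mbuf
 * labels.  Structs, flag values, errno choices and the mpo_check_mbuf_transmit
 * entry point are stand-ins so the file builds without <sys/mac_policy.h>. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

#define MPC_LOADTIME_FLAG_UNLOADOK   0x01  /* policy may be unloaded */
#define MPC_LOADTIME_FLAG_NOTLATE    0x02  /* must register before boot completes */
#define MPC_LOADTIME_FLAG_LABELMBUFS 0x04  /* wants label storage on every mbuf */

struct label { int level; };               /* stand-in for the opaque kernel label */
struct mac_policy_conf;

struct mac_policy_ops {
	void (*mpo_init)(struct mac_policy_conf *);
	void (*mpo_destroy)(struct mac_policy_conf *);
	/* hypothetical access-control entry point; mbuflabel may be NULL */
	int (*mpo_check_mbuf_transmit)(struct label *ifnetlabel, struct label *mbuflabel);
};

struct mac_policy_conf {
	const char *mpc_name, *mpc_fullname;   /* dependency name; name logged on (un)load */
	const struct mac_policy_ops *mpc_ops;  /* the entry point vector */
	int mpc_loadtime_flags;
	bool mpc_registered;                   /* framework-side state */
	struct mac_policy_conf *mpc_next;      /* framework-side list link */
};

int example_inits, example_destroys;       /* life-cycle counters, checkable from tests */
static void example_init(struct mac_policy_conf *c) { (void)c; example_inits++; }
static void example_destroy(struct mac_policy_conf *c) { (void)c; example_destroys++; }

/* Deny transmit when the mbuf's level exceeds the interface's.  A NULL mbuf label is
 * an in-flight mbuf allocated before this late-loadable policy; treat it as level 0. */
int example_check_mbuf_transmit(struct label *ifnetlabel, struct label *mbuflabel)
{
	int mlevel = (mbuflabel != NULL) ? mbuflabel->level : 0;
	return (mlevel > ifnetlabel->level) ? EACCES : 0;
}

static const struct mac_policy_ops example_ops = {
	.mpo_init = example_init,
	.mpo_destroy = example_destroy,
	.mpo_check_mbuf_transmit = example_check_mbuf_transmit,
};

/* Plays the role of MAC_POLICY_SET(&example_ops, mac_example, "...", flags, NULL). */
struct mac_policy_conf example_conf = {
	.mpc_name = "mac_example", .mpc_fullname = "Example label policy",
	.mpc_ops = &example_ops,
	.mpc_loadtime_flags = MPC_LOADTIME_FLAG_LABELMBUFS,   /* no UNLOADOK, no NOTLATE */
};
/* A second policy that insists on early loading but permits unloading. */
struct mac_policy_conf notlate_conf = {
	.mpc_name = "mac_notlate", .mpc_fullname = "Example early-only policy",
	.mpc_ops = &example_ops,
	.mpc_loadtime_flags = MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_UNLOADOK,
};

static struct mac_policy_conf *mac_policy_head;   /* framework side: loaded policies */

/* Register a policy; 'late' models a load after boot.  Returns 0 or an errno. */
int mac_policy_register(struct mac_policy_conf *conf, bool late)
{
	if (conf->mpc_registered) return EEXIST;
	if (late && (conf->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE))
		return EBUSY;                      /* NOTLATE: refused after boot */
	conf->mpc_next = mac_policy_head;
	mac_policy_head = conf;
	conf->mpc_registered = true;
	if (conf->mpc_ops->mpo_init != NULL)
		conf->mpc_ops->mpo_init(conf);     /* once, before any other entry point */
	return 0;
}

/* Unload a policy; refused unless it declared UNLOADOK. */
int mac_policy_unregister(struct mac_policy_conf *conf)
{
	if (!conf->mpc_registered) return ENOENT;
	if (!(conf->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK))
		return EBUSY;
	for (struct mac_policy_conf **pp = &mac_policy_head; *pp != NULL; pp = &(*pp)->mpc_next)
		if (*pp == conf) { *pp = conf->mpc_next; break; }
	conf->mpc_registered = false;
	if (conf->mpc_ops->mpo_destroy != NULL)
		conf->mpc_ops->mpo_destroy(conf);  /* release memory, destroy locks */
	return 0;
}

/* Mbuf label storage is allocated only if a loaded policy set LABELMBUFS, or if the
 * kernel was built with the MAC_ALWAYS_LABEL_MBUF option. */
bool mac_mbuf_labels_wanted(bool always_label_mbuf)
{
	for (struct mac_policy_conf *p = mac_policy_head; p != NULL; p = p->mpc_next)
		if (p->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS)
			return true;
	return always_label_mbuf;
}
```
#.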
type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:350
msgid ""
"Policy module writers should be aware of the kernel locking strategy, as "
"well as what object locks are available during which entry points. Writers "
"should attempt to avoid deadlock scenarios by avoiding grabbing non-leaf "
"locks inside of entry points, and also follow the locking protocol for "
"object access and modification. In particular, writers should be aware that "
"while necessary locks to access objects and their labels are generally held, "
"sufficient locks to modify an object or its label may not be present for all "
"entry points. Locking information for arguments is documented in the MAC "
"framework entry point document."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:354
msgid ""
"Policy entry points will pass a reference to the object label along with the "
"object itself. This permits labeled policies to be unaware of the internals "
"of the object yet still make decisions based on the label. The exception to "
"this is the process credential, which is assumed to be understood by "
"policies as a first class security object in the kernel."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:356
#, no-wrap
msgid "MAC Policy Entry Point Reference"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:359
#, no-wrap
msgid "General-Purpose Module Entry Points"
msgstr ""

#. type: Title ====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:362
#, no-wrap
msgid "`mpo_init`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:367
#, no-wrap
msgid "void mpo_init(struct mac_policy_conf *conf);\n"
msgstr ""

#.
type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:373
#, no-wrap
msgid "Parameter"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:374
#, no-wrap
msgid "Description"
msgstr ""

#.
type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:376
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:4084 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4121 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4155 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4192 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4239 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4282 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4317 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4352 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4383 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4419 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4463 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4511 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4544 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4581 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4618 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4651 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4685 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4718 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4759 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4807 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4844 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4881 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4923 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4963 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4993 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5026 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5061 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5102 #: 
documentation/content/en/books/arch-handbook/mac/_index.adoc:5143 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5176 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5206 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5228 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5254 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5277 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5308 #, no-wrap msgid "Locking" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:377 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:401 #, no-wrap msgid "`conf`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:378 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:402 #, no-wrap msgid "MAC policy definition" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:384 msgid "" "Policy load event. The policy list mutex is held, so sleep operations " "cannot be performed, and calls out to other kernel subsystems must be made " "with caution. If potentially sleeping memory allocations are required " "during policy initialization, they should be made using a separate module " "SYSINIT()." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:386 #, no-wrap msgid "`mpo_destroy`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:391 #, no-wrap msgid "void mpo_destroy(struct mac_policy_conf *conf);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:407 msgid "" "Policy load event. The policy list mutex is held, so caution should be " "applied." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:409 #, no-wrap msgid "`mpo_syscall`" msgstr "" #. 
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:414 #, no-wrap msgid "int mpo_syscall(struct thread *td, int call, void *arg);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:424 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:462 #, no-wrap msgid "`td`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:425 #, no-wrap msgid "Calling thread" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:428 #, no-wrap msgid "`call`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:429 #, no-wrap msgid "Policy-specific syscall number" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:432 #, no-wrap msgid "`arg`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:433 #, no-wrap msgid "Pointer to syscall arguments" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:440 msgid "" "This entry point provides a policy-multiplexed system call so that policies " "may provide additional services to user processes without registering " "specific system calls. The policy name provided during registration is used " "to demultiplex calls from userland, and the arguments will be forwarded to " "this entry point. When implementing new services, security modules should " "be sure to invoke appropriate access control checks from the MAC framework " "as needed. For example, if a policy implements an augmented signal " "functionality, it should call the necessary signal access control checks to " "invoke the MAC framework and other registered policies." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:444 msgid "" "Modules must currently perform the `copyin()` of the syscall data on their " "own." msgstr "" #.
type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:447 #, no-wrap msgid "`mpo_thread_userret`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:452 #, no-wrap msgid "void mpo_thread_userret(struct thread *td);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:463 #, no-wrap msgid "Returning thread" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:471 msgid "" "This entry point permits policy modules to perform MAC-related events when a " "thread returns to user space, via a system call return, trap return, or " "otherwise. This is required for policies that have floating process labels, " "as it is not always possible to acquire the process lock at arbitrary points " "in the stack during system call processing; process labels might represent " "traditional authentication data, process history information, or other " "data. To employ this mechanism, intended changes to the process credential " "label may be stored in the `p_label` protected by a per-policy spin lock, " "and then set the per-thread `TDF_ASTPENDING` flag and per-process " "`PS_MACPENDM` flag to schedule a call to the `userret` entry point. From " "this entry point, the policy may create a replacement credential with less " "concern about the locking context. Policy writers are cautioned that event " "ordering relating to scheduling an AST and the AST being performed may be " "complex and interlaced in multithreaded applications." msgstr "" #. type: Title === #: documentation/content/en/books/arch-handbook/mac/_index.adoc:473 #, no-wrap msgid "Label Operations" msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:476 #, no-wrap msgid "`mpo_init_bpfdesc_label`" msgstr "" #. 
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:481 #, no-wrap msgid "void mpo_init_bpfdesc_label(struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:491 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:514 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:537 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:560 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:583 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:616 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:668 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:691 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:714 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:741 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:768 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:791 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:814 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:837 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:860 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:883 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:906 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:929 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:952 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1002 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1048 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1071 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1094 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1196 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1236 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1276 #: 
documentation/content/en/books/arch-handbook/mac/_index.adoc:1316 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1356 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1396 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1436 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1473 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1510 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1547 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1584 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1793 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1902 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3901 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4054 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4093 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4130 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4164 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4201 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4256 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4291 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4326 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4396 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4436 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4480 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4590 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4660 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4694 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4727 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4768 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4816 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4853 
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:4890 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4932 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5035 #, no-wrap msgid "`label`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:492 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:538 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:561 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:584 #, no-wrap msgid "New label to apply" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:497 msgid "" "Initialize the label on a newly instantiated bpfdesc (BPF descriptor). " "Sleeping is permitted." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:499 #, no-wrap msgid "`mpo_init_cred_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:504 #, no-wrap msgid "void mpo_init_cred_label(struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:515 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:715 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:742 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:769 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:792 #, no-wrap msgid "New label to initialize" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:520 msgid "" "Initialize the label for a newly instantiated user credential. Sleeping is " "permitted." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:522 #, no-wrap msgid "`mpo_init_devfsdirent_label`" msgstr "" #. 
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:527 #, no-wrap msgid "void mpo_init_devfsdirent_label(struct label *label);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:543 msgid "" "Initialize the label on a newly instantiated devfs entry. Sleeping is " "permitted." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:545 #, no-wrap msgid "`mpo_init_ifnet_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:550 #, no-wrap msgid "void mpo_init_ifnet_label(struct label *label);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:566 msgid "" "Initialize the label on a newly instantiated network interface. Sleeping is " "permitted." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:568 #, no-wrap msgid "`mpo_init_ipq_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:573 #, no-wrap msgid "void mpo_init_ipq_label(struct label *label, int flag);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:587 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:612 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:718 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:745 #, no-wrap msgid "`flag`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:588 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:613 #, no-wrap msgid "Sleeping/non-sleeping man:malloc[9]; see below" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:595 msgid "" "Initialize the label on a newly instantiated IP fragment reassembly queue. 
" "The `flag` field may be one of M_WAITOK and M_NOWAIT, and should be employed " "to avoid performing a sleeping man:malloc[9] during this initialization " "call. IP fragment reassembly queue allocation frequently occurs in " "performance sensitive environments, and the implementation should be careful " "to avoid sleeping or long-lived operations. This entry point is permitted " "to fail resulting in the failure to allocate the IP fragment reassembly " "queue." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:597 #, no-wrap msgid "`mpo_init_mbuf_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:602 #, no-wrap msgid "void mpo_init_mbuf_label(int flag, struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:617 #, no-wrap msgid "Policy label to initialize" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:624 msgid "" "Initialize the label on a newly instantiated mbuf packet header (`mbuf`). " "The `flag` field may be one of M_WAITOK and M_NOWAIT, and should be employed " "to avoid performing a sleeping man:malloc[9] during this initialization " "call. Mbuf allocation frequently occurs in performance sensitive " "environments, and the implementation should be careful to avoid sleeping or " "long-lived operations. This entry point is permitted to fail resulting in " "the failure to allocate the mbuf header." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:626 #, no-wrap msgid "`mpo_init_mount_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:631 #, no-wrap msgid "void mpo_init_mount_label(struct label *mntlabel, struct label *fslabel);\n" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:641 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:975 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1955 #, no-wrap msgid "`mntlabel`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:642 #, no-wrap msgid "Policy label to be initialized for the mount itself" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:645 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:979 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1673 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1716 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1754 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1959 #, no-wrap msgid "`fslabel`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:646 #, no-wrap msgid "Policy label to be initialized for the file system" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:651 msgid "" "Initialize the labels on a newly instantiated mount point. Sleeping is " "permitted." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:653 #, no-wrap msgid "`mpo_init_mount_fs_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:658 #, no-wrap msgid "void mpo_init_mount_fs_label(struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:669 #, no-wrap msgid "Label to be initialized" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:674 msgid "" "Initialize the label on a newly mounted file system. Sleeping is permitted." msgstr "" #.
type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:676 #, no-wrap msgid "`mpo_init_pipe_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:681 #, no-wrap msgid "void mpo_init_pipe_label(struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:692 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1437 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1474 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1511 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1548 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1585 #, no-wrap msgid "Label to be filled in" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:697 msgid "" "Initialize a label for a newly instantiated pipe. Sleeping is permitted." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:699 #, no-wrap msgid "`mpo_init_socket_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:704 #, no-wrap msgid "void mpo_init_socket_label(struct label *label, int flag);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:719 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:746 #, no-wrap msgid "man:malloc[9] flags" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:724 msgid "" "Initialize a label for a newly instantiated socket. The `flag` field may be " "one of M_WAITOK and M_NOWAIT, and should be employed to avoid performing a " "sleeping man:malloc[9] during this initialization call." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:726 #, no-wrap msgid "`mpo_init_socket_peer_label`" msgstr "" #. 
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:731 #, no-wrap msgid "void mpo_init_socket_peer_label(struct label *label, int flag);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:751 msgid "" "Initialize the peer label for a newly instantiated socket. The `flag` field " "may be one of M_WAITOK and M_NOWAIT, and should be employed to avoid " "performing a sleeping man:malloc[9] during this initialization call." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:753 #, no-wrap msgid "`mpo_init_proc_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:758 #, no-wrap msgid "void mpo_init_proc_label(struct label *label);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:774 msgid "" "Initialize the label for a newly instantiated process. Sleeping is " "permitted." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:776 #, no-wrap msgid "`mpo_init_vnode_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:781 #, no-wrap msgid "void mpo_init_vnode_label(struct label *label);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:797 msgid "" "Initialize the label on a newly instantiated vnode. Sleeping is permitted." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:799 #, no-wrap msgid "`mpo_destroy_bpfdesc_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:804 #, no-wrap msgid "void mpo_destroy_bpfdesc_label(struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:815 #, no-wrap msgid "bpfdesc label" msgstr "" #. 
type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:820 msgid "" "Destroy the label on a BPF descriptor. In this entry point a policy should " "free any internal storage associated with `label` so that it may be " "destroyed." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:822 #, no-wrap msgid "`mpo_destroy_cred_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:827 #, no-wrap msgid "void mpo_destroy_cred_label(struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:838 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:861 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:884 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:907 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:930 #, no-wrap msgid "Label being destroyed" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:843 msgid "" "Destroy the label on a credential. In this entry point, a policy module " "should free any internal storage associated with `label` so that it may be " "destroyed." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:845 #, no-wrap msgid "`mpo_destroy_devfsdirent_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:850 #, no-wrap msgid "void mpo_destroy_devfsdirent_label(struct label *label);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:866 msgid "" "Destroy the label on a devfs entry. In this entry point, a policy module " "should free any internal storage associated with `label` so that it may be " "destroyed." msgstr "" #. 
type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:868 #, no-wrap msgid "`mpo_destroy_ifnet_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:873 #, no-wrap msgid "void mpo_destroy_ifnet_label(struct label *label);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:889 msgid "" "Destroy the label on a removed interface. In this entry point, a policy " "module should free any internal storage associated with `label` so that it " "may be destroyed." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:891 #, no-wrap msgid "`mpo_destroy_ipq_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:896 #, no-wrap msgid "void mpo_destroy_ipq_label(struct label *label);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:912 msgid "" "Destroy the label on an IP fragment queue. In this entry point, a policy " "module should free any internal storage associated with `label` so that it " "may be destroyed." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:914 #, no-wrap msgid "`mpo_destroy_mbuf_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:919 #, no-wrap msgid "void mpo_destroy_mbuf_label(struct label *label);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:935 msgid "" "Destroy the label on an mbuf header. In this entry point, a policy module " "should free any internal storage associated with `label` so that it may be " "destroyed." msgstr "" #. 
type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:937 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:960 #, no-wrap msgid "`mpo_destroy_mount_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:942 #, no-wrap msgid "void mpo_destroy_mount_label(struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:953 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:976 #, no-wrap msgid "Mount point label being destroyed" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:958 msgid "" "Destroy the labels on a mount point. In this entry point, a policy module " "should free the internal storage associated with `mntlabel` so that it may " "be destroyed." msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:965 #, no-wrap msgid "void mpo_destroy_mount_label(struct label *mntlabel, struct label *fslabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:980 #, no-wrap msgid "File system label being destroyed" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:985 msgid "" "Destroy the labels on a mount point. In this entry point, a policy module " "should free the internal storage associated with `mntlabel` and `fslabel` so " "that they may be destroyed." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:987 #, no-wrap msgid "`mpo_destroy_socket_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:992 #, no-wrap msgid "void mpo_destroy_socket_label(struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1003 #, no-wrap msgid "Socket label being destroyed" msgstr "" #.
type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1008 msgid "" "Destroy the label on a socket. In this entry point, a policy module should " "free any internal storage associated with `label` so that it may be " "destroyed." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1010 #, no-wrap msgid "`mpo_destroy_socket_peer_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1015 #, no-wrap msgid "void mpo_destroy_socket_peer_label(struct label *peerlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1025 #, no-wrap msgid "`peerlabel`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1026 #, no-wrap msgid "Socket peer label being destroyed" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1031 msgid "" "Destroy the peer label on a socket. In this entry point, a policy module " "should free any internal storage associated with `peerlabel` so that it may " "be destroyed." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1033 #, no-wrap msgid "`mpo_destroy_pipe_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1038 #, no-wrap msgid "void mpo_destroy_pipe_label(struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1049 #, no-wrap msgid "Pipe label" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1054 msgid "" "Destroy the label on a pipe. In this entry point, a policy module should " "free any internal storage associated with `label` so that it may be " "destroyed." msgstr "" #. 
type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1056 #, no-wrap msgid "`mpo_destroy_proc_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1061 #, no-wrap msgid "void mpo_destroy_proc_label(struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1072 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1095 #, no-wrap msgid "Process label" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1077 msgid "" "Destroy the label on a process. In this entry point, a policy module should " "free any internal storage associated with `label` so that it may be " "destroyed." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1079 #, no-wrap msgid "`mpo_destroy_vnode_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1084 #, no-wrap msgid "void mpo_destroy_vnode_label(struct label *label);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1100 msgid "" "Destroy the label on a vnode. In this entry point, a policy module should " "free any internal storage associated with `label` so that it may be " "destroyed." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1102 #, no-wrap msgid "`mpo_copy_mbuf_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1107 #, no-wrap msgid "void mpo_copy_mbuf_label(struct label *src, struct label *dest);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1117 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1143 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1169 #, no-wrap msgid "`src`" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1118 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1144 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1170 #, no-wrap msgid "Source label" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1121 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1147 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1173 #, no-wrap msgid "`dest`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1122 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1148 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1174 #, no-wrap msgid "Destination label" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1126 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1152 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1178 msgid "Copy the label information in `src` into `dest`." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1128 #, no-wrap msgid "`mpo_copy_pipe_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1133 #, no-wrap msgid "void mpo_copy_pipe_label(struct label *src, struct label *dest);\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1154 #, no-wrap msgid "`mpo_copy_vnode_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1159 #, no-wrap msgid "void mpo_copy_vnode_label(struct label *src, struct label *dest);\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1180 #, no-wrap msgid "`mpo_externalize_cred_label`" msgstr "" #. 
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1186 #, no-wrap msgid "" "int mpo_externalize_cred_label(struct label *label, char *element_name,\n" " struct sbuf *sb, int *claimed);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1197 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1237 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1277 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1317 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1357 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1397 #, no-wrap msgid "Label to be externalized" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1200 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1240 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1280 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1320 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1360 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1400 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1440 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1477 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1514 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1551 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1588 #, no-wrap msgid "`element_name`" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1201 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1241 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1281 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1321 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1361 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1401 #, no-wrap msgid "Name of the policy whose label should be externalized" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1204 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1244 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1284 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1324 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1364 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1404 #, no-wrap msgid "`sb`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1205 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1245 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1285 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1325 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1365 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1405 #, no-wrap msgid "String buffer to be filled with a text representation of label" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1208 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1248 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1288 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1328 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1368 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1408 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1448 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1485 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1522 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1559 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1596 #, no-wrap msgid "`claimed`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1209 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1249 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1289 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1329 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1369 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1409 #, no-wrap msgid "Should be incremented when `sb` can be filled in." msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1218 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1258 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1298 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1338 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1378 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1418 msgid "" "Produce an externalized label based on the label structure passed. An " "externalized label consists of a text representation of the label contents " "that can be used with userland applications and read by the user. 
" "Currently, all policies' `externalize` entry points will be called, so the " "implementation should check the contents of `element_name` before attempting " "to fill in `sb`. If `element_name` does not match the name of your policy, " "simply return 0. Only return nonzero if an error occurs while externalizing " "the label data. Once the policy fills in `sb`, `*claimed` should be " "incremented." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1220 #, no-wrap msgid "`mpo_externalize_ifnet_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1226 #, no-wrap msgid "" "int mpo_externalize_ifnet_label(struct label *label, char *element_name,\n" " struct sbuf *sb, int *claimed);\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1260 #, no-wrap msgid "`mpo_externalize_pipe_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1266 #, no-wrap msgid "" "int mpo_externalize_pipe_label(struct label *label, char *element_name,\n" " struct sbuf *sb, int *claimed);\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1300 #, no-wrap msgid "`mpo_externalize_socket_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1306 #, no-wrap msgid "" "int mpo_externalize_socket_label(struct label *label, char *element_name,\n" " struct sbuf *sb, int *claimed);\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1340 #, no-wrap msgid "`mpo_externalize_socket_peer_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1346 #, no-wrap msgid "" "int mpo_externalize_socket_peer_label(struct label *label, char *element_name,\n" " struct sbuf *sb, int *claimed);\n" msgstr "" #. 
type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1380 #, no-wrap msgid "`mpo_externalize_vnode_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1386 #, no-wrap msgid "" "int mpo_externalize_vnode_label(struct label *label, char *element_name,\n" " struct sbuf *sb, int *claimed);\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1420 #, no-wrap msgid "`mpo_internalize_cred_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1426 #, no-wrap msgid "" "int mpo_internalize_cred_label(struct label *label, char *element_name,\n" " char *element_data, int *claimed);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1441 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1478 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1515 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1552 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1589 #, no-wrap msgid "Name of the policy whose label should be internalized" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1444 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1481 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1518 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1555 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1592 #, no-wrap msgid "`element_data`" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1445 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1482 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1519 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1556 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1593 #, no-wrap msgid "Text data to be internalized" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1449 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1486 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1523 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1560 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1597 #, no-wrap msgid "Should be incremented when data can be successfully internalized." msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1455 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1492 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1529 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1566 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1603 msgid "" "Produce an internal label structure based on externalized label data in text " "format. Currently, all policies' `internalize` entry points are called when " "internalization is requested, so the implementation should compare the " "contents of `element_name` to its own name in order to be sure it should be " "internalizing the data in `element_data`. Just as in the `externalize` " "entry points, the entry point should return 0 if `element_name` does not " "match its own name, or when data can successfully be internalized, in which " "case `*claimed` should be incremented." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1457 #, no-wrap msgid "`mpo_internalize_ifnet_label`" msgstr "" #. 
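The externalize/internalize convention described above, as an added example that is not part of the handbook or of any FreeBSD policy module: a userland C model in which a hypothetical policy named `level` implements both entry points with the `element_name` check and the `*claimed` increment, beside a stand-in framework driver that calls every registered policy. `struct label`, `struct sbuf`, the `name/data` text form and the rule that exactly one policy must claim each element are assumptions of this model, not taken from the page; only the entry-point signatures follow the ones documented above.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAC_MAX_SLOTS	4
#define LEVEL_SLOT	0		/* slot the framework would assign this policy (assumed) */
#define LEVEL_NAME	"level"		/* the hypothetical policy's element name */
#define NELEM(a)	(sizeof(a) / sizeof((a)[0]))

struct label { void *l_perpolicy[MAC_MAX_SLOTS]; };	/* stand-in: one opaque slot per policy */
struct sbuf { char s_buf[128]; size_t s_len; };		/* stand-in: bounded string builder */
struct level_label { int l_level; };			/* the toy policy's per-object state */

static int
sbuf_cat(struct sbuf *sb, const char *s)
{
	size_t n = strlen(s);
	if (sb->s_len + n + 1 > sizeof(sb->s_buf))
		return (-1);
	memcpy(sb->s_buf + sb->s_len, s, n + 1);
	sb->s_len += n;
	return (0);
}

/* Policy side: check element_name first; bump *claimed only once sb has been filled in. */
static int
level_externalize(struct label *label, char *element_name, struct sbuf *sb, int *claimed)
{
	struct level_label *ll = label->l_perpolicy[LEVEL_SLOT];	/* set up by the init hook */
	char tmp[16];
	if (strcmp(element_name, LEVEL_NAME) != 0)
		return (0);		/* not ours: touch nothing, report success */
	snprintf(tmp, sizeof(tmp), "%d", ll->l_level);
	if (sbuf_cat(sb, tmp) != 0)
		return (EINVAL);	/* caller's buffer too small: a real error */
	(*claimed)++;
	return (0);
}

/* Policy side: element_data is user-supplied text, so parse it strictly. */
static int
level_internalize(struct label *label, char *element_name, char *element_data, int *claimed)
{
	struct level_label *ll = label->l_perpolicy[LEVEL_SLOT];
	char *end;
	long v;
	if (strcmp(element_name, LEVEL_NAME) != 0)
		return (0);
	v = strtol(element_data, &end, 10);
	if (*element_data == '\0' || *end != '\0' || v < 0 || v > 100)
		return (EINVAL);	/* empty, trailing junk, or outside the policy's range */
	ll->l_level = (int)v;
	(*claimed)++;
	return (0);
}

/*
 * Framework side (assumed behaviour, not the kernel's code): each element of "a,b" is
 * offered to every policy and must be claimed exactly once, so an unknown name and two
 * policies answering to the same name are both rejected.  Text form: "a/data,b/data".
 */
static int (*ext_policies[])(struct label *, char *, struct sbuf *, int *) = { level_externalize };
static int (*int_policies[])(struct label *, char *, char *, int *) = { level_internalize };

int
mac_externalize(struct label *label, const char *elements, struct sbuf *sb)
{
	char work[64], *name;
	int claimed, error;
	snprintf(work, sizeof(work), "%s", elements);
	memset(sb, 0, sizeof(*sb));
	for (name = strtok(work, ","); name != NULL; name = strtok(NULL, ",")) {
		if (sbuf_cat(sb, sb->s_len ? "," : "") || sbuf_cat(sb, name) || sbuf_cat(sb, "/"))
			return (EINVAL);
		claimed = 0;
		for (size_t i = 0; i < NELEM(ext_policies); i++)
			if ((error = ext_policies[i](label, name, sb, &claimed)) != 0)
				return (error);
		if (claimed != 1)
			return (ENOENT);
	}
	return (0);
}

int
mac_internalize(struct label *label, const char *text)
{
	char work[64], *slash;
	int claimed = 0, error;
	snprintf(work, sizeof(work), "%s", text);
	if ((slash = strchr(work, '/')) == NULL)
		return (EINVAL);	/* must look like "name/data" */
	*slash = '\0';
	for (size_t i = 0; i < NELEM(int_policies); i++)
		if ((error = int_policies[i](label, work, slash + 1, &claimed)) != 0)
			return (error);
	return (claimed == 1 ? 0 : ENOENT);
}

/* Constructed sample label, already "initialized" with the level policy's slot filled. */
static struct level_label demo_ll = { 42 };
static struct label demo_label = { { &demo_ll } };
static struct sbuf demo_sb;
```

Calling `mac_externalize(&demo_label, "level", &demo_sb)` yields the text `level/42`; asking for an element no policy recognizes, or feeding `mac_internalize` data such as `level/abc` or `level/101`, fails with an error instead of silently leaving the label untouched, which is the property the `*claimed` counter exists to provide.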
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1463 #, no-wrap msgid "" "int mpo_internalize_ifnet_label(struct label *label, char *element_name,\n" " char *element_data, int *claimed);\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1494 #, no-wrap msgid "`mpo_internalize_pipe_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1500 #, no-wrap msgid "" "int mpo_internalize_pipe_label(struct label *label, char *element_name,\n" " char *element_data, int *claimed);\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1531 #, no-wrap msgid "`mpo_internalize_socket_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1537 #, no-wrap msgid "" "int mpo_internalize_socket_label(struct label *label, char *element_name,\n" " char *element_data, int *claimed);\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1568 #, no-wrap msgid "`mpo_internalize_vnode_label`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1574 #, no-wrap msgid "" "int mpo_internalize_vnode_label(struct label *label, char *element_name,\n" " char *element_data, int *claimed);\n" msgstr "" #. type: Title === #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1605 #, no-wrap msgid "Label Events" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1613 msgid "" "This class of entry points is used by the MAC framework to permit policies " "to maintain label information on kernel objects. For each labeled kernel " "object of interest to a MAC policy, entry points may be registered for " "relevant life cycle events. All objects implement initialization, creation, " "and destruction hooks. 
Some objects will also implement relabeling, " "allowing user processes to change the labels on objects. Some objects will " "also implement object-specific events, such as label events associated with " "IP reassembly. A typical labeled object will have the following life cycle " "of entry points:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1625 #, no-wrap msgid "" "Label initialization          o\n" "(object-specific wait)         \\\n" "Label creation                  o\n" "                                 \\\n" "Relabel events,                   o--<--.\n" "Various object-specific,          |     |\n" "Access control events             ~-->--o\n" "                                   \\\n" "Label destruction                   o\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1629 msgid "" "Label initialization permits policies to allocate memory and set initial " "values for labels without context for the use of the object. The label slot " "allocated to a policy will be zeroed by default, so some policies may not " "need to perform initialization." msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1636 msgid "" "Label creation occurs when the kernel structure is associated with an actual " "kernel object. For example, mbufs may be allocated and remain unused in a " "pool until they are required. mbuf allocation causes label initialization " "on the mbuf to take place, but mbuf creation occurs when the mbuf is " "associated with a datagram. Typically, context will be provided for a " "creation event, including the circumstances of the creation, and labels of " "other relevant objects in the creation process. For example, when an mbuf " "is created from a socket, the socket and its label will be presented to " "registered policies in addition to the new mbuf and its label. 
Memory " "allocation in creation events is discouraged, as it may occur in performance-" "sensitive parts of the kernel; in addition, creation calls are not permitted " "to fail so a failure to allocate memory cannot be reported." msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1639 msgid "" "Object-specific events do not generally fall into the other broad classes of " "label events, but will generally provide an opportunity to modify or update " "the label on an object based on additional context. For example, the label " "on an IP fragment reassembly queue may be updated during the MAC_UPDATE_IPQ " "entry point as a result of the acceptance of an additional mbuf to that " "queue." msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1641 msgid "Access control events are discussed in detail in the following section." msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1643 msgid "" "Label destruction permits policies to release storage or state associated " "with a label during its association with an object so that the kernel data " "structures supporting the object may be reused or released." msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1647 msgid "" "In addition to labels associated with specific kernel objects, an additional " "class of labels exists: temporary labels. These labels are used to store " "update information submitted by user processes. These labels are " "initialized and destroyed as with other label types, but the creation event " "is MAC_INTERNALIZE, which accepts a user label to be converted to an in-" "kernel representation." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1649 #, no-wrap msgid "File System Object Labeling Event Operations" msgstr "" #. 
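The label life cycle described above (initialization, creation with context, relabel, destruction), as an added example that is not part of the handbook or of any FreeBSD policy module: a userland C model of a hypothetical `level` policy walking one socket and one mbuf through the cycle. `struct label`, the `socket_obj` and `mbuf_obj` stand-ins, the driver and the hook names `level_*` are assumptions of this model; what it takes from the text is the division of labour, with the init hook the only one that allocates and the only one that can fail, creation hooks that are `void` and only copy from the context they are given, and a relabel whose new value arrives through a temporary label.

```c
#include <errno.h>
#include <stdlib.h>

#define MAC_MAX_SLOTS	4
#define LEVEL_SLOT	0	/* slot the framework would assign this policy (assumed) */

struct label { void *l_perpolicy[MAC_MAX_SLOTS]; };	/* stand-in for the kernel's label */
struct level_label { int l_level; };			/* the toy policy's per-object state */
struct socket_obj { struct label so_label; };		/* stand-in kernel objects */
struct mbuf_obj { int m_in_use; struct label m_label; };
#define SLOT(l)	((struct level_label *)(l)->l_perpolicy[LEVEL_SLOT])

/* Init: no context yet; the only hook that allocates, and the only one allowed to fail. */
static int
level_init_label(struct label *label)
{
	struct level_label *ll = calloc(1, sizeof(*ll));
	if (ll == NULL)
		return (ENOMEM);
	label->l_perpolicy[LEVEL_SLOT] = ll;	/* the slot itself arrives zeroed */
	return (0);
}

/* Destroy: release what init allocated so the object's memory can be reused. */
static void
level_destroy_label(struct label *label)
{
	free(SLOT(label));
	label->l_perpolicy[LEVEL_SLOT] = NULL;
}

/* Copy: both slots were set up by init, so this is a plain field copy. */
static void
level_copy_label(struct label *src, struct label *dest)
{
	SLOT(dest)->l_level = SLOT(src)->l_level;
}

/* Create: context arrives (here the creating credential); void, so no allocation. */
static void
level_create_socket(struct label *credlabel, struct socket_obj *so, struct label *solabel)
{
	(void)so;
	SLOT(solabel)->l_level = SLOT(credlabel)->l_level;
}

/* Create from another object: the mbuf inherits the level of the socket that produced it. */
static void
level_create_mbuf_from_socket(struct socket_obj *so, struct label *solabel,
    struct mbuf_obj *m, struct label *mlabel)
{
	(void)so; (void)m;
	level_copy_label(solabel, mlabel);
}

/* Relabel: the framework has already run its access checks; install the new value. */
static void
level_relabel_socket(struct socket_obj *so, struct label *solabel, struct label *newlabel)
{
	(void)so;
	level_copy_label(newlabel, solabel);
}

struct lifecycle_result { int error, sock_level, mbuf_level, slots_released; };

/* Driver standing in for the framework: walks one socket and one mbuf through the cycle. */
struct lifecycle_result
run_lifecycle(int cred_level, int new_level)
{
	struct lifecycle_result r = { 0, 0, 0, 0 };
	struct label credlabel = { { 0 } }, tmplabel = { { 0 } };
	struct socket_obj so = { { { 0 } } };
	struct mbuf_obj m = { 0, { { 0 } } };

	/* 1. Initialization: every label gets storage, the mbuf's while it still sits in a pool. */
	if ((r.error = level_init_label(&credlabel)) != 0 ||
	    (r.error = level_init_label(&so.so_label)) != 0 ||
	    (r.error = level_init_label(&m.m_label)) != 0 ||
	    (r.error = level_init_label(&tmplabel)) != 0)
		goto out;
	SLOT(&credlabel)->l_level = cred_level;

	/* 2. Creation: the socket from its credential, the mbuf once the socket puts it to use. */
	level_create_socket(&credlabel, &so, &so.so_label);
	m.m_in_use = 1;
	level_create_mbuf_from_socket(&so, &so.so_label, &m, &m.m_label);

	/* 3. Relabel: the user's requested value arrives through a temporary label. */
	SLOT(&tmplabel)->l_level = new_level;
	level_relabel_socket(&so, &so.so_label, &tmplabel);
	r.sock_level = SLOT(&so.so_label)->l_level;
	r.mbuf_level = SLOT(&m.m_label)->l_level;	/* unchanged: the mbuf owns its own copy */
out:
	/* 4. Destruction on every path, so nothing leaks when init fails halfway. */
	level_destroy_label(&tmplabel);
	level_destroy_label(&m.m_label);
	level_destroy_label(&so.so_label);
	level_destroy_label(&credlabel);
	r.slots_released = (m.m_label.l_perpolicy[LEVEL_SLOT] == NULL &&
	    so.so_label.l_perpolicy[LEVEL_SLOT] == NULL);
	return (r);
}
```

`run_lifecycle(3, 5)` leaves the socket at level 5 and the mbuf at the level 3 it was created with: relabeling an object changes that object's label only, and data already in flight keeps the label it received at creation. Because `free(NULL)` is a no-op, the destroy hook is safe to run on a label whose init never happened, which is what lets the error path share the cleanup.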
type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1652 #, no-wrap msgid "`mpo_associate_vnode_devfs`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1659 #, no-wrap msgid "" "void mpo_associate_vnode_devfs(struct mount *mp, struct label *fslabel,\n" " struct devfs_dirent *de, struct label *delabel, struct vnode *vp,\n" " struct label *vlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1669 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1712 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1750 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1854 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1951 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3834 #, no-wrap msgid "`mp`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1670 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1855 #, no-wrap msgid "Devfs mount point" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1674 #, no-wrap msgid "Devfs file system label (`mp->mnt_fslabel`)" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1677 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1866 #, no-wrap msgid "`de`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1678 #, no-wrap msgid "Devfs directory entry" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1681 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1870 #, no-wrap msgid "`delabel`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1682 #, no-wrap msgid "Policy label associated with `de`" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1685 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1720 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1758 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1914 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2009 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2044 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2084 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2934 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2968 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3240 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3799 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3897 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4050 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4089 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4126 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4160 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4197 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4252 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4287 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4322 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4357 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4392 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4432 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4476 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4586 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4656 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4690 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4723 #: 
documentation/content/en/books/arch-handbook/mac/_index.adoc:4764 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4812 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4849 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4886 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4928 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5031 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5181 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5282 #, no-wrap msgid "`vp`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1686 #, no-wrap msgid "vnode associated with `de`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1689 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1724 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1762 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1918 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2048 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3244 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5185 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5286 #, no-wrap msgid "`vlabel`" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1690 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1725 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1763 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1919 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2049 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4257 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4292 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4397 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4437 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4481 #, no-wrap msgid "Policy label associated with `vp`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1694 msgid "" "Fill in the label (`vlabel`) for a newly created devfs vnode based on the " "devfs directory entry passed in `de` and its label." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1696 #, no-wrap msgid "`mpo_associate_vnode_extattr`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1702 #, no-wrap msgid "" "int mpo_associate_vnode_extattr(struct mount *mp, struct label *fslabel,\n" " struct vnode *vp, struct label *vlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1713 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1751 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1899 #, no-wrap msgid "File system mount point" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1717 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1755 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1903 #, no-wrap msgid "File system label" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1721 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1759 #, no-wrap msgid "Vnode to label" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1732 msgid "" "Attempt to retrieve the label for `vp` from the file system extended " "attributes. Upon success, the value `0` is returned. Should extended " "attribute retrieval not be supported, an accepted fallback is to copy " "`fslabel` into `vlabel`. In the event of an error, an appropriate value for " "`errno` should be returned." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1734 #, no-wrap msgid "`mpo_associate_vnode_singlelabel`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1740 #, no-wrap msgid "" "void mpo_associate_vnode_singlelabel(struct mount *mp, struct label *fslabel,\n" " struct vnode *vp, struct label *vlabel);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1767 msgid "" "On non-multilabel file systems, this entry point is called to set the policy " "label for `vp` based on the file system label, `fslabel`." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1769 #, no-wrap msgid "`mpo_create_devfs_device`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1775 #, no-wrap msgid "" "void mpo_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,\n" " struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1785 #, no-wrap msgid "`dev`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1786 #, no-wrap msgid "Device corresponding with `devfs_dirent`" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1789 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1825 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2076 #, no-wrap msgid "`devfs_dirent`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1790 #, no-wrap msgid "Devfs directory entry to be labeled." msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1794 #, no-wrap msgid "Label for `devfs_dirent` to be filled in." msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1799 msgid "" "Fill out the label on a devfs_dirent being created for the passed device. " "This call will be made when the device file system is mounted, regenerated, " "or a new device is made available." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1801 #, no-wrap msgid "`mpo_create_devfs_directory`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1807 #, no-wrap msgid "" "void mpo_create_devfs_directory(char *dirname, int dirnamelen,\n" " struct devfs_dirent *devfs_dirent, struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1817 #, no-wrap msgid "`dirname`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1818 #, no-wrap msgid "Name of directory being created" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1821 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5317 #, no-wrap msgid "`namelen`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1822 #, no-wrap msgid "Length of string `dirname`" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1826 #, no-wrap msgid "Devfs directory entry for directory being created." msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1831 msgid "" "Fill out the label on a devfs_dirent being created for the passed " "directory. This call will be made when the device file system is mounted, " "regenerated, or a new device requiring a specific directory hierarchy is " "made available." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1833 #, no-wrap msgid "`mpo_create_devfs_symlink`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1840 #, no-wrap msgid "" "void mpo_create_devfs_symlink(struct ucred *cred, struct mount *mp,\n" " struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,\n" " struct label *delabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1850 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1894 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1947 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2005 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2040 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2152 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2184 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2252 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2287 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2398 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2824 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2996 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3018 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3040 #: 
documentation/content/en/books/arch-handbook/mac/_index.adoc:3135 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3157 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3183 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3209 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3236 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3266 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3288 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3311 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3350 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3381 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3412 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3447 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3478 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3509 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3542 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3579 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3610 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3670 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3699 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3734 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3768 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3795 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3830 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3863 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3893 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3931 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3964 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3995 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4038 
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:4085 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4122 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4156 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4193 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4240 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4283 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4318 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4353 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4420 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4464 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4512 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4545 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4582 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4619 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4652 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4686 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4719 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4760 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4808 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4845 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4882 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4924 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4964 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4994 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5027 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5062 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5103 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5144 #: 
documentation/content/en/books/arch-handbook/mac/_index.adoc:5207 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5229 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5255 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5278 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5309 #, no-wrap msgid "`cred`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1851 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1895 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1948 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2006 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2041 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2153 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2185 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2253 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2288 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2399 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2825 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3041 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3136 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3158 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3184 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3210 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3237 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3267 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3289 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3312 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3351 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3382 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3413 #: 
documentation/content/en/books/arch-handbook/mac/_index.adoc:3448 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3479 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3510 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3543 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3580 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3611 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3641 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3671 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3700 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3735 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3769 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3796 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3831 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3864 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3894 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3932 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3965 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3996 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4039 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4086 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4123 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4157 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4194 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4241 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4284 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4354 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4385 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4421 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4465 
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:4513 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4546 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4583 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4620 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4653 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4687 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4720 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4761 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4809 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4846 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4883 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4925 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4965 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4995 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5028 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5063 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5104 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5145 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5178 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5208 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5230 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5256 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5279 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5310 #, no-wrap msgid "Subject credential" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1858 #, no-wrap msgid "`dd`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1859 #, no-wrap msgid "Devfs directory entry of the parent directory in which the symlink is created" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1862 #, no-wrap msgid "`ddlabel`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1863 #, no-wrap msgid "Label associated with `dd`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1867 #, no-wrap msgid "Devfs directory entry for the symlink being created" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1871 #, no-wrap msgid "Label associated with `de`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1875 msgid "" "Fill in the label (`delabel`) for a newly created man:devfs[5] symbolic link " "entry." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1877 #, no-wrap msgid "`mpo_create_vnode_extattr`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1884 #, no-wrap msgid "" "int mpo_create_vnode_extattr(struct ucred *cred, struct mount *mp,\n" " struct label *fslabel, struct vnode *dvp, struct label *dlabel,\n" " struct vnode *vp, struct label *vlabel, struct componentname *cnp);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1898 #, no-wrap msgid "`mp`" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1906 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3935 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3968 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3999 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4042 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4244 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4424 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4468 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4549 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4623 #, no-wrap msgid "`dvp`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1907 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4043 #, no-wrap msgid "Parent directory vnode" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1910 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3939 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3972 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4003 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4046 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4248 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4428 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4472 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4553 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4627 #, no-wrap msgid "`dlabel`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1911 #, no-wrap msgid "Label associated with `dvp`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1915 #, no-wrap msgid "Newly created vnode" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1922 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4007 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4058 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4260 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4440 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4488 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4557 #, no-wrap msgid "`cnp`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1923 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4059 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4441 #, no-wrap msgid "Component name for `vp`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1929 msgid "" "Write out the label for `vp` to the appropriate extended attribute. If the " "write succeeds, fill in `vlabel` with the label, and return 0. Otherwise, " "return an appropriate error." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1931 #, no-wrap msgid "`mpo_create_mount`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1937 #, no-wrap msgid "" "void mpo_create_mount(struct ucred *cred, struct mount *mp, struct label *mnt,\n" " struct label *fslabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1952 #, no-wrap msgid "Object; file system being mounted" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1956 #, no-wrap msgid "Policy label to be filled in for `mp`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1960 #, no-wrap msgid "Policy label for the file system `mp` mounts." msgstr "" #. 
type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1965 msgid "" "Fill out the labels on the mount point being created by the passed subject " "credential. This call will be made when a new file system is mounted." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1967 #, no-wrap msgid "`mpo_create_root_mount`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1973 #, no-wrap msgid "" "void mpo_create_root_mount(struct ucred *cred, struct mount *mp,\n" " struct label *mntlabel, struct label *fslabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1983 #, no-wrap msgid "See crossref:mac[mac-mpo-create-mount, `mpo_create_mount`]." msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1987 msgid "" "Fill out the labels on the mount point being created by the passed subject " "credential. This call will be made when the root file system is mounted, " "after `mpo_create_mount`." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1989 #, no-wrap msgid "`mpo_relabel_vnode`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:1995 #, no-wrap msgid "" "void mpo_relabel_vnode(struct ucred *cred, struct vnode *vp,\n" " struct label *vnodelabel, struct label *newlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2010 #, no-wrap msgid "Vnode to relabel" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2013 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2088 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2938 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2972 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3803 #, no-wrap msgid "`vnodelabel`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2014 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3804 #, no-wrap msgid "Existing policy label for `vp`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2017 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2264 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2299 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2334 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2836 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3044 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3424 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3711 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3746 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3772 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3807 #, no-wrap msgid "`newlabel`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2018 #, no-wrap msgid "New, possibly partial label to replace `vnodelabel`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2022 msgid "" "Update the label on the passed vnode given the passed update vnode label and " "the passed subject credential." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2024 #, no-wrap msgid "`mpo_setlabel_vnode_extattr`" msgstr "" #. 
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2030 #, no-wrap msgid "" "int mpo_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,\n" " struct label *vlabel, struct label *intlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2045 #, no-wrap msgid "Vnode for which the label is being written" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2052 #, no-wrap msgid "`intlabel`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2053 #, no-wrap msgid "Label to write out" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2058 msgid "" "Write out the policy label `intlabel` to the appropriate extended attribute " "of `vp`, returning `0` on success or an appropriate `errno` value on failure. " "This is called from `vop_stdsetlabel_ea`, which then updates the in-memory " "vnode label through `mpo_relabel_vnode`." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2060 #, no-wrap msgid "`mpo_update_devfsdirent`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2066 #, no-wrap msgid "" "void mpo_update_devfsdirent(struct devfs_dirent *devfs_dirent,\n" " struct label *direntlabel, struct vnode *vp, struct label *vnodelabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2077 #, no-wrap msgid "Object; devfs directory entry" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2080 #, no-wrap msgid "`direntlabel`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2081 #, no-wrap msgid "Policy label for `devfs_dirent` to be updated." msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2085 #, no-wrap msgid "Devfs vnode corresponding to `devfs_dirent`" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2087 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2937 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3802 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4092 #, no-wrap msgid "Locked" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2089 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2939 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2973 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3902 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4055 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4094 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4131 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4165 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4202 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4591 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4661 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4695 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4728 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4769 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4817 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4854 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4891 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4933 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5036 #, no-wrap msgid "Policy label for `vp`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2095 msgid "" "Update the `devfs_dirent` label from the passed devfs vnode label. 
This " "call will be made when a devfs vnode has been successfully relabeled to " "commit the label change such that it lasts even if the vnode is recycled. " "It will also be made when a symlink is created in devfs, following a call to " "`mac_vnode_create_from_vnode` to initialize the vnode label." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2097 #, no-wrap msgid "IPC Object Labeling Event Operations" msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2100 #, no-wrap msgid "`mpo_create_mbuf_from_socket`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2106 #, no-wrap msgid "" "void mpo_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,\n" " struct mbuf *m, struct label *mbuflabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2116 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3513 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3546 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3674 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3738 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4516 #, no-wrap msgid "`socket`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2117 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3584 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3615 #, no-wrap msgid "Socket" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2119 #, no-wrap msgid "Socket locking WIP" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2120 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2192 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3517 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3550 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3587 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3618 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3678 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3742 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4520 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5152 #, no-wrap msgid "`socketlabel`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2121 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3518 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3551 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3679 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4521 #, no-wrap msgid "Policy label for `socket`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2124 #, no-wrap msgid "`m`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2125 #, no-wrap msgid "Object; mbuf" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2128 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2326 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2610 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2646 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2682 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2863 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5078 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5119 #, no-wrap msgid "`mbuflabel`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2129 #, no-wrap msgid "Policy label to fill in for `m`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2134 msgid "" "Set the label on a newly created mbuf header from the passed socket label. " "This call is made when a new datagram or message is generated by the socket " "and stored in the passed mbuf." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2136 #, no-wrap msgid "`mpo_create_pipe`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2142 #, no-wrap msgid "" "void mpo_create_pipe(struct ucred *cred, struct pipe *pipe,\n" " struct label *pipelabel);\n" msgstr "" #. 
#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2156
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2256
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3315
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3354
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3385
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3416
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3451
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3482
#, no-wrap
msgid "`pipe`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2157
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2257
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3316
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3355
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3386
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3417
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3452
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3483
#, no-wrap
msgid "Pipe"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2160
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3319
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3358
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3389
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3420
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3455
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3486
#, no-wrap
msgid "`pipelabel`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2161
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3320
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3359
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3390
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3456
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3487
#, no-wrap
msgid "Policy label associated with `pipe`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2166
msgid ""
"Set the label on a newly created pipe from the passed subject credential. "
"This call is made when a new pipe is created."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2168
#, no-wrap
msgid "`mpo_create_socket`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2174
#, no-wrap
msgid ""
"void mpo_create_socket(struct ucred *cred, struct socket *so,\n"
" struct label *socketlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2187
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2290
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2401
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2929
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2967
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3798
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3866
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:4088
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5147
#, no-wrap
msgid "Immutable"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2188
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2291
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3583
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3614
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5148
#, no-wrap
msgid "`so`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2189
#, no-wrap
msgid "Object; socket to label"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2193
#, no-wrap
msgid "Label to fill in for `so`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2198
msgid ""
"Set the label on a newly created socket from the passed subject credential. "
"This call is made when a socket is created."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2200
#, no-wrap
msgid "`mpo_create_socket_from_socket`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2207
#, no-wrap
msgid ""
"void mpo_create_socket_from_socket(struct socket *oldsocket,\n"
" struct label *oldsocketlabel, struct socket *newsocket,\n"
" struct label *newsocketlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2217
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2359
#, no-wrap
msgid "`oldsocket`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2218
#, no-wrap
msgid "Listening socket"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2221
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2363
#, no-wrap
msgid "`oldsocketlabel`"
msgstr ""

#.
#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2222
#, no-wrap
msgid "Policy label associated with `oldsocket`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2225
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2367
#, no-wrap
msgid "`newsocket`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2226
#, no-wrap
msgid "New socket"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2229
#, no-wrap
msgid "`newsocketlabel`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2230
#, no-wrap
msgid "Policy label associated with `newsocket`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2234
msgid ""
"Label a socket, `newsocket`, newly man:accept[2]ed, based on the "
"man:listen[2] socket, `oldsocket`."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2236
#, no-wrap
msgid "`mpo_relabel_pipe`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2242
#, no-wrap
msgid ""
"void mpo_relabel_pipe(struct ucred *cred, struct pipe *pipe,\n"
" struct label *oldlabel, struct label *newlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2260
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2295
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2330
#, no-wrap
msgid "`oldlabel`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2261
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3421
#, no-wrap
msgid "Current policy label associated with `pipe`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2265
#, no-wrap
msgid "Policy label update to apply to `pipe`"
msgstr ""

#.
#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2269
msgid "Apply a new label, `newlabel`, to `pipe`."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2271
#, no-wrap
msgid "`mpo_relabel_socket`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2277
#, no-wrap
msgid ""
"void mpo_relabel_socket(struct ucred *cred, struct socket *so,\n"
" struct label *oldlabel, struct label *newlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2292
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3675
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3739
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:4517
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5149
#, no-wrap
msgid "Object; socket"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2296
#, no-wrap
msgid "Current label for `so`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2300
#, no-wrap
msgid "Label update for `so`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2304
msgid "Update the label on a socket from the passed socket label update."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2306
#, no-wrap
msgid "`mpo_set_socket_peer_from_mbuf`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2312
#, no-wrap
msgid ""
"void mpo_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,\n"
" struct label *oldlabel, struct label *newlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2322
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2606
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2642
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2678
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2859
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5074
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5115
#, no-wrap
msgid "`mbuf`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2323
#, no-wrap
msgid "First datagram received over socket"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2327
#, no-wrap
msgid "Label for `mbuf`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2331
#, no-wrap
msgid "Current label for the socket"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2335
#, no-wrap
msgid "Policy label to be filled out for the socket"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2340
msgid ""
"Set the peer label on a stream socket from the passed mbuf label. This call "
"will be made when the first datagram is received by the stream socket, with "
"the exception of Unix domain sockets."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2342
#, no-wrap
msgid "`mpo_set_socket_peer_from_socket`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2349
#, no-wrap
msgid ""
"void mpo_set_socket_peer_from_socket(struct socket *oldsocket,\n"
" struct label *oldsocketlabel, struct socket *newsocket,\n"
" struct label *newsocketpeerlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2360
#, no-wrap
msgid "Local socket"
msgstr ""

#.
#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2364
#, no-wrap
msgid "Policy label for `oldsocket`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2368
#, no-wrap
msgid "Peer socket"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2371
#, no-wrap
msgid "`newsocketpeerlabel`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2372
#, no-wrap
msgid "Policy label to fill in for `newsocket`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2377
msgid ""
"Set the peer label on a stream UNIX domain socket from the passed remote "
"socket endpoint. This call will be made when the socket pair is connected, "
"and will be made for both endpoints."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2379
#, no-wrap
msgid "Network Object Labeling Event Operations"
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2382
#, no-wrap
msgid "`mpo_create_bpfdesc`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2388
#, no-wrap
msgid ""
"void mpo_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,\n"
" struct label *bpflabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2402
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2634
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3100
#, no-wrap
msgid "`bpf_d`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2403
#, no-wrap
msgid "Object; bpf descriptor"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2406
#, no-wrap
msgid "`bpflabel`"
msgstr ""

#.
#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2407
#, no-wrap
msgid "Policy label to be filled in for `bpf_d`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2412
msgid ""
"Set the label on a newly created BPF descriptor from the passed subject "
"credential. This call will be made when a BPF device node is opened by a "
"process with the passed subject credential."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2414
#, no-wrap
msgid "`mpo_create_ifnet`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2419
#, no-wrap
msgid "void mpo_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2429
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2598
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2670
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2714
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2828
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3108
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3703
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5066
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5107
#, no-wrap
msgid "`ifnet`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2430
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2599
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2671
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2715
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5067
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5108
#, no-wrap
msgid "Network interface"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2433
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2602
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2674
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2718
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2832
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3112
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3707
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5070
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5111
#, no-wrap
msgid "`ifnetlabel`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2434
#, no-wrap
msgid "Policy label to fill in for `ifnet`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2439
msgid ""
"Set the label on a newly created interface. This call may be made when a "
"new physical interface becomes available to the system, or when a pseudo-"
"interface is instantiated during the boot or as a result of a user action."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2441
#, no-wrap
msgid "`mpo_create_ipq`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2447
#, no-wrap
msgid ""
"void mpo_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,\n"
" struct ipq *ipq, struct label *ipqlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2457
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2535
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2786
#, no-wrap
msgid "`fragment`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2458
#, no-wrap
msgid "First received IP fragment"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2461
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2539
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2790
#, no-wrap
msgid "`fragmentlabel`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2462
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2791
#, no-wrap
msgid "Policy label for `fragment`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2465
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2492
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2794
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2867
#, no-wrap
msgid "`ipq`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2466
#, no-wrap
msgid "IP reassembly queue to be labeled"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2469
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2496
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2798
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2871
#, no-wrap
msgid "`ipqlabel`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2470
#, no-wrap
msgid "Policy label to be filled in for `ipq`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2474
msgid ""
"Set the label on a newly created IP fragment reassembly queue from the mbuf "
"header of the first received fragment."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2476
#, no-wrap
msgid "`mpo_create_datagram_from_ipq`"
msgstr ""

#.
#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2482
#, no-wrap
msgid ""
"void mpo_create_datagram_from_ipq(struct ipq *ipq,\n"
" struct label *ipqlabel, struct mbuf *datagram, struct label *datagramlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2493
#, no-wrap
msgid "IP reassembly queue"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2497
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2799
#, no-wrap
msgid "Policy label for `ipq`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2500
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2527
#, no-wrap
msgid "`datagram`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2501
#, no-wrap
msgid "Datagram to be labeled"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2504
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2531
#, no-wrap
msgid "`datagramlabel`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2505
#, no-wrap
msgid "Policy label to be filled in for `datagram`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2509
msgid ""
"Set the label on a newly reassembled IP datagram from the IP fragment "
"reassembly queue from which it was generated."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2511
#, no-wrap
msgid "`mpo_create_fragment`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2517
#, no-wrap
msgid ""
"void mpo_create_fragment(struct mbuf *datagram, struct label *datagramlabel,\n"
" struct mbuf *fragment, struct label *fragmentlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2528
#, no-wrap
msgid "Datagram"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2532
#, no-wrap
msgid "Policy label for `datagram`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2536
#, no-wrap
msgid "Fragment to be labeled"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2540
#, no-wrap
msgid "Policy label to be filled in for `fragment`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2544
msgid ""
"Set the label on the mbuf header of a newly created IP fragment from the "
"label on the mbuf header of the datagram it was generated from."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2546
#, no-wrap
msgid "`mpo_create_mbuf_from_mbuf`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2552
#, no-wrap
msgid ""
"void mpo_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct label *oldmbuflabel,\n"
" struct mbuf *newmbuf, struct label *newmbuflabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2562
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2706
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2750
#, no-wrap
msgid "`oldmbuf`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2563
#, no-wrap
msgid "Existing (source) mbuf"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2566
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2710
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2754
#, no-wrap
msgid "`oldmbuflabel`"
msgstr ""

#.
#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2567
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2711
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2755
#, no-wrap
msgid "Policy label for `oldmbuf`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2570
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2722
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2758
#, no-wrap
msgid "`newmbuf`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2571
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2643
#, no-wrap
msgid "New mbuf to be labeled"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2574
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2726
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2762
#, no-wrap
msgid "`newmbuflabel`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2575
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2727
#, no-wrap
msgid "Policy label to be filled in for `newmbuf`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2580
msgid ""
"Set the label on the mbuf header of a newly created datagram from the mbuf "
"header of an existing datagram. This call may be made in a number of "
"situations, including when an mbuf is re-allocated for alignment purposes."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2582
#, no-wrap
msgid "`mpo_create_mbuf_linklayer`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2588
#, no-wrap
msgid ""
"void mpo_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,\n"
" struct mbuf *mbuf, struct label *mbuflabel);\n"
msgstr ""

#.
#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2603
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2675
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2719
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2833
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3113
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5071
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5112
#, no-wrap
msgid "Policy label for `ifnet`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2607
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2679
#, no-wrap
msgid "mbuf header for new datagram"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2611
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2683
#, no-wrap
msgid "Policy label to be filled in for `mbuf`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2616
msgid ""
"Set the label on the mbuf header of a newly created datagram generated for "
"the purposes of a link layer response for the passed interface. This call "
"may be made in a number of situations, including for ARP or ND6 responses in "
"the IPv4 and IPv6 stacks."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2618
#, no-wrap
msgid "`mpo_create_mbuf_from_bpfdesc`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2624
#, no-wrap
msgid ""
"void mpo_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,\n"
" struct mbuf *mbuf, struct label *mbuflabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2635
#, no-wrap
msgid "BPF descriptor"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2638
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:3104
#, no-wrap
msgid "`bpflabel`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2639
#, no-wrap
msgid "Policy label for `bpf_d`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2647
#, no-wrap
msgid "Policy label to fill in for `mbuf`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2652
msgid ""
"Set the label on the mbuf header of a newly created datagram generated using "
"the passed BPF descriptor. This call is made when a write is performed to "
"the BPF device associated with the passed BPF descriptor."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2654
#, no-wrap
msgid "`mpo_create_mbuf_from_ifnet`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2660
#, no-wrap
msgid ""
"void mpo_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,\n"
" struct mbuf *mbuf, struct label *mbuflabel);\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2687
msgid ""
"Set the label on the mbuf header of a newly created datagram generated from "
"the passed network interface."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2689
#, no-wrap
msgid "`mpo_create_mbuf_multicast_encap`"
msgstr ""

#.
#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2696
#, no-wrap
msgid ""
"void mpo_create_mbuf_multicast_encap(struct mbuf *oldmbuf,\n"
" struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,\n"
" struct mbuf *newmbuf, struct label *newmbuflabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2707
#, no-wrap
msgid "mbuf header for existing datagram"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2723
#, no-wrap
msgid "mbuf header to be labeled for new datagram"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2732
msgid ""
"Set the label on the mbuf header of a newly created datagram generated from "
"the existing passed datagram when it is processed by the passed multicast "
"encapsulation interface. This call is made when an mbuf is to be delivered "
"using the virtual interface."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2734
#, no-wrap
msgid "`mpo_create_mbuf_netlayer`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2740
#, no-wrap
msgid ""
"void mpo_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel,\n"
" struct mbuf *newmbuf, struct label *newmbuflabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2751
#, no-wrap
msgid "Received datagram"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2759
#, no-wrap
msgid "Newly created datagram"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2763
#, no-wrap
msgid "Policy label for `newmbuf`"
msgstr ""

#.
#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2768
msgid ""
"Set the label on the mbuf header of a newly created datagram generated by "
"the IP stack in response to an existing received datagram (`oldmbuf`). This "
"call may be made in a number of situations, including when responding to "
"ICMP request datagrams."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2770
#, no-wrap
msgid "`mpo_fragment_match`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2776
#, no-wrap
msgid ""
"int mpo_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,\n"
" struct ipq *ipq, struct label *ipqlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2787
#, no-wrap
msgid "IP datagram fragment"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2795
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2868
#, no-wrap
msgid "IP fragment reassembly queue"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2806
msgid ""
"Determine whether an mbuf header containing an IP datagram fragment "
"(`fragment`) matches the label of the passed IP fragment reassembly queue "
"(`ipq`). Return (1) for a successful match, or (0) for no match. This call "
"is made when the IP stack attempts to find an existing fragment reassembly "
"queue for a newly received fragment; if this fails, a new fragment "
"reassembly queue may be instantiated for the fragment. Policies may use "
"this entry point to prevent the reassembly of otherwise matching IP "
"fragments if policy does not permit them to be reassembled based on the "
"label or other information."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2808
#, no-wrap
msgid "`mpo_relabel_ifnet`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2814
#, no-wrap
msgid ""
"void mpo_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,\n"
" struct label *ifnetlabel, struct label *newlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2829
#, no-wrap
msgid "Object; Network interface"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2837
#, no-wrap
msgid "Label update to apply to `ifnet`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2841
msgid ""
"Update the label of network interface, `ifnet`, based on the passed update "
"label, `newlabel`, and the passed subject credential, `cred`."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2843
#, no-wrap
msgid "`mpo_update_ipq`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2849
#, no-wrap
msgid ""
"void mpo_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,\n"
" struct ipq *ipq, struct label *ipqlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2860
#, no-wrap
msgid "IP fragment"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2864
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5079
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5120
#, no-wrap
msgid "Policy label for `mbuf`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2872
#, no-wrap
msgid "Policy label to be updated for `ipq`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2876
msgid ""
"Update the label on an IP fragment reassembly queue (`ipq`) based on the "
"acceptance of the passed IP fragment mbuf header (`fragment`)."
msgstr ""

#.
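The three reassembly-queue entry points described above (`mpo_create_ipq`, `mpo_fragment_match` and `mpo_update_ipq`) only make sense together with the IP stack's lookup loop that calls them. The following is an added example, not FreeBSD or TrustedBSD code: a userland model in which the kernel structures are replaced by small stand-ins, the policy keeps the shape of the three entry points, and `reassembly_lookup()` models how the stack consults them. The single-level label scheme, the `policy_*` function names, the `scenario_*` helpers and the constructed fragments are all assumptions made for the illustration.

```c
/*
 * Added example, not FreeBSD code: a userland model of how one MAC policy
 * labels an IP fragment reassembly queue and decides whether a later
 * fragment may join it.  Kernel types are stand-ins; the policy functions
 * keep the shape of mpo_create_ipq, mpo_fragment_match and mpo_update_ipq,
 * and reassembly_lookup() models the IP stack's use of them.  The label
 * scheme (one integer sensitivity level, matched by equality) is assumed.
 */
#include <stdio.h>
#include <string.h>

/* Stand-in for struct label. */
struct label {
    int level;      /* assumed scheme: 0 = low, 1 = high */
    int labeled;    /* set once the policy has written this slot */
};

/* Stand-ins for struct mbuf and struct ipq; only the label and the IP
 * identification field matter for this model. */
struct mbuf { unsigned short ip_id; struct label label; };
struct ipq  { unsigned short ip_id; struct label label; int in_use; };

/* mpo_create_ipq: a fresh queue takes the label of its first fragment. */
static void
policy_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
    (void)fragment; (void)ipq;
    *ipqlabel = *fragmentlabel;
    ipqlabel->labeled = 1;
}

/* mpo_fragment_match: 1 lets the fragment join the queue, 0 refuses it.
 * A refusal makes the stack open a second queue for the same IP id, so
 * fragments at different levels are never reassembled into one datagram. */
static int
policy_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
    (void)fragment; (void)ipq;
    return (ipqlabel->labeled && fragmentlabel->level == ipqlabel->level);
}

/* mpo_update_ipq: runs after a fragment has been accepted.  With equality
 * matching there is nothing to merge, so the queue label is left as is; a
 * policy with a richer label would fold the fragment's information in here. */
static void
policy_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
    (void)fragment; (void)fragmentlabel; (void)ipq; (void)ipqlabel;
}

#define NQUEUES 4
static struct ipq queues[NQUEUES];

static void reassembly_reset(void) { memset(queues, 0, sizeof(queues)); }

/* Model of the IP stack's lookup: a queue is reused only if the IP id
 * matches AND the policy agrees; otherwise a new queue is created and
 * labeled.  Returns the queue index, or -1 if no slot is free. */
static int
reassembly_lookup(struct mbuf *fragment)
{
    int i;

    for (i = 0; i < NQUEUES; i++) {
        struct ipq *q = &queues[i];
        if (!q->in_use || q->ip_id != fragment->ip_id)
            continue;
        if (policy_fragment_match(fragment, &fragment->label, q, &q->label)) {
            policy_update_ipq(fragment, &fragment->label, q, &q->label);
            return (i);
        }
    }
    for (i = 0; i < NQUEUES; i++) {
        if (!queues[i].in_use) {
            queues[i].in_use = 1;
            queues[i].ip_id = fragment->ip_id;
            policy_create_ipq(fragment, &fragment->label, &queues[i],
                &queues[i].label);
            return (i);
        }
    }
    return (-1);
}

/* Scenarios on constructed fragments; each returns 1 when the model
 * behaves as the entry-point descriptions require. */
int
scenario_same_level_shares_queue(void)
{
    struct mbuf first  = { 42, { 0, 1 } };
    struct mbuf second = { 42, { 0, 1 } };
    int q1, q2;

    reassembly_reset();
    q1 = reassembly_lookup(&first);
    q2 = reassembly_lookup(&second);
    return (q1 >= 0 && q1 == q2);
}

int
scenario_other_level_gets_own_queue(void)
{
    struct mbuf low  = { 42, { 0, 1 } };
    struct mbuf high = { 42, { 1, 1 } };    /* same IP id, different level */
    int q1, q2;

    reassembly_reset();
    q1 = reassembly_lookup(&low);
    q2 = reassembly_lookup(&high);
    return (q1 >= 0 && q2 >= 0 && q1 != q2 && queues[q2].label.level == 1);
}

int
main(void)
{
    printf("same level shares queue: %d\n", scenario_same_level_shares_queue());
    printf("other level gets own queue: %d\n", scenario_other_level_gets_own_queue());
    return (0);
}
```

The second scenario is the case the text calls out: two fragments carry the same IP identification, so without the policy the stack would reassemble them together; because `policy_fragment_match` returns 0 for the mismatched level, the stack instantiates a separate queue instead.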
#. type: Title ====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2878
#, no-wrap
msgid "Process Labeling Event Operations"
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2881
#, no-wrap
msgid "`mpo_create_cred`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2886
#, no-wrap
msgid "void mpo_create_cred(struct ucred *parent_cred, struct ucred *child_cred);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2896
#, no-wrap
msgid "`parent_cred`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2897
#, no-wrap
msgid "Parent subject credential"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2900
#, no-wrap
msgid "`child_cred`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2901
#, no-wrap
msgid "Child subject credential"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2907
msgid ""
"Set the label of a newly created subject credential from the passed subject "
"credential. This call will be made when man:crcopy[9] is invoked on a newly "
"created `struct ucred`. This call should not be confused with a process "
"forking or creation event."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2909
#, no-wrap
msgid "`mpo_execve_transition`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2915
#, no-wrap
msgid ""
"void mpo_execve_transition(struct ucred *old, struct ucred *new,\n"
" struct vnode *vp, struct label *vnodelabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2926
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2964
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5321
#, no-wrap
msgid "`old`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2927
#, no-wrap
msgid "Existing subject credential"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2930
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5333
#, no-wrap
msgid "`new`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2931
#, no-wrap
msgid "New subject credential to be labeled"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2935
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2969
#, no-wrap
msgid "File to execute"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2946
msgid ""
"Update the label of a newly created subject credential (`new`) from the "
"passed existing subject credential (`old`) based on a label transition "
"caused by executing the passed vnode (`vp`). This call occurs when a "
"process executes the passed vnode and one of the policies returns a success "
"from the `mpo_execve_will_transition` entry point. Policies may choose to "
"implement this call simply by invoking `mpo_create_cred` and passing the two "
"subject credentials so as not to implement a transitioning event. Policies "
"should not leave this entry point unimplemented if they implement "
"`mpo_create_cred`, even if they do not implement "
"`mpo_execve_will_transition`."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:2948
#, no-wrap
msgid "`mpo_execve_will_transition`"
msgstr ""

#.
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2954 #, no-wrap msgid "" "int mpo_execve_will_transition(struct ucred *old, struct vnode *vp,\n" " struct label *vnodelabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2965 #, no-wrap msgid "Subject credential prior to man:execve[2]" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2979 msgid "" "Determine whether the policy will want to perform a transition event as a " "result of the execution of the passed vnode by the passed subject " "credential. Return 1 if a transition is required, 0 if not. Even if a " "policy returns 0, it should behave correctly in the presence of an " "unexpected invocation of `mpo_execve_transition`, as that call may happen as " "a result of another policy requesting a transition." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2981 #, no-wrap msgid "`mpo_create_proc0`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2986 #, no-wrap msgid "void mpo_create_proc0(struct ucred *cred);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:2997 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3019 #, no-wrap msgid "Subject credential to be filled in" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3001 msgid "" "Create the subject credential of process 0, the parent of all kernel " "processes." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3003 #, no-wrap msgid "`mpo_create_proc1`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3008 #, no-wrap msgid "void mpo_create_proc1(struct ucred *cred);\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3023 msgid "" "Create the subject credential of process 1, the parent of all user processes." msgstr "" #. type: Title ===== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3025 #, no-wrap msgid "`mpo_relabel_cred`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3030 #, no-wrap msgid "void mpo_relabel_cred(struct ucred *cred, struct label *newlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3045 #, no-wrap msgid "Label update to apply to `cred`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3049 msgid "Update the label on a subject credential from the passed update label." msgstr "" #. type: Title === #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3051 #, no-wrap msgid "Access Control Checks" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3059 msgid "" "Access control entry points permit policy modules to influence access " "control decisions made by the kernel. Generally, although not always, " "arguments to an access control entry point will include one or more " "authorizing credentials, and information (possibly including a label) for any " "other objects involved in the operation. An access control entry point may " "return 0 to permit the operation, or an man:errno[2] error value. The " "results of invoking the entry point across various registered policy modules " "will be composed as follows: if all modules permit the operation to succeed, " "success will be returned. If one or more modules returns a failure, a failure " "will be returned. 
If more than one module returns a failure, the errno " "value to return to the user will be selected using the following precedence, " "implemented by the `error_select()` function in [.filename]#kern_mac.c#:" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3065 #, no-wrap msgid "Most precedence" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3067 #, no-wrap msgid "EDEADLK" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3070 #, no-wrap msgid "EINVAL" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3073 #, no-wrap msgid "ESRCH" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3076 #, no-wrap msgid "EACCES" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3077 #, no-wrap msgid "Least precedence" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3078 #, no-wrap msgid "EPERM" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3082 msgid "" "If none of the error values returned by all modules are listed in the " "precedence chart then an arbitrarily selected value from the set will be " "returned. In general, the rules provide precedence to errors in the " "following order: kernel failures, invalid arguments, object not present, " "access not permitted, other." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3084 #, no-wrap msgid "`mpo_check_bpfdesc_receive`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3090 #, no-wrap msgid "" "int mpo_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,\n" " struct ifnet *ifnet, struct label *ifnetlabel);\n" msgstr "" #. 
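The composition rule described in the Access Control Checks introduction above, as an added example that is not part of the handbook or of the FreeBSD kernel's `error_select()`: a user-space model that composes the return values of several policy modules using the documented errno precedence (EDEADLK, EINVAL, ESRCH, EACCES, EPERM, then anything else). The function name `compose_policy_errors` and the sample policy results are constructed for this example; where the text says an unlisted value is chosen arbitrarily, this model keeps the first one seen.

```c
/*
 * Added example: a user-space model of how the MAC framework composes the
 * results of several policy modules' access-control entry points.
 * This is NOT the kernel's error_select() from kern_mac.c; it reimplements
 * the precedence described in the handbook text so it can run stand-alone.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Rank of an errno value in the precedence chart: a lower rank wins.
 * Values not listed in the chart share the lowest rank; the text says the
 * kernel then picks one arbitrarily, so this model keeps the first one seen.
 */
static int
errno_rank(int error)
{
	switch (error) {
	case EDEADLK: return 0;	/* kernel failure: most precedence */
	case EINVAL:  return 1;	/* invalid argument */
	case ESRCH:   return 2;	/* object not present */
	case EACCES:  return 3;	/* access not permitted (label mismatch) */
	case EPERM:   return 4;	/* lack of privilege: least precedence */
	default:      return 5;	/* anything else */
	}
}

/*
 * Compose the results of n policy modules for one entry point invocation.
 * Returns 0 only if every module returned 0 (all permit); otherwise returns
 * the failing errno with the highest precedence, so a single denying
 * policy is enough to deny the operation.
 */
int
compose_policy_errors(const int *results, size_t n)
{
	int selected = 0;

	for (size_t i = 0; i < n; i++) {
		int error = results[i];

		if (error == 0)
			continue;	/* a permit never overrides a denial */
		if (selected == 0 || errno_rank(error) < errno_rank(selected))
			selected = error;
	}
	return selected;
}

/* Stand-alone driver: constructed results from three hypothetical policies. */
int
main(void)
{
	const int permit_all[] = { 0, 0, 0 };
	const int mixed[]      = { 0, EPERM, EACCES };
	const int invalid[]    = { EACCES, EINVAL, ESRCH };
	const int unlisted[]   = { ENOENT, EPERM };

	printf("permit_all -> %d\n", compose_policy_errors(permit_all, 3));
	printf("mixed      -> %d (EACCES is %d)\n",
	    compose_policy_errors(mixed, 3), EACCES);
	printf("invalid    -> %d (EINVAL is %d)\n",
	    compose_policy_errors(invalid, 3), EINVAL);
	printf("unlisted   -> %d (EPERM is %d)\n",
	    compose_policy_errors(unlisted, 2), EPERM);
	return 0;
}
```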
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3101 #, no-wrap msgid "Subject; BPF descriptor" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3105 #, no-wrap msgid "Policy label for `bpf_d`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3109 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3704 #, no-wrap msgid "Object; network interface" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3118 msgid "" "Determine whether the MAC framework should permit datagrams from the passed " "interface to be delivered to the buffers of the passed BPF descriptor. " "Return 0 for success, or an `errno` value for failure. Suggested failure: " "EACCES for label mismatches, EPERM for lack of privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3120 #, no-wrap msgid "`mpo_check_kenv_dump`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3125 #, no-wrap msgid "int mpo_check_kenv_dump(struct ucred *cred);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3140 msgid "" "Determine whether the subject should be allowed to retrieve the kernel " "environment (see man:kenv[2])." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3142 #, no-wrap msgid "`mpo_check_kenv_get`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3147 #, no-wrap msgid "int mpo_check_kenv_get(struct ucred *cred, char *name);\n" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3161 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3187 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3213 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4209 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4776 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5313 #, no-wrap msgid "`name`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3162 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3188 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3214 #, no-wrap msgid "Kernel environment variable name" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3166 msgid "" "Determine whether the subject should be allowed to retrieve the value of the " "specified kernel environment variable." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3168 #, no-wrap msgid "`mpo_check_kenv_set`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3173 #, no-wrap msgid "int mpo_check_kenv_set(struct ucred *cred, char *name);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3192 msgid "" "Determine whether the subject should be allowed to set the specified kernel " "environment variable." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3194 #, no-wrap msgid "`mpo_check_kenv_unset`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3199 #, no-wrap msgid "int mpo_check_kenv_unset(struct ucred *cred, char *name);\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3218 msgid "" "Determine whether the subject should be allowed to unset the specified " "kernel environment variable." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3220 #, no-wrap msgid "`mpo_check_kld_load`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3226 #, no-wrap msgid "" "int mpo_check_kld_load(struct ucred *cred, struct vnode *vp,\n" " struct label *vlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3241 #, no-wrap msgid "Kernel module vnode" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3245 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5186 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5287 #, no-wrap msgid "Label associated with `vp`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3249 msgid "" "Determine whether the subject should be allowed to load the specified module " "file." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3251 #, no-wrap msgid "`mpo_check_kld_stat`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3256 #, no-wrap msgid "int mpo_check_kld_stat(struct ucred *cred);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3271 msgid "" "Determine whether the subject should be allowed to retrieve a list of loaded " "kernel module files and associated statistics." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3273 #, no-wrap msgid "`mpo_check_kld_unload`" msgstr "" #. 
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3278 #, no-wrap msgid "int mpo_check_kld_unload(struct ucred *cred);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3293 msgid "" "Determine whether the subject should be allowed to unload a kernel module." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3295 #, no-wrap msgid "`mpo_check_pipe_ioctl`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3301 #, no-wrap msgid "" "int mpo_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,\n" " struct label *pipelabel, unsigned long cmd, void *data);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3323 #, no-wrap msgid "`cmd`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3324 #, no-wrap msgid "man:ioctl[2] command" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3327 #, no-wrap msgid "`data`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3328 #, no-wrap msgid "man:ioctl[2] data" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3332 msgid "" "Determine whether the subject should be allowed to make the specified " "man:ioctl[2] call." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3334 #, no-wrap msgid "`mpo_check_pipe_poll`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3340 #, no-wrap msgid "" "int mpo_check_pipe_poll(struct ucred *cred, struct pipe *pipe,\n" " struct label *pipelabel);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3363 msgid "Determine whether the subject should be allowed to poll `pipe`." 
msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3365 #, no-wrap msgid "`mpo_check_pipe_read`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3371 #, no-wrap msgid "" "int mpo_check_pipe_read(struct ucred *cred, struct pipe *pipe,\n" " struct label *pipelabel);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3394 msgid "Determine whether the subject should be allowed read access to `pipe`." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3396 #, no-wrap msgid "`mpo_check_pipe_relabel`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3402 #, no-wrap msgid "" "int mpo_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,\n" " struct label *pipelabel, struct label *newlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3425 #, no-wrap msgid "Label update to `pipelabel`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3429 msgid "Determine whether the subject should be allowed to relabel `pipe`." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3431 #, no-wrap msgid "`mpo_check_pipe_stat`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3437 #, no-wrap msgid "" "int mpo_check_pipe_stat(struct ucred *cred, struct pipe *pipe,\n" " struct label *pipelabel);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3460 msgid "" "Determine whether the subject should be allowed to retrieve statistics " "related to `pipe`." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3462 #, no-wrap msgid "`mpo_check_pipe_write`" msgstr "" #. 
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3468 #, no-wrap msgid "" "int mpo_check_pipe_write(struct ucred *cred, struct pipe *pipe,\n" " struct label *pipelabel);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3491 msgid "Determine whether the subject should be allowed to write to `pipe`." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3493 #, no-wrap msgid "`mpo_check_socket_bind`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3499 #, no-wrap msgid "" "int mpo_check_socket_bind(struct ucred *cred, struct socket *socket,\n" " struct label *socketlabel, struct sockaddr *sockaddr);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3514 #, no-wrap msgid "Socket to be bound" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3521 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3554 #, no-wrap msgid "`sockaddr`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3522 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3555 #, no-wrap msgid "Address of `socket`" msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3526 #, no-wrap msgid "`mpo_check_socket_connect`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3532 #, no-wrap msgid "" "int mpo_check_socket_connect(struct ucred *cred, struct socket *socket,\n" " struct label *socketlabel, struct sockaddr *sockaddr);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3547 #, no-wrap msgid "Socket to be connected" msgstr "" #. 
type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3561 msgid "" "Determine whether the subject credential (`cred`) can connect the passed " "socket (`socket`) to the passed socket address (`sockaddr`). Return 0 for " "success, or an `errno` value for failure. Suggested failure: EACCES for " "label mismatches, EPERM for lack of privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3563 #, no-wrap msgid "`mpo_check_socket_receive`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3569 #, no-wrap msgid "" "int mpo_check_socket_receive(struct ucred *cred, struct socket *so,\n" " struct label *socketlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3588 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3619 #, no-wrap msgid "Policy label associated with `so`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3592 msgid "" "Determine whether the subject should be allowed to receive information from " "the socket `so`." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3594 #, no-wrap msgid "`mpo_check_socket_send`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3600 #, no-wrap msgid "" "int mpo_check_socket_send(struct ucred *cred, struct socket *so,\n" " struct label *socketlabel);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3623 msgid "" "Determine whether the subject should be allowed to send information across " "the socket `so`." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3625 #, no-wrap msgid "`mpo_check_cred_visible`" msgstr "" #. 
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3630 #, no-wrap msgid "int mpo_check_cred_visible(struct ucred *u1, struct ucred *u2);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3640 #, no-wrap msgid "`u1`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3644 #, no-wrap msgid "`u2`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3645 #, no-wrap msgid "Object credential" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3652 msgid "" "Determine whether the subject credential `u1` can \"see\" other subjects " "with the passed subject credential `u2`. Return 0 for success, or an " "`errno` value for failure. Suggested failure: EACCES for label mismatches, " "EPERM for lack of privilege, or ESRCH to hide visibility. This call may be " "made in a number of situations, including inter-process status sysctls used " "by `ps`, and in procfs lookups." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3654 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5128 #, no-wrap msgid "`mpo_check_socket_visible`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3660 #, no-wrap msgid "" "int mpo_check_socket_visible(struct ucred *cred, struct socket *socket,\n" " struct label *socketlabel);\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3683 #, no-wrap msgid "`mpo_check_ifnet_relabel`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3689 #, no-wrap msgid "" "int mpo_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,\n" " struct label *ifnetlabel, struct label *newlabel);\n" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3708 #, no-wrap msgid "Existing policy label for `ifnet`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3712 #, no-wrap msgid "Policy label update to later be applied to `ifnet`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3716 msgid "" "Determine whether the subject credential can relabel the passed network " "interface to the passed label update." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3718 #, no-wrap msgid "`mpo_check_socket_relabel`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3724 #, no-wrap msgid "" "int mpo_check_socket_relabel(struct ucred *cred, struct socket *socket,\n" " struct label *socketlabel, struct label *newlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3743 #, no-wrap msgid "Existing policy label for `socket`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3747 #, no-wrap msgid "Label update to later be applied to `socketlabel`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3751 msgid "" "Determine whether the subject credential can relabel the passed socket to " "the passed label update." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3753 #, no-wrap msgid "`mpo_check_cred_relabel`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3758 #, no-wrap msgid "int mpo_check_cred_relabel(struct ucred *cred, struct label *newlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3773 #, no-wrap msgid "Label update to later be applied to `cred`" msgstr "" #. 
type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3777 msgid "" "Determine whether the subject credential can relabel itself to the passed " "label update." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3779 #, no-wrap msgid "`mpo_check_vnode_relabel`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3785 #, no-wrap msgid "" "int mpo_check_vnode_relabel(struct ucred *cred, struct vnode *vp,\n" " struct label *vnodelabel, struct label *newlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3800 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3898 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4000 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4090 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4161 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4198 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4550 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4587 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4657 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4691 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4724 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4765 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4813 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4850 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4887 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:5032 #, no-wrap msgid "Object; vnode" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3808 #, no-wrap msgid "Policy label update to later be applied to `vp`" msgstr "" #. 
type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3812 msgid "" "Determine whether the subject credential can relabel the passed vnode to the " "passed label update." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3814 #, no-wrap msgid "`mpo_check_mount_stat`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3820 #, no-wrap msgid "" "int mpo_check_mount_stat(struct ucred *cred, struct mount *mp,\n" " struct label *mountlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3835 #, no-wrap msgid "Object; file system mount" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3838 #, no-wrap msgid "`mountlabel`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3839 #, no-wrap msgid "Policy label for `mp`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3846 msgid "" "Determine whether the subject credential can see the results of a statfs " "performed on the file system. Return 0 for success, or an `errno` value for " "failure. Suggested failure: EACCES for label mismatches or EPERM for lack " "of privilege. This call may be made in a number of situations, including " "during invocations of man:statfs[2] and related calls, as well as to " "determine what file systems to exclude from listings of file systems, such " "as when man:getfsstat[2] is invoked." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3848 #, no-wrap msgid "`mpo_check_proc_debug`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3853 #, no-wrap msgid "int mpo_check_proc_debug(struct ucred *cred, struct proc *proc);\n" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3867 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4968 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4998 #, no-wrap msgid "`proc`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3868 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4969 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4999 #, no-wrap msgid "Object; process" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3875 msgid "" "Determine whether the subject credential can debug the passed process. " "Return 0 for success, or an `errno` value for failure. Suggested failure: " "EACCES for label mismatch, EPERM for lack of privilege, or ESRCH to hide " "visibility of the target. This call may be made in a number of situations, " "including use of the man:ptrace[2] and man:ktrace[2] APIs, as well as for " "some types of procfs operations." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3877 #, no-wrap msgid "`mpo_check_vnode_access`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3883 #, no-wrap msgid "" "int mpo_check_vnode_access(struct ucred *cred, struct vnode *vp,\n" " struct label *label, int flags);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3905 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4820 #, no-wrap msgid "`flags`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3906 #, no-wrap msgid "man:access[2] flags" msgstr "" #. 
type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3913 msgid "" "Determine how invocations of man:access[2] and related calls by the subject " "credential should return when performed on the passed vnode using the passed " "access flags. This should generally be implemented using the same semantics " "used in `mpo_check_vnode_open`. Return 0 for success, or an `errno` value " "for failure. Suggested failure: EACCES for label mismatches or EPERM for " "lack of privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3915 #, no-wrap msgid "`mpo_check_vnode_chdir`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3921 #, no-wrap msgid "" "int mpo_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,\n" " struct label *dlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3936 #, no-wrap msgid "Object; vnode to man:chdir[2] into" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3940 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4004 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4047 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4554 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4628 #, no-wrap msgid "Policy label for `dvp`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3946 msgid "" "Determine whether the subject credential can change the process working " "directory to the passed vnode. Return 0 for success, or an `errno` value " "for failure. Suggested failure: EACCES for label mismatch, or EPERM for " "lack of privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3948 #, no-wrap msgid "`mpo_check_vnode_chroot`" msgstr "" #. 
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3954 #, no-wrap msgid "" "int mpo_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,\n" " struct label *dlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3969 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4245 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4425 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4469 #, no-wrap msgid "Directory vnode" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3973 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4249 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4429 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4473 #, no-wrap msgid "Policy label associated with `dvp`" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3977 msgid "" "Determine whether the subject should be allowed to man:chroot[2] into the " "specified directory (`dvp`)." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3979 #, no-wrap msgid "`mpo_check_vnode_create`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:3985 #, no-wrap msgid "" "int mpo_check_vnode_create(struct ucred *cred, struct vnode *dvp,\n" " struct label *dlabel, struct componentname *cnp, struct vattr *vap);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4008 #, no-wrap msgid "Component name for `dvp`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4011 #, no-wrap msgid "`vap`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4012 #, no-wrap msgid "vnode attributes for `vap`" msgstr "" #. 
type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4019 msgid "" "Determine whether the subject credential can create a vnode with the passed " "parent directory, passed name information, and passed attribute " "information. Return 0 for success, or an `errno` value for failure. " "Suggested failure: EACCES for label mismatch, or EPERM for lack of " "privilege. This call may be made in a number of situations, including as a " "result of calls to man:open[2] with O_CREAT, man:mkfifo[2], and others." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4021 #, no-wrap msgid "`mpo_check_vnode_delete`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4028 #, no-wrap msgid "" "int mpo_check_vnode_delete(struct ucred *cred, struct vnode *dvp,\n" " struct label *dlabel, struct vnode *vp, void *label,\n" " struct componentname *cnp);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4051 #, no-wrap msgid "Object; vnode to delete" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4067 msgid "" "Determine whether the subject credential can delete a vnode from the passed " "parent directory and passed name information. Return 0 for success, or an " "`errno` value for failure. Suggested failure: EACCES for label mismatch, or " "EPERM for lack of privilege. This call may be made in a number of " "situations, including as a result of calls to man:unlink[2] and " "man:rmdir[2]. Policies implementing this entry point should also implement " "`mpo_check_vnode_rename_to` to authorize deletion of objects as a result of being " "the target of a rename." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4069 #, no-wrap msgid "`mpo_check_vnode_deleteacl`" msgstr "" #. 
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4075 #, no-wrap msgid "" "int mpo_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,\n" " struct label *label, acl_type_t type);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4097 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4168 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4731 #, no-wrap msgid "`type`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4098 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4169 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4732 #, no-wrap msgid "ACL type" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4104 msgid "" "Determine whether the subject credential can delete the ACL of passed type " "from the passed vnode. Return 0 for success, or an `errno` value for " "failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of " "privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4106 #, no-wrap msgid "`mpo_check_vnode_exec`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4112 #, no-wrap msgid "" "int mpo_check_vnode_exec(struct ucred *cred, struct vnode *vp,\n" " struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4127 #, no-wrap msgid "Object; vnode to execute" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4138 msgid "" "Determine whether the subject credential can execute the passed vnode. " "Determination of execute privilege is made separately from decisions about " "any transitioning event. Return 0 for success, or an `errno` value for " "failure. 
Suggested failure: EACCES for label mismatch, or EPERM for lack of " "privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4140 #, no-wrap msgid "`mpo_check_vnode_getacl`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4146 #, no-wrap msgid "" "int mpo_check_vnode_getacl(struct ucred *cred, struct vnode *vp,\n" " struct label *label, acl_type_t type);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4175 msgid "" "Determine whether the subject credential can retrieve the ACL of passed type " "from the passed vnode. Return 0 for success, or an `errno` value for " "failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of " "privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4177 #, no-wrap msgid "`mpo_check_vnode_getextattr`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4183 #, no-wrap msgid "" "int mpo_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,\n" " struct label *label, int attrnamespace, const char *name, struct uio *uio);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4205 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4772 #, no-wrap msgid "`attrnamespace`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4206 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4773 #, no-wrap msgid "Extended attribute namespace" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4210 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4777 #, no-wrap msgid "Extended attribute name" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4213 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4780 #, no-wrap msgid "`uio`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4214 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4781 #, no-wrap msgid "I/O structure pointer; see man:uio[9]" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4221 msgid "" "Determine whether the subject credential can retrieve the extended attribute " "with the passed namespace and name from the passed vnode. Policies " "implementing labeling using extended attributes may be interested in special " "handling of operations on those extended attributes. Return 0 for success, " "or an `errno` value for failure. Suggested failure: EACCES for label " "mismatch, or EPERM for lack of privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4223 #, no-wrap msgid "`mpo_check_vnode_link`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4230 #, no-wrap msgid "" "int mpo_check_vnode_link(struct ucred *cred, struct vnode *dvp,\n" " struct label *dlabel, struct vnode *vp, struct label *label,\n" " struct componentname *cnp);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4253 #, no-wrap msgid "Link destination vnode" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4261 #, no-wrap msgid "Component name for the link being created" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4265 msgid "" "Determine whether the subject should be allowed to create a link to the " "vnode `vp` with the name specified by `cnp`." msgstr "" #. 
type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4267 #, no-wrap msgid "`mpo_check_vnode_mmap`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4273 #, no-wrap msgid "" "int mpo_check_vnode_mmap(struct ucred *cred, struct vnode *vp,\n" " struct label *label, int prot);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4288 #, no-wrap msgid "Vnode to map" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4295 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4330 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4361 #, no-wrap msgid "`prot`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4296 #, no-wrap msgid "Mmap protections (see man:mmap[2])" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4300 msgid "" "Determine whether the subject should be allowed to map the vnode `vp` with " "the protections specified in `prot`." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4302 #, no-wrap msgid "`mpo_check_vnode_mmap_downgrade`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4308 #, no-wrap msgid "" "void mpo_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,\n" " struct label *label, int *prot);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4319 #, no-wrap msgid "See crossref:mac[mac-mpo-check-vnode-mmap, `mpo_check_vnode_mmap`]." msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4331 #, no-wrap msgid "Mmap protections to be downgraded" msgstr "" #. 
type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4335 msgid "Downgrade the mmap protections based on the subject and object labels." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4337 #, no-wrap msgid "`mpo_check_vnode_mprotect`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4343 #, no-wrap msgid "" "int mpo_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,\n" " struct label *label, int prot);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4358 #, no-wrap msgid "Mapped vnode" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4362 #, no-wrap msgid "Memory protections" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4366 msgid "" "Determine whether the subject should be allowed to set the specified memory " "protections on memory mapped from the vnode `vp`." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4368 #, no-wrap msgid "`mpo_check_vnode_poll`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4374 #, no-wrap msgid "" "int mpo_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,\n" " struct vnode *vp, struct label *label);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4384 #, no-wrap msgid "`active_cred`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4388 #, no-wrap msgid "`file_cred`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4389 #, no-wrap msgid "Credential associated with the struct file" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4393 #, no-wrap msgid "Polled vnode" msgstr "" #. 
type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4401 msgid "Determine whether the subject should be allowed to poll the vnode `vp`." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4403 #, no-wrap msgid "`mpo_check_vnode_rename_from`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4410 #, no-wrap msgid "" "int mpo_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,\n" " struct label *dlabel, struct vnode *vp, struct label *label,\n" " struct componentname *cnp);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4433 #, no-wrap msgid "Vnode to be renamed" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4445 msgid "" "Determine whether the subject should be allowed to rename the vnode `vp` to " "something else." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4447 #, no-wrap msgid "`mpo_check_vnode_rename_to`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4454 #, no-wrap msgid "" "int mpo_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,\n" " struct label *dlabel, struct vnode *vp, struct label *label, int samedir,\n" " struct componentname *cnp);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4477 #, no-wrap msgid "Overwritten vnode" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4484 #, no-wrap msgid "`samedir`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4485 #, no-wrap msgid "Boolean; `1` if the source and destination directories are the same" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4489 #, no-wrap msgid "Destination component name" msgstr "" #. 
type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4494 msgid "" "Determine whether the subject should be allowed to rename to the vnode `vp`, " "into the directory `dvp`, or to the name represented by `cnp`. If there is " "no existing file to overwrite, `vp` and `label` will be NULL." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4496 #, no-wrap msgid "`mpo_check_socket_listen`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4502 #, no-wrap msgid "" "int mpo_check_socket_listen(struct ucred *cred, struct socket *socket,\n" " struct label *socketlabel);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4527 msgid "" "Determine whether the subject credential can listen on the passed socket. " "Return 0 for success, or an `errno` value for failure. Suggested failure: " "EACCES for label mismatch, or EPERM for lack of privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4529 #, no-wrap msgid "`mpo_check_vnode_lookup`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4535 #, no-wrap msgid "" "int mpo_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,\n" " struct label *dlabel, struct componentname *cnp);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4558 #, no-wrap msgid "Component name being looked up" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4564 msgid "" "Determine whether the subject credential can perform a lookup in the passed " "directory vnode for the passed name. Return 0 for success, or an `errno` " "value for failure. Suggested failure: EACCES for label mismatch, or EPERM " "for lack of privilege." msgstr "" #. 
type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4566 #, no-wrap msgid "`mpo_check_vnode_open`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4572 #, no-wrap msgid "" "int mpo_check_vnode_open(struct ucred *cred, struct vnode *vp,\n" " struct label *label, int acc_mode);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4594 #, no-wrap msgid "`acc_mode`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4595 #, no-wrap msgid "man:open[2] access mode" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4601 msgid "" "Determine whether the subject credential can perform an open operation on " "the passed vnode with the passed access mode. Return 0 for success, or an " "`errno` value for failure. Suggested failure: EACCES for label mismatch, or " "EPERM for lack of privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4603 #, no-wrap msgid "`mpo_check_vnode_readdir`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4609 #, no-wrap msgid "" "int mpo_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,\n" " struct label *dlabel);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4624 #, no-wrap msgid "Object; directory vnode" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4634 msgid "" "Determine whether the subject credential can perform a `readdir` operation " "on the passed directory vnode. Return 0 for success, or an `errno` value " "for failure. Suggested failure: EACCES for label mismatch, or EPERM for " "lack of privilege." msgstr "" #. 
type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4636 #, no-wrap msgid "`mpo_check_vnode_readlink`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4642 #, no-wrap msgid "" "int mpo_check_vnode_readlink(struct ucred *cred, struct vnode *vp,\n" " struct label *label);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4668 msgid "" "Determine whether the subject credential can perform a `readlink` operation " "on the passed symlink vnode. Return 0 for success, or an `errno` value for " "failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of " "privilege. This call may be made in a number of situations, including an " "explicit `readlink` call by the user process, or as a result of an implicit " "`readlink` during a name lookup by the process." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4670 #, no-wrap msgid "`mpo_check_vnode_revoke`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4676 #, no-wrap msgid "" "int mpo_check_vnode_revoke(struct ucred *cred, struct vnode *vp,\n" " struct label *label);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4701 msgid "" "Determine whether the subject credential can revoke access to the passed " "vnode. Return 0 for success, or an `errno` value for failure. Suggested " "failure: EACCES for label mismatch, or EPERM for lack of privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4703 #, no-wrap msgid "`mpo_check_vnode_setacl`" msgstr "" #. 
type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4709 #, no-wrap msgid "" "int mpo_check_vnode_setacl(struct ucred *cred, struct vnode *vp,\n" " struct label *label, acl_type_t type, struct acl *acl);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4735 #, no-wrap msgid "`acl`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4736 #, no-wrap msgid "ACL" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4742 msgid "" "Determine whether the subject credential can set the passed ACL of passed " "type on the passed vnode. Return 0 for success, or an `errno` value for " "failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of " "privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4744 #, no-wrap msgid "`mpo_check_vnode_setextattr`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4750 #, no-wrap msgid "" "int mpo_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,\n" " struct label *label, int attrnamespace, const char *name, struct uio *uio);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4790 msgid "" "Determine whether the subject credential can set the extended attribute of " "passed name and passed namespace on the passed vnode. Policies implementing " "security labels backed into extended attributes may want to provide " "additional protections for those attributes. Additionally, policies should " "avoid making decisions based on the data referenced from `uio`, as there is " "a potential race condition between this check and the actual operation. The " "`uio` may also be `NULL` if a delete operation is being performed. Return 0 " "for success, or an `errno` value for failure. 
Suggested failure: EACCES for " "label mismatch, or EPERM for lack of privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4792 #, no-wrap msgid "`mpo_check_vnode_setflags`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4798 #, no-wrap msgid "" "int mpo_check_vnode_setflags(struct ucred *cred, struct vnode *vp,\n" " struct label *label, u_long flags);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4821 #, no-wrap msgid "File flags; see man:chflags[2]" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4827 msgid "" "Determine whether the subject credential can set the passed flags on the " "passed vnode. Return 0 for success, or an `errno` value for failure. " "Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4829 #, no-wrap msgid "`mpo_check_vnode_setmode`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4835 #, no-wrap msgid "" "int mpo_check_vnode_setmode(struct ucred *cred, struct vnode *vp,\n" " struct label *label, mode_t mode);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4857 #, no-wrap msgid "`mode`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4858 #, no-wrap msgid "File mode; see man:chmod[2]" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4864 msgid "" "Determine whether the subject credential can set the passed mode on the " "passed vnode. Return 0 for success, or an `errno` value for failure. " "Suggested failure: EACCES for label mismatch, or EPERM for lack of privilege." msgstr "" #. 
type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4866 #, no-wrap msgid "`mpo_check_vnode_setowner`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4872 #, no-wrap msgid "" "int mpo_check_vnode_setowner(struct ucred *cred, struct vnode *vp,\n" " struct label *label, uid_t uid, gid_t gid);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4894 #, no-wrap msgid "`uid`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4895 #, no-wrap msgid "User ID" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4898 #, no-wrap msgid "`gid`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4899 #, no-wrap msgid "Group ID" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4906 msgid "" "Determine whether the subject credential can set the passed uid and passed " "gid as file uid and file gid on the passed vnode. The IDs may be set to " "(`-1`) to request no update. Return 0 for success, or an `errno` value for " "failure. Suggested failure: EACCES for label mismatch, or EPERM for lack of " "privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4908 #, no-wrap msgid "`mpo_check_vnode_setutimes`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4914 #, no-wrap msgid "" "int mpo_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,\n" " struct label *label, struct timespec atime, struct timespec mtime);\n" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4929 #, no-wrap msgid "Object; vp" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4936 #, no-wrap msgid "`atime`" msgstr "" #. 
type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4937 #, no-wrap msgid "Access time; see man:utimes[2]" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4940 #, no-wrap msgid "`mtime`" msgstr "" #. type: Table #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4941 #, no-wrap msgid "Modification time; see man:utimes[2]" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4947 msgid "" "Determine whether the subject credential can set the passed access " "timestamps on the passed vnode. Return 0 for success, or an `errno` value " "for failure. Suggested failure: EACCES for label mismatch, or EPERM for " "lack of privilege." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4949 #, no-wrap msgid "`mpo_check_proc_sched`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4954 #, no-wrap msgid "int mpo_check_proc_sched(struct ucred *ucred, struct proc *proc);\n" msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4975 msgid "" "Determine whether the subject credential can change the scheduling " "parameters of the passed process. Return 0 for success, or an `errno` value " "for failure. Suggested failure: EACCES for label mismatch, EPERM for lack " "of privilege, or ESRCH to limit visibility." msgstr "" #. type: Plain text #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4977 msgid "See man:setpriority[2] for more information." msgstr "" #. type: Title ==== #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4979 #, no-wrap msgid "`mpo_check_proc_signal`" msgstr "" #. type: delimited block - 4 #: documentation/content/en/books/arch-handbook/mac/_index.adoc:4984 #, no-wrap msgid "int mpo_check_proc_signal(struct ucred *cred, struct proc *proc, int signal);\n" msgstr "" #. 
#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5002
#, no-wrap
msgid "`signal`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5003
#, no-wrap
msgid "Signal; see man:kill[2]"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5009
msgid ""
"Determine whether the subject credential can deliver the passed signal to "
"the passed process. Return 0 for success, or an `errno` value for failure. "
"Suggested failure: EACCES for label mismatch, EPERM for lack of privilege, "
"or ESRCH to limit visibility."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5011
#, no-wrap
msgid "`mpo_check_vnode_stat`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5017
#, no-wrap
msgid ""
"int mpo_check_vnode_stat(struct ucred *cred, struct vnode *vp,\n"
" struct label *label);\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5042
msgid ""
"Determine whether the subject credential can `stat` the passed vnode. "
"Return 0 for success, or an `errno` value for failure. Suggested failure: "
"EACCES for label mismatch, or EPERM for lack of privilege."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5044
msgid "See man:stat[2] for more information."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5046
#, no-wrap
msgid "`mpo_check_ifnet_transmit`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5052
#, no-wrap
msgid ""
"int mpo_check_ifnet_transmit(struct ucred *cred, struct ifnet *ifnet,\n"
" struct label *ifnetlabel, struct mbuf *mbuf, struct label *mbuflabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5075
#, no-wrap
msgid "Object; mbuf to be sent"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5085
msgid ""
"Determine whether the network interface can transmit the passed mbuf. "
"Return 0 for success, or an `errno` value for failure. Suggested failure: "
"EACCES for label mismatch, or EPERM for lack of privilege."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5087
#, no-wrap
msgid "`mpo_check_socket_deliver`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5093
#, no-wrap
msgid ""
"int mpo_check_socket_deliver(struct ucred *cred, struct ifnet *ifnet,\n"
" struct label *ifnetlabel, struct mbuf *mbuf, struct label *mbuflabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5116
#, no-wrap
msgid "Object; mbuf to be delivered"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5126
msgid ""
"Determine whether the socket may receive the datagram stored in the passed "
"mbuf header. Return 0 for success, or an `errno` value for failure. "
"Suggested failures: EACCES for label mismatch, or EPERM for lack of "
"privilege."
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5134
#, no-wrap
msgid ""
"int mpo_check_socket_visible(struct ucred *cred, struct socket *so,\n"
" struct label *socketlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5153
#, no-wrap
msgid "Policy label for `so`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5159
msgid ""
"Determine whether the subject credential cred can \"see\" the passed socket "
"(`socket`) using system monitoring functions, such as those employed by "
"man:netstat[8] and man:sockstat[1]. Return 0 for success, or an `errno` "
"value for failure. Suggested failure: EACCES for label mismatches, EPERM "
"for lack of privilege, or ESRCH to hide visibility."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5161
#, no-wrap
msgid "`mpo_check_system_acct`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5167
#, no-wrap
msgid ""
"int mpo_check_system_acct(struct ucred *ucred, struct vnode *vp,\n"
" struct label *vlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5177
#, no-wrap
msgid "`ucred`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5182
#, no-wrap
msgid "Accounting file; man:acct[5]"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5190
msgid ""
"Determine whether the subject should be allowed to enable accounting, based "
"on its label and the label of the accounting log file."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5192
#, no-wrap
msgid "`mpo_check_system_nfsd`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5197
#, no-wrap
msgid "int mpo_check_system_nfsd(struct ucred *cred);\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5212
msgid "Determine whether the subject should be allowed to call man:nfssvc[2]."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5214
#, no-wrap
msgid "`mpo_check_system_reboot`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5219
#, no-wrap
msgid "int mpo_check_system_reboot(struct ucred *cred, int howto);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5233
#, no-wrap
msgid "`howto`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5234
#, no-wrap
msgid "`howto` parameter from man:reboot[2]"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5238
msgid ""
"Determine whether the subject should be allowed to reboot the system in the "
"specified manner."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5240
#, no-wrap
msgid "`mpo_check_system_settime`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5245
#, no-wrap
msgid "int mpo_check_system_settime(struct ucred *cred);\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5260
msgid "Determine whether the user should be allowed to set the system clock."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5262
#, no-wrap
msgid "`mpo_check_system_swapon`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5268
#, no-wrap
msgid ""
"int mpo_check_system_swapon(struct ucred *cred, struct vnode *vp,\n"
" struct label *vlabel);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5283
#, no-wrap
msgid "Swap device"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5291
msgid ""
"Determine whether the subject should be allowed to add `vp` as a swap device."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5293
#, no-wrap
msgid "`mpo_check_system_sysctl`"
msgstr ""

#. type: delimited block - 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5299
#, no-wrap
msgid ""
"int mpo_check_system_sysctl(struct ucred *cred, int *name, u_int *namelen,\n"
" void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen);\n"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5314
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5334
#, no-wrap
msgid "See man:sysctl[3]"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5325
#, no-wrap
msgid "`oldlenp`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5329
#, no-wrap
msgid "`inkernel`"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5330
#, no-wrap
msgid "Boolean; `1` if called from kernel"
msgstr ""

#. type: Table
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5337
#, no-wrap
msgid "`newlen`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5342
msgid ""
"Determine whether the subject should be allowed to make the specified "
"man:sysctl[3] transaction."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5344
#, no-wrap
msgid "Label Management Calls"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5350
msgid ""
"Relabel events occur when a user process has requested that the label on an "
"object be modified. A two-phase update occurs: first, an access control "
"check will be performed to determine if the update is both valid and "
"permitted, and then the update itself is performed via a separate entry "
"point. Relabel entry points typically accept the object, object label "
"reference, and an update label submitted by the process. Memory allocation "
"during relabel is discouraged, as relabel calls are not permitted to fail "
"(failure should be reported earlier in the relabel check)."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5352
#, no-wrap
msgid "Userland Architecture"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5356
msgid ""
"The TrustedBSD MAC Framework includes a number of policy-agnostic elements, "
"including MAC library interfaces for abstractly managing labels, "
"modifications to the system credential management and login libraries to "
"support the assignment of MAC labels to users, and a set of tools to monitor "
"and modify labels on processes, files, and network interfaces. More details "
"on the user architecture will be added to this section in the near future."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5358
#, no-wrap
msgid "APIs for Policy-Agnostic Label Management"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5365
msgid ""
"The TrustedBSD MAC Framework provides a number of library and system calls "
"permitting applications to manage MAC labels on objects using a policy-"
"agnostic interface. This permits applications to manipulate labels for a "
"variety of policies without being written to support specific policies. "
"These interfaces are used by general-purpose tools such as man:ifconfig[8], "
"man:ls[1] and man:ps[1] to view labels on network interfaces, files, and "
"processes. The APIs also support MAC management tools including "
"man:getfmac[8], man:getpmac[8], man:setfmac[8], man:setfsmac[8], and "
"man:setpmac[8]. The MAC APIs are documented in man:mac[3]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5373
msgid ""
"Applications handle MAC labels in two forms: an internalized form used to "
"return and set labels on processes and objects (`mac_t`), and an externalized "
"form based on C strings appropriate for storage in configuration files, "
"display to the user, or input from the user. Each MAC label contains a "
"number of elements, each consisting of a name and value pair. Policy "
"modules in the kernel bind to specific names and interpret the values in "
"policy-specific ways. In the externalized string form, labels are "
"represented by a comma-delimited list of name and value pairs separated by "
"the `/` character. Labels may be directly converted to and from text using "
"provided APIs; when retrieving labels from the kernel, internalized label "
"storage must first be prepared for the desired label element set. "
"Typically, this is done in one of two ways: using man:mac_prepare[3] and an "
"arbitrary list of desired label elements, or one of the variants of the call "
"that loads a default element set from the man:mac.conf[5] configuration "
"file. Per-object defaults permit application writers to usefully display "
"labels associated with objects without being aware of the policies present "
"in the system."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5378
msgid ""
"Currently, direct manipulation of label elements other than by conversion to "
"a text string, string editing, and conversion back to an internalized label "
"is not supported by the MAC library. Such interfaces may be added in the "
"future if they prove necessary for application writers."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5381
#, no-wrap
msgid "Binding of Labels to Users"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5385
msgid ""
"The standard user context management interface, man:setusercontext[3], has "
"been modified to retrieve MAC labels associated with a user's class from "
"man:login.conf[5]. These labels are then set along with other user context "
"when either `LOGIN_SETALL` is specified, or when `LOGIN_SETMAC` is "
"explicitly specified."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5390
msgid ""
"It is expected that, in a future version of FreeBSD, the MAC label database "
"will be separated from the [.filename]#login.conf# user class abstraction, "
"and be maintained in a separate database. However, the "
"man:setusercontext[3] API should remain the same following such a change."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5393
#, no-wrap
msgid "Conclusion"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/arch-handbook/mac/_index.adoc:5398
msgid ""
"The TrustedBSD MAC framework permits kernel modules to augment the system "
"security policy in a highly integrated manner. They may do this based on "
"existing object properties, or based on label data that is maintained with "
"the assistance of the MAC framework. The framework is sufficiently flexible "
"to implement a variety of policy types, including information flow security "
"policies such as MLS and Biba, as well as policies based on existing BSD "
"credentials or file protections. Policy authors may wish to consult this "
"documentation as well as existing security modules when implementing a new "
"security service."
msgstr ""