1 | /*- |
---|
2 | * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson |
---|
3 | * Copyright (c) 2001-2005 Networks Associates Technology, Inc. |
---|
4 | * Copyright (c) 2005-2006 SPARTA, Inc. |
---|
5 | * All rights reserved. |
---|
6 | * |
---|
7 | * This software was developed by Robert Watson for the TrustedBSD Project. |
---|
8 | * |
---|
9 | * This software was developed for the FreeBSD Project in part by Network |
---|
10 | * Associates Laboratories, the Security Research Division of Network |
---|
11 | * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), |
---|
12 | * as part of the DARPA CHATS research program. |
---|
13 | * |
---|
14 | * This software was enhanced by SPARTA ISSO under SPAWAR contract |
---|
15 | * N66001-04-C-6019 ("SEFOS"). |
---|
16 | * |
---|
17 | * This software was developed at the University of Cambridge Computer |
---|
18 | * Laboratory with support from a grant from Google, Inc. |
---|
19 | * |
---|
20 | * Redistribution and use in source and binary forms, with or without |
---|
21 | * modification, are permitted provided that the following conditions |
---|
22 | * are met: |
---|
23 | * 1. Redistributions of source code must retain the above copyright |
---|
24 | * notice, this list of conditions and the following disclaimer. |
---|
25 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
26 | * notice, this list of conditions and the following disclaimer in the |
---|
27 | * documentation and/or other materials provided with the distribution. |
---|
28 | * |
---|
29 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
---|
30 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
---|
31 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
---|
32 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
---|
33 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
---|
34 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
---|
35 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
---|
36 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
---|
37 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
---|
38 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
---|
39 | * SUCH DAMAGE. |
---|
40 | * |
---|
41 | * $FreeBSD$ |
---|
42 | */ |
---|
43 | |
---|
44 | /* |
---|
45 | * Kernel interface for Mandatory Access Control -- how kernel services |
---|
46 | * interact with the TrustedBSD MAC Framework. |
---|
47 | */ |
---|
48 | |
---|
49 | #ifndef _SECURITY_MAC_MAC_FRAMEWORK_H_ |
---|
50 | #define _SECURITY_MAC_MAC_FRAMEWORK_H_ |
---|
51 | |
---|
52 | #ifndef _KERNEL |
---|
53 | #error "no user-serviceable parts inside" |
---|
54 | #endif |
---|
55 | |
---|
56 | struct auditinfo; |
---|
57 | struct auditinfo_addr; |
---|
58 | struct bpf_d; |
---|
59 | struct cdev; |
---|
60 | struct componentname; |
---|
61 | struct devfs_dirent; |
---|
62 | struct ifnet; |
---|
63 | struct ifreq; |
---|
64 | struct image_params; |
---|
65 | struct inpcb; |
---|
66 | struct ip6q; |
---|
67 | struct ipq; |
---|
68 | struct ksem; |
---|
69 | struct label; |
---|
70 | struct m_tag; |
---|
71 | struct mac; |
---|
72 | struct mbuf; |
---|
73 | struct mount; |
---|
74 | struct msg; |
---|
75 | struct msqid_kernel; |
---|
76 | struct proc; |
---|
77 | struct semid_kernel; |
---|
78 | struct shmfd; |
---|
79 | struct shmid_kernel; |
---|
80 | struct sockaddr; |
---|
81 | struct socket; |
---|
82 | struct sysctl_oid; |
---|
83 | struct sysctl_req; |
---|
84 | struct pipepair; |
---|
85 | struct thread; |
---|
86 | struct timespec; |
---|
87 | struct ucred; |
---|
88 | struct vattr; |
---|
89 | struct vnode; |
---|
90 | struct vop_setlabel_args; |
---|
91 | |
---|
92 | #include <sys/acl.h> /* XXX acl_type_t */ |
---|
93 | #include <rtems/bsd/sys/types.h> /* accmode_t */ |
---|
94 | |
---|
95 | /* |
---|
96 | * Entry points to the TrustedBSD MAC Framework from the remainder of the |
---|
97 | * kernel: entry points are named based on a principal object type and an |
---|
98 | * action relating to it. They are sorted alphabetically first by object |
---|
99 | * type and then action. In some situations, the principal object type is |
---|
100 | * obvious, and in other cases, less so as multiple objects may be involved |
---|
101 | * in the operation. By framework convention the mac_*_check_* entry points |
---|
101 | * return 0 to permit an operation and a non-zero errno value to deny it; a |
---|
101 | * caller must treat every non-zero return as a denial and abort the operation. |
---|
102 | */ |
---|
/*
 * BPF descriptor (packet capture) labels.
 *
 * mac_bpfdesc_check_receive() gates delivery of packets seen on ifp to the
 * descriptor d; a non-zero return must make the caller skip that descriptor
 * for the packet.  init()/destroy() bracket the label's lifetime, create()
 * labels a freshly opened descriptor from the opening credential, and
 * create_mbuf() labels an mbuf that originates from the descriptor
 * (presumably a write to the BPF device -- confirm against net/bpf.c).
 */
103 | int mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp); |
---|
104 | void mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d); |
---|
105 | void mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m); |
---|
106 | void mac_bpfdesc_destroy(struct bpf_d *); |
---|
107 | void mac_bpfdesc_init(struct bpf_d *); |
---|
108 | |
---|
/*
 * Credential labels and identity-change checks.
 *
 * Each set*uid/set*gid/setaudit check is consulted before the kernel commits
 * the new identity.  The arguments are the *requested* values, not the
 * resulting credential, so a policy has to compare them against cred itself.
 * mac_cred_check_setgroups() is handed an in-kernel copy of the group list:
 * gidset holds exactly ngroups entries and must not be read beyond that.
 *
 * mac_cred_check_visible(cr1, cr2) asks whether subject cr1 may learn of the
 * existence of things owned by cr2 (process listings and the like); it is an
 * information-hiding hook rather than an access check on a specific object.
 *
 * create_init()/create_swapper() label the kernel's own bootstrap
 * credentials and associate_nfsd() the credential used by the NFS server;
 * copy() duplicates the label of cr1 into cr2 (presumably after crcopy(),
 * so cr2 must already hold an initialised label -- confirm in kern_prot.c).
 */
109 | void mac_cred_associate_nfsd(struct ucred *cred); |
---|
110 | int mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai); |
---|
111 | int mac_cred_check_setaudit_addr(struct ucred *cred, |
---|
112 | struct auditinfo_addr *aia); |
---|
113 | int mac_cred_check_setauid(struct ucred *cred, uid_t auid); |
---|
114 | int mac_cred_check_setegid(struct ucred *cred, gid_t egid); |
---|
115 | int mac_cred_check_seteuid(struct ucred *cred, uid_t euid); |
---|
116 | int mac_cred_check_setgid(struct ucred *cred, gid_t gid); |
---|
117 | int mac_cred_check_setgroups(struct ucred *cred, int ngroups, |
---|
118 | gid_t *gidset); |
---|
119 | int mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid); |
---|
120 | int mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, |
---|
121 | gid_t sgid); |
---|
122 | int mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, |
---|
123 | uid_t suid); |
---|
124 | int mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid); |
---|
125 | int mac_cred_check_setuid(struct ucred *cred, uid_t uid); |
---|
126 | int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2); |
---|
127 | void mac_cred_copy(struct ucred *cr1, struct ucred *cr2); |
---|
128 | void mac_cred_create_init(struct ucred *cred); |
---|
129 | void mac_cred_create_swapper(struct ucred *cred); |
---|
130 | void mac_cred_destroy(struct ucred *); |
---|
131 | void mac_cred_init(struct ucred *); |
---|
132 | |
---|
/*
 * devfs directory-entry labels.
 *
 * Device nodes, directories and symlinks in devfs are labelled on the
 * devfs_dirent rather than on a backing file system, so these hooks are the
 * only place a label for /dev objects is ever created.  create_directory()
 * passes the name as (dirname, dirnamelen); treat it as length-delimited
 * rather than assuming NUL termination.  update() pushes a label change
 * made on the vnode back to the dirent, and vnode_associate() copies the
 * dirent label onto a vnode when one is instantiated for it.
 */
133 | void mac_devfs_create_device(struct ucred *cred, struct mount *mp, |
---|
134 | struct cdev *dev, struct devfs_dirent *de); |
---|
135 | void mac_devfs_create_directory(struct mount *mp, char *dirname, |
---|
136 | int dirnamelen, struct devfs_dirent *de); |
---|
137 | void mac_devfs_create_symlink(struct ucred *cred, struct mount *mp, |
---|
138 | struct devfs_dirent *dd, struct devfs_dirent *de); |
---|
139 | void mac_devfs_destroy(struct devfs_dirent *); |
---|
140 | void mac_devfs_init(struct devfs_dirent *); |
---|
141 | void mac_devfs_update(struct mount *mp, struct devfs_dirent *de, |
---|
142 | struct vnode *vp); |
---|
143 | void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de, |
---|
144 | struct vnode *vp); |
---|
145 | |
---|
/*
 * Network interface labels.
 *
 * check_transmit() gates an outbound mbuf against the interface it is about
 * to leave on; a non-zero return must drop the packet.  create_mbuf() labels
 * an mbuf received on ifp before it enters the stack.  ioctl_get()/ioctl_set()
 * back the SIOCGIFMAC/SIOCSIFMAC style requests: ifr is the request copied in
 * from userland and the set path changes the interface label, so a policy
 * must require appropriate privilege before permitting it (the framework
 * itself only mediates; it does not pre-check privilege here).
 */
146 | int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m); |
---|
147 | void mac_ifnet_create(struct ifnet *ifp); |
---|
148 | void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m); |
---|
149 | void mac_ifnet_destroy(struct ifnet *); |
---|
150 | void mac_ifnet_init(struct ifnet *); |
---|
151 | int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr, |
---|
152 | struct ifnet *ifp); |
---|
153 | int mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, |
---|
154 | struct ifnet *ifp); |
---|
155 | |
---|
/*
 * Internet protocol control block labels.
 *
 * check_deliver() runs on the receive path with no subject credential: it
 * decides whether inbound mbuf m may be delivered to the PCB at all.
 * check_visible() is the information-hiding hook for connection listings.
 * init() takes a flags argument (presumably an M_WAITOK/M_NOWAIT malloc
 * flag -- confirm in mac_inet.c) and can fail; callers must check its
 * return and abandon the PCB on error.  sosetlabel() propagates a socket
 * relabel into the PCB so the two stay consistent.
 */
156 | int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m); |
---|
157 | int mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp); |
---|
158 | void mac_inpcb_create(struct socket *so, struct inpcb *inp); |
---|
159 | void mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m); |
---|
160 | void mac_inpcb_destroy(struct inpcb *); |
---|
161 | int mac_inpcb_init(struct inpcb *, int); |
---|
162 | void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp); |
---|
163 | |
---|
/*
 * IPv6 fragment reassembly queue labels.
 *
 * match() is the security-relevant hook: it decides whether fragment m may
 * join queue q6, which is what keeps fragments carrying different labels
 * from being reassembled into one datagram.  create() seeds a new queue's
 * label from the first fragment, update() folds a subsequently accepted
 * fragment in, and reassemble() labels the reassembled datagram from the
 * queue.  init() takes a flags argument and can fail; check its return.
 */
164 | void mac_ip6q_create(struct mbuf *m, struct ip6q *q6); |
---|
165 | void mac_ip6q_destroy(struct ip6q *q6); |
---|
166 | int mac_ip6q_init(struct ip6q *q6, int); |
---|
167 | int mac_ip6q_match(struct mbuf *m, struct ip6q *q6); |
---|
168 | void mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m); |
---|
169 | void mac_ip6q_update(struct mbuf *m, struct ip6q *q6); |
---|
170 | |
---|
/*
 * IPv4 fragment reassembly queue labels; same contract as the ip6q hooks
 * above.  match() must be consulted before a fragment is linked into a
 * queue so that fragments with incompatible labels are never reassembled
 * together; init() can fail and its return must be checked.
 */
171 | void mac_ipq_create(struct mbuf *m, struct ipq *q); |
---|
172 | void mac_ipq_destroy(struct ipq *q); |
---|
173 | int mac_ipq_init(struct ipq *q, int); |
---|
174 | int mac_ipq_match(struct mbuf *m, struct ipq *q); |
---|
175 | void mac_ipq_reassemble(struct ipq *q, struct mbuf *m); |
---|
176 | void mac_ipq_update(struct mbuf *m, struct ipq *q); |
---|
177 | |
---|
/*
 * Kernel environment (kenv(2)) checks.  name and value are the strings the
 * caller has already copied in from userland (presumably NUL-terminated
 * kernel copies -- confirm in kern_environment.c).  The environment can
 * carry boot-time secrets and tunables, so dump/get are disclosure checks
 * and set/unset are integrity checks.
 */
178 | int mac_kenv_check_dump(struct ucred *cred); |
---|
179 | int mac_kenv_check_get(struct ucred *cred, char *name); |
---|
180 | int mac_kenv_check_set(struct ucred *cred, char *name, char *value); |
---|
181 | int mac_kenv_check_unset(struct ucred *cred, char *name); |
---|
182 | |
---|
/*
 * Kernel module checks.  check_load() is consulted with the vnode of the
 * module file before it is linked into the kernel -- loading code is
 * equivalent to full kernel compromise, so a policy that wants to restrict
 * it must deny here, not merely on the file's read access.  check_stat()
 * gates enumeration of loaded modules.
 */
183 | int mac_kld_check_load(struct ucred *cred, struct vnode *vp); |
---|
184 | int mac_kld_check_stat(struct ucred *cred); |
---|
185 | |
---|
/*
 * mbuf labels.  The label for an mbuf chain lives in an m_tag attached to
 * the packet header, hence the parallel m_tag hooks: tag_init()/tag_destroy()
 * bracket the tag's storage and tag_copy() duplicates it when the packet
 * header is copied.  Both init() variants take a flags argument and can
 * fail; a failed init must cause the mbuf to be freed rather than used with
 * no label.  mbuf_copy() copies the label from the first mbuf to the second.
 */
186 | void mac_mbuf_copy(struct mbuf *, struct mbuf *); |
---|
187 | int mac_mbuf_init(struct mbuf *, int); |
---|
188 | |
---|
189 | void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *); |
---|
190 | void mac_mbuf_tag_destroy(struct m_tag *); |
---|
191 | int mac_mbuf_tag_init(struct m_tag *, int); |
---|
192 | |
---|
/*
 * Mount point labels.  create() labels a new mount from the mounting
 * credential; check_stat() gates statfs-style queries (and therefore mount
 * listings) against the mount's label.
 */
193 | int mac_mount_check_stat(struct ucred *cred, struct mount *mp); |
---|
194 | void mac_mount_create(struct ucred *cred, struct mount *mp); |
---|
195 | void mac_mount_destroy(struct mount *); |
---|
196 | void mac_mount_init(struct mount *); |
---|
197 | |
---|
/*
 * Labelling of packets the network stack originates itself.
 *
 * None of these are checks: they exist so that kernel-generated traffic
 * carries a sensible label instead of an uninitialised one.  The
 * (mrecv, msend) forms derive the label of a reply (ICMP error, firewall
 * reject, TCP reset) from the packet that provoked it; fragment() labels
 * each fragment from the datagram being split; the *_send() forms label
 * protocol chatter (ARP, AARP, IGMP, ND6) from the interface it leaves on.
 * replyinplace() relabels an mbuf that is being reused as its own reply.
 */
198 | void mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m); |
---|
199 | |
---|
200 | void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m); |
---|
201 | void mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend); |
---|
202 | void mac_netinet_firewall_send(struct mbuf *m); |
---|
203 | void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag); |
---|
204 | void mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend); |
---|
205 | void mac_netinet_icmp_replyinplace(struct mbuf *m); |
---|
206 | void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m); |
---|
207 | void mac_netinet_tcp_reply(struct mbuf *m); |
---|
208 | |
---|
209 | void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m); |
---|
210 | |
---|
/*
 * Pipe labels.  A label is kept per pipe pair, not per end, so both ends
 * share it.  check_ioctl() receives the already copied-in argument buffer
 * (cmd, data).  label_set() is the relabel entry point: it returns an
 * error rather than void because it both checks that cred may relabel the
 * pipe and, on success, applies the new label -- callers must not apply a
 * label themselves on a non-zero return.
 */
211 | int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, |
---|
212 | unsigned long cmd, void *data); |
---|
213 | int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp); |
---|
214 | int mac_pipe_check_read(struct ucred *cred, struct pipepair *pp); |
---|
215 | int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp); |
---|
216 | int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp); |
---|
217 | void mac_pipe_create(struct ucred *cred, struct pipepair *pp); |
---|
218 | void mac_pipe_destroy(struct pipepair *); |
---|
219 | void mac_pipe_init(struct pipepair *); |
---|
220 | int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp, |
---|
221 | struct label *label); |
---|
222 | |
---|
/*
 * POSIX named semaphore labels.
 *
 * Two credentials are passed to the descriptor-based operations: active_cred
 * is the credential of the thread making the call and file_cred is
 * (presumably) the credential that opened the descriptor, as recorded on the
 * struct file -- confirm in uipc_sem.c.  They differ after a descriptor is
 * passed to another process or the process changes identity, so a policy
 * deciding on "who may touch this semaphore now" should look at active_cred
 * and one enforcing "who opened it" at file_cred.  open/unlink/setmode/
 * setowner operate by name and receive only the calling credential.
 */
223 | int mac_posixsem_check_getvalue(struct ucred *active_cred, |
---|
224 | struct ucred *file_cred, struct ksem *ks); |
---|
225 | int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks); |
---|
226 | int mac_posixsem_check_post(struct ucred *active_cred, |
---|
227 | struct ucred *file_cred, struct ksem *ks); |
---|
228 | int mac_posixsem_check_setmode(struct ucred *cred, struct ksem *ks, |
---|
229 | mode_t mode); |
---|
230 | int mac_posixsem_check_setowner(struct ucred *cred, struct ksem *ks, |
---|
231 | uid_t uid, gid_t gid); |
---|
232 | int mac_posixsem_check_stat(struct ucred *active_cred, |
---|
233 | struct ucred *file_cred, struct ksem *ks); |
---|
234 | int mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks); |
---|
235 | int mac_posixsem_check_wait(struct ucred *active_cred, |
---|
236 | struct ucred *file_cred, struct ksem *ks); |
---|
237 | void mac_posixsem_create(struct ucred *cred, struct ksem *ks); |
---|
238 | void mac_posixsem_destroy(struct ksem *); |
---|
239 | void mac_posixsem_init(struct ksem *); |
---|
240 | |
---|
/*
 * POSIX shared memory (shm_open(2)) labels.
 *
 * check_create() runs before an object exists, so it is keyed on the
 * user-supplied path (kernel copy) rather than an shmfd.  check_open()
 * receives the requested accmode and check_mmap() the requested prot/flags;
 * a policy that allows read-only access must deny here when PROT_WRITE is
 * requested on a shared mapping, since once mapped there is no further
 * per-access mediation.  stat/truncate take the active_cred/file_cred pair
 * (calling credential vs. the credential recorded on the descriptor).
 */
241 | int mac_posixshm_check_create(struct ucred *cred, const char *path); |
---|
242 | int mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, |
---|
243 | int prot, int flags); |
---|
244 | int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd, |
---|
245 | accmode_t accmode); |
---|
246 | int mac_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd, |
---|
247 | mode_t mode); |
---|
248 | int mac_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd, |
---|
249 | uid_t uid, gid_t gid); |
---|
250 | int mac_posixshm_check_stat(struct ucred *active_cred, |
---|
251 | struct ucred *file_cred, struct shmfd *shmfd); |
---|
252 | int mac_posixshm_check_truncate(struct ucred *active_cred, |
---|
253 | struct ucred *file_cred, struct shmfd *shmfd); |
---|
254 | int mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd); |
---|
255 | void mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd); |
---|
256 | void mac_posixshm_destroy(struct shmfd *); |
---|
257 | void mac_posixshm_init(struct shmfd *); |
---|
258 | |
---|
/*
 * Privilege (priv(9)) mediation.
 *
 * These two hooks have opposite polarity and must not be confused:
 * mac_priv_check() lets a policy *deny* a privilege the base kernel would
 * grant, while mac_priv_grant() lets a policy *grant* one the base kernel
 * would refuse (e.g. to a non-root subject).  The framework's intent is
 * fail-safe ordering -- a check denial wins over any grant -- presumably
 * implemented in priv_check_cred(); confirm there before relying on it.
 * Anything reachable through mac_priv_grant() is a privilege escalation
 * path and warrants the same scrutiny as a setuid binary.
 */
259 | int mac_priv_check(struct ucred *cred, int priv); |
---|
260 | int mac_priv_grant(struct ucred *cred, int priv); |
---|
261 | |
---|
/*
 * Process labels and execve(2) transitions.
 *
 * check_debug() gates ptrace/procfs-style access to p (the hook that keeps
 * a subject from attaching to a more privileged process); check_sched()
 * gates scheduling changes, check_signal() delivery of signum, and
 * check_wait() reaping.  vm_revoke() is called when a thread's credential
 * label changes so that existing mappings which are no longer permitted
 * can be revoked.
 *
 * execve_enter() is called at the start of exec with mac_p, a label the
 * caller asked for via __mac_execve(2) (NULL for a plain execve); it can
 * fail and the exec must then be abandoned.  The interpreter_enter()/exit()
 * pair manages a temporary label for the interpreter vnode of a "#!"
 * script so both the script and the interpreter are considered by
 * mac_vnode_execve_will_transition()/_transition() below.
 */
262 | int mac_proc_check_debug(struct ucred *cred, struct proc *p); |
---|
263 | int mac_proc_check_sched(struct ucred *cred, struct proc *p); |
---|
264 | int mac_proc_check_signal(struct ucred *cred, struct proc *p, |
---|
265 | int signum); |
---|
266 | int mac_proc_check_wait(struct ucred *cred, struct proc *p); |
---|
267 | void mac_proc_destroy(struct proc *); |
---|
268 | void mac_proc_init(struct proc *); |
---|
269 | void mac_proc_vm_revoke(struct thread *td); |
---|
270 | int mac_execve_enter(struct image_params *imgp, struct mac *mac_p); |
---|
271 | void mac_execve_exit(struct image_params *imgp); |
---|
272 | void mac_execve_interpreter_enter(struct vnode *interpvp, |
---|
273 | struct label **interplabel); |
---|
274 | void mac_execve_interpreter_exit(struct label *interpvplabel); |
---|
275 | |
---|
/*
 * Socket labels.
 *
 * check_deliver(so, m) is the only hook here without a subject credential:
 * it runs in the receive path and decides whether an inbound mbuf may be
 * queued on the socket at all.  The remaining checks mediate the
 * corresponding system calls; check_visible() is the information-hiding
 * hook for socket listings.  newconn() labels a socket accepted from
 * listener oldso, and create_mbuf() labels data sent from so.
 *
 * The *sockopt_label() functions implement the SO_LABEL/SO_PEERLABEL socket
 * options: extmac is the userland-format label copied in by the caller and
 * must be internalised/validated by the framework before use, since its
 * contents are attacker-controlled.  setsockopt_label() is a relabel and
 * both checks and applies the new label; do not apply it on error.
 *
 * socketpeer_set_from_mbuf() records the peer's label from the first packet
 * received on a connection, and _from_socket() from the other end of a
 * local (unix-domain) connection.
 */
276 | int mac_socket_check_accept(struct ucred *cred, struct socket *so); |
---|
277 | int mac_socket_check_bind(struct ucred *cred, struct socket *so, |
---|
278 | struct sockaddr *sa); |
---|
279 | int mac_socket_check_connect(struct ucred *cred, struct socket *so, |
---|
280 | struct sockaddr *sa); |
---|
281 | int mac_socket_check_create(struct ucred *cred, int domain, int type, |
---|
282 | int proto); |
---|
283 | int mac_socket_check_deliver(struct socket *so, struct mbuf *m); |
---|
284 | int mac_socket_check_listen(struct ucred *cred, struct socket *so); |
---|
285 | int mac_socket_check_poll(struct ucred *cred, struct socket *so); |
---|
286 | int mac_socket_check_receive(struct ucred *cred, struct socket *so); |
---|
287 | int mac_socket_check_send(struct ucred *cred, struct socket *so); |
---|
288 | int mac_socket_check_stat(struct ucred *cred, struct socket *so); |
---|
289 | int mac_socket_check_visible(struct ucred *cred, struct socket *so); |
---|
290 | void mac_socket_create_mbuf(struct socket *so, struct mbuf *m); |
---|
291 | void mac_socket_create(struct ucred *cred, struct socket *so); |
---|
292 | void mac_socket_destroy(struct socket *); |
---|
293 | int mac_socket_init(struct socket *, int); |
---|
294 | void mac_socket_newconn(struct socket *oldso, struct socket *newso); |
---|
295 | int mac_getsockopt_label(struct ucred *cred, struct socket *so, |
---|
296 | struct mac *extmac); |
---|
297 | int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, |
---|
298 | struct mac *extmac); |
---|
299 | int mac_setsockopt_label(struct ucred *cred, struct socket *so, |
---|
300 | struct mac *extmac); |
---|
301 | |
---|
302 | void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so); |
---|
303 | void mac_socketpeer_set_from_socket(struct socket *oldso, |
---|
304 | struct socket *newso); |
---|
305 | |
---|
/*
 * TCP SYN cache labels.  A SYN-cache entry exists before any socket does,
 * so it carries its own label pointer: init() allocates it (and can fail --
 * check the return), create() seeds it from the listening PCB, and
 * create_mbuf() labels the SYN-ACK sent on the entry's behalf so the reply
 * carries the listener's label.  destroy() frees the label and clears the
 * pointer.
 */
306 | void mac_syncache_create(struct label *l, struct inpcb *inp); |
---|
307 | void mac_syncache_create_mbuf(struct label *l, struct mbuf *m); |
---|
308 | void mac_syncache_destroy(struct label **l); |
---|
309 | int mac_syncache_init(struct label **l); |
---|
310 | |
---|
/*
 * System-wide operation checks.
 *
 * These gate operations that affect the whole system rather than a single
 * labelled object: enabling accounting or swap on a vnode, submitting or
 * configuring audit, rebooting (howto carries the RB_* flags), and sysctl
 * access.  check_audit() is passed the record the caller has already copied
 * in together with its length; policies must bound any parsing by length.
 * check_sysctl() covers both reads and writes -- inspect req (the new-value
 * pointer) to tell them apart; oidp/arg1/arg2 identify the node.
 */
311 | int mac_system_check_acct(struct ucred *cred, struct vnode *vp); |
---|
312 | int mac_system_check_audit(struct ucred *cred, void *record, int length); |
---|
313 | int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp); |
---|
314 | int mac_system_check_auditon(struct ucred *cred, int cmd); |
---|
315 | int mac_system_check_reboot(struct ucred *cred, int howto); |
---|
316 | int mac_system_check_swapon(struct ucred *cred, struct vnode *vp); |
---|
317 | int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp); |
---|
318 | int mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, |
---|
319 | void *arg1, int arg2, struct sysctl_req *req); |
---|
320 | |
---|
/*
 * System V IPC labels (message queues, individual messages, semaphore sets
 * and shared memory segments).
 *
 * Each object type has the usual init()/destroy() pair plus a cleanup()
 * hook.  The distinction matters: the System V tables are fixed arrays
 * whose slots are recycled, so cleanup() is called when an object is removed
 * and its identifier becomes reusable (the label storage stays with the
 * slot), while destroy() is called only when the table itself is torn down
 * (presumably at module unload -- confirm in sysv_*.c).  A policy must
 * reset its state in cleanup() or a new object can inherit the label of
 * the previous occupant of the slot.
 *
 * The msgmsq/msgrcv/msgrmid checks are per message, the msq* checks per
 * queue; semop() passes the requested access type and shmat()/shmget()
 * pass the shmflg the caller supplied, which a policy should inspect
 * (e.g. SHM_RDONLY) rather than assuming read-write.
 */
321 | void mac_sysvmsg_cleanup(struct msg *msgptr); |
---|
322 | void mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, |
---|
323 | struct msg *msgptr); |
---|
324 | void mac_sysvmsg_destroy(struct msg *); |
---|
325 | void mac_sysvmsg_init(struct msg *); |
---|
326 | |
---|
327 | int mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr, |
---|
328 | struct msqid_kernel *msqkptr); |
---|
329 | int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr); |
---|
330 | int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr); |
---|
331 | int mac_sysvmsq_check_msqctl(struct ucred *cred, |
---|
332 | struct msqid_kernel *msqkptr, int cmd); |
---|
333 | int mac_sysvmsq_check_msqget(struct ucred *cred, |
---|
334 | struct msqid_kernel *msqkptr); |
---|
335 | int mac_sysvmsq_check_msqrcv(struct ucred *cred, |
---|
336 | struct msqid_kernel *msqkptr); |
---|
337 | int mac_sysvmsq_check_msqsnd(struct ucred *cred, |
---|
338 | struct msqid_kernel *msqkptr); |
---|
339 | void mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr); |
---|
340 | void mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr); |
---|
341 | void mac_sysvmsq_destroy(struct msqid_kernel *); |
---|
342 | void mac_sysvmsq_init(struct msqid_kernel *); |
---|
343 | |
---|
344 | int mac_sysvsem_check_semctl(struct ucred *cred, |
---|
345 | struct semid_kernel *semakptr, int cmd); |
---|
346 | int mac_sysvsem_check_semget(struct ucred *cred, |
---|
347 | struct semid_kernel *semakptr); |
---|
348 | int mac_sysvsem_check_semop(struct ucred *cred, |
---|
349 | struct semid_kernel *semakptr, size_t accesstype); |
---|
350 | void mac_sysvsem_cleanup(struct semid_kernel *semakptr); |
---|
351 | void mac_sysvsem_create(struct ucred *cred, |
---|
352 | struct semid_kernel *semakptr); |
---|
353 | void mac_sysvsem_destroy(struct semid_kernel *); |
---|
354 | void mac_sysvsem_init(struct semid_kernel *); |
---|
355 | |
---|
356 | int mac_sysvshm_check_shmat(struct ucred *cred, |
---|
357 | struct shmid_kernel *shmsegptr, int shmflg); |
---|
358 | int mac_sysvshm_check_shmctl(struct ucred *cred, |
---|
359 | struct shmid_kernel *shmsegptr, int cmd); |
---|
360 | int mac_sysvshm_check_shmdt(struct ucred *cred, |
---|
361 | struct shmid_kernel *shmsegptr); |
---|
362 | int mac_sysvshm_check_shmget(struct ucred *cred, |
---|
363 | struct shmid_kernel *shmsegptr, int shmflg); |
---|
364 | void mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr); |
---|
365 | void mac_sysvshm_create(struct ucred *cred, |
---|
366 | struct shmid_kernel *shmsegptr); |
---|
367 | void mac_sysvshm_destroy(struct shmid_kernel *); |
---|
368 | void mac_sysvshm_init(struct shmid_kernel *); |
---|
369 | |
---|
/*
 * Called for thread td on its way back to user mode (presumably from
 * userret() -- confirm in kern/subr_trap.c).  Gives policies a point to
 * apply deferred per-thread work, such as credential changes that must not
 * happen in the middle of a system call.  It is on the hot path of every
 * syscall return, so policies should keep it cheap.
 */
370 | void mac_thread_userret(struct thread *td); |
---|
371 | |
---|
/*
 * Vnode labels and file system access checks.
 *
 * Label storage: associate_extattr() loads a vnode's label from the file
 * system's extended attributes and can fail (corrupt or missing EA), so
 * callers must check it and not use the vnode with an unset label;
 * associate_singlelabel() is used for file systems that carry one label
 * for the whole mount.  create_extattr() writes the label of a newly
 * created file to its EA and likewise returns an error that must unwind
 * the creation.  Because labels live in EAs, policies should treat the
 * set/delete/get/listextattr checks on their own attribute namespace as
 * relabel operations, not as ordinary data access.
 *
 * Checks: check_lookup() is consulted per path component from namei and
 * must stay cheap; check_access() backs access(2)-style queries while
 * check_open() is the check that matters for actually obtaining a
 * descriptor with accmode.  check_mmap()/check_mprotect() receive the
 * requested prot (and flags) because a mapping is the last point at which
 * writes can be mediated.  rename is split into rename_from() on the source
 * and rename_to() on the destination (samedir non-zero when both are in the
 * same directory; vp may be an existing target being replaced).  The
 * read/write/poll/stat checks take the active_cred/file_cred pair: the
 * calling credential and the credential recorded on the open descriptor.
 *
 * Exec: execve_will_transition() asks whether executing vp (with the
 * interpreter label, if any) will change the subject's label; when it
 * returns non-zero, the kernel builds a fresh credential and
 * execve_transition() fills in its label from oldcred, vp and the
 * interpreter.  relabel() applies newlabel to vp after the relabel check
 * has passed; copy_label() copies one label object into another.
 *
 * All vnode checks assume the caller holds the vnode lock appropriate to
 * the operation so the label cannot change between check and use.
 */
372 | int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp); |
---|
373 | void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp); |
---|
374 | int mac_vnode_check_access(struct ucred *cred, struct vnode *vp, |
---|
375 | accmode_t accmode); |
---|
376 | int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp); |
---|
377 | int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp); |
---|
378 | int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp, |
---|
379 | struct componentname *cnp, struct vattr *vap); |
---|
380 | int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, |
---|
381 | acl_type_t type); |
---|
382 | int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, |
---|
383 | int attrnamespace, const char *name); |
---|
384 | int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp, |
---|
385 | struct image_params *imgp); |
---|
386 | int mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, |
---|
387 | acl_type_t type); |
---|
388 | int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, |
---|
389 | int attrnamespace, const char *name); |
---|
390 | int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp, |
---|
391 | struct vnode *vp, struct componentname *cnp); |
---|
392 | int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, |
---|
393 | int attrnamespace); |
---|
394 | int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, |
---|
395 | struct componentname *cnp); |
---|
396 | int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot, |
---|
397 | int flags); |
---|
398 | int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, |
---|
399 | int prot); |
---|
400 | int mac_vnode_check_open(struct ucred *cred, struct vnode *vp, |
---|
401 | accmode_t accmode); |
---|
402 | int mac_vnode_check_poll(struct ucred *active_cred, |
---|
403 | struct ucred *file_cred, struct vnode *vp); |
---|
404 | int mac_vnode_check_read(struct ucred *active_cred, |
---|
405 | struct ucred *file_cred, struct vnode *vp); |
---|
406 | int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp); |
---|
407 | int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp); |
---|
408 | int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, |
---|
409 | struct vnode *vp, struct componentname *cnp); |
---|
410 | int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, |
---|
411 | struct vnode *vp, int samedir, struct componentname *cnp); |
---|
412 | int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp); |
---|
413 | int mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, |
---|
414 | acl_type_t type, struct acl *acl); |
---|
415 | int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, |
---|
416 | int attrnamespace, const char *name); |
---|
417 | int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, |
---|
418 | u_long flags); |
---|
419 | int mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, |
---|
420 | mode_t mode); |
---|
421 | int mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, |
---|
422 | uid_t uid, gid_t gid); |
---|
423 | int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, |
---|
424 | struct timespec atime, struct timespec mtime); |
---|
425 | int mac_vnode_check_stat(struct ucred *active_cred, |
---|
426 | struct ucred *file_cred, struct vnode *vp); |
---|
427 | int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, |
---|
428 | struct vnode *vp, struct componentname *cnp); |
---|
429 | int mac_vnode_check_write(struct ucred *active_cred, |
---|
430 | struct ucred *file_cred, struct vnode *vp); |
---|
431 | void mac_vnode_copy_label(struct label *, struct label *); |
---|
432 | void mac_vnode_init(struct vnode *); |
---|
433 | int mac_vnode_create_extattr(struct ucred *cred, struct mount *mp, |
---|
434 | struct vnode *dvp, struct vnode *vp, struct componentname *cnp); |
---|
435 | void mac_vnode_destroy(struct vnode *); |
---|
436 | void mac_vnode_execve_transition(struct ucred *oldcred, |
---|
437 | struct ucred *newcred, struct vnode *vp, |
---|
438 | struct label *interpvplabel, struct image_params *imgp); |
---|
439 | int mac_vnode_execve_will_transition(struct ucred *cred, |
---|
440 | struct vnode *vp, struct label *interpvplabel, |
---|
441 | struct image_params *imgp); |
---|
442 | void mac_vnode_relabel(struct ucred *cred, struct vnode *vp, |
---|
443 | struct label *newlabel); |
---|
444 | |
---|
445 | /* |
---|
446 | * Calls to help various file systems implement labeling functionality using |
---|
447 | * their existing EA implementation. |
---|
448 | */ |
---|
/*
 * Default VOP_SETLABEL implementation for file systems that store labels
 * in extended attributes: persists the new label through the EA interface
 * (and presumably updates the in-memory vnode label on success -- confirm
 * in mac_vfs.c).  Returns 0 or an errno value; the relabel is not durable
 * if this fails.
 */
449 | int vop_stdsetlabel_ea(struct vop_setlabel_args *ap); |
---|
450 | |
---|
451 | #endif /* !_SECURITY_MAC_MAC_FRAMEWORK_H_ */ |
---|