/*-
2
* Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
3
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
4
* Copyright (c) 2005-2006 SPARTA, Inc.
5
* All rights reserved.
6
*
7
* This software was developed by Robert Watson for the TrustedBSD Project.
8
*
9
* This software was developed for the FreeBSD Project in part by Network
10
* Associates Laboratories, the Security Research Division of Network
11
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
12
* as part of the DARPA CHATS research program.
13
*
14
* This software was enhanced by SPARTA ISSO under SPAWAR contract
15
* N66001-04-C-6019 ("SEFOS").
16
*
17
* This software was developed at the University of Cambridge Computer
18
* Laboratory with support from a grant from Google, Inc.
19
*
20
* Redistribution and use in source and binary forms, with or without
21
* modification, are permitted provided that the following conditions
22
* are met:
23
* 1. Redistributions of source code must retain the above copyright
24
* notice, this list of conditions and the following disclaimer.
25
* 2. Redistributions in binary form must reproduce the above copyright
26
* notice, this list of conditions and the following disclaimer in the
27
* documentation and/or other materials provided with the distribution.
28
*
29
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
30
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
31
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
33
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
34
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
35
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
36
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
38
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39
* SUCH DAMAGE.
40
*/
41
42
/*
43
* Kernel interface for Mandatory Access Control -- how kernel services
44
* interact with the TrustedBSD MAC Framework.
45
*/
46
47
#ifndef _SECURITY_MAC_MAC_FRAMEWORK_H_
48
#define _SECURITY_MAC_MAC_FRAMEWORK_H_
49
50
#ifndef _KERNEL
51
#error "no user-serviceable parts inside"
52
#endif
53
54
struct auditinfo;
55
struct auditinfo_addr;
56
struct bpf_d;
57
struct cdev;
58
struct componentname;
59
struct devfs_dirent;
60
struct ifnet;
61
struct ifreq;
62
struct image_params;
63
struct inpcb;
64
struct ip6q;
65
struct ipq;
66
struct kdb_dbbe;
67
struct ksem;
68
struct label;
69
struct m_tag;
70
struct mac;
71
struct mbuf;
72
struct mount;
73
struct msg;
74
struct msqid_kernel;
75
struct pipepair;
76
struct proc;
77
struct semid_kernel;
78
struct shmfd;
79
struct shmid_kernel;
80
struct sockaddr;
81
struct socket;
82
struct sysctl_oid;
83
struct sysctl_req;
84
struct thread;
85
struct timespec;
86
struct ucred;
87
struct vattr;
88
struct vnode;
89
struct vop_setlabel_args;
90
91
struct in_addr;
92
struct in6_addr;
93
94
#include <sys/acl.h> /* XXX acl_type_t */
95
#include <sys/types.h> /* accmode_t */
96
97
#include <ddb/ddb.h> /* db_expr_t */
98
99
/*
 * Entry points to the TrustedBSD MAC Framework from the remainder of the
 * kernel: entry points are named based on a principal object type and an
 * action relating to it.  They are sorted alphabetically first by object
 * type and then action.  In some situations, the principal object type is
 * obvious, and in other cases, less so as multiple objects may be involved
 * in the operation.
 */
107
int mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp);
108
void mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d);
109
void mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m);
110
void mac_bpfdesc_destroy(struct bpf_d *);
111
void mac_bpfdesc_init(struct bpf_d *);
112
113
void mac_cred_associate_nfsd(struct ucred *cred);
114
int mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai);
115
int mac_cred_check_setaudit_addr(struct ucred *cred,
116
struct auditinfo_addr *aia);
117
int mac_cred_check_setauid(struct ucred *cred, uid_t auid);
118
void mac_cred_setcred_enter(void);
119
int mac_cred_check_setcred(u_int flags, const struct ucred *old_cred,
120
struct ucred *new_cred);
121
void mac_cred_setcred_exit(void);
122
int mac_cred_check_setegid(struct ucred *cred, gid_t egid);
123
int mac_cred_check_seteuid(struct ucred *cred, uid_t euid);
124
int mac_cred_check_setgid(struct ucred *cred, gid_t gid);
125
int mac_cred_check_setgroups(struct ucred *cred, int ngroups,
126
gid_t *gidset);
127
int mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid);
128
int mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
129
gid_t sgid);
130
int mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
131
uid_t suid);
132
int mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid);
133
int mac_cred_check_setuid(struct ucred *cred, uid_t uid);
134
int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
135
void mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
136
void mac_cred_create_init(struct ucred *cred);
137
void mac_cred_create_swapper(struct ucred *cred);
138
void mac_cred_destroy(struct ucred *);
139
void mac_cred_init(struct ucred *);
140
141
int mac_ddb_command_register(struct db_command_table *table,
142
struct db_command *cmd);
143
int mac_ddb_command_exec(struct db_command *cmd, db_expr_t addr,
144
bool have_addr, db_expr_t count, char *modif);
145
146
void mac_devfs_create_device(struct ucred *cred, struct mount *mp,
147
struct cdev *dev, struct devfs_dirent *de);
148
void mac_devfs_create_directory(struct mount *mp, char *dirname,
149
int dirnamelen, struct devfs_dirent *de);
150
void mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
151
struct devfs_dirent *dd, struct devfs_dirent *de);
152
void mac_devfs_destroy(struct devfs_dirent *);
153
void mac_devfs_init(struct devfs_dirent *);
154
void mac_devfs_update(struct mount *mp, struct devfs_dirent *de,
155
struct vnode *vp);
156
void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
157
struct vnode *vp);
158
159
int mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m);
160
#ifdef MAC
161
extern bool mac_ifnet_check_transmit_fp_flag;
162
#else
163
#define mac_ifnet_check_transmit_fp_flag false
164
#endif
165
#define mac_ifnet_check_transmit_enabled() __predict_false(mac_ifnet_check_transmit_fp_flag)
166
/*
 * Fast-path wrapper around mac_ifnet_check_transmit_impl().  The call into
 * the MAC Framework is skipped entirely while mac_ifnet_check_transmit_fp_flag
 * is clear (see the mac_ifnet_check_transmit_enabled() macro above); what
 * sets the flag is not visible in this header.
 *
 * Returns 0 when the fast path is taken, otherwise the _impl() result.
 */
static inline int
mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
{
	int error;

	error = 0;
	if (mac_ifnet_check_transmit_enabled())
		error = mac_ifnet_check_transmit_impl(ifp, m);
	return (error);
}
174
175
void mac_ifnet_create(struct ifnet *ifp);
176
177
void mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m);
178
#ifdef MAC
179
extern bool mac_ifnet_create_mbuf_fp_flag;
180
#else
181
#define mac_ifnet_create_mbuf_fp_flag false
182
#endif
183
#define mac_ifnet_create_mbuf_enabled() __predict_false(mac_ifnet_create_mbuf_fp_flag)
184
/*
 * Fast-path wrapper around mac_ifnet_create_mbuf_impl(): nothing is done
 * while mac_ifnet_create_mbuf_fp_flag is clear (tested via the
 * mac_ifnet_create_mbuf_enabled() macro above).  What sets the flag is not
 * visible in this header.
 */
static inline void
mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
{

	if (!mac_ifnet_create_mbuf_enabled())
		return;
	mac_ifnet_create_mbuf_impl(ifp, m);
}
191
192
void mac_ifnet_destroy(struct ifnet *);
193
void mac_ifnet_init(struct ifnet *);
194
int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
195
struct ifnet *ifp);
196
int mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr,
197
struct ifnet *ifp);
198
199
/* Check if the IP address is allowed for the interface. */
200
int mac_inet_check_add_addr(struct ucred *cred,
201
const struct in_addr *ia, struct ifnet *ifp);
202
int mac_inet6_check_add_addr(struct ucred *cred,
203
const struct in6_addr *ia6, struct ifnet *ifp);
204
205
int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m);
206
int mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp);
207
void mac_inpcb_create(struct socket *so, struct inpcb *inp);
208
void mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m);
209
void mac_inpcb_destroy(struct inpcb *);
210
int mac_inpcb_init(struct inpcb *, int);
211
void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
212
213
void mac_ip6q_create(struct mbuf *m, struct ip6q *q6);
214
void mac_ip6q_destroy(struct ip6q *q6);
215
int mac_ip6q_init(struct ip6q *q6, int);
216
int mac_ip6q_match(struct mbuf *m, struct ip6q *q6);
217
void mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m);
218
void mac_ip6q_update(struct mbuf *m, struct ip6q *q6);
219
220
void mac_ipq_create(struct mbuf *m, struct ipq *q);
221
void mac_ipq_destroy(struct ipq *q);
222
int mac_ipq_init(struct ipq *q, int);
223
int mac_ipq_match(struct mbuf *m, struct ipq *q);
224
void mac_ipq_reassemble(struct ipq *q, struct mbuf *m);
225
void mac_ipq_update(struct mbuf *m, struct ipq *q);
226
227
int mac_kdb_check_backend(struct kdb_dbbe *be);
228
int mac_kdb_grant_backend(struct kdb_dbbe *be);
229
230
int mac_kenv_check_dump(struct ucred *cred);
231
int mac_kenv_check_get(struct ucred *cred, char *name);
232
int mac_kenv_check_set(struct ucred *cred, char *name, char *value);
233
int mac_kenv_check_unset(struct ucred *cred, char *name);
234
235
int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
236
int mac_kld_check_stat(struct ucred *cred);
237
238
void mac_mbuf_copy(struct mbuf *, struct mbuf *);
239
int mac_mbuf_init(struct mbuf *, int);
240
241
void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *);
242
void mac_mbuf_tag_destroy(struct m_tag *);
243
int mac_mbuf_tag_init(struct m_tag *, int);
244
245
int mac_mount_check_stat(struct ucred *cred, struct mount *mp);
246
void mac_mount_create(struct ucred *cred, struct mount *mp);
247
void mac_mount_destroy(struct mount *);
248
void mac_mount_init(struct mount *);
249
250
void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m);
251
void mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend);
252
void mac_netinet_firewall_send(struct mbuf *m);
253
void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
254
void mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend);
255
void mac_netinet_icmp_replyinplace(struct mbuf *m);
256
void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m);
257
void mac_netinet_tcp_reply(struct mbuf *m);
258
259
void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m);
260
261
int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
262
unsigned long cmd, void *data);
263
int mac_pipe_check_poll_impl(struct ucred *cred, struct pipepair *pp);
264
#ifdef MAC
265
extern bool mac_pipe_check_poll_fp_flag;
266
#else
267
#define mac_pipe_check_poll_fp_flag false
268
#endif
269
#define mac_pipe_check_poll_enabled() __predict_false(mac_pipe_check_poll_fp_flag)
270
/*
 * Fast-path wrapper around mac_pipe_check_poll_impl().  While
 * mac_pipe_check_poll_fp_flag is clear (mac_pipe_check_poll_enabled() above)
 * the framework is not entered and the check trivially succeeds with 0.
 *
 * Returns 0 on the fast path, otherwise whatever the _impl() returns.
 */
static inline int
mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
{

	return (mac_pipe_check_poll_enabled() ?
	    mac_pipe_check_poll_impl(cred, pp) : 0);
}
278
279
#ifdef MAC
280
extern bool mac_pipe_check_stat_fp_flag;
281
#else
282
#define mac_pipe_check_stat_fp_flag false
283
#endif
284
#define mac_pipe_check_stat_enabled() __predict_false(mac_pipe_check_stat_fp_flag)
285
int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp);
286
int mac_pipe_check_read_impl(struct ucred *cred, struct pipepair *pp);
287
#ifdef MAC
288
extern bool mac_pipe_check_read_fp_flag;
289
#else
290
#define mac_pipe_check_read_fp_flag false
291
#endif
292
#define mac_pipe_check_read_enabled() __predict_false(mac_pipe_check_read_fp_flag)
293
/*
 * Fast-path wrapper around mac_pipe_check_read_impl().  The framework is
 * only entered when mac_pipe_check_read_fp_flag is set (see the
 * mac_pipe_check_read_enabled() macro above); otherwise the check passes.
 *
 * Returns 0 on the fast path, otherwise the _impl() result.
 */
static inline int
mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
{
	int error;

	error = 0;
	if (mac_pipe_check_read_enabled())
		error = mac_pipe_check_read_impl(cred, pp);
	return (error);
}
301
302
int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp);
303
void mac_pipe_create(struct ucred *cred, struct pipepair *pp);
304
void mac_pipe_destroy(struct pipepair *);
305
void mac_pipe_init(struct pipepair *);
306
int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
307
struct label *label);
308
309
int mac_posixsem_check_getvalue(struct ucred *active_cred,
310
struct ucred *file_cred, struct ksem *ks);
311
int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks);
312
int mac_posixsem_check_post(struct ucred *active_cred,
313
struct ucred *file_cred, struct ksem *ks);
314
int mac_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
315
mode_t mode);
316
int mac_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
317
uid_t uid, gid_t gid);
318
int mac_posixsem_check_stat(struct ucred *active_cred,
319
struct ucred *file_cred, struct ksem *ks);
320
int mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks);
321
int mac_posixsem_check_wait(struct ucred *active_cred,
322
struct ucred *file_cred, struct ksem *ks);
323
void mac_posixsem_create(struct ucred *cred, struct ksem *ks);
324
void mac_posixsem_destroy(struct ksem *);
325
void mac_posixsem_init(struct ksem *);
326
327
int mac_posixshm_check_create(struct ucred *cred, const char *path);
328
int mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
329
int prot, int flags);
330
int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
331
accmode_t accmode);
332
int mac_posixshm_check_read(struct ucred *active_cred,
333
struct ucred *file_cred, struct shmfd *shmfd);
334
int mac_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
335
mode_t mode);
336
int mac_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
337
uid_t uid, gid_t gid);
338
int mac_posixshm_check_stat(struct ucred *active_cred,
339
struct ucred *file_cred, struct shmfd *shmfd);
340
int mac_posixshm_check_truncate(struct ucred *active_cred,
341
struct ucred *file_cred, struct shmfd *shmfd);
342
int mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd);
343
int mac_posixshm_check_write(struct ucred *active_cred,
344
struct ucred *file_cred, struct shmfd *shmfd);
345
void mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd);
346
void mac_posixshm_destroy(struct shmfd *);
347
void mac_posixshm_init(struct shmfd *);
348
349
int mac_priv_check_impl(struct ucred *cred, int priv);
350
#ifdef MAC
351
extern bool mac_priv_check_fp_flag;
352
#else
353
#define mac_priv_check_fp_flag false
354
#endif
355
#define mac_priv_check_enabled() __predict_false(mac_priv_check_fp_flag)
356
/*
 * Fast-path wrapper around mac_priv_check_impl().  With
 * mac_priv_check_fp_flag clear (mac_priv_check_enabled() above) no policy is
 * consulted and the privilege check raises no objection (0).  Compare
 * mac_priv_grant() below, whose fast-path default is EPERM.
 *
 * Returns 0 on the fast path, otherwise the _impl() result.
 */
static inline int
mac_priv_check(struct ucred *cred, int priv)
{

	return (mac_priv_check_enabled() ?
	    mac_priv_check_impl(cred, priv) : 0);
}
364
365
int mac_priv_grant_impl(struct ucred *cred, int priv);
366
#ifdef MAC
367
extern bool mac_priv_grant_fp_flag;
368
#else
369
#define mac_priv_grant_fp_flag false
370
#endif
371
#define mac_priv_grant_enabled() __predict_false(mac_priv_grant_fp_flag)
372
/*
 * Fast-path wrapper around mac_priv_grant_impl().  Note the fail-closed
 * default: while mac_priv_grant_fp_flag is clear (mac_priv_grant_enabled()
 * above) the framework is not entered and the answer is EPERM, i.e. no
 * privilege is granted by the framework unless a policy is actually asked.
 * This is the opposite default from mac_priv_check(), which returns 0.
 *
 * Returns EPERM on the fast path, otherwise the _impl() result.
 */
static inline int
mac_priv_grant(struct ucred *cred, int priv)
{
	int error;

	error = EPERM;
	if (mac_priv_grant_enabled())
		error = mac_priv_grant_impl(cred, priv);
	return (error);
}
380
381
int mac_proc_check_debug(struct ucred *cred, struct proc *p);
382
int mac_proc_check_sched(struct ucred *cred, struct proc *p);
383
int mac_proc_check_signal(struct ucred *cred, struct proc *p,
384
int signum);
385
int mac_proc_check_wait(struct ucred *cred, struct proc *p);
386
void mac_proc_destroy(struct proc *);
387
void mac_proc_init(struct proc *);
388
void mac_proc_vm_revoke(struct thread *td);
389
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
390
void mac_execve_exit(struct image_params *imgp);
391
void mac_execve_interpreter_enter(struct vnode *interpvp,
392
struct label **interplabel);
393
void mac_execve_interpreter_exit(struct label *interpvplabel);
394
395
int mac_socket_check_accept(struct ucred *cred, struct socket *so);
396
int mac_socket_check_bind(struct ucred *cred, struct socket *so,
397
struct sockaddr *sa);
398
int mac_socket_check_connect(struct ucred *cred, struct socket *so,
399
struct sockaddr *sa);
400
int mac_socket_check_create(struct ucred *cred, int domain, int type,
401
int proto);
402
int mac_socket_check_deliver(struct socket *so, struct mbuf *m);
403
int mac_socket_check_listen(struct ucred *cred, struct socket *so);
404
int mac_socket_check_poll(struct ucred *cred, struct socket *so);
405
int mac_socket_check_receive(struct ucred *cred, struct socket *so);
406
int mac_socket_check_send(struct ucred *cred, struct socket *so);
407
int mac_socket_check_stat(struct ucred *cred, struct socket *so);
408
int mac_socket_check_visible(struct ucred *cred, struct socket *so);
409
void mac_socket_create_mbuf(struct socket *so, struct mbuf *m);
410
void mac_socket_create(struct ucred *cred, struct socket *so);
411
void mac_socket_destroy(struct socket *);
412
int mac_socket_init(struct socket *, int);
413
void mac_socket_newconn(struct socket *oldso, struct socket *newso);
414
int mac_getsockopt_label(struct ucred *cred, struct socket *so,
415
const struct mac *extmac);
416
int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
417
const struct mac *extmac);
418
int mac_setsockopt_label(struct ucred *cred, struct socket *so,
419
const struct mac *extmac);
420
421
void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);
422
void mac_socketpeer_set_from_socket(struct socket *oldso,
423
struct socket *newso);
424
425
void mac_syncache_create(struct label *l, struct inpcb *inp);
426
void mac_syncache_create_mbuf(struct label *l, struct mbuf *m);
427
void mac_syncache_destroy(struct label **l);
428
int mac_syncache_init(struct label **l);
429
430
int mac_system_check_acct(struct ucred *cred, struct vnode *vp);
431
int mac_system_check_audit(struct ucred *cred, void *record, int length);
432
int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp);
433
int mac_system_check_auditon(struct ucred *cred, int cmd);
434
int mac_system_check_reboot(struct ucred *cred, int howto);
435
int mac_system_check_swapon(struct ucred *cred, struct vnode *vp);
436
int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp);
437
int mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
438
void *arg1, int arg2, struct sysctl_req *req);
439
440
void mac_sysvmsg_cleanup(struct msg *msgptr);
441
void mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
442
struct msg *msgptr);
443
void mac_sysvmsg_destroy(struct msg *);
444
void mac_sysvmsg_init(struct msg *);
445
446
int mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
447
struct msqid_kernel *msqkptr);
448
int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr);
449
int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr);
450
int mac_sysvmsq_check_msqctl(struct ucred *cred,
451
struct msqid_kernel *msqkptr, int cmd);
452
int mac_sysvmsq_check_msqget(struct ucred *cred,
453
struct msqid_kernel *msqkptr);
454
int mac_sysvmsq_check_msqrcv(struct ucred *cred,
455
struct msqid_kernel *msqkptr);
456
int mac_sysvmsq_check_msqsnd(struct ucred *cred,
457
struct msqid_kernel *msqkptr);
458
void mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr);
459
void mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr);
460
void mac_sysvmsq_destroy(struct msqid_kernel *);
461
void mac_sysvmsq_init(struct msqid_kernel *);
462
463
int mac_sysvsem_check_semctl(struct ucred *cred,
464
struct semid_kernel *semakptr, int cmd);
465
int mac_sysvsem_check_semget(struct ucred *cred,
466
struct semid_kernel *semakptr);
467
int mac_sysvsem_check_semop(struct ucred *cred,
468
struct semid_kernel *semakptr, size_t accesstype);
469
void mac_sysvsem_cleanup(struct semid_kernel *semakptr);
470
void mac_sysvsem_create(struct ucred *cred,
471
struct semid_kernel *semakptr);
472
void mac_sysvsem_destroy(struct semid_kernel *);
473
void mac_sysvsem_init(struct semid_kernel *);
474
475
int mac_sysvshm_check_shmat(struct ucred *cred,
476
struct shmid_kernel *shmsegptr, int shmflg);
477
int mac_sysvshm_check_shmctl(struct ucred *cred,
478
struct shmid_kernel *shmsegptr, int cmd);
479
int mac_sysvshm_check_shmdt(struct ucred *cred,
480
struct shmid_kernel *shmsegptr);
481
int mac_sysvshm_check_shmget(struct ucred *cred,
482
struct shmid_kernel *shmsegptr, int shmflg);
483
void mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr);
484
void mac_sysvshm_create(struct ucred *cred,
485
struct shmid_kernel *shmsegptr);
486
void mac_sysvshm_destroy(struct shmid_kernel *);
487
void mac_sysvshm_init(struct shmid_kernel *);
488
489
void mac_thread_userret(struct thread *td);
490
491
#if defined(MAC) && defined(INVARIANTS)
492
void mac_vnode_assert_locked(struct vnode *vp, const char *func);
493
#else
494
#define mac_vnode_assert_locked(vp, func) do { } while (0)
495
#endif
496
497
int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);
498
void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);
499
int mac_vnode_check_access_impl(struct ucred *cred, struct vnode *dvp,
500
accmode_t accmode);
501
/*
 * NOTE(review): unlike the other fast-path flags in this header, this one has
 * no "#ifdef MAC ... #else #define ... false #endif" wrapper, so a kernel
 * built without MAC gets no fallback definition for it.  The inline wrapper
 * below therefore only resolves when MAC is configured -- presumably its
 * callers are themselves under #ifdef MAC; confirm before using it elsewhere.
 */
extern bool mac_vnode_check_access_fp_flag;
#define mac_vnode_check_access_enabled() __predict_false(mac_vnode_check_access_fp_flag)
503
/*
 * Fast-path wrapper around mac_vnode_check_access_impl().  The vnode lock
 * assertion runs unconditionally first (it is a no-op unless both MAC and
 * INVARIANTS are defined, see mac_vnode_assert_locked above); the framework
 * is then entered only when mac_vnode_check_access_fp_flag is set.
 *
 * Returns 0 on the fast path, otherwise the _impl() result.
 */
static inline int
mac_vnode_check_access(struct ucred *cred, struct vnode *dvp,
    accmode_t accmode)
{

	mac_vnode_assert_locked(dvp, "mac_vnode_check_access");
	return (mac_vnode_check_access_enabled() ?
	    mac_vnode_check_access_impl(cred, dvp, accmode) : 0);
}
513
int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);
514
int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);
515
int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
516
struct componentname *cnp, struct vattr *vap);
517
int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
518
acl_type_t type);
519
int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
520
int attrnamespace, const char *name);
521
int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
522
struct image_params *imgp);
523
int mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
524
acl_type_t type);
525
int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
526
int attrnamespace, const char *name);
527
int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
528
struct vnode *vp, struct componentname *cnp);
529
int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
530
int attrnamespace);
531
532
int mac_vnode_check_lookup_impl(struct ucred *cred, struct vnode *dvp,
533
struct componentname *cnp);
534
#ifdef MAC
535
extern bool mac_vnode_check_lookup_fp_flag;
536
#else
537
#define mac_vnode_check_lookup_fp_flag false
538
#endif
539
#define mac_vnode_check_lookup_enabled() __predict_false(mac_vnode_check_lookup_fp_flag)
540
/*
 * Fast-path wrapper around mac_vnode_check_lookup_impl().  The lock
 * assertion on dvp always runs (a no-op unless MAC and INVARIANTS are both
 * defined); the framework is consulted only while
 * mac_vnode_check_lookup_fp_flag is set.
 *
 * Returns 0 on the fast path, otherwise the _impl() result.
 */
static inline int
mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
    struct componentname *cnp)
{
	int error;

	mac_vnode_assert_locked(dvp, "mac_vnode_check_lookup");
	error = 0;
	if (mac_vnode_check_lookup_enabled())
		error = mac_vnode_check_lookup_impl(cred, dvp, cnp);
	return (error);
}
550
551
int mac_vnode_check_mmap_impl(struct ucred *cred, struct vnode *vp, int prot,
552
int flags);
553
#ifdef MAC
554
extern bool mac_vnode_check_mmap_fp_flag;
555
#else
556
#define mac_vnode_check_mmap_fp_flag false
557
#endif
558
#define mac_vnode_check_mmap_enabled() __predict_false(mac_vnode_check_mmap_fp_flag)
559
/*
 * Fast-path wrapper around mac_vnode_check_mmap_impl().  Asserts the vnode
 * lock first (no-op unless MAC and INVARIANTS are defined), then enters the
 * framework only while mac_vnode_check_mmap_fp_flag is set.
 *
 * Returns 0 on the fast path, otherwise the _impl() result.
 */
static inline int
mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
    int flags)
{

	mac_vnode_assert_locked(vp, "mac_vnode_check_mmap");
	return (mac_vnode_check_mmap_enabled() ?
	    mac_vnode_check_mmap_impl(cred, vp, prot, flags) : 0);
}
569
570
int mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp,
571
accmode_t accmode);
572
#ifdef MAC
573
extern bool mac_vnode_check_open_fp_flag;
574
#else
575
#define mac_vnode_check_open_fp_flag false
576
#endif
577
#define mac_vnode_check_open_enabled() __predict_false(mac_vnode_check_open_fp_flag)
578
/*
 * Fast-path wrapper around mac_vnode_check_open_impl().  The lock assertion
 * on vp runs regardless of the flag (no-op unless MAC and INVARIANTS are
 * defined); the framework is entered only while
 * mac_vnode_check_open_fp_flag is set.
 *
 * Returns 0 on the fast path, otherwise the _impl() result.
 */
static inline int
mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
    accmode_t accmode)
{
	int error;

	mac_vnode_assert_locked(vp, "mac_vnode_check_open");
	error = 0;
	if (mac_vnode_check_open_enabled())
		error = mac_vnode_check_open_impl(cred, vp, accmode);
	return (error);
}
588
589
int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
590
int prot);
591
592
/*
 * mac_vnode_check_poll() is wired differently from the other fast-path
 * entry points in this header: with MAC it is an ordinary out-of-line
 * function and the *_enabled() macro / flag are presumably for callers to
 * test themselves; without MAC the #else branch replaces it with a static
 * inline stub that always returns 0.
 */
#define mac_vnode_check_poll_enabled() __predict_false(mac_vnode_check_poll_fp_flag)
#ifdef MAC
extern bool mac_vnode_check_poll_fp_flag;
int mac_vnode_check_poll(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp);
#else
#define mac_vnode_check_poll_fp_flag false
599
/*
 * Non-MAC stand-in for mac_vnode_check_poll(): no policy can be loaded, so
 * the check always succeeds.  The arguments are deliberately unused.
 *
 * Returns 0.
 */
static inline int
mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp)
{

	(void)active_cred;
	(void)file_cred;
	(void)vp;
	return (0);
}
606
#endif
607
int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp);
608
int mac_vnode_check_readlink_impl(struct ucred *cred, struct vnode *dvp);
609
#ifdef MAC
610
extern bool mac_vnode_check_readlink_fp_flag;
611
#else
612
#define mac_vnode_check_readlink_fp_flag false
613
#endif
614
#define mac_vnode_check_readlink_enabled() __predict_false(mac_vnode_check_readlink_fp_flag)
615
/*
 * Fast-path wrapper around mac_vnode_check_readlink_impl().  Asserts the
 * vnode lock first (no-op unless MAC and INVARIANTS are defined), then
 * enters the framework only while mac_vnode_check_readlink_fp_flag is set.
 *
 * Returns 0 on the fast path, otherwise the _impl() result.
 */
static inline int
mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp)
{

	mac_vnode_assert_locked(vp, "mac_vnode_check_readlink");
	return (mac_vnode_check_readlink_enabled() ?
	    mac_vnode_check_readlink_impl(cred, vp) : 0);
}
624
/*
 * NOTE(review): this *_enabled() macro is defined ahead of, and independently
 * of, the #ifdef MAC block that declares its flag, and there is no #else
 * branch defining the flag to false as the other entry points in this header
 * have.  The macro is therefore only usable in MAC-enabled builds (or under
 * #ifdef MAC).  Unlike the other *_fp_flag entry points there is also no
 * static inline wrapper here; mac_vnode_check_rename_from() below is an
 * ordinary out-of-line prototype.
 */
#define mac_vnode_check_rename_from_enabled() __predict_false(mac_vnode_check_rename_from_fp_flag)
#ifdef MAC
extern bool mac_vnode_check_rename_from_fp_flag;
#endif
628
int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
629
struct vnode *vp, struct componentname *cnp);
630
int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
631
struct vnode *vp, int samedir, struct componentname *cnp);
632
int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp);
633
int mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
634
acl_type_t type, struct acl *acl);
635
int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
636
int attrnamespace, const char *name);
637
int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
638
u_long flags);
639
int mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
640
mode_t mode);
641
int mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
642
uid_t uid, gid_t gid);
643
int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
644
struct timespec atime, struct timespec mtime);
645
646
int mac_vnode_check_stat_impl(struct ucred *active_cred,
647
struct ucred *file_cred, struct vnode *vp);
648
#ifdef MAC
649
extern bool mac_vnode_check_stat_fp_flag;
650
#else
651
#define mac_vnode_check_stat_fp_flag false
652
#endif
653
#define mac_vnode_check_stat_enabled() __predict_false(mac_vnode_check_stat_fp_flag)
654
/*
 * Fast-path wrapper around mac_vnode_check_stat_impl().  The lock assertion
 * on vp always runs (no-op unless MAC and INVARIANTS are defined); the
 * framework is consulted only while mac_vnode_check_stat_fp_flag is set.
 *
 * Returns 0 on the fast path, otherwise the _impl() result.
 */
static inline int
mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp)
{
	int error;

	mac_vnode_assert_locked(vp, "mac_vnode_check_stat");
	error = 0;
	if (mac_vnode_check_stat_enabled())
		error = mac_vnode_check_stat_impl(active_cred, file_cred, vp);
	return (error);
}
664
665
int mac_vnode_check_read_impl(struct ucred *active_cred,
666
struct ucred *file_cred, struct vnode *vp);
667
#ifdef MAC
668
extern bool mac_vnode_check_read_fp_flag;
669
#else
670
#define mac_vnode_check_read_fp_flag false
671
#endif
672
#define mac_vnode_check_read_enabled() __predict_false(mac_vnode_check_read_fp_flag)
673
/*
 * Fast-path wrapper around mac_vnode_check_read_impl().  Asserts the vnode
 * lock first (no-op unless MAC and INVARIANTS are defined), then enters the
 * framework only while mac_vnode_check_read_fp_flag is set.
 *
 * Returns 0 on the fast path, otherwise the _impl() result.
 */
static inline int
mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp)
{

	mac_vnode_assert_locked(vp, "mac_vnode_check_read");
	return (mac_vnode_check_read_enabled() ?
	    mac_vnode_check_read_impl(active_cred, file_cred, vp) : 0);
}
683
684
int mac_vnode_check_write_impl(struct ucred *active_cred,
685
struct ucred *file_cred, struct vnode *vp);
686
#ifdef MAC
687
extern bool mac_vnode_check_write_fp_flag;
688
#else
689
#define mac_vnode_check_write_fp_flag false
690
#endif
691
#define mac_vnode_check_write_enabled() __predict_false(mac_vnode_check_write_fp_flag)
692
/*
 * Fast-path wrapper around mac_vnode_check_write_impl().  The lock assertion
 * on vp runs regardless of the flag (no-op unless MAC and INVARIANTS are
 * defined); the framework is entered only while
 * mac_vnode_check_write_fp_flag is set.
 *
 * Returns 0 on the fast path, otherwise the _impl() result.
 */
static inline int
mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp)
{
	int error;

	mac_vnode_assert_locked(vp, "mac_vnode_check_write");
	error = 0;
	if (mac_vnode_check_write_enabled())
		error = mac_vnode_check_write_impl(active_cred, file_cred, vp);
	return (error);
}
702
703
int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
704
struct vnode *vp, struct componentname *cnp);
705
void mac_vnode_copy_label(struct label *, struct label *);
706
void mac_vnode_init(struct vnode *);
707
int mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
708
struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
709
void mac_vnode_destroy(struct vnode *);
710
void mac_vnode_execve_transition(struct ucred *oldcred,
711
struct ucred *newcred, struct vnode *vp,
712
struct label *interpvplabel, struct image_params *imgp);
713
int mac_vnode_execve_will_transition(struct ucred *cred,
714
struct vnode *vp, struct label *interpvplabel,
715
struct image_params *imgp);
716
void mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
717
struct label *newlabel);
718
719
/*
720
* Calls to help various file systems implement labeling functionality using
721
* their existing EA implementation.
722
*/
723
int vop_stdsetlabel_ea(struct vop_setlabel_args *ap);
724
725
#endif /* !_SECURITY_MAC_MAC_FRAMEWORK_H_ */