Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/sys/security/mac/mac_framework.h
101852 views
1
/*-

2
 * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson

3
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.

4
 * Copyright (c) 2005-2006 SPARTA, Inc.

5
 * All rights reserved.

6
 *

7
 * This software was developed by Robert Watson for the TrustedBSD Project.

8
 *

9
 * This software was developed for the FreeBSD Project in part by Network

10
 * Associates Laboratories, the Security Research Division of Network

11
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),

12
 * as part of the DARPA CHATS research program.

13
 *

14
 * This software was enhanced by SPARTA ISSO under SPAWAR contract

15
 * N66001-04-C-6019 ("SEFOS").

16
 *

17
 * This software was developed at the University of Cambridge Computer

18
 * Laboratory with support from a grant from Google, Inc.

19
 *

20
 * Redistribution and use in source and binary forms, with or without

21
 * modification, are permitted provided that the following conditions

22
 * are met:

23
 * 1. Redistributions of source code must retain the above copyright

24
 *    notice, this list of conditions and the following disclaimer.

25
 * 2. Redistributions in binary form must reproduce the above copyright

26
 *    notice, this list of conditions and the following disclaimer in the

27
 *    documentation and/or other materials provided with the distribution.

28
 *

29
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

30
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

31
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

32
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

33
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

34
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

35
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

36
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

37
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

38
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

39
 * SUCH DAMAGE.

40
 */

41


42
/*

43
 * Kernel interface for Mandatory Access Control -- how kernel services

44
 * interact with the TrustedBSD MAC Framework.

45
 */

46


47
#ifndef _SECURITY_MAC_MAC_FRAMEWORK_H_

48
#define	_SECURITY_MAC_MAC_FRAMEWORK_H_

49


50
#ifndef _KERNEL

51
#error "no user-serviceable parts inside"

52
#endif

53


54
struct auditinfo;

55
struct auditinfo_addr;

56
struct bpf_d;

57
struct cdev;

58
struct componentname;

59
struct devfs_dirent;

60
struct ifnet;

61
struct ifreq;

62
struct image_params;

63
struct inpcb;

64
struct ip6q;

65
struct ipq;

66
struct kdb_dbbe;

67
struct ksem;

68
struct label;

69
struct m_tag;

70
struct mac;

71
struct mbuf;

72
struct mount;

73
struct msg;

74
struct msqid_kernel;

75
struct pipepair;

76
struct prison;

77
struct proc;

78
struct semid_kernel;

79
struct shmfd;

80
struct shmid_kernel;

81
struct sockaddr;

82
struct socket;

83
struct sysctl_oid;

84
struct sysctl_req;

85
struct thread;

86
struct timespec;

87
struct ucred;

88
struct vattr;

89
struct vfsoptlist;

90
struct vnode;

91
struct vop_setlabel_args;

92


93
struct in_addr;

94
struct in6_addr;

95


96
#include <sys/acl.h>			/* XXX acl_type_t */

97
#include <sys/types.h>			/* accmode_t */

98


99
#include <ddb/ddb.h>			/* db_expr_t */

100


101
/*

102
 * Entry points to the TrustedBSD MAC Framework from the remainder of the

103
 * kernel: entry points are named based on a principle object type and an

104
 * action relating to it.  They are sorted alphabetically first by object

105
 * type and then action.  In some situations, the principle object type is

106
 * obvious, and in other cases, less so as multiple objects may be inolved

107
 * in the operation.

108
 */

109
int	mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp);

110
void	mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d);

111
void	mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m);

112
void	mac_bpfdesc_destroy(struct bpf_d *);

113
void	mac_bpfdesc_init(struct bpf_d *);

114


115
void	mac_cred_associate_nfsd(struct ucred *cred);

116
int	mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai);

117
int	mac_cred_check_setaudit_addr(struct ucred *cred,

118
	    struct auditinfo_addr *aia);

119
int	mac_cred_check_setauid(struct ucred *cred, uid_t auid);

120
void	mac_cred_setcred_enter(void);

121
int	mac_cred_check_setcred(u_int flags, const struct ucred *old_cred,

122
	    struct ucred *new_cred);

123
void	mac_cred_setcred_exit(void);

124
int	mac_cred_check_setegid(struct ucred *cred, gid_t egid);

125
int	mac_cred_check_seteuid(struct ucred *cred, uid_t euid);

126
int	mac_cred_check_setgid(struct ucred *cred, gid_t gid);

127
int	mac_cred_check_setgroups(struct ucred *cred, int ngroups,

128
	    gid_t *gidset);

129
int	mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid);

130
int	mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,

131
	    gid_t sgid);

132
int	mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,

133
	    uid_t suid);

134
int	mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid);

135
int	mac_cred_check_setuid(struct ucred *cred, uid_t uid);

136
int	mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);

137
void	mac_cred_copy(struct ucred *cr1, struct ucred *cr2);

138
void	mac_cred_create_init(struct ucred *cred);

139
void	mac_cred_create_kproc0(struct ucred *cred);

140
void	mac_cred_destroy(struct ucred *);

141
void	mac_cred_init(struct ucred *);

142


143
int	mac_ddb_command_register(struct db_command_table *table,

144
	    struct db_command *cmd);

145
int	mac_ddb_command_exec(struct db_command *cmd, db_expr_t addr,

146
	    bool have_addr, db_expr_t count, char *modif);

147


148
void	mac_devfs_create_device(struct ucred *cred, struct mount *mp,

149
	    struct cdev *dev, struct devfs_dirent *de);

150
void	mac_devfs_create_directory(struct mount *mp, char *dirname,

151
	    int dirnamelen, struct devfs_dirent *de);

152
void	mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,

153
	    struct devfs_dirent *dd, struct devfs_dirent *de);

154
void	mac_devfs_destroy(struct devfs_dirent *);

155
void	mac_devfs_init(struct devfs_dirent *);

156
void	mac_devfs_update(struct mount *mp, struct devfs_dirent *de,

157
	    struct vnode *vp);

158
void	mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,

159
	    struct vnode *vp);

160


161
int	mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m);

162
#ifdef MAC

163
extern bool mac_ifnet_check_transmit_fp_flag;

164
#else

165
#define mac_ifnet_check_transmit_fp_flag false

166
#endif

167
#define mac_ifnet_check_transmit_enabled() __predict_false(mac_ifnet_check_transmit_fp_flag)

168
static inline int

169
mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)

170
{

171


172
	if (mac_ifnet_check_transmit_enabled())

173
		return (mac_ifnet_check_transmit_impl(ifp, m));

174
	return (0);

175
}

176


177
void	mac_ifnet_create(struct ifnet *ifp);

178


179
void	mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m);

180
#ifdef MAC

181
extern bool mac_ifnet_create_mbuf_fp_flag;

182
#else

183
#define mac_ifnet_create_mbuf_fp_flag false

184
#endif

185
#define mac_ifnet_create_mbuf_enabled() __predict_false(mac_ifnet_create_mbuf_fp_flag)

186
static inline void

187
mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)

188
{

189


190
	if (mac_ifnet_create_mbuf_enabled())

191
		mac_ifnet_create_mbuf_impl(ifp, m);

192
}

193


194
void	mac_ifnet_destroy(struct ifnet *);

195
void	mac_ifnet_init(struct ifnet *);

196
int	mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,

197
	    struct ifnet *ifp);

198
int	mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr,

199
	    struct ifnet *ifp);

200


201
/* Check if the IP address is allowed for the interface. */

202
int	mac_inet_check_add_addr(struct ucred *cred,

203
	    const struct in_addr *ia, struct ifnet *ifp);

204
int	mac_inet6_check_add_addr(struct ucred *cred,

205
	    const struct in6_addr *ia6, struct ifnet *ifp);

206


207
int	mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m);

208
int	mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp);

209
void	mac_inpcb_create(struct socket *so, struct inpcb *inp);

210
void	mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m);

211
void	mac_inpcb_destroy(struct inpcb *);

212
int	mac_inpcb_init(struct inpcb *, int);

213
void	mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);

214


215
void	mac_ip6q_create(struct mbuf *m, struct ip6q *q6);

216
void	mac_ip6q_destroy(struct ip6q *q6);

217
int	mac_ip6q_init(struct ip6q *q6, int);

218
int	mac_ip6q_match(struct mbuf *m, struct ip6q *q6);

219
void	mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m);

220
void	mac_ip6q_update(struct mbuf *m, struct ip6q *q6);

221


222
void	mac_ipq_create(struct mbuf *m, struct ipq *q);

223
void	mac_ipq_destroy(struct ipq *q);

224
int	mac_ipq_init(struct ipq *q, int);

225
int	mac_ipq_match(struct mbuf *m, struct ipq *q);

226
void	mac_ipq_reassemble(struct ipq *q, struct mbuf *m);

227
void	mac_ipq_update(struct mbuf *m, struct ipq *q);

228


229
int	mac_kdb_check_backend(struct kdb_dbbe *be);

230
int	mac_kdb_grant_backend(struct kdb_dbbe *be);

231


232
int	mac_kenv_check_dump(struct ucred *cred);

233
int	mac_kenv_check_get(struct ucred *cred, char *name);

234
int	mac_kenv_check_set(struct ucred *cred, char *name, char *value);

235
int	mac_kenv_check_unset(struct ucred *cred, char *name);

236


237
int	mac_kld_check_load(struct ucred *cred, struct vnode *vp);

238
int	mac_kld_check_stat(struct ucred *cred);

239


240
void	mac_mbuf_copy(struct mbuf *, struct mbuf *);

241
int	mac_mbuf_init(struct mbuf *, int);

242


243
void	mac_mbuf_tag_copy(struct m_tag *, struct m_tag *);

244
void	mac_mbuf_tag_destroy(struct m_tag *);

245
int	mac_mbuf_tag_init(struct m_tag *, int);

246


247
int	mac_mount_check_stat(struct ucred *cred, struct mount *mp);

248
void	mac_mount_create(struct ucred *cred, struct mount *mp);

249
void	mac_mount_destroy(struct mount *);

250
void	mac_mount_init(struct mount *);

251


252
void	mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m);

253
void	mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend);

254
void	mac_netinet_firewall_send(struct mbuf *m);

255
void	mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);

256
void	mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend);

257
void	mac_netinet_icmp_replyinplace(struct mbuf *m);

258
void	mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m);

259
void	mac_netinet_tcp_reply(struct mbuf *m);

260


261
void	mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m);

262


263
int	mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,

264
	    unsigned long cmd, void *data);

265
int	mac_pipe_check_poll_impl(struct ucred *cred, struct pipepair *pp);

266
#ifdef MAC

267
extern bool mac_pipe_check_poll_fp_flag;

268
#else

269
#define mac_pipe_check_poll_fp_flag false

270
#endif

271
#define mac_pipe_check_poll_enabled() __predict_false(mac_pipe_check_poll_fp_flag)

272
static inline int

273
mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)

274
{

275


276
	if (mac_pipe_check_poll_enabled())

277
		return (mac_pipe_check_poll_impl(cred, pp));

278
	return (0);

279
}

280


281
#ifdef MAC

282
extern bool mac_pipe_check_stat_fp_flag;

283
#else

284
#define mac_pipe_check_stat_fp_flag false

285
#endif

286
#define mac_pipe_check_stat_enabled() __predict_false(mac_pipe_check_stat_fp_flag)

287
int	mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp);

288
int	mac_pipe_check_read_impl(struct ucred *cred, struct pipepair *pp);

289
#ifdef MAC

290
extern bool mac_pipe_check_read_fp_flag;

291
#else

292
#define mac_pipe_check_read_fp_flag false

293
#endif

294
#define mac_pipe_check_read_enabled() __predict_false(mac_pipe_check_read_fp_flag)

295
static inline int

296
mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)

297
{

298


299
	if (mac_pipe_check_read_enabled())

300
		return (mac_pipe_check_read_impl(cred, pp));

301
	return (0);

302
}

303


304
int	mac_pipe_check_write(struct ucred *cred, struct pipepair *pp);

305
void	mac_pipe_create(struct ucred *cred, struct pipepair *pp);

306
void	mac_pipe_destroy(struct pipepair *);

307
void	mac_pipe_init(struct pipepair *);

308
int	mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,

309
	    struct label *label);

310


311
int	mac_posixsem_check_getvalue(struct ucred *active_cred,

312
	    struct ucred *file_cred, struct ksem *ks);

313
int	mac_posixsem_check_open(struct ucred *cred, struct ksem *ks);

314
int	mac_posixsem_check_post(struct ucred *active_cred,

315
	    struct ucred *file_cred, struct ksem *ks);

316
int	mac_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,

317
	    mode_t mode);

318
int	mac_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,

319
	    uid_t uid, gid_t gid);

320
int	mac_posixsem_check_stat(struct ucred *active_cred,

321
	    struct ucred *file_cred, struct ksem *ks);

322
int	mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks);

323
int	mac_posixsem_check_wait(struct ucred *active_cred,

324
	    struct ucred *file_cred, struct ksem *ks);

325
void 	mac_posixsem_create(struct ucred *cred, struct ksem *ks);

326
void	mac_posixsem_destroy(struct ksem *);

327
void	mac_posixsem_init(struct ksem *);

328


329
int	mac_posixshm_check_create(struct ucred *cred, const char *path);

330
int	mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,

331
	    int prot, int flags);

332
int	mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,

333
	    accmode_t accmode);

334
int	mac_posixshm_check_read(struct ucred *active_cred,

335
	    struct ucred *file_cred, struct shmfd *shmfd);

336
int	mac_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,

337
	    mode_t mode);

338
int	mac_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,

339
	    uid_t uid, gid_t gid);

340
int	mac_posixshm_check_stat(struct ucred *active_cred,

341
	    struct ucred *file_cred, struct shmfd *shmfd);

342
int	mac_posixshm_check_truncate(struct ucred *active_cred,

343
	    struct ucred *file_cred, struct shmfd *shmfd);

344
int	mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd);

345
int	mac_posixshm_check_write(struct ucred *active_cred,

346
	    struct ucred *file_cred, struct shmfd *shmfd);

347
void 	mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd);

348
void	mac_posixshm_destroy(struct shmfd *);

349
void	mac_posixshm_init(struct shmfd *);

350


351
int	mac_prison_init(struct prison *pr, int flag);

352
void	mac_prison_relabel(struct ucred *cred, struct prison *pr,

353
	    struct label *newlabel);

354
void	mac_prison_destroy(struct prison *pr);

355
int	mac_prison_check_attach(struct ucred *cred, struct prison *pr);

356
int	mac_prison_check_create(struct ucred *cred, struct vfsoptlist *opts,

357
	    int flags);

358
int	mac_prison_check_get(struct ucred *cred, struct prison *pr,

359
	    struct vfsoptlist *opts, int flags);

360
int	mac_prison_check_set(struct ucred *cred, struct prison *pr,

361
	    struct vfsoptlist *opts, int flags);

362
int	mac_prison_check_remove(struct ucred *cred, struct prison *pr);

363
void	mac_prison_created(struct ucred *cred, struct prison *pr);

364
void	mac_prison_attached(struct ucred *cred, struct prison *pr,

365
	    struct proc *p);

366


367
int	mac_priv_check_impl(struct ucred *cred, int priv);

368
#ifdef MAC

369
extern bool mac_priv_check_fp_flag;

370
#else

371
#define mac_priv_check_fp_flag false

372
#endif

373
#define mac_priv_check_enabled()	__predict_false(mac_priv_check_fp_flag)

374
static inline int

375
mac_priv_check(struct ucred *cred, int priv)

376
{

377


378
	if (mac_priv_check_enabled())

379
		return (mac_priv_check_impl(cred, priv));

380
	return (0);

381
}

382


383
int	mac_priv_grant_impl(struct ucred *cred, int priv);

384
#ifdef MAC

385
extern bool mac_priv_grant_fp_flag;

386
#else

387
#define mac_priv_grant_fp_flag false

388
#endif

389
#define mac_priv_grant_enabled()	__predict_false(mac_priv_grant_fp_flag)

390
static inline int

391
mac_priv_grant(struct ucred *cred, int priv)

392
{

393


394
	if (mac_priv_grant_enabled())

395
		return (mac_priv_grant_impl(cred, priv));

396
	return (EPERM);

397
}

398


399
int	mac_proc_check_debug(struct ucred *cred, struct proc *p);

400
int	mac_proc_check_sched(struct ucred *cred, struct proc *p);

401
int	mac_proc_check_signal(struct ucred *cred, struct proc *p,

402
	    int signum);

403
int	mac_proc_check_wait(struct ucred *cred, struct proc *p);

404
void	mac_proc_destroy(struct proc *);

405
void	mac_proc_init(struct proc *);

406
void	mac_proc_vm_revoke(struct thread *td);

407
int	mac_execve_enter(struct image_params *imgp, struct mac *mac_p);

408
void	mac_execve_exit(struct image_params *imgp);

409
void	mac_execve_interpreter_enter(struct vnode *interpvp,

410
	    struct label **interplabel);

411
void	mac_execve_interpreter_exit(struct label *interpvplabel);

412


413
int	mac_socket_check_accept(struct ucred *cred, struct socket *so);

414
int	mac_socket_check_bind(struct ucred *cred, struct socket *so,

415
	    struct sockaddr *sa);

416
int	mac_socket_check_connect(struct ucred *cred, struct socket *so,

417
	    struct sockaddr *sa);

418
int	mac_socket_check_create(struct ucred *cred, int domain, int type,

419
	    int proto);

420
int	mac_socket_check_deliver(struct socket *so, struct mbuf *m);

421
int	mac_socket_check_listen(struct ucred *cred, struct socket *so);

422
int	mac_socket_check_poll(struct ucred *cred, struct socket *so);

423
int	mac_socket_check_receive(struct ucred *cred, struct socket *so);

424
int	mac_socket_check_send(struct ucred *cred, struct socket *so);

425
int	mac_socket_check_stat(struct ucred *cred, struct socket *so);

426
int	mac_socket_check_visible(struct ucred *cred, struct socket *so);

427
void	mac_socket_create_mbuf(struct socket *so, struct mbuf *m);

428
void	mac_socket_create(struct ucred *cred, struct socket *so);

429
void	mac_socket_destroy(struct socket *);

430
int	mac_socket_init(struct socket *, int);

431
void	mac_socket_newconn(struct socket *oldso, struct socket *newso);

432
int	mac_getsockopt_label(struct ucred *cred, struct socket *so,

433
	    const struct mac *extmac);

434
int	mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,

435
	    const struct mac *extmac);

436
int	mac_setsockopt_label(struct ucred *cred, struct socket *so,

437
	    const struct mac *extmac);

438


439
void	mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);

440
void	mac_socketpeer_set_from_socket(struct socket *oldso,

441
	    struct socket *newso);

442


443
void	mac_syncache_create(struct label *l, struct inpcb *inp);

444
void	mac_syncache_create_mbuf(struct label *l, struct mbuf *m);

445
void	mac_syncache_destroy(struct label **l);

446
int	mac_syncache_init(struct label **l);

447


448
int	mac_system_check_acct(struct ucred *cred, struct vnode *vp);

449
int	mac_system_check_audit(struct ucred *cred, void *record, int length);

450
int	mac_system_check_auditctl(struct ucred *cred, struct vnode *vp);

451
int	mac_system_check_auditon(struct ucred *cred, int cmd);

452
int	mac_system_check_reboot(struct ucred *cred, int howto);

453
int	mac_system_check_swapon(struct ucred *cred, struct vnode *vp);

454
int	mac_system_check_swapoff(struct ucred *cred, struct vnode *vp);

455
int	mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,

456
	    void *arg1, int arg2, struct sysctl_req *req);

457


458
void	mac_sysvmsg_cleanup(struct msg *msgptr);

459
void	mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,

460
	    struct msg *msgptr);

461
void	mac_sysvmsg_destroy(struct msg *);

462
void	mac_sysvmsg_init(struct msg *);

463


464
int	mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,

465
	    struct msqid_kernel *msqkptr);

466
int	mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr);

467
int	mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr);

468
int	mac_sysvmsq_check_msqctl(struct ucred *cred,

469
	    struct msqid_kernel *msqkptr, int cmd);

470
int	mac_sysvmsq_check_msqget(struct ucred *cred,

471
	    struct msqid_kernel *msqkptr);

472
int	mac_sysvmsq_check_msqrcv(struct ucred *cred,

473
	    struct msqid_kernel *msqkptr);

474
int	mac_sysvmsq_check_msqsnd(struct ucred *cred,

475
	    struct msqid_kernel *msqkptr);

476
void	mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr);

477
void	mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr);

478
void	mac_sysvmsq_destroy(struct msqid_kernel *);

479
void	mac_sysvmsq_init(struct msqid_kernel *);

480


481
int	mac_sysvsem_check_semctl(struct ucred *cred,

482
	    struct semid_kernel *semakptr, int cmd);

483
int	mac_sysvsem_check_semget(struct ucred *cred,

484
	   struct semid_kernel *semakptr);

485
int	mac_sysvsem_check_semop(struct ucred *cred,

486
	    struct semid_kernel *semakptr, size_t accesstype);

487
void	mac_sysvsem_cleanup(struct semid_kernel *semakptr);

488
void	mac_sysvsem_create(struct ucred *cred,

489
	    struct semid_kernel *semakptr);

490
void	mac_sysvsem_destroy(struct semid_kernel *);

491
void	mac_sysvsem_init(struct semid_kernel *);

492


493
int	mac_sysvshm_check_shmat(struct ucred *cred,

494
	    struct shmid_kernel *shmsegptr, int shmflg);

495
int	mac_sysvshm_check_shmctl(struct ucred *cred,

496
	    struct shmid_kernel *shmsegptr, int cmd);

497
int	mac_sysvshm_check_shmdt(struct ucred *cred,

498
	    struct shmid_kernel *shmsegptr);

499
int	mac_sysvshm_check_shmget(struct ucred *cred,

500
	    struct shmid_kernel *shmsegptr, int shmflg);

501
void	mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr);

502
void	mac_sysvshm_create(struct ucred *cred,

503
	    struct shmid_kernel *shmsegptr);

504
void	mac_sysvshm_destroy(struct shmid_kernel *);

505
void	mac_sysvshm_init(struct shmid_kernel *);

506


507
void	mac_thread_userret(struct thread *td);

508


509
#if defined(MAC) && defined(INVARIANTS)

510
void	mac_vnode_assert_locked(struct vnode *vp, const char *func);

511
#else

512
#define mac_vnode_assert_locked(vp, func) do { } while (0)

513
#endif

514


515
int	mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);

516
void	mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);

517
int	mac_vnode_check_access_impl(struct ucred *cred, struct vnode *dvp,

518
	    accmode_t accmode);

519
extern bool mac_vnode_check_access_fp_flag;

520
#define mac_vnode_check_access_enabled() __predict_false(mac_vnode_check_access_fp_flag)

521
static inline int

522
mac_vnode_check_access(struct ucred *cred, struct vnode *dvp,

523
    accmode_t accmode)

524
{

525


526
	mac_vnode_assert_locked(dvp, "mac_vnode_check_access");

527
	if (mac_vnode_check_access_enabled())

528
                return (mac_vnode_check_access_impl(cred, dvp, accmode));

529
	return (0);

530
}

531
int	mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);

532
int	mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);

533
int	mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,

534
	    struct componentname *cnp, struct vattr *vap);

535
int	mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,

536
	    acl_type_t type);

537
int	mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,

538
	    int attrnamespace, const char *name);

539
int	mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,

540
	    struct image_params *imgp);

541
int	mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp,

542
	    acl_type_t type);

543
int	mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,

544
	    int attrnamespace, const char *name);

545
int	mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,

546
	    struct vnode *vp, struct componentname *cnp);

547
int	mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,

548
	    int attrnamespace);

549


550
int	mac_vnode_check_lookup_impl(struct ucred *cred, struct vnode *dvp,

551
 	    struct componentname *cnp);

552
#ifdef MAC

553
extern bool mac_vnode_check_lookup_fp_flag;

554
#else

555
#define mac_vnode_check_lookup_fp_flag false

556
#endif

557
#define mac_vnode_check_lookup_enabled() __predict_false(mac_vnode_check_lookup_fp_flag)

558
static inline int

559
mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,

560
    struct componentname *cnp)

561
{

562


563
	mac_vnode_assert_locked(dvp, "mac_vnode_check_lookup");

564
	if (mac_vnode_check_lookup_enabled())

565
                return (mac_vnode_check_lookup_impl(cred, dvp, cnp));

566
	return (0);

567
}

568


569
int	mac_vnode_check_mmap_impl(struct ucred *cred, struct vnode *vp, int prot,

570
	    int flags);

571
#ifdef MAC

572
extern bool mac_vnode_check_mmap_fp_flag;

573
#else

574
#define mac_vnode_check_mmap_fp_flag false

575
#endif

576
#define mac_vnode_check_mmap_enabled() __predict_false(mac_vnode_check_mmap_fp_flag)

577
static inline int

578
mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,

579
    int flags)

580
{

581


582
	mac_vnode_assert_locked(vp, "mac_vnode_check_mmap");

583
	if (mac_vnode_check_mmap_enabled())

584
		return (mac_vnode_check_mmap_impl(cred, vp, prot, flags));

585
	return (0);

586
}

587


588
int	mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp,

589
	    accmode_t accmode);

590
#ifdef MAC

591
extern bool mac_vnode_check_open_fp_flag;

592
#else

593
#define mac_vnode_check_open_fp_flag false

594
#endif

595
#define mac_vnode_check_open_enabled() __predict_false(mac_vnode_check_open_fp_flag)

596
static inline int

597
mac_vnode_check_open(struct ucred *cred, struct vnode *vp,

598
    accmode_t accmode)

599
{

600


601
	mac_vnode_assert_locked(vp, "mac_vnode_check_open");

602
	if (mac_vnode_check_open_enabled())

603
		return (mac_vnode_check_open_impl(cred, vp, accmode));

604
	return (0);

605
}

606


607
int	mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,

608
	    int prot);

609


610
#define mac_vnode_check_poll_enabled() __predict_false(mac_vnode_check_poll_fp_flag)

611
#ifdef MAC

612
extern bool mac_vnode_check_poll_fp_flag;

613
int	mac_vnode_check_poll(struct ucred *active_cred,

614
	    struct ucred *file_cred, struct vnode *vp);

615
#else

616
#define mac_vnode_check_poll_fp_flag	false

617
static inline int

618
mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,

619
    struct vnode *vp)

620
{

621


622
	return (0);

623
}

624
#endif

625
int	mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp);

626
int	mac_vnode_check_readlink_impl(struct ucred *cred, struct vnode *dvp);

627
#ifdef MAC

628
extern bool mac_vnode_check_readlink_fp_flag;

629
#else

630
#define mac_vnode_check_readlink_fp_flag false

631
#endif

632
#define mac_vnode_check_readlink_enabled() __predict_false(mac_vnode_check_readlink_fp_flag)

633
static inline int

634
mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp)

635
{

636


637
	mac_vnode_assert_locked(vp, "mac_vnode_check_readlink");

638
	if (mac_vnode_check_readlink_enabled())

639
		return (mac_vnode_check_readlink_impl(cred, vp));

640
	return (0);

641
}

642
#define mac_vnode_check_rename_from_enabled() __predict_false(mac_vnode_check_rename_from_fp_flag)

643
#ifdef MAC

644
extern bool mac_vnode_check_rename_from_fp_flag;

645
#endif

646
int	mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,

647
	    struct vnode *vp, struct componentname *cnp);

648
int	mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,

649
	    struct vnode *vp, int samedir, struct componentname *cnp);

650
int	mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp);

651
int	mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,

652
	    acl_type_t type, struct acl *acl);

653
int	mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,

654
	    int attrnamespace, const char *name);

655
int	mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,

656
	    u_long flags);

657
int	mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,

658
	    mode_t mode);

659
int	mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,

660
	    uid_t uid, gid_t gid);

661
int	mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,

662
	    struct timespec atime, struct timespec mtime);

663


664
int	mac_vnode_check_stat_impl(struct ucred *active_cred,

665
	    struct ucred *file_cred, struct vnode *vp);

666
#ifdef MAC

667
extern bool mac_vnode_check_stat_fp_flag;

668
#else

669
#define mac_vnode_check_stat_fp_flag false

670
#endif

671
#define mac_vnode_check_stat_enabled()	__predict_false(mac_vnode_check_stat_fp_flag)

672
static inline int

673
mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,

674
    struct vnode *vp)

675
{

676


677
	mac_vnode_assert_locked(vp, "mac_vnode_check_stat");

678
	if (mac_vnode_check_stat_enabled())

679
		return (mac_vnode_check_stat_impl(active_cred, file_cred, vp));

680
	return (0);

681
}

682


683
int	mac_vnode_check_read_impl(struct ucred *active_cred,

684
	    struct ucred *file_cred, struct vnode *vp);

685
#ifdef MAC

686
extern bool mac_vnode_check_read_fp_flag;

687
#else

688
#define mac_vnode_check_read_fp_flag false

689
#endif

690
#define mac_vnode_check_read_enabled() __predict_false(mac_vnode_check_read_fp_flag)

691
static inline int

692
mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,

693
    struct vnode *vp)

694
{

695


696
	mac_vnode_assert_locked(vp, "mac_vnode_check_read");

697
	if (mac_vnode_check_read_enabled())

698
		return (mac_vnode_check_read_impl(active_cred, file_cred, vp));

699
	return (0);

700
}

701


702
int	mac_vnode_check_write_impl(struct ucred *active_cred,

703
	    struct ucred *file_cred, struct vnode *vp);

704
#ifdef MAC

705
extern bool mac_vnode_check_write_fp_flag;

706
#else

707
#define mac_vnode_check_write_fp_flag false

708
#endif

709
#define mac_vnode_check_write_enabled() __predict_false(mac_vnode_check_write_fp_flag)

710
static inline int

711
mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,

712
    struct vnode *vp)

713
{

714


715
	mac_vnode_assert_locked(vp, "mac_vnode_check_write");

716
	if (mac_vnode_check_write_enabled())

717
		return (mac_vnode_check_write_impl(active_cred, file_cred, vp));

718
	return (0);

719
}

720


721
int	mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,

722
	    struct vnode *vp, struct componentname *cnp);

723
void	mac_vnode_copy_label(struct label *, struct label *);

724
void	mac_vnode_init(struct vnode *);

725
int	mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,

726
	    struct vnode *dvp, struct vnode *vp, struct componentname *cnp);

727
void	mac_vnode_destroy(struct vnode *);

728
void	mac_vnode_execve_transition(struct ucred *oldcred,

729
	    struct ucred *newcred, struct vnode *vp,

730
	    struct label *interpvplabel, struct image_params *imgp);

731
int	mac_vnode_execve_will_transition(struct ucred *cred,

732
	    struct vnode *vp, struct label *interpvplabel,

733
	    struct image_params *imgp);

734
void	mac_vnode_relabel(struct ucred *cred, struct vnode *vp,

735
	    struct label *newlabel);

736


737
/*

738
 * Calls to help various file systems implement labeling functionality using

739
 * their existing EA implementation.

740
 */

741
int	vop_stdsetlabel_ea(struct vop_setlabel_args *ap);

742


743
#endif /* !_SECURITY_MAC_MAC_FRAMEWORK_H_ */

744


745