author | rwatson <rwatson@FreeBSD.org> | 2002-07-30 22:15:09 +0000
committer | rwatson <rwatson@FreeBSD.org> | 2002-07-30 22:15:09 +0000
commit | 4cbda9609630f611fedd9334009eecdebb169eff (patch)
tree | cff279dd428d4dc88a9cfeafcb5661c999b0fc41 /sys/kern/vnode_if.src
parent | c6e184b717c8e6d845c28b3c3f3867cbcf067e37 (diff)
Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the operating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Introduce two new vnode operations required to support MAC. First,
VOP_REFRESHLABEL(), which will be invoked by callers requiring that
vp->v_label be sufficiently "fresh" for access control purposes.
Second, VOP_SETLABEL(), which will be invoked by callers requiring that
the passed label contents be updated. The file system is responsible
for updating v_label if appropriate in coordination with the MAC
framework, as well as committing to disk. File systems that are
not MAC-aware need not implement these VOPs, as the MAC framework
will default to maintaining a single label for all vnodes based
on the label on the file system mount point.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
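The contract the commit message lays out (a MAC-aware file system keeps v_label in sync with what it committed to disk; a file system that is not MAC-aware gets a single label derived from the mount point) can be modelled outside the kernel. The block below is an added userland illustration written for this page, not FreeBSD code: the contents of `struct label`, the `v_ondisk` field standing in for persistent storage, the `relabel_then_refresh` scenario driver, the omission of the `cred` and `td` arguments, and the choice of `EOPNOTSUPP` for a non-aware file system's setlabel are all assumptions made here.

```c
/*
 * Userland model of the VOP_REFRESHLABEL()/VOP_SETLABEL() contract.
 * Added example, not FreeBSD code.  struct label contents, v_ondisk,
 * the dropped cred/td arguments and EOPNOTSUPP below are assumptions.
 */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define LABEL_MAX 32

struct label { char text[LABEL_MAX]; };   /* stand-in for the opaque MAC label */

struct vnode;
struct vop_vector {                       /* per-file-system VOP table (model) */
	int (*vop_refreshlabel)(struct vnode *vp);
	int (*vop_setlabel)(struct vnode *vp, const struct label *label);
};

struct mount {
	struct label mnt_label;               /* label on the mount point */
	const struct vop_vector *mnt_op;
};

struct vnode {
	struct mount *v_mount;
	struct label v_label;                 /* cached label; may go stale */
	struct label v_ondisk;                /* simulated persistent label (e.g. an EA) */
};

/* A MAC-aware file system: keeps v_label in step with its own storage. */
static int
macfs_refreshlabel(struct vnode *vp)
{
	vp->v_label = vp->v_ondisk;           /* re-read the committed label */
	return (0);
}

static int
macfs_setlabel(struct vnode *vp, const struct label *label)
{
	vp->v_ondisk = *label;                /* commit to "disk" first ... */
	vp->v_label = *label;                 /* ... then refresh the cached copy */
	return (0);
}

static const struct vop_vector macfs_vops = { macfs_refreshlabel, macfs_setlabel };

/* A file system that is not MAC-aware leaves both slots empty. */
static const struct vop_vector plainfs_vops = { NULL, NULL };

/* Framework side: dispatch, with the mount-point fallback for non-aware file systems. */
static int
VOP_REFRESHLABEL(struct vnode *vp)
{
	if (vp->v_mount->mnt_op->vop_refreshlabel != NULL)
		return (vp->v_mount->mnt_op->vop_refreshlabel(vp));
	vp->v_label = vp->v_mount->mnt_label; /* one label for every vnode on the mount */
	return (0);
}

static int
VOP_SETLABEL(struct vnode *vp, const struct label *label)
{
	if (vp->v_mount->mnt_op->vop_setlabel != NULL)
		return (vp->v_mount->mnt_op->vop_setlabel(vp, label));
	return (EOPNOTSUPP);                  /* nowhere to persist a per-vnode label */
}

/*
 * Scenario: relabel a vnode, let its cached label go stale, then ask the
 * file system to refresh it.  Returns the VOP_SETLABEL() error and writes
 * the label seen after the refresh into out (LABEL_MAX bytes).
 */
int
relabel_then_refresh(int mac_aware, const char *newlabel, char *out)
{
	struct mount mp;
	struct vnode vn;
	struct label l;
	int error;

	memset(&mp, 0, sizeof(mp));
	memset(&vn, 0, sizeof(vn));
	memset(&l, 0, sizeof(l));
	strncpy(mp.mnt_label.text, "biba/low", LABEL_MAX - 1);
	mp.mnt_op = mac_aware ? &macfs_vops : &plainfs_vops;
	vn.v_mount = &mp;

	strncpy(l.text, newlabel, LABEL_MAX - 1);
	error = VOP_SETLABEL(&vn, &l);
	strncpy(vn.v_label.text, "stale", LABEL_MAX - 1);  /* simulate a stale cache */
	VOP_REFRESHLABEL(&vn);
	memcpy(out, vn.v_label.text, LABEL_MAX);
	return (error);
}
```

With a MAC-aware file system the refresh yields the label that was just committed; with a plain file system the relabel is refused and the refresh falls back to the mount point's label, which is the single-label behaviour the commit message describes for file systems that do not implement the new VOPs.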
Diffstat (limited to 'sys/kern/vnode_if.src')
-rw-r--r-- | sys/kern/vnode_if.src | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/sys/kern/vnode_if.src b/sys/kern/vnode_if.src index 3fb3171..ce7c277 100644 --- a/sys/kern/vnode_if.src +++ b/sys/kern/vnode_if.src @@ -556,3 +556,22 @@ vop_getvobject { IN struct vnode *vp; OUT struct vm_object **objpp; }; + +# +#% refreshlabel vp L L L +# +vop_refreshlabel { + IN struct vnode *vp; + IN struct ucred *cred; + IN struct thread *td; +}; + +# +#% setlabel vp L L L +# +vop_setlabel { + IN struct vnode *vp; + IN struct label *label; + IN struct ucred *cred; + IN struct thread *td; +}; |
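Review bot: both new entries take `IN struct label *label` / rely on `struct label`, yet nothing in this file or its visible context brings a declaration of that type into scope; the generated vnode_if.h needs a forward declaration (`struct label;`) ahead of the generated prototypes, or every consumer must include the header that declares it, otherwise the `struct label *` parameter in the generated VOP_SETLABEL() prototype becomes a distinct prototype-scope type and callers get type-mismatch warnings. The `#% setlabel vp L L L` and `#% refreshlabel vp L L L` locking lines are consistent with the existing entries, but a short comment above `vop_setlabel` stating that the file system must copy `label` rather than retain the pointer, and above `vop_refreshlabel` stating what "fresh" obliges the file system to do, would help implementers, since the commit message puts the responsibility for updating `v_label` and committing it to disk on the file system but the source file records none of that.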