| field | value | date |
|---|---|---|
| author | rwatson <rwatson@FreeBSD.org> | 2002-11-20 15:41:25 +0000 |
| committer | rwatson <rwatson@FreeBSD.org> | 2002-11-20 15:41:25 +0000 |
| commit | 569048d3f90c1ad80a2befd6f45adeda27d5b370 (patch) | |
| tree | 51776de3b9188cb829cfb48dbad3e46d3b37ed4e /sys/sys/mac.h | |
| parent | 8f7431caeb8e8d1dcbcc57542b08b0328692dbb3 (diff) | |
Introduce p_label, extensible security label storage for the MAC framework
in struct proc. While the process label is actually stored in the
struct ucred pointed to by p_ucred, there is a need for transient
storage that may be used when asynchronous (deferred) updates need to
be performed on the "real" label for locking reasons. Unlike other
label storage, this label has no locking semantics, relying on policies
to provide their own protection for the label contents, meaning that
a policy leaf mutex may be used, avoiding lock order issues. This
permits policies that act based on historical process behavior (such
as audit policies, the MAC Framework port of LOMAC, etc.) to update
process properties even when many existing locks are held without
violating the lock order. No currently committed policies implement use
of this label storage.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/sys/mac.h')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | sys/sys/mac.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/sys/mac.h b/sys/sys/mac.h index 3e7e6bb..89c6efc 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h @@ -146,6 +146,7 @@ int mac_init_socket(struct socket *, int flag); void mac_init_pipe(struct pipe *); int mac_init_mbuf(struct mbuf *m, int flag); void mac_init_mount(struct mount *); +void mac_init_proc(struct proc *); void mac_init_vnode(struct vnode *); void mac_init_vnode_label(struct label *); void mac_copy_vnode_label(struct label *, struct label *label); @@ -156,6 +157,7 @@ void mac_destroy_ifnet(struct ifnet *); void mac_destroy_ipq(struct ipq *); void mac_destroy_socket(struct socket *); void mac_destroy_pipe(struct pipe *); +void mac_destroy_proc(struct proc *); void mac_destroy_mbuf(struct mbuf *); void mac_destroy_mount(struct mount *); void mac_destroy_vnode(struct vnode *); |
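Review bot: in the first hunk (`@@ -146,6 +146,7 @@`), the new `mac_init_proc(struct proc *)` prototype carries no comment about the contract the commit message describes, namely that the label it initializes has no locking semantics and that each policy must protect the label contents itself (for example with a policy leaf mutex). Since policy authors will read this header rather than the commit log, a one-line comment above the prototype stating that invariant would avoid later callers assuming the label is covered by the proc lock. Also note that, like `mac_init_mount`, the new function returns `void` rather than `int` with a `flag` argument as `mac_init_socket` and `mac_init_mbuf` do, so policy initialization hooks cannot report failure; confirm that is intended for process creation. This view is limited to `sys/sys/mac.h`, so the matching definition and its call site in the process allocation path should be confirmed in the rest of the commit.

Review bot: in the second hunk (`@@ -156,6 +157,7 @@`), `mac_destroy_proc` is inserted after `mac_destroy_pipe` and before `mac_destroy_mbuf`, while in the first hunk `mac_init_proc` sits after `mac_init_mount` and before `mac_init_vnode`. Keeping the init and destroy lists in parallel order (either both after the `mount` entry or both after the `pipe` entry) makes it easier to verify by inspection that every `mac_init_*` has a matching `mac_destroy_*`, which matters here because the label is per-process storage that must be torn down on every process exit path to avoid leaking policy-owned state.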