Diffstat (limited to 'sys')
-rw-r--r-- | sys/security/mac/mac_framework.h | 146 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 59 | ||||
-rw-r--r-- | sys/sys/mac.h | 146 | ||||
-rw-r--r-- | sys/sys/mac_policy.h | 59 |
4 files changed, 216 insertions, 194 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 4acf755..cc4bd26 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -62,132 +62,104 @@ /* * MAC framework-related constants and limits. */ -#define MAC_MAX_POLICY_NAME 32 +#define MAC_MAX_POLICY_NAME 32 +#define MAC_MAX_LABEL_ELEMENT_NAME 32 +#define MAC_MAX_LABEL_ELEMENT_DATA 4096 +#define MAC_MAX_LABEL_BUF_LEN 8192 + +struct mac { + size_t m_buflen; + char *m_string; +}; + +typedef struct mac *mac_t; + +#ifndef _KERNEL + +/* + * Location of the userland MAC framework configuration file. mac.conf + * binds policy names to shared libraries that understand those policies, + * as well as setting defaults for MAC-aware applications. + */ +#define MAC_CONFFILE "/etc/mac.conf" /* - * XXXMAC: Per-policy structures will be moved from mac.h to per-policy - * include files once the revised user interface is available. + * Extended non-POSIX.1e interfaces that offer additional services + * available from the userland and kernel MAC frameworks. */ +int mac_free(mac_t _label); +int mac_from_text(mac_t *_label, const char *_text); +int mac_get_fd(int _fd, mac_t _label); +int mac_get_file(const char *_path, mac_t _label); +int mac_get_link(const char *_path, mac_t _label); +int mac_get_pid(pid_t _pid, mac_t _label); +int mac_get_proc(mac_t _label); +int mac_is_present(const char *_policyname); +int mac_prepare(mac_t *_label, char *_elements); +int mac_prepare_file_label(mac_t *_label); +int mac_prepare_ifnet_label(mac_t *_label); +int mac_prepare_process_label(mac_t *_label); +int mac_set_fd(int _fildes, const mac_t _label); +int mac_set_file(const char *_path, mac_t _label); +int mac_set_link(const char *_path, mac_t _label); +int mac_set_proc(const mac_t _label); +int mac_syscall(const char *_policyname, int _call, void *_arg); +int mac_to_text(mac_t mac, char **_text); + +#endif /* !_KERNEL */ /* - * Structures and constants associated with a Biba Integrity policy. - * mac_biba represents a Biba label, with mb_type determining its properties, - * and mb_grade represents the hierarchal grade if valid for the current - * mb_type. 
These structures will move to mac_biba.h once we have dymamic - * labels exposed to userland. + * XXXMAC: For compatibility until the labels on disk are changed. We + * will enable the definitions in various policy include files once + * these can be disabled. */ + #define MAC_BIBA_MAX_COMPARTMENTS 256 + struct mac_biba_element { u_short mbe_type; u_short mbe_grade; u_char mbe_compartments[MAC_BIBA_MAX_COMPARTMENTS >> 3]; }; -/* - * Biba labels consist of two components: a single label, and a label - * range. Depending on the context, one or both may be used; the mb_flags - * field permits the provider to indicate what fields are intended for - * use. - */ struct mac_biba { int mb_flags; struct mac_biba_element mb_single; - struct mac_biba_element mb_rangelow, mb_rangehigh; + struct mac_biba_element mb_rangelow, mb_rangehigh; }; -/* - * Structures and constants associated with a Multi-Level Security policy. - * mac_mls represents an MLS label, with mm_type determining its properties, - * and mm_level represents the hierarchal sensitivity level if valid for the - * current mm_type. These structures will move to mac_mls.h once we have - * dynamic labels exposed to userland. - */ #define MAC_MLS_MAX_COMPARTMENTS 256 + struct mac_mls_element { u_short mme_type; u_short mme_level; u_char mme_compartments[MAC_MLS_MAX_COMPARTMENTS >> 3]; }; -/* - * MLS labels consist of two components: a single label, and a label - * range. Depending on the context, one or both may be used; the mb_flags - * field permits the provider to indicate what fields are intended for - * use. - */ struct mac_mls { int mm_flags; struct mac_mls_element mm_single; struct mac_mls_element mm_rangelow, mm_rangehigh; }; -/* - * Structures and constants associated with a Type Enforcement policy. - * mac_te represents a Type Enforcement label. 
- */ #define MAC_TE_TYPE_MAXLEN 32 struct mac_te { - char mt_type[MAC_TE_TYPE_MAXLEN+1]; /* TE type */ + char mt_type[MAC_TE_TYPE_MAXLEN]; }; struct mac_sebsd { - uint32_t ms_psid; /* persistent sid storage */ + uint32_t ms_psid; }; -/* - * Composite structures and constants which combine the various policy - * elements into common structures to be associated with subjects and - * objects. - */ -struct mac { - int m_macflags; - struct mac_biba m_biba; - struct mac_mls m_mls; - struct mac_te m_te; - struct mac_sebsd m_sebsd; +struct oldmac { + int m_macflags; + struct mac_biba m_biba; + struct mac_mls m_mls; + struct mac_te m_te; + struct mac_sebsd m_sebsd; }; -typedef struct mac *mac_t; - -#define MAC_FLAG_INITIALIZED 0x00000001 /* Is initialized. */ - -#ifndef _KERNEL - -/* - * POSIX.1e functions visible in the application namespace. - */ -int mac_dominate(const mac_t _labela, const mac_t _labelb); -int mac_equal(const mac_t labela, const mac_t _labelb); -int mac_free(void *_buf_p); -mac_t mac_from_text(const char *_text_p); -mac_t mac_get_fd(int _fildes); -mac_t mac_get_file(const char *_path_p); -mac_t mac_get_proc(void); -mac_t mac_glb(const mac_t _labela, const mac_t _labelb); -mac_t mac_lub(const mac_t _labela, const mac_t _labelb); -int mac_set_fd(int _fildes, const mac_t _label); -int mac_set_file(const char *_path_p, mac_t _label); -int mac_set_proc(const mac_t _label); -ssize_t mac_size(mac_t _label); -char * mac_to_text(const mac_t _label, size_t *_len_p); -int mac_valid(const mac_t _label); - -/* - * Extensions to POSIX.1e visible in the application namespace. - */ -int mac_is_present_np(const char *_policyname); -int mac_syscall(const char *_policyname, int call, void *arg); -/* - * System calls wrapped by some POSIX.1e functions. 
- */ -int __mac_get_fd(int _fd, struct mac *_mac_p); -int __mac_get_file(const char *_path_p, struct mac *_mac_p); -int __mac_get_proc(struct mac *_mac_p); -int __mac_set_fd(int fd, struct mac *_mac_p); -int __mac_set_file(const char *_path_p, struct mac *_mac_p); -int __mac_set_proc(struct mac *_mac_p); - -#else /* _KERNEL */ +#ifdef _KERNEL /* * Kernel functions to manage and evaluate labels. @@ -247,9 +219,9 @@ void mac_destroy_vnode(struct vnode *); void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de); void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de); -void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp); void mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd, struct devfs_dirent *de); +void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp); void mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child); void mac_create_mount(struct ucred *cred, struct mount *mp); diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index e003f84..28ed3a8 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -83,7 +83,6 @@ struct mac_policy_ops { int (*mpo_init_socket_label)(struct label *label, int flag); int (*mpo_init_socket_peer_label)(struct label *label, int flag); void (*mpo_init_pipe_label)(struct label *label); - void (*mpo_init_temp_label)(struct label *label); void (*mpo_init_vnode_label)(struct label *label); void (*mpo_destroy_bpfdesc_label)(struct label *label); void (*mpo_destroy_cred_label)(struct label *label); 
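Review bot: The compatibility block shrinks `struct mac_te` from `char mt_type[MAC_TE_TYPE_MAXLEN+1];` to `char mt_type[MAC_TE_TYPE_MAXLEN];`, which changes the size and layout of `struct oldmac` and removes the byte that held the terminator for a full 32-character type — at odds with the hunk's own XXXMAC comment that these definitions are kept for compatibility with labels already on disk. Any code outside this diff that still fills mt_type with a 32-character type plus NUL would now write one byte past the array, or leave an unterminated string for str* routines to walk off. Either restore the `+1`, or if the field is now meant to be a fixed-width record, say so beside it, `/* Not NUL-terminated when the type is MAC_TE_TYPE_MAXLEN long. */`, and make sure the oldmac externalize/internalize paths use memcpy/strnlen rather than strcpy/strlen. Separately, the new `struct mac` carries a caller-controlled `m_buflen` and `m_string` across the system-call boundary and nothing in the header says that `MAC_MAX_LABEL_BUF_LEN` is the bound the kernel applies before copying the string in; a one-line comment on the struct would make that contract visible to both the kernel and libc sides.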
@@ -96,11 +95,41 @@ struct mac_policy_ops { void (*mpo_destroy_socket_label)(struct label *label); void (*mpo_destroy_socket_peer_label)(struct label *label); void (*mpo_destroy_pipe_label)(struct label *label); - void (*mpo_destroy_temp_label)(struct label *label); void (*mpo_destroy_vnode_label)(struct label *label); - - int (*mpo_externalize)(struct label *label, struct mac *extmac); - int (*mpo_internalize)(struct label *label, struct mac *extmac); + void (*mpo_copy_pipe_label)(struct label *src, + struct label *dest); + void (*mpo_copy_vnode_label)(struct label *src, + struct label *dest); + int (*mpo_externalize_cred_label)(struct label *label, + char *element_name, char *buffer, size_t buflen, + size_t *len, int *claimed); + int (*mpo_externalize_ifnet_label)(struct label *label, + char *element_name, char *buffer, size_t buflen, + size_t *len, int *claimed); + int (*mpo_externalize_pipe_label)(struct label *label, + char *element_name, char *buffer, size_t buflen, + size_t *len, int *claimed); + int (*mpo_externalize_socket_label)(struct label *label, + char *element_name, char *buffer, size_t buflen, + size_t *len, int *claimed); + int (*mpo_externalize_socket_peer_label)(struct label *label, + char *element_name, char *buffer, size_t buflen, + size_t *len, int *claimed); + int (*mpo_externalize_vnode_label)(struct label *label, + char *element_name, char *buffer, size_t buflen, + size_t *len, int *claimed); + int (*mpo_externalize_vnode_oldmac)(struct label *label, + struct oldmac *extmac); + int (*mpo_internalize_cred_label)(struct label *label, + char *element_name, char *element_data, int *claimed); + int (*mpo_internalize_ifnet_label)(struct label *label, + char *element_name, char *element_data, int *claimed); + int (*mpo_internalize_pipe_label)(struct label *label, + char *element_name, char *element_data, int *claimed); + int (*mpo_internalize_socket_label)(struct label *label, + char *element_name, char *element_data, int *claimed); + int 
(*mpo_internalize_vnode_label)(struct label *label, + char *element_name, char *element_data, int *claimed); /* * Labeling event operations: file system objects, and things that @@ -136,7 +165,7 @@ struct mac_policy_ops { struct label *vnodelabel, struct mount *mp, struct label *fslabel); int (*mpo_update_vnode_from_externalized)(struct vnode *vp, - struct label *vnodelabel, struct mac *mac); + struct label *vnodelabel, struct oldmac *extmac); void (*mpo_update_vnode_from_mount)(struct vnode *vp, struct label *vnodelabel, struct mount *mp, struct label *fslabel); @@ -379,7 +408,6 @@ enum mac_op_constant { MAC_INIT_PIPE_LABEL, MAC_INIT_SOCKET_LABEL, MAC_INIT_SOCKET_PEER_LABEL, - MAC_INIT_TEMP_LABEL, MAC_INIT_VNODE_LABEL, MAC_DESTROY_BPFDESC_LABEL, MAC_DESTROY_CRED_LABEL, @@ -392,10 +420,21 @@ enum mac_op_constant { MAC_DESTROY_PIPE_LABEL, MAC_DESTROY_SOCKET_LABEL, MAC_DESTROY_SOCKET_PEER_LABEL, - MAC_DESTROY_TEMP_LABEL, MAC_DESTROY_VNODE_LABEL, - MAC_EXTERNALIZE, - MAC_INTERNALIZE, + MAC_COPY_PIPE_LABEL, + MAC_COPY_VNODE_LABEL, + MAC_EXTERNALIZE_CRED_LABEL, + MAC_EXTERNALIZE_IFNET_LABEL, + MAC_EXTERNALIZE_PIPE_LABEL, + MAC_EXTERNALIZE_SOCKET_LABEL, + MAC_EXTERNALIZE_SOCKET_PEER_LABEL, + MAC_EXTERNALIZE_VNODE_LABEL, + MAC_EXTERNALIZE_VNODE_OLDMAC, + MAC_INTERNALIZE_CRED_LABEL, + MAC_INTERNALIZE_IFNET_LABEL, + MAC_INTERNALIZE_PIPE_LABEL, + MAC_INTERNALIZE_SOCKET_LABEL, + MAC_INTERNALIZE_VNODE_LABEL, MAC_CREATE_DEVFS_DEVICE, MAC_CREATE_DEVFS_DIRECTORY, MAC_CREATE_DEVFS_SYMLINK, diff --git a/sys/sys/mac.h b/sys/sys/mac.h index 4acf755..cc4bd26 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h 
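Review bot: The new `mpo_internalize_*_label` entry points take `char *element_name, char *element_data` with no length, so a policy can only rely on NUL-termination and cannot tell from this header that the data originates from userland (`mac_set_*` in mac_framework.h) and is bounded by `MAC_MAX_LABEL_ELEMENT_DATA`; the externalize side, by contrast, passes `buflen` and `len` explicitly. Both parameters should be `const char *` — a policy has no business rewriting the framework's parse buffer — and the struct deserves a comment stating the contract, e.g. `/* element_name/element_data are NUL-terminated, framework-bounded copies of untrusted user input; parse defensively and set *claimed only for names this policy owns. */`. Also worth a line: `mpo_externalize_socket_peer_label` gains no `mpo_internalize_socket_peer_label` counterpart; if that is deliberate (peer labels presumably being kernel-derived rather than user-settable) a short comment saying so would stop someone adding it later.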
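Review bot: Removing `MAC_INIT_TEMP_LABEL`, `MAC_DESTROY_TEMP_LABEL`, `MAC_EXTERNALIZE` and `MAC_INTERNALIZE` from `enum mac_op_constant` and inserting fourteen new constants renumbers every value that follows (`MAC_CREATE_DEVFS_DEVICE` onward). If these constants are what policy modules hand to the framework to identify an entry in `mac_policy_ops`, as the one-to-one ordering with the struct suggests, a module built against the previous header will silently register its hooks under the wrong operations after this commit. A comment at the head of the enum (outside this hunk), `/* Order must match struct mac_policy_ops; adding or removing entries changes the policy-module ABI. */`, together with a bump of the policy interface version if one exists, would make the hazard explicit.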
@@ -62,132 +62,104 @@ /* * MAC framework-related constants and limits. */ -#define MAC_MAX_POLICY_NAME 32 +#define MAC_MAX_POLICY_NAME 32 +#define MAC_MAX_LABEL_ELEMENT_NAME 32 +#define MAC_MAX_LABEL_ELEMENT_DATA 4096 +#define MAC_MAX_LABEL_BUF_LEN 8192 + +struct mac { + size_t m_buflen; + char *m_string; +}; + +typedef struct mac *mac_t; + +#ifndef _KERNEL + +/* + * Location of the userland MAC framework configuration file. mac.conf + * binds policy names to shared libraries that understand those policies, + * as well as setting defaults for MAC-aware applications. + */ +#define MAC_CONFFILE "/etc/mac.conf" /* - * XXXMAC: Per-policy structures will be moved from mac.h to per-policy - * include files once the revised user interface is available. + * Extended non-POSIX.1e interfaces that offer additional services + * available from the userland and kernel MAC frameworks. */ +int mac_free(mac_t _label); +int mac_from_text(mac_t *_label, const char *_text); +int mac_get_fd(int _fd, mac_t _label); +int mac_get_file(const char *_path, mac_t _label); +int mac_get_link(const char *_path, mac_t _label); +int mac_get_pid(pid_t _pid, mac_t _label); +int mac_get_proc(mac_t _label); +int mac_is_present(const char *_policyname); +int mac_prepare(mac_t *_label, char *_elements); +int mac_prepare_file_label(mac_t *_label); +int mac_prepare_ifnet_label(mac_t *_label); +int mac_prepare_process_label(mac_t *_label); +int mac_set_fd(int _fildes, const mac_t _label); +int mac_set_file(const char *_path, mac_t _label); +int mac_set_link(const char *_path, mac_t _label); +int mac_set_proc(const mac_t _label); +int mac_syscall(const char *_policyname, int _call, void *_arg); +int mac_to_text(mac_t mac, char **_text); + +#endif /* !_KERNEL */ /* - * Structures and constants associated with a Biba Integrity policy. - * mac_biba represents a Biba label, with mb_type determining its properties, - * and mb_grade represents the hierarchal grade if valid for the current - * mb_type. 
These structures will move to mac_biba.h once we have dymamic - * labels exposed to userland. + * XXXMAC: For compatibility until the labels on disk are changed. We + * will enable the definitions in various policy include files once + * these can be disabled. */ + #define MAC_BIBA_MAX_COMPARTMENTS 256 + struct mac_biba_element { u_short mbe_type; u_short mbe_grade; u_char mbe_compartments[MAC_BIBA_MAX_COMPARTMENTS >> 3]; }; -/* - * Biba labels consist of two components: a single label, and a label - * range. Depending on the context, one or both may be used; the mb_flags - * field permits the provider to indicate what fields are intended for - * use. - */ struct mac_biba { int mb_flags; struct mac_biba_element mb_single; - struct mac_biba_element mb_rangelow, mb_rangehigh; + struct mac_biba_element mb_rangelow, mb_rangehigh; }; -/* - * Structures and constants associated with a Multi-Level Security policy. - * mac_mls represents an MLS label, with mm_type determining its properties, - * and mm_level represents the hierarchal sensitivity level if valid for the - * current mm_type. These structures will move to mac_mls.h once we have - * dynamic labels exposed to userland. - */ #define MAC_MLS_MAX_COMPARTMENTS 256 + struct mac_mls_element { u_short mme_type; u_short mme_level; u_char mme_compartments[MAC_MLS_MAX_COMPARTMENTS >> 3]; }; -/* - * MLS labels consist of two components: a single label, and a label - * range. Depending on the context, one or both may be used; the mb_flags - * field permits the provider to indicate what fields are intended for - * use. - */ struct mac_mls { int mm_flags; struct mac_mls_element mm_single; struct mac_mls_element mm_rangelow, mm_rangehigh; }; -/* - * Structures and constants associated with a Type Enforcement policy. - * mac_te represents a Type Enforcement label. 
- */ #define MAC_TE_TYPE_MAXLEN 32 struct mac_te { - char mt_type[MAC_TE_TYPE_MAXLEN+1]; /* TE type */ + char mt_type[MAC_TE_TYPE_MAXLEN]; }; struct mac_sebsd { - uint32_t ms_psid; /* persistent sid storage */ + uint32_t ms_psid; }; -/* - * Composite structures and constants which combine the various policy - * elements into common structures to be associated with subjects and - * objects. - */ -struct mac { - int m_macflags; - struct mac_biba m_biba; - struct mac_mls m_mls; - struct mac_te m_te; - struct mac_sebsd m_sebsd; +struct oldmac { + int m_macflags; + struct mac_biba m_biba; + struct mac_mls m_mls; + struct mac_te m_te; + struct mac_sebsd m_sebsd; }; -typedef struct mac *mac_t; - -#define MAC_FLAG_INITIALIZED 0x00000001 /* Is initialized. */ - -#ifndef _KERNEL - -/* - * POSIX.1e functions visible in the application namespace. - */ -int mac_dominate(const mac_t _labela, const mac_t _labelb); -int mac_equal(const mac_t labela, const mac_t _labelb); -int mac_free(void *_buf_p); -mac_t mac_from_text(const char *_text_p); -mac_t mac_get_fd(int _fildes); -mac_t mac_get_file(const char *_path_p); -mac_t mac_get_proc(void); -mac_t mac_glb(const mac_t _labela, const mac_t _labelb); -mac_t mac_lub(const mac_t _labela, const mac_t _labelb); -int mac_set_fd(int _fildes, const mac_t _label); -int mac_set_file(const char *_path_p, mac_t _label); -int mac_set_proc(const mac_t _label); -ssize_t mac_size(mac_t _label); -char * mac_to_text(const mac_t _label, size_t *_len_p); -int mac_valid(const mac_t _label); - -/* - * Extensions to POSIX.1e visible in the application namespace. - */ -int mac_is_present_np(const char *_policyname); -int mac_syscall(const char *_policyname, int call, void *arg); -/* - * System calls wrapped by some POSIX.1e functions. 
- */ -int __mac_get_fd(int _fd, struct mac *_mac_p); -int __mac_get_file(const char *_path_p, struct mac *_mac_p); -int __mac_get_proc(struct mac *_mac_p); -int __mac_set_fd(int fd, struct mac *_mac_p); -int __mac_set_file(const char *_path_p, struct mac *_mac_p); -int __mac_set_proc(struct mac *_mac_p); - -#else /* _KERNEL */ +#ifdef _KERNEL /* * Kernel functions to manage and evaluate labels. @@ -247,9 +219,9 @@ void mac_destroy_vnode(struct vnode *); void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de); void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de); -void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp); void mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd, struct devfs_dirent *de); +void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp); void mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child); void mac_create_mount(struct ucred *cred, struct mount *mp); diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h index e003f84..28ed3a8 100644 --- a/sys/sys/mac_policy.h +++ b/sys/sys/mac_policy.h @@ -83,7 +83,6 @@ struct mac_policy_ops { int (*mpo_init_socket_label)(struct label *label, int flag); int (*mpo_init_socket_peer_label)(struct label *label, int flag); void (*mpo_init_pipe_label)(struct label *label); - void (*mpo_init_temp_label)(struct label *label); void (*mpo_init_vnode_label)(struct label *label); void (*mpo_destroy_bpfdesc_label)(struct label *label); void (*mpo_destroy_cred_label)(struct label *label); 
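Review bot: This hunk is byte-for-byte the one in sys/security/mac/mac_framework.h (same blob ids `4acf755..cc4bd26`), so the same concern applies: `struct mac_te` loses the `+1` on `mt_type` while the surrounding XXXMAC comment says these structures are kept for on-disk compatibility, and a 32-character type no longer has room for its terminator. Keeping two identical copies of the header under sys/sys and sys/security/mac also means every later fix has to land twice; if one path is meant as a compatibility shim it should simply `#include` the other rather than duplicate the definitions. Whether the duplication is an artifact of how the repository was imported cannot be told from the diff alone.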
@@ -96,11 +95,41 @@ struct mac_policy_ops { void (*mpo_destroy_socket_label)(struct label *label); void (*mpo_destroy_socket_peer_label)(struct label *label); void (*mpo_destroy_pipe_label)(struct label *label); - void (*mpo_destroy_temp_label)(struct label *label); void (*mpo_destroy_vnode_label)(struct label *label); - - int (*mpo_externalize)(struct label *label, struct mac *extmac); - int (*mpo_internalize)(struct label *label, struct mac *extmac); + void (*mpo_copy_pipe_label)(struct label *src, + struct label *dest); + void (*mpo_copy_vnode_label)(struct label *src, + struct label *dest); + int (*mpo_externalize_cred_label)(struct label *label, + char *element_name, char *buffer, size_t buflen, + size_t *len, int *claimed); + int (*mpo_externalize_ifnet_label)(struct label *label, + char *element_name, char *buffer, size_t buflen, + size_t *len, int *claimed); + int (*mpo_externalize_pipe_label)(struct label *label, + char *element_name, char *buffer, size_t buflen, + size_t *len, int *claimed); + int (*mpo_externalize_socket_label)(struct label *label, + char *element_name, char *buffer, size_t buflen, + size_t *len, int *claimed); + int (*mpo_externalize_socket_peer_label)(struct label *label, + char *element_name, char *buffer, size_t buflen, + size_t *len, int *claimed); + int (*mpo_externalize_vnode_label)(struct label *label, + char *element_name, char *buffer, size_t buflen, + size_t *len, int *claimed); + int (*mpo_externalize_vnode_oldmac)(struct label *label, + struct oldmac *extmac); + int (*mpo_internalize_cred_label)(struct label *label, + char *element_name, char *element_data, int *claimed); + int (*mpo_internalize_ifnet_label)(struct label *label, + char *element_name, char *element_data, int *claimed); + int (*mpo_internalize_pipe_label)(struct label *label, + char *element_name, char *element_data, int *claimed); + int (*mpo_internalize_socket_label)(struct label *label, + char *element_name, char *element_data, int *claimed); + int 
(*mpo_internalize_vnode_label)(struct label *label, + char *element_name, char *element_data, int *claimed); /* * Labeling event operations: file system objects, and things that @@ -136,7 +165,7 @@ struct mac_policy_ops { struct label *vnodelabel, struct mount *mp, struct label *fslabel); int (*mpo_update_vnode_from_externalized)(struct vnode *vp, - struct label *vnodelabel, struct mac *mac); + struct label *vnodelabel, struct oldmac *extmac); void (*mpo_update_vnode_from_mount)(struct vnode *vp, struct label *vnodelabel, struct mount *mp, struct label *fslabel); @@ -379,7 +408,6 @@ enum mac_op_constant { MAC_INIT_PIPE_LABEL, MAC_INIT_SOCKET_LABEL, MAC_INIT_SOCKET_PEER_LABEL, - MAC_INIT_TEMP_LABEL, MAC_INIT_VNODE_LABEL, MAC_DESTROY_BPFDESC_LABEL, MAC_DESTROY_CRED_LABEL, @@ -392,10 +420,21 @@ enum mac_op_constant { MAC_DESTROY_PIPE_LABEL, MAC_DESTROY_SOCKET_LABEL, MAC_DESTROY_SOCKET_PEER_LABEL, - MAC_DESTROY_TEMP_LABEL, MAC_DESTROY_VNODE_LABEL, - MAC_EXTERNALIZE, - MAC_INTERNALIZE, + MAC_COPY_PIPE_LABEL, + MAC_COPY_VNODE_LABEL, + MAC_EXTERNALIZE_CRED_LABEL, + MAC_EXTERNALIZE_IFNET_LABEL, + MAC_EXTERNALIZE_PIPE_LABEL, + MAC_EXTERNALIZE_SOCKET_LABEL, + MAC_EXTERNALIZE_SOCKET_PEER_LABEL, + MAC_EXTERNALIZE_VNODE_LABEL, + MAC_EXTERNALIZE_VNODE_OLDMAC, + MAC_INTERNALIZE_CRED_LABEL, + MAC_INTERNALIZE_IFNET_LABEL, + MAC_INTERNALIZE_PIPE_LABEL, + MAC_INTERNALIZE_SOCKET_LABEL, + MAC_INTERNALIZE_VNODE_LABEL, MAC_CREATE_DEVFS_DEVICE, MAC_CREATE_DEVFS_DIRECTORY, MAC_CREATE_DEVFS_SYMLINK, |
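Review bot: As in sys/security/mac/mac_policy.h, the `mpo_internalize_*_label` hooks receive `char *element_name, char *element_data` with no length and no indication that the data is user-supplied through `mac_set_*` and bounded by `MAC_MAX_LABEL_ELEMENT_DATA`; both should be `const char *`, and the contract (NUL-terminated, framework-bounded, untrusted input; set `*claimed` only for names the policy owns) belongs in a comment above the declarations. Because this file is an identical copy of the other header, the two must be kept in lockstep or one should include the other.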