Diffstat (limited to 'en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml')
-rw-r--r-- | en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml | 432 |
1 files changed, 210 insertions, 222 deletions
diff --git a/en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml b/en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml index 923dd53eb6..215b9557de 100644 --- a/en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml +++ b/en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml @@ -32,35 +32,24 @@ $FreeBSD$ --> - -<chapter id="mac"> - <chapterinfo> +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="mac"> + <info><title>The TrustedBSD MAC Framework</title> <authorgroup> - <author> - <firstname>Chris</firstname> - <surname>Costello</surname> - - <affiliation> + <author><personname><firstname>Chris</firstname><surname>Costello</surname></personname><affiliation> <orgname>TrustedBSD Project</orgname> <address><email>chris@FreeBSD.org</email></address> - </affiliation> - </author> - - <author> - <firstname>Robert</firstname> - <surname>Watson</surname> + </affiliation></author> - <affiliation> + <author><personname><firstname>Robert</firstname><surname>Watson</surname></personname><affiliation> <orgname>TrustedBSD Project</orgname> <address><email>rwatson@FreeBSD.org</email></address> - </affiliation> - </author> + </affiliation></author> </authorgroup> - </chapterinfo> + </info> - <title>The TrustedBSD MAC Framework</title> + - <sect1 id="mac-copyright"> + <sect1 xml:id="mac-copyright"> <title>MAC Documentation Copyright</title> <para>This documentation was developed for the FreeBSD Project by @@ -110,7 +99,7 @@ </important> </sect1> - <sect1 id="mac-synopsis"> + <sect1 xml:id="mac-synopsis"> <title>Synopsis</title> <para>FreeBSD includes experimental support for several @@ -129,7 +118,7 @@ </sect1> - <sect1 id="mac-introduction"> + <sect1 xml:id="mac-introduction"> <title>Introduction</title> <para>The TrustedBSD MAC framework provides a mechanism to allow 
@@ -148,7 +137,7 @@ access control extension of the kernel.</para> </sect1> - <sect1 id="mac-background"> + <sect1 xml:id="mac-background"> <title>Policy Background</title> <para>Mandatory Access Control (MAC), refers to a set of @@ -180,7 +169,7 @@ flexibility in how they authorize protections.</para> </sect1> - <sect1 id="mac-framework-kernel-arch"> + <sect1 xml:id="mac-framework-kernel-arch"> <title>MAC Framework Kernel Architecture</title> <para>The TrustedBSD MAC Framework permits kernel modules to @@ -191,7 +180,7 @@ some definition of useful) compose the results of the policies.</para> - <sect2 id="mac-framework-kernel-arch-elements"> + <sect2 xml:id="mac-framework-kernel-arch-elements"> <title>Kernel Elements</title> <para>The MAC Framework contains a number of kernel elements:</para> @@ -221,7 +210,7 @@ </itemizedlist> </sect2> - <sect2 id="mac-framework-kernel-arch-management"> + <sect2 xml:id="mac-framework-kernel-arch-management"> <title>Framework Management Interfaces</title> <para>The TrustedBSD MAC Framework may be directly managed using @@ -247,7 +236,7 @@ events, including preventing undesired unloading of the policy.</para> </sect2> - <sect2 id="mac-framework-kernel-arch-synchronization"> + <sect2 xml:id="mac-framework-kernel-arch-synchronization"> <title>Policy List Concurrency and Synchronization</title> <para>As the set of active policies may change at run-time, @@ -286,7 +275,7 @@ framework to become idle.</para> </sect2> - <sect2 id="mac-framework-kernel-arch-label-synchronization"> + <sect2 xml:id="mac-framework-kernel-arch-label-synchronization"> <title>Label Synchronization</title> <para>As kernel objects of interest may generally be accessed from 
@@ -311,7 +300,7 @@ the label state attached to the credential.</para> </sect2> - <sect2 id="mac-framework-kernel-arch-policy-synchronization"> + <sect2 xml:id="mac-framework-kernel-arch-policy-synchronization"> <title>Policy Synchronization and Concurrency</title> <para>Policy modules must be written to assume that many @@ -338,7 +327,7 @@ locks in the global lock order, helping to avoid deadlock.</para> </sect2> - <sect2 id="mac-framework-kernel-arch-registration"> + <sect2 xml:id="mac-framework-kernel-arch-registration"> <title>Policy Registration</title> <para>The MAC Framework maintains two lists of active @@ -361,7 +350,7 @@ not unloadable.</para> </sect2> - <sect2 id="mac-framework-kernel-arch-entrypoints"> + <sect2 xml:id="mac-framework-kernel-arch-entrypoints"> <title>Entry Points</title> <para>Kernel services interact with the MAC Framework in two ways: @@ -385,7 +374,7 @@ sockets and label transition at program execution.</para> </sect2> - <sect2 id="mac-framework-kernel-arch-composition"> + <sect2 xml:id="mac-framework-kernel-arch-composition"> <title>Policy Composition</title> <para>When more than one policy module is loaded into the kernel @@ -406,7 +395,7 @@ composition.</para> </sect2> - <sect2 id="mac-framework-kernel-arch-labels"> + <sect2 xml:id="mac-framework-kernel-arch-labels"> <title>Labeling Support</title> <para>As many interesting access control extensions rely on 
@@ -422,8 +411,8 @@ of string-based labels provides by user applications, and can expose multiple label elements to applications if desired.</para> - <para>In-memory labels are stored in slab-allocated <structname>struct - label</structname>, which consists of a fixed-length array + <para>In-memory labels are stored in slab-allocated <varname remap="structname">struct + label</varname>, which consists of a fixed-length array of unions, each holding a <literal>void *</literal> pointer and a <literal>long</literal>. Policies registering for label storage will be assigned a "slot" identifier, which @@ -483,7 +472,7 @@ unload-reload operations for labeled policies.</para></note> </sect2> - <sect2 id="mac-framework-kernel-arch-syscalls"> + <sect2 xml:id="mac-framework-kernel-arch-syscalls"> <title>System Calls</title> <para>The MAC Framework implements a number of system calls: @@ -492,7 +481,7 @@ applications.</para> <para>The label management calls accept a label description - structure, <structname>struct mac</structname>, which + structure, <varname remap="structname">struct mac</varname>, which contains a series of MAC label elements. Each element contains a character string name, and character string value. Each policy will be given the chance to claim a @@ -590,7 +579,7 @@ </sect2> </sect1> - <sect1 id="mac-policy-architecture"> + <sect1 xml:id="mac-policy-architecture"> <title>MAC Policy Architecture</title> <para>Security policies are either linked directly into the kernel, @@ -618,7 +607,7 @@ points, and policy properties.</para></listitem> </itemizedlist> - <sect2 id="mac-policy-declaration"> + <sect2 xml:id="mac-policy-declaration"> <title>Policy Declaration</title> <para>Modules may be declared using the @@ -670,7 +659,7 @@ processes.</para> </sect2> - <sect2 id="mac-policy-flags"> + <sect2 xml:id="mac-policy-flags"> <title>Policy Flags</title> <para>The policy declaration flags field permits the module to 
@@ -737,7 +726,7 @@ to have label storage.</para></note> </sect2> - <sect2 id="mac-policy-entry-points"> + <sect2 xml:id="mac-policy-entry-points"> <title>Policy Entry Points</title> <para>Four classes of entry points are offered to policies @@ -772,13 +761,13 @@ </sect2> </sect1> - <sect1 id="mac-entry-point-reference"> + <sect1 xml:id="mac-entry-point-reference"> <title>MAC Policy Entry Point Reference</title> - <sect2 id="mac-mpo-general"> + <sect2 xml:id="mac-mpo-general"> <title>General-Purpose Module Entry Points</title> - <sect3 id="mac-mpo-init"> + <sect3 xml:id="mac-mpo-init"> <title><function>&mac.mpo;_init</function></title> <funcsynopsis> @@ -812,7 +801,7 @@ SYSINIT().</para> </sect3> - <sect3 id="mpo-destroy"> + <sect3 xml:id="mpo-destroy"> <title><function>&mac.mpo;_destroy</function></title> <funcsynopsis> @@ -842,7 +831,7 @@ caution should be applied.</para> </sect3> - <sect3 id="mac-mpo-syscall"> + <sect3 xml:id="mac-mpo-syscall"> <title><function>&mac.mpo;_syscall</function></title> <funcsynopsis> @@ -898,7 +887,7 @@ own.</para></note> </sect3> - <sect3 id="mac-mpo-thread-userret"> + <sect3 xml:id="mac-mpo-thread-userret"> <title><function>&mac.mpo;_thread_userret</function></title> <funcsynopsis> @@ -948,10 +937,10 @@ </sect3> </sect2> - <sect2 id="mac-label-ops"> + <sect2 xml:id="mac-label-ops"> <title>Label Operations</title> - <sect3 id="mac-mpo-init-bpfdesc"> + <sect3 xml:id="mac-mpo-init-bpfdesc"> <title><function>&mac.mpo;_init_bpfdesc_label</function></title> <funcsynopsis> @@ -981,7 +970,7 @@ descriptor). Sleeping is permitted.</para> </sect3> - <sect3 id="mac-mpo-init-cred-label"> + <sect3 xml:id="mac-mpo-init-cred-label"> <title><function>&mac.mpo;_init_cred_label</function></title> <funcsynopsis> 
@@ -1011,7 +1000,7 @@ user credential. Sleeping is permitted.</para> </sect3> - <sect3 id="mac-mpo-init-devfsdirent"> + <sect3 xml:id="mac-mpo-init-devfsdirent"> <title><function>&mac.mpo;_init_devfsdirent_label</function></title> <funcsynopsis> @@ -1041,7 +1030,7 @@ entry. Sleeping is permitted.</para> </sect3> - <sect3 id="mac-mpo-init-ifnet"> + <sect3 xml:id="mac-mpo-init-ifnet"> <title><function>&mac.mpo;_init_ifnet_label</function></title> <funcsynopsis> @@ -1071,7 +1060,7 @@ interface. Sleeping is permitted.</para> </sect3> - <sect3 id="mac-mpo-init-ipq"> + <sect3 xml:id="mac-mpo-init-ipq"> <title><function>&mac.mpo;_init_ipq_label</function></title> <funcsynopsis> @@ -1116,7 +1105,7 @@ the IP fragment reassembly queue.</para> </sect3> - <sect3 id="mac-mpo-init-mbuf"> + <sect3 xml:id="mac-mpo-init-mbuf"> <title><function>&mac.mpo;_init_mbuf_label</function></title> <funcsynopsis> @@ -1162,7 +1151,7 @@ the mbuf header.</para> </sect3> - <sect3 id="mac-mpo-init-mount"> + <sect3 xml:id="mac-mpo-init-mount"> <title><function>&mac.mpo;_init_mount_label</function></title> <funcsynopsis> @@ -1202,7 +1191,7 @@ point. Sleeping is permitted.</para> </sect3> - <sect3 id="mac-mpo-init-mount-fs-label"> + <sect3 xml:id="mac-mpo-init-mount-fs-label"> <title><function>&mac.mpo;_init_mount_fs_label</function></title> <funcsynopsis> @@ -1232,7 +1221,7 @@ system. Sleeping is permitted</para> </sect3> - <sect3 id="mac-mpo-init-pipe-label"> + <sect3 xml:id="mac-mpo-init-pipe-label"> <title><function>&mac.mpo;_init_pipe_label</function></title> <funcsynopsis> @@ -1262,7 +1251,7 @@ is permitted.</para> </sect3> - <sect3 id="mac-mpo-init-socket"> + <sect3 xml:id="mac-mpo-init-socket"> <title><function>&mac.mpo;_init_socket_label</function></title> <funcsynopsis> 
@@ -1301,7 +1290,7 @@ during this initialization call.</para> </sect3> - <sect3 id="mac-mpo-init-socket-peer-label"> + <sect3 xml:id="mac-mpo-init-socket-peer-label"> <title><function>&mac.mpo;_init_socket_peer_label</function></title> <funcsynopsis> @@ -1340,7 +1329,7 @@ during this initialization call.</para> </sect3> - <sect3 id="mac-mpo-init-proc-label"> + <sect3 xml:id="mac-mpo-init-proc-label"> <title><function>&mac.mpo;_init_proc_label</function></title> <funcsynopsis> @@ -1371,7 +1360,7 @@ </sect3> - <sect3 id="mac-mpo-init-vnode"> + <sect3 xml:id="mac-mpo-init-vnode"> <title><function>&mac.mpo;_init_vnode_label</function></title> <funcsynopsis> @@ -1400,7 +1389,7 @@ <para>Initialize the label on a newly instantiated vnode. Sleeping is permitted.</para> </sect3> - <sect3 id="mac-mpo-destroy-bpfdesc"> + <sect3 xml:id="mac-mpo-destroy-bpfdesc"> <title><function>&mac.mpo;_destroy_bpfdesc_label</function></title> <funcsynopsis> @@ -1432,7 +1421,7 @@ destroyed.</para> </sect3> - <sect3 id="mac-mpo-destroy-cred"> + <sect3 xml:id="mac-mpo-destroy-cred"> <title><function>&mac.mpo;_destroy_cred_label</function></title> <funcsynopsis> @@ -1465,7 +1454,7 @@ </sect3> - <sect3 id="mac-mpo-destroy-devfsdirent"> + <sect3 xml:id="mac-mpo-destroy-devfsdirent"> <title><function>&mac.mpo;_destroy_devfsdirent_label</function></title> <funcsynopsis> @@ -1497,7 +1486,7 @@ be destroyed.</para> </sect3> - <sect3 id="mac-mpo-destroy-ifnet-label"> + <sect3 xml:id="mac-mpo-destroy-ifnet-label"> <title><function>&mac.mpo;_destroy_ifnet_label</function></title> <funcsynopsis> @@ -1529,7 +1518,7 @@ be destroyed.</para> </sect3> - <sect3 id="mac-mpo-destroy-ipq-label"> + <sect3 xml:id="mac-mpo-destroy-ipq-label"> <title><function>&mac.mpo;_destroy_ipq_label</function></title> <funcsynopsis> 
@@ -1561,7 +1550,7 @@ it may be destroyed.</para> </sect3> - <sect3 id="mac-mpo-destroy-mbuf-label"> + <sect3 xml:id="mac-mpo-destroy-mbuf-label"> <title><function>&mac.mpo;_destroy_mbuf_label</function></title> <funcsynopsis> @@ -1593,7 +1582,7 @@ be destroyed.</para> </sect3> - <sect3 id="mac-mpo-destroy-mount-label"> + <sect3 xml:id="mac-mpo-destroy-mount-label"> <title><function>&mac.mpo;_destroy_mount_label</function></title> <funcsynopsis> @@ -1625,7 +1614,7 @@ may be destroyed.</para> </sect3> - <sect3 id="mac-mpo-destroy-mount"> + <sect3 xml:id="mac-mpo-destroy-mount"> <title><function>&mac.mpo;_destroy_mount_label</function></title> <funcsynopsis> @@ -1652,7 +1641,7 @@ <row> <entry><parameter>fslabel</parameter></entry> - <entry>File system label being destroyed></entry> + <entry>File system label being destroyed></entry> </row> </tbody> </tgroup> @@ -1665,7 +1654,7 @@ destroyed.</para> </sect3> - <sect3 id="mac-mpo-destroy-socket"> + <sect3 xml:id="mac-mpo-destroy-socket"> <title><function>&mac.mpo;_destroy_socket_label</function></title> <funcsynopsis> @@ -1699,7 +1688,7 @@ destroyed.</para> </sect3> - <sect3 id="mac-mpo-destroy-socket-peer-label"> + <sect3 xml:id="mac-mpo-destroy-socket-peer-label"> <title><function>&mac.mpo;_destroy_socket_peer_label</function></title> <funcsynopsis> @@ -1731,7 +1720,7 @@ be destroyed.</para> </sect3> - <sect3 id="mac-mpo-destroy-pipe-label"> + <sect3 xml:id="mac-mpo-destroy-pipe-label"> <title><function>&mac.mpo;_destroy_pipe_label</function></title> <funcsynopsis> @@ -1763,7 +1752,7 @@ destroyed.</para> </sect3> - <sect3 id="mac-mpo-destroy-proc-label"> + <sect3 xml:id="mac-mpo-destroy-proc-label"> <title><function>&mac.mpo;_destroy_proc_label</function></title> <funcsynopsis> @@ -1794,7 +1783,7 @@ destroyed.</para> </sect3> - <sect3 id="mac-mpo-destroy-vnode-label"> + <sect3 xml:id="mac-mpo-destroy-vnode-label"> <title><function>&mac.mpo;_destroy_vnode_label</function></title> <funcsynopsis> 
@@ -1825,7 +1814,7 @@ destroyed.</para> </sect3> - <sect3 id="mac-mpo-copy-mbuf-label"> + <sect3 xml:id="mac-mpo-copy-mbuf-label"> <title><function>&mac.mpo;_copy_mbuf_label</function></title> <funcsynopsis> @@ -1863,7 +1852,7 @@ <parameter>dest</parameter>.</para> </sect3> - <sect3 id="mac-mpo-copy-pipe-label"> + <sect3 xml:id="mac-mpo-copy-pipe-label"> <title><function>&mac.mpo;_copy_pipe_label</function></title> <funcsynopsis> @@ -1901,7 +1890,7 @@ <parameter>dest</parameter>.</para> </sect3> - <sect3 id="mac-mpo-copy-vnode-label"> + <sect3 xml:id="mac-mpo-copy-vnode-label"> <title><function>&mac.mpo;_copy_vnode_label</function></title> <funcsynopsis> @@ -1939,7 +1928,7 @@ <parameter>dest</parameter>.</para> </sect3> - <sect3 id="mac-mpo-externalize-cred-label"> + <sect3 xml:id="mac-mpo-externalize-cred-label"> <title><function>&mac.mpo;_externalize_cred_label</function></title> <funcsynopsis> @@ -1962,7 +1951,7 @@ &mac.externalize.para; </sect3> - <sect3 id="mac-mpo-externalize-ifnet-label"> + <sect3 xml:id="mac-mpo-externalize-ifnet-label"> <title><function>&mac.mpo;_externalize_ifnet_label</function></title> <funcsynopsis> @@ -1985,7 +1974,7 @@ &mac.externalize.para; </sect3> - <sect3 id="mac-mpo-externalize-pipe-label"> + <sect3 xml:id="mac-mpo-externalize-pipe-label"> <title><function>&mac.mpo;_externalize_pipe_label</function></title> <funcsynopsis> @@ -2008,7 +1997,7 @@ &mac.externalize.para; </sect3> - <sect3 id="mac-mpo-externalize-socket-label"> + <sect3 xml:id="mac-mpo-externalize-socket-label"> <title><function>&mac.mpo;_externalize_socket_label</function></title> <funcsynopsis> @@ -2031,7 +2020,7 @@ &mac.externalize.para; </sect3> - <sect3 id="mac-mpo-externalize-socket-peer-label"> + <sect3 xml:id="mac-mpo-externalize-socket-peer-label"> <title><function>&mac.mpo;_externalize_socket_peer_label</function></title> <funcsynopsis> 
@@ -2054,7 +2043,7 @@ &mac.externalize.para; </sect3> - <sect3 id="mac-mpo-externalize-vnode-label"> + <sect3 xml:id="mac-mpo-externalize-vnode-label"> <title><function>&mac.mpo;_externalize_vnode_label</function></title> <funcsynopsis> @@ -2077,7 +2066,7 @@ &mac.externalize.para; </sect3> - <sect3 id="mac-mpo-internalize-cred-label"> + <sect3 xml:id="mac-mpo-internalize-cred-label"> <title><function>&mac.mpo;_internalize_cred_label</function></title> <funcsynopsis> @@ -2100,7 +2089,7 @@ &mac.internalize.para; </sect3> - <sect3 id="mac-mpo-internalize-ifnet-label"> + <sect3 xml:id="mac-mpo-internalize-ifnet-label"> <title><function>&mac.mpo;_internalize_ifnet_label</function></title> <funcsynopsis> @@ -2123,7 +2112,7 @@ &mac.internalize.para; </sect3> - <sect3 id="mac-mpo-internalize-pipe-label"> + <sect3 xml:id="mac-mpo-internalize-pipe-label"> <title><function>&mac.mpo;_internalize_pipe_label</function></title> <funcsynopsis> @@ -2146,7 +2135,7 @@ &mac.internalize.para; </sect3> - <sect3 id="mac-mpo-internalize-socket-label"> + <sect3 xml:id="mac-mpo-internalize-socket-label"> <title><function>&mac.mpo;_internalize_socket_label</function></title> <funcsynopsis> @@ -2169,7 +2158,7 @@ &mac.internalize.para; </sect3> - <sect3 id="mac-mpo-internalize-vnode-label"> + <sect3 xml:id="mac-mpo-internalize-vnode-label"> <title><function>&mac.mpo;_internalize_vnode_label</function></title> <funcsynopsis> @@ -2193,7 +2182,7 @@ </sect3> </sect2> - <sect2 id="mac-label-events"> + <sect2 xml:id="mac-label-events"> <title>Label Events</title> <para>This class of entry points is used by the MAC framework to 
@@ -2264,10 +2253,10 @@ Label destruction o</programlisting> <symbol>MAC_INTERNALIZE</symbol>, which accepts a user label to be converted to an in-kernel representation.</para> - <sect3 id="mac-fs-label-event-ops"> + <sect3 xml:id="mac-fs-label-event-ops"> <title>File System Object Labeling Event Operations</title> - <sect4 id="mac-mpo-associate-vnode-devfs"> + <sect4 xml:id="mac-mpo-associate-vnode-devfs"> <title><function>&mac.mpo;_associate_vnode_devfs</function></title> <funcsynopsis> @@ -2338,7 +2327,7 @@ Label destruction o</programlisting> label.</para> </sect4> - <sect4 id="mac-mpo-associate-vnode-extattr"> + <sect4 xml:id="mac-mpo-associate-vnode-extattr"> <title><function>&mac.mpo;_associate_vnode_extattr</function></title> <funcsynopsis> @@ -2397,7 +2386,7 @@ Label destruction o</programlisting> be returned.</para> </sect4> - <sect4 id="mac-mpo-associate-vnode-singlelabel"> + <sect4 xml:id="mac-mpo-associate-vnode-singlelabel"> <title><function>&mac.mpo;_associate_vnode_singlelabel</function></title> <funcsynopsis> @@ -2452,7 +2441,7 @@ Label destruction o</programlisting> </sect4> - <sect4 id="mac-mpo-create-devfs-device"> + <sect4 xml:id="mac-mpo-create-devfs-device"> <title><function>&mac.mpo;_create_devfs_device</function></title> <funcsynopsis> @@ -2499,7 +2488,7 @@ Label destruction o</programlisting> available.</para> </sect4> - <sect4 id="mac-mpo-create-devfs-directory"> + <sect4 xml:id="mac-mpo-create-devfs-directory"> <title><function>&mac.mpo;_create_devfs_directory</function></title> <funcsynopsis> @@ -2548,7 +2537,7 @@ Label destruction o</programlisting> available.</para> </sect4> - <sect4 id="mac-mpo-create-devfs-symlink"> + <sect4 xml:id="mac-mpo-create-devfs-symlink"> <title><function>&mac.mpo;_create_devfs_symlink</function></title> <funcsynopsis> 
@@ -2615,7 +2604,7 @@ Label destruction o</programlisting> a newly created &man.devfs.5; symbolic link entry.</para> </sect4> - <sect4 id="mac-mpo-create-vnode-extattr"> + <sect4 xml:id="mac-mpo-create-vnode-extattr"> <title><function>&mac.mpo;_create_vnode_extattr</function></title> <funcsynopsis> @@ -2700,7 +2689,7 @@ Label destruction o</programlisting> return an appropriate error.</para> </sect4> - <sect4 id="mac-mpo-create-mount"> + <sect4 xml:id="mac-mpo-create-mount"> <title><function>&mac.mpo;_create_mount</function></title> <funcsynopsis> @@ -2754,7 +2743,7 @@ Label destruction o</programlisting> a new file system is mounted.</para> </sect4> - <sect4 id="mac-mpo-create-root-mount"> + <sect4 xml:id="mac-mpo-create-root-mount"> <title><function>&mac.mpo;_create_root_mount</function></title> <funcsynopsis> @@ -2779,8 +2768,7 @@ Label destruction o</programlisting> <tbody> <row> - <entry namest="first" nameend="last">See <xref - linkend="mac-mpo-create-mount"/>.</entry> + <entry namest="first" nameend="last">See <xref linkend="mac-mpo-create-mount"/>.</entry> </row> </tbody> </tgroup> @@ -2792,7 +2780,7 @@ Label destruction o</programlisting> &mac.mpo;_create_mount;.</para> </sect4> - <sect4 id="mac-mpo-relabel-vnode"> + <sect4 xml:id="mac-mpo-relabel-vnode"> <title><function>&mac.mpo;_relabel_vnode</function></title> <funcsynopsis> @@ -2845,7 +2833,7 @@ Label destruction o</programlisting> update vnode label and the passed subject credential.</para> </sect4> - <sect4 id="mac-mpo-setlabel-vnode-extattr"> + <sect4 xml:id="mac-mpo-setlabel-vnode-extattr"> <title><function>&mac.mpo;_setlabel_vnode_extattr</function></title> <funcsynopsis> @@ -2900,7 +2888,7 @@ Label destruction o</programlisting> <function>vop_stdcreatevnode_ea</function>.</para> </sect4> - <sect4 id="mac-mpo-update-devfsdirent"> + <sect4 xml:id="mac-mpo-update-devfsdirent"> <title><function>&mac.mpo;_update_devfsdirent</function></title> <funcsynopsis> <funcprototype> 
@@ -2961,11 +2949,11 @@ Label destruction o</programlisting> </sect4> </sect3> - <sect3 id="mac-ipc-label-ops"> + <sect3 xml:id="mac-ipc-label-ops"> <title>IPC Object Labeling Event Operations</title> - <sect4 id="mac-mpo-create-mbuf-from-socket"> + <sect4 xml:id="mac-mpo-create-mbuf-from-socket"> <title><function>&mac.mpo;_create_mbuf_from_socket</function></title> <funcsynopsis> @@ -3020,7 +3008,7 @@ Label destruction o</programlisting> passed mbuf.</para> </sect4> - <sect4 id="mac-mpo-create-pipe"> + <sect4 xml:id="mac-mpo-create-pipe"> <title><function>&mac.mpo;_create_pipe</function></title> <funcsynopsis> @@ -3066,7 +3054,7 @@ Label destruction o</programlisting> created.</para> </sect4> - <sect4 id="mac-mpo-create-socket"> + <sect4 xml:id="mac-mpo-create-socket"> <title><function>&mac.mpo;_create_socket</function></title> <funcsynopsis> @@ -3113,7 +3101,7 @@ Label destruction o</programlisting> created.</para> </sect4> - <sect4 id="mac-mpo-create-socket-from-socket"> + <sect4 xml:id="mac-mpo-create-socket-from-socket"> <title><function>&mac.mpo;_create_socket_from_socket</function></title> <funcsynopsis> @@ -3167,7 +3155,7 @@ Label destruction o</programlisting> socket, <parameter>oldsocket</parameter>.</para> </sect4> - <sect4 id="mac-mpo-relabel-pipe"> + <sect4 xml:id="mac-mpo-relabel-pipe"> <title><function>&mac.mpo;_relabel_pipe</function></title> <funcsynopsis> @@ -3220,7 +3208,7 @@ Label destruction o</programlisting> <parameter>pipe</parameter>.</para> </sect4> - <sect4 id="mac-mpo-relabel-socket"> + <sect4 xml:id="mac-mpo-relabel-socket"> <title><function>&mac.mpo;_relabel_socket</function></title> <funcsynopsis> @@ -3274,7 +3262,7 @@ Label destruction o</programlisting> label update.</para> </sect4> - <sect4 id="mpo-set-socket-peer-from-mbuf"> + <sect4 xml:id="mpo-set-socket-peer-from-mbuf"> <title><function>&mac.mpo;_set_socket_peer_from_mbuf</function></title> <funcsynopsis> 
@@ -3328,7 +3316,7 @@ Label destruction o</programlisting> domain sockets.</para> </sect4> - <sect4 id="mac-mpo-set-socket-peer-from-socket"> + <sect4 xml:id="mac-mpo-set-socket-peer-from-socket"> <title><function>&mac.mpo;_set_socket_peer_from_socket</function></title> <funcsynopsis> @@ -3385,10 +3373,10 @@ Label destruction o</programlisting> </sect4> </sect3> - <sect3 id="mac-net-labeling-event-ops"> + <sect3 xml:id="mac-net-labeling-event-ops"> <title>Network Object Labeling Event Operations</title> - <sect4 id="mac-mpo-create-bpfdesc"> + <sect4 xml:id="mac-mpo-create-bpfdesc"> <title><function>&mac.mpo;_create_bpfdesc</function></title> <funcsynopsis> @@ -3436,7 +3424,7 @@ Label destruction o</programlisting> subject credential.</para> </sect4> - <sect4 id="mac-mpo-create-ifnet"> + <sect4 xml:id="mac-mpo-create-ifnet"> <title><function>&mac.mpo;_create_ifnet</function></title> <funcsynopsis> @@ -3476,7 +3464,7 @@ Label destruction o</programlisting> during the boot or as a result of a user action.</para> </sect4> - <sect4 id="mac-mpo-create-ipq"> + <sect4 xml:id="mac-mpo-create-ipq"> <title><function>&mac.mpo;_create_ipq</function></title> <funcsynopsis> @@ -3530,7 +3518,7 @@ Label destruction o</programlisting> fragment.</para> </sect4> - <sect4 id="mac-mpo-create-datagram-from-ipq"> + <sect4 xml:id="mac-mpo-create-datagram-from-ipq"> <title><function>&mac.mpo;_create_datagram_from_ipq</function></title> <funcsynopsis> @@ -3584,7 +3572,7 @@ Label destruction o</programlisting> generated.</para> </sect4> - <sect4 id="mac-mpo-create-fragment"> + <sect4 xml:id="mac-mpo-create-fragment"> <title><function>&mac.mpo;_create_fragment</function></title> <funcsynopsis> @@ -3638,7 +3626,7 @@ Label destruction o</programlisting> it was generate from.</para> </sect4> - <sect4 id="mac-mpo-create-mbuf-from-mbuf"> + <sect4 xml:id="mac-mpo-create-mbuf-from-mbuf"> <title><function>&mac.mpo;_create_mbuf_from_mbuf</function></title> <funcsynopsis> 
@@ -3693,7 +3681,7 @@ Label destruction o</programlisting> an mbuf is re-allocated for alignment purposes.</para> </sect4> - <sect4 id="mac-mpo-create-mbuf-linklayer"> + <sect4 xml:id="mac-mpo-create-mbuf-linklayer"> <title><function>&mac.mpo;_create_mbuf_linklayer</function></title> <funcsynopsis> @@ -3749,7 +3737,7 @@ Label destruction o</programlisting> IPv4 and IPv6 stacks.</para> </sect4> - <sect4 id="mac-mpo-create-mbuf-from-bpfdesc"> + <sect4 xml:id="mac-mpo-create-mbuf-from-bpfdesc"> <title><function>&mac.mpo;_create_mbuf_from_bpfdesc</function></title> <funcsynopsis> @@ -3804,7 +3792,7 @@ Label destruction o</programlisting> associated with the passed BPF descriptor.</para> </sect4> - <sect4 id="mac-mpo-create-mbuf-from-ifnet"> + <sect4 xml:id="mac-mpo-create-mbuf-from-ifnet"> <title><function>&mac.mpo;_create_mbuf_from_ifnet</function></title> <funcsynopsis> @@ -3857,7 +3845,7 @@ Label destruction o</programlisting> datagram generated from the passed network interface.</para> </sect4> - <sect4 id="mac-mpo-create-mbuf-multicast-encap"> + <sect4 xml:id="mac-mpo-create-mbuf-multicast-encap"> <title><function>&mac.mpo;_create_mbuf_multicast_encap</function></title> <funcsynopsis> @@ -3929,7 +3917,7 @@ Label destruction o</programlisting> delivered using the virtual interface.</para> </sect4> - <sect4 id="mac-mpo-create-mbuf-netlayer"> + <sect4 xml:id="mac-mpo-create-mbuf-netlayer"> <title><function>&mac.mpo;_create_mbuf_netlayer</function></title> <funcsynopsis> @@ -3985,7 +3973,7 @@ Label destruction o</programlisting> when responding to ICMP request datagrams.</para> </sect4> - <sect4 id="mac-mpo-fragment-match"> + <sect4 xml:id="mac-mpo-fragment-match"> <title><function>&mac.mpo;_fragment_match</function></title> <funcsynopsis> 
@@ -4049,7 +4037,7 @@ Label destruction o</programlisting> label or other information.</para> </sect4> - <sect4 id="mac-mpo-ifnet-relabel"> + <sect4 xml:id="mac-mpo-ifnet-relabel"> <title><function>&mac.mpo;_relabel_ifnet</function></title> <funcsynopsis> @@ -4104,7 +4092,7 @@ Label destruction o</programlisting> subject credential, <parameter>cred</parameter>.</para> </sect4> - <sect4 id="mac-mpo-update-ipq"> + <sect4 xml:id="mac-mpo-update-ipq"> <title><function>&mac.mpo;_update_ipq</function></title> <funcsynopsis> @@ -4160,10 +4148,10 @@ Label destruction o</programlisting> </sect4> </sect3> - <sect3 id="mac-proc-labeling-event-ops"> + <sect3 xml:id="mac-proc-labeling-event-ops"> <title>Process Labeling Event Operations</title> - <sect4 id="mac-mpo-create-cred"> + <sect4 xml:id="mac-mpo-create-cred"> <title><function>&mac.mpo;_create_cred</function></title> <funcsynopsis> @@ -4203,7 +4191,7 @@ Label destruction o</programlisting> process forking or creation event.</para> </sect4> - <sect4 id="mac-mpo-execve-transition"> + <sect4 xml:id="mac-mpo-execve-transition"> <title><function>&mac.mpo;_execve_transition</function></title> <funcsynopsis> @@ -4271,7 +4259,7 @@ Label destruction o</programlisting> <function>mpo_execve_will_transition</function>.</para> </sect4> - <sect4 id="mac-mpo-execve-will-transition"> + <sect4 xml:id="mac-mpo-execve-will-transition"> <title><function>&mac.mpo;_execve_will_transition</function></title> <funcsynopsis> @@ -4326,7 +4314,7 @@ Label destruction o</programlisting> transition.</para> </sect4> - <sect4 id="mac-mpo-create-proc0"> + <sect4 xml:id="mac-mpo-create-proc0"> <title><function>&mac.mpo;_create_proc0</function></title> <funcsynopsis> @@ -4356,7 +4344,7 @@ Label destruction o</programlisting> of all kernel processes.</para> </sect4> - <sect4 id="mac-mpo-create-proc1"> + <sect4 xml:id="mac-mpo-create-proc1"> <title><function>&mac.mpo;_create_proc1</function></title> <funcsynopsis> 
@@ -4386,7 +4374,7 @@ Label destruction o</programlisting> of all user processes.</para> </sect4> - <sect4 id="mac-mpo-relabel-cred"> + <sect4 xml:id="mac-mpo-relabel-cred"> <title><function>&mac.mpo;_relabel_cred</function></title> <funcsynopsis> @@ -4427,7 +4415,7 @@ Label destruction o</programlisting> </sect3> </sect2> - <sect2 id="mac-access-control-checks"> + <sect2 xml:id="mac-access-control-checks"> <title>Access Control Checks</title> <para>Access control entry points permit policy modules to @@ -4455,15 +4443,15 @@ Label destruction o</programlisting> <entry><errorcode>EDEADLK</errorcode></entry></row> <row> - <entry></entry> + <entry/> <entry><errorcode>EINVAL</errorcode></entry> </row> <row> - <entry></entry> + <entry/> <entry><errorcode>ESRCH</errorcode></entry> </row> <row> - <entry></entry> + <entry/> <entry>EACCES</entry> </row> <row> @@ -4481,7 +4469,7 @@ Label destruction o</programlisting> failures, invalid arguments, object not present, access not permitted, other.</para> - <sect3 id="mac-mpo-bpfdesc-check-receive-from-ifnet"> + <sect3 xml:id="mac-mpo-bpfdesc-check-receive-from-ifnet"> <title><function>&mac.mpo;_check_bpfdesc_receive</function></title> <funcsynopsis> @@ -4539,7 +4527,7 @@ Label destruction o</programlisting> <errorcode>EPERM</errorcode> for lack of privilege.</para> </sect3> - <sect3 id="mac-mpo-check-kenv-dump"> + <sect3 xml:id="mac-mpo-check-kenv-dump"> <title><function>&mac.mpo;_check_kenv_dump</function></title> <funcsynopsis> @@ -4569,7 +4557,7 @@ Label destruction o</programlisting> retrieve the kernel environment (see &man.kenv.2;).</para> </sect3> - <sect3 id="mac-mpo-check-kenv-get"> + <sect3 xml:id="mac-mpo-check-kenv-get"> <title><function>&mac.mpo;_check_kenv_get</function></title> <funcsynopsis> 
@@ -4606,7 +4594,7 @@ Label destruction o</programlisting> variable.</para> </sect3> - <sect3 id="mac-mpo-check-kenv-set"> + <sect3 xml:id="mac-mpo-check-kenv-set"> <title><function>&mac.mpo;_check_kenv_set</function></title> <funcsynopsis> @@ -4642,7 +4630,7 @@ Label destruction o</programlisting> the specified kernel environment variable.</para> </sect3> - <sect3 id="mac-mpo-check-kenv-unset"> + <sect3 xml:id="mac-mpo-check-kenv-unset"> <title><function>&mac.mpo;_check_kenv_unset</function></title> <funcsynopsis> @@ -4678,7 +4666,7 @@ Label destruction o</programlisting> the specified kernel environment variable.</para> </sect3> - <sect3 id="mac-mpo-check-kld-load"> + <sect3 xml:id="mac-mpo-check-kld-load"> <title><function>&mac.mpo;_check_kld_load</function></title> <funcsynopsis> @@ -4723,7 +4711,7 @@ Label destruction o</programlisting> the specified module file.</para> </sect3> - <sect3 id="mac-mpo-check-kld-stat"> + <sect3 xml:id="mac-mpo-check-kld-stat"> <title><function>&mac.mpo;_check_kld_stat</function></title> <funcsynopsis> @@ -4754,7 +4742,7 @@ Label destruction o</programlisting> statistics.</para> </sect3> - <sect3 id="mac-mpo-check-kld-unload"> + <sect3 xml:id="mac-mpo-check-kld-unload"> <title><function>&mac.mpo;_check_kld_unload</function></title> <funcsynopsis> @@ -4784,7 +4772,7 @@ Label destruction o</programlisting> unload a kernel module.</para> </sect3> - <sect3 id="mac-mpo-check-pipe-ioctl"> + <sect3 xml:id="mac-mpo-check-pipe-ioctl"> <title><function>&mac.mpo;_check_pipe_ioctl</function></title> <funcsynopsis> @@ -4842,7 +4830,7 @@ Label destruction o</programlisting> the specified &man.ioctl.2; call.</para> </sect3> - <sect3 id="mac-mpo-check-pipe-poll"> + <sect3 xml:id="mac-mpo-check-pipe-poll"> <title><function>&mac.mpo;_check_pipe_poll</function></title> <funcsynopsis> 
@@ -4887,7 +4875,7 @@ Label destruction o</programlisting> <parameter>pipe</parameter>.</para> </sect3> - <sect3 id="mac-mpo-check-pipe-read"> + <sect3 xml:id="mac-mpo-check-pipe-read"> <title><function>&mac.mpo;_check_pipe_read</function></title> <funcsynopsis> @@ -4932,7 +4920,7 @@ Label destruction o</programlisting> access to <parameter>pipe</parameter>.</para> </sect3> - <sect3 id="mac-mpo-check-pipe-relabel"> + <sect3 xml:id="mac-mpo-check-pipe-relabel"> <title><function>&mac.mpo;_check_pipe_relabel</function></title> <funcsynopsis> @@ -4985,7 +4973,7 @@ Label destruction o</programlisting> relabel <parameter>pipe</parameter>.</para> </sect3> - <sect3 id="mac-mpo-check-pipe-stat"> + <sect3 xml:id="mac-mpo-check-pipe-stat"> <title><function>&mac.mpo;_check_pipe_stat</function></title> <funcsynopsis> @@ -5031,7 +5019,7 @@ Label destruction o</programlisting> <parameter>pipe</parameter>.</para> </sect3> - <sect3 id="mac-mpo-check-pipe-write"> + <sect3 xml:id="mac-mpo-check-pipe-write"> <title><function>&mac.mpo;_check_pipe_write</function></title> <funcsynopsis> @@ -5076,7 +5064,7 @@ Label destruction o</programlisting> to <parameter>pipe</parameter>.</para> </sect3> - <sect3 id="mac-mpo-cred-check-socket-bind"> + <sect3 xml:id="mac-mpo-cred-check-socket-bind"> <title><function>&mac.mpo;_check_socket_bind</function></title> <funcsynopsis> @@ -5128,7 +5116,7 @@ Label destruction o</programlisting> </sect3> - <sect3 id="mac-mpo-cred-check-socket-connect"> + <sect3 xml:id="mac-mpo-cred-check-socket-connect"> <title><function>&mac.mpo;_check_socket_connect</function></title> <funcsynopsis> @@ -5187,7 +5175,7 @@ Label destruction o</programlisting> <errorcode>EPERM</errorcode> for lack of privilege.</para> </sect3> - <sect3 id="mac-mpo-check-socket-receive"> + <sect3 xml:id="mac-mpo-check-socket-receive"> <title><function>&mac.mpo;_check_socket_receive</function></title> <funcsynopsis> 
@@ -5233,7 +5221,7 @@ Label destruction o</programlisting> <parameter>so</parameter>.</para> </sect3> - <sect3 id="mac-mpo-check-socket-send"> + <sect3 xml:id="mac-mpo-check-socket-send"> <title><function>&mac.mpo;_check_socket_send</function></title> <funcsynopsis> @@ -5279,7 +5267,7 @@ Label destruction o</programlisting> <parameter>so</parameter>.</para> </sect3> - <sect3 id="mac-mpo-check-cred-visible"> + <sect3 xml:id="mac-mpo-check-cred-visible"> <title><function>&mac.mpo;_check_cred_visible</function></title> <funcsynopsis> @@ -5326,7 +5314,7 @@ Label destruction o</programlisting> and in procfs lookups.</para> </sect3> - <sect3 id="mac-mpo-cred-check-socket-visible"> + <sect3 xml:id="mac-mpo-cred-check-socket-visible"> <title><function>&mac.mpo;_check_socket_visible</function></title> <funcsynopsis> @@ -5369,7 +5357,7 @@ Label destruction o</programlisting> </sect3> - <sect3 id="mac-mpo-cred-check-ifnet-relabel"> + <sect3 xml:id="mac-mpo-cred-check-ifnet-relabel"> <title><function>&mac.mpo;_check_ifnet_relabel</function></title> <funcsynopsis> @@ -5422,7 +5410,7 @@ Label destruction o</programlisting> passed network interface to the passed label update.</para> </sect3> - <sect3 id="mac-mpo-cred-check-socket-relabel"> + <sect3 xml:id="mac-mpo-cred-check-socket-relabel"> <title><function>&mac.mpo;_check_socket_relabel</function></title> <funcsynopsis> @@ -5475,7 +5463,7 @@ Label destruction o</programlisting> passed socket to the passed label update.</para> </sect3> - <sect3 id="mac-mpo-cred-check-cred-relabel"> + <sect3 xml:id="mac-mpo-cred-check-cred-relabel"> <title><function>&mac.mpo;_check_cred_relabel</function></title> <funcsynopsis> @@ -5514,7 +5502,7 @@ Label destruction o</programlisting> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-relabel"> + <sect3 xml:id="mac-mpo-cred-check-vnode-relabel"> <title><function>&mac.mpo;_check_vnode_relabel</function></title> <funcsynopsis> 
@@ -5569,7 +5557,7 @@ Label destruction o</programlisting> passed vnode to the passed label update.</para> </sect3> - <sect3 id="mpo-cred-check-mount-stat"> + <sect3 xml:id="mpo-cred-check-mount-stat"> <title><function>&mac.mpo;_check_mount_stat</function></title> <funcsynopsis> @@ -5622,7 +5610,7 @@ Label destruction o</programlisting> systems, such as when &man.getfsstat.2; is invoked. </para> </sect3> - <sect3 id="mac-mpo-cred-check-proc-debug"> + <sect3 xml:id="mac-mpo-cred-check-proc-debug"> <title><function>&mac.mpo;_check_proc_debug</function></title> <funcsynopsis> @@ -5668,7 +5656,7 @@ Label destruction o</programlisting> operations.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-access"> + <sect3 xml:id="mac-mpo-cred-check-vnode-access"> <title><function>&mac.mpo;_check_vnode_access</function></title> <funcsynopsis> @@ -5727,7 +5715,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-chdir"> + <sect3 xml:id="mac-mpo-cred-check-vnode-chdir"> <title><function>&mac.mpo;_check_vnode_chdir</function></title> <funcsynopsis> @@ -5777,7 +5765,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-check-vnode-chroot"> + <sect3 xml:id="mac-mpo-check-vnode-chroot"> <title><function>&mac.mpo;_check_vnode_chroot</function></title> <funcsynopsis> @@ -5823,7 +5811,7 @@ Label destruction o</programlisting> (<parameter>dvp</parameter>).</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-create"> + <sect3 xml:id="mac-mpo-cred-check-vnode-create"> <title><function>&mac.mpo;_check_vnode_create</function></title> <funcsynopsis> @@ -5892,7 +5880,7 @@ Label destruction o</programlisting> others.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-delete"> + <sect3 xml:id="mac-mpo-cred-check-vnode-delete"> <title><function>&mac.mpo;_check_vnode_delete</function></title> <funcsynopsis> 
@@ -5970,7 +5958,7 @@ Label destruction o</programlisting> rename.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-deleteacl"> + <sect3 xml:id="mac-mpo-cred-check-vnode-deleteacl"> <title><function>&mac.mpo;_check_vnode_deleteacl</function></title> <funcsynopsis> @@ -6025,7 +6013,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-exec"> + <sect3 xml:id="mac-mpo-cred-check-vnode-exec"> <title><function>&mac.mpo;_check_vnode_exec</function></title> <funcsynopsis> @@ -6076,7 +6064,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mpo-cred-check-vnode-getacl"> + <sect3 xml:id="mpo-cred-check-vnode-getacl"> <title><function>&mac.mpo;_check_vnode_getacl</function></title> <funcsynopsis> @@ -6133,7 +6121,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-getextattr"> + <sect3 xml:id="mac-mpo-cred-check-vnode-getextattr"> <title><function>&mac.mpo;_check_vnode_getextattr</function></title> <funcsynopsis> @@ -6207,7 +6195,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-check-vnode-link"> + <sect3 xml:id="mac-mpo-check-vnode-link"> <title><function>&mac.mpo;_check_vnode_link</function></title> <funcsynopsis> @@ -6275,7 +6263,7 @@ Label destruction o</programlisting> the name specified by <parameter>cnp</parameter>.</para> </sect3> - <sect3 id="mac-mpo-check-vnode-mmap"> + <sect3 xml:id="mac-mpo-check-vnode-mmap"> <title><function>&mac.mpo;_check_vnode_mmap</function></title> <funcsynopsis> @@ -6327,7 +6315,7 @@ Label destruction o</programlisting> specified in <parameter>prot</parameter>.</para> </sect3> - <sect3 id="mac-mpo-check-vnode-mmap-downgrade"> + <sect3 xml:id="mac-mpo-check-vnode-mmap-downgrade"> <title><function>&mac.mpo;_check_vnode_mmap_downgrade</function></title> <funcsynopsis> 
@@ -6376,7 +6364,7 @@ Label destruction o</programlisting> object labels.</para> </sect3> - <sect3 id="mac-mpo-check-vnode-mprotect"> + <sect3 xml:id="mac-mpo-check-vnode-mprotect"> <title><function>&mac.mpo;_check_vnode_mprotect</function></title> <funcsynopsis> @@ -6422,7 +6410,7 @@ Label destruction o</programlisting> the vnode <parameter>vp</parameter>.</para> </sect3> - <sect3 id="mac-mpo-check-vnode-poll"> + <sect3 xml:id="mac-mpo-check-vnode-poll"> <title><function>&mac.mpo;_check_vnode_poll</function></title> <funcsynopsis> @@ -6475,7 +6463,7 @@ Label destruction o</programlisting> the vnode <parameter>vp</parameter>.</para> </sect3> - <sect3 id="mac-mpo-check-vnode-rename-from"> + <sect3 xml:id="mac-mpo-check-vnode-rename-from"> <title><function>&mac.mpo;_check_vnode_rename_from</function></title> <funcsynopsis> @@ -6544,7 +6532,7 @@ Label destruction o</programlisting> else.</para> </sect3> - <sect3 id="mac-mpo-check-vnode-rename-to"> + <sect3 xml:id="mac-mpo-check-vnode-rename-to"> <title><function>&mac.mpo;_check_vnode_rename_to</function></title> <funcsynopsis> @@ -6622,7 +6610,7 @@ Label destruction o</programlisting> <parameter>label</parameter> will be NULL.</para> </sect3> - <sect3 id="mac-mpo-cred-check-socket-listen"> + <sect3 xml:id="mac-mpo-cred-check-socket-listen"> <title><function>&mac.mpo;_check_socket_listen</function></title> <funcsynopsis> @@ -6671,7 +6659,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-lookup"> + <sect3 xml:id="mac-mpo-cred-check-vnode-lookup"> <title><function>&mac.mpo;_check_vnode_lookup</function></title> <funcsynopsis> 
@@ -6680,11 +6668,11 @@ Label destruction o</programlisting> <function>&mac.mpo;_check_vnode_lookup</function></funcdef> <paramdef>struct ucred - *<parameter></parameter>cred</paramdef> + *<parameter/>cred</paramdef> <paramdef>struct vnode - *<parameter></parameter>dvp</paramdef> + *<parameter/>dvp</paramdef> <paramdef>struct label - *<parameter></parameter>dlabel</paramdef> + *<parameter/>dlabel</paramdef> <paramdef>struct componentname *<parameter>cnp</parameter></paramdef> </funcprototype> @@ -6728,7 +6716,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-open"> + <sect3 xml:id="mac-mpo-cred-check-vnode-open"> <title><function>&mac.mpo;_check_vnode_open</function></title> <funcsynopsis> @@ -6784,7 +6772,7 @@ Label destruction o</programlisting> <errorcode>EPERM</errorcode> for lack of privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-readdir"> + <sect3 xml:id="mac-mpo-cred-check-vnode-readdir"> <title><function>&mac.mpo;_check_vnode_readdir</function></title> <funcsynopsis> @@ -6793,11 +6781,11 @@ Label destruction o</programlisting> <function>&mac.mpo;_check_vnode_readdir</function></funcdef> <paramdef>struct ucred - *<parameter></parameter>cred</paramdef> + *<parameter/>cred</paramdef> <paramdef>struct vnode - *<parameter></parameter>dvp</paramdef> + *<parameter/>dvp</paramdef> <paramdef>struct label - *<parameter></parameter>dlabel</paramdef> + *<parameter/>dlabel</paramdef> </funcprototype> </funcsynopsis> @@ -6834,7 +6822,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-readlink"> + <sect3 xml:id="mac-mpo-cred-check-vnode-readlink"> <title><function>&mac.mpo;_check_vnode_readlink</function></title> <funcsynopsis> 
@@ -6888,7 +6876,7 @@ Label destruction o</programlisting> process.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-revoke"> + <sect3 xml:id="mac-mpo-cred-check-vnode-revoke"> <title><function>&mac.mpo;_check_vnode_revoke</function></title> <funcsynopsis> @@ -6938,7 +6926,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-setacl"> + <sect3 xml:id="mac-mpo-cred-check-vnode-setacl"> <title><function>&mac.mpo;_check_vnode_setacl</function></title> <funcsynopsis> @@ -7002,7 +6990,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-setextattr"> + <sect3 xml:id="mac-mpo-cred-check-vnode-setextattr"> <title><function>&mac.mpo;_check_vnode_setextattr</function></title> <funcsynopsis> @@ -7080,7 +7068,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-setflags"> + <sect3 xml:id="mac-mpo-cred-check-vnode-setflags"> <title><function>&mac.mpo;_check_vnode_setflags</function></title> <funcsynopsis> @@ -7136,7 +7124,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-setmode"> + <sect3 xml:id="mac-mpo-cred-check-vnode-setmode"> <title><function>&mac.mpo;_check_vnode_setmode</function></title> <funcsynopsis> @@ -7191,7 +7179,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-setowner"> + <sect3 xml:id="mac-mpo-cred-check-vnode-setowner"> <title><function>&mac.mpo;_check_vnode_setowner</function></title> <funcsynopsis> @@ -7253,7 +7241,7 @@ Label destruction o</programlisting> of privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-setutimes"> + <sect3 xml:id="mac-mpo-cred-check-vnode-setutimes"> <title><function>&mac.mpo;_check_vnode_setutimes</function></title> <funcsynopsis> 
@@ -7262,15 +7250,15 @@ Label destruction o</programlisting> <function>&mac.mpo;_check_vnode_setutimes</function></funcdef> <paramdef>struct ucred - *<parameter></parameter>cred</paramdef> + *<parameter/>cred</paramdef> <paramdef>struct vnode - *<parameter></parameter>vp</paramdef> + *<parameter/>vp</paramdef> <paramdef>struct label - *<parameter></parameter>label</paramdef> + *<parameter/>label</paramdef> <paramdef>struct timespec - <parameter></parameter>atime</paramdef> + <parameter/>atime</paramdef> <paramdef>struct timespec - <parameter></parameter>mtime</paramdef> + <parameter/>mtime</paramdef> </funcprototype> </funcsynopsis> @@ -7317,7 +7305,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-proc-sched"> + <sect3 xml:id="mac-mpo-cred-check-proc-sched"> <title><function>&mac.mpo;_check_proc_sched</function></title> <funcsynopsis> @@ -7361,7 +7349,7 @@ Label destruction o</programlisting> <para>See &man.setpriority.2; for more information.</para> </sect3> - <sect3 id="mac-mpo-cred-check-proc-signal"> + <sect3 xml:id="mac-mpo-cred-check-proc-signal"> <title><function>&mac.mpo;_check_proc_signal</function></title> <funcsynopsis> @@ -7409,7 +7397,7 @@ Label destruction o</programlisting> <errorcode>ESRCH</errorcode> to limit visibility.</para> </sect3> - <sect3 id="mac-mpo-cred-check-vnode-stat"> + <sect3 xml:id="mac-mpo-cred-check-vnode-stat"> <title><function>&mac.mpo;_check_vnode_stat</function></title> <funcsynopsis> @@ -7461,7 +7449,7 @@ Label destruction o</programlisting> <para>See &man.stat.2; for more information.</para> </sect3> - <sect3 id="mac-mpo-cred-check-ifnet-transmit"> + <sect3 xml:id="mac-mpo-cred-check-ifnet-transmit"> <title><function>&mac.mpo;_check_ifnet_transmit</function></title> <funcsynopsis> 
@@ -7525,7 +7513,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-cred-check-socket-deliver"> + <sect3 xml:id="mac-mpo-cred-check-socket-deliver"> <title><function>&mac.mpo;_check_socket_deliver</function></title> <funcsynopsis> @@ -7590,7 +7578,7 @@ Label destruction o</programlisting> privilege.</para> </sect3> - <sect3 id="mac-mpo-check-socket-visible"> + <sect3 xml:id="mac-mpo-check-socket-visible"> <title><function>&mac.mpo;_check_socket_visible</function></title> <funcsynopsis> @@ -7643,7 +7631,7 @@ Label destruction o</programlisting> <errorcode>ESRCH</errorcode> to hide visibility.</para> </sect3> - <sect3 id="mac-mpo-check-system-acct"> + <sect3 xml:id="mac-mpo-check-system-acct"> <title><function>&mac.mpo;_check_system_acct</function></title> <funcsynopsis> @@ -7689,7 +7677,7 @@ Label destruction o</programlisting> accounting log file.</para> </sect3> - <sect3 id="mac-mpo-check-system-nfsd"> + <sect3 xml:id="mac-mpo-check-system-nfsd"> <title><function>&mac.mpo;_check_system_nfsd</function></title> <funcsynopsis> @@ -7719,7 +7707,7 @@ Label destruction o</programlisting> &man.nfssvc.2;.</para> </sect3> - <sect3 id="mac-mpo-check-system-reboot"> + <sect3 xml:id="mac-mpo-check-system-reboot"> <title><function>&mac.mpo;_check_system_reboot</function></title> <funcsynopsis> @@ -7756,7 +7744,7 @@ Label destruction o</programlisting> reboot the system in the specified manner.</para> </sect3> - <sect3 id="mac-mpo-check-system-settime"> + <sect3 xml:id="mac-mpo-check-system-settime"> <title><function>&mac.mpo;_check_system_settime</function></title> <funcsynopsis> @@ -7786,7 +7774,7 @@ Label destruction o</programlisting> system clock.</para> </sect3> - <sect3 id="mac-mpo-check-system-swapon"> + <sect3 xml:id="mac-mpo-check-system-swapon"> <title><function>&mac.mpo;_check_system_swapon</function></title> <funcsynopsis> 
@@ -7831,7 +7819,7 @@ Label destruction o</programlisting> <parameter>vp</parameter> as a swap device.</para> </sect3> - <sect3 id="mac-mpo-check-system-sysctl"> + <sect3 xml:id="mac-mpo-check-system-sysctl"> <title><function>&mac.mpo;_check_system_sysctl</function></title> <funcsynopsis> @@ -7902,7 +7890,7 @@ Label destruction o</programlisting> </sect3> </sect2> - <sect2 id="mac-label-management"> + <sect2 xml:id="mac-label-management"> <title>Label Management Calls</title> <para>Relabel events occur when a user process has requested @@ -7919,7 +7907,7 @@ Label destruction o</programlisting> </sect2> </sect1> - <sect1 id="mac-userland-arch"> + <sect1 xml:id="mac-userland-arch"> <title>Userland Architecture</title> <para>The TrustedBSD MAC Framework includes a number of @@ -7931,7 +7919,7 @@ Label destruction o</programlisting> interfaces. More details on the user architecture will be added to this section in the near future.</para> - <sect2 id="mac-userland-labels"> + <sect2 xml:id="mac-userland-labels"> <title>APIs for Policy-Agnostic Label Management</title> <para>The TrustedBSD MAC Framework provides a number of @@ -7980,7 +7968,7 @@ Label destruction o</programlisting> writers.</para></note> </sect2> - <sect2 id="mac-userland-credentials"> + <sect2 xml:id="mac-userland-credentials"> <title>Binding of Labels to Users</title> <para>The standard user context management interface, @@ -8001,7 +7989,7 @@ Label destruction o</programlisting> </sect2> </sect1> - <sect1 id="mac-conclusion"> + <sect1 xml:id="mac-conclusion"> <title>Conclusion</title> <para>The TrustedBSD MAC framework permits kernel modules to |
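Review bot: In the prototype hunks at @@ -6680,11 (_check_vnode_lookup), @@ -6793,11 (_check_vnode_readdir) and @@ -7262,15 (_check_vnode_setutimes), rewriting `<parameter></parameter>cred` as `<parameter/>cred` keeps the parameter name outside the element. The element stays empty, so cred, dvp, dlabel, vp, label, atime and mtime are not marked up as parameters. The unchanged cnp line in the lookup prototype shows the intended form, `<parameter>cnp</parameter>`. Since every one of these lines is being rewritten anyway, move the names inside the element, for example `*<parameter>cred</parameter></paramdef>`.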
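Review bot: In the errno table hunk at @@ -4455,15 (Access Control Checks), the EACCES row is left as `<entry>EACCES</entry>` while the rows edited around it use `<entry><errorcode>EINVAL</errorcode></entry>` and `<entry><errorcode>ESRCH</errorcode></entry>`. Wrap it as `<entry><errorcode>EACCES</errorcode></entry>` in the same pass so that all of the listed error values carry the same markup.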
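Review bot: Two sect3 elements carry the same title, `&mac.mpo;_check_socket_visible`: one with xml:id="mac-mpo-cred-check-socket-visible" in the hunk at @@ -5326,7 and one with xml:id="mac-mpo-check-socket-visible" in the hunk at @@ -7590,7. The conversion carries both over unchanged, so the chapter still documents one access control entry point in two places under two anchors. Check whether the two descriptions agree, and either merge them or note in the commit message that the duplicate is left for a follow-up.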
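Review bot: The ids converted in the hunks at @@ -5569,7 and @@ -6076,7 become xml:id="mpo-cred-check-mount-stat" and xml:id="mpo-cred-check-vnode-getacl", without the mac- prefix that every other id in this patch carries. Because the patch already touches each id attribute, this is the natural place to record the inconsistency. If the ids are renamed to mac-mpo-..., do it as a separate change and search for linkend or xref uses of the old names first, so no cross-reference into these access check sections breaks.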