path: root/en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml
Diffstat (limited to 'en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml')
-rw-r--r-- en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml 432
1 files changed, 210 insertions, 222 deletions
diff --git a/en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml b/en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml
index 923dd53eb6..215b9557de 100644
--- a/en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml
+++ b/en_US.ISO8859-1/books/arch-handbook/mac/chapter.xml
@@ -32,35 +32,24 @@
$FreeBSD$
-->
-
-<chapter id="mac">
- <chapterinfo>
+<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="mac">
+ <info><title>The TrustedBSD MAC Framework</title>
<authorgroup>
- <author>
- <firstname>Chris</firstname>
- <surname>Costello</surname>
-
- <affiliation>
+ <author><personname><firstname>Chris</firstname><surname>Costello</surname></personname><affiliation>
<orgname>TrustedBSD Project</orgname>
<address><email>chris@FreeBSD.org</email></address>
- </affiliation>
- </author>
-
- <author>
- <firstname>Robert</firstname>
- <surname>Watson</surname>
+ </affiliation></author>
- <affiliation>
+ <author><personname><firstname>Robert</firstname><surname>Watson</surname></personname><affiliation>
<orgname>TrustedBSD Project</orgname>
<address><email>rwatson@FreeBSD.org</email></address>
- </affiliation>
- </author>
+ </affiliation></author>
</authorgroup>
- </chapterinfo>
+ </info>
- <title>The TrustedBSD MAC Framework</title>
+
- <sect1 id="mac-copyright">
+ <sect1 xml:id="mac-copyright">
<title>MAC Documentation Copyright</title>
<para>This documentation was developed for the FreeBSD Project by
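Review bot: the rewritten author entries (`<author><personname>...</personname><affiliation>` opened on one line, `</affiliation></author>` closed on another at a different indent) pack several elements per line, which makes the author list harder to read and to diff later; suggest one element per line with matching indentation, as in the removed markup. The added whitespace-only line after `</info>`, where the old `<title>` line was removed, can also be dropped.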
@@ -110,7 +99,7 @@
</important>
</sect1>
- <sect1 id="mac-synopsis">
+ <sect1 xml:id="mac-synopsis">
<title>Synopsis</title>
<para>FreeBSD includes experimental support for several
@@ -129,7 +118,7 @@
</sect1>
- <sect1 id="mac-introduction">
+ <sect1 xml:id="mac-introduction">
<title>Introduction</title>
<para>The TrustedBSD MAC framework provides a mechanism to allow
@@ -148,7 +137,7 @@
access control extension of the kernel.</para>
</sect1>
- <sect1 id="mac-background">
+ <sect1 xml:id="mac-background">
<title>Policy Background</title>
<para>Mandatory Access Control (MAC), refers to a set of
@@ -180,7 +169,7 @@
flexibility in how they authorize protections.</para>
</sect1>
- <sect1 id="mac-framework-kernel-arch">
+ <sect1 xml:id="mac-framework-kernel-arch">
<title>MAC Framework Kernel Architecture</title>
<para>The TrustedBSD MAC Framework permits kernel modules to
@@ -191,7 +180,7 @@
some definition of useful) compose the results of the
policies.</para>
- <sect2 id="mac-framework-kernel-arch-elements">
+ <sect2 xml:id="mac-framework-kernel-arch-elements">
<title>Kernel Elements</title>
<para>The MAC Framework contains a number of kernel elements:</para>
@@ -221,7 +210,7 @@
</itemizedlist>
</sect2>
- <sect2 id="mac-framework-kernel-arch-management">
+ <sect2 xml:id="mac-framework-kernel-arch-management">
<title>Framework Management Interfaces</title>
<para>The TrustedBSD MAC Framework may be directly managed using
@@ -247,7 +236,7 @@
events, including preventing undesired unloading of the policy.</para>
</sect2>
- <sect2 id="mac-framework-kernel-arch-synchronization">
+ <sect2 xml:id="mac-framework-kernel-arch-synchronization">
<title>Policy List Concurrency and Synchronization</title>
<para>As the set of active policies may change at run-time,
@@ -286,7 +275,7 @@
framework to become idle.</para>
</sect2>
- <sect2 id="mac-framework-kernel-arch-label-synchronization">
+ <sect2 xml:id="mac-framework-kernel-arch-label-synchronization">
<title>Label Synchronization</title>
<para>As kernel objects of interest may generally be accessed from
@@ -311,7 +300,7 @@
the label state attached to the credential.</para>
</sect2>
- <sect2 id="mac-framework-kernel-arch-policy-synchronization">
+ <sect2 xml:id="mac-framework-kernel-arch-policy-synchronization">
<title>Policy Synchronization and Concurrency</title>
<para>Policy modules must be written to assume that many
@@ -338,7 +327,7 @@
locks in the global lock order, helping to avoid deadlock.</para>
</sect2>
- <sect2 id="mac-framework-kernel-arch-registration">
+ <sect2 xml:id="mac-framework-kernel-arch-registration">
<title>Policy Registration</title>
<para>The MAC Framework maintains two lists of active
@@ -361,7 +350,7 @@
not unloadable.</para>
</sect2>
- <sect2 id="mac-framework-kernel-arch-entrypoints">
+ <sect2 xml:id="mac-framework-kernel-arch-entrypoints">
<title>Entry Points</title>
<para>Kernel services interact with the MAC Framework in two ways:
@@ -385,7 +374,7 @@
sockets and label transition at program execution.</para>
</sect2>
- <sect2 id="mac-framework-kernel-arch-composition">
+ <sect2 xml:id="mac-framework-kernel-arch-composition">
<title>Policy Composition</title>
<para>When more than one policy module is loaded into the kernel
@@ -406,7 +395,7 @@
composition.</para>
</sect2>
- <sect2 id="mac-framework-kernel-arch-labels">
+ <sect2 xml:id="mac-framework-kernel-arch-labels">
<title>Labeling Support</title>
<para>As many interesting access control extensions rely on
@@ -422,8 +411,8 @@
of string-based labels provides by user applications, and can
expose multiple label elements to applications if desired.</para>
- <para>In-memory labels are stored in slab-allocated <structname>struct
- label</structname>, which consists of a fixed-length array
+ <para>In-memory labels are stored in slab-allocated <varname remap="structname">struct
+ label</varname>, which consists of a fixed-length array
of unions, each holding a <literal>void *</literal> pointer
and a <literal>long</literal>. Policies registering for
label storage will be assigned a "slot" identifier, which
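Review bot: in the replacement `<varname remap="structname">struct` / `label</varname>`, the type name still breaks across two lines inside the element, so the rendered name depends on whitespace normalization; keep `struct label` on a single line inside the element. While this paragraph is being touched, the context line "string-based labels provides by user applications" should read "provided".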
@@ -483,7 +472,7 @@
unload-reload operations for labeled policies.</para></note>
</sect2>
- <sect2 id="mac-framework-kernel-arch-syscalls">
+ <sect2 xml:id="mac-framework-kernel-arch-syscalls">
<title>System Calls</title>
<para>The MAC Framework implements a number of system calls:
@@ -492,7 +481,7 @@
applications.</para>
<para>The label management calls accept a label description
- structure, <structname>struct mac</structname>, which
+ structure, <varname remap="structname">struct mac</varname>, which
contains a series of MAC label elements. Each element
contains a character string name, and character string
value. Each policy will be given the chance to claim a
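Review bot: `<varname remap="structname">struct mac</varname>` marks a type name as a variable, and only the `remap` attribute records what it really is. If the target schema offers a closer element for type names (for example `<type>`), use it here and in the other `structname` replacements; otherwise say in the commit message that `varname` is a deliberate stand-in.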
@@ -590,7 +579,7 @@
</sect2>
</sect1>
- <sect1 id="mac-policy-architecture">
+ <sect1 xml:id="mac-policy-architecture">
<title>MAC Policy Architecture</title>
<para>Security policies are either linked directly into the kernel,
@@ -618,7 +607,7 @@
points, and policy properties.</para></listitem>
</itemizedlist>
- <sect2 id="mac-policy-declaration">
+ <sect2 xml:id="mac-policy-declaration">
<title>Policy Declaration</title>
<para>Modules may be declared using the
@@ -670,7 +659,7 @@
processes.</para>
</sect2>
- <sect2 id="mac-policy-flags">
+ <sect2 xml:id="mac-policy-flags">
<title>Policy Flags</title>
<para>The policy declaration flags field permits the module to
@@ -737,7 +726,7 @@
to have label storage.</para></note>
</sect2>
- <sect2 id="mac-policy-entry-points">
+ <sect2 xml:id="mac-policy-entry-points">
<title>Policy Entry Points</title>
<para>Four classes of entry points are offered to policies
@@ -772,13 +761,13 @@
</sect2>
</sect1>
- <sect1 id="mac-entry-point-reference">
+ <sect1 xml:id="mac-entry-point-reference">
<title>MAC Policy Entry Point Reference</title>
- <sect2 id="mac-mpo-general">
+ <sect2 xml:id="mac-mpo-general">
<title>General-Purpose Module Entry Points</title>
- <sect3 id="mac-mpo-init">
+ <sect3 xml:id="mac-mpo-init">
<title><function>&mac.mpo;_init</function></title>
<funcsynopsis>
@@ -812,7 +801,7 @@
SYSINIT().</para>
</sect3>
- <sect3 id="mpo-destroy">
+ <sect3 xml:id="mpo-destroy">
<title><function>&mac.mpo;_destroy</function></title>
<funcsynopsis>
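Review bot: `xml:id="mpo-destroy"` on the added `<sect3>` line carries over an id without the `mac-` prefix that the neighbouring sections use (`mac-mpo-init`, `mac-mpo-syscall`). Since every id attribute is being rewritten in this change, either rename it to `mac-mpo-destroy` and update any `linkend` that points at it, or leave it and track the inconsistency as a follow-up.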
@@ -842,7 +831,7 @@
caution should be applied.</para>
</sect3>
- <sect3 id="mac-mpo-syscall">
+ <sect3 xml:id="mac-mpo-syscall">
<title><function>&mac.mpo;_syscall</function></title>
<funcsynopsis>
@@ -898,7 +887,7 @@
own.</para></note>
</sect3>
- <sect3 id="mac-mpo-thread-userret">
+ <sect3 xml:id="mac-mpo-thread-userret">
<title><function>&mac.mpo;_thread_userret</function></title>
<funcsynopsis>
@@ -948,10 +937,10 @@
</sect3>
</sect2>
- <sect2 id="mac-label-ops">
+ <sect2 xml:id="mac-label-ops">
<title>Label Operations</title>
- <sect3 id="mac-mpo-init-bpfdesc">
+ <sect3 xml:id="mac-mpo-init-bpfdesc">
<title><function>&mac.mpo;_init_bpfdesc_label</function></title>
<funcsynopsis>
@@ -981,7 +970,7 @@
descriptor). Sleeping is permitted.</para>
</sect3>
- <sect3 id="mac-mpo-init-cred-label">
+ <sect3 xml:id="mac-mpo-init-cred-label">
<title><function>&mac.mpo;_init_cred_label</function></title>
<funcsynopsis>
@@ -1011,7 +1000,7 @@
user credential. Sleeping is permitted.</para>
</sect3>
- <sect3 id="mac-mpo-init-devfsdirent">
+ <sect3 xml:id="mac-mpo-init-devfsdirent">
<title><function>&mac.mpo;_init_devfsdirent_label</function></title>
<funcsynopsis>
@@ -1041,7 +1030,7 @@
entry. Sleeping is permitted.</para>
</sect3>
- <sect3 id="mac-mpo-init-ifnet">
+ <sect3 xml:id="mac-mpo-init-ifnet">
<title><function>&mac.mpo;_init_ifnet_label</function></title>
<funcsynopsis>
@@ -1071,7 +1060,7 @@
interface. Sleeping is permitted.</para>
</sect3>
- <sect3 id="mac-mpo-init-ipq">
+ <sect3 xml:id="mac-mpo-init-ipq">
<title><function>&mac.mpo;_init_ipq_label</function></title>
<funcsynopsis>
@@ -1116,7 +1105,7 @@
the IP fragment reassembly queue.</para>
</sect3>
- <sect3 id="mac-mpo-init-mbuf">
+ <sect3 xml:id="mac-mpo-init-mbuf">
<title><function>&mac.mpo;_init_mbuf_label</function></title>
<funcsynopsis>
@@ -1162,7 +1151,7 @@
the mbuf header.</para>
</sect3>
- <sect3 id="mac-mpo-init-mount">
+ <sect3 xml:id="mac-mpo-init-mount">
<title><function>&mac.mpo;_init_mount_label</function></title>
<funcsynopsis>
@@ -1202,7 +1191,7 @@
point. Sleeping is permitted.</para>
</sect3>
- <sect3 id="mac-mpo-init-mount-fs-label">
+ <sect3 xml:id="mac-mpo-init-mount-fs-label">
<title><function>&mac.mpo;_init_mount_fs_label</function></title>
<funcsynopsis>
@@ -1232,7 +1221,7 @@
system. Sleeping is permitted</para>
</sect3>
- <sect3 id="mac-mpo-init-pipe-label">
+ <sect3 xml:id="mac-mpo-init-pipe-label">
<title><function>&mac.mpo;_init_pipe_label</function></title>
<funcsynopsis>
@@ -1262,7 +1251,7 @@
is permitted.</para>
</sect3>
- <sect3 id="mac-mpo-init-socket">
+ <sect3 xml:id="mac-mpo-init-socket">
<title><function>&mac.mpo;_init_socket_label</function></title>
<funcsynopsis>
@@ -1301,7 +1290,7 @@
during this initialization call.</para>
</sect3>
- <sect3 id="mac-mpo-init-socket-peer-label">
+ <sect3 xml:id="mac-mpo-init-socket-peer-label">
<title><function>&mac.mpo;_init_socket_peer_label</function></title>
<funcsynopsis>
@@ -1340,7 +1329,7 @@
during this initialization call.</para>
</sect3>
- <sect3 id="mac-mpo-init-proc-label">
+ <sect3 xml:id="mac-mpo-init-proc-label">
<title><function>&mac.mpo;_init_proc_label</function></title>
<funcsynopsis>
@@ -1371,7 +1360,7 @@
</sect3>
- <sect3 id="mac-mpo-init-vnode">
+ <sect3 xml:id="mac-mpo-init-vnode">
<title><function>&mac.mpo;_init_vnode_label</function></title>
<funcsynopsis>
@@ -1400,7 +1389,7 @@
<para>Initialize the label on a newly instantiated vnode. Sleeping
is permitted.</para>
</sect3>
- <sect3 id="mac-mpo-destroy-bpfdesc">
+ <sect3 xml:id="mac-mpo-destroy-bpfdesc">
<title><function>&mac.mpo;_destroy_bpfdesc_label</function></title>
<funcsynopsis>
@@ -1432,7 +1421,7 @@
destroyed.</para>
</sect3>
- <sect3 id="mac-mpo-destroy-cred">
+ <sect3 xml:id="mac-mpo-destroy-cred">
<title><function>&mac.mpo;_destroy_cred_label</function></title>
<funcsynopsis>
@@ -1465,7 +1454,7 @@
</sect3>
- <sect3 id="mac-mpo-destroy-devfsdirent">
+ <sect3 xml:id="mac-mpo-destroy-devfsdirent">
<title><function>&mac.mpo;_destroy_devfsdirent_label</function></title>
<funcsynopsis>
@@ -1497,7 +1486,7 @@
be destroyed.</para>
</sect3>
- <sect3 id="mac-mpo-destroy-ifnet-label">
+ <sect3 xml:id="mac-mpo-destroy-ifnet-label">
<title><function>&mac.mpo;_destroy_ifnet_label</function></title>
<funcsynopsis>
@@ -1529,7 +1518,7 @@
be destroyed.</para>
</sect3>
- <sect3 id="mac-mpo-destroy-ipq-label">
+ <sect3 xml:id="mac-mpo-destroy-ipq-label">
<title><function>&mac.mpo;_destroy_ipq_label</function></title>
<funcsynopsis>
@@ -1561,7 +1550,7 @@
it may be destroyed.</para>
</sect3>
- <sect3 id="mac-mpo-destroy-mbuf-label">
+ <sect3 xml:id="mac-mpo-destroy-mbuf-label">
<title><function>&mac.mpo;_destroy_mbuf_label</function></title>
<funcsynopsis>
@@ -1593,7 +1582,7 @@
be destroyed.</para>
</sect3>
- <sect3 id="mac-mpo-destroy-mount-label">
+ <sect3 xml:id="mac-mpo-destroy-mount-label">
<title><function>&mac.mpo;_destroy_mount_label</function></title>
<funcsynopsis>
@@ -1625,7 +1614,7 @@
may be destroyed.</para>
</sect3>
- <sect3 id="mac-mpo-destroy-mount">
+ <sect3 xml:id="mac-mpo-destroy-mount">
<title><function>&mac.mpo;_destroy_mount_label</function></title>
<funcsynopsis>
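Review bot: the section with `xml:id="mac-mpo-destroy-mount"` keeps the title `&mac.mpo;_destroy_mount_label`, which is identical to the title of the preceding `mac-mpo-destroy-mount-label` section, so the converted chapter has two sections with the same heading. The parameter documented for this section is `fslabel`, so the title probably should name the file system label entry point (likely `_destroy_mount_fs_label`, by analogy with `_init_mount_fs_label`); please confirm and fix the title in this or a follow-up change.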
@@ -1652,7 +1641,7 @@
<row>
<entry><parameter>fslabel</parameter></entry>
- <entry>File system label being destroyed></entry>
+ <entry>File system label being destroyed&gt;</entry>
</row>
</tbody>
</tgroup>
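Review bot: `destroyed&gt;</entry>` escapes what looks like a stray `>` typo in the old text (`destroyed></entry>`) instead of removing it, so the rendered table cell will still end in "destroyed>". Drop the character: `<entry>File system label being destroyed</entry>`.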
@@ -1665,7 +1654,7 @@
destroyed.</para>
</sect3>
- <sect3 id="mac-mpo-destroy-socket">
+ <sect3 xml:id="mac-mpo-destroy-socket">
<title><function>&mac.mpo;_destroy_socket_label</function></title>
<funcsynopsis>
@@ -1699,7 +1688,7 @@
destroyed.</para>
</sect3>
- <sect3 id="mac-mpo-destroy-socket-peer-label">
+ <sect3 xml:id="mac-mpo-destroy-socket-peer-label">
<title><function>&mac.mpo;_destroy_socket_peer_label</function></title>
<funcsynopsis>
@@ -1731,7 +1720,7 @@
be destroyed.</para>
</sect3>
- <sect3 id="mac-mpo-destroy-pipe-label">
+ <sect3 xml:id="mac-mpo-destroy-pipe-label">
<title><function>&mac.mpo;_destroy_pipe_label</function></title>
<funcsynopsis>
@@ -1763,7 +1752,7 @@
destroyed.</para>
</sect3>
- <sect3 id="mac-mpo-destroy-proc-label">
+ <sect3 xml:id="mac-mpo-destroy-proc-label">
<title><function>&mac.mpo;_destroy_proc_label</function></title>
<funcsynopsis>
@@ -1794,7 +1783,7 @@
destroyed.</para>
</sect3>
- <sect3 id="mac-mpo-destroy-vnode-label">
+ <sect3 xml:id="mac-mpo-destroy-vnode-label">
<title><function>&mac.mpo;_destroy_vnode_label</function></title>
<funcsynopsis>
@@ -1825,7 +1814,7 @@
destroyed.</para>
</sect3>
- <sect3 id="mac-mpo-copy-mbuf-label">
+ <sect3 xml:id="mac-mpo-copy-mbuf-label">
<title><function>&mac.mpo;_copy_mbuf_label</function></title>
<funcsynopsis>
@@ -1863,7 +1852,7 @@
<parameter>dest</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-copy-pipe-label">
+ <sect3 xml:id="mac-mpo-copy-pipe-label">
<title><function>&mac.mpo;_copy_pipe_label</function></title>
<funcsynopsis>
@@ -1901,7 +1890,7 @@
<parameter>dest</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-copy-vnode-label">
+ <sect3 xml:id="mac-mpo-copy-vnode-label">
<title><function>&mac.mpo;_copy_vnode_label</function></title>
<funcsynopsis>
@@ -1939,7 +1928,7 @@
<parameter>dest</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-externalize-cred-label">
+ <sect3 xml:id="mac-mpo-externalize-cred-label">
<title><function>&mac.mpo;_externalize_cred_label</function></title>
<funcsynopsis>
@@ -1962,7 +1951,7 @@
&mac.externalize.para;
</sect3>
- <sect3 id="mac-mpo-externalize-ifnet-label">
+ <sect3 xml:id="mac-mpo-externalize-ifnet-label">
<title><function>&mac.mpo;_externalize_ifnet_label</function></title>
<funcsynopsis>
@@ -1985,7 +1974,7 @@
&mac.externalize.para;
</sect3>
- <sect3 id="mac-mpo-externalize-pipe-label">
+ <sect3 xml:id="mac-mpo-externalize-pipe-label">
<title><function>&mac.mpo;_externalize_pipe_label</function></title>
<funcsynopsis>
@@ -2008,7 +1997,7 @@
&mac.externalize.para;
</sect3>
- <sect3 id="mac-mpo-externalize-socket-label">
+ <sect3 xml:id="mac-mpo-externalize-socket-label">
<title><function>&mac.mpo;_externalize_socket_label</function></title>
<funcsynopsis>
@@ -2031,7 +2020,7 @@
&mac.externalize.para;
</sect3>
- <sect3 id="mac-mpo-externalize-socket-peer-label">
+ <sect3 xml:id="mac-mpo-externalize-socket-peer-label">
<title><function>&mac.mpo;_externalize_socket_peer_label</function></title>
<funcsynopsis>
@@ -2054,7 +2043,7 @@
&mac.externalize.para;
</sect3>
- <sect3 id="mac-mpo-externalize-vnode-label">
+ <sect3 xml:id="mac-mpo-externalize-vnode-label">
<title><function>&mac.mpo;_externalize_vnode_label</function></title>
<funcsynopsis>
@@ -2077,7 +2066,7 @@
&mac.externalize.para;
</sect3>
- <sect3 id="mac-mpo-internalize-cred-label">
+ <sect3 xml:id="mac-mpo-internalize-cred-label">
<title><function>&mac.mpo;_internalize_cred_label</function></title>
<funcsynopsis>
@@ -2100,7 +2089,7 @@
&mac.internalize.para;
</sect3>
- <sect3 id="mac-mpo-internalize-ifnet-label">
+ <sect3 xml:id="mac-mpo-internalize-ifnet-label">
<title><function>&mac.mpo;_internalize_ifnet_label</function></title>
<funcsynopsis>
@@ -2123,7 +2112,7 @@
&mac.internalize.para;
</sect3>
- <sect3 id="mac-mpo-internalize-pipe-label">
+ <sect3 xml:id="mac-mpo-internalize-pipe-label">
<title><function>&mac.mpo;_internalize_pipe_label</function></title>
<funcsynopsis>
@@ -2146,7 +2135,7 @@
&mac.internalize.para;
</sect3>
- <sect3 id="mac-mpo-internalize-socket-label">
+ <sect3 xml:id="mac-mpo-internalize-socket-label">
<title><function>&mac.mpo;_internalize_socket_label</function></title>
<funcsynopsis>
@@ -2169,7 +2158,7 @@
&mac.internalize.para;
</sect3>
- <sect3 id="mac-mpo-internalize-vnode-label">
+ <sect3 xml:id="mac-mpo-internalize-vnode-label">
<title><function>&mac.mpo;_internalize_vnode_label</function></title>
<funcsynopsis>
@@ -2193,7 +2182,7 @@
</sect3>
</sect2>
- <sect2 id="mac-label-events">
+ <sect2 xml:id="mac-label-events">
<title>Label Events</title>
<para>This class of entry points is used by the MAC framework to
@@ -2264,10 +2253,10 @@ Label destruction o</programlisting>
<symbol>MAC_INTERNALIZE</symbol>, which accepts a user label
to be converted to an in-kernel representation.</para>
- <sect3 id="mac-fs-label-event-ops">
+ <sect3 xml:id="mac-fs-label-event-ops">
<title>File System Object Labeling Event Operations</title>
- <sect4 id="mac-mpo-associate-vnode-devfs">
+ <sect4 xml:id="mac-mpo-associate-vnode-devfs">
<title><function>&mac.mpo;_associate_vnode_devfs</function></title>
<funcsynopsis>
@@ -2338,7 +2327,7 @@ Label destruction o</programlisting>
label.</para>
</sect4>
- <sect4 id="mac-mpo-associate-vnode-extattr">
+ <sect4 xml:id="mac-mpo-associate-vnode-extattr">
<title><function>&mac.mpo;_associate_vnode_extattr</function></title>
<funcsynopsis>
@@ -2397,7 +2386,7 @@ Label destruction o</programlisting>
be returned.</para>
</sect4>
- <sect4 id="mac-mpo-associate-vnode-singlelabel">
+ <sect4 xml:id="mac-mpo-associate-vnode-singlelabel">
<title><function>&mac.mpo;_associate_vnode_singlelabel</function></title>
<funcsynopsis>
@@ -2452,7 +2441,7 @@ Label destruction o</programlisting>
</sect4>
- <sect4 id="mac-mpo-create-devfs-device">
+ <sect4 xml:id="mac-mpo-create-devfs-device">
<title><function>&mac.mpo;_create_devfs_device</function></title>
<funcsynopsis>
@@ -2499,7 +2488,7 @@ Label destruction o</programlisting>
available.</para>
</sect4>
- <sect4 id="mac-mpo-create-devfs-directory">
+ <sect4 xml:id="mac-mpo-create-devfs-directory">
<title><function>&mac.mpo;_create_devfs_directory</function></title>
<funcsynopsis>
@@ -2548,7 +2537,7 @@ Label destruction o</programlisting>
available.</para>
</sect4>
- <sect4 id="mac-mpo-create-devfs-symlink">
+ <sect4 xml:id="mac-mpo-create-devfs-symlink">
<title><function>&mac.mpo;_create_devfs_symlink</function></title>
<funcsynopsis>
@@ -2615,7 +2604,7 @@ Label destruction o</programlisting>
a newly created &man.devfs.5; symbolic link entry.</para>
</sect4>
- <sect4 id="mac-mpo-create-vnode-extattr">
+ <sect4 xml:id="mac-mpo-create-vnode-extattr">
<title><function>&mac.mpo;_create_vnode_extattr</function></title>
<funcsynopsis>
@@ -2700,7 +2689,7 @@ Label destruction o</programlisting>
return an appropriate error.</para>
</sect4>
- <sect4 id="mac-mpo-create-mount">
+ <sect4 xml:id="mac-mpo-create-mount">
<title><function>&mac.mpo;_create_mount</function></title>
<funcsynopsis>
@@ -2754,7 +2743,7 @@ Label destruction o</programlisting>
a new file system is mounted.</para>
</sect4>
- <sect4 id="mac-mpo-create-root-mount">
+ <sect4 xml:id="mac-mpo-create-root-mount">
<title><function>&mac.mpo;_create_root_mount</function></title>
<funcsynopsis>
@@ -2779,8 +2768,7 @@ Label destruction o</programlisting>
<tbody>
<row>
- <entry namest="first" nameend="last">See <xref
- linkend="mac-mpo-create-mount"/>.</entry>
+ <entry namest="first" nameend="last">See <xref linkend="mac-mpo-create-mount"/>.</entry>
</row>
</tbody>
</tgroup>
@@ -2792,7 +2780,7 @@ Label destruction o</programlisting>
&mac.mpo;_create_mount;.</para>
</sect4>
- <sect4 id="mac-mpo-relabel-vnode">
+ <sect4 xml:id="mac-mpo-relabel-vnode">
<title><function>&mac.mpo;_relabel_vnode</function></title>
<funcsynopsis>
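Review bot: the first context line, `&mac.mpo;_create_mount;.</para>`, has what looks like a stray `;` after `_create_mount`, which will render as a literal semicolon before the period. It is untouched by the conversion, but worth removing while the surrounding markup is being rewritten.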
@@ -2845,7 +2833,7 @@ Label destruction o</programlisting>
update vnode label and the passed subject credential.</para>
</sect4>
- <sect4 id="mac-mpo-setlabel-vnode-extattr">
+ <sect4 xml:id="mac-mpo-setlabel-vnode-extattr">
<title><function>&mac.mpo;_setlabel_vnode_extattr</function></title>
<funcsynopsis>
@@ -2900,7 +2888,7 @@ Label destruction o</programlisting>
<function>vop_stdcreatevnode_ea</function>.</para>
</sect4>
- <sect4 id="mac-mpo-update-devfsdirent">
+ <sect4 xml:id="mac-mpo-update-devfsdirent">
<title><function>&mac.mpo;_update_devfsdirent</function></title>
<funcsynopsis>
<funcprototype>
@@ -2961,11 +2949,11 @@ Label destruction o</programlisting>
</sect4>
</sect3>
- <sect3 id="mac-ipc-label-ops">
+ <sect3 xml:id="mac-ipc-label-ops">
<title>IPC Object Labeling Event Operations</title>
- <sect4 id="mac-mpo-create-mbuf-from-socket">
+ <sect4 xml:id="mac-mpo-create-mbuf-from-socket">
<title><function>&mac.mpo;_create_mbuf_from_socket</function></title>
<funcsynopsis>
@@ -3020,7 +3008,7 @@ Label destruction o</programlisting>
passed mbuf.</para>
</sect4>
- <sect4 id="mac-mpo-create-pipe">
+ <sect4 xml:id="mac-mpo-create-pipe">
<title><function>&mac.mpo;_create_pipe</function></title>
<funcsynopsis>
@@ -3066,7 +3054,7 @@ Label destruction o</programlisting>
created.</para>
</sect4>
- <sect4 id="mac-mpo-create-socket">
+ <sect4 xml:id="mac-mpo-create-socket">
<title><function>&mac.mpo;_create_socket</function></title>
<funcsynopsis>
@@ -3113,7 +3101,7 @@ Label destruction o</programlisting>
created.</para>
</sect4>
- <sect4 id="mac-mpo-create-socket-from-socket">
+ <sect4 xml:id="mac-mpo-create-socket-from-socket">
<title><function>&mac.mpo;_create_socket_from_socket</function></title>
<funcsynopsis>
@@ -3167,7 +3155,7 @@ Label destruction o</programlisting>
socket, <parameter>oldsocket</parameter>.</para>
</sect4>
- <sect4 id="mac-mpo-relabel-pipe">
+ <sect4 xml:id="mac-mpo-relabel-pipe">
<title><function>&mac.mpo;_relabel_pipe</function></title>
<funcsynopsis>
@@ -3220,7 +3208,7 @@ Label destruction o</programlisting>
<parameter>pipe</parameter>.</para>
</sect4>
- <sect4 id="mac-mpo-relabel-socket">
+ <sect4 xml:id="mac-mpo-relabel-socket">
<title><function>&mac.mpo;_relabel_socket</function></title>
<funcsynopsis>
@@ -3274,7 +3262,7 @@ Label destruction o</programlisting>
label update.</para>
</sect4>
- <sect4 id="mpo-set-socket-peer-from-mbuf">
+ <sect4 xml:id="mpo-set-socket-peer-from-mbuf">
<title><function>&mac.mpo;_set_socket_peer_from_mbuf</function></title>
<funcsynopsis>
@@ -3328,7 +3316,7 @@ Label destruction o</programlisting>
domain sockets.</para>
</sect4>
- <sect4 id="mac-mpo-set-socket-peer-from-socket">
+ <sect4 xml:id="mac-mpo-set-socket-peer-from-socket">
<title><function>&mac.mpo;_set_socket_peer_from_socket</function></title>
<funcsynopsis>
@@ -3385,10 +3373,10 @@ Label destruction o</programlisting>
</sect4>
</sect3>
- <sect3 id="mac-net-labeling-event-ops">
+ <sect3 xml:id="mac-net-labeling-event-ops">
<title>Network Object Labeling Event Operations</title>
- <sect4 id="mac-mpo-create-bpfdesc">
+ <sect4 xml:id="mac-mpo-create-bpfdesc">
<title><function>&mac.mpo;_create_bpfdesc</function></title>
<funcsynopsis>
@@ -3436,7 +3424,7 @@ Label destruction o</programlisting>
subject credential.</para>
</sect4>
- <sect4 id="mac-mpo-create-ifnet">
+ <sect4 xml:id="mac-mpo-create-ifnet">
<title><function>&mac.mpo;_create_ifnet</function></title>
<funcsynopsis>
@@ -3476,7 +3464,7 @@ Label destruction o</programlisting>
during the boot or as a result of a user action.</para>
</sect4>
- <sect4 id="mac-mpo-create-ipq">
+ <sect4 xml:id="mac-mpo-create-ipq">
<title><function>&mac.mpo;_create_ipq</function></title>
<funcsynopsis>
@@ -3530,7 +3518,7 @@ Label destruction o</programlisting>
fragment.</para>
</sect4>
- <sect4 id="mac-mpo-create-datagram-from-ipq">
+ <sect4 xml:id="mac-mpo-create-datagram-from-ipq">
<title><function>&mac.mpo;_create_datagram_from_ipq</function></title>
<funcsynopsis>
@@ -3584,7 +3572,7 @@ Label destruction o</programlisting>
generated.</para>
</sect4>
- <sect4 id="mac-mpo-create-fragment">
+ <sect4 xml:id="mac-mpo-create-fragment">
<title><function>&mac.mpo;_create_fragment</function></title>
<funcsynopsis>
@@ -3638,7 +3626,7 @@ Label destruction o</programlisting>
it was generate from.</para>
</sect4>
- <sect4 id="mac-mpo-create-mbuf-from-mbuf">
+ <sect4 xml:id="mac-mpo-create-mbuf-from-mbuf">
<title><function>&mac.mpo;_create_mbuf_from_mbuf</function></title>
<funcsynopsis>
@@ -3693,7 +3681,7 @@ Label destruction o</programlisting>
an mbuf is re-allocated for alignment purposes.</para>
</sect4>
- <sect4 id="mac-mpo-create-mbuf-linklayer">
+ <sect4 xml:id="mac-mpo-create-mbuf-linklayer">
<title><function>&mac.mpo;_create_mbuf_linklayer</function></title>
<funcsynopsis>
@@ -3749,7 +3737,7 @@ Label destruction o</programlisting>
IPv4 and IPv6 stacks.</para>
</sect4>
- <sect4 id="mac-mpo-create-mbuf-from-bpfdesc">
+ <sect4 xml:id="mac-mpo-create-mbuf-from-bpfdesc">
<title><function>&mac.mpo;_create_mbuf_from_bpfdesc</function></title>
<funcsynopsis>
@@ -3804,7 +3792,7 @@ Label destruction o</programlisting>
associated with the passed BPF descriptor.</para>
</sect4>
- <sect4 id="mac-mpo-create-mbuf-from-ifnet">
+ <sect4 xml:id="mac-mpo-create-mbuf-from-ifnet">
<title><function>&mac.mpo;_create_mbuf_from_ifnet</function></title>
<funcsynopsis>
@@ -3857,7 +3845,7 @@ Label destruction o</programlisting>
datagram generated from the passed network interface.</para>
</sect4>
- <sect4 id="mac-mpo-create-mbuf-multicast-encap">
+ <sect4 xml:id="mac-mpo-create-mbuf-multicast-encap">
<title><function>&mac.mpo;_create_mbuf_multicast_encap</function></title>
<funcsynopsis>
@@ -3929,7 +3917,7 @@ Label destruction o</programlisting>
delivered using the virtual interface.</para>
</sect4>
- <sect4 id="mac-mpo-create-mbuf-netlayer">
+ <sect4 xml:id="mac-mpo-create-mbuf-netlayer">
<title><function>&mac.mpo;_create_mbuf_netlayer</function></title>
<funcsynopsis>
@@ -3985,7 +3973,7 @@ Label destruction o</programlisting>
when responding to ICMP request datagrams.</para>
</sect4>
- <sect4 id="mac-mpo-fragment-match">
+ <sect4 xml:id="mac-mpo-fragment-match">
<title><function>&mac.mpo;_fragment_match</function></title>
<funcsynopsis>
@@ -4049,7 +4037,7 @@ Label destruction o</programlisting>
label or other information.</para>
</sect4>
- <sect4 id="mac-mpo-ifnet-relabel">
+ <sect4 xml:id="mac-mpo-ifnet-relabel">
<title><function>&mac.mpo;_relabel_ifnet</function></title>
<funcsynopsis>
@@ -4104,7 +4092,7 @@ Label destruction o</programlisting>
subject credential, <parameter>cred</parameter>.</para>
</sect4>
- <sect4 id="mac-mpo-update-ipq">
+ <sect4 xml:id="mac-mpo-update-ipq">
<title><function>&mac.mpo;_update_ipq</function></title>
<funcsynopsis>
@@ -4160,10 +4148,10 @@ Label destruction o</programlisting>
</sect4>
</sect3>
- <sect3 id="mac-proc-labeling-event-ops">
+ <sect3 xml:id="mac-proc-labeling-event-ops">
<title>Process Labeling Event Operations</title>
- <sect4 id="mac-mpo-create-cred">
+ <sect4 xml:id="mac-mpo-create-cred">
<title><function>&mac.mpo;_create_cred</function></title>
<funcsynopsis>
@@ -4203,7 +4191,7 @@ Label destruction o</programlisting>
process forking or creation event.</para>
</sect4>
- <sect4 id="mac-mpo-execve-transition">
+ <sect4 xml:id="mac-mpo-execve-transition">
<title><function>&mac.mpo;_execve_transition</function></title>
<funcsynopsis>
@@ -4271,7 +4259,7 @@ Label destruction o</programlisting>
<function>mpo_execve_will_transition</function>.</para>
</sect4>
- <sect4 id="mac-mpo-execve-will-transition">
+ <sect4 xml:id="mac-mpo-execve-will-transition">
<title><function>&mac.mpo;_execve_will_transition</function></title>
<funcsynopsis>
@@ -4326,7 +4314,7 @@ Label destruction o</programlisting>
transition.</para>
</sect4>
- <sect4 id="mac-mpo-create-proc0">
+ <sect4 xml:id="mac-mpo-create-proc0">
<title><function>&mac.mpo;_create_proc0</function></title>
<funcsynopsis>
@@ -4356,7 +4344,7 @@ Label destruction o</programlisting>
of all kernel processes.</para>
</sect4>
- <sect4 id="mac-mpo-create-proc1">
+ <sect4 xml:id="mac-mpo-create-proc1">
<title><function>&mac.mpo;_create_proc1</function></title>
<funcsynopsis>
@@ -4386,7 +4374,7 @@ Label destruction o</programlisting>
of all user processes.</para>
</sect4>
- <sect4 id="mac-mpo-relabel-cred">
+ <sect4 xml:id="mac-mpo-relabel-cred">
<title><function>&mac.mpo;_relabel_cred</function></title>
<funcsynopsis>
@@ -4427,7 +4415,7 @@ Label destruction o</programlisting>
</sect3>
</sect2>
- <sect2 id="mac-access-control-checks">
+ <sect2 xml:id="mac-access-control-checks">
<title>Access Control Checks</title>
<para>Access control entry points permit policy modules to
@@ -4455,15 +4443,15 @@ Label destruction o</programlisting>
<entry><errorcode>EDEADLK</errorcode></entry></row>
<row>
- <entry></entry>
+ <entry/>
<entry><errorcode>EINVAL</errorcode></entry>
</row>
<row>
- <entry></entry>
+ <entry/>
<entry><errorcode>ESRCH</errorcode></entry>
</row>
<row>
- <entry></entry>
+ <entry/>
<entry>EACCES</entry>
</row>
<row>
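Review bot: in the error table rows changed here, `<entry>EACCES</entry>` is the only error code not wrapped in `<errorcode>`, unlike `EDEADLK`, `EINVAL` and `ESRCH` beside it, so it will render differently from its siblings. Suggest `<entry><errorcode>EACCES</errorcode></entry>` in the same pass that rewrites the empty `<entry/>` cells.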
@@ -4481,7 +4469,7 @@ Label destruction o</programlisting>
failures, invalid arguments, object not present, access not
permitted, other.</para>
- <sect3 id="mac-mpo-bpfdesc-check-receive-from-ifnet">
+ <sect3 xml:id="mac-mpo-bpfdesc-check-receive-from-ifnet">
<title><function>&mac.mpo;_check_bpfdesc_receive</function></title>
<funcsynopsis>
@@ -4539,7 +4527,7 @@ Label destruction o</programlisting>
<errorcode>EPERM</errorcode> for lack of privilege.</para>
</sect3>
- <sect3 id="mac-mpo-check-kenv-dump">
+ <sect3 xml:id="mac-mpo-check-kenv-dump">
<title><function>&mac.mpo;_check_kenv_dump</function></title>
<funcsynopsis>
@@ -4569,7 +4557,7 @@ Label destruction o</programlisting>
retrieve the kernel environment (see &man.kenv.2;).</para>
</sect3>
- <sect3 id="mac-mpo-check-kenv-get">
+ <sect3 xml:id="mac-mpo-check-kenv-get">
<title><function>&mac.mpo;_check_kenv_get</function></title>
<funcsynopsis>
@@ -4606,7 +4594,7 @@ Label destruction o</programlisting>
variable.</para>
</sect3>
- <sect3 id="mac-mpo-check-kenv-set">
+ <sect3 xml:id="mac-mpo-check-kenv-set">
<title><function>&mac.mpo;_check_kenv_set</function></title>
<funcsynopsis>
@@ -4642,7 +4630,7 @@ Label destruction o</programlisting>
the specified kernel environment variable.</para>
</sect3>
- <sect3 id="mac-mpo-check-kenv-unset">
+ <sect3 xml:id="mac-mpo-check-kenv-unset">
<title><function>&mac.mpo;_check_kenv_unset</function></title>
<funcsynopsis>
@@ -4678,7 +4666,7 @@ Label destruction o</programlisting>
the specified kernel environment variable.</para>
</sect3>
- <sect3 id="mac-mpo-check-kld-load">
+ <sect3 xml:id="mac-mpo-check-kld-load">
<title><function>&mac.mpo;_check_kld_load</function></title>
<funcsynopsis>
@@ -4723,7 +4711,7 @@ Label destruction o</programlisting>
the specified module file.</para>
</sect3>
- <sect3 id="mac-mpo-check-kld-stat">
+ <sect3 xml:id="mac-mpo-check-kld-stat">
<title><function>&mac.mpo;_check_kld_stat</function></title>
<funcsynopsis>
@@ -4754,7 +4742,7 @@ Label destruction o</programlisting>
statistics.</para>
</sect3>
- <sect3 id="mac-mpo-check-kld-unload">
+ <sect3 xml:id="mac-mpo-check-kld-unload">
<title><function>&mac.mpo;_check_kld_unload</function></title>
<funcsynopsis>
@@ -4784,7 +4772,7 @@ Label destruction o</programlisting>
unload a kernel module.</para>
</sect3>
- <sect3 id="mac-mpo-check-pipe-ioctl">
+ <sect3 xml:id="mac-mpo-check-pipe-ioctl">
<title><function>&mac.mpo;_check_pipe_ioctl</function></title>
<funcsynopsis>
@@ -4842,7 +4830,7 @@ Label destruction o</programlisting>
the specified &man.ioctl.2; call.</para>
</sect3>
- <sect3 id="mac-mpo-check-pipe-poll">
+ <sect3 xml:id="mac-mpo-check-pipe-poll">
<title><function>&mac.mpo;_check_pipe_poll</function></title>
<funcsynopsis>
@@ -4887,7 +4875,7 @@ Label destruction o</programlisting>
<parameter>pipe</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-check-pipe-read">
+ <sect3 xml:id="mac-mpo-check-pipe-read">
<title><function>&mac.mpo;_check_pipe_read</function></title>
<funcsynopsis>
@@ -4932,7 +4920,7 @@ Label destruction o</programlisting>
access to <parameter>pipe</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-check-pipe-relabel">
+ <sect3 xml:id="mac-mpo-check-pipe-relabel">
<title><function>&mac.mpo;_check_pipe_relabel</function></title>
<funcsynopsis>
@@ -4985,7 +4973,7 @@ Label destruction o</programlisting>
relabel <parameter>pipe</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-check-pipe-stat">
+ <sect3 xml:id="mac-mpo-check-pipe-stat">
<title><function>&mac.mpo;_check_pipe_stat</function></title>
<funcsynopsis>
@@ -5031,7 +5019,7 @@ Label destruction o</programlisting>
<parameter>pipe</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-check-pipe-write">
+ <sect3 xml:id="mac-mpo-check-pipe-write">
<title><function>&mac.mpo;_check_pipe_write</function></title>
<funcsynopsis>
@@ -5076,7 +5064,7 @@ Label destruction o</programlisting>
to <parameter>pipe</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-socket-bind">
+ <sect3 xml:id="mac-mpo-cred-check-socket-bind">
<title><function>&mac.mpo;_check_socket_bind</function></title>
<funcsynopsis>
@@ -5128,7 +5116,7 @@ Label destruction o</programlisting>
</sect3>
- <sect3 id="mac-mpo-cred-check-socket-connect">
+ <sect3 xml:id="mac-mpo-cred-check-socket-connect">
<title><function>&mac.mpo;_check_socket_connect</function></title>
<funcsynopsis>
@@ -5187,7 +5175,7 @@ Label destruction o</programlisting>
<errorcode>EPERM</errorcode> for lack of privilege.</para>
</sect3>
- <sect3 id="mac-mpo-check-socket-receive">
+ <sect3 xml:id="mac-mpo-check-socket-receive">
<title><function>&mac.mpo;_check_socket_receive</function></title>
<funcsynopsis>
@@ -5233,7 +5221,7 @@ Label destruction o</programlisting>
<parameter>so</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-check-socket-send">
+ <sect3 xml:id="mac-mpo-check-socket-send">
<title><function>&mac.mpo;_check_socket_send</function></title>
<funcsynopsis>
@@ -5279,7 +5267,7 @@ Label destruction o</programlisting>
<parameter>so</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-check-cred-visible">
+ <sect3 xml:id="mac-mpo-check-cred-visible">
<title><function>&mac.mpo;_check_cred_visible</function></title>
<funcsynopsis>
@@ -5326,7 +5314,7 @@ Label destruction o</programlisting>
and in procfs lookups.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-socket-visible">
+ <sect3 xml:id="mac-mpo-cred-check-socket-visible">
<title><function>&mac.mpo;_check_socket_visible</function></title>
<funcsynopsis>
@@ -5369,7 +5357,7 @@ Label destruction o</programlisting>
</sect3>
- <sect3 id="mac-mpo-cred-check-ifnet-relabel">
+ <sect3 xml:id="mac-mpo-cred-check-ifnet-relabel">
<title><function>&mac.mpo;_check_ifnet_relabel</function></title>
<funcsynopsis>
@@ -5422,7 +5410,7 @@ Label destruction o</programlisting>
passed network interface to the passed label update.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-socket-relabel">
+ <sect3 xml:id="mac-mpo-cred-check-socket-relabel">
<title><function>&mac.mpo;_check_socket_relabel</function></title>
<funcsynopsis>
@@ -5475,7 +5463,7 @@ Label destruction o</programlisting>
passed socket to the passed label update.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-cred-relabel">
+ <sect3 xml:id="mac-mpo-cred-check-cred-relabel">
<title><function>&mac.mpo;_check_cred_relabel</function></title>
<funcsynopsis>
@@ -5514,7 +5502,7 @@ Label destruction o</programlisting>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-relabel">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-relabel">
<title><function>&mac.mpo;_check_vnode_relabel</function></title>
<funcsynopsis>
@@ -5569,7 +5557,7 @@ Label destruction o</programlisting>
passed vnode to the passed label update.</para>
</sect3>
- <sect3 id="mpo-cred-check-mount-stat">
+ <sect3 xml:id="mpo-cred-check-mount-stat">
<title><function>&mac.mpo;_check_mount_stat</function></title>
<funcsynopsis>
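Review bot: the converted `xml:id="mpo-cred-check-mount-stat"` lacks the `mac-` prefix that the other sect3 anchors in this patch carry (for example `mac-mpo-cred-check-vnode-relabel` and `mac-mpo-cred-check-proc-debug`); `mpo-cred-check-vnode-getacl` has the same gap. Keeping the old value is correct for a mechanical id to xml:id pass, but the inconsistency deserves a follow-up that renames both anchors and updates any links that point at them.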
@@ -5622,7 +5610,7 @@ Label destruction o</programlisting>
systems, such as when &man.getfsstat.2; is invoked. </para>
</sect3>
- <sect3 id="mac-mpo-cred-check-proc-debug">
+ <sect3 xml:id="mac-mpo-cred-check-proc-debug">
<title><function>&mac.mpo;_check_proc_debug</function></title>
<funcsynopsis>
@@ -5668,7 +5656,7 @@ Label destruction o</programlisting>
operations.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-access">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-access">
<title><function>&mac.mpo;_check_vnode_access</function></title>
<funcsynopsis>
@@ -5727,7 +5715,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-chdir">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-chdir">
<title><function>&mac.mpo;_check_vnode_chdir</function></title>
<funcsynopsis>
@@ -5777,7 +5765,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-check-vnode-chroot">
+ <sect3 xml:id="mac-mpo-check-vnode-chroot">
<title><function>&mac.mpo;_check_vnode_chroot</function></title>
<funcsynopsis>
@@ -5823,7 +5811,7 @@ Label destruction o</programlisting>
(<parameter>dvp</parameter>).</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-create">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-create">
<title><function>&mac.mpo;_check_vnode_create</function></title>
<funcsynopsis>
@@ -5892,7 +5880,7 @@ Label destruction o</programlisting>
others.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-delete">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-delete">
<title><function>&mac.mpo;_check_vnode_delete</function></title>
<funcsynopsis>
@@ -5970,7 +5958,7 @@ Label destruction o</programlisting>
rename.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-deleteacl">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-deleteacl">
<title><function>&mac.mpo;_check_vnode_deleteacl</function></title>
<funcsynopsis>
@@ -6025,7 +6013,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-exec">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-exec">
<title><function>&mac.mpo;_check_vnode_exec</function></title>
<funcsynopsis>
@@ -6076,7 +6064,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mpo-cred-check-vnode-getacl">
+ <sect3 xml:id="mpo-cred-check-vnode-getacl">
<title><function>&mac.mpo;_check_vnode_getacl</function></title>
<funcsynopsis>
@@ -6133,7 +6121,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-getextattr">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-getextattr">
<title><function>&mac.mpo;_check_vnode_getextattr</function></title>
<funcsynopsis>
@@ -6207,7 +6195,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-check-vnode-link">
+ <sect3 xml:id="mac-mpo-check-vnode-link">
<title><function>&mac.mpo;_check_vnode_link</function></title>
<funcsynopsis>
@@ -6275,7 +6263,7 @@ Label destruction o</programlisting>
the name specified by <parameter>cnp</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-check-vnode-mmap">
+ <sect3 xml:id="mac-mpo-check-vnode-mmap">
<title><function>&mac.mpo;_check_vnode_mmap</function></title>
<funcsynopsis>
@@ -6327,7 +6315,7 @@ Label destruction o</programlisting>
specified in <parameter>prot</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-check-vnode-mmap-downgrade">
+ <sect3 xml:id="mac-mpo-check-vnode-mmap-downgrade">
<title><function>&mac.mpo;_check_vnode_mmap_downgrade</function></title>
<funcsynopsis>
@@ -6376,7 +6364,7 @@ Label destruction o</programlisting>
object labels.</para>
</sect3>
- <sect3 id="mac-mpo-check-vnode-mprotect">
+ <sect3 xml:id="mac-mpo-check-vnode-mprotect">
<title><function>&mac.mpo;_check_vnode_mprotect</function></title>
<funcsynopsis>
@@ -6422,7 +6410,7 @@ Label destruction o</programlisting>
the vnode <parameter>vp</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-check-vnode-poll">
+ <sect3 xml:id="mac-mpo-check-vnode-poll">
<title><function>&mac.mpo;_check_vnode_poll</function></title>
<funcsynopsis>
@@ -6475,7 +6463,7 @@ Label destruction o</programlisting>
the vnode <parameter>vp</parameter>.</para>
</sect3>
- <sect3 id="mac-mpo-check-vnode-rename-from">
+ <sect3 xml:id="mac-mpo-check-vnode-rename-from">
<title><function>&mac.mpo;_check_vnode_rename_from</function></title>
<funcsynopsis>
@@ -6544,7 +6532,7 @@ Label destruction o</programlisting>
else.</para>
</sect3>
- <sect3 id="mac-mpo-check-vnode-rename-to">
+ <sect3 xml:id="mac-mpo-check-vnode-rename-to">
<title><function>&mac.mpo;_check_vnode_rename_to</function></title>
<funcsynopsis>
@@ -6622,7 +6610,7 @@ Label destruction o</programlisting>
<parameter>label</parameter> will be NULL.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-socket-listen">
+ <sect3 xml:id="mac-mpo-cred-check-socket-listen">
<title><function>&mac.mpo;_check_socket_listen</function></title>
<funcsynopsis>
@@ -6671,7 +6659,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-lookup">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-lookup">
<title><function>&mac.mpo;_check_vnode_lookup</function></title>
<funcsynopsis>
@@ -6680,11 +6668,11 @@ Label destruction o</programlisting>
<function>&mac.mpo;_check_vnode_lookup</function></funcdef>
<paramdef>struct ucred
- *<parameter></parameter>cred</paramdef>
+ *<parameter/>cred</paramdef>
<paramdef>struct vnode
- *<parameter></parameter>dvp</paramdef>
+ *<parameter/>dvp</paramdef>
<paramdef>struct label
- *<parameter></parameter>dlabel</paramdef>
+ *<parameter/>dlabel</paramdef>
<paramdef>struct componentname
*<parameter>cnp</parameter></paramdef>
</funcprototype>
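Review bot: the three changed paramdefs turn `<parameter></parameter>cred` into `<parameter/>cred`, which keeps the original markup bug: the element stays empty and the name sits outside it as plain text. The unchanged `cnp` line in the same prototype shows the intended form, so these should read `*<parameter>cred</parameter>`, `*<parameter>dvp</parameter>` and `*<parameter>dlabel</parameter>`; otherwise the names get no parameter formatting in the rendered synopsis.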
@@ -6728,7 +6716,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-open">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-open">
<title><function>&mac.mpo;_check_vnode_open</function></title>
<funcsynopsis>
@@ -6784,7 +6772,7 @@ Label destruction o</programlisting>
<errorcode>EPERM</errorcode> for lack of privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-readdir">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-readdir">
<title><function>&mac.mpo;_check_vnode_readdir</function></title>
<funcsynopsis>
@@ -6793,11 +6781,11 @@ Label destruction o</programlisting>
<function>&mac.mpo;_check_vnode_readdir</function></funcdef>
<paramdef>struct ucred
- *<parameter></parameter>cred</paramdef>
+ *<parameter/>cred</paramdef>
<paramdef>struct vnode
- *<parameter></parameter>dvp</paramdef>
+ *<parameter/>dvp</paramdef>
<paramdef>struct label
- *<parameter></parameter>dlabel</paramdef>
+ *<parameter/>dlabel</paramdef>
</funcprototype>
</funcsynopsis>
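Review bot: every paramdef of this prototype (`cred`, `dvp`, `dlabel`) ends up as an empty `<parameter/>` followed by the bare name, so none of the argument names is marked up as a parameter. Move each name inside the element, as in `*<parameter>dvp</parameter>`, rather than collapsing the empty tag pair.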
@@ -6834,7 +6822,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-readlink">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-readlink">
<title><function>&mac.mpo;_check_vnode_readlink</function></title>
<funcsynopsis>
@@ -6888,7 +6876,7 @@ Label destruction o</programlisting>
process.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-revoke">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-revoke">
<title><function>&mac.mpo;_check_vnode_revoke</function></title>
<funcsynopsis>
@@ -6938,7 +6926,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-setacl">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-setacl">
<title><function>&mac.mpo;_check_vnode_setacl</function></title>
<funcsynopsis>
@@ -7002,7 +6990,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-setextattr">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-setextattr">
<title><function>&mac.mpo;_check_vnode_setextattr</function></title>
<funcsynopsis>
@@ -7080,7 +7068,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-setflags">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-setflags">
<title><function>&mac.mpo;_check_vnode_setflags</function></title>
<funcsynopsis>
@@ -7136,7 +7124,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-setmode">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-setmode">
<title><function>&mac.mpo;_check_vnode_setmode</function></title>
<funcsynopsis>
@@ -7191,7 +7179,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-setowner">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-setowner">
<title><function>&mac.mpo;_check_vnode_setowner</function></title>
<funcsynopsis>
@@ -7253,7 +7241,7 @@ Label destruction o</programlisting>
of privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-setutimes">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-setutimes">
<title><function>&mac.mpo;_check_vnode_setutimes</function></title>
<funcsynopsis>
@@ -7262,15 +7250,15 @@ Label destruction o</programlisting>
<function>&mac.mpo;_check_vnode_setutimes</function></funcdef>
<paramdef>struct ucred
- *<parameter></parameter>cred</paramdef>
+ *<parameter/>cred</paramdef>
<paramdef>struct vnode
- *<parameter></parameter>vp</paramdef>
+ *<parameter/>vp</paramdef>
<paramdef>struct label
- *<parameter></parameter>label</paramdef>
+ *<parameter/>label</paramdef>
<paramdef>struct timespec
- <parameter></parameter>atime</paramdef>
+ <parameter/>atime</paramdef>
<paramdef>struct timespec
- <parameter></parameter>mtime</paramdef>
+ <parameter/>mtime</paramdef>
</funcprototype>
</funcsynopsis>
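Review bot: all five arguments here (`cred`, `vp`, `label`, `atime`, `mtime`) are rewritten to `<parameter/>name`, so the self-closing form preserves an empty element with the name left outside it. The name belongs inside the element, for example `<parameter>atime</parameter>`, so that the synopsis is marked up the same way as the prototypes elsewhere in the chapter.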
@@ -7317,7 +7305,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-proc-sched">
+ <sect3 xml:id="mac-mpo-cred-check-proc-sched">
<title><function>&mac.mpo;_check_proc_sched</function></title>
<funcsynopsis>
@@ -7361,7 +7349,7 @@ Label destruction o</programlisting>
<para>See &man.setpriority.2; for more information.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-proc-signal">
+ <sect3 xml:id="mac-mpo-cred-check-proc-signal">
<title><function>&mac.mpo;_check_proc_signal</function></title>
<funcsynopsis>
@@ -7409,7 +7397,7 @@ Label destruction o</programlisting>
<errorcode>ESRCH</errorcode> to limit visibility.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-vnode-stat">
+ <sect3 xml:id="mac-mpo-cred-check-vnode-stat">
<title><function>&mac.mpo;_check_vnode_stat</function></title>
<funcsynopsis>
@@ -7461,7 +7449,7 @@ Label destruction o</programlisting>
<para>See &man.stat.2; for more information.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-ifnet-transmit">
+ <sect3 xml:id="mac-mpo-cred-check-ifnet-transmit">
<title><function>&mac.mpo;_check_ifnet_transmit</function></title>
<funcsynopsis>
@@ -7525,7 +7513,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-cred-check-socket-deliver">
+ <sect3 xml:id="mac-mpo-cred-check-socket-deliver">
<title><function>&mac.mpo;_check_socket_deliver</function></title>
<funcsynopsis>
@@ -7590,7 +7578,7 @@ Label destruction o</programlisting>
privilege.</para>
</sect3>
- <sect3 id="mac-mpo-check-socket-visible">
+ <sect3 xml:id="mac-mpo-check-socket-visible">
<title><function>&mac.mpo;_check_socket_visible</function></title>
<funcsynopsis>
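Review bot: the title in this hunk, `&mac.mpo;_check_socket_visible`, is identical to the title of the earlier section whose anchor is `mac-mpo-cred-check-socket-visible`, so after conversion the chapter still documents one entry point name under two different xml:id values. Decide which section is canonical and merge the two, or retitle whichever one describes a different check, so that cross references and the table of contents are not ambiguous.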
@@ -7643,7 +7631,7 @@ Label destruction o</programlisting>
<errorcode>ESRCH</errorcode> to hide visibility.</para>
</sect3>
- <sect3 id="mac-mpo-check-system-acct">
+ <sect3 xml:id="mac-mpo-check-system-acct">
<title><function>&mac.mpo;_check_system_acct</function></title>
<funcsynopsis>
@@ -7689,7 +7677,7 @@ Label destruction o</programlisting>
accounting log file.</para>
</sect3>
- <sect3 id="mac-mpo-check-system-nfsd">
+ <sect3 xml:id="mac-mpo-check-system-nfsd">
<title><function>&mac.mpo;_check_system_nfsd</function></title>
<funcsynopsis>
@@ -7719,7 +7707,7 @@ Label destruction o</programlisting>
&man.nfssvc.2;.</para>
</sect3>
- <sect3 id="mac-mpo-check-system-reboot">
+ <sect3 xml:id="mac-mpo-check-system-reboot">
<title><function>&mac.mpo;_check_system_reboot</function></title>
<funcsynopsis>
@@ -7756,7 +7744,7 @@ Label destruction o</programlisting>
reboot the system in the specified manner.</para>
</sect3>
- <sect3 id="mac-mpo-check-system-settime">
+ <sect3 xml:id="mac-mpo-check-system-settime">
<title><function>&mac.mpo;_check_system_settime</function></title>
<funcsynopsis>
@@ -7786,7 +7774,7 @@ Label destruction o</programlisting>
system clock.</para>
</sect3>
- <sect3 id="mac-mpo-check-system-swapon">
+ <sect3 xml:id="mac-mpo-check-system-swapon">
<title><function>&mac.mpo;_check_system_swapon</function></title>
<funcsynopsis>
@@ -7831,7 +7819,7 @@ Label destruction o</programlisting>
<parameter>vp</parameter> as a swap device.</para>
</sect3>
- <sect3 id="mac-mpo-check-system-sysctl">
+ <sect3 xml:id="mac-mpo-check-system-sysctl">
<title><function>&mac.mpo;_check_system_sysctl</function></title>
<funcsynopsis>
@@ -7902,7 +7890,7 @@ Label destruction o</programlisting>
</sect3>
</sect2>
- <sect2 id="mac-label-management">
+ <sect2 xml:id="mac-label-management">
<title>Label Management Calls</title>
<para>Relabel events occur when a user process has requested
@@ -7919,7 +7907,7 @@ Label destruction o</programlisting>
</sect2>
</sect1>
- <sect1 id="mac-userland-arch">
+ <sect1 xml:id="mac-userland-arch">
<title>Userland Architecture</title>
<para>The TrustedBSD MAC Framework includes a number of
@@ -7931,7 +7919,7 @@ Label destruction o</programlisting>
interfaces. More details on the user architecture will
be added to this section in the near future.</para>
- <sect2 id="mac-userland-labels">
+ <sect2 xml:id="mac-userland-labels">
<title>APIs for Policy-Agnostic Label Management</title>
<para>The TrustedBSD MAC Framework provides a number of
@@ -7980,7 +7968,7 @@ Label destruction o</programlisting>
writers.</para></note>
</sect2>
- <sect2 id="mac-userland-credentials">
+ <sect2 xml:id="mac-userland-credentials">
<title>Binding of Labels to Users</title>
<para>The standard user context management interface,
@@ -8001,7 +7989,7 @@ Label destruction o</programlisting>
</sect2>
</sect1>
- <sect1 id="mac-conclusion">
+ <sect1 xml:id="mac-conclusion">
<title>Conclusion</title>
<para>The TrustedBSD MAC framework permits kernel modules to