Resort and organize some sections:

- Move Userland Architecture down to the Userland APIs section.

- Push most of the Policy-related subsections into the MAC Policy
  Architecture section.  Tweak a little language so it makes
  sense.
Robert Watson 2003-04-20 18:01:22 +00:00
parent a7b83db368
commit 96eb481cbd
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=16626
2 changed files with 424 additions and 416 deletions


@ -268,88 +268,6 @@
</sect2>
</sect1>
<sect1 id="mac-userland-arch">
<title>Userland Architecture</title>
<para>The TrustedBSD MAC Framework includes a number of
policy-agnostic elements, including MAC library interfaces
for abstractly managing labels, modifications to the system
credential management and login libraries to support the
assignment of MAC labels to users, and a set of tools to
monitor and modify labels on processes, files, and network
interfaces. More details on the user architecture will
be added to this section in the near future.</para>
<sect2 id="mac-userland-labels">
<title>APIs for Policy-Agnostic Label Management</title>
<para>The TrustedBSD MAC Framework provides a number of
library and system calls permitting applications to
manage MAC labels on objects using a poloicy-agnostic
interface. This permits applications to manipulate
labels for a variety of policies without being
written to support specific policies. These interfaces
are used by general-purpose tools such as &man.ifconfig.8;,
&man.ls.1; and &man.ps.1; to view labels on network
interfaces, files, and processes. The APIs also support
MAC management tools including &man.getfmac.8;,
&man.getpmac.8;, &man.setfmac.8;, &man.setfsmac.8;,
and &man.setpmac.8;. The MAC APIs are documented in
&man.mac.3;.</para>
<para>Applications handle MAC labels in two forms: an
internalized form used to return and set labels on
processes and objects (<literal>mac_t</literal>),
and externalized form based on C strings appropriate for
storage in configuration files, display to the user, or
input from the user. Each MAC label contains a number of
elements, each consisting of a name and value pair.
Policy modules in the kernel bind to specific names
and interpret the values in policy-specific ways. In
the externalized string form, labels are represented
by a comma-delimited list of name and value pairs separated
by the <literal>/</literal> character. Labels may be
directly converted to and from text using provided APIs;
when retrieving labels from the kernel, internalized
label storage must first be prepared for the desired
label element set. Typically, this is done in one of
two ways: using &man.mac.prepare.3; and an arbitrary
list of desired label elements, or one of the variants
of the call that loads a default element set from the
&man.mac.conf.5; configuration file. Per-object
defaults permit application writers to usefully display
labels associated with objects without being aware of
the policies present in the system.</para>
<note><para>Currently, direct manipulation of label elements
other than by conversion to a text string, string editing,
and conversion back to an internalized label is not supported
by the MAC library. Such interfaces may be added in the
future if they prove necessary for application
writers.</para></note>
</sect2>
<sect2 id="mac-userland-credentials">
<title>Binding of Labels to Users</title>
<para>The standard user context management interface,
&man.setusercontext.3;, has been modified to retrieve
MAC labels associated with a user's class from
&man.login.conf.5;. These labels are then set along
with other user context when either
<literal>LOGIN_SETALL</literal> is specified, or when
<literal>LOGIN_SETMAC</literal> is explicitly
specified.</para>
<note><para>It is expected that, in a future version of FreeBSD,
the MAC label database will be separated from the
<filename>login.conf</filename> user class abstraction,
and be maintained in a separate database. However, the
&man.setusercontext.3; API should remain the same
following such a change.</para></note>
</sect2>
</sect1>
<sect1 id="mac-policy-architecture">
<title>MAC Policy Architecture</title>
@ -377,10 +295,9 @@
<listitem><para>Declaration of poicy identity, module entry
points, and policy properties.</para></listitem>
</itemizedlist>
</sect1>
<sect1 id="mac-policy-declaration">
<title>MAC Policy Declaration</title>
<sect2 id="mac-policy-declaration">
<title>Policy Declaration</title>
<para>Modules may be declared using the
<function>MAC_POLICY_SET()</function> macro, which names the
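Review bot: The first context line of this hunk, `Declaration of poicy identity, module entry`, misspells "policy"; since the neighbouring sections are being restructured in this commit, correct it in the same pass. The demoted section keeps id="mac-policy-declaration" while its title becomes "Policy Declaration", so existing links to that id still resolve and nothing further is needed there.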
@ -429,10 +346,14 @@
via the kernel log during load and unload events, and also
exported when providing status information to userland
processes.</para>
</sect2>
<para>The policy flags field permits the module to provide the
framework with information about its capabilities at the
time the module is loaded. Currently, three flags are
<sect2 id="mac-policy-flags">
<title>Policy Flags</title>
<para>The policy declaration flags field permits the module to
provide the framework with information about its capabilities at
the time the module is loaded. Currently, three flags are
defined:</para>
<variablelist>
@ -452,7 +373,8 @@
<varlistentry>
<term>MPC_LOADTIME_FLAG_NOTLATE</term>
<listitem><para>This flag indicates that the policy module
<listitem>
<para>This flag indicates that the policy module
must be loaded and initialized early in the boot
process. If the flag is specified, attempts to register
the module following boot will be rejected. The flag
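Review bot: Splitting `<listitem><para>This flag indicates that the policy module` onto two lines under MPC_LOADTIME_FLAG_NOTLATE is a whitespace-only change inside a commit described as a reorganization. If the other varlistentry items keep the one-line form, this leaves the list inconsistent, so either reflow all of them or leave this entry alone.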
@ -479,7 +401,6 @@
useful in some environments.</para>
</listitem>
</varlistentry>
</variablelist>
<note><para>Policies using the
@ -492,10 +413,10 @@
is loaded before the network subsystem is active (i.e., the
policy is not being loaded late), then all Mbufs are guaranteed
to have label storage.</para></note>
</sect1>
</sect2>
<sect1 id="mac-policy-entry-points">
<title>MAC Policy Entry Points</title>
<sect2 id="mac-policy-entry-points">
<title>Policy Entry Points</title>
<para>Four classes of entry points are offered to policies
registered with the framework: entry points associated with
@ -529,6 +450,7 @@
Policies that do not implement labels on kernel objects will
be passed NULL pointers for label arguments to entry
points.</para>
</sect2>
</sect1>
<sect1 id="mac-entry-point-reference">
@ -7654,6 +7576,88 @@ Label destruction o</programlisting>
</sect2>
</sect1>
<sect1 id="mac-userland-arch">
<title>Userland Architecture</title>
<para>The TrustedBSD MAC Framework includes a number of
policy-agnostic elements, including MAC library interfaces
for abstractly managing labels, modifications to the system
credential management and login libraries to support the
assignment of MAC labels to users, and a set of tools to
monitor and modify labels on processes, files, and network
interfaces. More details on the user architecture will
be added to this section in the near future.</para>
<sect2 id="mac-userland-labels">
<title>APIs for Policy-Agnostic Label Management</title>
<para>The TrustedBSD MAC Framework provides a number of
library and system calls permitting applications to
manage MAC labels on objects using a poloicy-agnostic
interface. This permits applications to manipulate
labels for a variety of policies without being
written to support specific policies. These interfaces
are used by general-purpose tools such as &man.ifconfig.8;,
&man.ls.1; and &man.ps.1; to view labels on network
interfaces, files, and processes. The APIs also support
MAC management tools including &man.getfmac.8;,
&man.getpmac.8;, &man.setfmac.8;, &man.setfsmac.8;,
and &man.setpmac.8;. The MAC APIs are documented in
&man.mac.3;.</para>
<para>Applications handle MAC labels in two forms: an
internalized form used to return and set labels on
processes and objects (<literal>mac_t</literal>),
and externalized form based on C strings appropriate for
storage in configuration files, display to the user, or
input from the user. Each MAC label contains a number of
elements, each consisting of a name and value pair.
Policy modules in the kernel bind to specific names
and interpret the values in policy-specific ways. In
the externalized string form, labels are represented
by a comma-delimited list of name and value pairs separated
by the <literal>/</literal> character. Labels may be
directly converted to and from text using provided APIs;
when retrieving labels from the kernel, internalized
label storage must first be prepared for the desired
label element set. Typically, this is done in one of
two ways: using &man.mac.prepare.3; and an arbitrary
list of desired label elements, or one of the variants
of the call that loads a default element set from the
&man.mac.conf.5; configuration file. Per-object
defaults permit application writers to usefully display
labels associated with objects without being aware of
the policies present in the system.</para>
<note><para>Currently, direct manipulation of label elements
other than by conversion to a text string, string editing,
and conversion back to an internalized label is not supported
by the MAC library. Such interfaces may be added in the
future if they prove necessary for application
writers.</para></note>
</sect2>
<sect2 id="mac-userland-credentials">
<title>Binding of Labels to Users</title>
<para>The standard user context management interface,
&man.setusercontext.3;, has been modified to retrieve
MAC labels associated with a user's class from
&man.login.conf.5;. These labels are then set along
with other user context when either
<literal>LOGIN_SETALL</literal> is specified, or when
<literal>LOGIN_SETMAC</literal> is explicitly
specified.</para>
<note><para>It is expected that, in a future version of FreeBSD,
the MAC label database will be separated from the
<filename>login.conf</filename> user class abstraction,
and be maintained in a separate database. However, the
&man.setusercontext.3; API should remain the same
following such a change.</para></note>
</sect2>
</sect1>
<sect1 id="mac-userland-api">
<title>Userland APIs</title>
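Review bot: The re-added paragraph under "APIs for Policy-Agnostic Label Management" still reads `manage MAC labels on objects using a poloicy-agnostic`; correct it to "policy-agnostic" as part of the move, since the text is being reintroduced line for line. The following paragraph's "and externalized form based on C strings" is also missing "an" before "externalized".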


@ -268,88 +268,6 @@
</sect2>
</sect1>
<sect1 id="mac-userland-arch">
<title>Userland Architecture</title>
<para>The TrustedBSD MAC Framework includes a number of
policy-agnostic elements, including MAC library interfaces
for abstractly managing labels, modifications to the system
credential management and login libraries to support the
assignment of MAC labels to users, and a set of tools to
monitor and modify labels on processes, files, and network
interfaces. More details on the user architecture will
be added to this section in the near future.</para>
<sect2 id="mac-userland-labels">
<title>APIs for Policy-Agnostic Label Management</title>
<para>The TrustedBSD MAC Framework provides a number of
library and system calls permitting applications to
manage MAC labels on objects using a poloicy-agnostic
interface. This permits applications to manipulate
labels for a variety of policies without being
written to support specific policies. These interfaces
are used by general-purpose tools such as &man.ifconfig.8;,
&man.ls.1; and &man.ps.1; to view labels on network
interfaces, files, and processes. The APIs also support
MAC management tools including &man.getfmac.8;,
&man.getpmac.8;, &man.setfmac.8;, &man.setfsmac.8;,
and &man.setpmac.8;. The MAC APIs are documented in
&man.mac.3;.</para>
<para>Applications handle MAC labels in two forms: an
internalized form used to return and set labels on
processes and objects (<literal>mac_t</literal>),
and externalized form based on C strings appropriate for
storage in configuration files, display to the user, or
input from the user. Each MAC label contains a number of
elements, each consisting of a name and value pair.
Policy modules in the kernel bind to specific names
and interpret the values in policy-specific ways. In
the externalized string form, labels are represented
by a comma-delimited list of name and value pairs separated
by the <literal>/</literal> character. Labels may be
directly converted to and from text using provided APIs;
when retrieving labels from the kernel, internalized
label storage must first be prepared for the desired
label element set. Typically, this is done in one of
two ways: using &man.mac.prepare.3; and an arbitrary
list of desired label elements, or one of the variants
of the call that loads a default element set from the
&man.mac.conf.5; configuration file. Per-object
defaults permit application writers to usefully display
labels associated with objects without being aware of
the policies present in the system.</para>
<note><para>Currently, direct manipulation of label elements
other than by conversion to a text string, string editing,
and conversion back to an internalized label is not supported
by the MAC library. Such interfaces may be added in the
future if they prove necessary for application
writers.</para></note>
</sect2>
<sect2 id="mac-userland-credentials">
<title>Binding of Labels to Users</title>
<para>The standard user context management interface,
&man.setusercontext.3;, has been modified to retrieve
MAC labels associated with a user's class from
&man.login.conf.5;. These labels are then set along
with other user context when either
<literal>LOGIN_SETALL</literal> is specified, or when
<literal>LOGIN_SETMAC</literal> is explicitly
specified.</para>
<note><para>It is expected that, in a future version of FreeBSD,
the MAC label database will be separated from the
<filename>login.conf</filename> user class abstraction,
and be maintained in a separate database. However, the
&man.setusercontext.3; API should remain the same
following such a change.</para></note>
</sect2>
</sect1>
<sect1 id="mac-policy-architecture">
<title>MAC Policy Architecture</title>
@ -377,10 +295,9 @@
<listitem><para>Declaration of poicy identity, module entry
points, and policy properties.</para></listitem>
</itemizedlist>
</sect1>
<sect1 id="mac-policy-declaration">
<title>MAC Policy Declaration</title>
<sect2 id="mac-policy-declaration">
<title>Policy Declaration</title>
<para>Modules may be declared using the
<function>MAC_POLICY_SET()</function> macro, which names the
@ -429,10 +346,14 @@
via the kernel log during load and unload events, and also
exported when providing status information to userland
processes.</para>
</sect2>
<para>The policy flags field permits the module to provide the
framework with information about its capabilities at the
time the module is loaded. Currently, three flags are
<sect2 id="mac-policy-flags">
<title>Policy Flags</title>
<para>The policy declaration flags field permits the module to
provide the framework with information about its capabilities at
the time the module is loaded. Currently, three flags are
defined:</para>
<variablelist>
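Review bot: The new `<sect2 id="mac-policy-flags">` opens with "The policy declaration flags field", but the declaration text now sits in the preceding section, so a reader who lands directly on Policy Flags has no referent for "policy declaration". Add a link back to `mac-policy-declaration` in that first sentence, or say which declaration is meant.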
@ -452,7 +373,8 @@
<varlistentry>
<term>MPC_LOADTIME_FLAG_NOTLATE</term>
<listitem><para>This flag indicates that the policy module
<listitem>
<para>This flag indicates that the policy module
must be loaded and initialized early in the boot
process. If the flag is specified, attempts to register
the module following boot will be rejected. The flag
@ -479,7 +401,6 @@
useful in some environments.</para>
</listitem>
</varlistentry>
</variablelist>
<note><para>Policies using the
@ -492,10 +413,10 @@
is loaded before the network subsystem is active (i.e., the
policy is not being loaded late), then all Mbufs are guaranteed
to have label storage.</para></note>
</sect1>
</sect2>
<sect1 id="mac-policy-entry-points">
<title>MAC Policy Entry Points</title>
<sect2 id="mac-policy-entry-points">
<title>Policy Entry Points</title>
<para>Four classes of entry points are offered to policies
registered with the framework: entry points associated with
@ -529,6 +450,7 @@
Policies that do not implement labels on kernel objects will
be passed NULL pointers for label arguments to entry
points.</para>
</sect2>
</sect1>
<sect1 id="mac-entry-point-reference">
@ -7654,6 +7576,88 @@ Label destruction o</programlisting>
</sect2>
</sect1>
<sect1 id="mac-userland-arch">
<title>Userland Architecture</title>
<para>The TrustedBSD MAC Framework includes a number of
policy-agnostic elements, including MAC library interfaces
for abstractly managing labels, modifications to the system
credential management and login libraries to support the
assignment of MAC labels to users, and a set of tools to
monitor and modify labels on processes, files, and network
interfaces. More details on the user architecture will
be added to this section in the near future.</para>
<sect2 id="mac-userland-labels">
<title>APIs for Policy-Agnostic Label Management</title>
<para>The TrustedBSD MAC Framework provides a number of
library and system calls permitting applications to
manage MAC labels on objects using a poloicy-agnostic
interface. This permits applications to manipulate
labels for a variety of policies without being
written to support specific policies. These interfaces
are used by general-purpose tools such as &man.ifconfig.8;,
&man.ls.1; and &man.ps.1; to view labels on network
interfaces, files, and processes. The APIs also support
MAC management tools including &man.getfmac.8;,
&man.getpmac.8;, &man.setfmac.8;, &man.setfsmac.8;,
and &man.setpmac.8;. The MAC APIs are documented in
&man.mac.3;.</para>
<para>Applications handle MAC labels in two forms: an
internalized form used to return and set labels on
processes and objects (<literal>mac_t</literal>),
and externalized form based on C strings appropriate for
storage in configuration files, display to the user, or
input from the user. Each MAC label contains a number of
elements, each consisting of a name and value pair.
Policy modules in the kernel bind to specific names
and interpret the values in policy-specific ways. In
the externalized string form, labels are represented
by a comma-delimited list of name and value pairs separated
by the <literal>/</literal> character. Labels may be
directly converted to and from text using provided APIs;
when retrieving labels from the kernel, internalized
label storage must first be prepared for the desired
label element set. Typically, this is done in one of
two ways: using &man.mac.prepare.3; and an arbitrary
list of desired label elements, or one of the variants
of the call that loads a default element set from the
&man.mac.conf.5; configuration file. Per-object
defaults permit application writers to usefully display
labels associated with objects without being aware of
the policies present in the system.</para>
<note><para>Currently, direct manipulation of label elements
other than by conversion to a text string, string editing,
and conversion back to an internalized label is not supported
by the MAC library. Such interfaces may be added in the
future if they prove necessary for application
writers.</para></note>
</sect2>
<sect2 id="mac-userland-credentials">
<title>Binding of Labels to Users</title>
<para>The standard user context management interface,
&man.setusercontext.3;, has been modified to retrieve
MAC labels associated with a user's class from
&man.login.conf.5;. These labels are then set along
with other user context when either
<literal>LOGIN_SETALL</literal> is specified, or when
<literal>LOGIN_SETMAC</literal> is explicitly
specified.</para>
<note><para>It is expected that, in a future version of FreeBSD,
the MAC label database will be separated from the
<filename>login.conf</filename> user class abstraction,
and be maintained in a separate database. However, the
&man.setusercontext.3; API should remain the same
following such a change.</para></note>
</sect2>
</sect1>
<sect1 id="mac-userland-api">
<title>Userland APIs</title>
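Review bot: The commit message says Userland Architecture moves "down to the Userland APIs section", but this hunk places `<sect1 id="mac-userland-arch">` as a separate top-level section that closes with `</sect1>` before `<sect1 id="mac-userland-api">` opens. If nesting was intended, make it a subsection of Userland APIs; if a sibling section is intended, reword the message to say it now precedes Userland APIs. The carried-over sentence "More details on the user architecture will be added to this section in the near future" is also worth revisiting while the section is being touched.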