diff --git a/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml b/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml index 17e956af7d..478a4b8f6a 100644 --- a/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml +++ b/en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml @@ -438,13 +438,13 @@ be manually dereferenced to access the credential label. This may change in future revisions of the MAC Framework. - Initialization entry points frequently include a blocking + Initialization entry points frequently include a sleeping disposition flag indicating whether or not an initialization - is permitted to block; if blocking is not permitted, a failure + is permitted to sleep; if sleeping is not permitted, a failure may be returned to cancel allocation of the label (and hence object). This may occur, for example, in the network stack during interrupt - handling, where blocking is not permitted, or while the caller + handling, where sleeping is not permitted, or while the caller holds a mutex. Due to the performance cost of maintaining labels on in-flight network packets (Mbufs), policies must specifically declare a @@ -721,7 +721,11 @@ Policy load event. The policy list mutex is held, so - caution should be applied. + sleep operations cannot be performed, and calls out to other + kernel subsystems must be made with caution. If potentially + sleeping memory allocations are required during policy + initialization, they should be made using a separate module + SYSINIT(). @@ -781,7 +785,7 @@ call - Syscall number + Policy-specific syscall number 
@@ -838,13 +842,25 @@ This entry point permits policy modules to perform - MAC-related events when a thread returns to user space. + MAC-related events when a thread returns to user space, via + a system call return, trap return, or otherwise. This is required for policies that have floating process labels, as it is not always possible to acquire the process lock at arbitrary points in the stack during system call processing; process labels might represent traditional authentication data, process history information, or other - data. + data. To employ this mechanism, intended changes to the + process credential label may be stored in the + p_label protected by a per-policy spin + lock, and then set the per-thread + TDF_ASTPENDING flag and per-process + PS_MACPENDM flag to schedule a call + to the userret entry point. From this entry point, the + policy may create a replacement credential with less + concern about the locking context. Policy writers are + cautioned that event ordering relating to scheduling an + AST and the AST being performed may be complex and + interlaced in multithreaded applications. @@ -878,7 +894,7 @@ Initialize the label on a newly instantiated bpfdesc (BPF - descriptor) + descriptor). Sleeping is permitted. @@ -908,7 +924,7 @@ Initialize the label for a newly instantiated - user credential. + user credential. Sleeping is permitted. @@ -938,7 +954,7 @@ Initialize the label on a newly instantiated devfs - entry. + entry. Sleeping is permitted. @@ -968,7 +984,7 @@ Initialize the label on a newly instantiated network - interface. + interface. Sleeping is permitted. @@ -997,7 +1013,7 @@ flag - Blocking/non-blocking &man.malloc.9;; see + Sleeping/non-sleeping &man.malloc.9;; see below 
@@ -1007,11 +1023,11 @@ Initialize the label on a newly instantiated IP fragment reassembly queue. The flag field may be one of M_WAITOK and M_NOWAIT, - and should be employed to avoid performing a blocking + and should be employed to avoid performing a sleeping &man.malloc.9; during this initialization call. IP fragment reassembly queue allocation frequently occurs in performance sensitive environments, and the implementation should be careful - to avoid blocking or long-lived operations. This entry point + to avoid sleeping or long-lived operations. This entry point is permitted to fail resulting in the failure to allocate the IP fragment reassembly queue. @@ -1037,7 +1053,7 @@ flag - Blocking/non-blocking &man.malloc.9;; see + Sleeping/non-sleeping &man.malloc.9;; see below @@ -1053,11 +1069,11 @@ header (mbuf). The flag field may be one of M_WAITOK and M_NOWAIT, and - should be employed to avoid performing a blocking + should be employed to avoid performing a sleeping &man.malloc.9; during this initialization call. Mbuf allocation frequently occurs in performance sensitive environments, and the implementation should be careful to - avoid blocking or long-lived operations. This entry point + avoid sleeping or long-lived operations. This entry point is permitted to fail resulting in the failure to allocate the mbuf header. @@ -1099,7 +1115,7 @@ Initialize the labels on a newly instantiated mount - point. + point. Sleeping is permitted. @@ -1129,7 +1145,7 @@ Initialize the label on a newly mounted file - system. + system. Sleeping is permitted @@ -1158,7 +1174,8 @@ - Initialize a label for a newly instantiated pipe. + Initialize a label for a newly instantiated pipe. Sleeping + is permitted. @@ -1194,7 +1211,10 @@ Initialize a label for a newly instantiated - socket. + socket. The flag field may be one of + M_WAITOK and M_NOWAIT, and + should be employed to avoid performing a sleeping &man.malloc.9; + during this initialization call. 
@@ -1230,7 +1250,10 @@ Initialize the peer label for a newly instantiated - socket. + socket. The flag field may be one of + M_WAITOK and M_NOWAIT, and + should be employed to avoid performing a sleeping &man.malloc.9; + during this initialization call. @@ -1260,7 +1283,7 @@ Initialize the label for a newly instantiated - process. + process. Sleeping is permitted. @@ -1290,7 +1313,8 @@ - Initialize the label on a newly instantiated vnode. + Initialize the label on a newly instantiated vnode. Sleeping + is permitted. <function>&mac.mpo;_destroy_bpfdesc_label</function>
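Review bot: in the hunk at @@ -721,7 +721,11 @@ (policy load event), the new text tells module authors to move sleeping allocations into a separate module SYSINIT() but gives no cross-reference, while the rest of this file points at kernel interfaces through manual-page entities such as &man.malloc.9;; consider referencing SYSINIT(9) the same way so readers can find its ordering rules. The phrase "calls out to other kernel subsystems must be made with caution" would also be more useful if it stated the constraint the preceding clause implies: with the policy list mutex held, any callee that may sleep is unsafe.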
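Review bot: in the hunk at @@ -838,13 +842,25 @@ (userret entry point), the sentence "intended changes to the process credential label may be stored in the p_label protected by a per-policy spin lock, and then set the per-thread TDF_ASTPENDING flag and per-process PS_MACPENDM flag" switches from passive voice to an imperative with no subject. Suggest splitting it: "...may be stored in p_label, protected by a per-policy spin lock; the policy then sets the per-thread TDF_ASTPENDING flag and the per-process PS_MACPENDM flag to schedule a call to the userret entry point."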
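Review bot: in the hunk at @@ -1129,7 +1145,7 @@ (newly mounted file system), the added "Sleeping is permitted" lacks the trailing period that every other "Sleeping is permitted." sentence in this patch has.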
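Review bot: in the hunk at @@ -1194,7 +1211,10 @@ (socket label init), the new text refers to "the flag field" taking M_WAITOK or M_NOWAIT, but unlike the IP fragment queue (@@ -1007) and mbuf (@@ -1053) hunks, this hunk does not update a parameter table row for flag. If the socket init entry point takes a flag argument, its parameter table should describe it the same way ("Sleeping/non-sleeping &man.malloc.9;; see below"); if it does not, the added sentence should be dropped.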
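Review bot: in the hunk at @@ -1230,7 +1250,10 @@ (socket peer label init), the added sentence about "the flag field" and M_WAITOK/M_NOWAIT is not matched by a parameter table change in this diff, whereas the IP fragment queue and mbuf entry points in this same patch got both the description text and a "flag" table row. Either add the table row for this entry point or confirm that the parameter is not actually present and remove the sentence.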