Introduce support for Mandatory Access Control and extensible
kernel access control. Label BPF descriptor objects, permitting security features to be maintained on those objects. bd_label will be used to authorize data flow from network interfaces to user processes. BPF labels are protected using the same synchronization model as other mutable data in the BPF descriptor. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
This commit is contained in:
Robert Watson
parent
55fb783052
commit
39bd868cc3
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=100991
@ -44,6 +44,7 @@
|
||||
#define _NET_BPFDESC_H_
|
||||
|
||||
#include <sys/callout.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/selinfo.h>
|
||||
|
||||
/*
|
||||
@ -92,6 +93,7 @@ struct bpf_d {
|
||||
#endif
|
||||
struct mtx bd_mtx; /* mutex for this descriptor */
|
||||
struct callout bd_callout; /* for BPF timeouts with select */
|
||||
struct label bd_label; /* MAC label for descriptor */
|
||||
};
|
||||
|
||||
/* Values for bd_state */
|
||||
|
||||
Loading…
Reference in New Issue
Block a user