
CANON: /DEV/POLICY DRIVER COMPONENT

The driver component, which gets loaded into the kernel as a loadable
kernel module (LKM) as the device /dev/policy, is implemented in policy.c, policy_driver.c and policy_policy.c.

policy.c contains mainly necessary stuff for having a device driver in BSD.

policy_driver.c contains the following:

1) policy_check_filter_impl: this is the funtion that is called out to by the kernel when canon is in use (policy_in_use == 1)   This function creates a new context (a datastructure containing all of the ip packet info which is then put on the queue for consideration by the policy daemon component).

2) policyread: this function sends packet information out to the policy daemon or policy daemons.  It supports up to MAX_POLICY_CONTEXTS (256) concurrent connections, assuming there are no errors (there shouldn't be since we are merely doing local reads and writes) -- since theoretically more than one policy daemon can be running in userland.  it simply keeps sending out packet info to the daemon.

3) policywrite: the policy daemon writes the response into this function after reading the packet info and checking with keynote.  after dfw_write receives the response, it either sends the packet to the multiplexor, or drops the packet on an "accept" and "deny" response, respectively.  Afterwards, it cleans up the context used for that session.

policy_routines.c contains functions for creating, writing to, and destroying contexts.  it also contains functions for managing sessions and enqueuing contexts.

policy_inet.c contains policy_check_inet_impl which is the funtion that is called out to by the kernel when canon is in use (policy_in_use == 1) from ipv4input in ip_input.c in /sys/netinet - it enforces ipv4 accesses.  It also includes stuff for caching inet decisions

policy_filesystem.c contains policy_check_filesystem_impl which is the function called from VOP_ACCESS in vnode_if.c in the /sys/kern directory for enforcing filesystem accesses.  also includes stuff for caching filesystem accesses
