cvs commit: src/sys/conf options src/sys/kern kern_exec.c
src/sys/security/mac mac_framework.c mac_framework.h mac_inet.c
mac_internal.h mac_net.c mac_pipe.c mac_policy.h mac_posix_sem.c
mac_posix_shm.c mac_process.c mac_socket.c mac_syscalls.c ...
Robert Watson
rwatson at FreeBSD.org
Sat Aug 23 15:27:37 UTC 2008
rwatson 2008-08-23 15:26:36 UTC
FreeBSD src repository
Modified files:
  sys/conf                       options
  sys/kern                       kern_exec.c
  sys/security/mac               mac_framework.c mac_framework.h
                                 mac_inet.c mac_internal.h mac_net.c
                                 mac_pipe.c mac_policy.h mac_posix_sem.c
                                 mac_posix_shm.c mac_process.c
                                 mac_socket.c mac_syscalls.c
                                 mac_sysv_msg.c mac_sysv_sem.c
                                 mac_sysv_shm.c mac_vfs.c
  sys/security/mac_biba          mac_biba.c
  sys/security/mac_bsdextended   mac_bsdextended.c
  sys/security/mac_ifoff         mac_ifoff.c
  sys/security/mac_lomac         mac_lomac.c
  sys/security/mac_mls           mac_mls.c
  sys/security/mac_none          mac_none.c
  sys/security/mac_partition     mac_partition.c
  sys/security/mac_portacl       mac_portacl.c
  sys/security/mac_seeotheruids  mac_seeotheruids.c
  sys/security/mac_stub          mac_stub.c
  sys/security/mac_test          mac_test.c
Log:
  SVN rev 182063 on 2008-08-23 15:26:36Z by rwatson

  Introduce two related changes to the TrustedBSD MAC Framework:

  (1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
      so that the general exec code isn't aware of the details of
      allocating, copying, and freeing labels, rather, simply passes in
      a void pointer to start and stop functions that will be used by
      the framework.  This change will be MFC'd.

  (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
      allowing policies to declare which types of objects require label
      allocation, initialization, and destruction, and define a set of
      flags covering various supported object types (MPC_OBJECT_PROC,
      MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...).  This change reduces the
      overhead of compiling the MAC Framework into the kernel if policies
      aren't loaded, or if policies require labels on only a small number
      or even no object types.  Each time a policy is loaded or unloaded,
      we recalculate a mask of labeled object types across all policies
      present in the system.  Eliminate MAC_ALWAYS_LABEL_MBUF option as it
      is no longer required.

  MFC after:      1 week ((1) only)
  Reviewed by:    csjp
  Obtained from:  TrustedBSD Project
  Sponsored by:   Apple, Inc.
  Revision  Changes    Path
  1.637     +0 -1      src/sys/conf/options
  1.322     +5 -7      src/sys/kern/kern_exec.c
  1.137     +15 -30    src/sys/security/mac/mac_framework.c
  1.101     +4 -6      src/sys/security/mac/mac_framework.h
  1.21      +46 -28    src/sys/security/mac/mac_inet.c
  1.125     +5 -3      src/sys/security/mac/mac_internal.h
  1.132     +34 -23    src/sys/security/mac/mac_net.c
  1.114     +8 -3      src/sys/security/mac/mac_pipe.c
  1.111     +37 -8     src/sys/security/mac/mac_policy.h
  1.15      +8 -3      src/sys/security/mac/mac_posix_sem.c
  1.2       +8 -3      src/sys/security/mac/mac_posix_shm.c
  1.123     +40 -6     src/sys/security/mac/mac_process.c
  1.12      +28 -11    src/sys/security/mac/mac_socket.c
  1.137     +28 -0     src/sys/security/mac/mac_syscalls.c
  1.11      +17 -6     src/sys/security/mac/mac_sysv_msg.c
  1.10      +8 -3      src/sys/security/mac/mac_sysv_sem.c
  1.9       +8 -3      src/sys/security/mac/mac_sysv_shm.c
  1.126     +25 -9     src/sys/security/mac/mac_vfs.c
  1.122     +21 -1     src/sys/security/mac_biba/mac_biba.c
  1.44      +1 -1      src/sys/security/mac_bsdextended/mac_bsdextended.c
  1.17      +1 -1      src/sys/security/mac_ifoff/mac_ifoff.c
  1.65      +21 -1     src/sys/security/mac_lomac/mac_lomac.c
  1.104     +21 -1     src/sys/security/mac_mls/mac_mls.c
  1.38      +1 -1      src/sys/security/mac_none/mac_none.c
  1.24      +26 -7     src/sys/security/mac_partition/mac_partition.c
  1.19      +1 -1      src/sys/security/mac_portacl/mac_portacl.c
  1.19      +1 -1      src/sys/security/mac_seeotheruids/mac_seeotheruids.c
  1.84      +22 -1     src/sys/security/mac_stub/mac_stub.c
  1.99      +22 -1     src/sys/security/mac_test/mac_test.c
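
Added example, not part of the commit or of FreeBSD's source: a user-space C model of change (2), showing why the labeled-object mask is recomputed across all policies on each load or unload instead of having an unloading policy clear its own bits. Only the MPC_OBJECT_* names come from the log; the bit values, struct policy, the sample policies and every function name are hypothetical.

```c
/* User-space model of per-policy labeled-object flags; not FreeBSD kernel code. */
#include <stddef.h>
#include <stdint.h>

/* Flag names are from the commit log; the bit values are constructed. */
#define MPC_OBJECT_PROC   0x01u
#define MPC_OBJECT_VNODE  0x02u
#define MPC_OBJECT_INPCB  0x04u
#define MAX_POLICIES      8

struct policy {                 /* hypothetical stand-in for a policy's config */
    const char *name;
    uint32_t    labeled;        /* object types this policy needs labels on */
};

/* Constructed sample policies; both want vnode labels. */
const struct policy pol_a = { "a", MPC_OBJECT_PROC | MPC_OBJECT_VNODE };
const struct policy pol_b = { "b", MPC_OBJECT_VNODE };

static const struct policy *loaded[MAX_POLICIES];
static uint32_t labeled_mask;   /* union of flags over all loaded policies */

/* Rebuild the mask from scratch so a bit shared by two policies survives
 * the unload of one of them. */
static void recalc_mask(void)
{
    uint32_t m = 0;
    for (size_t i = 0; i < MAX_POLICIES; i++)
        if (loaded[i] != NULL)
            m |= loaded[i]->labeled;
    labeled_mask = m;
}

int policy_load(const struct policy *p)
{
    for (size_t i = 0; i < MAX_POLICIES; i++)
        if (loaded[i] == NULL) { loaded[i] = p; recalc_mask(); return 0; }
    return -1;                  /* table full */
}

int policy_unload(const struct policy *p)
{
    for (size_t i = 0; i < MAX_POLICIES; i++)
        if (loaded[i] == p) { loaded[i] = NULL; recalc_mask(); return 0; }
    return -1;                  /* not loaded */
}

/* Object-creation path: 0 means skip label allocation entirely. */
int object_needs_label(uint32_t type) { return (labeled_mask & type) != 0; }
uint32_t current_mask(void) { return labeled_mask; }
```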