FreeBSD and MAC

Robert Watson rwatson at FreeBSD.org
Tue Mar 17 10:02:28 PDT 2009


On Sat, 7 Mar 2009, Zahemszky Gábor wrote:

> I have two simple questions about the Mandatory Access Control framework of 
> FreeBSD:
>
> a) What has happened to the SEBSD module? When will it be available (or will 
> it be at all) in the system (or can I find one for an up-to-date kernel: 7.x 
> or up)?
>
> b) When will "options MAC" be in the GENERIC kernel, or why not? (I 
> think more people can test the MAC modules if they don't need to configure a 
> kernel for it.)

Dear Gábor:

Right now no one is maintaining the SEBSD module; this is unfortunate, but 
largely a property of people having enough time.  If this is something you can 
contribute to (or anyone else who's interested), I'm happy to provide pointers 
and advice.  Most of the MAC Framework dependencies for SEBSD were merged back 
into the base tree, but it would need quite a bit of adaptation to move 
forward to FreeBSD 7/8.  Also, SEBSD uses what are now quite old SELinux parts, 
so those would also need updating (although I guess that isn't required). 
Feel free to ask questions here, or on the trustedbsd-discuss mailing list.

"options MAC" is believed to cause a significant performance loss on 7.x and 
earlier; we're currently working to address that with the hope of shipping 
"options MAC" in GENERIC starting with FreeBSD 8.0.  I've not re-benchmarked 
in a few months but we've merged a number of improvements that should be 
getting us close.  For example, whereas previously MAC automatically allocated 
memory to hold security labels for objects, now it only allocates memory when 
policies are registered that specifically require labels on those object 
types.  On a similar note, the locking for the MAC Framework itself has been 
significantly optimized over the last few weeks to lower overhead, and there 
are more changes in the works.  We'll probably pause and take stock sometime 
in the next month and see what performance regressions remain.

Robert N M Watson
Computer Laboratory
University of Cambridge
