[Path-based filesystem MAC Policy] Status report

[Alan Alvarez]

The main goal of this project is to extend the existing ugidfw
(bsdextended) MAC policy to allow for path-based rules.

I've run into some dead ends with the design approaches I've taken
before. However, I think I've come to a final design that works and is
simple.

Before, I resolving the path entered in a rule and acquiring the
vnode's filesystem id and inode number. Then, comparing those when a
rule needed to be checked against a vnode.
Instead, what I'm doing now is saving the full path when it is entered
into the rule with the use of realpath(3) from userland. Then, when
the rule needs to be checked I'm using vn_fullpath_global.

Although I'm mostly done with the code for this, I'm running into what
appears to be some locking issues.

This week I plan to work those issues out. After that what will be
done is to write test cases and extend the documentation.

-- 
regards,

Alan Alvarez