MAC kernel option
Robert Watson
rwatson at FreeBSD.org
Sun Sep 18 12:21:17 GMT 2005
On Sun, 18 Sep 2005, Christian S.J. Peron wrote:
> I think it's about time we added the MAC kernel option to FreeBSD's
> GENERIC kernel, what do other people think?
>
> Even if it is commented out:
>
> # Build the Mandatory Access Control (MAC) framework
> # options MAC
For the time being, I think leaving it off by default is the right thing
to do. There are a few performance issues we'll want to consider
carefully:

(1) Right now, we automatically allocate label storage for four policies
on most system objects if MAC is compiled in. This isn't a huge
amount of memory (4 pointers plus one flags field), and it is zone
allocated, but this is still a non-trivial overhead. We don't do this
for mbufs unless requested by an active policy, but it's still
measurable.

(2) Right now we assume dynamic policy loading and unloading is allowed,
and so we take a locking overhead to maintain the dynamic policy list.

I think your merging of MAC kernel configurations to sys/*/conf, based on
GENERIC, is the right thing to do in the meantime while we consider these
issues.

Robert N M Watson