Poll for users: mac_partition and mac_ifoff policies

Robert Watson rwatson at FreeBSD.org
Sat Jul 8 10:16:01 UTC 2006


Dear all,

I'm currently in the process of reviewing the use of the MAC Framework in 
FreeBSD, following meetings at the developer summit about proposed 
simplifications and enhancements.  One of the on-going concerns I have had is 
that several of the policies we ship are reference implementation policies, 
rather than reference user policies:

mac_ifoff	- Interface silencing
mac_partition	- Process space partitions
mac_stub	- Stub MAC policy entry points
mac_test	- Invariants testing

While mac_stub and mac_test are both extremely useful for developers as 
shipped, it's not clear to me that mac_ifoff and mac_partition offer 
significantly similar value, and as they are reference policies rather than 
production policies, my leaning is to provide them as downloads on the 
TrustedBSD web site and via p4, but to not ship them with FreeBSD 7.0.  So 
this e-mail is to poll to see if anyone is currently using the mac_ifoff and 
mac_partition policies in production, and would object on those grounds to 
shipping them separately from the base OS.

Robert N M Watson
Computer Laboratory
University of Cambridge

