From owner-freebsd-security@FreeBSD.ORG Tue Mar 17 17:02:27 2009
Date: Tue, 17 Mar 2009 17:02:27 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Zahemszky Gábor
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD and MAC
In-Reply-To: <20090307183701.4b42830e@Picasso.Zahemszky.HU>

On Sat, 7 Mar 2009, Zahemszky Gábor wrote:

> I have two simple questions about the Mandatory Access Control framework of
> FreeBSD:
>
> a) What has happened with the SEBSD module? When will it be available (or
> will it be at all) in the system (or can I find one for an up-to-date
> kernel: 7.x or up)?
>
> b) When will "options MAC" be in the GENERIC kernel, or why not? (I think
> more people can test the MAC modules if they don't need to configure a
> kernel for it.)

Dear Gábor:

Right now no one is maintaining the SEBSD module; this is unfortunate, but
largely a property of people having enough time. If this is something you can
contribute to (or anyone else who's interested), I'm happy to provide pointers
and advice. Most of the MAC Framework dependencies for SEBSD were merged back
into the base tree, but it would need quite a bit of adaptation to move forward
to FreeBSD 7/8. Also, SEBSD uses what are now quite old SELinux parts, so those
would also need updating (although I guess that isn't required). Feel free to
ask questions here, or on the trustedbsd-discuss mailing list.

"options MAC" is believed to cause a significant performance loss on 7.x and
earlier; we're currently working to address that with the hope of shipping
"options MAC" in GENERIC starting with FreeBSD 8.0. I've not re-benchmarked in
a few months, but we've merged a number of improvements that should be getting
us close. For example, whereas previously MAC automatically allocated memory
to hold security labels for objects, now it only allocates memory when
policies are registered that specifically require labels on those object
types. On a similar note, the locking for the MAC Framework itself has been
significantly optimized over the last few weeks to lower overhead, and there
are more changes in the works. We'll probably pause and take stock sometime in
the next month and see what performance regressions remain.

Robert N M Watson
Computer Laboratory
University of Cambridge
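As an added illustration (not code from FreeBSD or from the MAC Framework, and not part of the original message), the following C model shows the allocation strategy Robert describes: policies register with a bitmask of the object types they label, and an object only receives label storage when some registered policy has asked for labels on that type. All type, function and policy names here are hypothetical, and the counters exist only so the difference between eager and lazy allocation can be measured.

```c
/*
 * Added example, not FreeBSD code: a toy model of "allocate labels only
 * when a registered policy needs them on that object type". Every name
 * below is hypothetical.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical object kinds, one bit each so they combine into masks. */
enum obj_type { OBJ_VNODE = 1u << 0, OBJ_SOCKET = 1u << 1, OBJ_PROC = 1u << 2 };

#define MAX_POLICIES 8

struct policy {
    const char *name;
    uint32_t    labeled_types;  /* bitmask of enum obj_type this policy labels */
};

/* Per-object label: one opaque slot per registered policy. */
struct label { uintptr_t slot[MAX_POLICIES]; };

struct object {
    enum obj_type type;
    struct label *label;        /* NULL when no policy labels this type */
};

static struct policy registered[MAX_POLICIES];
static int           npolicies;
static uint32_t      labeled_mask;  /* union of labeled_types over all policies */
static unsigned      label_allocs;  /* observable cost: label allocations made */

/* Forget all registered policies and reset the allocation counter. */
void mac_reset(void)
{
    memset(registered, 0, sizeof(registered));
    npolicies = 0;
    labeled_mask = 0;
    label_allocs = 0;
}

/* Register a policy and fold its label requirements into labeled_mask. */
bool mac_policy_register(const char *name, uint32_t labeled_types)
{
    if (npolicies == MAX_POLICIES)
        return false;
    registered[npolicies].name = name;
    registered[npolicies].labeled_types = labeled_types;
    npolicies++;
    labeled_mask |= labeled_types;
    return true;
}

static struct label *label_alloc(void)
{
    label_allocs++;
    return calloc(1, sizeof(struct label));
}

/* Old scheme: every object carries a label whether or not any policy uses it. */
void object_init_eager(struct object *o, enum obj_type t)
{
    o->type = t;
    o->label = label_alloc();
}

/* New scheme: allocate only when a registered policy labels this type. */
void object_init_lazy(struct object *o, enum obj_type t)
{
    o->type = t;
    o->label = (labeled_mask & (uint32_t)t) ? label_alloc() : NULL;
}

void object_destroy(struct object *o)
{
    free(o->label);
    o->label = NULL;
}

/* Create and destroy a mix of objects; return how many labels were allocated. */
unsigned simulate(bool lazy, unsigned nvnodes, unsigned nsockets, unsigned nprocs)
{
    struct object o;
    unsigned counts[3] = { nvnodes, nsockets, nprocs };
    enum obj_type types[3] = { OBJ_VNODE, OBJ_SOCKET, OBJ_PROC };

    label_allocs = 0;
    for (int k = 0; k < 3; k++)
        for (unsigned i = 0; i < counts[k]; i++) {
            if (lazy) object_init_lazy(&o, types[k]);
            else      object_init_eager(&o, types[k]);
            object_destroy(&o);
        }
    return label_allocs;
}

int main(void)
{
    mac_reset();
    printf("no policies:   eager=%u lazy=%u\n",
           simulate(false, 1000, 200, 50), simulate(true, 1000, 200, 50));
    mac_policy_register("hypothetical_vnode_only", OBJ_VNODE);  /* constructed policy */
    printf("vnode policy:  eager=%u lazy=%u\n",
           simulate(false, 1000, 200, 50), simulate(true, 1000, 200, 50));
    return 0;
}
```

With no policies loaded the lazy path allocates nothing, and with a vnode-only policy it allocates exactly one label per vnode, which is where the saving over the eager scheme comes from. The model deliberately ignores the hard case: a policy that registers after objects already exist would find them unlabelled, so a real framework has to either label existing objects on registration or forbid late registration of labelling policies; the message does not say how FreeBSD handles that.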