Message-Id: <200211201541.gAKFfPtL081127@repoman.freebsd.org>
From: Robert Watson
Date: Wed, 20 Nov 2002 07:41:25 -0800 (PST)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/sys mac.h mac_policy.h proc.h src/sys/kern kern_exit.c kern_fork.c kern_mac.c
X-FreeBSD-CVS-Branch: HEAD

rwatson     2002/11/20 07:41:25 PST

  Modified files:
    sys/sys              mac.h mac_policy.h proc.h
    sys/kern             kern_exit.c kern_fork.c kern_mac.c
  Log:
  Introduce p_label, extensible security label storage for the MAC framework
  in struct proc.  While the process label is actually stored in the struct
  ucred pointed to by p_ucred, there is a need for transient storage that
  may be used when asynchronous (deferred) updates need to be performed on
  the "real" label for locking reasons.  Unlike other label storage, this
  label has no locking semantics, relying on policies to provide their own
  protection for the label contents, meaning that a policy leaf mutex may
  be used, avoiding lock order issues.
  This permits policies that act based on historical process behavior (such
  as audit policies, the MAC Framework port of LOMAC, etc.) to update process
  properties even when many existing locks are held without violating the
  lock order.  No currently committed policies implement use of this label
  storage.

  Approved by:    re
  Obtained from:  TrustedBSD Project
  Sponsored by:   DARPA, Network Associates Laboratories

  Revision  Changes    Path
  1.185     +5 -0      src/sys/kern/kern_exit.c
  1.174     +5 -0      src/sys/kern/kern_fork.c
  1.69      +25 -1     src/sys/kern/kern_mac.c
  1.32      +2 -0      src/sys/sys/mac.h
  1.33      +2 -0      src/sys/sys/mac_policy.h
  1.280     +2 -0      src/sys/sys/proc.h
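
The deferred-update pattern the log message describes, as an added user-space model in C (not FreeBSD kernel code and not part of the original commit): a hook that runs with another lock held records the change in the transient p_label under a policy leaf mutex, and a later call applies it to the label held in the credential. The label fields, proc_mtx, policy_mtx and both function names are assumptions made for illustration.

```c
/* Added user-space model, not FreeBSD code; all names below are hypothetical. */
#include <pthread.h>
#include <stdio.h>

enum { GRADE_LOW, GRADE_HIGH };              /* constructed integrity grades */
struct label { int grade; int pending; };    /* policy-private label data */
struct ucred { struct label cr_label; };     /* carries the "real" label */
struct proc  { struct ucred *p_ucred; struct label p_label; };
static pthread_mutex_t proc_mtx = PTHREAD_MUTEX_INITIALIZER;   /* some existing lock */
static pthread_mutex_t policy_mtx = PTHREAD_MUTEX_INITIALIZER; /* policy leaf mutex */

/* Caller already holds proc_mtx: only record the wanted change in p_label. */
void policy_note_low_read(struct proc *p)
{
    pthread_mutex_lock(&policy_mtx);         /* leaf: no lock is taken after it */
    p->p_label.grade = GRADE_LOW;
    p->p_label.pending = 1;
    pthread_mutex_unlock(&policy_mtx);
}

/* Caller holds no locks: apply a pending change; returns 1 if label replaced. */
int policy_apply_deferred(struct proc *p, struct ucred *newcred)
{
    struct label want;
    pthread_mutex_lock(&policy_mtx);
    want = p->p_label;
    p->p_label.pending = 0;
    pthread_mutex_unlock(&policy_mtx);       /* dropped before proc_mtx is taken */
    if (!want.pending)
        return 0;
    pthread_mutex_lock(&proc_mtx);
    *newcred = *p->p_ucred;                  /* old credential stays unmodified */
    newcred->cr_label.grade = want.grade;
    p->p_ucred = newcred;
    pthread_mutex_unlock(&proc_mtx);
    return 1;
}

int main(void)
{
    struct ucred c0 = { { GRADE_HIGH, 0 } }, c1;
    struct proc p = { &c0, { GRADE_HIGH, 0 } };
    pthread_mutex_lock(&proc_mtx);           /* as if inside an access check */
    policy_note_low_read(&p);
    pthread_mutex_unlock(&proc_mtx);
    int applied = policy_apply_deferred(&p, &c1);
    printf("applied=%d grade=%d\n", applied, p.p_ucred->cr_label.grade);
    return 0;
}
```

In the model the only nesting is proc_mtx then policy_mtx; the apply step releases the leaf mutex before it takes proc_mtx, so the order is never reversed.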