From: Edward Tomasz Napierala Date: Sat, 25 Jul 2015 15:56:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r285873 - in head: lib/libc/posix1e share/man/man4 share/man/man9 X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Jul 2015 15:56:55 -0000 Author: trasz Date: Sat Jul 25 15:56:49 2015 New Revision: 285873 URL: https://svnweb.freebsd.org/changeset/base/285873 Log: Update Capsicum and Mandatory Access Control manual pages to no longer claim they are experimental. Reviewed by: rwatson@, wblock@ MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D2985 Modified: head/lib/libc/posix1e/mac.3 head/lib/libc/posix1e/mac.conf.5 head/share/man/man4/capsicum.4 head/share/man/man4/mac.4 head/share/man/man4/mac_ifoff.4 head/share/man/man4/mac_mls.4 head/share/man/man4/mac_none.4 head/share/man/man4/mac_partition.4 head/share/man/man4/mac_seeotheruids.4 head/share/man/man4/mac_stub.4 head/share/man/man4/mac_test.4 head/share/man/man4/procdesc.4 head/share/man/man9/mac.9 Modified: head/lib/libc/posix1e/mac.3 ============================================================================== --- head/lib/libc/posix1e/mac.3 Sat Jul 25 15:00:14 2015 (r285872) +++ head/lib/libc/posix1e/mac.3 Sat Jul 25 15:56:49 2015 (r285873) @@ -31,7 +31,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 7, 2009 +.Dd July 25, 2015 .Dt MAC 3 .Os .Sh NAME 
@@ -163,14 +163,3 @@ Support for Mandatory Access Control was as part of the .Tn TrustedBSD Project. -.Sh BUGS -The -.Tn TrustedBSD -MAC Framework and associated policies, interfaces, and -applications are considered to be an experimental feature in -.Fx . -Sites considering production deployment should keep the experimental -status of these services in mind during any deployment process. -See also -.Xr mac 9 -for related considerations regarding the kernel framework. Modified: head/lib/libc/posix1e/mac.conf.5 ============================================================================== --- head/lib/libc/posix1e/mac.conf.5 Sat Jul 25 15:00:14 2015 (r285872) +++ head/lib/libc/posix1e/mac.conf.5 Sat Jul 25 15:56:49 2015 (r285873) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd April 19, 2003 +.Dd July 25, 2015 .Dt MAC.CONF 5 .Os .Sh NAME @@ -110,14 +110,3 @@ Support for Mandatory Access Control was as part of the .Tn TrustedBSD Project. -.Sh BUGS -The -.Tn TrustedBSD -MAC Framework and associated policies, interfaces, and -applications are considered to be an experimental feature in -.Fx . -Sites considering production deployment should keep the experimental -status of these services in mind during any deployment process. -See also -.Xr mac 9 -for related considerations regarding the kernel framework. Modified: head/share/man/man4/capsicum.4 ============================================================================== --- head/share/man/man4/capsicum.4 Sat Jul 25 15:00:14 2015 (r285872) +++ head/share/man/man4/capsicum.4 Sat Jul 25 15:56:49 2015 (r285873) @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 19, 2013 +.Dd July 25, 2015 .Dt CAPSICUM 4 .Os .Sh NAME 
@@ -125,7 +125,3 @@ and .An Kris Kennaway Aq Mt kris@FreeBSD.org at Google, Inc., and .An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net . -.Sh BUGS -.Nm -is considered experimental in -.Fx . Modified: head/share/man/man4/mac.4 ============================================================================== --- head/share/man/man4/mac.4 Sat Jul 25 15:00:14 2015 (r285872) +++ head/share/man/man4/mac.4 Sat Jul 25 15:56:49 2015 (r285873) @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 30, 2007 +.Dd July 25, 2015 .Dt MAC 4 .Os .Sh NAME @@ -239,14 +239,6 @@ under DARPA/SPAWAR contract N66001-01-C- .Pq Dq CBOSS , as part of the DARPA CHATS research program. .Sh BUGS -See -.Xr mac 9 -concerning appropriateness for production use. -The -.Tn TrustedBSD -MAC Framework is considered experimental in -.Fx . -.Pp While the MAC Framework design is intended to support the containment of the root user, not all attack channels are currently protected by entry point checks. Modified: head/share/man/man4/mac_ifoff.4 ============================================================================== --- head/share/man/man4/mac_ifoff.4 Sat Jul 25 15:00:14 2015 (r285872) +++ head/share/man/man4/mac_ifoff.4 Sat Jul 25 15:56:49 2015 (r285873) @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 10, 2002 +.Dd July 25, 2015 .Dt MAC_IFOFF 4 .Os .Sh NAME 
@@ -118,14 +118,6 @@ under DARPA/SPAWAR contract N66001-01-C- .Pq Dq CBOSS , as part of the DARPA CHATS research program. .Sh BUGS -See -.Xr mac 9 -concerning appropriateness for production use. -The -.Tn TrustedBSD -MAC Framework is considered experimental in -.Fx . -.Pp While the MAC Framework design is intended to support the containment of the root user, not all attack channels are currently protected by entry point checks. Modified: head/share/man/man4/mac_mls.4 ============================================================================== --- head/share/man/man4/mac_mls.4 Sat Jul 25 15:00:14 2015 (r285872) +++ head/share/man/man4/mac_mls.4 Sat Jul 25 15:56:49 2015 (r285873) @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 1, 2002 +.Dd July 25, 2015 .Dt MAC_MLS 4 .Os .Sh NAME @@ -236,14 +236,6 @@ Inc.\& under DARPA/SPAWAR contract N6600 .Pq Dq CBOSS , as part of the DARPA CHATS research program. .Sh BUGS -See -.Xr mac 9 -concerning appropriateness for production use. -The -.Tn TrustedBSD -MAC Framework is considered experimental in -.Fx . -.Pp While the MAC Framework design is intended to support the containment of the root user, not all attack channels are currently protected by entry point checks. Modified: head/share/man/man4/mac_none.4 ============================================================================== --- head/share/man/man4/mac_none.4 Sat Jul 25 15:00:14 2015 (r285872) +++ head/share/man/man4/mac_none.4 Sat Jul 25 15:56:49 2015 (r285873) @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 1, 2002 +.Dd July 25, 2015 .Dt MAC_NONE 4 .Os .Sh NAME 
@@ -98,14 +98,6 @@ under DARPA/SPAWAR contract N66001-01-C- .Pq Dq CBOSS , as part of the DARPA CHATS research program. .Sh BUGS -See -.Xr mac 9 -concerning appropriateness for production use. -The -.Tn TrustedBSD -MAC Framework is considered experimental in -.Fx . -.Pp While the MAC Framework design is intended to support the containment of the root user, not all attack channels are currently protected by entry point checks. Modified: head/share/man/man4/mac_partition.4 ============================================================================== --- head/share/man/man4/mac_partition.4 Sat Jul 25 15:00:14 2015 (r285872) +++ head/share/man/man4/mac_partition.4 Sat Jul 25 15:56:49 2015 (r285873) @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 9, 2002 +.Dd July 25, 2015 .Dt MAC_PARTITION 4 .Os .Sh NAME @@ -118,14 +118,6 @@ under DARPA/SPAWAR contract N66001-01-C- .Pq Dq CBOSS , as part of the DARPA CHATS research program. .Sh BUGS -See -.Xr mac 9 -concerning appropriateness for production use. -The -.Tn TrustedBSD -MAC Framework is considered experimental in -.Fx . -.Pp While the MAC Framework design is intended to support the containment of the root user, not all attack channels are currently protected by entry point checks. Modified: head/share/man/man4/mac_seeotheruids.4 ============================================================================== --- head/share/man/man4/mac_seeotheruids.4 Sat Jul 25 15:00:14 2015 (r285872) +++ head/share/man/man4/mac_seeotheruids.4 Sat Jul 25 15:56:49 2015 (r285873) @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 6, 2005 +.Dd July 25, 2015 .Dt MAC_SEEOTHERUIDS 4 .Os .Sh NAME 
@@ -116,14 +116,6 @@ under DARPA/SPAWAR contract N66001-01-C- .Pq Dq CBOSS , as part of the DARPA CHATS research program. .Sh BUGS -See -.Xr mac 9 -concerning appropriateness for production use. -The -.Tn TrustedBSD -MAC Framework is considered experimental in -.Fx . -.Pp While the MAC Framework design is intended to support the containment of the root user, not all attack channels are currently protected by entry point checks. Modified: head/share/man/man4/mac_stub.4 ============================================================================== --- head/share/man/man4/mac_stub.4 Sat Jul 25 15:00:14 2015 (r285872) +++ head/share/man/man4/mac_stub.4 Sat Jul 25 15:56:49 2015 (r285873) @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 1, 2002 +.Dd July 25, 2015 .Dt MAC_STUB 4 .Os .Sh NAME @@ -101,14 +101,6 @@ under DARPA/SPAWAR contract N66001-01-C- .Pq Dq CBOSS , as part of the DARPA CHATS research program. .Sh BUGS -See -.Xr mac 9 -concerning appropriateness for production use. -The -.Tn TrustedBSD -MAC Framework is considered experimental in -.Fx . -.Pp While the MAC Framework design is intended to support the containment of the root user, not all attack channels are currently protected by entry point checks. Modified: head/share/man/man4/mac_test.4 ============================================================================== --- head/share/man/man4/mac_test.4 Sat Jul 25 15:00:14 2015 (r285872) +++ head/share/man/man4/mac_test.4 Sat Jul 25 15:56:49 2015 (r285873) @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 1, 2002 +.Dd July 25, 2015 .Dt MAC_TEST 4 .Os .Sh NAME 
@@ -102,14 +102,6 @@ under DARPA/SPAWAR contract N66001-01-C- .Pq Dq CBOSS , as part of the DARPA CHATS research program. .Sh BUGS -See -.Xr mac 9 -concerning appropriateness for production use. -The -.Tn TrustedBSD -MAC Framework is considered experimental in -.Fx . -.Pp While the MAC Framework design is intended to support the containment of the root user, not all attack channels are currently protected by entry point checks. Modified: head/share/man/man4/procdesc.4 ============================================================================== --- head/share/man/man4/procdesc.4 Sat Jul 25 15:00:14 2015 (r285872) +++ head/share/man/man4/procdesc.4 Sat Jul 25 15:56:49 2015 (r285873) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 21, 2013 +.Dd July 25, 2015 .Dt PROCDESC 4 .Os .Sh NAME @@ -85,7 +85,3 @@ at the University of Cambridge, and and .An Kris Kennaway Aq Mt kris@FreeBSD.org at Google, Inc. -.Sh BUGS -.Nm -is considered experimental in -.Fx . Modified: head/share/man/man9/mac.9 ============================================================================== --- head/share/man/man9/mac.9 Sat Jul 25 15:00:14 2015 (r285872) +++ head/share/man/man9/mac.9 Sat Jul 25 15:56:49 2015 (r285873) @@ -33,7 +33,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 10, 2006 +.Dd July 25, 2015 .Dt MAC 9 .Os .Sh NAME 
@@ -62,14 +62,6 @@ opportunity to modify security behavior Both consumers of the API (normal kernel services) and security modules must be aware of the semantics of the API calls, particularly with respect to synchronization primitives (such as locking). -.Ss Note on Appropriateness for Production Use -The -.Tn TrustedBSD -MAC Framework included in -.Fx 5.0 -is considered experimental, and should not be deployed in production -environments without careful consideration of the risks associated with -the use of experimental operating system features. .Ss Kernel Objects Supported by the Framework The MAC framework manages labels on a variety of types of in-kernel objects, including process credentials, vnodes, devfs_dirents, mount @@ -232,13 +224,6 @@ Additional contributors include: and .An Tim Robbins . .Sh BUGS -See the earlier section in this document concerning appropriateness -for production use. -The -.Tn TrustedBSD -MAC Framework is considered experimental in -.Fx . -.Pp While the MAC Framework design is intended to support the containment of the root user, not all attack channels are currently protected by entry point checks.
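Review bot: In the mac.3 hunk (@@ -163,14 +163,3) and the mac.conf.5 hunk (@@ -110,14 +110,3), deleting the whole .Sh BUGS section also deletes the ".Xr mac 9" pointer "for related considerations regarding the kernel framework". The experimental wording is what the log sets out to remove, but mac.4 and mac.9 keep a BUGS paragraph saying that not all attack channels are protected by entry point checks, and readers of the library and configuration pages lose their only visible link to it. If mac(9) or mac(4) is not already listed under SEE ALSO in these two files, consider adding it there, or keep a one-line BUGS entry that refers to mac(4).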
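Review bot: In the mac.9 hunk at @@ -62,14 +62,6, removing the ".Ss Note on Appropriateness for Production Use" subsection leaves any page that still says "See .Xr mac 9 concerning appropriateness for production use" pointing at text that no longer exists. The Modified list covers mac_ifoff, mac_mls, mac_none, mac_partition, mac_seeotheruids, mac_stub and mac_test, but not the other policy pages such as mac_biba.4, mac_bsdextended.4, mac_lomac.4 or mac_portacl.4. Please grep share/man/man4 for "appropriateness for production use" and "considered experimental", and fold any remaining hits into this change or the MFC.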