Date: Wed, 6 Jul 2011 02:06:15 -0400
From: Alan Alvarez <aalvarez@aliensoft.net>
To: soc-status@freebsd.org
Subject: [Path-based filesystem MAC Policy] Status report
Message-ID: <CACwxvb=a9o9XGTDEpeONB30gEEpd2Px0bWJUb0Lruys248W83w@mail.gmail.com>
The main goal of this project is to extend the existing ugidfw (bsdextended) MAC policy to allow for path-based rules.

I've run into some dead ends with the design approaches I've taken before. However, I think I've come to a final design that works and is simple. Before, I was resolving the path entered in a rule and acquiring the vnode's filesystem id and inode number, then comparing those when a rule needed to be checked against a vnode. Instead, what I'm doing now is saving the full path when it is entered into the rule with the use of realpath(3) from userland. Then, when the rule needs to be checked, I'm using vn_fullpath_global.

Although I'm mostly done with the code for this, I'm running into what appears to be some locking issues. This week I plan to work those issues out. After that, what will be done is to write test cases and extend the documentation.

--
regards,
Alan Alvarez
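
A userland sketch of the difference between the two designs described in the message, added here as an illustration; it is not the author's code or the bsdextended source. realpath(3) stands in for the kernel's vn_fullpath_global, and the function names and temporary files are assumptions constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Current design: compare the object's canonical path with the path stored in
 * the rule. realpath(3) stands in here for the kernel's vn_fullpath_global. */
static int match_by_path(const char *rule_path, const char *object) {
    char buf[PATH_MAX];
    return realpath(object, buf) != NULL && strcmp(buf, rule_path) == 0;
}

/* Earlier design: compare the filesystem id and inode number saved in the rule. */
static int match_by_inode(const struct stat *rule_id, const char *object) {
    struct stat st;
    return stat(object, &st) == 0 &&
           st.st_dev == rule_id->st_dev && st.st_ino == rule_id->st_ino;
}

/* Constructed fixture: target, a symlink and a hard link to it; target is then
 * replaced by a new file. Returns a bitmask of matches, -1 on setup failure:
 * 1 path/symlink, 2 path/hardlink, 4 inode/symlink, 8 inode/hardlink,
 * 16 path/replaced target, 32 inode/replaced target. */
static int run_demo(void) {
    char dir[] = "/tmp/pathrule.XXXXXX";
    char t[PATH_MAX], s[PATH_MAX], h[PATH_MAX], n[PATH_MAX], rule[PATH_MAX];
    struct stat id;
    FILE *f;
    int r = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(t, sizeof t, "%s/target", dir); snprintf(s, sizeof s, "%s/sym", dir);
    snprintf(h, sizeof h, "%s/hard", dir);   snprintf(n, sizeof n, "%s/new", dir);
    if ((f = fopen(t, "w")) != NULL && fclose(f) == 0 && symlink(t, s) == 0 &&
        link(t, h) == 0 && realpath(t, rule) != NULL && stat(t, &id) == 0) {
        r = match_by_path(rule, s) | (match_by_path(rule, h) << 1) |
            (match_by_inode(&id, s) << 2) | (match_by_inode(&id, h) << 3);
        if ((f = fopen(n, "w")) != NULL && fclose(f) == 0 && rename(n, t) == 0)
            r |= (match_by_path(rule, t) << 4) | (match_by_inode(&id, t) << 5);
    }
    unlink(s); unlink(h); unlink(t); unlink(n); rmdir(dir);
    return r;
}

int main(void) {
    printf("match mask: %d\n", run_demo());
    return 0;
}
```

In this userland model the path rule follows the name (the symlink and the replaced file match, the hard link under another name does not), while the filesystem id and inode rule follows the object (both links match, the replacement file does not).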