From: Alan Alvarez
Date: Wed, 6 Jul 2011 02:06:15 -0400
To: soc-status@freebsd.org
Subject: [Path-based filesystem MAC Policy] Status report
List-Id: Summer of Code Status Reports and Discussion

The main goal of this project is to extend the existing ugidfw (bsdextended) MAC policy to allow for path-based rules. I've run into some dead ends with the design approaches I've taken before. However, I think I've come to a final design that works and is simple. Before, I was resolving the path entered in a rule and acquiring the vnode's filesystem id and inode number, then comparing those when a rule needed to be checked against a vnode. Instead, what I'm doing now is saving the full path when it is entered into the rule with the use of realpath(3) from userland. Then, when the rule needs to be checked, I'm using vn_fullpath_global.
Although I'm mostly done with the code for this, I'm running into what appears to be some locking issues. This week I plan to work those issues out. After that, what will be done is to write test cases and extend the documentation.

--
regards,
Alan Alvarez