Date: Sat, 23 Aug 2008 15:26:36 +0000 (UTC)
From: Robert Watson <rwatson@FreeBSD.org>
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/conf options src/sys/kern kern_exec.c src/sys/security/mac mac_framework.c mac_framework.h mac_inet.c mac_internal.h mac_net.c mac_pipe.c mac_policy.h mac_posix_sem.c mac_posix_shm.c mac_process.c mac_socket.c mac_syscalls.c ...
Message-ID: <200808231527.m7NFRamg010570@repoman.freebsd.org>
rwatson     2008-08-23 15:26:36 UTC

  FreeBSD src repository

  Modified files:
    sys/conf                     options
    sys/kern                     kern_exec.c
    sys/security/mac             mac_framework.c mac_framework.h mac_inet.c
                                 mac_internal.h mac_net.c mac_pipe.c
                                 mac_policy.h mac_posix_sem.c mac_posix_shm.c
                                 mac_process.c mac_socket.c mac_syscalls.c
                                 mac_sysv_msg.c mac_sysv_sem.c mac_sysv_shm.c
                                 mac_vfs.c
    sys/security/mac_biba        mac_biba.c
    sys/security/mac_bsdextended mac_bsdextended.c
    sys/security/mac_ifoff       mac_ifoff.c
    sys/security/mac_lomac       mac_lomac.c
    sys/security/mac_mls         mac_mls.c
    sys/security/mac_none        mac_none.c
    sys/security/mac_partition   mac_partition.c
    sys/security/mac_portacl     mac_portacl.c
    sys/security/mac_seeotheruids mac_seeotheruids.c
    sys/security/mac_stub        mac_stub.c
    sys/security/mac_test        mac_test.c

  Log:
  SVN rev 182063 on 2008-08-23 15:26:36Z by rwatson

  Introduce two related changes to the TrustedBSD MAC Framework:

  (1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
      so that the general exec code isn't aware of the details of
      allocating, copying, and freeing labels, rather, simply passes in
      a void pointer to start and stop functions that will be used by
      the framework.  This change will be MFC'd.

  (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
      allowing policies to declare which types of objects require label
      allocation, initialization, and destruction, and define a set of
      flags covering various supported object types (MPC_OBJECT_PROC,
      MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...).  This change reduces the
      overhead of compiling the MAC Framework into the kernel if policies
      aren't loaded, or if policies require labels on only a small number
      or even no object types.  Each time a policy is loaded or unloaded,
      we recalculate a mask of labeled object types across all policies
      present in the system.

  Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required.

  MFC after:      1 week ((1) only)
  Reviewed by:    csjp
  Obtained from:  TrustedBSD Project
  Sponsored by:   Apple, Inc.
  Revision  Changes    Path
  1.637     +0 -1      src/sys/conf/options
  1.322     +5 -7      src/sys/kern/kern_exec.c
  1.137     +15 -30    src/sys/security/mac/mac_framework.c
  1.101     +4 -6      src/sys/security/mac/mac_framework.h
  1.21      +46 -28    src/sys/security/mac/mac_inet.c
  1.125     +5 -3      src/sys/security/mac/mac_internal.h
  1.132     +34 -23    src/sys/security/mac/mac_net.c
  1.114     +8 -3      src/sys/security/mac/mac_pipe.c
  1.111     +37 -8     src/sys/security/mac/mac_policy.h
  1.15      +8 -3      src/sys/security/mac/mac_posix_sem.c
  1.2       +8 -3      src/sys/security/mac/mac_posix_shm.c
  1.123     +40 -6     src/sys/security/mac/mac_process.c
  1.12      +28 -11    src/sys/security/mac/mac_socket.c
  1.137     +28 -0     src/sys/security/mac/mac_syscalls.c
  1.11      +17 -6     src/sys/security/mac/mac_sysv_msg.c
  1.10      +8 -3      src/sys/security/mac/mac_sysv_sem.c
  1.9       +8 -3      src/sys/security/mac/mac_sysv_shm.c
  1.126     +25 -9     src/sys/security/mac/mac_vfs.c
  1.122     +21 -1     src/sys/security/mac_biba/mac_biba.c
  1.44      +1 -1      src/sys/security/mac_bsdextended/mac_bsdextended.c
  1.17      +1 -1      src/sys/security/mac_ifoff/mac_ifoff.c
  1.65      +21 -1     src/sys/security/mac_lomac/mac_lomac.c
  1.104     +21 -1     src/sys/security/mac_mls/mac_mls.c
  1.38      +1 -1      src/sys/security/mac_none/mac_none.c
  1.24      +26 -7     src/sys/security/mac_partition/mac_partition.c
  1.19      +1 -1      src/sys/security/mac_portacl/mac_portacl.c
  1.19      +1 -1      src/sys/security/mac_seeotheruids/mac_seeotheruids.c
  1.84      +22 -1     src/sys/security/mac_stub/mac_stub.c
  1.99      +22 -1     src/sys/security/mac_test/mac_test.c
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200808231527.m7NFRamg010570>
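Added illustration of change (2) in the log above, the per-object-type label mask. This is a small userland C model written for this page, not code from FreeBSD or from this commit: the MPC_OBJECT_* names are the ones the log message cites, but their numeric values, the struct layout (mpc_name, mpc_labeled), the global mac_labeled, the function names and the two demo policies are all assumptions chosen to show the mechanism. It demonstrates how a framework recomputes the union of every loaded policy's flags on each load and unload, so that an object initialization path can skip label allocation entirely when no loaded policy wants labels on that object type.

```c
/*
 * Model of a "which object types need labels" mask, written for this page.
 * NOT FreeBSD's mac_framework.c: flag values, struct fields, globals and
 * function names are assumptions; only the MPC_OBJECT_* names come from the
 * commit log.
 */
#include <stdint.h>
#include <stdio.h>

/* Object types a policy may ask to have labeled (values assumed). */
#define MPC_OBJECT_PROC		0x0001ULL
#define MPC_OBJECT_VNODE	0x0002ULL
#define MPC_OBJECT_INPCB	0x0004ULL
#define MPC_OBJECT_SOCKET	0x0008ULL
#define MPC_OBJECT_MBUF		0x0010ULL
#define MPC_OBJECT_PIPE		0x0020ULL

#define MAC_MAX_POLICIES	8

struct mac_policy_conf {
	const char	*mpc_name;
	uint64_t	 mpc_labeled;	/* object types this policy labels */
};

static struct mac_policy_conf *mac_policy_list[MAC_MAX_POLICIES];
static uint64_t mac_labeled;	/* union of mpc_labeled over loaded policies */

/* Recompute the cached union; called on every policy load and unload. */
static void
mac_policy_update(void)
{
	int i;

	mac_labeled = 0;
	for (i = 0; i < MAC_MAX_POLICIES; i++)
		if (mac_policy_list[i] != NULL)
			mac_labeled |= mac_policy_list[i]->mpc_labeled;
}

/* Load a policy: 0 on success, -1 if already loaded or no slot is free. */
int
mac_policy_register(struct mac_policy_conf *mpc)
{
	int i;

	for (i = 0; i < MAC_MAX_POLICIES; i++)
		if (mac_policy_list[i] == mpc)
			return (-1);
	for (i = 0; i < MAC_MAX_POLICIES; i++) {
		if (mac_policy_list[i] == NULL) {
			mac_policy_list[i] = mpc;
			mac_policy_update();
			return (0);
		}
	}
	return (-1);
}

/* Unload a policy: 0 on success, -1 if it was not loaded. */
int
mac_policy_unregister(struct mac_policy_conf *mpc)
{
	int i;

	for (i = 0; i < MAC_MAX_POLICIES; i++) {
		if (mac_policy_list[i] == mpc) {
			mac_policy_list[i] = NULL;
			mac_policy_update();
			return (0);
		}
	}
	return (-1);
}

uint64_t
mac_labeled_mask(void)
{
	return (mac_labeled);
}

/*
 * The question an object-init path asks before paying for a label
 * allocation: does any loaded policy want labels on this object type?
 */
int
mac_object_needs_label(uint64_t objtype)
{
	return ((mac_labeled & objtype) != 0);
}

/* Two hypothetical policies (constructed for this demo). */
struct mac_policy_conf demo_mls_conf = {
	"demo_mls", MPC_OBJECT_PROC | MPC_OBJECT_VNODE | MPC_OBJECT_SOCKET
};
struct mac_policy_conf demo_partition_conf = {
	"demo_partition", MPC_OBJECT_PROC
};

int
main(void)
{
	mac_policy_register(&demo_mls_conf);
	mac_policy_register(&demo_partition_conf);
	printf("loaded both: mask=0x%04llx vnode needs label=%d inpcb=%d\n",
	    (unsigned long long)mac_labeled_mask(),
	    mac_object_needs_label(MPC_OBJECT_VNODE),
	    mac_object_needs_label(MPC_OBJECT_INPCB));
	mac_policy_unregister(&demo_mls_conf);
	printf("after unload: mask=0x%04llx vnode needs label=%d\n",
	    (unsigned long long)mac_labeled_mask(),
	    mac_object_needs_label(MPC_OBJECT_VNODE));
	return (0);
}
```

The point of recomputing the union rather than clearing bits on unload is that two policies may both claim the same object type; dropping one must not drop the bit the other still needs. In a real kernel the recompute and the readers of the mask would run under the framework's policy lock, which the model omits.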