Date: Thu, 9 Mar 2006 14:09:09 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Hiroki Sato <hrs@FreeBSD.org>
Cc: trustedbsd-discuss@FreeBSD.org
Subject: Re: question about MAC policy modules on 6.0
Message-ID: <20060309140712.L13591@fledge.watson.org>
In-Reply-To: <20060308.015844.98687889.hrs@allbsd.org>
References: <20060308.015844.98687889.hrs@allbsd.org>

On Wed, 8 Mar 2006, Hiroki Sato wrote:

> 4) mount_ufs(8) multilabel option
>
>   mount_ufs(8) has multilabel option for the MAC label, but it
>   seems broken ("tunefs -l enable" works, though).  I am not sure
>   the attached patch (the second one) is correct, but it should
>   fix this.

It's been a while since I've looked at this code, and have not had a chance to test your patch as yet. The desired behavior is that mount be able to report that multilabel is set on the file system, and request that it be set when mounting the file system, but that the flag cannot be changed while running. The cache model on vnode labels basically means we assume the underlying label storage won't change except through the supported MAC APIs, and the mechanisms are not in place to walk the current vnode list to re-synchronize if the backing store changes (i.e., is enabled).

So as long as your patch doesn't add the ability to modify the flag at run-time, it sounds good to me. In principle the kernel shouldn't allow it regardless of what mount requests, of course.

Robert N M Watson