From owner-cvs-src@FreeBSD.ORG Sun Apr 22 15:31:23 2007
Message-Id: <200704221531.l3MFVMUm050517@repoman.freebsd.org>
From: Robert Watson
Date: Sun, 22 Apr 2007 15:31:22 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/i386/i386 sys_machdep.c src/sys/kern kern_linker.c kern_time.c src/sys/nfsserver nfs_syscalls.c src/sys/security/mac mac_framework.h mac_policy.h mac_system.c src/sys/security/mac_biba mac_biba.c src/sys/security/mac_lomac ...
List-Id: CVS commit messages for the src tree

rwatson     2007-04-22 15:31:22 UTC

  FreeBSD src repository

  Modified files:
    sys/i386/i386            sys_machdep.c
    sys/kern                 kern_linker.c kern_time.c
    sys/nfsserver            nfs_syscalls.c
    sys/security/mac         mac_framework.h mac_policy.h mac_system.c
    sys/security/mac_biba    mac_biba.c
    sys/security/mac_lomac   mac_lomac.c
    sys/security/mac_stub    mac_stub.c
    sys/security/mac_test    mac_test.c
  Log:
  Remove MAC Framework access control check entry points made redundant with
  the introduction of priv(9) and MAC Framework entry points for privilege
  checking/granting.  These entry points exactly aligned with privileges and
  provided no additional security context:

  - mac_check_sysarch_ioperm()
  - mac_check_kld_unload()
  - mac_check_settime()
  - mac_check_system_nfsd()

  Add mpo_priv_check() implementations to Biba and LOMAC policies, which,
  for each privilege, determine if they can be granted to processes
  considered unprivileged by those two policies.  These mostly, but not
  entirely, align with the set of privileges granted in jails.

  Obtained from:  TrustedBSD Project

  Revision  Changes    Path
  1.108     +0 -5      src/sys/i386/i386/sys_machdep.c
  1.148     +0 -5      src/sys/kern/kern_linker.c
  1.140     +0 -14     src/sys/kern/kern_time.c
  1.114     +0 -8      src/sys/nfsserver/nfs_syscalls.c
  1.80      +0 -4      src/sys/security/mac/mac_framework.h
  1.88      +0 -8      src/sys/security/mac/mac_policy.h
  1.111     +16 -47    src/sys/security/mac/mac_system.c
  1.103     +179 -39   src/sys/security/mac_biba/mac_biba.c
  1.47      +192 -17   src/sys/security/mac_lomac/mac_lomac.c
  1.63      +0 -32     src/sys/security/mac_stub/mac_stub.c
  1.73      +0 -36     src/sys/security/mac_test/mac_test.c
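
Added example, not part of the commit and not FreeBSD source: a userspace C model of why one privilege-keyed policy hook can stand in for the four removed per-operation checks. The PRIV_* numbering, the struct cred fields, the pairing of each operation with a privilege, and the policy's decision table are all assumptions made for illustration; only the check (veto) side is modelled, not privilege granting.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed stand-ins for priv(9) privilege numbers; values are not FreeBSD's. */
enum priv { PRIV_IO = 1, PRIV_KLD_UNLOAD, PRIV_CLOCK_SETTIME, PRIV_NFS_DAEMON,
            PRIV_MODEL_HARMLESS /* hypothetical privilege the policy tolerates */ };

struct cred { int uid; int policy_privileged; /* model of a privileged label */ };
typedef int (*priv_check_fn)(const struct cred *, enum priv);

/* Model of a policy's mpo_priv_check(): one switch over privileges. */
static int model_policy_priv_check(const struct cred *cr, enum priv p)
{
    switch (p) {
    case PRIV_MODEL_HARMLESS:
        return 0;   /* may be held by subjects the policy considers unprivileged */
    default:
        return cr->policy_privileged ? 0 : EPERM;
    }
}

static priv_check_fn policies[] = { model_policy_priv_check };

/* Model of priv_check(): every policy may veto, then the base uid test applies. */
int model_priv_check(const struct cred *cr, enum priv p)
{
    for (size_t i = 0; i < sizeof(policies) / sizeof(policies[0]); i++) {
        int error = policies[i](cr, p);
        if (error != 0)
            return error;
    }
    return cr->uid == 0 ? 0 : EPERM;
}

/* The four operations named in the log; none needs a dedicated MAC hook here. */
int model_settime(const struct cred *cr)    { return model_priv_check(cr, PRIV_CLOCK_SETTIME); }
int model_kld_unload(const struct cred *cr) { return model_priv_check(cr, PRIV_KLD_UNLOAD); }
int model_ioperm(const struct cred *cr)     { return model_priv_check(cr, PRIV_IO); }
int model_nfsd(const struct cred *cr)       { return model_priv_check(cr, PRIV_NFS_DAEMON); }

int main(void)
{
    struct cred root_low = { 0, 0 };   /* uid 0, but unprivileged to the policy */
    return model_settime(&root_low) == EPERM ? 0 : 1;
}
```

In this model a uid 0 process that the policy treats as unprivileged is refused all four operations through the single hook, which is the property the dedicated entry points used to provide.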