From: Robert Watson
Date: Wed, 24 Oct 2007 00:09:46 +0100 (BST)
To: current@FreeBSD.org
Cc: trustedbsd-discuss@TrustedBSD.org
Subject: MAC Framework KPI changes on the way in 8-CURRENT
Message-ID: <20071023235444.E70336@fledge.watson.org>

Dear all,

Per prior e-mail on trustedbsd-discuss (a rather long time ago) I'll be introducing a set of interface changes for the TrustedBSD MAC Framework in 8-CURRENT. These synchronize the MAC Framework KPI, at least to some extent, with the MAC Framework in Mac OS X, and are based on cleanup work I did for SPARTA a year or two ago.

It will require updating all policy modules, although source updates can be performed mechanically with a set of regexp's in most cases. All policies shipped with the base OS will be updated as part of the commits. It will go in in a couple of phases, beginning with normalizing entry point names.
I'll post regexp's to trustedbsd-discuss in a few days once it's all sorted through.

I realize this is somewhat disruptive for policy maintainers, and apologize for that. However, the new naming scheme is both significantly more sensible than the old one (which was evolved rather than designed), and also will allow us to more easily make use of Mac OS X security policy modules that may be made available as open source. If you are a policy maintainer and have any trouble getting over the bump, please let me know and I'll be happy to lend a hand.

I had hoped to get these changes in for 7.x, but due to some rather unfortunate timing of things outside the FreeBSD world, that was not possible.

This will be, FYI, version 4 of the MAC Framework ABI/API in FreeBSD. Policies compiled against the old version will be rejected by the kernel at load-time.

Robert N M Watson
Computer Laboratory
University of Cambridge