Date: Sun, 2 May 2004 10:48:32 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 52083 for review Message-ID: <200405021748.i42HmWAv022673@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=52083 Change 52083 by rwatson@rwatson_paprika on 2004/05/02 10:47:40 Various updates: add new items, upgrade/downgrade items in priority list, remove completed or OBE items. Affected files ... .. //depot/projects/trustedbsd/mac/MERGE#5 edit Differences ... ==== //depot/projects/trustedbsd/mac/MERGE#5 (text+ko) ==== @@ -3,9 +3,28 @@ devfs changes to pass complete paths of objects into MAC Framework for label initialization. - LOMAC fixes + System V IPC, POSIX Semaphore ABI changes to avoid sharing user + and kernel structures. Probably need to remove module unload + changes for now. + + System V IPC, POSIX Sempahore MAC changes to permit labeling + and access control by MAC policies. + + ipcs(1) label support. + + MAC_STATIC to optimize performance by removing locking that + supports dynamic policy changes, limiting the system to + statically loaded policies. + + Removal of redundant suser check in kern_xxx.c + + NFS client credential fixes. + + Use inpcb in preference to socket as label source where possible + in netinet. This helps to avoid the need for socket label + locking in a number of important cases. - mac_test assertion updates + id(1) label support. Consider to merge TODO: @@ -13,18 +32,12 @@ pseudofs uses MNT_MULTILABEL always. - SAVESTART flag in kern_exec.c - mac_update_mbuf_from_cipso() - Removal of redundant suser check in kern_xxx.c - sppp MAC support ppp MAC support - NFS client credential fixes. - Biba/MLS sequential compartment set support. FFS resilience improvements for EA support @@ -33,17 +46,41 @@ bsd_add_rule in libugidfw - tty labeling - setfsmac in /sbin fsck_ffs ea support direct exec of rc - security as a directory in /etc + acl.9 expansions + + ls(1) labels without long form + + mac_support.4 man page showing what is (and isn't) supported + with MAC. + + sysinstall(8) support for multi-label file systems. + +Probably not to merge, at least not in current form: + + security as a directory in /etc (note: mergemaster handles this + poorly). + + Use multilabel md file systems in the diskless environment. + + rc executable so that there's the possibility of a domain + transition from init. + + tty labeling in login(1)/login.conf(5), init(8). + + Build a MAC kernel by default, include in installs/releases. + + setfsmac(8) reference in sbin rather than usr/sbin. - acl.9 expansions + SAVESTART flag in kern_exec.c -- is this needed? + missingops? + truss(1) hexdump support? + inetd(8) resource limits and labels improvements.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200405021748.i42HmWAv022673>