From: Robert Watson
Date: Sat, 23 Aug 2008 15:26:36 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Message-Id: <200808231527.m7NFRamg010570@repoman.freebsd.org>
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/conf options src/sys/kern kern_exec.c src/sys/security/mac mac_framework.c mac_framework.h mac_inet.c mac_internal.h mac_net.c mac_pipe.c mac_policy.h mac_posix_sem.c mac_posix_shm.c mac_process.c mac_socket.c mac_syscalls.c ...

rwatson     2008-08-23 15:26:36 UTC

  FreeBSD src repository

  Modified files:
    sys/conf                         options
    sys/kern                         kern_exec.c
    sys/security/mac                 mac_framework.c mac_framework.h
                                     mac_inet.c mac_internal.h mac_net.c
                                     mac_pipe.c mac_policy.h
                                     mac_posix_sem.c mac_posix_shm.c
                                     mac_process.c mac_socket.c
                                     mac_syscalls.c mac_sysv_msg.c
                                     mac_sysv_sem.c mac_sysv_shm.c
                                     mac_vfs.c
    sys/security/mac_biba            mac_biba.c
    sys/security/mac_bsdextended     mac_bsdextended.c
    sys/security/mac_ifoff           mac_ifoff.c
    sys/security/mac_lomac           mac_lomac.c
    sys/security/mac_mls             mac_mls.c
    sys/security/mac_none            mac_none.c
    sys/security/mac_partition       mac_partition.c
    sys/security/mac_portacl         mac_portacl.c
    sys/security/mac_seeotheruids    mac_seeotheruids.c
    sys/security/mac_stub            mac_stub.c
    sys/security/mac_test            mac_test.c
  Log:
  SVN rev 182063 on 2008-08-23 15:26:36Z by rwatson

  Introduce two related changes to the TrustedBSD MAC Framework:

  (1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
      so that the general exec code isn't aware of the details of
      allocating, copying, and freeing labels, rather, simply passes in
      a void pointer to start and stop functions that will be used by
      the framework.  This change will be MFC'd.

  (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
      allowing policies to declare which types of objects require label
      allocation, initialization, and destruction, and define a set of
      flags covering various supported object types (MPC_OBJECT_PROC,
      MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...).  This change reduces the
      overhead of compiling the MAC Framework into the kernel if policies
      aren't loaded, or if policies require labels on only a small number
      or even no object types.  Each time a policy is loaded or unloaded,
      we recalculate a mask of labeled object types across all policies
      present in the system.  Eliminate MAC_ALWAYS_LABEL_MBUF option as it
      is no longer required.

  MFC after:      1 week ((1) only)
  Reviewed by:    csjp
  Obtained from:  TrustedBSD Project
  Sponsored by:   Apple, Inc.

  Revision  Changes    Path
  1.637     +0 -1      src/sys/conf/options
  1.322     +5 -7      src/sys/kern/kern_exec.c
  1.137     +15 -30    src/sys/security/mac/mac_framework.c
  1.101     +4 -6      src/sys/security/mac/mac_framework.h
  1.21      +46 -28    src/sys/security/mac/mac_inet.c
  1.125     +5 -3      src/sys/security/mac/mac_internal.h
  1.132     +34 -23    src/sys/security/mac/mac_net.c
  1.114     +8 -3      src/sys/security/mac/mac_pipe.c
  1.111     +37 -8     src/sys/security/mac/mac_policy.h
  1.15      +8 -3      src/sys/security/mac/mac_posix_sem.c
  1.2       +8 -3      src/sys/security/mac/mac_posix_shm.c
  1.123     +40 -6     src/sys/security/mac/mac_process.c
  1.12      +28 -11    src/sys/security/mac/mac_socket.c
  1.137     +28 -0     src/sys/security/mac/mac_syscalls.c
  1.11      +17 -6     src/sys/security/mac/mac_sysv_msg.c
  1.10      +8 -3      src/sys/security/mac/mac_sysv_sem.c
  1.9       +8 -3      src/sys/security/mac/mac_sysv_shm.c
  1.126     +25 -9     src/sys/security/mac/mac_vfs.c
  1.122     +21 -1     src/sys/security/mac_biba/mac_biba.c
  1.44      +1 -1      src/sys/security/mac_bsdextended/mac_bsdextended.c
  1.17      +1 -1      src/sys/security/mac_ifoff/mac_ifoff.c
  1.65      +21 -1     src/sys/security/mac_lomac/mac_lomac.c
  1.104     +21 -1     src/sys/security/mac_mls/mac_mls.c
  1.38      +1 -1      src/sys/security/mac_none/mac_none.c
  1.24      +26 -7     src/sys/security/mac_partition/mac_partition.c
  1.19      +1 -1      src/sys/security/mac_portacl/mac_portacl.c
  1.19      +1 -1      src/sys/security/mac_seeotheruids/mac_seeotheruids.c
  1.84      +22 -1     src/sys/security/mac_stub/mac_stub.c
  1.99      +22 -1     src/sys/security/mac_test/mac_test.c
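
Change (2) in the log above, modelled in user space as an added example (not code from this commit or from the TrustedBSD project): each policy declares the object types it wants labeled, and the mask is rebuilt from scratch on every load and unload so that a type stays labeled while any remaining policy still needs it. The MPC_OBJECT_* names come from the commit message; their numeric values, the struct, the sample policies and every function name are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Flag names are from the commit message; the bit values are constructed. */
#define MPC_OBJECT_PROC   0x1u
#define MPC_OBJECT_VNODE  0x2u
#define MPC_OBJECT_INPCB  0x4u
#define MAX_POLICIES      8

struct policy {               /* hypothetical stand-in for a MAC policy */
    const char *name;
    uint32_t    labeled;      /* object types this policy needs labeled */
};
/* Constructed sample policies with overlapping needs (both want vnodes). */
static const struct policy policy_a = { "a", MPC_OBJECT_PROC | MPC_OBJECT_VNODE };
static const struct policy policy_b = { "b", MPC_OBJECT_VNODE | MPC_OBJECT_INPCB };

static const struct policy *loaded[MAX_POLICIES];
static uint32_t labeled_mask; /* union of flags over all loaded policies */

/* Rebuild the union rather than clearing the departing policy's bits:
 * another loaded policy may still require the same object type. */
static void recalc_mask(void) {
    labeled_mask = 0;
    for (size_t i = 0; i < MAX_POLICIES; i++)
        if (loaded[i] != NULL)
            labeled_mask |= loaded[i]->labeled;
}

int policy_load(const struct policy *p) {
    for (size_t i = 0; i < MAX_POLICIES; i++)
        if (loaded[i] == NULL) { loaded[i] = p; recalc_mask(); return 0; }
    return -1;                /* table full */
}

int policy_unload(const struct policy *p) {
    for (size_t i = 0; i < MAX_POLICIES; i++)
        if (loaded[i] == p) { loaded[i] = NULL; recalc_mask(); return 0; }
    return -1;                /* policy was not loaded */
}

/* Object-creation path: skip label allocation unless some policy asked. */
int needs_label(uint32_t object_type) { return (labeled_mask & object_type) != 0; }
uint32_t current_mask(void) { return labeled_mask; }

int main(void) {
    policy_load(&policy_a); policy_load(&policy_b); policy_unload(&policy_a);
    return needs_label(MPC_OBJECT_VNODE) ? 0 : 1;  /* b still wants vnodes */
}
```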