From: Robert Watson
Date: Tue, 2 Jun 2009 20:12:14 +0100 (BST)
To: current@FreeBSD.org
Subject: HEADS UP: MAC enabled by default (was: svn commit: r193334 - in head/sys: amd64/conf i386/conf ia64/conf pc98/conf powerpc/conf sparc64/conf sun4v/conf (fwd))

As an FYI to -CURRENT users:

I've enabled "options MAC" in the GENERIC kernel in order to allow MAC users to enable security policy modules without a kernel recompile. By default, it shouldn't change the behavior of the system, and should have negligible performance impact. However, if you run into problems, please let me know -- hopefully we'll have lots of time before 8.0 to shake them out.

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge

---------- Forwarded message ----------
Date: Tue, 2 Jun 2009 18:31:08 +0000 (UTC)
From: Robert Watson
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r193334 - in head/sys: amd64/conf i386/conf ia64/conf pc98/conf powerpc/conf sparc64/conf sun4v/conf

Author: rwatson
Date: Tue Jun 2 18:31:08 2009
New Revision: 193334
URL: http://svn.freebsd.org/changeset/base/193334

Log:
  Remove MAC kernel config files and add "options MAC" to GENERIC, with the goal of shipping 8.0 with MAC support in the default kernel. No policies will be compiled in or enabled by default, but it will now be possible to load them at boot or runtime without a kernel recompile.

  While the framework is not believed to impose measurable overhead when no policies are loaded (a result of optimization over the past few months in HEAD), we'll continue to benchmark and optimize as the release approaches. Please keep an eye out for performance or functionality regressions that could be a result of this change.

  Approved by: re (kensmith)
  Obtained from: TrustedBSD Project

Deleted:
  head/sys/amd64/conf/MAC
  head/sys/i386/conf/MAC
  head/sys/ia64/conf/MAC
  head/sys/pc98/conf/MAC
  head/sys/powerpc/conf/MAC
  head/sys/sparc64/conf/MAC
  head/sys/sun4v/conf/MAC

Modified:
  head/sys/amd64/conf/GENERIC
  head/sys/i386/conf/GENERIC
  head/sys/ia64/conf/GENERIC
  head/sys/pc98/conf/GENERIC
  head/sys/powerpc/conf/GENERIC
  head/sys/sparc64/conf/GENERIC
  head/sys/sun4v/conf/GENERIC

Modified: head/sys/amd64/conf/GENERIC ============================================================================== --- head/sys/amd64/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333) +++ head/sys/amd64/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334) 
@@ -70,6 +70,7 @@ options KBD_INSTALL_CDEV # install a CD options STOP_NMI # Stop CPUS using NMI instead of IPI options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing +options MAC # TrustedBSD MAC Framework #options KDTRACE_FRAME # Ensure frames are compiled in #options KDTRACE_HOOKS # Kernel DTrace hooks Modified: head/sys/i386/conf/GENERIC ============================================================================== --- head/sys/i386/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333) +++ head/sys/i386/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334) @@ -71,6 +71,7 @@ options KBD_INSTALL_CDEV # install a CD options STOP_NMI # Stop CPUS using NMI instead of IPI options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing +options MAC # TrustedBSD MAC Framework #options KDTRACE_HOOKS # Kernel DTrace hooks # Debugging for use in -current Modified: head/sys/ia64/conf/GENERIC ============================================================================== --- head/sys/ia64/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333) +++ head/sys/ia64/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334) @@ -40,6 +40,7 @@ options INVARIANTS # Enable calls of ex options INVARIANT_SUPPORT # required by INVARIANTS options KDB # Enable kernel debugger support options KTRACE # ktrace(1) syscall trace support +options MAC # TrustedBSD MAC Framework options MD_ROOT # MD usable as root device options MSDOSFS # MSDOS Filesystem options NFSCLIENT # Network Filesystem Client Modified: head/sys/pc98/conf/GENERIC ============================================================================== --- head/sys/pc98/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333) +++ head/sys/pc98/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334) 
@@ -73,6 +73,7 @@ options _KPOSIX_PRIORITY_SCHEDULING # P options KBD_INSTALL_CDEV # install a CDEV entry in /dev options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing +options MAC # TrustedBSD MAC Framework # Debugging for use in -current options KDB # Enable kernel debugger support. Modified: head/sys/powerpc/conf/GENERIC ============================================================================== --- head/sys/powerpc/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333) +++ head/sys/powerpc/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334) @@ -64,6 +64,7 @@ options SYSVSEM #SYSV-style semaphore options _KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing +options MAC # TrustedBSD MAC Framework # Debugging for use in -current options KDB #Enable the kernel debugger Modified: head/sys/sparc64/conf/GENERIC ============================================================================== --- head/sys/sparc64/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333) +++ head/sys/sparc64/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334) @@ -65,6 +65,7 @@ options SYSVSEM # SYSV-style semaphor options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing +options MAC # TrustedBSD MAC Framework # Debugging for use in -current options KDB # Enable kernel debugger support. Modified: head/sys/sun4v/conf/GENERIC ============================================================================== --- head/sys/sun4v/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333) +++ head/sys/sun4v/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334) 
@@ -66,6 +66,7 @@ options AHC_REG_PRETTY_PRINT # Print re options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed. options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing +options MAC # TrustedBSD MAC Framework # Debugging for use in -current options KDB # Enable kernel debugger support.
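
Review bot: The comment on the added line, "# TrustedBSD MAC Framework", is the same in all seven GENERIC hunks and does not tell someone reading the config that the option only builds the framework in. The log message states that no policies are compiled in or enabled by default and that they are loaded at boot or runtime; a few extra words in the comment saying that policy modules must still be loaded, or a pointer to mac(4), would keep an administrator from assuming that a kernel with this line is already enforcing a policy.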
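
Review bot: Placement of the new option differs in the ia64 hunk (@@ -40,6 +40,7 @@), where "options MAC" goes between KTRACE and MD_ROOT, while the other six hunks put it directly after "options AUDIT". The ia64 context lines are in alphabetical order, so the placement follows that file's own convention, but the log message should mention the difference so that anyone auditing the security-related options by looking next to AUDIT knows to look elsewhere in the ia64 file. The ia64 context shown here also does not include an AUDIT line, so it is worth confirming that the two security options end up enabled together on that architecture as they are on the others.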