HEADS UP: MAC enabled by default (was: svn commit: r193334 - in
head/sys: amd64/conf i386/conf ia64/conf pc98/conf powerpc/conf sparc64/conf
sun4v/conf (fwd))
Robert Watson
rwatson at FreeBSD.org
Tue Jun 2 19:12:15 UTC 2009
As an FYI to -CURRENT users: I've enabled "options MAC" in the GENERIC kernel
in order to allow MAC users to enable security policy modules without a kernel
recompile. By default, it shouldn't change the behavior of the system, and
should have negligible performance impact. However, if you run into problems,
please let me know -- hopefully we'll have lots of time before 8.0 to shake
them out.
Thanks,
Robert N M Watson
Computer Laboratory
University of Cambridge
---------- Forwarded message ----------
Date: Tue, 2 Jun 2009 18:31:08 +0000 (UTC)
From: Robert Watson <rwatson at FreeBSD.org>
To: src-committers at freebsd.org, svn-src-all at freebsd.org,
svn-src-head at freebsd.org
Subject: svn commit: r193334 - in head/sys: amd64/conf i386/conf ia64/conf
pc98/conf powerpc/conf sparc64/conf sun4v/conf
Author: rwatson
Date: Tue Jun 2 18:31:08 2009
New Revision: 193334
URL: http://svn.freebsd.org/changeset/base/193334
Log:
Remove MAC kernel config files and add "options MAC" to GENERIC, with the
goal of shipping 8.0 with MAC support in the default kernel. No policies
will be compiled in or enabled by default, but it will now be possible to
load them at boot or runtime without a kernel recompile.
While the framework is not believed to impose measurable overhead when no
policies are loaded (a result of optimization over the past few months in
HEAD), we'll continue to benchmark and optimize as the release approaches.
Please keep an eye out for performance or functionality regressions that
could be a result of this change.
Approved by: re (kensmith)
Obtained from: TrustedBSD Project
Deleted:
head/sys/amd64/conf/MAC
head/sys/i386/conf/MAC
head/sys/ia64/conf/MAC
head/sys/pc98/conf/MAC
head/sys/powerpc/conf/MAC
head/sys/sparc64/conf/MAC
head/sys/sun4v/conf/MAC
Modified:
head/sys/amd64/conf/GENERIC
head/sys/i386/conf/GENERIC
head/sys/ia64/conf/GENERIC
head/sys/pc98/conf/GENERIC
head/sys/powerpc/conf/GENERIC
head/sys/sparc64/conf/GENERIC
head/sys/sun4v/conf/GENERIC
Modified: head/sys/amd64/conf/GENERIC
==============================================================================
--- head/sys/amd64/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333)
+++ head/sys/amd64/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334)
@@ -70,6 +70,7 @@ options KBD_INSTALL_CDEV # install a CD
options STOP_NMI # Stop CPUS using NMI instead of IPI
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
options AUDIT # Security event auditing
+options MAC # TrustedBSD MAC Framework
#options KDTRACE_FRAME # Ensure frames are compiled in
#options KDTRACE_HOOKS # Kernel DTrace hooks
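Review bot: The comment on the added `options MAC` line names only the framework, which can lead someone reading GENERIC to assume mandatory access control is being enforced. Per the log, no policy is compiled in or enabled, so consider a comment such as `# TrustedBSD MAC Framework (policies loaded as modules)`; the same wording would apply to the identical line in the other GENERIC files.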
Modified: head/sys/i386/conf/GENERIC
==============================================================================
--- head/sys/i386/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333)
+++ head/sys/i386/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334)
@@ -71,6 +71,7 @@ options KBD_INSTALL_CDEV # install a CD
options STOP_NMI # Stop CPUS using NMI instead of IPI
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
options AUDIT # Security event auditing
+options MAC # TrustedBSD MAC Framework
#options KDTRACE_HOOKS # Kernel DTrace hooks
# Debugging for use in -current
Modified: head/sys/ia64/conf/GENERIC
==============================================================================
--- head/sys/ia64/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333)
+++ head/sys/ia64/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334)
@@ -40,6 +40,7 @@ options INVARIANTS # Enable calls of ex
options INVARIANT_SUPPORT # required by INVARIANTS
options KDB # Enable kernel debugger support
options KTRACE # ktrace(1) syscall trace support
+options MAC # TrustedBSD MAC Framework
options MD_ROOT # MD usable as root device
options MSDOSFS # MSDOS Filesystem
options NFSCLIENT # Network Filesystem Client
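Review bot: Placement is inconsistent with the rest of the patch: here `options MAC` lands between KTRACE and MD_ROOT, whereas the other six hunks put it directly after `options AUDIT`. That matches the alphabetical ordering visible in this hunk's context lines, so the position itself looks right, but a one-line mention in the log that ia64 follows its own ordering would save a reader from wondering whether the line was misplaced.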
Modified: head/sys/pc98/conf/GENERIC
==============================================================================
--- head/sys/pc98/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333)
+++ head/sys/pc98/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334)
@@ -73,6 +73,7 @@ options _KPOSIX_PRIORITY_SCHEDULING # P
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
options AUDIT # Security event auditing
+options MAC # TrustedBSD MAC Framework
# Debugging for use in -current
options KDB # Enable kernel debugger support.
Modified: head/sys/powerpc/conf/GENERIC
==============================================================================
--- head/sys/powerpc/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333)
+++ head/sys/powerpc/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334)
@@ -64,6 +64,7 @@ options SYSVSEM #SYSV-style semaphore
options _KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
options AUDIT # Security event auditing
+options MAC # TrustedBSD MAC Framework
# Debugging for use in -current
options KDB #Enable the kernel debugger
Modified: head/sys/sparc64/conf/GENERIC
==============================================================================
--- head/sys/sparc64/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333)
+++ head/sys/sparc64/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334)
@@ -65,6 +65,7 @@ options SYSVSEM # SYSV-style semaphor
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
options AUDIT # Security event auditing
+options MAC # TrustedBSD MAC Framework
# Debugging for use in -current
options KDB # Enable kernel debugger support.
Modified: head/sys/sun4v/conf/GENERIC
==============================================================================
--- head/sys/sun4v/conf/GENERIC Tue Jun 2 18:30:09 2009 (r193333)
+++ head/sys/sun4v/conf/GENERIC Tue Jun 2 18:31:08 2009 (r193334)
@@ -66,6 +66,7 @@ options AHC_REG_PRETTY_PRINT # Print re
options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed.
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
options AUDIT # Security event auditing
+options MAC # TrustedBSD MAC Framework
# Debugging for use in -current
options KDB # Enable kernel debugger support.
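Review bot: Users who build the now-deleted MAC kernel config get no migration hint: the `+options MAC` line here and in the six hunks above replaces those configs, but the file list touches only the conf directories. A short UPDATING entry telling anyone using KERNCONF=MAC to switch to GENERIC would be worth adding alongside this commit.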