PERFORCE change 52083 for review
Robert Watson
rwatson at FreeBSD.org
Sun May 2 17:48:32 GMT 2004
http://perforce.freebsd.org/chv.cgi?CH=52083
Change 52083 by rwatson at rwatson_paprika on 2004/05/02 10:47:40
Various updates: add new items, upgrade/downgrade items in
priority list, remove completed or OBE items.
Affected files ...
.. //depot/projects/trustedbsd/mac/MERGE#5 edit
Differences ...
==== //depot/projects/trustedbsd/mac/MERGE#5 (text+ko) ====
@@ -3,9 +3,28 @@
devfs changes to pass complete paths of objects into MAC Framework
for label initialization.
- LOMAC fixes
+ System V IPC, POSIX Semaphore ABI changes to avoid sharing user
+ and kernel structures. Probably need to remove module unload
+ changes for now.
+
+ System V IPC, POSIX Sempahore MAC changes to permit labeling
+ and access control by MAC policies.
+
+ ipcs(1) label support.
+
+ MAC_STATIC to optimize performance by removing locking that
+ supports dynamic policy changes, limiting the system to
+ statically loaded policies.
+
+ Removal of redundant suser check in kern_xxx.c
+
+ NFS client credential fixes.
+
+ Use inpcb in preference to socket as label source where possible
+ in netinet. This helps to avoid the need for socket label
+ locking in a number of important cases.
- mac_test assertion updates
+ id(1) label support.
Consider to merge TODO:
@@ -13,18 +32,12 @@
pseudofs uses MNT_MULTILABEL always.
- SAVESTART flag in kern_exec.c
-
mac_update_mbuf_from_cipso()
- Removal of redundant suser check in kern_xxx.c
-
sppp MAC support
ppp MAC support
- NFS client credential fixes.
-
Biba/MLS sequential compartment set support.
FFS resilience improvements for EA support
@@ -33,17 +46,41 @@
bsd_add_rule in libugidfw
- tty labeling
-
setfsmac in /sbin
fsck_ffs ea support
direct exec of rc
- security as a directory in /etc
+ acl.9 expansions
+
+ ls(1) labels without long form
+
+ mac_support.4 man page showing what is (and isn't) supported
+ with MAC.
+
+ sysinstall(8) support for multi-label file systems.
+
+Probably not to merge, at least not in current form:
+
+ security as a directory in /etc (note: mergemaster handles this
+ poorly).
+
+ Use multilabel md file systems in the diskless environment.
+
+ rc executable so that there's the possibility of a domain
+ transition from init.
+
+ tty labeling in login(1)/login.conf(5), init(8).
+
+ Build a MAC kernel by default, include in installs/releases.
+
+ setfsmac(8) reference in sbin rather than usr/sbin.
- acl.9 expansions
+ SAVESTART flag in kern_exec.c -- is this needed?
+ missingops?
+ truss(1) hexdump support?
+ inetd(8) resource limits and labels improvements.
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list