Remove MAC kernel config files and add "options MAC" to GENERIC, with the

goal of shipping 8.0 with MAC support in the default kernel. No policies will be compiled in or enabled by default, but it will now be possible to load them at boot or runtime without a kernel recompile. While the framework is not believed to impose measurable overhead when no policies are loaded (a result of optimization over the past few months in HEAD), we'll continue to benchmark and optimize as the release approaches. Please keep an eye out for performance or functionality regressions that could be a result of this change. Approved by: re (kensmith) Obtained from: TrustedBSD Project
author: rwatson <rwatson@FreeBSD.org> 2009-06-02 18:31:08 +0000
committer: rwatson <rwatson@FreeBSD.org> 2009-06-02 18:31:08 +0000
commit: 14f4a9dd42b965a4a23b2aef0c7496f931649524 (patch)
tree: c54525a6e0aff1a518bfb0388e7af117d0d32e4b /sys
parent: 9d4f8dda8fd9436afd4e7d6c966045d29d4cf2eb (diff)
download: FreeBSD-src-14f4a9dd42b965a4a23b2aef0c7496f931649524.zip
FreeBSD-src-14f4a9dd42b965a4a23b2aef0c7496f931649524.tar.gz
14 files changed, 7 insertions, 196 deletions
diff --git a/sys/amd64/conf/GENERIC b/sys/amd64/conf/GENERIC
index 569e0cd..6ff85e2 100644
--- a/sys/amd64/conf/GENERIC
+++ b/sys/amd64/conf/GENERIC
@@ -70,6 +70,7 @@ options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
 options 	STOP_NMI		# Stop CPUS using NMI instead of IPI
 options 	HWPMC_HOOKS		# Necessary kernel hooks for hwpmc(4)
 options 	AUDIT			# Security event auditing
+options 	MAC			# TrustedBSD MAC Framework
 #options 	KDTRACE_FRAME		# Ensure frames are compiled in
 #options 	KDTRACE_HOOKS		# Kernel DTrace hooks
 
diff --git a/sys/amd64/conf/MAC b/sys/amd64/conf/MAC
deleted file mode 100644
index 306f36f..0000000
--- a/sys/amd64/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/amd64 MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html 
-#
-# $FreeBSD$
-
-include 	GENERIC
-ident 		MAC
-
-options 	MAC
-
-#options 	MAC_BIBA		# BIBA data integrity policy
-#options 	MAC_BSDEXTENDED		# File system firewall policy
-#options 	MAC_IFOFF		# Network interface silencing policy
-#options 	MAC_LOMAC		# Low-watermark data integrity policy
-#options 	MAC_MLS			# Multi-level confidentiality policy
-#options 	MAC_NONE		# NULL policy
-#options 	MAC_PARTITION		# Process partition policy
-#options 	MAC_PORTACL		# Network port access control policy
-#options 	MAC_SEEOTHERUIDS	# UID visibility policy
-#options 	MAC_STUB		# Stub policy
-#options 	MAC_TEST		# Testing policy for the MAC framework
diff --git a/sys/i386/conf/GENERIC b/sys/i386/conf/GENERIC
index 7475efd..08edaf7 100644
--- a/sys/i386/conf/GENERIC
+++ b/sys/i386/conf/GENERIC
@@ -71,6 +71,7 @@ options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
 options 	STOP_NMI		# Stop CPUS using NMI instead of IPI
 options 	HWPMC_HOOKS		# Necessary kernel hooks for hwpmc(4)
 options 	AUDIT			# Security event auditing
+options 	MAC			# TrustedBSD MAC Framework
 #options 	KDTRACE_HOOKS		# Kernel DTrace hooks
 
 # Debugging for use in -current
diff --git a/sys/i386/conf/MAC b/sys/i386/conf/MAC
deleted file mode 100644
index d208741..0000000
--- a/sys/i386/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/i386 MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html 
-#
-# $FreeBSD$
-
-include 	GENERIC
-ident 		MAC
-
-options 	MAC
-
-#options 	MAC_BIBA		# BIBA data integrity policy
-#options 	MAC_BSDEXTENDED		# File system firewall policy
-#options 	MAC_IFOFF		# Network interface silencing policy
-#options 	MAC_LOMAC		# Low-watermark data integrity policy
-#options 	MAC_MLS			# Multi-level confidentiality policy
-#options 	MAC_NONE		# NULL policy
-#options 	MAC_PARTITION		# Process partition policy
-#options 	MAC_PORTACL		# Network port access control policy
-#options 	MAC_SEEOTHERUIDS	# UID visibility policy
-#options 	MAC_STUB		# Stub policy
-#options 	MAC_TEST		# Testing policy for the MAC framework
diff --git a/sys/ia64/conf/GENERIC b/sys/ia64/conf/GENERIC
index ab471f7..83d1f60 100644
--- a/sys/ia64/conf/GENERIC
+++ b/sys/ia64/conf/GENERIC
@@ -40,6 +40,7 @@ options 	INVARIANTS	# Enable calls of extra sanity checking
 options 	INVARIANT_SUPPORT # required by INVARIANTS
 options 	KDB		# Enable kernel debugger support
 options 	KTRACE		# ktrace(1) syscall trace support
+options 	MAC			# TrustedBSD MAC Framework
 options 	MD_ROOT		# MD usable as root device
 options 	MSDOSFS		# MSDOS Filesystem
 options 	NFSCLIENT	# Network Filesystem Client
diff --git a/sys/ia64/conf/MAC b/sys/ia64/conf/MAC
deleted file mode 100644
index a4acaeb..0000000
--- a/sys/ia64/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/ia64 MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html 
-#
-# $FreeBSD$
-
-include 	GENERIC
-ident 		MAC
-
-options 	MAC
-
-#options 	MAC_BIBA		# BIBA data integrity policy
-#options 	MAC_BSDEXTENDED		# File system firewall policy
-#options 	MAC_IFOFF		# Network interface silencing policy
-#options 	MAC_LOMAC		# Low-watermark data integrity policy
-#options 	MAC_MLS			# Multi-level confidentiality policy
-#options 	MAC_NONE		# NULL policy
-#options 	MAC_PARTITION		# Process partition policy
-#options 	MAC_PORTACL		# Network port access control policy
-#options 	MAC_SEEOTHERUIDS	# UID visibility policy
-#options 	MAC_STUB		# Stub policy
-#options 	MAC_TEST		# Testing policy for the MAC framework
diff --git a/sys/pc98/conf/GENERIC b/sys/pc98/conf/GENERIC
index 539feab..82b8888 100644
--- a/sys/pc98/conf/GENERIC
+++ b/sys/pc98/conf/GENERIC
@@ -73,6 +73,7 @@ options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
 options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
 options 	HWPMC_HOOKS		# Necessary kernel hooks for hwpmc(4)
 options 	AUDIT			# Security event auditing
+options 	MAC			# TrustedBSD MAC Framework
 
 # Debugging for use in -current
 options 	KDB			# Enable kernel debugger support.
diff --git a/sys/pc98/conf/MAC b/sys/pc98/conf/MAC
deleted file mode 100644
index 6aee5da..0000000
--- a/sys/pc98/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/pc98 MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html 
-#
-# $FreeBSD$
-
-include 	GENERIC
-ident 		MAC
-
-options 	MAC
-
-#options 	MAC_BIBA		# BIBA data integrity policy
-#options 	MAC_BSDEXTENDED		# File system firewall policy
-#options 	MAC_IFOFF		# Network interface silencing policy
-#options 	MAC_LOMAC		# Low-watermark data integrity policy
-#options 	MAC_MLS			# Multi-level confidentiality policy
-#options 	MAC_NONE		# NULL policy
-#options 	MAC_PARTITION		# Process partition policy
-#options 	MAC_PORTACL		# Network port access control policy
-#options 	MAC_SEEOTHERUIDS	# UID visibility policy
-#options 	MAC_STUB		# Stub policy
-#options 	MAC_TEST		# Testing policy for the MAC framework
diff --git a/sys/powerpc/conf/GENERIC b/sys/powerpc/conf/GENERIC
index 819d768..2f9b264 100644
--- a/sys/powerpc/conf/GENERIC
+++ b/sys/powerpc/conf/GENERIC
@@ -64,6 +64,7 @@ options 	SYSVSEM			#SYSV-style semaphores
 options 	_KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions
 options 	HWPMC_HOOKS		# Necessary kernel hooks for hwpmc(4)
 options 	AUDIT			# Security event auditing
+options 	MAC			# TrustedBSD MAC Framework
 
 # Debugging for use in -current
 options 	KDB			#Enable the kernel debugger
diff --git a/sys/powerpc/conf/MAC b/sys/powerpc/conf/MAC
deleted file mode 100644
index 8626383..0000000
--- a/sys/powerpc/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/powerpc MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html 
-#
-# $FreeBSD$
-
-include 	GENERIC
-ident 		MAC
-
-options 	MAC
-
-#options 	MAC_BIBA		# BIBA data integrity policy
-#options 	MAC_BSDEXTENDED		# File system firewall policy
-#options 	MAC_IFOFF		# Network interface silencing policy
-#options 	MAC_LOMAC		# Low-watermark data integrity policy
-#options 	MAC_MLS			# Multi-level confidentiality policy
-#options 	MAC_NONE		# NULL policy
-#options 	MAC_PARTITION		# Process partition policy
-#options 	MAC_PORTACL		# Network port access control policy
-#options 	MAC_SEEOTHERUIDS	# UID visibility policy
-#options 	MAC_STUB		# Stub policy
-#options 	MAC_TEST		# Testing policy for the MAC framework
diff --git a/sys/sparc64/conf/GENERIC b/sys/sparc64/conf/GENERIC
index a3dad1c..943dc74 100644
--- a/sys/sparc64/conf/GENERIC
+++ b/sys/sparc64/conf/GENERIC
@@ -65,6 +65,7 @@ options 	SYSVSEM			# SYSV-style semaphores
 options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
 options 	HWPMC_HOOKS		# Necessary kernel hooks for hwpmc(4)
 options 	AUDIT			# Security event auditing
+options 	MAC			# TrustedBSD MAC Framework
 
 # Debugging for use in -current
 options 	KDB			# Enable kernel debugger support.
diff --git a/sys/sparc64/conf/MAC b/sys/sparc64/conf/MAC
deleted file mode 100644
index 56af83d..0000000
--- a/sys/sparc64/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/sparc64 MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html 
-#
-# $FreeBSD$
-
-include 	GENERIC
-ident 		MAC
-
-options 	MAC
-
-#options 	MAC_BIBA		# BIBA data integrity policy
-#options 	MAC_BSDEXTENDED		# File system firewall policy
-#options 	MAC_IFOFF		# Network interface silencing policy
-#options 	MAC_LOMAC		# Low-watermark data integrity policy
-#options 	MAC_MLS			# Multi-level confidentiality policy
-#options 	MAC_NONE		# NULL policy
-#options 	MAC_PARTITION		# Process partition policy
-#options 	MAC_PORTACL		# Network port access control policy
-#options 	MAC_SEEOTHERUIDS	# UID visibility policy
-#options 	MAC_STUB		# Stub policy
-#options 	MAC_TEST		# Testing policy for the MAC framework
diff --git a/sys/sun4v/conf/GENERIC b/sys/sun4v/conf/GENERIC
index 2291087..438db17 100644
--- a/sys/sun4v/conf/GENERIC
+++ b/sys/sun4v/conf/GENERIC
@@ -66,6 +66,7 @@ options 	AHC_REG_PRETTY_PRINT	# Print register bitfields in debug
 options 	PRINTF_BUFR_SIZE=128	# Prevent printf output being interspersed.
 options 	HWPMC_HOOKS		# Necessary kernel hooks for hwpmc(4)
 options 	AUDIT			# Security event auditing
+options 	MAC			# TrustedBSD MAC Framework
 
 # Debugging for use in -current
 options 	KDB			# Enable kernel debugger support.
diff --git a/sys/sun4v/conf/MAC b/sys/sun4v/conf/MAC
deleted file mode 100644
index 56af83d..0000000
--- a/sys/sun4v/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/sparc64 MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html 
-#
-# $FreeBSD$
-
-include 	GENERIC
-ident 		MAC
-
-options 	MAC
-
-#options 	MAC_BIBA		# BIBA data integrity policy
-#options 	MAC_BSDEXTENDED		# File system firewall policy
-#options 	MAC_IFOFF		# Network interface silencing policy
-#options 	MAC_LOMAC		# Low-watermark data integrity policy
-#options 	MAC_MLS			# Multi-level confidentiality policy
-#options 	MAC_NONE		# NULL policy
-#options 	MAC_PARTITION		# Process partition policy
-#options 	MAC_PORTACL		# Network port access control policy
-#options 	MAC_SEEOTHERUIDS	# UID visibility policy
-#options 	MAC_STUB		# Stub policy
-#options 	MAC_TEST		# Testing policy for the MAC framework
author	rwatson <rwatson@FreeBSD.org>	2009-06-02 18:31:08 +0000
committer	rwatson <rwatson@FreeBSD.org>	2009-06-02 18:31:08 +0000
commit	14f4a9dd42b965a4a23b2aef0c7496f931649524 (patch)
tree	c54525a6e0aff1a518bfb0388e7af117d0d32e4b /sys
parent	9d4f8dda8fd9436afd4e7d6c966045d29d4cf2eb (diff)
download	FreeBSD-src-14f4a9dd42b965a4a23b2aef0c7496f931649524.zip FreeBSD-src-14f4a9dd42b965a4a23b2aef0c7496f931649524.tar.gz