Date: Wed, 20 Nov 2002 07:41:25 -0800 (PST) From: Robert Watson <rwatson@FreeBSD.org> To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: src/sys/sys mac.h mac_policy.h proc.h src/sys/kern kern_exit.c kern_fork.c kern_mac.c Message-ID: <200211201541.gAKFfPtL081127@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
rwatson 2002/11/20 07:41:25 PST
Modified files:
sys/sys mac.h mac_policy.h proc.h
sys/kern kern_exit.c kern_fork.c kern_mac.c
Log:
Introduce p_label, extensible security label storage for the MAC framework
in struct proc. While the process label is actually stored in the
struct ucred pointed to by p_ucred, there is a need for transient
storage that may be used when asynchronous (deferred) updates need to
be performed on the "real" label for locking reasons. Unlike other
label storage, this label has no locking semantics, relying on policies
to provide their own protection for the label contents, meaning that
a policy leaf mutex may be used, avoiding lock order issues. This
permits policies that act based on historical process behavior (such
as audit policies, the MAC Framework port of LOMAC, etc) can update
process properties even when many existing locks are held without
violating the lock order. No currently committed policies implement use
of this label storage.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Revision Changes Path
1.185 +5 -0 src/sys/kern/kern_exit.c
1.174 +5 -0 src/sys/kern/kern_fork.c
1.69 +25 -1 src/sys/kern/kern_mac.c
1.32 +2 -0 src/sys/sys/mac.h
1.33 +2 -0 src/sys/sys/mac_policy.h
1.280 +2 -0 src/sys/sys/proc.h
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200211201541.gAKFfPtL081127>