Date: Sat, 26 Oct 2002 14:48:46 -0400 (EDT) From: Robert Watson <rwatson@FreeBSD.org> To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/conf files src/sys/fs/devfs devfs_vnops.c src/sys/fs/procfs procfs.c procfs.h procfs_mac.c src/sys/fs/pseudofs pseudofs.h pseudofs_vnops.c src/sys/kern kern_mac.c vfs_subr.c src/sys/modules/procfs Makefile ... Message-ID: <Pine.NEB.3.96L.1021026144653.2493D-100000@fledge.watson.org> In-Reply-To: <200210261438.g9QEcO9Q098566@repoman.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
FYI to those experimenting with MAC: this breaks each policy out into using its own extended attribute, and is pretty much the last step in getting all policy-specific data out of the central MAC framework (kern_mac.c, mac.h) into the policy-specific modules. There's a little more cleanup here, but not much. If you're using persistent disk labels, this will change the storage of those labels, and we do not currently provide a migration path (although it might not be hard to write a single-user mode utility to walk the file system and migrate the data to their new extended attributes). With this change, however, we do recommend that (wherever possible) UFS2 be used for MAC and not UFS1, as UFS1 provides weaker guarantees than UFS2 for extended attribute modification. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories On Sat, 26 Oct 2002, Robert Watson wrote: > rwatson 2002/10/26 07:38:24 PDT > > Modified files: > sys/conf files > sys/fs/devfs devfs_vnops.c > sys/fs/procfs procfs.c procfs.h > sys/fs/pseudofs pseudofs.h pseudofs_vnops.c > sys/kern kern_mac.c vfs_subr.c > sys/modules/procfs Makefile > sys/security/mac_biba mac_biba.c > sys/security/mac_mls mac_mls.c > sys/security/mac_none mac_none.c > sys/security/mac_test mac_test.c > sys/sys mac.h mac_policy.h > sys/ufs/ffs ffs_vfsops.c > sys/ufs/ufs ufs_vnops.c > Removed files: > sys/fs/procfs procfs_mac.c > Log: > Slightly change the semantics of vnode labels for MAC: rather than > "refreshing" the label on the vnode before use, just get the label > right from inception. For single-label file systems, set the label > in the generic VFS getnewvnode() code; for multi-label file systems, > leave the labeling up to the file system. With UFS1/2, this means > reading the extended attribute during vfs_vget() as the inode is > pulled off disk, rather than hitting the extended attributes > frequently during operations later, improving performance. This > also corrects sematics for shared vnode locks, which were not > previously present in the system. This chances the cache > coherrency properties WRT out-of-band access to label data, but in > an acceptable form. With UFS1, there is a small race condition > during automatic extended attribute start -- this is not present > with UFS2, and occurs because EAs aren't available at vnode > inception. We'll introduce a work around for this shortly. > > Approved by: re > Obtained from: TrustedBSD Project > Sponsored by: DARPA, Network Associates Laboratories > > Revision Changes Path > 1.729 +0 -1 src/sys/conf/files > 1.54 +1 -1 src/sys/fs/devfs/devfs_vnops.c > 1.8 +0 -1 src/sys/fs/procfs/procfs.c > 1.45 +0 -3 src/sys/fs/procfs/procfs.h > 1.2 +0 -68 src/sys/fs/procfs/procfs_mac.c (dead) > 1.22 +0 -10 src/sys/fs/pseudofs/pseudofs.h > 1.32 +0 -47 src/sys/fs/pseudofs/pseudofs_vnops.c > 1.49 +90 -486 src/sys/kern/kern_mac.c > 1.419 +2 -0 src/sys/kern/vfs_subr.c > 1.28 +0 -2 src/sys/modules/procfs/Makefile > 1.29 +120 -61 src/sys/security/mac_biba/mac_biba.c > 1.27 +98 -61 src/sys/security/mac_mls/mac_mls.c > 1.15 +43 -39 src/sys/security/mac_none/mac_none.c > 1.13 +43 -40 src/sys/security/mac_test/mac_test.c > 1.19 +9 -7 src/sys/sys/mac.h > 1.19 +23 -24 src/sys/sys/mac_policy.h > 1.196 +18 -0 src/sys/ufs/ffs/ffs_vfsops.c > 1.219 +12 -15 src/sys/ufs/ufs/ufs_vnops.c > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1021026144653.2493D-100000>