Re: FreeBSD and MAC




On Sat, 7 Mar 2009, Zahemszky Gábor wrote:

I have two simple questions about the Mandatory Access Control framework of FreeBSD:

a) What has happened with the SEBSD module? When will it be available (or will it be at all) in the system (or can I find one for an up-to-date kernel: 7.x or up)?

b) When will "options MAC" be in the GENERIC kernel, or why not? (I think more people can test the MAC modules if they don't need to configure a kernel for it.)

Dear Gábor:

Right now no one is maintaining the SEBSD module; this is unfortunate, but largely a property of people having enough time. If this is something you can contribute to (or anyone else who's interested) I'm happy to provide pointers and advice. Most of the MAC Framework dependencies for SEBSD were merged back into the base tree, but it would need quite a bit of adaptation to move forward to FreeBSD 7/8. Also, SEBSD uses what are now quite old SELinux parts, so those would also need updating (although I guess that isn't required). Feel free to ask questions here, or on the trustedbsd-discuss mailing list.

"options MAC" is believed to cause a significant performance loss on 7.x and earlier; we're currently working to address that with the hope of shipping "options MAC" in GENERIC starting with FreeBSD 8.0. I've not re-benchmarked in a few months but we've merged a number of improvements that should be getting us close. For example, whereas previously MAC automatically allocated memory to hold security labels for objects, now it only allocates memory when policies are registered that specifically require labels on those object types. On a similar note, the locking for the MAC Framework itself has been significantly optimized over the last few weeks to lower overhead, and there are more changes in the works. We'll probably pause and take stock sometime in the next month and see what performance regressions remain.

Robert N M Watson
Computer Laboratory
University of Cambridge
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
