Break out Policy Background from the Introduction.

Note that the MAC Framework can also be used to express DAC policies.

Push the MAC Framework Policy Elements section up a level to sect1 and
name it "MAC Policy Architecture".

Stick "MAC" in front of the Policy Entry Points section header to
improve consistency.
Robert Watson 2003-04-20 17:09:56 +00:00
parent f4d495b054
commit be5924b944
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=16624
2 changed files with 86 additions and 66 deletions
en_US.ISO8859-1/books
arch-handbook/mac
developers-handbook/mac

View file

@ -140,6 +140,10 @@
services to assist policy writers, including support for
transient and persistent policy-agnostic object security
labels. This support is currently considered experimental.</para>
</sect1>
<sect1>
<title>Policy Background</title>
<para>Mandatory Access Control (MAC), refers to a set of
access control policies that are mandatorily enforced on
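Review bot: The new `<sect1>` that opens the Policy Background section has no `id` attribute, while the other `sect1` elements visible in this patch all carry one (`mac-kernel-arch`, `mac-userland-arch`, `mac-policy-architecture`). Give it an id in the same style, for example `<sect1 id="mac-policy-background">`, so the section can be cross-referenced like its siblings.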
@ -157,6 +161,13 @@
identity, role, and security clearance, as well as security labels
on objects representing concepts such as data sensitivity and
integrity.</para>
<para>The TrustedBSD MAC Framework is capable of supporting policy
modules that implement all of these policies, as well as a broad
class of system hardening policies. In addition, despite the
name, the MAC Framework can also be used to implement purely
discretionary policies, as policy modules are given substantial
flexibility in how they authorize protections.</para>
</sect1>
<sect1 id="mac-kernel-arch">
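Review bot: In the added paragraph, "flexibility in how they authorize protections" reads oddly, because a policy module authorizes operations or accesses and the protection is the result. Suggest "flexibility in how they authorize access", or name the thing being authorized explicitly.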
@ -255,36 +266,6 @@
are used to permit consistent compound updates of
security labels on vnodes.</para>
</sect2>
<sect2 id="mac-kernel-arch-policy-elements">
<title>MAC Framework Policy Elements</title>
<para>Security policies are either linked directly into the kernel,
or compiled into loadable kernel modules that may be loaded at
boot, or dynamically using the module loading system calls at
runtime. Policy modules interact with the system through a
set of declared entry points, providing access to a stream of
system events and permitting the policy to influence access
control decisions. Each policy contains a number of elements:</para>
<itemizedlist>
<listitem><para>Optional configuration parameters for
policy.</para></listitem>
<listitem><para>Centralized implementation of the policy
logic and parameters.</para></listitem>
<listitem><para>Optional implementation of policy life cycle
events, such as initialization and destruction.</para></listitem>
<listitem><para>Optional support for initializing, maintaining, and
destroying labels on selected kernel objects.</para></listitem>
<listitem><para>Optional support for user process inspection and
modification of labels on selected objects.</para></listitem>
<listitem><para>Implementation of selected access control
entry points that are of interest to the policy.</para></listitem>
<listitem><para>Declaration of poicy identity, module entry
points, and policy properties.</para></listitem>
</itemizedlist>
</sect2>
</sect1>
<sect1 id="mac-userland-arch">
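Review bot: Removing this `sect2` also removes the id `mac-kernel-arch-policy-elements`, and the text reappears later under a different id (`mac-policy-architecture`). Search both books for `linkend="mac-kernel-arch-policy-elements"` and update any cross-reference in the same commit, otherwise it is left dangling.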
@ -368,7 +349,36 @@
following such a change.</para></note>
</sect2>
</sect1>
<sect1 id="mac-policy-architecture">
<title>MAC Policy Architecture</title>
<para>Security policies are either linked directly into the kernel,
or compiled into loadable kernel modules that may be loaded at
boot, or dynamically using the module loading system calls at
runtime. Policy modules interact with the system through a
set of declared entry points, providing access to a stream of
system events and permitting the policy to influence access
control decisions. Each policy contains a number of elements:</para>
<itemizedlist>
<listitem><para>Optional configuration parameters for
policy.</para></listitem>
<listitem><para>Centralized implementation of the policy
logic and parameters.</para></listitem>
<listitem><para>Optional implementation of policy life cycle
events, such as initialization and destruction.</para></listitem>
<listitem><para>Optional support for initializing, maintaining, and
destroying labels on selected kernel objects.</para></listitem>
<listitem><para>Optional support for user process inspection and
modification of labels on selected objects.</para></listitem>
<listitem><para>Implementation of selected access control
entry points that are of interest to the policy.</para></listitem>
<listitem><para>Declaration of poicy identity, module entry
points, and policy properties.</para></listitem>
</itemizedlist>
</sect1>
<sect1 id="mac-policy-declaration">
<title>MAC Policy Declaration</title>
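Review bot: The last list item in the moved text still reads "Declaration of poicy identity, module entry points, and policy properties"; the typo was carried over unchanged from the removed `sect2`. Since the block is being re-added anyway, correct "poicy" to "policy" here.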
@ -484,8 +494,8 @@
to have label storage.</para></note>
</sect1>
<sect1 id="mac-entry-point-intro">
<title>Entry Point Introduction</title>
<sect1 id="mac-policy-entry-points">
<title>MAC Policy Entry Points</title>
<para>Four classes of entry points are offered to policies
registered with the framework: entry points associated with
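Review bot: The section id changes from `mac-entry-point-intro` to `mac-policy-entry-points`, but the commit log only mentions putting "MAC" in front of the section header. Any existing `linkend` or external link to the old id will stop resolving, so either keep the old id and change only the `<title>`, or update the references and say in the log that the id was renamed.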

View file

@ -140,6 +140,10 @@
services to assist policy writers, including support for
transient and persistent policy-agnostic object security
labels. This support is currently considered experimental.</para>
</sect1>
<sect1>
<title>Policy Background</title>
<para>Mandatory Access Control (MAC), refers to a set of
access control policies that are mandatorily enforced on
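Review bot: The new section opens with "Mandatory Access Control (MAC), refers to", where the comma after "(MAC)" separates the subject from its verb; as this is now the first sentence under the Policy Background title, drop the comma in this change. The chapter is also being edited in two places with matching hunks (arch-handbook/mac and developers-handbook/mac), so anything fixed in one copy has to be repeated in the other or the two will drift.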
@ -157,6 +161,13 @@
identity, role, and security clearance, as well as security labels
on objects representing concepts such as data sensitivity and
integrity.</para>
<para>The TrustedBSD MAC Framework is capable of supporting policy
modules that implement all of these policies, as well as a broad
class of system hardening policies. In addition, despite the
name, the MAC Framework can also be used to implement purely
discretionary policies, as policy modules are given substantial
flexibility in how they authorize protections.</para>
</sect1>
<sect1 id="mac-kernel-arch">
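Review bot: The added paragraph says "purely discretionary policies" while the commit log calls them DAC policies, and the acronym never appears in the text. The previous hunk introduces MAC by full name and acronym, so do the same here on first use, "Discretionary Access Control (DAC)", unless it is already defined elsewhere in the chapter.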
@ -255,36 +266,6 @@
are used to permit consistent compound updates of
security labels on vnodes.</para>
</sect2>
<sect2 id="mac-kernel-arch-policy-elements">
<title>MAC Framework Policy Elements</title>
<para>Security policies are either linked directly into the kernel,
or compiled into loadable kernel modules that may be loaded at
boot, or dynamically using the module loading system calls at
runtime. Policy modules interact with the system through a
set of declared entry points, providing access to a stream of
system events and permitting the policy to influence access
control decisions. Each policy contains a number of elements:</para>
<itemizedlist>
<listitem><para>Optional configuration parameters for
policy.</para></listitem>
<listitem><para>Centralized implementation of the policy
logic and parameters.</para></listitem>
<listitem><para>Optional implementation of policy life cycle
events, such as initialization and destruction.</para></listitem>
<listitem><para>Optional support for initializing, maintaining, and
destroying labels on selected kernel objects.</para></listitem>
<listitem><para>Optional support for user process inspection and
modification of labels on selected objects.</para></listitem>
<listitem><para>Implementation of selected access control
entry points that are of interest to the policy.</para></listitem>
<listitem><para>Declaration of poicy identity, module entry
points, and policy properties.</para></listitem>
</itemizedlist>
</sect2>
</sect1>
<sect1 id="mac-userland-arch">
@ -368,7 +349,36 @@
following such a change.</para></note>
</sect2>
</sect1>
<sect1 id="mac-policy-architecture">
<title>MAC Policy Architecture</title>
<para>Security policies are either linked directly into the kernel,
or compiled into loadable kernel modules that may be loaded at
boot, or dynamically using the module loading system calls at
runtime. Policy modules interact with the system through a
set of declared entry points, providing access to a stream of
system events and permitting the policy to influence access
control decisions. Each policy contains a number of elements:</para>
<itemizedlist>
<listitem><para>Optional configuration parameters for
policy.</para></listitem>
<listitem><para>Centralized implementation of the policy
logic and parameters.</para></listitem>
<listitem><para>Optional implementation of policy life cycle
events, such as initialization and destruction.</para></listitem>
<listitem><para>Optional support for initializing, maintaining, and
destroying labels on selected kernel objects.</para></listitem>
<listitem><para>Optional support for user process inspection and
modification of labels on selected objects.</para></listitem>
<listitem><para>Implementation of selected access control
entry points that are of interest to the policy.</para></listitem>
<listitem><para>Declaration of poicy identity, module entry
points, and policy properties.</para></listitem>
</itemizedlist>
</sect1>
<sect1 id="mac-policy-declaration">
<title>MAC Policy Declaration</title>
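Review bot: The first list item, "Optional configuration parameters for policy.", is missing an article and reads as a fragment next to the other items; suggest "Optional configuration parameters for the policy." The "poicy" typo in the last item needs the same correction in this copy as in the other handbook.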
@ -484,8 +494,8 @@
to have label storage.</para></note>
</sect1>
<sect1 id="mac-entry-point-intro">
<title>Entry Point Introduction</title>
<sect1 id="mac-policy-entry-points">
<title>MAC Policy Entry Points</title>
<para>Four classes of entry points are offered to policies
registered with the framework: entry points associated with