- Add Management Interfaces (sysctls, tunables, et al).
- Add Concurrency and Synchronization (busy count handling to synchronize
policy loading).
- Add Policy Registration (management of active poliy lists).
- Flesh out Labeling Support to talk about label initialization and
life cycles, allocation semantics.
- Add System Calls.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
- Move Userland Architecture down to the Userland APIs section.
- Push most of the Policy-related subsections into the MAC Policy
Architecture section. Tweak a little language so it makes
sense.
Note that the MAC Framework can also be used to express DAC policies.
Push the MAC Framework Policy Elements section up a level to sect1 and
name it "MAC Policy Architecture".
Stick "MAC" in front of the Policy Entry Points section header to
improve consistency.
Developer's Handbook: break out the "Entry Point Framework" section
into a number of sections: MAC Policy Declaration, Entry Point
Introduction, MAC Policy Entry Point Reference. Re-order sections
a bit so there's a more logical progression and fewer large chunks
of text over many pages. This greatly improves readability.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
its possible interactions with the MPC_LOADTIME_FLAG_NOTLATE flag.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
the MAC Framework Chapter of the Developer's Handbook with a
cross-reference the the mac(3) man page for the time being.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
of the MAC Framework chapter of the Developer's Handbook into their
own <sect2> sections.
- Re-order the Policy Elements sect2 to the end of the section since
most of the remainder of the subsections talk about parts of the
Framework, not module structure.
- Add text relating to the support for persistent labeling using
extended attributes on supporting file systems.
- Add concurrency/synchronization primitives to the list of framework
elements.
This section needs more work, and will probably grow sub-sections on
most of the major elements in the element list.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
cases, the object pointer was still present as an argument to
label init/destroy calls, although it was removed in the source a
while back. In some cases, we've added blocking dispositions to
initialization calls that previously didn't have them (ipq), so
add that also. Generally call 'how' 'flag' instead to match the
prototypes in mac_policy.h.
- Add missing descriptions of mpo_destroy_vnode_label(), and the
recently added mpo_copy_mbuf_label().
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
of the Developer's Handbook: text on the APIs to access and manipulate
labels on objects, and a brief description of how labels may currently
be set on users using login.conf. This text could also use some more
work, but is probably an improvement over the previous lack of text.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
bits of the Developer's Handbook some. Needs more work, but now
goes into a bit more detail.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
policies, but more generally about a framework for access control
extension.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
information on what MAC is, how the MAC framework supports MAC policies
in FreeBSD, etc.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Document the kernel side of the MAC policy architecture. This
is a little out of date at the moment. Some parts to be filled
in as things are developed, and much is subject to change. It
will, however, give developers a good idea of how things work.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
