On Sat, 7 Mar 2009, Zahemszky Gábor wrote:
> I have two simple questions about the Mandatory Access Control framework of
> FreeBSD:
>
> a) what has happened with the SEBSD module? When will it be available (or will
> it be at all) in the system (or can I find one for an up-to-date kernel: 7.x
> or up)?
>
> b) when will "options MAC" be in the GENERIC kernel, or why not? (I
> think more people can test the MAC-modules if they don't need to config a
> kernel for it.)

Dear Gábor:

Right now no one is maintaining the SEBSD module; this is unfortunate, but
largely a property of people having enough time. If this is something you can
contribute to (or anyone else who's interested) I'm happy to provide pointers
and advice. Most of the MAC Framework dependencies for SEBSD were merged back
into the base tree, but it would need quite a bit of adaptation to move
forward to FreeBSD7/8. Also, SEBSD uses what are now quite old SELinux parts,
so those would also need updating (although I guess that isn't required).
Feel free to ask questions here, or on the trustedbsd-discuss mailing list.

"options MAC" is believed to cause a significant performance loss on 7.x and
earlier; we're currently working to address that with the hope of shipping
"options MAC" in GENERIC starting with FreeBSD 8.0. I've not re-benchmarked
in a few months but we've merged a number of improvements that should be
getting us close. For example, whereas previously MAC automatically allocated
memory to hold security labels for objects, now it only allocates memory when
policies are registered that specifically require labels on those object
types. On a similar note, the locking for the MAC Framework itself has been
significantly optimized over the last few weeks to lower overhead, and there
are more changes in the works. We'll probably pause and take stock sometime
in the next month and see what performance regressions remain.

Robert N M Watson
Computer Laboratory
University of Cambridge