From bd875f5f13b7874fc451fd1295730f577bcbc2bd Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Tue, 2 Jun 2009 18:31:08 +0000
Subject: [PATCH] Remove MAC kernel config files and add "options MAC" to GENERIC, with the goal of shipping 8.0 with MAC support in the default kernel. No policies will be compiled in or enabled by default, but it will now be possible to load them at boot or runtime without a kernel recompile. While the framework is not believed to impose measurable overhead when no policies are loaded (a result of optimization over the past few months in HEAD), we'll continue to benchmark and optimize as the release approaches. Please keep an eye out for performance or functionality regressions that could be a result of this change. Approved by: re (kensmith) Obtained from: TrustedBSD Project
---
sys/amd64/conf/GENERIC | 1 +
sys/amd64/conf/MAC | 28 ----------------------------
sys/i386/conf/GENERIC | 1 +
sys/i386/conf/MAC | 28 ----------------------------
sys/ia64/conf/GENERIC | 1 +
sys/ia64/conf/MAC | 28 ----------------------------
sys/pc98/conf/GENERIC | 1 +
sys/pc98/conf/MAC | 28 ----------------------------
sys/powerpc/conf/GENERIC | 1 +
sys/powerpc/conf/MAC | 28 ----------------------------
sys/sparc64/conf/GENERIC | 1 +
sys/sparc64/conf/MAC | 28 ----------------------------
sys/sun4v/conf/GENERIC | 1 +
sys/sun4v/conf/MAC | 28 ----------------------------
14 files changed, 7 insertions(+), 196 deletions(-)
delete mode 100644 sys/amd64/conf/MAC
delete mode 100644 sys/i386/conf/MAC
delete mode 100644 sys/ia64/conf/MAC
delete mode 100644 sys/pc98/conf/MAC
delete mode 100644 sys/powerpc/conf/MAC
delete mode 100644 sys/sparc64/conf/MAC
delete mode 100644 sys/sun4v/conf/MAC
diff --git a/sys/amd64/conf/GENERIC b/sys/amd64/conf/GENERIC
index 569e0cd6790c..6ff85e296d99 100644
--- a/sys/amd64/conf/GENERIC
+++ b/sys/amd64/conf/GENERIC
@@ -70,6 +70,7 @@ options KBD_INSTALL_CDEV # install a CDEV entry in /dev options STOP_NMI # Stop CPUS using NMI instead of IPI options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing +options MAC # TrustedBSD MAC Framework #options KDTRACE_FRAME # Ensure frames are compiled in #options KDTRACE_HOOKS # Kernel DTrace hooks
diff --git a/sys/amd64/conf/MAC b/sys/amd64/conf/MAC
deleted file mode 100644
index 306f36f6b3f8..000000000000
--- a/sys/amd64/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/amd64 MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
-#
-# $FreeBSD$
-
-include GENERIC
-ident MAC
-
-options MAC
-
-#options MAC_BIBA # BIBA data integrity policy
-#options MAC_BSDEXTENDED # File system firewall policy
-#options MAC_IFOFF # Network interface silencing policy
-#options MAC_LOMAC # Low-watermark data integrity policy
-#options MAC_MLS # Multi-level confidentiality policy
-#options MAC_NONE # NULL policy
-#options MAC_PARTITION # Process partition policy
-#options MAC_PORTACL # Network port access control policy
-#options MAC_SEEOTHERUIDS # UID visibility policy
-#options MAC_STUB # Stub policy
-#options MAC_TEST # Testing policy for the MAC framework
diff --git a/sys/i386/conf/GENERIC b/sys/i386/conf/GENERIC
index 7475efd48c2f..08edaf77f2ae 100644
--- a/sys/i386/conf/GENERIC
+++ b/sys/i386/conf/GENERIC
@@ -71,6 +71,7 @@ options KBD_INSTALL_CDEV # install a CDEV entry in /dev options STOP_NMI # Stop CPUS using NMI instead of IPI options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing +options MAC # TrustedBSD MAC Framework #options KDTRACE_HOOKS # Kernel DTrace hooks # Debugging for use in -current
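Review bot: The added line `options MAC # TrustedBSD MAC Framework` in the amd64 and i386 GENERIC hunks (and identically in the ia64, pc98, powerpc, sparc64 and sun4v GENERIC hunks) does not say that the framework is compiled in with no policy, which the commit message states but a reader of GENERIC will not see. The MAC config files deleted in this commit held the handbook pointer and the list of policy options, so that context is gone from the conf directories; whether it survives elsewhere (for example in NOTES) is not visible here. A comment line above the option would carry it, such as `# MAC framework only: no policy is compiled in; policy modules can be loaded at boot or at runtime`. Because every default kernel will now accept a policy module without a recompile, the same comment is a good place to note that loading one changes access-control decisions system-wide and should be treated as a privileged, audited change.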
diff --git a/sys/i386/conf/MAC b/sys/i386/conf/MAC
deleted file mode 100644
index d20874119178..000000000000
--- a/sys/i386/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/i386 MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
-#
-# $FreeBSD$
-
-include GENERIC
-ident MAC
-
-options MAC
-
-#options MAC_BIBA # BIBA data integrity policy
-#options MAC_BSDEXTENDED # File system firewall policy
-#options MAC_IFOFF # Network interface silencing policy
-#options MAC_LOMAC # Low-watermark data integrity policy
-#options MAC_MLS # Multi-level confidentiality policy
-#options MAC_NONE # NULL policy
-#options MAC_PARTITION # Process partition policy
-#options MAC_PORTACL # Network port access control policy
-#options MAC_SEEOTHERUIDS # UID visibility policy
-#options MAC_STUB # Stub policy
-#options MAC_TEST # Testing policy for the MAC framework
diff --git a/sys/ia64/conf/GENERIC b/sys/ia64/conf/GENERIC
index ab471f78f348..83d1f60619c0 100644
--- a/sys/ia64/conf/GENERIC
+++ b/sys/ia64/conf/GENERIC
@@ -40,6 +40,7 @@ options INVARIANTS # Enable calls of extra sanity checking options INVARIANT_SUPPORT # required by INVARIANTS options KDB # Enable kernel debugger support options KTRACE # ktrace(1) syscall trace support +options MAC # TrustedBSD MAC Framework options MD_ROOT # MD usable as root device options MSDOSFS # MSDOS Filesystem options NFSCLIENT # Network Filesystem Client
diff --git a/sys/ia64/conf/MAC b/sys/ia64/conf/MAC
deleted file mode 100644
index a4acaeba9288..000000000000
--- a/sys/ia64/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/ia64 MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
-#
-# $FreeBSD$
-
-include GENERIC
-ident MAC
-
-options MAC
-
-#options MAC_BIBA # BIBA data integrity policy
-#options MAC_BSDEXTENDED # File system firewall policy
-#options MAC_IFOFF # Network interface silencing policy
-#options MAC_LOMAC # Low-watermark data integrity policy
-#options MAC_MLS # Multi-level confidentiality policy
-#options MAC_NONE # NULL policy
-#options MAC_PARTITION # Process partition policy
-#options MAC_PORTACL # Network port access control policy
-#options MAC_SEEOTHERUIDS # UID visibility policy
-#options MAC_STUB # Stub policy
-#options MAC_TEST # Testing policy for the MAC framework
diff --git a/sys/pc98/conf/GENERIC b/sys/pc98/conf/GENERIC
index 539feab92cb4..82b8888b9529 100644
--- a/sys/pc98/conf/GENERIC
+++ b/sys/pc98/conf/GENERIC
@@ -73,6 +73,7 @@ options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions options KBD_INSTALL_CDEV # install a CDEV entry in /dev options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing +options MAC # TrustedBSD MAC Framework # Debugging for use in -current options KDB # Enable kernel debugger support.
diff --git a/sys/pc98/conf/MAC b/sys/pc98/conf/MAC
deleted file mode 100644
index 6aee5da07582..000000000000
--- a/sys/pc98/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/pc98 MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
-#
-# $FreeBSD$
-
-include GENERIC
-ident MAC
-
-options MAC
-
-#options MAC_BIBA # BIBA data integrity policy
-#options MAC_BSDEXTENDED # File system firewall policy
-#options MAC_IFOFF # Network interface silencing policy
-#options MAC_LOMAC # Low-watermark data integrity policy
-#options MAC_MLS # Multi-level confidentiality policy
-#options MAC_NONE # NULL policy
-#options MAC_PARTITION # Process partition policy
-#options MAC_PORTACL # Network port access control policy
-#options MAC_SEEOTHERUIDS # UID visibility policy
-#options MAC_STUB # Stub policy
-#options MAC_TEST # Testing policy for the MAC framework
diff --git a/sys/powerpc/conf/GENERIC b/sys/powerpc/conf/GENERIC
index 819d7684c421..2f9b26461ab4 100644
--- a/sys/powerpc/conf/GENERIC
+++ b/sys/powerpc/conf/GENERIC
@@ -64,6 +64,7 @@ options SYSVSEM #SYSV-style semaphores options _KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing +options MAC # TrustedBSD MAC Framework # Debugging for use in -current options KDB #Enable the kernel debugger
diff --git a/sys/powerpc/conf/MAC b/sys/powerpc/conf/MAC
deleted file mode 100644
index 862638397da7..000000000000
--- a/sys/powerpc/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/powerpc MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
-#
-# $FreeBSD$
-
-include GENERIC
-ident MAC
-
-options MAC
-
-#options MAC_BIBA # BIBA data integrity policy
-#options MAC_BSDEXTENDED # File system firewall policy
-#options MAC_IFOFF # Network interface silencing policy
-#options MAC_LOMAC # Low-watermark data integrity policy
-#options MAC_MLS # Multi-level confidentiality policy
-#options MAC_NONE # NULL policy
-#options MAC_PARTITION # Process partition policy
-#options MAC_PORTACL # Network port access control policy
-#options MAC_SEEOTHERUIDS # UID visibility policy
-#options MAC_STUB # Stub policy
-#options MAC_TEST # Testing policy for the MAC framework
diff --git a/sys/sparc64/conf/GENERIC b/sys/sparc64/conf/GENERIC
index a3dad1cb31ef..943dc74599e2 100644
--- a/sys/sparc64/conf/GENERIC
+++ b/sys/sparc64/conf/GENERIC
@@ -65,6 +65,7 @@ options SYSVSEM # SYSV-style semaphores options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing +options MAC # TrustedBSD MAC Framework # Debugging for use in -current options KDB # Enable kernel debugger support.
diff --git a/sys/sparc64/conf/MAC b/sys/sparc64/conf/MAC
deleted file mode 100644
index 56af83d0a806..000000000000
--- a/sys/sparc64/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/sparc64 MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
-#
-# $FreeBSD$
-
-include GENERIC
-ident MAC
-
-options MAC
-
-#options MAC_BIBA # BIBA data integrity policy
-#options MAC_BSDEXTENDED # File system firewall policy
-#options MAC_IFOFF # Network interface silencing policy
-#options MAC_LOMAC # Low-watermark data integrity policy
-#options MAC_MLS # Multi-level confidentiality policy
-#options MAC_NONE # NULL policy
-#options MAC_PARTITION # Process partition policy
-#options MAC_PORTACL # Network port access control policy
-#options MAC_SEEOTHERUIDS # UID visibility policy
-#options MAC_STUB # Stub policy
-#options MAC_TEST # Testing policy for the MAC framework
diff --git a/sys/sun4v/conf/GENERIC b/sys/sun4v/conf/GENERIC
index 2291087d4ba1..438db17fe862 100644
--- a/sys/sun4v/conf/GENERIC
+++ b/sys/sun4v/conf/GENERIC
@@ -66,6 +66,7 @@ options AHC_REG_PRETTY_PRINT # Print register bitfields in debug options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed. options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing +options MAC # TrustedBSD MAC Framework # Debugging for use in -current options KDB # Enable kernel debugger support.
diff --git a/sys/sun4v/conf/MAC b/sys/sun4v/conf/MAC
deleted file mode 100644
index 56af83d0a806..000000000000
--- a/sys/sun4v/conf/MAC
+++ /dev/null
@@ -1,28 +0,0 @@
-# MAC -- Generic kernel configuration file for FreeBSD/sparc64 MAC
-#
-# The Mandatory Access Control, or MAC, framework allows administrators to
-# finely control system security by providing for a loadable security pol-
-# icy architecture.
-#
-# For more information see:
-#
-# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
-#
-# $FreeBSD$
-
-include GENERIC
-ident MAC
-
-options MAC
-
-#options MAC_BIBA # BIBA data integrity policy
-#options MAC_BSDEXTENDED # File system firewall policy
-#options MAC_IFOFF # Network interface silencing policy
-#options MAC_LOMAC # Low-watermark data integrity policy
-#options MAC_MLS # Multi-level confidentiality policy
-#options MAC_NONE # NULL policy
-#options MAC_PARTITION # Process partition policy
-#options MAC_PORTACL # Network port access control policy
-#options MAC_SEEOTHERUIDS # UID visibility policy
-#options MAC_STUB # Stub policy
-#options MAC_TEST # Testing policy for the MAC framework