Begin committing support for Mandatory Access Control and extensible
kernel access control. The MAC framework permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time, and augment the system security policy. This commit includes the initial kernel implementation, although the interface with the userland components of the operating system is still under work, and not all kernel subsystems are supported. Later in this commit sequence, documentation of which kernel subsystems will not work correctly with a kernel compiled with MAC support will be added. Label file system mount points, permitting security information to be maintained at the granularity of the file system. Two labels are currently maintained: a security label for the mount itself, and a default label for objects in the file system (in particular, for file systems not supporting per-vnode labeling directly). Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
This commit is contained in:
parent
f8ef020e2e
commit
3b2e600940
@ -43,6 +43,7 @@
|
||||
*/
|
||||
#include <sys/lockmgr.h>
|
||||
|
||||
#include <sys/mac.h>
|
||||
#include <sys/ucred.h>
|
||||
#include <sys/queue.h>
|
||||
#include <sys/uio.h>
|
||||
@ -149,6 +150,8 @@ struct mount {
|
||||
time_t mnt_time; /* last time written*/
|
||||
u_int mnt_iosize_max; /* max IO request size */
|
||||
struct netexport *mnt_export; /* export list */
|
||||
struct label mnt_mntlabel; /* MAC label for the mount */
|
||||
struct label mnt_fslabel; /* MAC label for the fs */
|
||||
};
|
||||
#endif /* _KERNEL */
|
||||
|
||||
|
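Review bot: The two new `struct label` members appended to `struct mount` carry comments that read almost identically, although the commit description gives them distinct roles: `mnt_mntlabel` labels the mount itself, while `mnt_fslabel` is the default label applied to objects in the file system when the fs does not label vnodes itself. I would make that distinction visible in the field comments, e.g. `struct label mnt_mntlabel; /* MAC label for the mount point itself */` and `struct label mnt_fslabel; /* default MAC label for fs objects (fs lacking per-vnode labels) */`. Embedding the labels by value also means `<sys/mac.h>` must provide a complete `struct label` at this point and that `sizeof(struct mount)` now depends on it, which presumably affects any module built against this header; a sentence noting that in the header comment or commit message would help if it is not already covered elsewhere. The enclosing `struct mount` definition begins before the hunk.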