not look like the prerequisites to fill it in properly will be in the tree
for the upcoming release, but it's mostly done, so there is no need for these
to stay around to remind us.
to run patches to make(1) by. Hopefully this will make it easier to get bugs
fixed in make(1), as well as get review by people with experience working on,
in, around, etc., make(1).
Currently it points to two people who have demonstrated maintainership (ru@
and myself) and one person interested in helping (alane@). That list is
subject to expansion and contraction.
if it's not defined as efi. This makes sure we create a proper
MFS root filesystem and still allow the boot disk to be EFI
based.
At this time EFI auto boot works and we're properly loading the
MFS root file system. Time to create drivers.conf and get this
show on the road!
manipulated directly (rather than using sballoc()/sbfree()); update them
to tweak the new sb_ctl field too.
Sponsored by: NTT Multimedia Communications Labs
o ia64: Set DOFS_SH to point to an alternate version.
o ia64: Lower BIGBOOTSIZE from 120M (LS-120) to ~5M.
o ia64: Set BIGBOOTLABEL to efi so that we can check for it
in the alternate doFS.sh script. If the label is not efi, we
can invoke the generic doFS.sh.
(1) Permit userland applications to request a change of label atomic
with an execve() via mac_execve(). This is required for the
SEBSD port of SELinux/FLASK. Attempts to invoke this without
MAC compiled in result in ENOSYS, as with all other MAC system
calls. Complexity, if desired, is present in policy modules,
rather than the framework.
(2) Permit policies to have access to both the label of the vnode
being executed as well as the interpreter if it's a shell
script or related UNIX nonsense. Because we can't hold both
vnode locks at the same time, cache the interpreter label.
SEBSD relies on this because it supports secure transitioning
via shell script executables. Other policies might want to
take both labels into account during an integrity or
confidentiality decision at execve()-time.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Allow transitioning to be twiddled off using the process and fs enforcement
flags, although at some point this should probably be its own flag.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
entrypoints, #ifdef MAC. The supporting logic already existed in
kern_mac.c, so no change there. This permits MAC policies to cause
a process label change as the result of executing a binary --
typically, as a result of executing a specially labeled binary.
For example, the SEBSD port of SELinux/FLASK uses this functionality
to implement TE type transitions on processes using transitioning
binaries, in a manner similar to setuid. Policies not implementing
a notion of transition (all the ones in the tree right now) require
no changes, since the old label data is copied to the new label
via mac_create_cred() even if a transition does occur.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories