manipulated directly (rather than using sballoc()/sbfree()); update them
to tweak the new sb_ctl field too.
Sponsored by: NTT Multimedia Communications Labs
o ia64: Set DOFS_SH to point to an alternate version.
o ia64: Lower BIGBOOTSIZE from 120M (LS-120) to ~5M.
o ia64: Set BIGBOOTLABEL to efi so that we can check for it
in the alternate doFS.sh script. If the label is not efi, we
can invoke the generic doFS.sh.
(1) Permit userland applications to request a change of label atomic
with an execve() via mac_execve(). This is required for the
SEBSD port of SELinux/FLASK. Attempts to invoke this without
MAC compiled in result in ENOSYS, as with all other MAC system
calls. Complexity, if desired, is present in policy modules,
rather than the framework.
(2) Permit policies to have access to both the label of the vnode
being executed as well as the interpreter if it's a shell
script or related UNIX nonsense. Because we can't hold both
vnode locks at the same time, cache the interpreter label.
SEBSD relies on this because it supports secure transitioning
via shell script executables. Other policies might want to
take both labels into account during an integrity or
confidentiality decision at execve()-time.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Allow transitioning to be twiddled off using the process and fs enforcement
flags, although at some point this should probably be its own flag.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
entrypoints, #ifdef MAC. The supporting logic already existed in
kern_mac.c, so no change there. This permits MAC policies to cause
a process label change as the result of executing a binary --
typically, as a result of executing a specially labeled binary.
For example, the SEBSD port of SELinux/FLASK uses this functionality
to implement TE type transitions on processes using transitioning
binaries, in a manner similar to setuid. Policies not implementing
a notion of transition (all the ones in the tree right now) require
no changes, since the old label data is copied to the new label
via mac_create_cred() even if a transition does occur.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Strip ${RD}/mfsfd/stand/etc/defaults/rc.conf.
Don't copy loader.help to ${RD}/mfsfd/boot, it serves no useful purpose.
Removed the now no-op commands to copy ${RD}/trees/base/dev bits to
${RD}/mfsfd/dev, now that DEVFS is the default.
Removed UFS_ACL, PSEUDOFS, and COMPAT_FREEBSD4 options from the BOOTMFS
kernel.
Moved miibus network module to the drivers floppy.
isp(4) and mpt(4) now have corresponding modules, move them to the third
floppy as well.
Caution! With these changes, mfsroot.flp has only 11K left, and
kern.flp has even less -- 5K.
with them in non-C cases, outside of the kernel.
Include <sys/cdefs.h> for __BEGIN_DECLS/__END_DECLS as other headers seem
to do in this area.
Requested by: Patrick Hartling <patrick@137.org>
the loader in an EFI partition. This automaticly means we need the
kernel there as well.
In order to avoid having to worry about a geometry as much as
possible, we partition the disk with GPT.
With this, auto-boot works, but we have a problem mounting the
MFS.
the module compiled in or loaded instead of bogusly checking for ppp0.
Also if and only if the caller is actually root and the kernel does not
have ppp support, try to load the ppp module before giving up.
describes an image activation instance. Instead, make use of the
existing fname structure entry, and introduce two new entries,
userspace_argv, and userspace_envv. With the addition of
mac_execve(), this divorces the image structure from the specifics
of the execve() system call, removes a redundant pointer, etc.
No semantic change from current behavior, but it means that the
structure doesn't depend on syscalls.master-generated includes.
There seems to be some redundant initialization of imgact entries,
which I have maintained, but which could probably use some cleaning
up at some point.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
the page myself. The new language is more accurate than what was there
before, but the most accurate way of describing the funcionality eludes
me.
PR: kern/33904
MFC after: 1 month
