mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-30 15:38:06 +01:00
Remove MAC kernel config files and add "options MAC" to GENERIC, with the
goal of shipping 8.0 with MAC support in the default kernel. No policies will be compiled in or enabled by default, but it will now be possible to load them at boot or runtime without a kernel recompile. While the framework is not believed to impose measurable overhead when no policies are loaded (a result of optimization over the past few months in HEAD), we'll continue to benchmark and optimize as the release approaches. Please keep an eye out for performance or functionality regressions that could be a result of this change. Approved by: re (kensmith) Obtained from: TrustedBSD Project
This commit is contained in:
parent
923f9901b4
commit
bd875f5f13
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=193334
@ -70,6 +70,7 @@ options KBD_INSTALL_CDEV # install a CDEV entry in /dev
|
||||
options STOP_NMI # Stop CPUS using NMI instead of IPI
|
||||
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
|
||||
options AUDIT # Security event auditing
|
||||
options MAC # TrustedBSD MAC Framework
|
||||
#options KDTRACE_FRAME # Ensure frames are compiled in
|
||||
#options KDTRACE_HOOKS # Kernel DTrace hooks
|
||||
|
||||
|
@ -1,28 +0,0 @@
|
||||
# MAC -- Generic kernel configuration file for FreeBSD/amd64 MAC
|
||||
#
|
||||
# The Mandatory Access Control, or MAC, framework allows administrators to
|
||||
# finely control system security by providing for a loadable security pol-
|
||||
# icy architecture.
|
||||
#
|
||||
# For more information see:
|
||||
#
|
||||
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
|
||||
#
|
||||
# $FreeBSD$
|
||||
|
||||
include GENERIC
|
||||
ident MAC
|
||||
|
||||
options MAC
|
||||
|
||||
#options MAC_BIBA # BIBA data integrity policy
|
||||
#options MAC_BSDEXTENDED # File system firewall policy
|
||||
#options MAC_IFOFF # Network interface silencing policy
|
||||
#options MAC_LOMAC # Low-watermark data integrity policy
|
||||
#options MAC_MLS # Multi-level confidentiality policy
|
||||
#options MAC_NONE # NULL policy
|
||||
#options MAC_PARTITION # Process partition policy
|
||||
#options MAC_PORTACL # Network port access control policy
|
||||
#options MAC_SEEOTHERUIDS # UID visibility policy
|
||||
#options MAC_STUB # Stub policy
|
||||
#options MAC_TEST # Testing policy for the MAC framework
|
@ -71,6 +71,7 @@ options KBD_INSTALL_CDEV # install a CDEV entry in /dev
|
||||
options STOP_NMI # Stop CPUS using NMI instead of IPI
|
||||
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
|
||||
options AUDIT # Security event auditing
|
||||
options MAC # TrustedBSD MAC Framework
|
||||
#options KDTRACE_HOOKS # Kernel DTrace hooks
|
||||
|
||||
# Debugging for use in -current
|
||||
|
@ -1,28 +0,0 @@
|
||||
# MAC -- Generic kernel configuration file for FreeBSD/i386 MAC
|
||||
#
|
||||
# The Mandatory Access Control, or MAC, framework allows administrators to
|
||||
# finely control system security by providing for a loadable security pol-
|
||||
# icy architecture.
|
||||
#
|
||||
# For more information see:
|
||||
#
|
||||
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
|
||||
#
|
||||
# $FreeBSD$
|
||||
|
||||
include GENERIC
|
||||
ident MAC
|
||||
|
||||
options MAC
|
||||
|
||||
#options MAC_BIBA # BIBA data integrity policy
|
||||
#options MAC_BSDEXTENDED # File system firewall policy
|
||||
#options MAC_IFOFF # Network interface silencing policy
|
||||
#options MAC_LOMAC # Low-watermark data integrity policy
|
||||
#options MAC_MLS # Multi-level confidentiality policy
|
||||
#options MAC_NONE # NULL policy
|
||||
#options MAC_PARTITION # Process partition policy
|
||||
#options MAC_PORTACL # Network port access control policy
|
||||
#options MAC_SEEOTHERUIDS # UID visibility policy
|
||||
#options MAC_STUB # Stub policy
|
||||
#options MAC_TEST # Testing policy for the MAC framework
|
@ -40,6 +40,7 @@ options INVARIANTS # Enable calls of extra sanity checking
|
||||
options INVARIANT_SUPPORT # required by INVARIANTS
|
||||
options KDB # Enable kernel debugger support
|
||||
options KTRACE # ktrace(1) syscall trace support
|
||||
options MAC # TrustedBSD MAC Framework
|
||||
options MD_ROOT # MD usable as root device
|
||||
options MSDOSFS # MSDOS Filesystem
|
||||
options NFSCLIENT # Network Filesystem Client
|
||||
|
@ -1,28 +0,0 @@
|
||||
# MAC -- Generic kernel configuration file for FreeBSD/ia64 MAC
|
||||
#
|
||||
# The Mandatory Access Control, or MAC, framework allows administrators to
|
||||
# finely control system security by providing for a loadable security pol-
|
||||
# icy architecture.
|
||||
#
|
||||
# For more information see:
|
||||
#
|
||||
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
|
||||
#
|
||||
# $FreeBSD$
|
||||
|
||||
include GENERIC
|
||||
ident MAC
|
||||
|
||||
options MAC
|
||||
|
||||
#options MAC_BIBA # BIBA data integrity policy
|
||||
#options MAC_BSDEXTENDED # File system firewall policy
|
||||
#options MAC_IFOFF # Network interface silencing policy
|
||||
#options MAC_LOMAC # Low-watermark data integrity policy
|
||||
#options MAC_MLS # Multi-level confidentiality policy
|
||||
#options MAC_NONE # NULL policy
|
||||
#options MAC_PARTITION # Process partition policy
|
||||
#options MAC_PORTACL # Network port access control policy
|
||||
#options MAC_SEEOTHERUIDS # UID visibility policy
|
||||
#options MAC_STUB # Stub policy
|
||||
#options MAC_TEST # Testing policy for the MAC framework
|
@ -73,6 +73,7 @@ options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
|
||||
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
|
||||
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
|
||||
options AUDIT # Security event auditing
|
||||
options MAC # TrustedBSD MAC Framework
|
||||
|
||||
# Debugging for use in -current
|
||||
options KDB # Enable kernel debugger support.
|
||||
|
@ -1,28 +0,0 @@
|
||||
# MAC -- Generic kernel configuration file for FreeBSD/pc98 MAC
|
||||
#
|
||||
# The Mandatory Access Control, or MAC, framework allows administrators to
|
||||
# finely control system security by providing for a loadable security pol-
|
||||
# icy architecture.
|
||||
#
|
||||
# For more information see:
|
||||
#
|
||||
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
|
||||
#
|
||||
# $FreeBSD$
|
||||
|
||||
include GENERIC
|
||||
ident MAC
|
||||
|
||||
options MAC
|
||||
|
||||
#options MAC_BIBA # BIBA data integrity policy
|
||||
#options MAC_BSDEXTENDED # File system firewall policy
|
||||
#options MAC_IFOFF # Network interface silencing policy
|
||||
#options MAC_LOMAC # Low-watermark data integrity policy
|
||||
#options MAC_MLS # Multi-level confidentiality policy
|
||||
#options MAC_NONE # NULL policy
|
||||
#options MAC_PARTITION # Process partition policy
|
||||
#options MAC_PORTACL # Network port access control policy
|
||||
#options MAC_SEEOTHERUIDS # UID visibility policy
|
||||
#options MAC_STUB # Stub policy
|
||||
#options MAC_TEST # Testing policy for the MAC framework
|
@ -64,6 +64,7 @@ options SYSVSEM #SYSV-style semaphores
|
||||
options _KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions
|
||||
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
|
||||
options AUDIT # Security event auditing
|
||||
options MAC # TrustedBSD MAC Framework
|
||||
|
||||
# Debugging for use in -current
|
||||
options KDB #Enable the kernel debugger
|
||||
|
@ -1,28 +0,0 @@
|
||||
# MAC -- Generic kernel configuration file for FreeBSD/powerpc MAC
|
||||
#
|
||||
# The Mandatory Access Control, or MAC, framework allows administrators to
|
||||
# finely control system security by providing for a loadable security pol-
|
||||
# icy architecture.
|
||||
#
|
||||
# For more information see:
|
||||
#
|
||||
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
|
||||
#
|
||||
# $FreeBSD$
|
||||
|
||||
include GENERIC
|
||||
ident MAC
|
||||
|
||||
options MAC
|
||||
|
||||
#options MAC_BIBA # BIBA data integrity policy
|
||||
#options MAC_BSDEXTENDED # File system firewall policy
|
||||
#options MAC_IFOFF # Network interface silencing policy
|
||||
#options MAC_LOMAC # Low-watermark data integrity policy
|
||||
#options MAC_MLS # Multi-level confidentiality policy
|
||||
#options MAC_NONE # NULL policy
|
||||
#options MAC_PARTITION # Process partition policy
|
||||
#options MAC_PORTACL # Network port access control policy
|
||||
#options MAC_SEEOTHERUIDS # UID visibility policy
|
||||
#options MAC_STUB # Stub policy
|
||||
#options MAC_TEST # Testing policy for the MAC framework
|
@ -65,6 +65,7 @@ options SYSVSEM # SYSV-style semaphores
|
||||
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
|
||||
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
|
||||
options AUDIT # Security event auditing
|
||||
options MAC # TrustedBSD MAC Framework
|
||||
|
||||
# Debugging for use in -current
|
||||
options KDB # Enable kernel debugger support.
|
||||
|
@ -1,28 +0,0 @@
|
||||
# MAC -- Generic kernel configuration file for FreeBSD/sparc64 MAC
|
||||
#
|
||||
# The Mandatory Access Control, or MAC, framework allows administrators to
|
||||
# finely control system security by providing for a loadable security pol-
|
||||
# icy architecture.
|
||||
#
|
||||
# For more information see:
|
||||
#
|
||||
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
|
||||
#
|
||||
# $FreeBSD$
|
||||
|
||||
include GENERIC
|
||||
ident MAC
|
||||
|
||||
options MAC
|
||||
|
||||
#options MAC_BIBA # BIBA data integrity policy
|
||||
#options MAC_BSDEXTENDED # File system firewall policy
|
||||
#options MAC_IFOFF # Network interface silencing policy
|
||||
#options MAC_LOMAC # Low-watermark data integrity policy
|
||||
#options MAC_MLS # Multi-level confidentiality policy
|
||||
#options MAC_NONE # NULL policy
|
||||
#options MAC_PARTITION # Process partition policy
|
||||
#options MAC_PORTACL # Network port access control policy
|
||||
#options MAC_SEEOTHERUIDS # UID visibility policy
|
||||
#options MAC_STUB # Stub policy
|
||||
#options MAC_TEST # Testing policy for the MAC framework
|
@ -66,6 +66,7 @@ options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
|
||||
options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed.
|
||||
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
|
||||
options AUDIT # Security event auditing
|
||||
options MAC # TrustedBSD MAC Framework
|
||||
|
||||
# Debugging for use in -current
|
||||
options KDB # Enable kernel debugger support.
|
||||
|
@ -1,28 +0,0 @@
|
||||
# MAC -- Generic kernel configuration file for FreeBSD/sparc64 MAC
|
||||
#
|
||||
# The Mandatory Access Control, or MAC, framework allows administrators to
|
||||
# finely control system security by providing for a loadable security pol-
|
||||
# icy architecture.
|
||||
#
|
||||
# For more information see:
|
||||
#
|
||||
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
|
||||
#
|
||||
# $FreeBSD$
|
||||
|
||||
include GENERIC
|
||||
ident MAC
|
||||
|
||||
options MAC
|
||||
|
||||
#options MAC_BIBA # BIBA data integrity policy
|
||||
#options MAC_BSDEXTENDED # File system firewall policy
|
||||
#options MAC_IFOFF # Network interface silencing policy
|
||||
#options MAC_LOMAC # Low-watermark data integrity policy
|
||||
#options MAC_MLS # Multi-level confidentiality policy
|
||||
#options MAC_NONE # NULL policy
|
||||
#options MAC_PARTITION # Process partition policy
|
||||
#options MAC_PORTACL # Network port access control policy
|
||||
#options MAC_SEEOTHERUIDS # UID visibility policy
|
||||
#options MAC_STUB # Stub policy
|
||||
#options MAC_TEST # Testing policy for the MAC framework
|
Loading…
Reference in New Issue
Block a user