Re: A TrustedBSD "voluntary sandbox" policy.

2007-11-15 Thread Christopher Davis
On Nov 8, 2007 9:23 AM, Pawel Jakub Dawidek <[EMAIL PROTECTED]> wrote:
> First problem is that it is hard to operate on file paths. MAC passes a
> locked vnode to you and you cannot go from there to a file name easily.
> You could do it by comparison: call VOP_GETATTR(9) on the given vnode,
> do the same for /etc/passwd and others and compare their inodes and
> file system ids. Performance hit may be significant for complex
> policies.
>
> You can register yourself for process_exit, process_fork and
> process_exec in-kernel events and do your cleanups from your event
> handler. Take a look at EVENTHANDLER(9).
>
> --
> Pawel Jakub Dawidek   http://www.wheel.pl
> [EMAIL PROTECTED]   http://www.FreeBSD.org
> FreeBSD committer Am I Evil? Yes, I Am!
>

Couldn't you use stat() syscall on the paths from the userland utility
that parses the rules, collect the mount point or mount id and the
inode from the stat struct, then have the MAC policy module
match that data with the file id and mount id available from the
vnode?


-- 
Christopher Davis
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: FreeBSD cache memory allocation

2007-11-15 Thread John Baldwin
On Wednesday 14 November 2007 04:02:05 pm icantthinkofone wrote:
> On Wednesday 14 November 2007 11:11:41 am Rob Belics wrote:
> > > Someone I can't stand said this about FreeBSD.  Though I know C, I don't
> > > know anything about this and would love to respond. My first thought was
> > > 'contigmalloc' but I'm not sure it's equivalent.
> > > [QUOTE]The kernel is really lacking some features. They need a method to
> > > set precise type of memory cache but BSD doesn't provide way to specify
> > > memory cache.
> > >
> > > For that reason MS has the beautiful
> > > MmAllocateContiguousMemorySpecifyCache()[/QUOTE]
> 
> For kernel memory on i386 and amd64 in 6.3 and later you can use
> pmap_change_attr() to adjust the caching mode of memory after you have
> allocated it.  It is best used only with allocations that are a multiple of
> the page size.
> 
> -- John Baldwin
> 
> I posted using the wrong email address above.
> 
> Apparently the person I was referring to was probably talking about the
> nvidia issue and I see you, John, are working on that pmap function.
> One question I have is whether nvidia got themselves into a bind (for
> lack of a better word) because they wrote their driver using Windows
> functions but now want FreeBSD to create kernel functions "just like
> Windows" rather than rewriting their own code.  Or is all this truly a
> lacking feature in FreeBSD?

It's a lacking feature in FreeBSD.

-- 
John Baldwin


Patch for ping6 -o

2007-11-15 Thread Dima Dorfman
The ping(8) utility has an -o switch that tells it to exit after
receiving the first reply. This is useful, but ping6(8) doesn't have
it.

Simple patch attached.

Comments/reviews/whatnots?

I'll commit to HEAD in a few days if I don't hear any objections.

--
Dima Dorfman
Index: ping6.8
===
RCS file: /home/ncvs/src/sbin/ping6/ping6.8,v
retrieving revision 1.23
diff -u -r1.23 ping6.8
--- ping6.8 10 Feb 2005 09:19:32 -  1.23
+++ ping6.8 15 Nov 2007 11:44:31 -
@@ -29,7 +29,7 @@
 .\"
 .\" $FreeBSD: src/sbin/ping6/ping6.8,v 1.23 2005/02/10 09:19:32 ru Exp $
 .\"
-.Dd May 17, 1998
+.Dd November 15, 2007
 .Dt PING6 8
 .Os
 .Sh NAME
@@ -40,7 +40,7 @@
 .Sh SYNOPSIS
 .Nm
 .\" without ipsec, or new ipsec
-.Op Fl dfHmnNqtvwW
+.Op Fl dfHmnNoqtvwW
 .\" old ipsec
 .\" .Op Fl AdEfmnNqRtvwW
 .Bk -words
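Review bot: the synopsis line kept for the old-IPsec build, `.\" .Op Fl AdEfmnNqRtvwW` two lines below the changed one, is left without the new `o`; it is commented out, so either add the letter there too for consistency or drop the stale line rather than leave two flag lists that disagree.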
@@ -225,6 +225,8 @@
 outgoing interface needs to be specified by
 .Fl I
 option.
+.It Fl o
+Exit successfully after receiving one reply packet.
 .It Fl p Ar pattern
 You may specify up to 16
 .Dq pad
Index: ping6.c
===
RCS file: /home/ncvs/src/sbin/ping6/ping6.c,v
retrieving revision 1.31
diff -u -r1.31 ping6.c
--- ping6.c 1 Jul 2007 12:08:06 -   1.31
+++ ping6.c 15 Nov 2007 11:45:12 -
@@ -188,6 +188,7 @@
 #define F_NIGROUP  0x4
 #define F_SUPTYPES 0x8
 #define F_NOMINMTU 0x10
+#define F_ONCE 0x20
 #define F_NOUSERDATA   (F_NODEADDR | F_FQDN | F_FQDNOLD | F_SUPTYPES)
 u_int options;
 
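Review bot: F_ONCE takes 0x20, the next bit after F_NOMINMTU 0x10, but `options` is a single u_int shared with flags defined above this hunk's context (F_NODEADDR, F_FQDN and F_FQDNOLD are referenced by F_NOUSERDATA without being visible here), so confirm 0x20 is not already assigned to one of those earlier defines before committing.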
@@ -344,7 +345,7 @@
 #endif /*IPSEC_POLICY_IPSEC*/
 #endif
while ((ch = getopt(argc, argv,
-   "a:b:c:dfHg:h:I:i:l:mnNp:qS:s:tvwW" ADDOPTS)) != -1) {
+   "a:b:c:dfHg:h:I:i:l:mnNop:qS:s:tvwW" ADDOPTS)) != -1) {
 #undef ADDOPTS
switch (ch) {
case 'a':
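Review bot: the optstring now carries `o` in the same position as the manual page's `.Op Fl dfHmnNoqtvwW`, which is consistent; if ping6.c also prints a usage() line listing the flag letters, it needs the same addition, since this hunk only touches the getopt(3) string.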
@@ -485,6 +486,9 @@
case 'N':
options |= F_NIGROUP;
break;
+   case 'o':
+   options |= F_ONCE;
+   break;
case 'p':   /* fill buffer with user pattern */
options |= F_PINGFILLED;
fill((char *)datap, optarg);
@@ -1164,7 +1168,8 @@
 */
pr_pack(packet, cc, &m);
}
-   if (npackets && nreceived >= npackets)
+   if (( (options & F_ONCE) != 0 && nreceived > 0) ||
+   (npackets > 0 && nreceived >= npackets))
break;
}
summary();
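Review bot: the new condition has stray spacing, `(( (options & F_ONCE) != 0 && nreceived > 0)`; `((options & F_ONCE) && nreceived > 0) ||` reads as the surrounding code does. Correctness also rests on two things outside the hunk: pr_pack(), called just above, must have incremented nreceived for a genuine reply before this check runs, and summary() must exit with a successful status when nreceived > 0, because the manual page text added in this patch promises to "exit successfully" after one reply while the hunk itself only breaks out of the loop.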