In this talk, we'll take a journey through FreeBSD's MAC framework, starting at the syscall and making a trip through mac(9) into individual policies and back. We'll touch on the following:
DAC vs MAC
Basic history of privileged operations (priv(9))
MAC Fundamentals
How syscalls hook in the MAC framework
MAC policy design
Recent MAC work (mdo, jail integration)
This talk is expected to largely focus on providing the basic background one needs to be able to design MAC additions to the kernel, or to design and write one's own MAC policies. Additionally, we attempt to inspire ideas for new policies by describing techniques that one can leverage in writing a policy.