Why a MAC Framework?

• MAC has its fingers everywhere

  • Socket, file system access, network stack, signalling, ...

• Rather than scatter the logic all over the place for many specific policies, provide an extension framework

  • Don't have policy-specific data in standard system structures (mbufs, vnodes, ...)
  • Framework can be reused for a variety of other security mechanisms that people keep talking about
  • Permit hese new services to be encapsulated in self-contained modules