"TrustedBSD" addons

Kevin Lyons kevin_lyons at ofdengineering.com
Tue Jun 29 11:40:42 PDT 2004


 >
 >> I can already see the security advisories for these things like we've
 >> had for tcpwrapper, kerberos, heimdal, jail, openssl, etcetera ad
 >> infinitum.
 >
 >
 > How many of these were developed as part of BSD?  One: jail.

Well, the point being that the more layers/lines of code are added, the
more potential vulnerabilities there are. I don't think we can say the
FreeBSD or TrustedBSD developers are any more exploit immune than other
folks.

 >
 >> Is this the right way to go?  We're adding more bloat while openbsd is
 >> cleaning itself and reworking kernel memory allocation to make
 >> exploits near impossible.
 >
 >
 > That's great work.  Now, let's build on that so that the entire system
 > is properly compartmentalized (i.e., MAC).

But they are not doing that, they are ONLY adding some new
functionality. Am I misinformed, or has any vm work been done on the
level of openbsd 3.4, beyond perhaps propolice?

 >
 >> I dloaded 5.2 but haven't installed yet.  I hope there is a way to
 >> disable the MAC and other of these "trustedbsd features" that seem to
 >> keep DARPA funded userland people busy.
 >
 >
 > Is it so much harder to look a little more deeply at the system than to
 > write a troll/rant?

Not ranting/trolling.  Thanks for the info, that is good.  As I said, I
have not installed/configured it yet.  I have been noticing feaping
creaturism in freebsd as of late, so I was simply concerned about it.

 > Yes, MAC is a group of kernel compile options, and they are not shipped
 > as part of the GENERIC kernel.  From /sys/conf/NOTES:
 >
 > # Support for Mandatory Access Control (MAC):
 > options         MAC
 > options         MAC_BIBA
 > options         MAC_BSDEXTENDED
 > options         MAC_DEBUG
 > options         MAC_IFOFF
 > options         MAC_LOMAC
 > options         MAC_MLS
 > options         MAC_NONE
 > options         MAC_PARTITION
 > options         MAC_PORTACL
 > options         MAC_SEEOTHERUIDS
 > options         MAC_STUB
 > options         MAC_TEST
 >
 > Please take a look at the TrustedBSD implementation before ranting about
 > "DARPA funded userland people".  There are good reasons why these people
 > were funded.

Hmmpf.  Perhaps it is because there was some leftover when Theo lost his
money :).

 >
 > Guy

-- 
Kevin Lyons
OFD Engineering, 950 Threadneedle Suite 250, Houston Texas 77079
Phone: 281-679-9060, ext. 118, E-mail: kevin_lyons at ofdengineering.com