"TrustedBSD" addons
Kevin Lyons
kevin_lyons at ofdengineering.com
Tue Jun 29 11:40:42 PDT 2004
>
>> I can already see the security advisories for these things like we've
>> had for tcpwrapper, kerberos, heimdal, jail, openssl, etcetera ad
>> infinitum.
>
>
> How many of these were developed as part of BSD? One: jail.
Well, point being that the more layers/lines of code added, the more
potential vulnerabilities. I don't think we can say the FreeBSD or
TrustedBSD developers are any more exploit immune than other folks.
>
>> Is this the right way to go? We're adding more bloat while openbsd is
>> cleaning itself and reworking kernel memory allocation to make
>> exploits near impossible.
>
>
> That's great work. Now, let's build on that so that the entire system
> is properly compartmentalized (i.e., MAC).
But they are not doing that, they are ONLY adding some new
functionality. Am I misinformed or has any vm work been done on the
level of openbsd 3.4, beyond perhaps propolice?
>
>> I dloaded 5.2 but haven't installed yet. I hope there is a way to
>> disable the MAC and other of these "trustedbsd features" that seem to
>> keep DARPA funded userland people busy.
>
>
> Is it so much harder to look a little more deeply at the system than to
> write a troll/rant?
Not ranting/trolling. Thanks for the info, that is good. As I said, I
have not installed/configured it yet. I have been noticing feaping
creaturism in freebsd as of late so I was simply concerned about it.
> Yes, MAC is a group of kernel compile options, and they are not shipped
> as part of the GENERIC kernel. From /sys/conf/NOTES:
>
> # Support for Mandatory Access Control (MAC):
> options MAC
> options MAC_BIBA
> options MAC_BSDEXTENDED
> options MAC_DEBUG
> options MAC_IFOFF
> options MAC_LOMAC
> options MAC_MLS
> options MAC_NONE
> options MAC_PARTITION
> options MAC_PORTACL
> options MAC_SEEOTHERUIDS
> options MAC_STUB
> options MAC_TEST
>
> Please take a look at the TrustedBSD implementation before ranting about
> "DARPA funded userland people". There are good reasons why these people
> were funded.
Hmmpf. Perhaps it is because there was some leftover when theo lost his
money :).
>
> Guy
--
Kevin Lyons
OFD Engineering, 950 Threadneedle Suite 250, Houston Texas 77079
Phone: 281-679-9060, ext. 118, E-mail: kevin_lyons at ofdengineering.com