TrustedBSD status from Oct-Dec 2003

Robert Watson rwatson at FreeBSD.org
Wed Jan 28 19:25:13 GMT 2004


I recently put together the TrustedBSD status reports for October through
December of 2003 for inclusion in the FreeBSD status report for that
period.  I've attached those reports below as they may be of interest to
those not following the trustedbsd-cvs and FreeBSD cvs-src lists closely. 
These are only the TrustedBSD pieces, and I would encourage anyone with an
interest in FreeBSD to review the full FreeBSD version of the report (just
mailed out to the FreeBSD lists, and should be on the web site in about 12
hours). 

Enjoy!

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Senior Research Scientist, McAfee Research

     * TrustedBSD "Security-Enhanced BSD" -- FLASK/TE Port
     * TrustedBSD Access Control Lists (ACLs)
     * TrustedBSD Audit
     * TrustedBSD Documentation
     * TrustedBSD Mandatory Access Control (MAC)

     ----------------------------------------------------------------------

TrustedBSD Audit

   URL: http://www.trustedbsd.org/components.html#audit

   Contact: Robert Watson <rwatson at FreeBSD.org>
   Contact: TrustedBSD Audit Discussion List
   <trustedbsd-audit at TrustedBSD.org>

   The TrustedBSD Project is producing an implementation of CAPP-compliant
   Audit support for use with FreeBSD. Little progress was made on this
   implementation between October and December other than an update to the
   existing development tree. However, in January, work began on porting the
   Darwin Audit implementation to FreeBSD. Details on this work will appear
   in the next report; more information is available on the TrustedBSD audit
   discussion list. Perforce messages may be seen on the trustedbsd-cvs
   mailing list.

     ----------------------------------------------------------------------

TrustedBSD Documentation

   URL: http://www.TrustedBSD.org/docs.html

   Contact: Robert Watson <rwatson at FreeBSD.org>
   Contact: TrustedBSD Discussion Mailing List
   <trustedbsd-discuss at TrustedBSD.org>

   The TrustedBSD Project is implementing many new features for the FreeBSD
   Project. It also provides documentation for users, administrators, and
   developers.

   mac_support.4 added -- documents TrustedBSD MAC Framework feature
   compatibility. See also the MAC Framework report.

   FreeBSD security architecture updated and corrections/additions made.

   A variety of documentation updates relating to API changes, including the
   socket-related API changes in libc/mac(3).

     ----------------------------------------------------------------------

TrustedBSD Mandatory Access Control (MAC)

   URL: http://www.trustedbsd.org/mac.html

   Contact: Robert Watson <rwatson at FreeBSD.org>
   Contact: TrustedBSD Discussion Mailing List
   <trustedbsd-discuss at TrustedBSD.org>

   The TrustedBSD Mandatory Access Control (MAC) Framework permits the
   FreeBSD kernel and userspace access control policies to be adapted at
   compile-time, boot-time, or run-time. The MAC Framework provides common
   infrastructure components, such as policy-agnostic labeling, making it
   possible to easily develop and distribute new access control policy
   modules. Sample modules include Biba, MLS, and Type Enforcement, as well
   as a variety of system hardening policies.

   TrustedBSD MAC development branch in Perforce integrated to 5.2-RELEASE.

   The TrustedBSD MAC Framework now enforces protections on System V IPC
   objects and methods. Shared memory, semaphores, and message queues are
   labeled, and most operations are controlled. The Biba, MLS, Test, and Stub
   policies have been updated for System V IPC. (Not yet merged)

   The TrustedBSD MAC Framework now enforces protections on POSIX semaphore
   objects and methods. The Biba, MLS, Test, and Stub policies have been
   updated. (Not yet merged)

   The TrustedBSD MAC Framework's central kernel implementation previously
   existed in one large file, src/sys/kern/kern_mac.c. It is now broken out
   into a series of by-service files in src/sys/security/mac.
   src/sys/security/mac/mac_internal.h specifies APIs, structures, and
   variables used internally across the different parts of the framework.
   System calls and registration still occur in kern_mac.c. This permits
   easier maintenance of locally added object types. (Merged)

   Break out mac_policy_list into two different lists, one to hold "static"
   policy modules -- ones loaded prior to kernel initialization, and that may
   not be unloaded -- and one for "dynamic" policy modules -- ones that are
   either loaded later in boot, or may be unloaded. Perform less
   synchronization when using static modules only, reducing overhead for
   entering the framework when not using dynamic modules. (Merged)

   Introduced a kernel option, MAC_STATIC, which permits only statically
   registered policy modules to be loaded at boot or compiled into the
   kernel. When running with MAC_STATIC, no internal synchronization is
   required in the MAC Framework, lowering the cost of MAC Framework entry
   points. (Not yet merged)

   Make mac.h userland API definition C++-happy. (Merged)

   Created mac_support.4, a declaration of what kernel and userspace features
   are (and aren't) supported with MAC. (Not yet merged)

   Stale SEBSD module deleted from MAC branch; SEBSD module will solely be
   developed in the SEBSD branch from now on. See the TrustedBSD SEBSD report
   for more detail.

   Use only pointers to 'struct label' in various kernel objects outside the
   MAC Framework, and use a zone allocator to allocate label storage. This
   permits label structures to have their size changed more easily without
   changing the normal kernel ABI. This also lowers the non-MAC memory
   overhead for base kernel structures. This also simplifies handling and
   storage of labels in some of the edge cases where labels are exposed
   outside of the Framework, such as in execve(). Include files outside of
   the Framework are substantially simplified and now frequently no longer
   require _label.h. (Merged)

   Giant pushed down into the MAC Framework in a number of MAC related system
   calls, as it is not required for almost all of the MAC Framework. The
   exceptions are areas where the Framework interacts with pieces of the
   kernel still covered by Giant and relies on Giant to protect label storage
   in those structures. However, even in those cases, we can push Giant in
   quite a bit past label internalization/externalization/storage
   allocation/deallocation. This substantially simplifies file
   descriptor-based MAC label system calls. (Merged)

   Remove unneeded mpo_destroy methods for Biba, LOMAC, and MLS since they
   cannot be unloaded. (Merged)

   Biba and MLS now use UMA zones for label allocation, which improves
   storage efficiency and enhances performance. (Merged)

   Bug fix for mac_prepare_type() to better support arbitrary object label
   definitions in /etc/mac.conf. (Merged)

   Labels added to 'struct inpcb', which represents TCP and UDP connections
   at the network layer. These labels cache socket labels at the application
   layer so that the labels may be accessed without application layer socket
   locks. When a label is changed on the socket, it is pushed down to the
   network layer through additional entry points. Biba, MLS policies updated
   to reflect this change. (Merged)

   SO_PEERLABEL socket option fixed so that peer socket labels may be
   retrieved. (Merged)

   mac_get_fd() learns to retrieve local socket labels, providing a simpler
   API than SO_LABEL with getsockopt(). mac_set_fd() learns about local
   socket labels, providing a simpler API than SO_LABEL with setsockopt().
   This also improves the ABI by not embedding a struct label in the socket
   option arguments, instead using the copyin/copyout routine for labels used
   for other object types. (Merged)

   Some function names simplified relating to socket options. (Merged)

   Library call mac_get_peer() implemented in terms of getsockopt() with
   SO_PEERLABEL to improve API/ABI for networked applications that speak MAC.
   (Merged)

   mac_create_cred() renamed to mac_cred_copy(), similar to other label
   copying methods, allowing policies to implement all the label copying
   method with a single function, if desired. This also provides a better
   semantic match for the crdup() behavior. (Merged)

   Support "id -M", similar to Trusted IRIX. (Not yet merged)

   TCP now uses the inpcb label when responding in timed wait, avoiding
   reaching up to the socket layer for label information in otherwise
   network-centric code.

   Numerous bug fixes, including assertion fixes in the MAC test policy
   relating to execution and relabeling. (Merged)

     ----------------------------------------------------------------------

TrustedBSD "Security-Enhanced BSD" -- FLASK/TE Port

   URL: http://www.TrustedBSD.org/sebsd.html

   Contact: Robert Watson <rwatson at FreeBSD.org>
   Contact: TrustedBSD Discussion Mailing List
   <trustedbsd-discuss at TrustedBSD.org>

   TrustedBSD "Security-Enhanced BSD" (SEBSD) is a port of NSA's SELinux
   FLASK security architecture, Type Enforcement (TE) policy engine and
   language, and sample policy to FreeBSD using the TrustedBSD MAC Framework.
   SEBSD is available as a loadable policy module for the MAC Framework,
   along with a set of userspace extensions supporting security-extended
   labeling calls. In most cases, existing MAC Framework functions provide
   the necessary abstractions for SEBSD to plug in without SEBSD-specific
   changes, but some extensions to the MAC Framework have been required;
   these changes are developed in the SEBSD development branch, then merged
   to the MAC branch as they mature, and then to the FreeBSD development
   tree.

   Unlike other MAC Framework policy modules, the SEBSD module falls under
   the GPL, as it is derived from NSA's implementation. However, the eventual
   goal is to support plugging SEBSD into a base FreeBSD install without any
   modifications to FreeBSD itself.

   TrustedBSD SEBSD development branch in Perforce integrated to 5.2-RELEASE.
   Other changes in the MAC branch, including restructuring of MAC Framework
   files also integrated, and a move to zone allocation for labels. See the
   TrustedBSD MAC Framework report for more detail on these and other MAC
   changes that also affect the SEBSD work.

   FreeBSD PTY code modified so that the MAC Framework and SEBSD module can
   create ptys with the label of the process trying to access them. Improves
   compatibility with the SELinux sample policy. (Not yet merged)

   SEBSD now loads its initial policy in the boot loader rather than using a
   dummy policy until the root file system is mounted, and then loading it
   using VFS operations. This avoids initial labeling and access control
   conditions during the boot.

   security_load_policy() now passes a memory buffer and length to the
   kernel, permitting the policy reload mechanisms to be shared between the
   early boot load and late reloads. The kernel SEBSD code now no longer
   needs to perform direct file I/O relating to reading the policy.
   checkpolicy now mmaps the policy before making the system call.

   SEBSD now enforces protections on System V IPC objects and methods. Shared
   memory, semaphores, and message queues are labeled, and most operations
   are controlled. The sample policy has been updated.

   The TrustedBSD MAC Framework now controls mount, umount, and remount
   operations. A new MAC system call, mac_get_fs() can be used to query the
   mountpoint label. lmount() system call allows a mount label to be
   explicitly specified at mount time. The SEBSD policy module has been
   updated to reflect this functionality, and sample TE policy has been
   updated. (Not yet merged)

   SEBSD now enforces protections on POSIX semaphores; the sample policy has
   been updated to demonstrate how to label and control semaphores. This
   includes sample rules for PostgreSQL.

   The SEBSD sample policy, policy syntax, and policy tools have been updated
   to the SELinux code drop from August. These pieces now build with BSD make
   (bmake), so gmake is no longer needed.

   Provide file ioctl() MAC Framework entry point and SEBSD implementation.

   A large number of sample policy tweaks and fixes. The policy has been
   updated to permit cron to operate properly. It has been updated for
   FreeBSD 5.2 changes, including dynamically linked root. Teach the sample
   policy about FreeBSD's sendmail wrapper.

   Adapt sysinstall and install process for SEBSD pieces. Teach sysinstall,
   newfs, et al, about multilabel file systems, install SEBSD sample policy
   pieces, build policy. Automatically load the SEBSD module on first boot
   after install.

   Allow "ls -Z" to print out labels without long format.

     ----------------------------------------------------------------------

TrustedBSD Access Control Lists (ACLs)

   URL: http://www.trustedbsd.org/components.html#acls

   Contact: Robert Watson <rwatson at FreeBSD.org>
   Contact: TrustedBSD Discussion Mailing List
   <trustedbsd-discuss at TrustedBSD.org>

   TrustedBSD Access Control Lists (ACLs) provide extended discretionary
   access control support for the UFS and UFS2 file systems on FreeBSD. They
   implement POSIX.1e ACLs with some extensions, and meet the Common Criteria
   CAPP requirements. Most ACL-related work is complete, with remaining tasks
   associated with userspace integration, third party applications, and
   compatibility.

   Prototyped Solaris/Linux semantics for combining ACLs and the umask: if a
   default ACL mask is defined, substitute that mask for the umask,
   permitting ACLs to override umasks. (Not merged)
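   The following is an added model of the ACL/umask rule just described; it is
   not TrustedBSD code. It parses the short-form ACL text that setfacl(1)
   accepts and computes a new file's mode under both the classic umask rule
   and the POSIX.1e default-ACL rule. Assumption beyond the report's one-line
   description: a default ACL with no mask entry uses its group entry as the
   group-class entry, as POSIX.1e specifies.

```python
# Added illustration of default-ACL inheritance versus the umask (not
# TrustedBSD code).  Mode bits are plain octal; ACL text is the short form
# "u::rwx,g::r-x,m::r-x,o::r-x" with optional named entries "u:name:rwx".

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_acl(text):
    """Parse short-form ACL text into {(tag, qualifier): perm_bits}.

    Owner/group/other/mask entries carry an empty qualifier; named user and
    group entries carry the name.
    """
    acl = {}
    for entry in text.split(","):
        tag, qualifier, perms = entry.strip().split(":")
        if tag not in ("u", "g", "o", "m"):
            raise ValueError("unknown ACL tag: %r" % tag)
        bits = 0
        for ch in perms:
            if ch != "-":
                bits |= PERM_BITS[ch]
        acl[(tag, qualifier)] = bits
    return acl


def create_file_acl(requested_mode, umask, default_acl=None):
    """Return (mode, acl) for a file created with requested_mode.

    No default ACL on the parent: classic rule, mode & ~umask.
    Default ACL present: it is inherited, each class entry is intersected
    with the corresponding bits of requested_mode, and the umask is ignored;
    the mask entry (group entry if there is no mask) takes the umask's role,
    which is what lets an ACL override the umask.
    """
    if default_acl is None:
        mode = requested_mode & ~umask & 0o777
        acl = {("u", ""): (mode >> 6) & 7, ("g", ""): (mode >> 3) & 7,
               ("o", ""): mode & 7}
        return mode, acl
    acl = dict(default_acl)
    group_class = ("m", "") if ("m", "") in acl else ("g", "")
    acl[("u", "")] &= (requested_mode >> 6) & 7
    acl[group_class] &= (requested_mode >> 3) & 7
    acl[("o", "")] &= requested_mode & 7
    mode = (acl[("u", "")] << 6) | (acl[group_class] << 3) | acl[("o", "")]
    return mode, acl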
