Questions about TrustedBSD

Robert Watson rwatson at FreeBSD.org
Fri Jun 24 20:26:46 GMT 2005 

On Thu, 23 Jun 2005, Kövesdán Gábor wrote:

> I'm very interested in the TrustedBSD project, but I haven't known so 
> much about this project so far. I've read the homepage, but I still have 
> a few questions. I would be glad if somebody in this list would answer 
> my questions.
>
> 1, I see ACLs, MAC and extended attributes have been merged to FreeBSD 
> 5.x. Are these projects complete or there will be further features?

Extended attributes are now part of the native FreeBSD UFS2 file system, 
which is used by default since about 5.1-RELEASE.  ACL support is compiled 
into the kernel, but must be enabled on file systems using tunefs(8) or 
when creating the file system, and relies on the extended attribute 
support.  Enabling ACL support in the kernel has been the default also 
since 5.0 or 5.1, I believe.  Both are considered production quality 
features, although there are some edge case situations where applications 
may not properly preserve ACLs when files are copied, for example.

MAC support is considered experimental, although the MAC Framework on 
which our MAC policy modules are based is considered increasingly mature. 
In the upcoming 6.0 release, it will be much closer to feature complete, 
providing MAC policy support for protecting additional IPC types, such as 
System V IPC.  Some of the policy modules are quite mature; others require 
more documentation or more experimentation in production before we can 
call them production quality.  Some are imply demonstration modules.

> 2, I've read about the Capabilities extension. Is it something similar 
> to RBAC? It sounds similar for me. Can we fine-tune the privileges of 
> one user or what it actually means?

In the context of TrustedBSD, "Capabilities" typically refers to the 
POSIX.1e decomposition of root privilege, and in particular, a model by 
which root privileges are decomposed into a mask of rights that can be 
assigned to processes, and picked up due to executing specific binaries 
similar to setuid.  There are some similarities to concepts in role-based 
access control, but I think there may be more differences.  Specifically, 
POSIX.1e privileges are really oriented on decomposition of the user in 
order to allow privileges to be assigned to users or roles, whereas more 
general Role-Based Access Control is targetted at implementing general 
procedural or data protection for users and applications beyond basic 
system rights.

The POSIX.1e capability work is considered somewhat sidelined right now, 
as I'm not comfortable that it actually provides an immediate security 
benefit, due to the risk level in changing the privilege model.  Some of 
the changes to support this, such as breaking out root privileges into a 
mask of more specific privileges for the purposes of an access control 
decision, are in our SEBSD development branch, so that assignment of these 
privileges can be constrained using Type Enforcement.  I don't currently 
have a specific timeline for merging these privilege check changes.

> 3, As for SEBSD, it is just a hardened kernel, or does it require 
> modifications on the userspace? Has it been already merged to 
> FreeBSD-CURRENT, or will have been it merged by the time 6.0-RELEASE 
> comes out? I don't know so much about the SELinux or SEBSD, but I would 
> like to learn. Do You know any comprehensive documentation about this 
> topic on the Net?

SEBSD requires both kernel and user space changes, as it introduces 
mandatory labeling and protection at all levels in the system. 
Specifically, programs associated with the login process, and other user 
management and switching related activities (cron, sendmail, etc) need to 
be label-aware.  SEBSD really consists of five things right now:

- Modifications to the TrustedBSD MAC Framework required to add support
   for additional access control checks and labels required by SEBSD, but
   not required by previously developed security modules.  For example,
   SEBSD labels file descriptors as well as files, and the above-mentioned
   privilege changes.

- An SEBSD module, which encapsulates a port of NSA's FLASK architecture,
   security server, and Type Enforcement policy, and is loaded as a kernel
   module.

- The ported SELinux support libraries and tools, such as libsepol,
   libselinux, etc, as well as the policy compiler.

- A set of modifications to a number of base FreeBSD tools and libraries,
   such as login-related parts, cron, sshd, password tools, and so on, to
   be aware of Type Enforcement.

- A sample TE policy for constraining applications and components, based
   on the sample policy NSA provides for SELinux.

Of the above, some parts but not all have been merged to the base FreeBSD 
tree for 6.0.  In particular, we haven't yet merged the file descriptor 
labeling support, some changes to the file system mount code, and some 
changes relating to tty labeling for pseudo-terminals.  Several of these 
changes are scheduled for merge to the base FreeBSD tree in time for 6.0, 
but likely not quite all.

We currently distributed SEBSD as an extended FreeBSD release, which can 
be downloaded via CVSUP, or a sample ISO.  Our current ISO snapshot is 
quite old, and a new one will be going online in the next couple of days 
for download, and updates to quite a recent 6.0 snapshot.

You can find information on NSA's FLASK/TE work on the NSA web page; 
interestingly, FLASK/TE were originally devloped on a BSD/Mach-derived 
micro-kernel system, so this is in some ways "the return to BSD" via 
Linux.  :-)

> 4, How is SEDarwin in connection with the TrustedBSD project? Or it just 
> some kind of extra project from TrustedBSD developers who also like 
> Darwin?

SEDarwin is an experimental port of the TrustedBSD MAC Framework and SEBSD 
policy module from FreeBSD to Darwin, which is made easier (although not 
easy) byt the similarities between FreeBSD and Darwin.  It's being done by 
several of the same people who work on the MAC Framework on FreeBSD, as 
well as SEBSD.

> 5, The documentation is pretty rough on the homepage. How can I learn 
> more about the TrustedBSD project?

This is an accurate observation.  Some of the papers there are still quite 
relevant, and there is a fair amount of documentation floating around. 
However, there's relatively little user-oriented documentation.  I have 
high hopes that, among other things, we'll shortly have a Google 
summer-of-code intern who will be interested in helping out with this.

Help from you and others in working to improve the documentation would be 
much appreciated.

Thanks!

Robert N M Watson

>
> Thanks in advance for the answers,
> Cheers,
>
> Gábor Kövesdán
> To Unsubscribe: send mail to majordomo at trustedbsd.org
> with "unsubscribe trustedbsd-discuss" in the body of the message
>

More information about the trustedbsd-discuss mailing list