SeDarwin
Robert Watson
rwatson at FreeBSD.org
Tue May 31 21:43:23 GMT 2005
On Sat, 28 May 2005, Jörg Bornschein wrote:
> where do i get a current snapshot of SeDarwin? drop5.tgz on
> trustedbsd.org seems to be incomplete (bootstrap_instructions missing
> for example) and p4-cvs-trustedbsd-sedarwin73 is not available on
> cvsup10 either.
I just put online the DSEP 20050331 drop from McAfee (now SPARTA) a couple
of minutes ago. This release includes the missing build instructions, as
well a some other notes on policies, installs, debugging, etc; we have to
do some sanitization of source and documentation before exporting them,
and that was omitted in the last release. The major feature change list
is below. I've put the tarball up on the:
http://www.TrustedBSD.org/sedarwin.html
web page; the old DSEP drop 5 tarball will remain online there as well.
We anticipate a new DSEP baseline being made available sometime in
mid-July, which will include an update to the more recent 10.3.9 source
base, integration of audit support into the MAC Framework on Darwin, and a
number of other significant improvements. The SEDarwin work relating to
the port of FLASK/TE to Darwin is largely being developed and maintained
in FreeBSD's Perforce server based on the most recent DSEP drop, and is
continuing. We'll be ready to do a new code drop of that code in another
month or so -- Andrew is in the process of updating the FLASK/TE code on
Darwin to match the recent update on the FreeBSD side.
The Perforce location of the most recent SEDarwin work is:
//depot/projects/trustedbsd/sedarwin7/...
This should be getting exported via a p4-cvs-trustedbsd-sedarwin7 branch
on cvsup10, but my understanding is there's been a recent problem with the
p4/cvs export scripts, and the FreeBSD perforce server administrators are
working to correct that in the near future. If it isn't fixed in the next
few days, we'll start doing regular snapshot tarballs from the work branch
in addition to the release snapshots.
FYI, members of the TrustedBSD team will be attending Apple's WWDC
conference next week in San Francisco.
Thanks, and sorry about that,
Robert N M Watson
+New Features in the 20050331 release
+====================================
+
+ - Support labelling and access control for Posix IPC (semaphores
+ and shared memory). This includes support for Posix IPC in mls and
+ stub policies.
+
+ - Modifications to the Darwin kernel to assign labels to
+ sockets and other supporting IPv4 data structures, and the
+ addition of access control checks to socket-related operations.
+ Extensions to the MAC Framework to permit policy modules to
+ implement these entry points.
+
+ - Build improvements to convert all remaining BSD Makefiles to GNU
+ Makefiles. The build is further isolated; it no longer builds
+ and installs BootX tools in the user's home directory. The
+ mach_init program was added to the installation.
+ - Modified Darwin kernel with additional experimental labeling and
+ access control for Mach IPC. Prototype modifications to the MLS
+ policy to control information flow via Mach IPC.
+
+ - Additional maturing in VFS security; in particular, vn_read,
+ vn_write, and vn_rdwr access controls were changed.
More information about the trustedbsd-discuss
mailing list