SeDarwin

Robert Watson rwatson at FreeBSD.org
Tue May 31 21:43:23 GMT 2005


On Sat, 28 May 2005, Jörg Bornschein wrote:

> Where do I get a current snapshot of SeDarwin? drop5.tgz on 
> trustedbsd.org seems to be incomplete (bootstrap_instructions missing 
> for example) and p4-cvs-trustedbsd-sedarwin73 is not available on 
> cvsup10 either.

I just put online the DSEP 20050331 drop from McAfee (now SPARTA) a couple 
of minutes ago.  This release includes the missing build instructions, as 
well as some other notes on policies, installs, debugging, etc; we have to 
do some sanitization of source and documentation before exporting them, 
and that was omitted in the last release.  The major feature change list 
is below.  I've put the tarball up on the:

     http://www.TrustedBSD.org/sedarwin.html

web page; the old DSEP drop 5 tarball will remain online there as well.

We anticipate a new DSEP baseline being made available sometime in 
mid-July, which will include an update to the more recent 10.3.9 source 
base, integration of audit support into the MAC Framework on Darwin, and a 
number of other significant improvements.  The SEDarwin work relating to 
the port of FLASK/TE to Darwin is largely being developed and maintained 
in FreeBSD's Perforce server based on the most recent DSEP drop, and is 
continuing.  We'll be ready to do a new code drop of that code in another 
month or so -- Andrew is in the process of updating the FLASK/TE code on 
Darwin to match the recent update on the FreeBSD side.

The Perforce location of the most recent SEDarwin work is:

     //depot/projects/trustedbsd/sedarwin7/...

This should be getting exported via a p4-cvs-trustedbsd-sedarwin7 branch 
on cvsup10, but my understanding is there's been a recent problem with the 
p4/cvs export scripts, and the FreeBSD perforce server administrators are 
working to correct that in the near future.  If it isn't fixed in the next 
few days, we'll start doing regular snapshot tarballs from the work branch 
in addition to the release snapshots.

FYI, members of the TrustedBSD team will be attending Apple's WWDC 
conference next week in San Francisco.

Thanks, and sorry about that,

Robert N M Watson

+New Features in the 20050331 release
+====================================
+
+    - Support labelling and access control for Posix IPC (semaphores
+      and shared memory). This includes support for Posix IPC in mls and
+      stub policies.
+
+    - Modifications to the Darwin kernel to assign labels to
+      sockets and other supporting IPv4 data structures, and the
+      addition of access control checks to socket-related operations.
+      Extensions to the MAC Framework to permit policy modules to
+      implement these entry points.
+
+    - Build improvements to convert all remaining BSD Makefiles to GNU
+      Makefiles.  The build is further isolated; it no longer builds
+      and installs BootX tools in the user's home directory.  The
+      mach_init program was added to the installation.

+    - Modified Darwin kernel with additional experimental labeling and
+      access control for Mach IPC.  Prototype modifications to the MLS
+      policy to control information flow via Mach IPC.
+
+    - Additional maturing in VFS security; in particular, vn_read,
+      vn_write, and vn_rdwr access controls were changed.

