Status of various and sundry TrustedBSD/FreeBSD pieces

[Robert Watson]

Since I know many people following the TrustedBSD work aren't following 
the FreeBSD or TrustedBSD commit mailing lists, I thought I'd give a brief 
status update on various "works in progress":

- At BSDCan and the associated FreeBSD Developer Summit, presentations
   were given on several TrustedBSD-related topics, including the Audit and
   OpenBSM implementations, the TrustedBSD MAC Framework, SEBSD policy
   module, and the experimental port to Darwin, as well as Christian
   Peron's work on an executable and kernel module checksumming policy
   module, mac_chkexec.

- Christian Peron has integrated his mac_chkexec module and tools into the
   TrustedBSD MAC development branch on the FreeBSD perforce server, as
   well as some tweaks to the MAC Framework required to support proper
   checksumming of shared libraries as they are mapped (this change has
   been merged to FreeBSD 6.x and 5.x).

- Changes to label and enforce protections for POSIX semaphores on FreeBSD
   were merged back to the FreeBSD 6.x tree from the TrustedBSD MAC
   development tree in early May, and will ship as part of FreeBSD 6.0
   later this summer.

- In April a number of enhancements were made to the set of socket-related
   acess control protections, such as protections for accept, poll, and
   others.  These have been merged to the FreeBSD CVS tree for 6.0.

- In April the addition of credential-related checks in the MAC Framework
   was merged to the FreeBSD CVS tree for 6.0.  These allow MAC policies to
   control changes in UNIX credentials, and while not required for our
   labeled policies, are desirable for other hardening policies, such as
   the suidacl policy module from Samy Al Bahra.  The credential changes
   were submitted by Samy.

- In March, the System V IPC labeling and enforcement protections for the
   MAC Framework were merged to the FreeBSD CVS tree for 6.0.

- An updated SEBSD ISO, based on an updated SELinux FLASK/TE drop from
   20040819, as well as updated FreeBSD pieces, has been put together by
   Andrew Reisse and Scott Long.  They're currently testing this release,
   and we hope to get an ISO on the web site in the near future.  The ource
   for all of these changes is in the trustedbsd_sebsd branch currently.
   There are still a number of SEBSD-related changes that haven't been
   merged back to the base FreeBSD tree, such as relating to the labeling
   on cloned pseudo-devices; I met with Poul-Henning Kamp at the FreeBSD
   developer summit and he's cleared the way for these changes to be merged
   into FreeBSD CVS for 6.0.

- Work to merge Audit/BSM to the base FreeBSD tree has now begun; the
   system call table format and structures were updated in the last couple
   of days to hold audit event mapping information, and we're currently
   polishing OpenBSM for a 1.0 release.  The primary obstacles to progress
   here are finishing the cleanup, and waiting on Apple to relicense some
   of the kernel-related files under a BSD license (this is currently in
   the hands of Apple Legal, and should move shortly).  Our hope is to ship
   Audit as an experimental feature in FreeBSD 6.0, and a production
   feature in FreeBSD 6.1.  Many thanks to Wayne Salamon, Tom Rhodes, and
   others for their work on this.  After meeting with Apple two weeks ago
   in Cupertino, it sounds like they're interested in picking up the
   OpenBSM bug fixes and enhancements to the user space BSM library, tools,
   documentation, etc, which would be another great outcome.

So things are coming together nicely for the 6.0 release, although the 
deadlines for it are getting a bit tight!

Robert N M Watson
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message