"TrustedBSD" addons
Guy Helmer
ghelmer at palisadesys.com
Tue Jun 29 11:24:50 PDT 2004
Kevin Lyons wrote:
> I was reading with some surprise that some of the MAC and other
> "addons" from trusted bsd are to be incorporated.
Old news.
> I can already see the security advisories for these things like we've
> had for tcpwrapper, kerberos, heimdal, jail, openssl, etcetera ad
> infinitum.
How many of these were developed as part of BSD? One: jail.
> Is this the right way to go? We're adding more bloat while openbsd is
> cleaning itself and reworking kernel memory allocation to make
> exploits near impossible.
That's great work. Now, let's build on that so that the entire system
is properly compartmentalized (i.e., MAC).
> I dloaded 5.2 but haven't installed yet. I hope there is a way to
> disable the MAC and other of these "trustedbsd features" that seem to
> keep DARPA funded userland people busy.
Is it so much harder to look a little more deeply at the system than to
write a troll/rant?
Yes, MAC is a group of kernel compile options, and they are not shipped
as part of the GENERIC kernel. From /sys/conf/NOTES:
# Support for Mandatory Access Control (MAC):
options MAC
options MAC_BIBA
options MAC_BSDEXTENDED
options MAC_DEBUG
options MAC_IFOFF
options MAC_LOMAC
options MAC_MLS
options MAC_NONE
options MAC_PARTITION
options MAC_PORTACL
options MAC_SEEOTHERUIDS
options MAC_STUB
options MAC_TEST
Please take a look at the TrustedBSD implementation before ranting about
"DARPA funded userland people". There are good reasons why these people
were funded.
Guy
More information about the freebsd-chat mailing list