PERFORCE change 107198 for review

Todd Miller millert at FreeBSD.org
Tue Oct 3 09:37:23 PDT 2006


http://perforce.freebsd.org/chv.cgi?CH=107198

Change 107198 by millert at millert_macbook on 2006/10/03 16:37:00

	Update from DSEP

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/ERRATA#2 edit
.. //depot/projects/trustedbsd/sedarwin8/README#2 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/ERRATA#2 (text+ko) ====

@@ -16,10 +16,6 @@
 
  96: There is no security for fsoctl, ioctl, sysctl. (225 was duplicate)
 
-117: The mpo_check_port_relabel entry point does not hold the task
-     label lock.  Policies implmenting this entry point should
-     exercise caution.
-
 130: The Mach error returns from the framework don't always map
      well. Most framework entry points return bsd errno values, which
      are not usable as returns from mach calls.  Ideally, the

==== //depot/projects/trustedbsd/sedarwin8/README#2 (text+ko) ====

@@ -9,13 +9,23 @@
 ============
 
 This release includes a port of the TrustedBSD MAC Framework to Apple's
-Darwin 8.6 (Mac OS X 10.4.6) operating system, made up of kernel, library,
+Darwin 8.7 (Mac OS X 10.4.7) operating system, made up of kernel, library,
 and user space tool extensions to support flexible policy introduction.  
 In addition, several sample policy modules are present:
 
     - SEDarwin, a port of NSA's FLASK security architecture and
       Type Enforcement policy language from SELinux.
-    - MLS, a simple implementation of multi-level security
+    - mac_mls, a simple implementation of multi-level security
+    - mac_console policy, an example policy that demonstrates how login context
+      labels are used to identify processes associated with the current user 
+    - mac_color policy, an example policy that demonstrates how login context
+      labels are used to share privilege amongst a group of processes. It also
+      demonstrates the use of floating labels.
+    - mac_device_access policy, an example policy to allow connection of
+      specified USB and FireWire devices and to prevent the use of unknown 
+      devices.
+    - mac_extattr_test policy, an example policy to test the operation of
+      extremely long extended attribute values.
     - mac_fwinteg, an example of a minimal base policy that enforces other
       required and allowable policies
     - mac_readonly, an example integrity policy to maintain a valid
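Review bot: the added sample-policy entries are inconsistently punctuated and labelled: the mac_mls and mac_console items have no terminating period while mac_color, mac_device_access and mac_extattr_test do, the mac_console and mac_device_access items carry trailing whitespace, and "mac_console policy, an example policy that ..." repeats "policy" where the mac_mls and mac_fwinteg items use just the module name. Suggest "- mac_console, an example policy that demonstrates how login context labels are used to identify processes associated with the current user." (and likewise for the other three), ending every item with a period and trimming the trailing spaces.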
@@ -34,7 +44,7 @@
 appropriate for use in production environments.
 
 The following modifications have been made relative to Apple's Darwin
-10.4.6 release:
+10.4.7 release:
 
     - Inclusion of a subset of the MAC Framework entry points to
       provide label support and protection of files, processes, System V 
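Review bot: "Apple's Darwin 10.4.7 release" mixes the two version schemes; the first README hunk in this change says "Darwin 8.7 (Mac OS X 10.4.7)". Suggest "The following modifications have been made relative to Apple's Mac OS X 10.4.7 (Darwin 8.7) release:" so both places agree (the old "Darwin 10.4.6" text had the same problem).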
@@ -50,6 +60,124 @@
       Mach servers.  The launchd and notifyd daemons have been modified
       to use our security-enhanced MiG.
 
+New Features in the 20060929 release
+=====================================
+
+    - Update to a newer version of Tiger; the vendor source base was
+      updated to Apple's 10.4.7 release (xnu-792.6.76 for PPC).
+
+    - The MLS policy module was updated to 
+         -- handle the access() permissions correctly. A separate 
+            mac_mls_check_vnode_access() entry point was 
+            implemented instead of using mac_mls_check_vnode_open().
+         -- require both read and write access for all System V shared 
+            memory operations on struct shmid_ds.
+         -- mediate system accounting (acct) to match mdeiation for auditing. 
+            The file must be set to high; the subject privileged.
+
+    - Changed how label handles are freed when their reference count is zero to
+      fix a race condition between a user program requesting and accessing a 
+      label of a labeled kernel object and the destruction of that object.
+
+    - Made changes to kernel credential caching by adding a 
+      kauth_cred_dup_add() function to duplicate an existing ucred and adding
+      the dupe to the cred hash. This helps policy modules modify the ucred of 
+      a specific process at fork time, so credentials are shared amongst 
+      threads in a single process, but not among different processes.
+
+    - New entrypoints have been added for more granular Mach access control
+      checks:
+          mpo_check_port_make
+          mpo_check_port_make_send_once
+          mpo_check_port_move_send
+          mpo_check_port_move_send_once
+          mpo_check_port_receive
+          
+     - MAC Policy socket interfaces were updated to use xsocket structure 
+       instead of a socket, as information such as protocol number and protocol
+       family are unavailable.  Modified entrypoints are:
+          mpo_create_socket
+          mpo_create_socket_from_socket
+          mpo_create_mbuf_from_socket
+          mpo_relabel_socket
+          mpo_set_socket_peer_from_socket
+          mpo_set_socket_peer_from_mbuf
+          mpo_check_socket_accept
+          mpo_check_socket_bind
+          mpo_check_socket_connect
+          mpo_check_socket_deliver
+          mpo_check_socket_kqfilter
+          mpo_check_socket_listen
+          mpo_check_socket_receive
+          mpo_check_socket_relabel
+          mpo_check_socket_select
+          mpo_check_socket_send
+          mpo_check_socket_stat
+          
+    - Completed mount label support.  User space mount programs were
+      modified to allow additional parameters to specify labels.
+
+    - Auditing of system calls such as mac_xxx(), setlcid(), getlcid(), 
+      mac_mount(), mac_get_mount(), mac_getfsstat() was added.
+
+    - Policies do not need mac.h anymore.  The entire policy interface is
+      available in mac_policy.h
+ 
+    - A new mac_console policy demonstrates how login context labels are used 
+      to identify processes associated with the current user 
+
+    - A new mac_color policy demonstrates how login context labels are used 
+      to share privilege amongst a group of processes. It also demonstrates 
+      the use of floating labels.
+
+    - A new mac_device_access policy demonstrates a mechanism to block
+      use of unknown or unauthorized USB and FireWire devices as well as
+      a way to allow use of known, authorized devices.  This policy uses 
+      the following entry point.
+          mpo_check_device_allowed
+
+    - A new mac_extattr_test policy demonstrates how to test the operation of
+      extremely long extended attribute values.
+
+    - Modules can access data items from their Info.plist files and can be 
+      accessed by the new mac_find_module_data() function. 
+
+    - The ipctrace module has been updated with additional NULL label checks
+      so that it may be loaded late. Locking has been improved/corrected and 
+      a new destroy method has been added.
+
+    - The mac_test module has been updated to generate mac_test_check_xxx
+      routines automatically from mac_policy.h.
+
+    - The stub, count and stacktrace policy build commands have been updated to 
+      correctly interpret typedefs that are encountered in mac_policy.h.
+
+    - Fixed the order of message checks: port check should be done before 
+      rights check.
+
+    - Cleanup of code by removing MAC_DEBUG, fields from label structure used 
+      in panther, unused definitions for atomic operations.
+
+    - Correct label allocation for System V message queues to manage label
+      storage entirely within the MAC Framework.
+
+    - MAC helper functions have been added to delete extended attributes.
+
+    - kernel symbol printing has been reenabled.
+
+    - Improved documentation has been included.  In particular,
+      updates were made to the Design and Implementation document, the
+      Policy Module Writing guide, and man pages. A new document 
+      (ISSO-06-008-Boot.pdf) discusses Boot time improvements made, their 
+      interaction with the MAC Framework and sample policies with respect to 
+      boot integrity.
+
+    - The MAC Framework API documentation has been updated;
+      documentation is available in the docs/Framework/html/
+      directory.
+
+    - The ERRATA has the current list of defects.
+
 
 New Features in the 20060630 release
 =====================================
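Review bot: the socket-interface item is an API break for every policy module and should say so explicitly: seventeen mpo_*_socket entry points change their argument from a socket to an xsocket structure, so out-of-tree policies must be updated and rebuilt, and the justification sentence is unclear as written ("as information such as protocol number and protocol family are unavailable" does not say unavailable from what). Suggest "MAC policy socket entry points now take a struct xsocket instead of a struct socket, because the protocol number and protocol family are not available from struct socket; policies implementing the following entry points must be updated:". Smaller documentation fixes in the same hunk: "mdeiation" should be "mediation" in the MLS acct item; that item is also incomplete, it says "The file must be set to high; the subject privileged" without naming which file (presumably the accounting file passed to acct()); the "MAC Policy socket interfaces" item is indented one space deeper than its siblings; "This policy uses the following entry point." should end with a colon since a list follows; "Modules can access data items from their Info.plist files and can be accessed by the new mac_find_module_data() function." reads as if the modules are accessed, suggest "Modules can access data items from their Info.plist files through the new mac_find_module_data() function."; "available in mac_policy.h" lacks a period; and "kernel symbol printing" should be capitalised like the other items. Finally, the two behaviour changes most relevant to policy authors, the label-handle free race fix and "Fixed the order of message checks: port check should be done before rights check", name no function or entry point, so a reader cannot tell which code paths changed; a short pointer to the affected functions would make these entries actionable.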

