Current implementation status

Robert Watson robert at cyrus.watson.org
Thu Apr 13 00:09:27 GMT 2000


Leaving aside the somewhat less fruitful discussion of whether or not
features such as MAC and ACLs are desirable, I thought I'd send out an
update on the current implementation status of some of the initial
extensions.  An update on document status will go out in a couple of days
once things settle down a little more.

Supporting Infrastructure
-------------------------

o Generic Authorization Framework

  Still in the design phases, tentatively named ``Poligraph'' to reflect
its ability to dynamically compose policy engines to build an overall
system policy.  Currently modules are being built directly into the
FreeBSD code as opposed to working via the module interface, which should
provide us with the information we need to fully understand the
requirements of such a dynamic security enforcement system.  Hopefully
some initial design documents for this will be done in a few weeks, and we
would welcome any critical discussion so as to get this right.  As I
described in an earlier email, it is my belief that (if feasible), such a
generic enforcement engine would reduce development and maintenance time
for security modules, as well as make it possible for third parties to
easily distribute additional modules supporting their own policy
mechanisms. 

o File System Extended Attributes

  Most if not all enforcement mechanisms being added as part of the
TrustedBSD project place additional persistent labeling requirements on
file system objects (directories, files, and misc items such as fifos,
device nodes, et al).  While it is possible to build support for this sort
of labeling directly into the file system structure, we have opted for a
less intrusive mechanism built on extended attributes, which consist of
zero or more named data chunks associated with on-disk inodes.  We
anticipate these being used to store capability tags for binaries, ACL
data for files and directories, and security labels for file system
objects protected by MAC policies. 

  The current implementation is essentially complete, and is currently
undergoing review for commit to the base FreeBSD CVS repository later this
week.  In this implementation, named attributes are backed to files in a
per-fs, per-attribute manner.  One disadvantage to this approach is the
performance limitations imposed; one advantage is that this does not
require the underlying file system structure to be modified as
requirements change.  This technique is already used to support file
system quotas on BSD-style operating systems, and seems like a decent fit
for our requirements.  VFS API calls were introduced to support the
extended attributes in 4.0; these new patches, providing backing for the
APIs, will be committed to the 5.0-CURRENT branch and backported when
their stability has been verified. 

Features (for lack of a better term :-)
--------

o Fine-Grained Capabilities

  As part of an effort to improve the least privilege properties of
FreeBSD, we have introduced a capability set based on those described in
the POSIX.1e D17 specification, as well as additions made by the Linux
community to meet their operating requirements.  Capabilities are
currently under active development, and updates will be posted to the web
site on a daily/bi-daily basis.  The present implementation suffers from a
number of limitations--while the framework is largely complete, not all
capabilities have been implemented in kernel, and few userland
applications have been updated to reflect these changes.  Full integration
of the capability code is expected to be finished in about two weeks, at
which point updating userland systems/application code will be a prime
goal. 

o Object Access Control Lists (ACLs)

  In December, APIs and a support library for POSIX.1e ACLs were
introduced in the FreeBSD source tree.  Further code introduction is
waiting on the inclusion of the FFS extended attribute code, although some
of the remaining code is available for download off of the FreeBSD
POSIX.1e implementation site.  Additional code will be online in the next
week or so allowing ACLs to be backed into the extended attribute code
described above.  Currently the POSIX.1e ACL semantics are implemented,
but we are open to other semantics.  For example, there has been
substantial interest in supporting NT-style ACLs, as this would allow
Samba to provide greater transparency to client hosts.  This code is not
heavily tested, and group evaluation is known to be buggy (first match,
not best match). 

o Mandatory Access Control Support

  Initial patches provided by Ilmar S. Habibulin are available for
download, which provide an initial framework for Bell-La Padula mandatory
labeling and access control checks. 

  As I'm not up-to-date on the MAC support status, I'll let Ilmar cover
the status on this component as his schedule permits. 

o Auditing

  The fine-grained event auditing support effort is currently stalled, as
an effort by developers at SRI seems to have fallen through; last year, I
developed an auditing framework based on the POSIX.1e API, but this code
is fairly well aged at this point.  I hope to restart the auditing effort
in a month or so, but this would be a great opportunity for others to leap
in :-). 

  During various phases of earlier development, design and implementation
details for auditing in FreeBSD were discussed extensively; I'll try to
provide a summary of the auditing design choices in the upcoming
documentation.

o Other Features

  Other features, including an analysis of dependencies between boot-time
system binaries, are on the table but as yet undone.  I'll go into more
detail about some of these possible avenues in a followup email on
documentation. 

  Robert N M Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
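
Added example, not part of this post or of the TrustedBSD/FreeBSD code: a
toy C model of the per-fs, per-attribute backing-file scheme described
under "File System Extended Attributes" above.  The layout (a header
recording the fixed record size, then one fixed-size record per inode
number), the inode-generation check, and every name in it are assumptions
made for this example; it runs on any POSIX system and writes a scratch
file under $TMPDIR (or /tmp).

```c
#define _XOPEN_SOURCE 700
/* Toy model of a per-attribute backing file. NOT the FreeBSD code; the
 * layout below is an assumption: header, then one fixed-size record per
 * inode number. Each record carries the inode generation so a label left
 * behind by a deleted file is not handed to a new file that reuses the
 * inode number. The backing file is an ordinary file, so the file
 * system's on-disk structures are untouched; the cost is an extra
 * pread()/pwrite() per attribute access. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define EA_MAGIC     0x54425345u   /* toy header magic */
#define EA_REC_VALID 0x1u

struct ea_fileheader { uint32_t magic; uint32_t datasize; };
struct ea_rechdr     { uint32_t flags; uint32_t len; uint32_t gen; };

struct ea_store {
    int      fd;
    uint32_t datasize;             /* max payload bytes per inode */
    char     path[256];
};

/* Create the backing file for one attribute name on one file system. */
int ea_create(struct ea_store *s, uint32_t datasize)
{
    const char *dir = getenv("TMPDIR");
    snprintf(s->path, sizeof s->path, "%s/ea_backing_XXXXXX", dir ? dir : "/tmp");
    s->fd = mkstemp(s->path);
    if (s->fd < 0)
        return -1;
    struct ea_fileheader h = { EA_MAGIC, datasize };
    if (pwrite(s->fd, &h, sizeof h, 0) != (ssize_t)sizeof h)
        return -1;
    s->datasize = datasize;
    return 0;
}

void ea_destroy(struct ea_store *s)
{
    close(s->fd);
    unlink(s->path);
}

/* Record for inode `ino` sits at a fixed offset: indexed by inode number,
 * no search needed, but the file grows with the highest labeled inode. */
static off_t ea_offset(const struct ea_store *s, uint32_t ino)
{
    return (off_t)sizeof(struct ea_fileheader) +
           (off_t)ino * (off_t)(sizeof(struct ea_rechdr) + s->datasize);
}

int ea_set(struct ea_store *s, uint32_t ino, uint32_t gen,
           const void *data, uint32_t len)
{
    if (len > s->datasize) {
        errno = ENOSPC;            /* fixed record size exceeded */
        return -1;
    }
    struct ea_rechdr rh = { EA_REC_VALID, len, gen };
    off_t off = ea_offset(s, ino);
    if (pwrite(s->fd, &rh, sizeof rh, off) != (ssize_t)sizeof rh)
        return -1;
    if (pwrite(s->fd, data, len, off + (off_t)sizeof rh) != (ssize_t)len)
        return -1;
    return 0;
}

/* Returns the attribute length, or -1 with errno ENOENT (no record for
 * this inode/generation) or ERANGE (caller's buffer too small). A record
 * beyond EOF or in a sparse hole reads as zeros and fails the VALID test. */
ssize_t ea_get(const struct ea_store *s, uint32_t ino, uint32_t gen,
               void *buf, size_t cap)
{
    struct ea_rechdr rh;
    off_t off = ea_offset(s, ino);
    if (pread(s->fd, &rh, sizeof rh, off) != (ssize_t)sizeof rh ||
        !(rh.flags & EA_REC_VALID) || rh.gen != gen) {
        errno = ENOENT;
        return -1;
    }
    if (rh.len > cap) {
        errno = ERANGE;
        return -1;
    }
    return pread(s->fd, buf, rh.len, off + (off_t)sizeof rh);
}

int ea_delete(struct ea_store *s, uint32_t ino)
{
    struct ea_rechdr rh = { 0, 0, 0 };
    return pwrite(s->fd, &rh, sizeof rh, ea_offset(s, ino)) == (ssize_t)sizeof rh ? 0 : -1;
}

/* Constructed scenario: label inode 12 (generation 1), then pretend the
 * file was unlinked and inode 12 reused by a new file with generation 2.
 * Returns 0 when the stale label is withheld from the new file. */
int ea_demo(void)
{
    struct ea_store s;
    char buf[32];
    int rc = -1;
    if (ea_create(&s, sizeof buf) < 0)
        return -1;
    if (ea_set(&s, 12, 1, "secret", 6) == 0 &&
        ea_get(&s, 12, 1, buf, sizeof buf) == 6 &&   /* same file: found */
        memcmp(buf, "secret", 6) == 0 &&
        ea_get(&s, 12, 2, buf, sizeof buf) == -1 &&  /* reused inode: withheld */
        ea_get(&s, 3, 1, buf, sizeof buf) == -1 &&   /* never labeled */
        ea_delete(&s, 12) == 0 &&
        ea_get(&s, 12, 1, buf, sizeof buf) == -1)    /* removed */
        rc = 0;
    ea_destroy(&s);
    return rc;
}

int main(void)
{
    int rc = ea_demo();
    printf("backing-file demo: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

The generation check is the caveat worth keeping in mind for any
inode-indexed label store: without it, a MAC label or capability tag set on
a file that was later unlinked would reappear on whatever new file the file
system allocates the same inode number to.  The performance cost the post
mentions is visible in ea_get(): every attribute lookup is a separate
pread() against the backing file on top of the inode access itself.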

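Added example, not part of this post or of the FreeBSD POSIX.1e library:
the ACL access check in C, written to show the difference between the
"first match" group evaluation the post reports as a known bug and the
POSIX.1e rule that any matching group entry granting the request suffices.
Tag names follow the POSIX.1e draft; the cred/owner structs, the helper
names and the sample ACL are constructed for this example.

```c
/* POSIX.1e-style ACL access check, added as an example (not the FreeBSD
 * posix1e code). Contrasts correct group evaluation, where any matching
 * group entry that grants the request wins, with stopping at the first
 * matching group entry. Structs, helper names and data are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum acl_tag { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER };
#define ACL_READ    04u
#define ACL_WRITE   02u
#define ACL_EXECUTE 01u

struct acl_entry { enum acl_tag tag; uint32_t id; unsigned perm; }; /* id: ACL_USER/ACL_GROUP only */
struct cred  { uint32_t uid; uint32_t gid; const uint32_t *groups; size_t ngroups; };
struct owner { uint32_t uid; uint32_t gid; };

static bool cred_in_group(const struct cred *c, uint32_t gid)
{
    if (c->gid == gid) return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}

/* ACL_MASK caps ACL_USER, ACL_GROUP_OBJ and ACL_GROUP entries; with no
 * mask entry those entries apply unmasked. */
static unsigned acl_mask(const struct acl_entry *acl, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (acl[i].tag == ACL_MASK) return acl[i].perm;
    return ACL_READ | ACL_WRITE | ACL_EXECUTE;
}

static int decide(unsigned granted, unsigned want)
{
    return (granted & want) == want ? 0 : -1;
}

/* Returns 0 if `want` is granted, -1 (EACCES) otherwise. With first_match
 * set, group evaluation stops at the first matching group entry. */
int acl_access(const struct acl_entry *acl, size_t n, const struct owner *o,
               const struct cred *c, unsigned want, bool first_match)
{
    unsigned mask = acl_mask(acl, n);
    size_t i;
    /* 1. File owner: ACL_USER_OBJ decides, unmasked. */
    if (c->uid == o->uid)
        for (i = 0; i < n; i++)
            if (acl[i].tag == ACL_USER_OBJ) return decide(acl[i].perm, want);
    /* 2. Named user entry: decides alone, even if a group would grant more. */
    for (i = 0; i < n; i++)
        if (acl[i].tag == ACL_USER && acl[i].id == c->uid)
            return decide(acl[i].perm & mask, want);
    /* 3. Group entries: grant if ANY matching entry grants the request;
     *    deny only after every matching entry has been considered. */
    bool matched = false;
    for (i = 0; i < n; i++) {
        bool m = (acl[i].tag == ACL_GROUP_OBJ && cred_in_group(c, o->gid)) ||
                 (acl[i].tag == ACL_GROUP && cred_in_group(c, acl[i].id));
        if (!m) continue;
        matched = true;
        if (decide(acl[i].perm & mask, want) == 0) return 0;
        if (first_match) return -1;   /* bug: later group entries never consulted */
    }
    if (matched) return -1;
    /* 4. Everyone else. */
    for (i = 0; i < n; i++)
        if (acl[i].tag == ACL_OTHER) return decide(acl[i].perm, want);
    return -1;                        /* malformed ACL: no ACL_OTHER entry */
}

/* Constructed scenario: file owned by uid 1000 / group 100 ("staff") with
 *   user::rw-  group::r--  group:200:rw-  mask::rw-  other::---
 * Process uid 2000 has staff as primary group and 200 as supplementary. */
static const struct acl_entry demo_acl[] = {
    { ACL_USER_OBJ,  0,   ACL_READ | ACL_WRITE },
    { ACL_GROUP_OBJ, 0,   ACL_READ },
    { ACL_GROUP,     200, ACL_READ | ACL_WRITE },
    { ACL_MASK,      0,   ACL_READ | ACL_WRITE },
    { ACL_OTHER,     0,   0 },
};
static const uint32_t     demo_groups[] = { 200 };
static const struct owner demo_owner    = { 1000, 100 };
static const struct cred  demo_cred     = { 2000, 100, demo_groups, 1 };

int acl_demo(unsigned want, bool first_match)
{
    return acl_access(demo_acl, sizeof demo_acl / sizeof demo_acl[0],
                      &demo_owner, &demo_cred, want, first_match);
}

int main(void)
{
    printf("write, best match : %s\n", acl_demo(ACL_WRITE, false) == 0 ? "granted" : "denied");
    printf("write, first match: %s\n", acl_demo(ACL_WRITE, true)  == 0 ? "granted" : "denied");
    return 0;
}
```

In the sample ACL the process's supplementary group is granted write but
its primary group (the file's owning group) only read.  Under first-match
evaluation the owning-group entry is consulted first and the write is
denied, so a user deliberately given access through a named group entry
gets EACCES.  The inverse cannot happen: whatever first match grants, the
POSIX.1e evaluation also grants, which is why the bug is a denial of
legitimate access rather than an unintended grant.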