trustedbsd/RBAC and BSD/OS?

Robert Watson rwatson at FreeBSD.org
Wed Jul 11 16:45:38 GMT 2001


Matt,

Sorry about the delay there--as I may have mentioned to you, I'll be
getting married this Saturday, and so life has been fairly hectic, and
will continue to be so for a bit.  There are a number of sets of changes
that you will want to identify and port to support the work.  This
includes:

1) Changes to introduce extended attributes

	- Addition of EA VOP's to vnode_if.src
	- Addition of ufs_extattr.c, supporting changes to ufs_vnops.c
	- Addition of new system calls (syscalls.master) for EA access
	- Addition of new system call implementations in vfs_syscalls.c
	- Addition of kernel EA call wrappers to vfs_vnops.c
	- extattr.h
	- Userland library support in libutil (moving to libc sometime)
	- Userland utility support (getextattr, setextattr, extattrctl)

Note that Thomas Moestl <tmm at FreeBSD.org> currently has the EA token and
has a number of outstanding interface improvements to make support for
backing up EAs easier, etc.  You'll want to coordinate with his changes
there.  We also just signed a contract with DARPA to implement EAs at the
FFS block layer, with Kirk McKusick and Poul-Henning Kamp doing the
implementation work, which will yield much higher performance and better
soft updates integration.  That won't be done for a while, but it's worth
keeping in mind.

2) Changes to introduce access control lists

	- Addition of ACL VOP's to vnode_if.src
	- Addition of ufs_acl.c, supporting changes to ufs_vnops.c
	- Addition of new system calls (syscalls.master) for ACL access
	- Addition of kern_acl.c to manage ACLs as well as provide
	  generic ACL evaluation
	- acl.h
	- Userland library support in libc/posix1e
	- Userland utilities (getfacl, setfacl)

ACLs rely on Extended Attributes.

These patches rely on the introduction of vaccess(), which will also be
different from the BSD/OS code base -- vaccess() is a utility routine to
do access control, and with ACLs, is replaced with vaccess_acl_posix1e()

Note that Chris Faulhaber <jedgar at FreeBSD.org> currently has the ACL
token, and has outstanding patches to improve userland integration of the
ACL code.  You may want to coordinate porting efforts with him.

3) Changes to introduce process capabilities

	- Addition of new system calls (syscalls.master) for capability
	  management
	- Addition of kern_cap.c to manage capabilities as well as
	  provide supporting evaluation calls/policy.
	- Modification to process credential (ucred) to hold capability
	  information
	- Modification of inter-process authorization checks to support
	  capabilities
	- Replacement of suser*() calls with cap_check*() calls
	- Locate remaining uid==0/uid!=0 checks and replace also
	- cap.h
	- Userland library support in libc/posix1e
	- Userland utilities

Capabilities rely on Extended Attributes if they are to be bound to files
(which makes sense to do in most environments to reduce the use of setuid
root).

Note that Thomas Moestl <tmm at FreeBSD.org> currently has the Capability
token, and has outstanding patches (newer than the ones on the TrustedBSD
site) that update and improve the implementation.  Since this work is
still under development, you'll want to coordinate with Thomas closely.

4) Changes to introduce mandatory access control

These patches are still experimental, and therefore probably not a good
porting target until September.

	- Addition of Generic Object Labeling support (kern_objlabel.c)
	  to allow label management on kernel objects
	- Addition of objlabel to network subsystem (universal addition of
	  hooks for objlabel management and initialization in interface
	  code, protocol code, ipfw code, ioctl support, socket code,
	  etc).
	- Modification of process credential (ucred) to hold label
	  information
	- Modification of inter-process authorization checks to
	  support MAC
	- Modification of file system vaccess() calls to include
	  invocation of vaccess_mac()
	- Userland support in libc/posix1e
	- Userland utilities

At this point I'd hold off on looking at the MAC stuff seriously until
mid-September, when I hope to have made more serious progress and have the
objlabel code better integrated.

Note also there have been some relevant changes in the base FreeBSD code
that would need to be either replicated or adapted for: introduction of
vaccess(), improved inter-process authorization abstractions, merging of
pcred and ucred, etc.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services
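The message refers to the "generic ACL evaluation" in kern_acl.c and to vaccess_acl_posix1e() without showing how a POSIX.1e check proceeds. The following is an added example, not FreeBSD or TrustedBSD code: a compact POSIX.1e-style access decision in C, walking the owner, named-user, group-class and other entries in order and applying the mask entry to the classes it bounds. The tag names, cred_t, acl_posix1e_access() and sample_check() are this example's own definitions, and the sample ACL is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* POSIX.1e ACL entry tags; this example's own definitions, not acl.h. */
typedef enum {
    TAG_USER_OBJ,   /* file owner */
    TAG_USER,       /* a named user */
    TAG_GROUP_OBJ,  /* file owning group */
    TAG_GROUP,      /* a named group */
    TAG_MASK,       /* upper bound on USER, GROUP_OBJ and GROUP entries */
    TAG_OTHER       /* everyone else */
} acl_tag_t;

#define PERM_READ  4u
#define PERM_WRITE 2u
#define PERM_EXEC  1u
#define PERM_ALL   (PERM_READ | PERM_WRITE | PERM_EXEC)

typedef struct {
    acl_tag_t tag;
    uint32_t  id;    /* uid or gid for TAG_USER / TAG_GROUP, else ignored */
    unsigned  perm;  /* bitwise OR of PERM_* */
} acl_entry_t;

/* Minimal stand-in for a process credential (hypothetical, not ucred). */
typedef struct {
    uint32_t        uid;
    const uint32_t *gids;
    size_t          ngids;
} cred_t;

static bool cred_in_group(const cred_t *c, uint32_t gid)
{
    for (size_t i = 0; i < c->ngids; i++)
        if (c->gids[i] == gid)
            return true;
    return false;
}

static bool grants(unsigned perm, unsigned requested)
{
    return (perm & requested) == requested;
}

/* Returns 0 if every requested bit is granted, -1 otherwise. Evaluation
 * stops at the first applicable class; only the group class may consult
 * more than one entry. */
int acl_posix1e_access(const acl_entry_t *acl, size_t n,
                       uint32_t file_uid, uint32_t file_gid,
                       const cred_t *cred, unsigned requested)
{
    unsigned mask = PERM_ALL;          /* no mask entry: no restriction */
    for (size_t i = 0; i < n; i++)
        if (acl[i].tag == TAG_MASK)
            mask = acl[i].perm;

    /* 1. Owner: USER_OBJ entry, never masked. */
    if (cred->uid == file_uid) {
        for (size_t i = 0; i < n; i++)
            if (acl[i].tag == TAG_USER_OBJ)
                return grants(acl[i].perm, requested) ? 0 : -1;
        return -1;                     /* malformed ACL: owner entry required */
    }
    /* 2. Named user matching the caller, masked. */
    for (size_t i = 0; i < n; i++)
        if (acl[i].tag == TAG_USER && acl[i].id == cred->uid)
            return grants(acl[i].perm & mask, requested) ? 0 : -1;
    /* 3. Group class: owning group (if member) plus named groups the caller
     * is in. One matching entry granting all bits suffices; a match with no
     * grant denies, and the other class is not consulted. */
    bool group_matched = false;
    for (size_t i = 0; i < n; i++) {
        bool applies =
            (acl[i].tag == TAG_GROUP_OBJ && cred_in_group(cred, file_gid)) ||
            (acl[i].tag == TAG_GROUP && cred_in_group(cred, acl[i].id));
        if (!applies)
            continue;
        group_matched = true;
        if (grants(acl[i].perm & mask, requested))
            return 0;
    }
    if (group_matched)
        return -1;
    /* 4. Everyone else: OTHER entry, never masked. */
    for (size_t i = 0; i < n; i++)
        if (acl[i].tag == TAG_OTHER)
            return grants(acl[i].perm, requested) ? 0 : -1;
    return -1;
}

/* Constructed sample ACL for a file owned by uid 1000, gid 100:
 * user::rw- user:1001:rwx group::r-- group:50:rw- mask::r-x other::--- */
static const acl_entry_t sample_acl[] = {
    { TAG_USER_OBJ,  0,    PERM_READ | PERM_WRITE },
    { TAG_USER,      1001, PERM_ALL },
    { TAG_GROUP_OBJ, 0,    PERM_READ },
    { TAG_GROUP,     50,   PERM_READ | PERM_WRITE },
    { TAG_MASK,      0,    PERM_READ | PERM_EXEC },
    { TAG_OTHER,     0,    0 },
};
#define SAMPLE_N (sizeof sample_acl / sizeof sample_acl[0])

/* Checks the sample ACL for a caller with a single supplementary group. */
int sample_check(uint32_t uid, uint32_t gid, unsigned requested)
{
    cred_t cred = { uid, &gid, 1 };
    return acl_posix1e_access(sample_acl, SAMPLE_N, 1000, 100, &cred, requested);
}

int main(void)
{
    printf("owner write:    %d\n", sample_check(1000, 100, PERM_WRITE)); /* 0 */
    printf("uid 1001 write: %d\n", sample_check(1001, 7, PERM_WRITE));   /* -1, masked */
    printf("gid 50 read:    %d\n", sample_check(2000, 50, PERM_READ));   /* 0 */
    printf("other read:     %d\n", sample_check(4000, 7, PERM_READ));    /* -1 */
    return 0;
}
```

The point worth noticing is the mask: user 1001 holds rwx in the ACL yet cannot write, because the mask entry caps every class except the owner and "other". A real kernel routine would additionally receive the vnode's mode bits and a privilege check, which this example leaves out.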

On Mon, 9 Jul 2001 mms at internap.com wrote:

> On Fri, 29 Jun 2001, matt sommer wrote:
> 
> hey robert,
> 
> sorry to hassle you again, but I was wondering if I could get the
> information described below?
> 
> > On Thu, 21 Jun 2001, matt sommer wrote:
> >
> > hey robert,
> >
> > I remember that you are fairly busy, but I was wondering if you had a
> > chance to compile a list of files for me to have a look at and start the
> > integration process?
> >
> > > On Wed, 20 Jun 2001, Robert Watson wrote:
> > >
> > > > :-).  Right now, the primary target is FreeBSD, with secondary targets of
> > > > Darwin and OpenBSD (meaning that I work on them as time and funding
> > > > permit).  Porting to BSD/OS would require fairly large patches, but
> > > > shouldn't be a difficult task given the similarities between the FreeBSD
> > > > and BSD/OS source bases.  Doing it would, however, require you to pull
> > > > commit patchsets out of FreeBSD CVS, as the patches on the TrustedBSD web
> > > > site are by no means complete (and tend to be from before merges, with
> > > > significant work done after merges).  If you want to take initiative on
> > > > this, I'd be happy to work with you to point out what needs to get merged,
> > > > provide advice on the merging, etc.
> > > >
> > >
> > > I'd love to take the initiative and any and all pointers would be more than
> > > welcome. I'll be happy to take the time, and have enough of it that I
> > > should be able to make "reasonably" fast work of the port. I have done
> > > a lot of BSD/OS kernel work for commercial projects and some small work
> > > for public domain projects ...
> > >
> > > > said, I would be happy to see the work happen, and would help as much as
> > > > possible.
> > > >
> > >
> > > much appreciated. I shouldn't need too much assistance besides pointers to
> > > procurement, and the occasional mail regarding correctness. I have a
> > > pretty good relationship with many bsdi ( now wind river ) folks such as
> > > abc and seebs, and if you want to check in with some folks who have
> > > worked with me in the past john polstra knows me from when he did some
> > > consulting for f5.
> > >
> > > I'd really like to take this project on and would truly appreciate any and
> > > all assistance you are willing to provide. I'd love to see a well thought
> > > out RBAC implementation like trustedbsd make it into BSD/OS.
> > >
> > > if you just want to point me at what files apply in cvs and from the
> > > most applicable host I'll pull them, and make a first pass.
> > >
> > > thanks again! this should be fun!
> > >
> > >
> >
> >
> 
> -- 
> Matt Sommer [MMS26], CISSP