TrustedBSD progress
Robert Watson
rwatson at FreeBSD.org
Sat Jan 12 02:28:43 GMT 2002
On Fri, 11 Jan 2002 owner-trustedbsd-discuss at cyrus.watson.org wrote:
> +sec.trustedbsd at cyrus.watson.org Fri Jan 11 18:04:29 2002
> Received: from fledge.watson.org (ak82hjs7hex92j at fledge.watson.org [204.156.12.50])
> ...
Sigh. Came back from the USENIX/FREENIX PC meeting, promptly moderated a
pile of back messages, and it was inevitable I'd mess one up. So, leaving
that aside, here's a status update for those interested:
TrustedBSD MAC
Work on the TrustedBSD MAC implementation is progressing rapidly.
o We've gone from a hard-coded MAC framework to the beginning of a
pluggable policy framework, which composes the results of a set of
independent policies that declare themselves using linker sets. Hooks
are still being "faulted in" as we discover we need them, but the
basic set of hooks covers a variety of file system, process, and IPC
labeling operations and access control primitives.
o Substantial work has been done to improve the integration of MAC into
the IP stack, including fixes to get NFS working properly (using the
correct credentials such that there is not inconsistent labeling of
mbufs containing NFS RPCs), new work to properly handle BPF filters,
etc.
o Net-booting and workstation booting of the MAC code is now relatively
functional after a fair amount of tweaking to the boot scripts to
enable per-object labeling on the various memory-backed filesystems
created by the boot process. Special handling is required to allow
booting over the network as normally interfaces have default labels
such that they cannot be used by high integrity processes.
o Additional work to widen the scope of MAC enforcement across a broader
set of filesystems. This is still work-in-progress.
o The partial implementation of Type Enforcement is still underway:
policies are currently hard-coded in the kernel for debugging
purposes, but we hope to have an initial implementation of a boot-time
configurable system policy within a week or two.
TODO:
o Integrate Ilmar's implementations of CIPSO, MAC on additional IPC
objects such as pipes.
o Improve label management interfaces to allow labels from one policy to
be updated without understanding the remainder. This is a further
step towards pluggable policies.
o Support for IPv6 (currently IPv6 sockets do not label out-going mbufs,
and mbufs are not mediated when they are delivered to sockets.)
o Support for NFS server.
o Default TE policy that allows the system to work moderately well.
Ability to modify TE policy at boot-time, monitor at run-time, and
possibly modify at run-time.
o Integrate Ilmar's compartment support for MLS and Biba.
o Integrate labeling into IPsec SAs, and allow management, possibly
including in the IKE daemon. Currently, labels and access control can
be used with tunnel-mode, but not transport mode.
o MAC integration for devfs so as to label devices properly as they
appear in devfs. Initial hack done, but not yet tested.
TrustedBSD CAP
o Over the past month, substantial progress has been made towards
creating a working system that does not provide the root user with
superuser privilege. Useful labels have been determined for a number
of userland applications, which have been modified not to assume the
presence of root privilege.
TODO:
o More applications, additional work to merge to the mainstream FreeBSD
tree.
o Figure out what to do about /etc/capabilities.
o Documentation, including tutorials.
o More philosophical discussion of integration of suser and cap
privilege models into the same system.
TrustedBSD Audit
o Still in the design phase.
TODO:
o Much. Andrew?
TrustedBSD ACL
This work is largely integrated into the base tree. Currently, we're
not investing much in the way of resources for this, but there has been
progress made in porting to Darwin and OpenBSD. There are some TODO's:
TODO:
o Fix bugs in extended attribute 'remount' case, which can cause
problems with filesystem remount when autostart is enabled.
o Commit Chris Faulhaber's patches for additional userland integration,
including mv, cp, ls, and others. Also, look at committing Thomas
Moestl's work on EA and ACL backup for tar.
Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org NAI Labs, Safeport Network Services
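A toy sketch of the composition model described in the MAC section above (independent policies, each owning its own part of the label, with the results composed so that every policy must permit), together with the net-boot situation of a high-integrity process and an interface carrying a default low-integrity label. This is an added example, not TrustedBSD's MAC framework or any of its policy modules: the Biba and MLS checks, the per-policy label slots, and the static registration table standing in for linker sets are all assumptions made for the example.

```c
/* Toy MAC policy composition, loosely modelled on the pluggable policy
 * framework described in the status update.  Illustrative example code,
 * NOT TrustedBSD's implementation: the policy names, the label layout and
 * the static table (standing in for linker sets) are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAC_MAX_POLICIES 4

/* Each policy owns exactly one slot of the label, so one policy's data can
 * be evaluated or updated without understanding the other policies. */
struct mac_label {
    int slots[MAC_MAX_POLICIES];
};

enum mac_op { MAC_OP_READ = 1, MAC_OP_WRITE = 2 };

struct mac_policy {
    const char *name;
    /* Returns 0 to permit or an errno value to deny. */
    int (*check_access)(int slot, const struct mac_label *subj,
                        const struct mac_label *obj, enum mac_op op);
};

/* Biba-style integrity (assumed policy): higher value = more trusted.
 * No read down (do not consume low-integrity data), no write up. */
static int biba_check(int slot, const struct mac_label *subj,
                      const struct mac_label *obj, enum mac_op op)
{
    int s = subj->slots[slot], o = obj->slots[slot];
    if (op == MAC_OP_READ && o < s)
        return EACCES;          /* reading down */
    if (op == MAC_OP_WRITE && o > s)
        return EACCES;          /* writing up */
    return 0;
}

/* MLS-style confidentiality (assumed policy): higher value = more
 * sensitive.  No read up, no write down. */
static int mls_check(int slot, const struct mac_label *subj,
                     const struct mac_label *obj, enum mac_op op)
{
    int s = subj->slots[slot], o = obj->slots[slot];
    if (op == MAC_OP_READ && o > s)
        return EACCES;          /* reading up */
    if (op == MAC_OP_WRITE && o < s)
        return EACCES;          /* writing down */
    return 0;
}

/* Registration table; a real kernel would collect these via linker sets.
 * The index into this table doubles as the policy's label slot. */
static const struct mac_policy mac_policies[] = {
    { "biba", biba_check },
    { "mls",  mls_check  },
};
#define NPOLICIES (sizeof(mac_policies) / sizeof(mac_policies[0]))

/* Composition rule: every registered policy must permit; the first
 * denial wins and its errno is returned to the caller. */
int mac_check_access(const struct mac_label *subj,
                     const struct mac_label *obj, enum mac_op op)
{
    for (size_t i = 0; i < NPOLICIES; i++) {
        int err = mac_policies[i].check_access((int)i, subj, obj, op);
        if (err != 0)
            return err;
    }
    return 0;
}

/* Update a single policy's slot without touching the others. */
void mac_label_set_slot(struct mac_label *l, int slot, int value)
{
    l->slots[slot] = value;
}

static struct mac_label mk_label(int biba, int mls)
{
    struct mac_label l = { { 0 } };
    l.slots[0] = biba;   /* slot 0 belongs to "biba" (table index 0) */
    l.slots[1] = mls;    /* slot 1 belongs to "mls"  (table index 1) */
    return l;
}

/* Net-boot scenario: a high-integrity process (Biba 2) reads from an
 * interface still carrying the default low-integrity label (Biba 0). */
int example_read_default_iface(void)
{
    struct mac_label proc = mk_label(2, 0), iface = mk_label(0, 0);
    return mac_check_access(&proc, &iface, MAC_OP_READ);   /* EACCES */
}

/* Same scenario after raising only the Biba slot of the interface label. */
int example_read_relabeled_iface(void)
{
    struct mac_label proc = mk_label(2, 0), iface = mk_label(0, 0);
    mac_label_set_slot(&iface, 0, 2);
    return mac_check_access(&proc, &iface, MAC_OP_READ);   /* 0 */
}

/* Biba permits this write (equal integrity) but MLS denies it (write
 * down), showing that one dissenting policy is enough to deny. */
int example_mls_write_down(void)
{
    struct mac_label proc = mk_label(2, 1), file = mk_label(2, 0);
    return mac_check_access(&proc, &file, MAC_OP_WRITE);   /* EACCES */
}

int main(void)
{
    printf("read default iface:   %d\n", example_read_default_iface());
    printf("read relabeled iface: %d\n", example_read_relabeled_iface());
    printf("mls write down:       %d\n", example_mls_write_down());
    return 0;
}
```

The two things worth noticing are that the composition loop never inspects label contents itself, so a policy can be added or removed by editing only the table, and that relabeling the interface touches only the Biba slot, which is the kind of per-policy label update the TODO list describes.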