TrustedBSD progress

Robert Watson rwatson at FreeBSD.org
Sat Jan 12 02:28:43 GMT 2002


On Fri, 11 Jan 2002 owner-trustedbsd-discuss at cyrus.watson.org wrote:

> +sec.trustedbsd at cyrus.watson.org  Fri Jan 11 18:04:29 2002
> Received: from fledge.watson.org (ak82hjs7hex92j at fledge.watson.org [204.156.12.50])
>  ...

Sigh.  Came back from the USENIX/FREENIX PC meeting, promptly moderated a
pile of back messages, and it was inevitable I'd mess one up.  So, leaving
that aside, here's a status update for those interested:

TrustedBSD MAC

  Work on the TrustedBSD MAC implementation is progressing rapidly.

  o We've gone from a hard-coded MAC framework to the beginning of a
    pluggable policy framework, which composes the results of a set of
    independent policies that declare themselves using linker sets.  Hooks
    are still being "faulted in" as we discover we need them, but the
    basic set of hooks covers a variety of file system, process, and IPC
    labeling operations and access control primitives.

  o Substantial work has been done to improve the integration of MAC into
    the IP stack, including fixes to get NFS working properly (using the
    correct credentials such that there is not inconsistent labeling of
    mbufs containing NFS RPCs), new work to properly handle BPF filters,
    etc. 

  o Net-booting and workstation booting of the MAC code is now relatively
    functional after a fair amount of tweaking to the boot scripts to
    enable per-object labeling on the various memory-backed filesystems
    created by the boot process.  Special handling is required to allow
    booting over the network as normally interfaces have default labels
    such that they cannot be used by high integrity processes.

  o Additional work to widen the scope of MAC enforcement across a broader
    set of filesystems.  This is still work-in-progress.

  o The partial implementation of Type Enforcement is still underway:
    policies are currently hard-coded in the kernel for debugging
    purposes, but we hope to have an initial implementation of a boot-time
    configurable system policy within a week or two.

  TODO:

  o Integrate Ilmar's implementations of CIPSO, MAC on additional IPC
    objects such as pipes.

  o Improve label management interfaces to allow labels from one policy to
    be updated without understanding the remainder.  This is a further
    step towards pluggable policies.

  o Support for IPv6 (currently IPv6 sockets do not label out-going mbufs,
    and mbufs are not mediated when they are delivered to sockets.)

  o Support for NFS server.

  o Default TE policy that allows the system to work moderately well.
    Ability to modify TE policy at boot-time, monitor at run-time, and
    possibly modify at run-time.

  o Integrate Ilmar's compartment support for MLS and Biba.

  o Integrate labeling into IPsec SAs, and allow management, possibly
    including in the IKE daemon.  Currently, labels and access control can
    be used with tunnel-mode, but not transport mode.

  o MAC integration for devfs so as to label devices properly as they
    appear in devfs.  Initial hack done, but not yet tested. 

TrustedBSD CAP

  o Over the past month, substantial progress has been made towards
    creating a working system that does not provide the root user with
    superuser privilege.  Useful labels have been determined for a number
    of userland applications, which have been modified not to assume the
    presence of root privilege. 

  TODO:

  o More applications, additional work to merge to the mainstream FreeBSD
    tree.

  o Figure out what to do about /etc/capabilities.

  o Documentation, including tutorials.

  o More philosophical discussion of integration of suser and cap
    privilege models into the same system.

TrustedBSD Audit

  o Still in the design phase.

  TODO:

  o Much.  Andrew?

TrustedBSD ACL

  This work is largely integrated into the base tree.  Currently, we're
  not investing much in the way of resources for this, but there has been
  progress made in porting to Darwin and OpenBSD.  There are some TODOs:

  TODO:

  o Fix bugs in extended attribute 'remount' case, which can cause
    problems with filesystem remount when autostart is enabled.

  o Commit Chris Faulhaber's patches for additional userland integration,
    including mv, cp, ls, and others.  Also, look at committing Thomas
    Moestl's work on EA and ACL backup for tar.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services
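An added illustration, not code from the TrustedBSD project or from this message: a toy C model of the pluggable framework described in the MAC section, where independent policies declare themselves to a registry and the framework composes their results. The static registry array (standing in for a linker set), the two toy policies (a Biba integrity check and a small Type Enforcement allow table), the label layout and the restrictive composition rule (any policy's denial wins) are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy label: a Biba integrity level plus a TE type name. */
struct label { int integrity; const char *te_type; };
enum op { OP_READ, OP_WRITE };
/* A policy module: a name and a check hook that returns true to permit. */
struct mac_policy {
    const char *name;
    bool (*check)(const struct label *subj, const struct label *obj, enum op op);
};

/* Biba: read only at or above own integrity, write only at or below it. */
static bool biba_check(const struct label *s, const struct label *o, enum op op)
{
    return op == OP_READ ? o->integrity >= s->integrity : s->integrity >= o->integrity;
}

/* Toy Type Enforcement: a fixed allow table (constructed rules). */
static bool te_check(const struct label *s, const struct label *o, enum op op)
{
    static const struct { const char *st, *ot; enum op op; } allow[] = {
        { "user_t", "user_file_t", OP_READ  },
        { "user_t", "user_file_t", OP_WRITE },
        { "user_t", "sys_file_t",  OP_READ  },
    };
    for (size_t i = 0; i < sizeof allow / sizeof allow[0]; i++)
        if (allow[i].op == op && strcmp(allow[i].st, s->te_type) == 0 &&
            strcmp(allow[i].ot, o->te_type) == 0)
            return true;
    return false;
}

/* Registry: a static array stands in for the linker set the framework walks. */
static const struct mac_policy policies[] = {
    { "biba", biba_check },
    { "te",   te_check   },
};

/* Restrictive composition (assumed): every policy must permit; first denial wins. */
bool mac_check(const struct label *subj, const struct label *obj, enum op op)
{
    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++)
        if (!policies[i].check(subj, obj, op)) {
            fprintf(stderr, "denied by policy %s\n", policies[i].name);
            return false;
        }
    return true;
}
```

Adding a third policy is just another entry in the registry; the composition loop does not need to know what the new policy's label means, which is the point of the "pluggable" direction the update describes.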

