Questions about Trusted BSD

Robert Watson rwatson at FreeBSD.org
Thu May 6 01:01:32 GMT 2004


On Mon, 3 May 2004, Mark Stanislav wrote:

> I have recently started to implement features available in FreeBSD 5.x
> on a development box, in preparation for usage on a production system.
> So far the features have been very interesting but I had a couple
> questions. 
> 
> I am wondering if by using 5.2.1-RELEASE-p5, I am using the most
> up-to-date versions of the MAC_ implementations. I don't want to miss
> out on any testing features if they are available.

The MAC Framework is still maturing some, so there are differences in
-CURRENT, especially relating to the SMP locking work going on.  However,
if you're primarily interested in limiting access to port binding with
sockets, the MAC Framework revision shouldn't make a difference (just make
sure you recompile the module when you update to a more recent version of
FreeBSD). 

> Also, is it possible/being implemented/decided against to have the
> ability to specify an IP address with a portacl entry? In the
> environment I will be deploying in, we have lengthy amounts of IPs,
> users, and ports that people use. It would behoove me if I was able to
> say, 'User test, 172.16.100.4, port 36', and then 'User test2,
> 172.16.100.5, port 36'. I don't want to allow both users to the same
> port without specific IPs, so they don't overlap and take someone else's
> IP binding.

It hasn't explicitly been decided against, but it also hasn't been
implemented :-).  The basic non-label based MAC policies implementing
simple rule systems, such as mac_bsdextended and mac_portacl, don't have
very mature rule languages.  I've been hoping someone with more time than
me could pick up enhancing these policy modules.  For example, I'd really
like to see a more general-purpose rule language for ugidfw, with the
ability to specify groups of users, exceptions, etc.  Likewise, for the
portacl module, it would be useful to have a more general rule mechanism
that can be managed using a tool rather than a sysctl, which makes it
harder to manage.

> Anyone other than bugghy have documentation they have created? (good job
> by the way, nicely done).

There is somewhat dated documentation of the MAC Framework policy API in
the FreeBSD Developer's Handbook; I need to update it to the latest
version of the API, but it isn't a bad guide to the approach, etc.  There
is a lot less in the way of user documentation -- the policy man pages for
the simple modules (mac_portacl, ugidfw/mac_bsdextended) are fairly
complete, but there's relatively little information on managing systems
with complex policies such as MLS and Biba.  With the SEBSD policy module,
pretty much all SELinux documentation will apply, as well as the policy
management tools from Tresys.  So there's definitely a niche for more
documentation :-).  Tom Rhodes has indicated to me that he's planning to
substantially expand the MAC chapter in the FreeBSD Handbook, drawing in
part from Bugghy's tutorial, which should be good.  Perhaps we can get him
to post some drafts...

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Senior Research Scientist, McAfee Research
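
The portacl rules discussed above are loaded as one sysctl string with no address field, so two users granted the same port cannot be separated by IP. The linter below is an added example, not part of the original message or of FreeBSD; it assumes the idtype:id:protocol:port rule format and the security.mac.portacl.rules sysctl described in mac_portacl(4), and the uids are constructed stand-ins for 'test' and 'test2'.

```python
"""Added example: lint a mac_portacl rule string before loading it via sysctl."""
from collections import defaultdict

SYSCTL = "security.mac.portacl.rules"  # sysctl name per mac_portacl(4) (assumed)

# Constructed sample: uids 1001 and 1002 stand in for users 'test' and 'test2'.
SAMPLE = "uid:1001:tcp:36,uid:1002:tcp:36,uid:80:tcp:80"


def parse_rules(rule_string):
    """Parse 'idtype:id:protocol:port[,...]' into (idtype, id, proto, port) tuples."""
    rules = []
    for raw in filter(None, (r.strip() for r in rule_string.split(","))):
        fields = raw.split(":")
        if len(fields) != 4:
            # An address field, as requested in the thread, is not in the format.
            raise ValueError(f"{raw!r}: expected idtype:id:protocol:port")
        idtype, ident, proto, port = fields
        if idtype not in ("uid", "gid"):
            raise ValueError(f"{raw!r}: idtype must be uid or gid")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"{raw!r}: protocol must be tcp or udp")
        if not (ident.isascii() and ident.isdigit()):
            raise ValueError(f"{raw!r}: id must be numeric")
        if not (port.isascii() and port.isdigit()) or int(port) > 65535:
            raise ValueError(f"{raw!r}: port must be a 16-bit number")
        rules.append((idtype, int(ident), proto, int(port)))
    return rules


def shared_ports(rules):
    """Return {(proto, port): [principals]} for ports granted to more than one id."""
    holders = defaultdict(set)
    for idtype, ident, proto, port in rules:
        holders[(proto, port)].add((idtype, ident))
    return {key: sorted(ids) for key, ids in holders.items() if len(ids) > 1}


def sysctl_line(rules):
    """Render validated rules as a single name=value line for sysctl."""
    body = ",".join(f"{t}:{i}:{p}:{n}" for t, i, p, n in rules)
    return f"{SYSCTL}={body}"


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    for (proto, port), ids in shared_ports(parsed).items():
        print(f"warning: {proto}/{port} is bindable by {ids}; no per-IP separation")
    print(sysctl_line(parsed))
```
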

