Updating FreeBSD to TrustedBSD

Robert Watson rwatson at FreeBSD.org
Thu May 6 01:38:31 GMT 2004 

On Mon, 3 May 2004, bogdan wrote:

>    I started cvsupping trustedbsd to /usr/p4cvs and I've noticed it has
> the same directories as /usr/src.  Can I cvsup trustedbsd to /usr/src
> thus downloading only updated files?

As far as I know, there's not really a good way to do this using cvsup, as
cvsup won't be able to tell based on version information which versions
are equivilent, and which aren't.  So this means you're basically stuck
cvsuping the entire thing, although perhaps there is a way to tell it to
download only the kernel source (which is where most of the changes are,
currently).  That said, the trustedbsd_mac branch is actually very close
to the main FreeBSD CVS HEAD right now -- the majority of the large
changes are in the trustedbsd_sebsd branch.  Here's a brief summary
changes between the CVS HEAD and the trustedbsd_mac HEAD:

- The device file system is modified to provide more complete path
  information to the MAC Framework.

- System V IPC and POSIX Semaphores have security labels and MAC policy
  modules can maintain labels and control access on these objects.  The
  various label-based policy modules now control them.

- The NFS server uses real credential references as opposed to embedded
  credential structures.

- The wait()-related system calls can be controlled by MAC policies, and
  are controlled by our label-based policies.

- MAC policies can inspect CIPSO tags and update mbuf labels based on
  them.  No policies currently implement this entry point.  There isn't
  currently a way for policies to insert CIPSO labels on locally generated
  packets.

- A number of additional network components are updated to support MAC
  better, including kernel PPP, SPPP.

- The Biba and MLS label formats allow you to express sequential
  compartment ranges in a more compact format.

- The kernel UFS2 implementation is more resilient to on-disk corruption
  of extended attributes.  The userspace file system checking code is able
  to detect UFS2 extended attribute corruption.

- The ls(1) command can display labels for files without being used with
  the "long" format (-l).

- mac_support(4) man page is a work in progress, but attempts to document
  what is (and is not) supported in a MAC configuration.

- sysinstall(8) supports configuring file systems as multi-label file
  systems from creation.

- login.conf(5) now supports a 'ttylabel' field that is used by login(1)
  command to set tty labels when the user logs in.

- inetd(8) has an improved ability to run commands/daemons with specific
  labels.

- The diskless environment uses multi-label file systems for memory file
  systems.

The SEBSD branch has the larger changes, which are (at a high level) as
follows:

- SEBSD policy module :-).  Port of FLASK/TE based on SELinux.

- Sample Type Enforcement policy, label specification derived from
  SELinux.

- libsebsd support library based on libselinux, although somewhat modified
  as the MAC Framework offer system calls for label management on many
  objects.

- SEBSD policy tools -- checkpolicy, et al.

- Ability to specify a specific label for a new file system at mount using
  a flag to mount(8) (and the mount system call).  Also a system call to
  retrieve the MAC label on a file system.

- All references to suser() replaced with calls to cap_check() and
  explicit POSIX.1e privileges so that MAC policy modules can control
  privileges granted in the kernel.

- Labels on file descriptors (struct file), as well as access controls.
  This was required by FLASK/TE which wishes to control file descriptors
  as a means of communication/control.

- Modifications to the pty driver so that pty devices allocated are
  assigned the label of the process opening them.  This work is incomplete
  as we also need to immediately recycle a pty once it's done being used
  so that the label is reset.

- Additional protect checks and labeling related to file system
  mountpoints and operations (mount, unmount, remount).

- sysinstall(8) modified to exclude features not currently supported or
  built with our SEBSD distribution.

So if you're not going to be using these features, you probably can run on
the CVS HEAD without a problem.  We're working on preparing these features
for merging prior to FreeBSD 5.3.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Senior Research Scientist, McAfee Research


To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message

More information about the trustedbsd-discuss mailing list