capabilities impletementation?

Robert Watson rwatson at FreeBSD.org
Mon Nov 28 14:01:53 GMT 2005 

On Fri, 25 Nov 2005, Dingo wrote:

> Robert , Scott ?? You guys want to give a bit of insight see if we can 
> co-ordinate this between me and Joey, I think we are willing to pitch in 
> more. I know Ive been pounding SeBSD into submission, where can we merge 
> and bring forth the efforts faster?? And yes.. Scott a diff drop point 
> would be good for me

So an interesting question is -- if we want to move forward with the 
POSIX.1e privilege/capability implementation, do we want to attempt to 
make it a MAC module, or do we want to keep the implementation separate. 
Right now, the trustedbsd_cap branch is quite dated, but probably isn't 
all that hard to update.  It does depend on changes that are also present 
in the SEBSD branch, so there is the potential to combine efforts.  On the 
other hand, there are lots of changes required for both that are 
dependencies of only one -- for example, the type enforcement related 
changes in user space aren't required for the capability implementation. 
My leaning would be to keep them in different work areas, but to share as 
much of the implementation as possible.

If it would make it easier, it's pretty straight forward to arrange 
perforce accounts for both of you so you can get to and work on the 
TrustedBSD branches in Perforce.  If you could coordinate with Scott on 
SEBSD though, this would be great.  I know that Yanjun Wu is also quite 
interested in the SEBSD work, and has had his hands in some local 
implementation work relating to SEBSD.  Yanjun is also already set up with 
Perforce access.

The most recent integration dates for the various branches are currently:

trustedbsd base		20051110
   trustedbsd audit3	20050926
   trustedbsd mac	20051110
   trustedbsd sebsd	20050710

The CAP branch may well last have been integrated in 2001.  For that, it 
might be worth starting with a cap2 branch integrated from 
trustedbsd_base, and then propagating specific changes to it from the 
SEBSD and CAP branches.

Robert N M Watson


>
> On Fri, 2005-11-25 at 16:44 +0800, Joey Try wrote:
>> Yes, I wish to join you.
>>
>> I have studied the mail you forward to me, maybe Watson plan to merge CAP
>> into MAC Framework. I also studied a little of MAC Framework in FreeBSD6.0,
>> and found that there are not any cap_check entries, although there is also
>> capability.h in sys/ directory! I do not know how Robert Watson plans for
>> this.
>>
>>
>>
>>
>>> ----Dingo----
>>> Well per a previous conversation! Not sure how related it is to CAP but
>>> as stated below pertaining to SeBSD as a whole. Im trying to pitch in to
>>> bring the SeBSD to a more current 6.0 version. If you want to pitch in
>>> someplace I think the help would be appreciated.
>>>
>>> ----SNIP--------
>>>> So now that 6.0 is cut and RELEASE are there any plans to run a SeBSD
>>>> snapshot ? Its would be nice to see something more current as even the
>>>> previous snapshot was based on a dated early version of 6.). Any plans
>>>> in the works, I see the base is current, but seBSD tree is still dated
>>>
>>> I'm in the process of updating the TrustedBSD base branch to a recent
>>> 7.x, and hope to finish that in the next few days.  I have plans to then
>>> merge those changes towards the MAC branch, although that will take some
>>> time to merge due to some conflicting changes between the base FreeBSD
>>> tree and MAC branch.  Once those prerequisites are in place, it should
>>> be possible to begin work on updating SEBSD to a post 6.0-RELEASE state.
>>> One of the conflicts introduced in earlier work was that FreeBSD has
>>> made further moves towards using nmount(), which generated conflicts
>>> with the introduction of a labeled mount system call in the SEBSD
>>> branch.  With the movement towards nmount(), a special system call for a
>>> labeled mount is no longer required, as the label can simply become an
>>> additional nmount() argument.  However, some further tweaking and
>>> merging of that conversion is required.  In short: currently, no ETA,
>>> but hopefully in the next month or so.
>>>
>>> More hands are certainly welcome :-).  The code in the SEBSD branch
>>> right now needs to have its update to a slightly older 6.x finished as a
>>> first step, which basically involves fixing up any continuing disruption
>>> from the nmount change.
>>>
>>> Robert N M Watson
>>> ------SNIP-------------
>>>
>>> On Fri, 2005-11-25 at 15:57 +0800, Joey Try wrote:
>>>> hi all, I am researching the POSIX.1e capabilities impletementation in TrustedBSD
>>>>
>>>> I only get the trustedbsd-cap source derived from FreeBSD5.0, since FreeBSD has release its 6.0 version, I want to know whether there is any updated source?  whether there is anyone I can discuss with?
>>>>
>>>> To Unsubscribe: send mail to majordomo at trustedbsd.org
>>>> with "unsubscribe trustedbsd-discuss" in the body of the message
>>>
>>> To Unsubscribe: send mail to majordomo at trustedbsd.org
>>> with "unsubscribe trustedbsd-discuss" in the body of the message
>>>
>>
>>
>> To Unsubscribe: send mail to majordomo at trustedbsd.org
>> with "unsubscribe trustedbsd-discuss" in the body of the message
>
> To Unsubscribe: send mail to majordomo at trustedbsd.org
> with "unsubscribe trustedbsd-discuss" in the body of the message
>
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message

More information about the trustedbsd-discuss mailing list