capabilities impletementation?

Joey Try jiayong02 at iscas.cn
Tue Nov 29 06:17:24 GMT 2005 

I think so, while I looking into trustedbsd-cap, I found some issues that 
puzzled me, not only in impletementation, but also configuration. 

If under some guide-lines, cap will not be so hard to be added into FreeBSD, 
so will it be between diferent source versions.


>Im game, cause its falling behind, I know we all have jobs, but if we
>can tackle both with some guidance from scott Id be more then happy to
>help get them up to date. The SeBSD branch in its current state, well to
>say the least is buildable anyway. Ive been poking thru this code base
>for a couple weeks, getting more familiar with the changes and looking
>at nmount/mount issues as discussed earlier. sure, get me setup with
>perforce and ill start to pound on this harder. If the others wish to
>partake, the more the merrier. If there is a way to branch a cap2 off
>and move forward there also, so be it.  If scott can provide some
>guidance for us, im for it. At least itll be a beginning. 
>
>On Mon, 2005-11-28 at 14:01 +0000, Robert Watson wrote:
>> On Fri, 25 Nov 2005, Dingo wrote:
>> 
>> > Robert , Scott ?? You guys want to give a bit of insight see if we can 
>> > co-ordinate this between me and Joey, I think we are willing to pitch in 
>> > more. I know Ive been pounding SeBSD into submission, where can we merge 
>> > and bring forth the efforts faster?? And yes.. Scott a diff drop point 
>> > would be good for me
>> 
>> So an interesting question is -- if we want to move forward with the 
>> POSIX.1e privilege/capability implementation, do we want to attempt to 
>> make it a MAC module, or do we want to keep the implementation separate. 
>> Right now, the trustedbsd_cap branch is quite dated, but probably isn't 
>> all that hard to update.  It does depend on changes that are also present 
>> in the SEBSD branch, so there is the potential to combine efforts.  On the 
>> other hand, there are lots of changes required for both that are 
>> dependencies of only one -- for example, the type enforcement related 
>> changes in user space aren't required for the capability implementation. 
>> My leaning would be to keep them in different work areas, but to share as 
>> much of the implementation as possible.
>> 
>> If it would make it easier, it's pretty straight forward to arrange 
>> perforce accounts for both of you so you can get to and work on the 
>> TrustedBSD branches in Perforce.  If you could coordinate with Scott on 
>> SEBSD though, this would be great.  I know that Yanjun Wu is also quite 
>> interested in the SEBSD work, and has had his hands in some local 
>> implementation work relating to SEBSD.  Yanjun is also already set up with 
>> Perforce access.
>> 
>> The most recent integration dates for the various branches are currently:
>> 
>> trustedbsd base		20051110
>>    trustedbsd audit3	20050926
>>    trustedbsd mac	20051110
>>    trustedbsd sebsd	20050710
>> 
>> The CAP branch may well last have been integrated in 2001.  For that, it 
>> might be worth starting with a cap2 branch integrated from 
>> trustedbsd_base, and then propagating specific changes to it from the 
>> SEBSD and CAP branches.
>> 
>> Robert N M Watson
>> 
>> 
>> >
>> > On Fri, 2005-11-25 at 16:44 +0800, Joey Try wrote:
>> >> Yes, I wish to join you.
>> >>
>> >> I have studied the mail you forward to me, maybe Watson plan to merge CAP
>> >> into MAC Framework. I also studied a little of MAC Framework in FreeBSD6.0,
>> >> and found that there are not any cap_check entries, although there is also
>> >> capability.h in sys/ directory! I do not know how Robert Watson plans for
>> >> this.
>> >>
>> >>
>> >>
>> >>
>> >>> ----Dingo----
>> >>> Well per a previous conversation! Not sure how related it is to CAP but
>> >>> as stated below pertaining to SeBSD as a whole. Im trying to pitch in to
>> >>> bring the SeBSD to a more current 6.0 version. If you want to pitch in
>> >>> someplace I think the help would be appreciated.
>> >>>
>> >>> ----SNIP--------
>> >>>> So now that 6.0 is cut and RELEASE are there any plans to run a SeBSD
>> >>>> snapshot ? Its would be nice to see something more current as even the
>> >>>> previous snapshot was based on a dated early version of 6.). Any plans
>> >>>> in the works, I see the base is current, but seBSD tree is still dated
>> >>>
>> >>> I'm in the process of updating the TrustedBSD base branch to a recent
>> >>> 7.x, and hope to finish that in the next few days.  I have plans to then
>> >>> merge those changes towards the MAC branch, although that will take some
>> >>> time to merge due to some conflicting changes between the base FreeBSD
>> >>> tree and MAC branch.  Once those prerequisites are in place, it should
>> >>> be possible to begin work on updating SEBSD to a post 6.0-RELEASE state.
>> >>> One of the conflicts introduced in earlier work was that FreeBSD has
>> >>> made further moves towards using nmount(), which generated conflicts
>> >>> with the introduction of a labeled mount system call in the SEBSD
>> >>> branch.  With the movement towards nmount(), a special system call for a
>> >>> labeled mount is no longer required, as the label can simply become an
>> >>> additional nmount() argument.  However, some further tweaking and
>> >>> merging of that conversion is required.  In short: currently, no ETA,
>> >>> but hopefully in the next month or so.
>> >>>
>> >>> More hands are certainly welcome :-).  The code in the SEBSD branch
>> >>> right now needs to have its update to a slightly older 6.x finished as a
>> >>> first step, which basically involves fixing up any continuing disruption
>> >>> from the nmount change.
>> >>>
>> >>> Robert N M Watson
>> >>> ------SNIP-------------
>> >>>
>> >>> On Fri, 2005-11-25 at 15:57 +0800, Joey Try wrote:
>> >>>> hi all, I am researching the POSIX.1e capabilities impletementation in TrustedBSD
>> >>>>
>> >>>> I only get the trustedbsd-cap source derived from FreeBSD5.0, since FreeBSD has release its 6.0 version, I want to know whether there is any updated source?  whether there is anyone I can discuss with?
>> >>>>
>> >>>> To Unsubscribe: send mail to majordomo at trustedbsd.org
>> >>>> with "unsubscribe trustedbsd-discuss" in the body of the message
>> >>>
>> >>> To Unsubscribe: send mail to majordomo at trustedbsd.org
>> >>> with "unsubscribe trustedbsd-discuss" in the body of the message
>> >>>
>> >>
>> >>
>> >> To Unsubscribe: send mail to majordomo at trustedbsd.org
>> >> with "unsubscribe trustedbsd-discuss" in the body of the message
>> >
>> > To Unsubscribe: send mail to majordomo at trustedbsd.org
>> > with "unsubscribe trustedbsd-discuss" in the body of the message
>> >
>
>To Unsubscribe: send mail to majordomo at trustedbsd.org
>with "unsubscribe trustedbsd-discuss" in the body of the message
>


To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message

More information about the trustedbsd-discuss mailing list