From owner-trustedbsd-cvs@FreeBSD.ORG Tue Oct 3 16:37:23 2006
Date: Tue, 3 Oct 2006 16:37:03 GMT
Message-Id:
<200610031637.k93Gb3dk047758@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 107198 for review X-BeenThere: trustedbsd-cvs@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD CVS and Perforce commit message list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Oct 2006 16:37:23 -0000 http://perforce.freebsd.org/chv.cgi?CH=107198 Change 107198 by millert@millert_macbook on 2006/10/03 16:37:00 Update from DSEP Affected files ... .. //depot/projects/trustedbsd/sedarwin8/ERRATA#2 edit .. //depot/projects/trustedbsd/sedarwin8/README#2 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/ERRATA#2 (text+ko) ==== @@ -16,10 +16,6 @@ 96: There is no security for fsoctl, ioctl, sysctl. (225 was duplicate) -117: The mpo_check_port_relabel entry point does not hold the task - label lock. Policies implmenting this entry point should - exercise caution. - 130: The Mach error returns from the framework don't always map well. Most framework entry points return bsd errno values, which are not usable as returns from mach calls. Ideally, the ==== //depot/projects/trustedbsd/sedarwin8/README#2 (text+ko) ==== 
@@ -9,13 +9,23 @@ ============ This release includes a port of the TrustedBSD MAC Framework to Apple's -Darwin 8.6 (Mac OS X 10.4.6) operating system, made up of kernel, library, +Darwin 8.7 (Mac OS X 10.4.7) operating system, made up of kernel, library, and user space tool extensions to support flexible policy introduction. In addition, several sample policy modules are present: - SEDarwin, a port of NSA's FLASK security architecture and Type Enforcement policy language from SELinux. - - MLS, a simple implementation of multi-level security + - mac_mls, a simple implementation of multi-level security + - mac_console policy, an example policy that demonstrates how login context + labels are used to identify processes associated with the current user + - mac_color policy, an example policy that demonstrates how login context + labels are used to share privilege amongst a group of processes. It also + demonstrates the use of floating labels. + - mac_device_access policy, an example policy to allow connection of + specified USB and FireWire devices and to prevent the use of unknown + devices. + - mac_extattr_test policy, an example policy to test the operation of + extremely long extended attribute values. - mac_fwinteg, an example of a minimal base policy that enforces other required and allowable policies - mac_readonly, an example integrity policy to maintain a valid @@ -34,7 +44,7 @@ appropriate for use in production environments. The following modifications have been made relative to Apple's Darwin -10.4.6 release: +10.4.7 release: - Inclusion of a subset of the MAC Framework entry points to provide label support and protection of files, processes, System V 
@@ -50,6 +60,124 @@ Mach servers. The launchd and notifyd daemons have been modified to use our security-enhanced MiG. +New Features in the 20060929 release +===================================== + + - Update to a newer version of Tiger; the vendor source base was + updated to Apple's 10.4.7 release (xnu-792.6.76 for PPC). + + - The MLS policy module was updated to + -- handle the access() permissions correctly. A separate + mac_mls_check_vnode_access() entry point was + implemented instead of using mac_mls_check_vnode_open(). + -- require both read and write access for all System V shared + memory operations on struct shmid_ds. + -- mediate system accounting (acct) to match mdeiation for auditing. + The file must be set to high; the subject privileged. + + - Changed how label handles are freed when their reference count is zero to + fix a race condition between a user program requesting and accessing a + label of a labeled kernel object and the destruction of that object. + + - Made changes to kernel credential caching by adding a + kauth_cred_dup_add() function to duplicate an existing ucred and adding + the dupe to the cred hash. This helps policy modules modify the ucred of + a specific process at fork time, so credentials are shared amongst + threads in a single process, but not among different processes. + + - New entrypoints have been added for more granular Mach access control + checks: + mpo_check_port_make + mpo_check_port_make_send_once + mpo_check_port_move_send + mpo_check_port_move_send_once + mpo_check_port_receive + + - MAC Policy socket interfaces were updated to use xsocket structure + instead of a socket, as information such as protocol number and protocol + family are unavailable. 
Modified entrypoints are: + mpo_create_socket + mpo_create_socket_from_socket + mpo_create_mbuf_from_socket + mpo_relabel_socket + mpo_set_socket_peer_from_socket + mpo_set_socket_peer_from_mbuf + mpo_check_socket_accept + mpo_check_socket_bind + mpo_check_socket_connect + mpo_check_socket_deliver + mpo_check_socket_kqfilter + mpo_check_socket_listen + mpo_check_socket_receive + mpo_check_socket_relabel + mpo_check_socket_select + mpo_check_socket_send + mpo_check_socket_stat + + - Completed mount label support. User space mount programs were + modified to allow additional parameters to specify labels. + + - Auditing of system calls such as mac_xxx(), setlcid(), getlcid(), + mac_mount(), mac_get_mount(), mac_getfsstat() was added. + + - Policies do not need mac.h anymore. The entire policy interface is + available in mac_policy.h + + - A new mac_console policy demonstrates how login context labels are used + to identify processes associated with the current user + + - A new mac_color policy demonstrates how login context labels are used + to share privilege amongst a group of processes. It also demonstrates + the use of floating labels. + + - A new mac_device_access policy demonstrates a mechanism to block + use of unknown or unauthorized USB and FireWire devices as well as + a way to allow use of known, authorized devices. This policy uses + the following entry point. + mpo_check_device_allowed + + - A new mac_extattr_test policy demonstrates how to test the operation of + extremely long extended attribute values. + + - Modules can access data items from their Info.plist files and can be + accessed by the new mac_find_module_data() function. + + - The ipctrace module has been updated with additional NULL label checks + so that it may be loaded late. Locking has been improved/corrected and + a new destroy method has been added. + + - The mac_test module has been updated to generate mac_test_check_xxx + routines automatically from mac_policy.h. 
+ + - The stub, count and stacktrace policy build commands have been updated to + correctly interpret typedefs that are encountered in mac_policy.h. + + - Fixed the order of message checks: port check should be done before + rights check. + + - Cleanup of code by removing MAC_DEBUG, fields from label structure used + in panther, unused definitions for atomic operations. + + - Correct label allocation for System V message queues to manage label + storage entirely within the MAC Framework. + + - MAC helper functions have been added to delete extended attributes. + + - kernel symbol printing has been reenabled. + + - Improved documentation has been included. In particular, + updates were made to the Design and Implementation document, the + Policy Module Writing guide, and man pages. A new document + (ISSO-06-008-Boot.pdf) discusses Boot time improvements made, their + interaction with the MAC Framework and sample policies with respect to + boot integrity. + + - The MAC Framework API documentation has been updated; + documentation is available in the docs/Framework/html/ + directory. + + - The ERRATA has the current list of defects. + New Features in the 20060630 release =====================================
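Review bot: erratum 117 (mpo_check_port_relabel is called without the task label lock held) is dropped from ERRATA, but nothing in the README's 20060929 notes records that this was fixed; the Mach section of the README hunk only lists the new mpo_check_port_make, mpo_check_port_make_send_once, mpo_check_port_move_send, mpo_check_port_move_send_once and mpo_check_port_receive entry points. Either add a README line stating that mpo_check_port_relabel is now invoked with the task label lock held, or keep the erratum until that fix is in the tree, because policies written against the old warning cannot otherwise tell whether they may drop their own defensive locking.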
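Review bot: the sample-policy list in the first README hunk (@@ -9,13 +9,23 @@) mixes naming styles: MLS is renamed to "mac_mls" without a suffix, the four new entries read "mac_console policy", "mac_color policy", "mac_device_access policy" and "mac_extattr_test policy", while the existing mac_fwinteg and mac_readonly entries carry no "policy" suffix and SEDarwin keeps its unprefixed name. Pick one form for every entry, e.g. "- mac_console, an example policy that demonstrates how login context labels ..." so a reader can match each list item to the module name used in the release notes below.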
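Review bot: the version bump in the second README hunk (@@ -34,7 +44,7 @@) now produces "relative to Apple's Darwin 10.4.7 release", which contradicts the "Darwin 8.7 (Mac OS X 10.4.7)" wording introduced a few lines earlier in the same file; 10.4.7 is the Mac OS X version, not the Darwin version. Suggest "+8.7 (Mac OS X 10.4.7) release:" here, or change the unchanged context line to "relative to Apple's Mac OS X" so the two statements agree.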
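Review bot: the Info.plist item in the third README hunk (@@ -50,6 +60,124 @@) is garbled, "Modules can access data items from their Info.plist files and can be accessed by the new mac_find_module_data() function" has two subjects and says neither clearly; suggest "Data items from a module's Info.plist file can be retrieved with the new mac_find_module_data() function." In the same hunk: "mdeiation" should be "mediation"; the socket-interface item should say where protocol number and protocol family are unavailable (the sentence only makes sense if it means they cannot be obtained from struct socket, which is why xsocket is passed instead); "This policy uses the following entry point." should end with a colon to match "Modified entrypoints are:"; "entrypoints" and "entry points" are both used and should be made consistent; "kernel symbol printing has been reenabled" should be capitalised like the other items; and the "Fixed the order of message checks: port check should be done before rights check" item would be far more useful to policy authors if it named the call path affected and what a rights-before-port ordering previously let through, since it is the one behavioural security fix in the list with no explanation.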