Date: Tue, 3 Oct 2006 16:37:03 GMT
From: Todd Miller <millert@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 107198 for review
Message-ID: <200610031637.k93Gb3dk047758@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=107198 Change 107198 by millert@millert_macbook on 2006/10/03 16:37:00 Update from DSEP Affected files ... .. //depot/projects/trustedbsd/sedarwin8/ERRATA#2 edit .. //depot/projects/trustedbsd/sedarwin8/README#2 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/ERRATA#2 (text+ko) ==== @@ -16,10 +16,6 @@ 96: There is no security for fsoctl, ioctl, sysctl. (225 was duplicate) -117: The mpo_check_port_relabel entry point does not hold the task - label lock. Policies implmenting this entry point should - exercise caution. - 130: The Mach error returns from the framework don't always map well. Most framework entry points return bsd errno values, which are not usable as returns from mach calls. Ideally, the ==== //depot/projects/trustedbsd/sedarwin8/README#2 (text+ko) ==== 
@@ -9,13 +9,23 @@ ============ This release includes a port of the TrustedBSD MAC Framework to Apple's -Darwin 8.6 (Mac OS X 10.4.6) operating system, made up of kernel, library, +Darwin 8.7 (Mac OS X 10.4.7) operating system, made up of kernel, library, and user space tool extensions to support flexible policy introduction. In addition, several sample policy modules are present: - SEDarwin, a port of NSA's FLASK security architecture and Type Enforcement policy language from SELinux. - - MLS, a simple implementation of multi-level security + - mac_mls, a simple implementation of multi-level security + - mac_console policy, an example policy that demonstrates how login context + labels are used to identify processes associated with the current user + - mac_color policy, an example policy that demonstrates how login context + labels are used to share privilege amongst a group of processes. It also + demonstrates the use of floating labels. + - mac_device_access policy, an example policy to allow connection of + specified USB and FireWire devices and to prevent the use of unknown + devices. + - mac_extattr_test policy, an example policy to test the operation of + extremely long extended attribute values. - mac_fwinteg, an example of a minimal base policy that enforces other required and allowable policies - mac_readonly, an example integrity policy to maintain a valid @@ -34,7 +44,7 @@ appropriate for use in production environments. The following modifications have been made relative to Apple's Darwin -10.4.6 release: +10.4.7 release: - Inclusion of a subset of the MAC Framework entry points to provide label support and protection of files, processes, System V 
@@ -50,6 +60,124 @@ Mach servers. The launchd and notifyd daemons have been modified to use our security-enhanced MiG. +New Features in the 20060929 release +===================================== + + - Update to a newer version of Tiger; the vendor source base was + updated to Apple's 10.4.7 release (xnu-792.6.76 for PPC). + + - The MLS policy module was updated to + -- handle the access() permissions correctly. A separate + mac_mls_check_vnode_access() entry point was + implemented instead of using mac_mls_check_vnode_open(). + -- require both read and write access for all System V shared + memory operations on struct shmid_ds. + -- mediate system accounting (acct) to match mdeiation for auditing. + The file must be set to high; the subject privileged. + + - Changed how label handles are freed when their reference count is zero to + fix a race condition between a user program requesting and accessing a + label of a labeled kernel object and the destruction of that object. + + - Made changes to kernel credential caching by adding a + kauth_cred_dup_add() function to duplicate an existing ucred and adding + the dupe to the cred hash. This helps policy modules modify the ucred of + a specific process at fork time, so credentials are shared amongst + threads in a single process, but not among different processes. + + - New entrypoints have been added for more granular Mach access control + checks: + mpo_check_port_make + mpo_check_port_make_send_once + mpo_check_port_move_send + mpo_check_port_move_send_once + mpo_check_port_receive + + - MAC Policy socket interfaces were updated to use xsocket structure + instead of a socket, as information such as protocol number and protocol + family are unavailable. 
Modified entrypoints are: + mpo_create_socket + mpo_create_socket_from_socket + mpo_create_mbuf_from_socket + mpo_relabel_socket + mpo_set_socket_peer_from_socket + mpo_set_socket_peer_from_mbuf + mpo_check_socket_accept + mpo_check_socket_bind + mpo_check_socket_connect + mpo_check_socket_deliver + mpo_check_socket_kqfilter + mpo_check_socket_listen + mpo_check_socket_receive + mpo_check_socket_relabel + mpo_check_socket_select + mpo_check_socket_send + mpo_check_socket_stat + + - Completed mount label support. User space mount programs were + modified to allow additional parameters to specify labels. + + - Auditing of system calls such as mac_xxx(), setlcid(), getlcid(), + mac_mount(), mac_get_mount(), mac_getfsstat() was added. + + - Policies do not need mac.h anymore. The entire policy interface is + available in mac_policy.h + + - A new mac_console policy demonstrates how login context labels are used + to identify processes associated with the current user + + - A new mac_color policy demonstrates how login context labels are used + to share privilege amongst a group of processes. It also demonstrates + the use of floating labels. + + - A new mac_device_access policy demonstrates a mechanism to block + use of unknown or unauthorized USB and FireWire devices as well as + a way to allow use of known, authorized devices. This policy uses + the following entry point. + mpo_check_device_allowed + + - A new mac_extattr_test policy demonstrates how to test the operation of + extremely long extended attribute values. + + - Modules can access data items from their Info.plist files and can be + accessed by the new mac_find_module_data() function. + + - The ipctrace module has been updated with additional NULL label checks + so that it may be loaded late. Locking has been improved/corrected and + a new destroy method has been added. + + - The mac_test module has been updated to generate mac_test_check_xxx + routines automatically from mac_policy.h. 
+ + - The stub, count and stacktrace policy build commands have been updated to + correctly interpret typedefs that are encountered in mac_policy.h. + + - Fixed the order of message checks: port check should be done before + rights check. + + - Cleanup of code by removing MAC_DEBUG, fields from label structure used + in panther, unused definitions for atomic operations. + + - Correct label allocation for System V message queues to manage label + storage entirely within the MAC Framework. + + - MAC helper functions have been added to delete extended attributes. + + - kernel symbol printing has been reenabled. + + - Improved documentation has been included. In particular, + updates were made to the Design and Implementation document, the + Policy Module Writing guide, and man pages. A new document + (ISSO-06-008-Boot.pdf) discusses Boot time improvements made, their + interaction with the MAC Framework and sample policies with respect to + boot integrity. + + - The MAC Framework API documentation has been updated; + documentation is available in the docs/Framework/html/ + directory. + + - The ERRATA has the current list of defects. + New Features in the 20060630 release =====================================
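Review bot: in the ERRATA hunk (@@ -16,10 +16,6 @@), removing item 117 (mpo_check_port_relabel does not hold the task label lock) is not matched by any entry in the README "New Features in the 20060929 release" list saying that the lock is now taken; if the entry point was fixed, add a line such as "- mpo_check_port_relabel now holds the task label lock" so policy authors who coded around the old caveat know the behaviour changed, and if it was not fixed the item should stay in ERRATA rather than be dropped.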
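Review bot: in the README hunk @@ -9,13 +9,23 @@, the new entries read "mac_console policy, an example policy that ...", "mac_color policy, an example policy that ..." and "mac_device_access policy, an example policy to ...", which repeats "policy" and is inconsistent with the neighbouring "mac_fwinteg, an example of ..." and "mac_readonly, an example integrity policy ..." entries; drop the first "policy" in each of the four new lines so the list names each module the same way.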
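Review bot: in the README hunk @@ -50,6 +60,124 @@, the switch of the socket entry points from a socket to an xsocket structure (seventeen mpo_*socket* entry points are listed) and the five new mpo_check_port_* entry points change the policy module interface, but nothing in the hunk tells a reader that existing out-of-tree policies must be updated and rebuilt against the new mac_policy.h; add a sentence saying so, ideally next to the "Policies do not need mac.h anymore" item. The same hunk has the typo "mdeiation" in the MLS accounting item, and the sentence "Modules can access data items from their Info.plist files and can be accessed by the new mac_find_module_data() function" has no clear subject for the second clause; "Data items in a module's Info.plist file can be read through the new mac_find_module_data() function" says what is meant. The item "Fixed the order of message checks: port check should be done before rights check" would also help reviewers more if it named which Mach message path the reordering affects.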