From: Robert Watson
Date: Fri, 16 May 2003 12:39:31 -0400 (EDT)
To: "Ilmar S. Habibulin"
cc: re@FreeBSD.org
cc: current@FreeBSD.org
Subject: Re: 5.2-RELEASE TODO

On Fri, 16 May 2003, Ilmar S. Habibulin wrote:

> On Thu, 15 May 2003, Robert Watson wrote:
>
> >                     Desired Features for 5.2-RELEASE
> >
> > +------------------------------------------------------------------------+
> > |    Issue    | Status |  Responsible  |           Description           |
> > |-------------+--------+---------------+---------------------------------|
> > |             |        |               | Currently, MAC protections are  |
> > |             |        |               | enforced only on locally        |
> > |             |        |               | originated file system          |
> > |             |        |               | operations (VOPs), and not on   |
> > |             |        |               | RPCs generated via the NFS      |
> > | MAC support |        |               | server. Improvements in NFS     |
> > | for NFS     | --     | Robert Watson | server credential handling are  |
> > | Server      |        |               | required to correct this        |
> > |             |        |               | problem, as well as the         |
> > |             |        |               | introduction of new entry       |
> > |             |        |               | points to properly label NFS    |
> > |             |        |               | credentials and perform         |
> > |             |        |               | enforcement properly.           |
> > |-------------+--------+---------------+---------------------------------|
>
> Do you plan to transfer labels over NFS? If so, why not to make some
> generic extended attributes transfer mechanism over NFS and use it for
> ACL too?

Right now, no mediation is performed on requests received via NFS RPC's,
so the first bit of the work is to provide for that mediation based on
current credentials.  The second bit is to find useful sources of label
data for those credentials -- that might include host mapping tables,
additional NFS RPCs, packet labels, etc.  The mediation element falls out
easily once you have some of the NFS credential fixes we have in the MAC
tree, and shouldn't be hard.  Then the question of where the labels come
from and how to integrate the policies are raised, and I think some
experimentation is called for.

> And what about packet labeling - it's still desired feature for
> trustedbsd/6.0-current?

Yes.  It could be we get it in for 5.2, though.  Both improvements in
IPSEC integration, and CIPSO are highly desirable features.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories