From owner-freebsd-arch@FreeBSD.ORG Wed Jun 1 16:55:10 2005 Return-Path: X-Original-To: arch@FreeBSD.org Delivered-To: freebsd-arch@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9BAB416A41C for ; Wed, 1 Jun 2005 16:55:10 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [204.156.12.53]) by mx1.FreeBSD.org (Postfix) with ESMTP id 526BD43D49 for ; Wed, 1 Jun 2005 16:55:10 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by cyrus.watson.org (Postfix) with ESMTP id BCEFD46B3E for ; Wed, 1 Jun 2005 12:55:09 -0400 (EDT) Date: Wed, 1 Jun 2005 17:55:11 +0100 (BST) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: arch@FreeBSD.org Message-ID: <20050601174758.B689@fledge.watson.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: Subject: Status of various and sundry TrustedBSD/FreeBSD pieces (fwd) X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Jun 2005 16:55:10 -0000 For those not actively following the TrustedBSD lists, here's some recent status information that might be of more general interest, especially with respect to changes in the pipeline for 6.0. Robert N M Watson ---------- Forwarded message ---------- Date: Tue, 31 May 2005 23:01:33 +0100 (BST) From: Robert Watson To: trustedbsd-discuss@TrustedBSD.org Subject: Status of various and sundry TrustedBSD/FreeBSD pieces Since I know many people following the TrustedBSD work aren't following the FreeBSD or TrustedBSD commit mailing lists, I thought I'd give a brief status update on various "works in progress": - At BSDCan and the associated FreeBSD Developer Summit, presentations were given on several TrustedBSD-related topics, including the Audit and OpenBSM implementations, the TrustedBSD MAC Framework, SEBSD policy module, and the experimental port to Darwin, as well as Christian Peron's work on an executable and kernel module checksumming policy module, mac_chkexec. - Christian Peron has integrated his mac_chkexec module and tools into the TrustedBSD MAC development branch on the FreeBSD perforce server, as well as some tweaks to the MAC Framework required to support proper checksumming of shared libraries as they are mapped (this change has been merged to FreeBSD 6.x and 5.x). - Changes to label and enforce protections for POSIX semaphores on FreeBSD were merged back to the FreeBSD 6.x tree from the TrustedBSD MAC development tree in early May, and will ship as part of FreeBSD 6.0 later this summer. - In April a number of enhancements were made to the set of socket-related acess control protections, such as protections for accept, poll, and others. These have been merged to the FreeBSD CVS tree for 6.0. - In April the addition of credential-related checks in the MAC Framework was merged to the FreeBSD CVS tree for 6.0. These allow MAC policies to control changes in UNIX credentials, and while not required for our labeled policies, are desirable for other hardening policies, such as the suidacl policy module from Samy Al Bahra. The credential changes were submitted by Samy. - In March, the System V IPC labeling and enforcement protections for the MAC Framework were merged to the FreeBSD CVS tree for 6.0. - An updated SEBSD ISO, based on an updated SELinux FLASK/TE drop from 20040819, as well as updated FreeBSD pieces, has been put together by Andrew Reisse and Scott Long. They're currently testing this release, and we hope to get an ISO on the web site in the near future. The ource for all of these changes is in the trustedbsd_sebsd branch currently. There are still a number of SEBSD-related changes that haven't been merged back to the base FreeBSD tree, such as relating to the labeling on cloned pseudo-devices; I met with Poul-Henning Kamp at the FreeBSD developer summit and he's cleared the way for these changes to be merged into FreeBSD CVS for 6.0. - Work to merge Audit/BSM to the base FreeBSD tree has now begun; the system call table format and structures were updated in the last couple of days to hold audit event mapping information, and we're currently polishing OpenBSM for a 1.0 release. The primary obstacles to progress here are finishing the cleanup, and waiting on Apple to relicense some of the kernel-related files under a BSD license (this is currently in the hands of Apple Legal, and should move shortly). Our hope is to ship Audit as an experimental feature in FreeBSD 6.0, and a production feature in FreeBSD 6.1. Many thanks to Wayne Salamon, Tom Rhodes, and others for their work on this. After meeting with Apple two weeks ago in Cupertino, it sounds like they're interested in picking up the OpenBSM bug fixes and enhancements to the user space BSM library, tools, documentation, etc, which would be another great outcome. So things are coming together nicely for the 6.0 release, although the deadlines for it are getting a bit tight! Robert N M Watson To Unsubscribe: send mail to majordomo@trustedbsd.org with "unsubscribe trustedbsd-discuss" in the body of the message