Date: Sun, 22 Jul 2012 20:49:01 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 214778 for review Message-ID: <201207222049.q6MKn1Wa081023@skunkworks.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://p4web.freebsd.org/@@214778?ac=10 Change 214778 by rwatson@rwatson_fledge on 2012/07/22 20:48:55 Update the TrustedBSD privileges web page to clarify the current status of a kernel privilege model, and point at both priv(9) and the MAC framework. Affected files ... .. //depot/projects/trustedbsd/www/privileges.page#6 edit Differences ... ==== //depot/projects/trustedbsd/www/privileges.page#6 (text+ko) ==== @@ -1,5 +1,5 @@ <!-- - Copyright (c) 2006 Robert N. M. Watson + Copyright (c) 2006-2012 Robert N. M. Watson All rights reserved. Redistribution and use in source and binary forms, with or without @@ -29,7 +29,7 @@ <cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0"> <cvs:keyword name="freebsd"> - $P4: //depot/projects/trustedbsd/www/privileges.page#5 $ + $P4: //depot/projects/trustedbsd/www/privileges.page#6 $ </cvs:keyword> </cvs:keywords> @@ -37,6 +37,7 @@ <title>TrustedBSD POSIX.1e Privileges</title> <html> + <!-- <p> <span id="collection-label">Perforce:</span> <span id="cvsup-collection">//depot/projects/trustedbsd/cap/...</span> @@ -45,13 +46,26 @@ <span id="collection-label">Collection:</span> <span id="cvsup-collection">p4-cvs-trustedbsd-cap</span> </p> + --> - <p><b>Historically this project was referred to as fine-grained - capabilities, but due to a vocabulary conflict, it has been renamed + <p><b>In this past, this project was referred to as fine-grained + capabilities, but due to a vocabulary conflict with the <i>capability + system model</i> used in Capsicum, it has been renamed to fine-grained privileges. Information in this page currently refers - to a FreeBSD 5.x-era project to support fine-grained privileges, and - will shortly be superseded by a similar project for FreeBSD - 8.x.</b></p> + to a FreeBSD 5.x-era project to support fine-grained + privileges.</b></p> + + <p><b>In FreeBSD 7.0, the <a + href="http://www.freebsd.org/cgi/man.cgi?query=priv">priv(9) KPI</a> + was introduced, classifying all kernel uses of privileges and + exposing this information to a centralised kernel component. + The kernel's <a href="mac.html">mandatory access control framework</a> + allows MAC policy modules to deny (and grant) privileges, but + FreeBSD does not currently provide a userspace API for privilege + management. + Discussion below is historical.</b></p> + + <hr /> <p>POSIX.1e breaks root privilege into a set of privileges (historically referred to as "Capabilities"), which allow the
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201207222049.q6MKn1Wa081023>