Date: Sun, 22 Jul 2012 20:49:01 GMT
Message-Id: <201207222049.q6MKn1Wa081023@skunkworks.freebsd.org>
From: Robert Watson
To: Perforce Change Reviews
Subject: PERFORCE change 214778 for review
List-Id: p4 projects tree changes
X-List-Received-Date: Sun, 22 Jul 2012 20:49:02 -0000

http://p4web.freebsd.org/@@214778?ac=10

Change 214778 by rwatson@rwatson_fledge on 2012/07/22 20:48:55

Update the TrustedBSD privileges web page to clarify the current status of a kernel privilege model, and point at both priv(9) and the MAC framework.

Affected files ...

.. //depot/projects/trustedbsd/www/privileges.page#6 edit

Differences ...

==== //depot/projects/trustedbsd/www/privileges.page#6 (text+ko) ====

@@ -1,5 +1,5 @@ -

Historically this project was referred to as fine-grained - capabilities, but due to a vocabulary conflict, it has been renamed +

In this past, this project was referred to as fine-grained + capabilities, but due to a vocabulary conflict with the capability + system model used in Capsicum, it has been renamed to fine-grained privileges. Information in this page currently refers - to a FreeBSD 5.x-era project to support fine-grained privileges, and - will shortly be superseded by a similar project for FreeBSD - 8.x.

+ to a FreeBSD 5.x-era project to support fine-grained + privileges.

+ +

In FreeBSD 7.0, the priv(9) KPI + was introduced, classifying all kernel uses of privileges and + exposing this information to a centralised kernel component. + The kernel's mandatory access control framework + allows MAC policy modules to deny (and grant) privileges, but + FreeBSD does not currently provide a userspace API for privilege + management. + Discussion below is historical.

+ +

POSIX.1e breaks root privilege into a set of privileges (historically referred to as "Capabilities"), which allow the
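Review bot: typo in the first added line: "In this past, this project was referred to as" should read "In the past, ..."; the removed wording ("Historically this project was referred to as") did not have this problem. Separately, the first paragraph still says "Information in this page currently refers to a FreeBSD 5.x-era project" while the new second paragraph ends with "Discussion below is historical.", so the page now states its historical status twice. Consider moving the 5.x-era sentence into the new paragraph, next to the priv(9) and MAC framework status, so a reader sees the current state and the scope of the old text in one place.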