From owner-p4-projects@FreeBSD.ORG Sun Jul 22 20:49:02 2012
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
id D93EB1065670; Sun, 22 Jul 2012 20:49:01 +0000 (UTC)
Delivered-To: perforce@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
by hub.freebsd.org (Postfix) with ESMTP id 9B2C1106566C
for ; Sun, 22 Jul 2012 20:49:01 +0000 (UTC)
(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from skunkworks.freebsd.org (skunkworks.freebsd.org
[IPv6:2001:4f8:fff6::2d])
by mx1.freebsd.org (Postfix) with ESMTP id 69D0F8FC19
for ; Sun, 22 Jul 2012 20:49:01 +0000 (UTC)
Received: from skunkworks.freebsd.org (localhost [127.0.0.1])
by skunkworks.freebsd.org (8.14.4/8.14.4) with ESMTP id q6MKn1nl081027
for ; Sun, 22 Jul 2012 20:49:01 GMT
(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost)
by skunkworks.freebsd.org (8.14.4/8.14.4/Submit) id q6MKn1Wa081023
for perforce@freebsd.org; Sun, 22 Jul 2012 20:49:01 GMT
(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Date: Sun, 22 Jul 2012 20:49:01 GMT
Message-Id: <201207222049.q6MKn1Wa081023@skunkworks.freebsd.org>
X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to
bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson
To: Perforce Change Reviews
Precedence: bulk
Cc:
Subject: PERFORCE change 214778 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 22 Jul 2012 20:49:02 -0000
http://p4web.freebsd.org/@@214778?ac=10
Change 214778 by rwatson@rwatson_fledge on 2012/07/22 20:48:55
Update the TrustedBSD privileges web page to clarify the current
status of a kernel privilege model, and point at both priv(9) and
the MAC framework.
Affected files ...
.. //depot/projects/trustedbsd/www/privileges.page#6 edit
Differences ...
==== //depot/projects/trustedbsd/www/privileges.page#6 (text+ko) ====
@@ -1,5 +1,5 @@
- Historically this project was referred to as fine-grained
- capabilities, but due to a vocabulary conflict, it has been renamed
+
In this past, this project was referred to as fine-grained
+ capabilities, but due to a vocabulary conflict with the capability
+ system model used in Capsicum, it has been renamed
to fine-grained privileges. Information in this page currently refers
- to a FreeBSD 5.x-era project to support fine-grained privileges, and
- will shortly be superseded by a similar project for FreeBSD
- 8.x.
+ to a FreeBSD 5.x-era project to support fine-grained
+ privileges.
+
+ In FreeBSD 7.0, the priv(9) KPI
+ was introduced, classifying all kernel uses of privileges and
+ exposing this information to a centralised kernel component.
+ The kernel's mandatory access control framework
+ allows MAC policy modules to deny (and grant) privileges, but
+ FreeBSD does not currently provide a userspace API for privilege
+ management.
+ Discussion below is historical.
+
+
POSIX.1e breaks root privilege into a set of privileges
(historically referred to as "Capabilities"), which allow the