PERFORCE change 148447 for review
Robert Watson
rwatson at FreeBSD.org
Mon Aug 25 20:58:45 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=148447
Change 148447 by rwatson at rwatson_fledge on 2008/08/25 20:58:12
Updates to a number of component web pages to bring them more
in sync with reality.
Affected files ...
.. //depot/projects/trustedbsd/www/geom.page#3 edit
.. //depot/projects/trustedbsd/www/mac.page#5 edit
.. //depot/projects/trustedbsd/www/privileges.page#5 edit
.. //depot/projects/trustedbsd/www/sebsd.page#9 edit
.. //depot/projects/trustedbsd/www/sedarwin.page#7 edit
Differences ...
==== //depot/projects/trustedbsd/www/geom.page#3 (text+ko) ====
@@ -29,7 +29,7 @@
<cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
<cvs:keyword name="freebsd">
- $P4: //depot/projects/trustedbsd/www/geom.page#2 $
+ $P4: //depot/projects/trustedbsd/www/geom.page#3 $
</cvs:keyword>
</cvs:keywords>
@@ -47,7 +47,7 @@
<p>GEOM has been present in FreeBSD since FreeBSD 5.0-RELEASE, with
increasing numbers of transform modules over time, including the
- GELI encryption and integrity protection module..</p>
+ GELI encryption and integrity protection module.</p>
<p>GEOM and GBDE were implemented by Poul-Henning Kamp.</p>
==== //depot/projects/trustedbsd/www/mac.page#5 (text+ko) ====
@@ -37,7 +37,7 @@
<cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
<cvs:keyword name="freebsd">
- $P4: //depot/projects/trustedbsd/www/mac.page#4 $
+ $P4: //depot/projects/trustedbsd/www/mac.page#5 $
</cvs:keyword>
</cvs:keywords>
@@ -45,54 +45,32 @@
<title>TrustedBSD Mandatory Access Control (MAC) Framework</title>
<html>
- <p>
- <span id="collection-label">Perforce:</span>
- <span id="cvsup-collection">//depot/projects/trustedbsd/mac/...</span>
- </p>
- <p>
- <span id="collection-label">Collection:</span>
- <span id="cvsup-collection">p4-cvs-trustedbsd-mac</span>
- </p>
- <p>Mandatory access controls extend discretionary access
- controls by allowing administrators to enforce additional
- security for all subjects (e.g. processes or sockets) and
- objects (e.g. sockets, file system objects, sysctl nodes) in
- the system. Development of those new access control models
- is facilitated by the development of a flexible kernel
- access control extension framework, the TrustedBSD MAC
- Framework. This permits new access control models to be
- introduced as kernel modules.</p>
+ <p>Mandatory access controls extend operating system access control
+ policy by allowing administrators to enforce additional constraints
+ on user and application behavior.
+ The TrustedBSD MAC Framework is a kernel programming interface
+ allowing loadable modules to augment the system security policy in
+ order to implement mandatory access control in a flexible manner.</p>
- <p>Currently, modules exist that implement MLS (Multi-Level
- Security), a fixed-label Biba integrity policy, Type
- Enforcement, and several other security policies that
- reflect common requirements of typical FreeBSD deployment
- environments, such as mandatory limits on inter-user
- visibility in multi-user environments. The current
- implementation of Low-Watermark MAC (LOMAC) will also be
- ported to use the module framework. In addition, the
- DARPA-funded Network Associates Laboratories' CBOSS Project
- is porting the NSA FLASK/SELinux implementation (SEBSD) to
- run as an extension model over the TrustedBSD MAC Framework.
- More information on the SEBSD module may be found on the
- <a href="sebsd.html">SEBSD page</a>.</p>
+ <p>The TrustedBSD MAC Framework first shipped in FreeBSD 5.0, with
+ significant functionality, quality, and performance enhancements in
+ later releases. Supported policy modules include rule-based file
+ system firewall support, TCP/UDP port access control lists,
+ inter-user process visibility controls, as well as classic mandatory
+ access control policies such as Multi-Level Security (MLS) with
+ compartments, and fixed- and floating-label Biba integrity policies.
+ Third party policy modules include cryptographic checksums on system
+ binaries, and <a href="sebsd.html">SEBSD</a>, a port of the NSA
+ FLASK/SELinux policy to FreeBSD. A number of commercial
+ FreeBSD-based products make use of the TrustedBSD MAC Framework to
+ locally modify the operating system security policy.</p>
- <p>This work is primarily occuring in a TrustedBSD Perforce
- branch, but much of the framework has been merged to the
- main FreeBSD development tree and was included in FreeBSD
- 5.0 and forwards. The current implementation is appropriate
- for experimental or limited production use; both internal
- and exposed MAC APIs will not be frozen until 5.2-RELEASE.
- All policy modules with the exception of the SEBSD
- implementation have been merged into the FreeBSD tree at
- this point.</p>
-
- <p>Work has also recently begun on an experimental port of
- the TrustedBSD MAC Framework from FreeBSD to Apple's
- Darwin operating system.
- Information on this port may be found on the <a
- href="sedarwin.html">SEDarwin page</a>.</p>
+ <p>The TrustedBSD MAC Framework is also present in Mac
+ OS X as of the Leopard release, where it is used to implement
+ Seatbelt and other system security services. A port of FLASK and
+ SELinux is also available via <a
+ href="sedarwin.html">SEDarwin</a>.</p>
</html>
</section>
==== //depot/projects/trustedbsd/www/privileges.page#5 (text+ko) ====
@@ -29,7 +29,7 @@
<cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
<cvs:keyword name="freebsd">
- $P4: //depot/projects/trustedbsd/www/privileges.page#4 $
+ $P4: //depot/projects/trustedbsd/www/privileges.page#5 $
</cvs:keyword>
</cvs:keywords>
@@ -46,11 +46,12 @@
<span id="cvsup-collection">p4-cvs-trustedbsd-cap</span>
</p>
- <p>NB: Historically this project was referred to as fine-grained
+ <p><b>Historically this project was referred to as fine-grained
capabilities, but due to a vocabulary conflict, it has been renamed
to fine-grained privileges. Information in this page currently refers
to a FreeBSD 5.x-era project to support fine-grained privileges, and
- will shortly be superseded by a similar project for FreeBSD 8.x.</p>
+ will shortly be superseded by a similar project for FreeBSD
+ 8.x.</b></p>
<p>POSIX.1e breaks root privilege into a set of privileges
(historically referred to as "Capabilities"), which allow the
==== //depot/projects/trustedbsd/www/sebsd.page#9 (text+ko) ====
@@ -32,12 +32,12 @@
SUCH DAMAGE.
-->
-<page role="components">
+<page role="sebsd">
<title>SEBSD</title>
<cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
<cvs:keyword name="freebsd">
- $P4: //depot/projects/trustedbsd/www/sebsd.page#8 $
+ $P4: //depot/projects/trustedbsd/www/sebsd.page#9 $
</cvs:keyword>
</cvs:keywords>
==== //depot/projects/trustedbsd/www/sedarwin.page#7 (text+ko) ====
@@ -31,12 +31,12 @@
SUCH DAMAGE.
-->
-<page role="components">
+<page role="sedarwin">
<title>SEDarwin</title>
<cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
<cvs:keyword name="freebsd">
- $P4: //depot/projects/trustedbsd/www/sedarwin.page#6 $
+ $P4: //depot/projects/trustedbsd/www/sedarwin.page#7 $
</cvs:keyword>
</cvs:keywords>
@@ -45,40 +45,18 @@
policy module to Apple's Darwin operating system</title>
<html>
- <p>
- <span id="collection-label">Perforce:</span>
- <span id="cvsup-collection">//depot/projects/trustedbsd/sedarwin7/...</span>
- </p>
- <p>
- <span id="collection-label">Collection:</span>
- <span id="cvsup-collection">p4-cvs-trustedbsd-sedarwin</span>
- </p>
- <p>SEDarwin is a port of the <a href="mac.html">TrustedBSD MAC
- Framework</a> access control extension framework to Apple's
- Darwin operating system platform, along with a port of the
- <a href="sebsd.html">SEBSD policy module</a>.
- SEDarwin is highly experimental, but is currently sufficiently
- functional to allow the enforcement of mandatory process
- and file protections under Mac OS 10.3.8 and Darwin 7.3 on
- a variety of Apple PowerPC hardware.
+ <p>The SEDarwin Project consisted of two parts: a port of the
+ <a href="mac.html">TrustedBSD MAC Framework</a> to the Mac OS X
+ operating system, and a similar adaptation of <a
+ href="sebsd.html">SEBSD</a> to MAC OS X based on that port. This
+ port was made available against Mac OS X Panther and Mac OS X Tiger;
+ as of Mac OS X Leopard, the TrustedBSD MAC Framework is now
+ available as part of the shipping Mac OS X product.</p>
- The SEDarwin project has recently moved to it's own website at
+ <p>The SEDarwin project has recently moved to it's own website at
<a href="http://www.sedarwin.org">www.sedarwin.org</a>. More
- information and current versions of SEDarwin can be found there.
- </p>
-
- <p>The Darwin Security Extension Project (DSEP) complements the
- SEDarwin work, but has a different goal. DSEP is primarily concerned
- with updating and maintaining the TrustedBSD MAC Framework on
- Darwin. While still experimental, the MAC Framework has been
- updated to support Mac OS X "Tiger", currently supporting Mac OS X
- 10.4.3 (Darwin 8.4). Note that the DSEP releases typically won't
- have the newest FLASK and SELinux components; they will be migrated
- to the Tiger platform soon.</p>
-
- <p>The DSEP sources have also recently moved to
- <a href="http://www.sedarwin.org">sedarwin.org</a></p>
+ information and current versions of SEDarwin can be found there.</p>
</html>
</section>
More information about the p4-projects
mailing list