PERFORCE change 107198 for review
Todd Miller
millert at FreeBSD.org
Tue Oct 3 09:37:23 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=107198
Change 107198 by millert at millert_macbook on 2006/10/03 16:37:00
Update from DSEP
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/ERRATA#2 edit
.. //depot/projects/trustedbsd/sedarwin8/README#2 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/ERRATA#2 (text+ko) ====
@@ -16,10 +16,6 @@
96: There is no security for fsoctl, ioctl, sysctl. (225 was duplicate)
-117: The mpo_check_port_relabel entry point does not hold the task
- label lock. Policies implmenting this entry point should
- exercise caution.
-
130: The Mach error returns from the framework don't always map
well. Most framework entry points return bsd errno values, which
are not usable as returns from mach calls. Ideally, the
==== //depot/projects/trustedbsd/sedarwin8/README#2 (text+ko) ====
@@ -9,13 +9,23 @@
============
This release includes a port of the TrustedBSD MAC Framework to Apple's
-Darwin 8.6 (Mac OS X 10.4.6) operating system, made up of kernel, library,
+Darwin 8.7 (Mac OS X 10.4.7) operating system, made up of kernel, library,
and user space tool extensions to support flexible policy introduction.
In addition, several sample policy modules are present:
- SEDarwin, a port of NSA's FLASK security architecture and
Type Enforcement policy language from SELinux.
- - MLS, a simple implementation of multi-level security
+ - mac_mls, a simple implementation of multi-level security
+ - mac_console policy, an example policy that demonstrates how login context
+ labels are used to identify processes associated with the current user
+ - mac_color policy, an example policy that demonstrates how login context
+ labels are used to share privilege amongst a group of processes. It also
+ demonstrates the use of floating labels.
+ - mac_device_access policy, an example policy to allow connection of
+ specified USB and FireWire devices and to prevent the use of unknown
+ devices.
+ - mac_extattr_test policy, an example policy to test the operation of
+ extremely long extended attribute values.
- mac_fwinteg, an example of a minimal base policy that enforces other
required and allowable policies
- mac_readonly, an example integrity policy to maintain a valid
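Review bot: The new bullets are inconsistent with the existing entries in this list: mac_console, mac_color, mac_device_access and mac_extattr_test carry a trailing "policy" while mac_mls, mac_fwinteg and mac_readonly do not. Suggest dropping the suffix, e.g. `+ - mac_console, an example policy that demonstrates how login context`. Also, mac_extattr_test is described as a test of long extended attribute values rather than a sample policy; a word saying it is a test module only would help readers who use this list to pick modules to load.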
@@ -34,7 +44,7 @@
appropriate for use in production environments.
The following modifications have been made relative to Apple's Darwin
-10.4.6 release:
+10.4.7 release:
- Inclusion of a subset of the MAC Framework entry points to
provide label support and protection of files, processes, System V
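Review bot: The bump to 10.4.7 matches the Darwin 8.7 / Mac OS X 10.4.7 change in the first hunk, but "Apple's Darwin 10.4.7 release" mixes the two version schemes: 10.4.7 is the Mac OS X release, the Darwin version is 8.7. Suggest `+Darwin 8.7 (Mac OS X 10.4.7) release:` so both places name the base the same way.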
@@ -50,6 +60,124 @@
Mach servers. The launchd and notifyd daemons have been modified
to use our security-enhanced MiG.
+New Features in the 20060929 release
+=====================================
+
+ - Update to a newer version of Tiger; the vendor source base was
+ updated to Apple's 10.4.7 release (xnu-792.6.76 for PPC).
+
+ - The MLS policy module was updated to
+ -- handle the access() permissions correctly. A separate
+ mac_mls_check_vnode_access() entry point was
+ implemented instead of using mac_mls_check_vnode_open().
+ -- require both read and write access for all System V shared
+ memory operations on struct shmid_ds.
+ -- mediate system accounting (acct) to match mdeiation for auditing.
+ The file must be set to high; the subject privileged.
+
+ - Changed how label handles are freed when their reference count is zero to
+ fix a race condition between a user program requesting and accessing a
+ label of a labeled kernel object and the destruction of that object.
+
+ - Made changes to kernel credential caching by adding a
+ kauth_cred_dup_add() function to duplicate an existing ucred and adding
+ the dupe to the cred hash. This helps policy modules modify the ucred of
+ a specific process at fork time, so credentials are shared amongst
+ threads in a single process, but not among different processes.
+
+ - New entrypoints have been added for more granular Mach access control
+ checks:
+ mpo_check_port_make
+ mpo_check_port_make_send_once
+ mpo_check_port_move_send
+ mpo_check_port_move_send_once
+ mpo_check_port_receive
+
+ - MAC Policy socket interfaces were updated to use xsocket structure
+ instead of a socket, as information such as protocol number and protocol
+ family are unavailable. Modified entrypoints are:
+ mpo_create_socket
+ mpo_create_socket_from_socket
+ mpo_create_mbuf_from_socket
+ mpo_relabel_socket
+ mpo_set_socket_peer_from_socket
+ mpo_set_socket_peer_from_mbuf
+ mpo_check_socket_accept
+ mpo_check_socket_bind
+ mpo_check_socket_connect
+ mpo_check_socket_deliver
+ mpo_check_socket_kqfilter
+ mpo_check_socket_listen
+ mpo_check_socket_receive
+ mpo_check_socket_relabel
+ mpo_check_socket_select
+ mpo_check_socket_send
+ mpo_check_socket_stat
+
+ - Completed mount label support. User space mount programs were
+ modified to allow additional parameters to specify labels.
+
+ - Auditing of system calls such as mac_xxx(), setlcid(), getlcid(),
+ mac_mount(), mac_get_mount(), mac_getfsstat() was added.
+
+ - Policies do not need mac.h anymore. The entire policy interface is
+ available in mac_policy.h
+
+ - A new mac_console policy demonstrates how login context labels are used
+ to identify processes associated with the current user
+
+ - A new mac_color policy demonstrates how login context labels are used
+ to share privilege amongst a group of processes. It also demonstrates
+ the use of floating labels.
+
+ - A new mac_device_access policy demonstrates a mechanism to block
+ use of unknown or unauthorized USB and FireWire devices as well as
+ a way to allow use of known, authorized devices. This policy uses
+ the following entry point.
+ mpo_check_device_allowed
+
+ - A new mac_extattr_test policy demonstrates how to test the operation of
+ extremely long extended attribute values.
+
+ - Modules can access data items from their Info.plist files and can be
+ accessed by the new mac_find_module_data() function.
+
+ - The ipctrace module has been updated with additional NULL label checks
+ so that it may be loaded late. Locking has been improved/corrected and
+ a new destroy method has been added.
+
+ - The mac_test module has been updated to generate mac_test_check_xxx
+ routines automatically from mac_policy.h.
+
+ - The stub, count and stacktrace policy build commands have been updated to
+ correctly interpret typedefs that are encountered in mac_policy.h.
+
+ - Fixed the order of message checks: port check should be done before
+ rights check.
+
+ - Cleanup of code by removing MAC_DEBUG, fields from label structure used
+ in panther, unused definitions for atomic operations.
+
+ - Correct label allocation for System V message queues to manage label
+ storage entirely within the MAC Framework.
+
+ - MAC helper functions have been added to delete extended attributes.
+
+ - kernel symbol printing has been reenabled.
+
+ - Improved documentation has been included. In particular,
+ updates were made to the Design and Implementation document, the
+ Policy Module Writing guide, and man pages. A new document
+ (ISSO-06-008-Boot.pdf) discusses Boot time improvements made, their
+ interaction with the MAC Framework and sample policies with respect to
+ boot integrity.
+
+ - The MAC Framework API documentation has been updated;
+ documentation is available in the docs/Framework/html/
+ directory.
+
+ - The ERRATA has the current list of defects.
+
New Features in the 20060630 release
=====================================
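Review bot: The Info.plist bullet is garbled: "Modules can access data items from their Info.plist files and can be accessed by the new mac_find_module_data() function" says the modules are what gets accessed; suggest "Data items in a module's Info.plist can be retrieved with the new mac_find_module_data() function." Typo in the MLS bullet: "to match mdeiation for auditing" should read "mediation". The socket bullet should say where the protocol number and family are unavailable (from struct socket, presumably) so the reason for switching to xsocket is clear. Minor consistency: both "entrypoints" and "entry points" are used, and "kernel symbol printing" should be capitalised like the other bullets.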