hello, anybody there?

Mon Feb 5 07:28:54 GMT 2001

On Sun, 4 Feb 2001, Robert Watson wrote:

> Well, leaving aside a botched attempt to approve your post -- yes, things
> are alive, and yes, they are also very quiet.
still waters run deep - in russian is something like: quiet pool has
daemons inside. (i hope the translation is correct) ;-)

> I'm preparing a set of commits that moves the existing jail(8) support
> such that it's under process credentials, instead of a property of the
> process itself, and also have a 0.5.2 of ACL support ready to push out the
> door with updated fixed support for ACL mask setting in setfacl.
> (these further fixes to setfacl are courtesy of Chris Faulhaber).  I'd
> like to start committing more ACL code to the base system, but don't have
> a precise timeline for that yet.  Probably it will begin with the
> committing of src/sys/kern_acl.c support routines, then a review pass on
> freebsd-arch and related lists.
Will it include ACLs in extanded attributes or only mode bits are
used? Sorry, i have TrustedBSD installed (i think, you understand me ;-)),
and i don't want to reinstall everything to check every change in other
subsystems, except MAC.

> I'm also working on a set of improvements for the MAC code to handle
> network stack integration better; right now packets are labeled when
> coming in from network interfaces based on a default interface label.  I
> need to add additional ioctl()'s for interface configuration to allow the
> setting of that default label, and work on the enforcement code some more.
> Right now, labels on packets/etc are copied around, but this should
> probably change to a reference counted label model, similar to
> credentials.  I received a set of modifications to my current MAC code
> from Ilmar Habibulin to support non-hierarchal labels in MLS and Biba
> policies, as well as more flexible handling of label names, as well as
> confirmation that he seemed to have the code working for him enforcing
> inter-process and process-file labeling policies.
Sorry, maybe there is some misunderstanding. I add non-hierarchical part
into label, but no other in-kernel changes were made. Because, there is
some -arch issue, i think. Non-hierarchycal part of mac label is some sort
of bitmask or an array of unique elements. I chose bitmask, but kernel
lacks bitmask support. So i have just copied <bitstring.h> content into
<mac.h>. The issue is - will it be only in <mac.h>, or maybe kernel need
some generic support for bitstrings, so there will be header for in-kernel
bitmasks.
So i just introdused my vision and way of progress.
I also introdused my vision of mac labels to text and back convertion
routines. I have some doubts about their correctness (do you have such
word?), I'm thinking about their i18n - how should it be done and so on.

> Andrew Reiter has been working on the auditing subsystem design, and
> hopefully will have the opportunity to post something about that work in
> the near future :-).

Robert, can we have some common patch, which will include all subsystems?

To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message