sample 5.3 based trusted os ;-)
Tom Rhodes
trhodes at FreeBSD.org
Wed Jan 19 14:37:33 GMT 2005
On Wed, 19 Jan 2005 12:10:20 +0000 (GMT)
Robert Watson <rwatson at FreeBSD.org> wrote:
> On Wed, 19 Jan 2005, Ilmar S. Habibulin wrote:
>
> > http://www.watson.org/~ilmar/download/trustedos.tbz
> >
> > This patch is for 5.3, it adds:
> > - trustedbsd sysv mac support
>
> FYI, I've started merging the System V IPC MAC code to 6.x but haven't yet
> finished. I'm hope to get that done in the next few weeks. I need to
> look at ABI issues relating to merging that work to 5.x, as it requires a
> bump of the MAC Framework module version number. My leaning is to defer a
> merge to 5.x until a few other changes are also merged to the MAC
> Framework and then merge the entire new ABI/API and provide a
> compatibility stub to get older MAC modules to work without issue.
I was wondering why the work merge seemed to slowly halt, thanks
for the info!
>
> > - audit2 hacked (working audit)
>
> This is the slightly older BSM code in audit2 rather than the slightly
> newer (but in progress) BSM code in audit3, right? Do you see any
> impediments or issues with moving to the newer code base, other than
> getting the necessary audit calls into the system call code as you've
> presumably done (haven't looked at your drop yet :-). Did we ever get the
> audit3 tree exported usefully via cvsup?
No, we never exported audit3 under CVSup. And last time I brought
it up, everyone said "Use p4" so I began to use p4.
>
> > - NFS server cred MAC hack (prevent kernel panic in nfsd with MAC enabled
> > and mkdir/creat op)
>
> Do you have a patch for this specific change? We've got a number of
> NFS-related MAC changes in the MAC branch that need to be cleaned up,
> fixed, and merged, so that NFS server credentials are "real" managed
> credentials, not struct cred's embedded in another data structure.
This much I didn't know. :)
>
> > - network packet labeling (CIPSO & IPSec)
> >
> > audit2 is working audit implementation with kernel record to bsm token
> > convertion, MAC label (slabel) support. Most syscalls are audited.
>
> I've just imported some of Apple's basic audit test tools (developed at
> McAfee Research) into the audit3 tree in
>
> //depot/projects/trustedbsd/audit3/tools/regression/audit/test/...
>
> Those pieces have been generously made available by Apple under a BSD
> license.
I've added some Make glue to install the manual pages, an rc.d/
script for audit and other things to make audit3 easier to just
'get working'. More things to come. It would be lovely to see
some help in this area. *hint hint, Robert; hint hint Ilmar* :P
--
Tom Rhodes
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message
More information about the trustedbsd-discuss
mailing list