sample 5.3 based trusted os ;-)

Tom Rhodes trhodes at FreeBSD.org
Wed Jan 19 14:37:33 GMT 2005


On Wed, 19 Jan 2005 12:10:20 +0000 (GMT)
Robert Watson <rwatson at FreeBSD.org> wrote:

> On Wed, 19 Jan 2005, Ilmar S. Habibulin wrote:
> 
> > http://www.watson.org/~ilmar/download/trustedos.tbz
> > 
> > This patch is for 5.3, it adds:
> > - trustedbsd sysv mac support
> 
> FYI, I've started merging the System V IPC MAC code to 6.x but haven't yet
> finished.  I'm hope to get that done in the next few weeks.  I need to
> look at ABI issues relating to merging that work to 5.x, as it requires a
> bump of the MAC Framework module version number.  My leaning is to defer a
> merge to 5.x until a few other changes are also merged to the MAC
> Framework and then merge the entire new ABI/API and provide a
> compatibility stub to get older MAC modules to work without issue.

I was wondering why the work merge seemed to slowly halt, thanks
for the info!

> 
> > - audit2 hacked (working audit)
> 
> This is the slightly older BSM code in audit2 rather than the slightly
> newer (but in progress) BSM code in audit3, right?  Do you see any
> impediments or issues with moving to the newer code base, other than
> getting the necessary audit calls into the system call code as you've
> presumably done (haven't looked at your drop yet :-).  Did we ever get the
> audit3 tree exported usefully via cvsup?

No, we never exported audit3 under CVSup.  And last time I brought
it up, everyone said "Use p4" so I began to use p4.

> 
> > - NFS server cred MAC hack (prevent kernel panic in nfsd with MAC enabled
> >   and mkdir/creat op)
> 
> Do you have a patch for this specific change?  We've got a number of
> NFS-related MAC changes in the MAC branch that need to be cleaned up,
> fixed, and merged, so that NFS server credentials are "real" managed
> credentials, not struct cred's embedded in another data structure.

This much I didn't know.  :)

> 
> > - network packet labeling (CIPSO & IPSec)
> > 
> > audit2 is working audit implementation with kernel record to bsm token
> > convertion, MAC label (slabel) support. Most syscalls are audited. 
> 
> I've just imported some of Apple's basic audit test tools (developed at
> McAfee Research) into the audit3 tree in
> 
>   //depot/projects/trustedbsd/audit3/tools/regression/audit/test/...
> 
> Those pieces have been generously made available by Apple under a BSD
> license.

I've added some Make glue to install the manual pages, an rc.d/
script for audit and other things to make audit3 easier to just
'get working'.  More things to come.  It would be lovely to see
some help in this area.  *hint hint, Robert; hint hint Ilmar* :P

-- 
Tom Rhodes
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message



More information about the trustedbsd-discuss mailing list