FYI: Darwin 7.3 DSEP import into Perforce
Robert Watson
rwatson at FreeBSD.org
Mon Jan 31 19:41:17 GMT 2005
For those interested in the on-going work to port the MAC Framework to
Darwin by McAfee Research, I've imported the latest DSEP code (drop 5)
into the FreeBSD perforce repository. That way we can integrate changes
from that work into the FreeBSD work easily.
Robert N M Watson
---------- Forwarded message ----------
Date: Mon, 31 Jan 2005 17:55:06 GMT
From: Robert Watson <rwatson at FreeBSD.org>
To: Perforce Change Reviews <perforce at freebsd.org>
Subject: PERFORCE change 70045 for review
http://perforce.freebsd.org/chv.cgi?CH=70045
Change 70045 by rwatson at rwatson_tislabs on 2005/01/31 17:54:31
Import DSEP drop 5, a forward port of the SEDarwin work from Darwin
10.2.8 to 10.3.3 with substantial enhancements brought in from
FreeBSD, as well as separately developed. Includes some interesting
things that we should merge to FreeBSD, including integration of the
Darwin audit code and TrustedBSD MAC Framework (experimental), and
various other things, including stack tracing and IPC tracing MAC
Framework modules, extensions to the mac_test module, support for
Mach IPC, etc.
I have not imported the majority of the docs and testbed trees at
this time, just the base source. Excerpt from the drop-5 release
notes follows:
Port of TrustedBSD MAC Framework to Darwin 10.3.3
McAfee Research
15204 Omega Drive, Suite 300
Rockville, MD 20850
Introduction
============
This release includes a port of the TrustedBSD MAC Framework to
Apple's Darwin 7.3 (Mac OS X 10.3.3) operating system, made up of
kernel, library, and user space tool extensions to support flexible
policy introduction. In addition, several sample policy modules are
present:
- SEDarwin, a port of NSA's FLASK security architecture and
Type Enforcement policy language from SELinux.
- MLS, a simple implementation of multi-level security.
- ipctrace, a facility for collecting information on the use of
Mach IPC.
- mac_none, an example of a very minimal policy.
- mac_stub, an example of a policy that defines all entry points
as no-ops.
- mac_test, a debugging tool for ensuring that the framework is
managing labels correctly.
- stacktrace, a debugging tool to capture stack traces.
This release is a development snapshot; not all components are
appropriate for use in production environments.
The following modifications have been made relative to Apple's Darwin
10.3.3 release:
- HFS extended attributes to hold persistent file labels.
- Inclusion of a subset of the MAC Framework entry points to
provide label support and protection of files, processes,
System V semaphores and shared memory, and labeling and
controls for Mach IPC.
- A port and enhancement of the mac_test policy module.
- The SEDarwin module, a port of the SELinux FLASK and Type
Enforcement implementation from FreeBSD.
- Ports of the SELinux policy tools for use with SEDarwin.
- Ports of the TrustedBSD MAC label management tools and extended
attribute tools.
- A port of the TrustedBSD MLS policy module.
- Modifications to the ls(1) and ps(1) commands to optionally
display label information.
- Enhancements to the BootX boot loader and XNU kernel extension
linker to support the loading of policy KEXTs earlier in the
boot sequence.
New Features in Drop 5
======================
- Additional maturing in VFS security. This includes new security
controls for mmap operations, better support for file descriptor
label system calls, and a bugfix for the link entry point.
- Improved audit support. The extended attribute and security
system calls are now audited. The MLS policy was further
extended to provide audit support to log permitted and denied
access.
- Build improvements to move some BSD-style Makefiles to GNU, with
the intent that the build system consistently uses only the
GNU format.
- Additional documentation on the test framework and on CMW-like
access controls for Apple OS X is nearly complete and will be
separately shipped.
New Features in Drop 4
======================
- The default module is now the mac_mls module, not the sedarwin
module. By default, all modules will be built, but only the MLS
module will be installed.
- Additional example policies
The 'mac_none' policy module implements a sample MAC policy that
has no effect on access control in the system. Unlike
'mac_stub', none of the MAC entry points are defined.
The 'mac_stub' policy module implements a sample MAC policy that
has no effect on access control in the system. Unlike mac_none,
each MAC entry point is defined as a no-op, so the policy module
will be entered for each event, but no change in system behavior
should result.
- Stacktrace security module
The stacktrace security module is provided as an example of a
policy module useful for debugging. Loading the policy module
and then performing normal operations will cause the stacktrace
module's functions to be invoked at each MAC check. When each
function is invoked, it walks backward up the call stack and
saves a trace of how the function was called into a wired trace
buffer in the kernel.
An example of the output generated by this module is provided in
examples/stacktrace.
- Add the 'top' package to the build, it directly references
kernel objects that were modified by the MAC framework, so it
must be recompiled.
- The System V IPC entry points were renamed from *ipc* to *sysv*
to help distinguish System V IPC entry points from other IPC
objects (Posix, Mach).
- Audit prototype
This release includes a prototype of the integration of audit
support into the Darwin MAC framework. This prototype introduces
controls on kernel audit functions and provides interfaces so
that security policies may add information to the audit log.
- There have been other miscellaneous improvements to the build
infrastructure, the test framework, and the entry point coverage
and accuracy.
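The mac_none/mac_stub contrast above, together with the sample modules listed in the introduction, describes a framework that dispatches each entry point to whichever loaded policies define it and lets a simple MLS module decide on labels. The following C program is an added example written for this page, not DSEP, Darwin or FreeBSD code: it is a user-space model in which the structures (mac_policy_ops, mls_label), the label layout, the dominance rule and the "permit only if no policy denies" composition loop are all assumptions for illustration. The module names mirror those in the release notes only to make the roles recognisable.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>   /* EACCES, as a kernel entry point would return */

/* Assumed MLS label: sensitivity level plus a bitmask of compartments. */
struct mls_label {
    int level;
    uint32_t compartments;
};

struct cred  { struct mls_label mls; };  /* subject (process) label */
struct vnode { struct mls_label mls; };  /* object (file) label */

/* Entry points a policy module may implement; NULL means "not defined". */
struct mac_policy_ops {
    const char *name;
    int (*check_vnode_read)(struct cred *, struct vnode *);
    int (*check_vnode_write)(struct cred *, struct vnode *);
    int entered;  /* times the framework entered this module (model only) */
};

/* mac_none: defines no entry points, so the framework never enters it. */
static struct mac_policy_ops mac_none = { "mac_none", NULL, NULL, 0 };

/* mac_stub: defines every entry point as a no-op that always permits. */
static int stub_check(struct cred *c, struct vnode *v) { (void)c; (void)v; return 0; }
static struct mac_policy_ops mac_stub = { "mac_stub", stub_check, stub_check, 0 };

/* mac_mls: a dominates b when a's level is at least b's and a's compartments
 * include all of b's. Read requires the subject to dominate the object (no
 * read up); write requires the object to dominate the subject (no write down). */
static int mls_dominates(const struct mls_label *a, const struct mls_label *b) {
    return a->level >= b->level &&
           (a->compartments & b->compartments) == b->compartments;
}
static int mls_check_read(struct cred *c, struct vnode *v) {
    return mls_dominates(&c->mls, &v->mls) ? 0 : EACCES;
}
static int mls_check_write(struct cred *c, struct vnode *v) {
    return mls_dominates(&v->mls, &c->mls) ? 0 : EACCES;
}
static struct mac_policy_ops mac_mls = { "mac_mls", mls_check_read, mls_check_write, 0 };

/* The loaded policy list; the framework consults every module in turn. */
static struct mac_policy_ops *policies[] = { &mac_none, &mac_stub, &mac_mls };
#define NPOLICIES (sizeof(policies) / sizeof(policies[0]))

/* Assumed composition rule: permit only if no loaded policy denies. The first
 * non-zero error is reported, but every module that defines the entry point
 * is still entered, which is what makes mac_stub useful for tracing. */
static int compose(struct cred *c, struct vnode *v, int write) {
    int error = 0;
    for (size_t i = 0; i < NPOLICIES; i++) {
        int (*ep)(struct cred *, struct vnode *) =
            write ? policies[i]->check_vnode_write : policies[i]->check_vnode_read;
        if (ep == NULL)
            continue;  /* undefined entry point: module is skipped */
        policies[i]->entered++;
        int e = ep(c, v);
        if (e != 0 && error == 0)
            error = e;
    }
    return error;
}

/* Wrappers taking raw label fields so a caller can probe decisions directly. */
int mac_vnode_check_read(int slevel, uint32_t scomps, int olevel, uint32_t ocomps) {
    struct cred c = { { slevel, scomps } };
    struct vnode v = { { olevel, ocomps } };
    return compose(&c, &v, 0);
}
int mac_vnode_check_write(int slevel, uint32_t scomps, int olevel, uint32_t ocomps) {
    struct cred c = { { slevel, scomps } };
    struct vnode v = { { olevel, ocomps } };
    return compose(&c, &v, 1);
}
/* How often the framework entered the named module; -1 if no such module. */
int policy_entered(const char *name) {
    for (size_t i = 0; i < NPOLICIES; i++)
        if (strcmp(policies[i]->name, name) == 0)
            return policies[i]->entered;
    return -1;
}

int main(void) {
    /* Constructed labels: a "secret" subject (level 2, compartment 0x1)
     * against a "confidential" object (level 1, compartment 0x1). */
    printf("read:  %d\n", mac_vnode_check_read(2, 0x1, 1, 0x1));
    printf("write: %d\n", mac_vnode_check_write(2, 0x1, 1, 0x1));
    printf("mac_none entered %d times, mac_stub %d times\n",
           policy_entered("mac_none"), policy_entered("mac_stub"));
    return 0;
}
```

Running it shows the read permitted (0) and the write refused with EACCES, while mac_none is never entered and mac_stub is entered once per check; that difference in "entered" counts is exactly the distinction the Drop 4 notes draw between the two sample policies.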
New Features in Drop 3
======================
- Mach IPC tracing facility - The 'ipctrace' policy module causes
the system to store a log of how IPC is used in Darwin. More
information on ipctrace can be found in docs/ipctrace.txt.
Some example results are also included in examples/ipctrace.
- System V IPC controls and labelling - Darwin's implementation of
System V shared memory and semaphore arrays was extended to
include security labels and security framework hooks for policy
modules to implement controls on SysV IPC. (Darwin does not
support System V message queues.)
- Updates to SEDarwin - The SEDarwin policy module was extended to
support System V IPC security. The supplied policy permits IPC
only between programs running in the same domain. More
information on the sedarwin module is available in
docs/sedarwin.txt.
- MLS (Multi-Level Security) policy module - We have ported the
TrustedBSD MLS policy module to the Darwin security
framework. More information on the macmls module is available
in docs/macmls.txt.
- Updates to the mactest policy module - We have made improvements
to the mactest module so that it now supports additional entry
points and has improved tracking of label states.
- A prototype test suite for the Darwin MAC Framework was added.
More information on installing and running the test suite is
available in testbed/README.
- Updates to framework to match recent changes in the FreeBSD
implementation. Most notably, the way security labels are
allocated has been made simpler.
New Features in Drop 2
======================
- Tree and build system rearrangement. The source tree has been
rearranged to better reflect system packaging and development.
Modifications to Apple's Darwin operating system are now in the
darwin/ sub-tree, and policy modules and policy-related tools
are in their own directories. The consistency of the build
system has been improved, and the build is now stand-alone (the
additional /usr/local tarball is no longer required.)
- Policies may now be loaded as kernel extensions. We have
modified the kernel linker to allow policy modules to be loaded
sufficiently early that policies must no longer be linked
directly to the kernel, permitting them to be distributed
separately from XNU. This required reordering some events in
the boot sequence, and introducing additional linker code to use
loader-allocated memory.
- The mac_test module has been updated and enhanced. The mac_test
policy module performs a series of assertions to verify correct
behavior of a number of aspects of the TrustedBSD MAC Framework.
The module has been ported to Darwin, and enhanced to detect
additional failure modes.
- In addition, a large number of bug fixes and minor enhancements
have been made to improve the isolation of policy-independent
and policy-specific components.
Affected files ...
.. //depot/projects/trustedbsd/dsep/ERRATA#1 add
.. //depot/projects/trustedbsd/dsep/README#1 add
.. //depot/projects/trustedbsd/dsep/VERSION#1 add
...
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message