Date: Mon, 25 Aug 2008 13:47:38 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 148378 for review Message-ID: <200808251347.m7PDlcUw018816@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=148378 Change 148378 by rwatson@rwatson_fledge on 2008/08/25 13:47:16 Continue general rename of capabilities -> privileges to prepare to put up pages on both the 8.x privileges project and the new capabilities project. Affected files ... .. //depot/projects/trustedbsd/www/components.page#10 edit .. //depot/projects/trustedbsd/www/developers.dev#3 edit .. //depot/projects/trustedbsd/www/mailinglists.page#4 edit .. //depot/projects/trustedbsd/www/privileges.page#2 edit .. //depot/projects/trustedbsd/www/sidebar.xml#11 edit Differences ... ==== //depot/projects/trustedbsd/www/components.page#10 (text+ko) ==== @@ -37,7 +37,7 @@ <cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0"> <cvs:keyword name="freebsd"> - $P4: //depot/projects/trustedbsd/www/components.page#9 $ + $P4: //depot/projects/trustedbsd/www/components.page#10 $ </cvs:keyword> </cvs:keywords> @@ -71,7 +71,7 @@ instructions on the mailing lists page. This provides access to CVS and Perforce commit messages associated with development occuring in the TrustedBSD development trees, including the - Base (vendor) branch, Capabilities branch, Audit branch, MAC + Base (vendor) branch, Privileges branch, Audit branch, MAC branch, SEBSD branch, and SEDarwin branch.</p> <p>There are seven main branches of TrustedBSD development:</p> @@ -133,7 +133,7 @@ processes to tag files with arbitrary named data. This provides a location to store the extensive security data required for the various TrustedBSD security extensions, - including ACLs, capabilities and MAC labels. Extended + including ACLs, privileges and MAC labels. Extended attribute support has been developed for FreeBSD's UFS1 file system and integrated with the FreeBSD development tree, and was included in FreeBSD 5.0. UFS2 was @@ -144,29 +144,6 @@ functionality.</p> </dd> - <a name="capabilities" /> - <dt><p>Fine-Grained Capabilities</p></dt> - - <dd> - <p> - <span id="collection-label">Collection:</span> - - <span id="cvsup-collection">p4-cvs-trustedbsd-cap</span> - </p> - - <p>Capabilities provide support for fine-grained process - capabilities to authorize non-root processes to access - privileged system resources, reducing requirements for a - superuser account, and reducing risk in the event of - compromise. The capabilities development branch is - largely complete, but is based on an older FreeBSD - 5.0-CURRENT snapshot. Elements of this implementation - are being updated for FreeBSD 5.2 and are available as - part of the SEBSD version of the TrustedBSD MAC Framework. - For more information, see the <a href="cap.html">Capability - Page</a>.</p> - </dd> - <a name="geom" /> <dt><p>GEOM</p></dt> @@ -216,6 +193,37 @@ Project.</p> </dd> + <a name="privileges" /> + <dt><p>Fine-Grained Privileges</p></dt> + + <dd> + <p> + <span id="collection-label">Collection:</span> + + <span id="cvsup-collection">p4-cvs-trustedbsd-cap</span> + </p> + + <p>NB: Historically this project was referred to as fine-grained + capabilities, but due to a vocabulary conflict, it has been + renamed to fine-grained privileges. Information in this + section and on the privileges page currently refers to a + FreeBSD 5.x-era project to support fine-grained privileges, + and will shortly be superseded by a similar project for + FreeBSD 8.x.</p> + + <p>Privileges provide support for fine-grained process + privileges to authorize non-root processes to access + privileged system resources, reducing requirements for a + superuser account, and reducing risk in the event of + compromise. The privileges development branch is + largely complete, but is based on an older FreeBSD + 5.0-CURRENT snapshot. Elements of this implementation + are being updated for FreeBSD 5.2 and are available as + part of the SEBSD version of the TrustedBSD MAC Framework. + For more information, see the <a href="privileges.html"> + Privileges Page</a>.</p> + </dd> + <a name="sebsd" /> <dt><p>Security-Enhanced BSD (SEBSD)</p></dt> ==== //depot/projects/trustedbsd/www/developers.dev#3 (text+ko) ==== @@ -33,7 +33,7 @@ <developers> <cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0"> <cvs:keyword name="freebsd"> - $P4: //depot/projects/trustedbsd/www/developers.dev#2 $ + $P4: //depot/projects/trustedbsd/www/developers.dev#3 $ </cvs:keyword> </cvs:keywords> @@ -61,13 +61,13 @@ <firstname>Ilmar</firstname> <surname>Habibulin</surname> <email>ilmar@watson.org</email> <url>http://www.watson.org/~ilmar/</url>; - <area>Capabilities, Mandatory Access Control</area> + <area>Privileges, Mandatory Access Control</area> </entry> <entry> <firstname>Thomas</firstname> <surname>Moestl</surname> <email>tmm@FreeBSD.org</email> - <area>Capabilities</area> + <area>Privileges</area> </entry> <entry> @@ -86,7 +86,7 @@ <entry> <firstname>Andrew</firstname> <surname>Reisse</surname> <email>Andrew.Reisse@sparta.com</email> - <area>SEDarwin, Capabilities</area> + <area>SEDarwin, Privileges</area> </entry> <entry> ==== //depot/projects/trustedbsd/www/mailinglists.page#4 (text+ko) ==== @@ -37,7 +37,7 @@ <cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0"> <cvs:keyword name="freebsd"> - $P4: //depot/projects/trustedbsd/www/mailinglists.page#3 $ + $P4: //depot/projects/trustedbsd/www/mailinglists.page#4 $ </cvs:keyword> </cvs:keywords> @@ -115,7 +115,7 @@ <html> <p>POSIX.1e, the now-withdrawn POSIX draft defining interfaces for operating system security extensions, continues to play an important - role in offering standard interfaces for ACLs, Capabilities, and to + role in offering standard interfaces for ACLs, Privileges, and to a limited extent other services. The POSIX.1e mailing list provides a cross-platform forum for the discussion of the draft, as well as practical implementation and portability issues. More information on ==== //depot/projects/trustedbsd/www/privileges.page#2 (text+ko) ==== @@ -25,16 +25,16 @@ --> <page role="components"> - <title>TrustedBSD POSIX.1e Capabilities</title> + <title>TrustedBSD POSIX.1e Privileges</title> <cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0"> <cvs:keyword name="freebsd"> - $P4: //depot/projects/trustedbsd/www/privileges.page#1 $ + $P4: //depot/projects/trustedbsd/www/privileges.page#2 $ </cvs:keyword> </cvs:keywords> <section> - <title>TrustedBSD POSIX.1e Capabilities</title> + <title>TrustedBSD POSIX.1e Privileges</title> <html> <p> @@ -46,15 +46,16 @@ <span id="cvsup-collection">p4-cvs-trustedbsd-cap</span> </p> - <p>POSIX.1e breaks root privilege into a set of capabilities, or - more strictly, privileges, which allow the granting of specific - privilege requirements for POSIX calls, such as setuid(). + <p>POSIX.1e breaks root privilege into a set of privileges + (historically referred to as "Capabilities"), which allow the + granting of specific privilege requirements for POSIX calls, such + as setuid(). POSIX.1e defines extension to process and file state to allow privileges to be granted to processes, either by inheritence or a file privilege model similar to setuid/setgid.</p> - <p>The TrustedBSD capability project is currently inactive, but an - implementation of POSIX.1e capabilities for an older FreeBSD release + <p>The TrustedBSD privileges project is currently inactive, but an + implementation of POSIX.1e privileges for an older FreeBSD release is available and functional, and may be found in Perforce/cvsup. Certain key files are provided in a tarball for download on this page.</p> @@ -70,17 +71,17 @@ sufficient future growth in privileges, or further fine-graining.</p> <p>Up-to-date versions of the kernel API changes to perform - fine-grained privilege checking, without the capability model + fine-grained privilege checking, without the privilege model itself, may be found in the <a href="sebsd.html">SEBSD branch</a>, and include modifications to the TrustedBSD MAC Framework to allow MAC modules to deny privilege based on the POSIX.1e privilege categories.</p> - <p>2006-03-26 FreeBSD 5.0 POSIX.1e capability reference files + <p>2006-03-26 FreeBSD 5.0 POSIX.1e privileges reference files snapshot. These are reference BSD-licensed POSIX.1e privilege files derived from an early TrustedBSD implementation, and do - not represent a complete or supported implementation. - <a href="downloads/20060326-cap.tgz">Download</a>.</p> + not represent a complete or supported implementation. Download + <a href="downloads/20060326-cap.tgz">20060326-cap.tgz</a> (60K).</p> </html> </section> ==== //depot/projects/trustedbsd/www/sidebar.xml#11 (text+ko) ==== @@ -7,11 +7,11 @@ <li><a href="audit.html">Audit</a></li> <li><a href="bsmtrace.html">BSMtrace</a></li> <li><a href="components.html#eas">Extended Attributes and UFS2</a></li> - <li><a href="cap.html">Capabilities</a></li> <li><a href="components.html#geom">GEOM</a></li> <li><a href="mac.html">MAC</a></li> <li><a href="openbsm.html">OpenBSM</a></li> <li><a href="components.html#openpam">OpenPAM</a></li> + <li><a href="privileges.html">Privileges</a></li> <li><a href="sebsd.html">SEBSD</a></li> <li><a href="sedarwin.html">SEDarwin</a></li> </ul> @@ -24,11 +24,11 @@ <li><a href="audit.html">Audit</a></li> <li><a href="bsmtrace.html">BSMtrace</a></li> <li><a href="components.html#eas">Extended Attributes and UFS2</a></li> - <li><a href="cap.html">Capabilities</a></li> <li><a href="components.html#geom">GEOM</a></li> <li><a href="mac.html">MAC</a></li> <li><a href="openbsm.html">OpenBSM</a></li> <li><a href="components.html#openpam">OpenPAM</a></li> + <li><a href="privileges.html">Privileges</a></li> <li><a href="sebsd.html">SEBSD</a></li> <li><a href="sedarwin.html">SEDarwin</a></li> </ul>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200808251347.m7PDlcUw018816>