Date:      Mon, 25 Aug 2008 20:58:44 GMT
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 148447 for review
Message-ID:  <200808252058.m7PKwiUn003844@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=148447

Change 148447 by rwatson@rwatson_fledge on 2008/08/25 20:58:12

	Updates to a number of component web pages to bring them more
	in sync with reality.

Affected files ...

.. //depot/projects/trustedbsd/www/geom.page#3 edit
.. //depot/projects/trustedbsd/www/mac.page#5 edit
.. //depot/projects/trustedbsd/www/privileges.page#5 edit
.. //depot/projects/trustedbsd/www/sebsd.page#9 edit
.. //depot/projects/trustedbsd/www/sedarwin.page#7 edit

Differences ...

==== //depot/projects/trustedbsd/www/geom.page#3 (text+ko) ====

@@ -29,7 +29,7 @@
 
   <cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
     <cvs:keyword name="freebsd">
-      $P4: //depot/projects/trustedbsd/www/geom.page#2 $
+      $P4: //depot/projects/trustedbsd/www/geom.page#3 $
     </cvs:keyword>
   </cvs:keywords>
 
@@ -47,7 +47,7 @@
 
       <p>GEOM has been present in FreeBSD since FreeBSD 5.0-RELEASE, with
 	increasing numbers of transform modules over time, including the
-	GELI encryption and integrity protection module..</p>
+	GELI encryption and integrity protection module.</p>
 
       <p>GEOM and GBDE were implemented by Poul-Henning Kamp.</p>
 

==== //depot/projects/trustedbsd/www/mac.page#5 (text+ko) ====

@@ -37,7 +37,7 @@
 
   <cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
     <cvs:keyword name="freebsd">
-      $P4: //depot/projects/trustedbsd/www/mac.page#4 $
+      $P4: //depot/projects/trustedbsd/www/mac.page#5 $
     </cvs:keyword>
   </cvs:keywords>
 
@@ -45,54 +45,32 @@
     <title>TrustedBSD Mandatory Access Control (MAC) Framework</title>
 
     <html>
-      <p>
-	<span id="collection-label">Perforce:</span>
-	<span id="cvsup-collection">//depot/projects/trustedbsd/mac/...</span>
-      </p>
-      <p>
-	<span id="collection-label">Collection:</span>
-	<span id="cvsup-collection">p4-cvs-trustedbsd-mac</span>
-      </p>
 
-      <p>Mandatory access controls extend discretionary access
-	controls by allowing administrators to enforce additional
-	security for all subjects (e.g. processes or sockets) and
-	objects (e.g. sockets, file system objects, sysctl nodes) in
-	the system.  Development of those new access control models
-	is facilitated by the development of a flexible kernel
-	access control extension framework, the TrustedBSD MAC
-	Framework.  This permits new access control models to be
-	introduced as kernel modules.</p>
+      <p>Mandatory access controls extend operating system access control
+	policy by allowing administrators to enforce additional constraints
+	on user and application behavior.
+	The TrustedBSD MAC Framework is a kernel programming interface
+	allowing loadable modules to augment the system security policy in
+	order to implement mandatory access control in a flexible manner.</p>
 
-      <p>Currently, modules exist that implement MLS (Multi-Level
-	Security), a fixed-label Biba integrity policy, Type
-	Enforcement, and several other security policies that
-	reflect common requirements of typical FreeBSD deployment
-	environments, such as mandatory limits on inter-user
-	visibility in multi-user environments.  The current
-	implementation of Low-Watermark MAC (LOMAC) will also be
-	ported to use the module framework.  In addition, the
-	DARPA-funded Network Associates Laboratories' CBOSS Project
-	is porting the NSA FLASK/SELinux implementation (SEBSD) to
-	run as an extension model over the TrustedBSD MAC Framework.
-	More information on the SEBSD module may be found on the
-	<a href="sebsd.html">SEBSD page</a>.</p>
+      <p>The TrustedBSD MAC Framework first shipped in FreeBSD 5.0, with
+	significant functionality, quality, and performance enhancements in
+	later releases.  Supported policy modules include rule-based file
+	system firewall support, TCP/UDP port access control lists,
+	inter-user process visibility controls, as well as classic mandatory
+	access control policies such as Multi-Level Security (MLS) with
+	compartments, and fixed- and floating-label Biba integrity policies.
+	Third party policy modules include cryptographic checksums on system
+	binaries, and <a href="sebsd.html">SEBSD</a>, a port of the NSA
+	FLASK/SELinux policy to FreeBSD.  A number of commercial
+	FreeBSD-based products make use of the TrustedBSD MAC Framework to
+	locally modify the operating system security policy.</p>
 
-      <p>This work is primarily occuring in a TrustedBSD Perforce
-	branch, but much of the framework has been merged to the
-	main FreeBSD development tree and was included in FreeBSD
-	5.0 and forwards.  The current implementation is appropriate
-	for experimental or limited production use; both internal
-	and exposed MAC APIs will not be frozen until 5.2-RELEASE.
-	All policy modules with the exception of the SEBSD
-	implementation have been merged into the FreeBSD tree at
-	this point.</p>
-
-      <p>Work has also recently begun on an experimental port of
-	the TrustedBSD MAC Framework from FreeBSD to Apple's
-	Darwin operating system.
-	Information on this port may be found on the <a
-	href="sedarwin.html">SEDarwin page</a>.</p>
+      <p>The TrustedBSD MAC Framework is also present in Mac
+	OS X as of the Leopard release, where it is used to implement
+	Seatbelt and other system security services.  A port of FLASK and
+	SELinux is also available via <a
+	href="sedarwin.html">SEDarwin</a>.</p>
 
     </html>
   </section>
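Review bot: in the rewritten second paragraph, "Third party policy modules include cryptographic checksums on system binaries" and "A number of commercial FreeBSD-based products" name no module or product, so a reader cannot follow up on either claim; name or link at least the checksum module, the way SEBSD is linked in the same sentence. The hunk also deletes the Perforce and Collection spans at the top of the section and the sentence about when the MAC APIs would be frozen, with no replacement, so the page no longer says where the framework source lives or what API stability to expect. If that is intended, one sentence stating that the framework is maintained in the FreeBSD tree would close the gap.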

==== //depot/projects/trustedbsd/www/privileges.page#5 (text+ko) ====

@@ -29,7 +29,7 @@
 
   <cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
     <cvs:keyword name="freebsd">
-      $P4: //depot/projects/trustedbsd/www/privileges.page#4 $
+      $P4: //depot/projects/trustedbsd/www/privileges.page#5 $
     </cvs:keyword>
   </cvs:keywords>
 
@@ -46,11 +46,12 @@
 	<span id="cvsup-collection">p4-cvs-trustedbsd-cap</span>
       </p>
 
-      <p>NB: Historically this project was referred to as fine-grained
+      <p><b>Historically this project was referred to as fine-grained
 	capabilities, but due to a vocabulary conflict, it has been renamed
 	to fine-grained privileges. Information in this page currently refers
 	to a FreeBSD 5.x-era project to support fine-grained privileges, and
-	will shortly be superseded by a similar project for FreeBSD 8.x.</p>
+	will shortly be superseded by a similar project for FreeBSD
+	8.x.</b></p>
 
       <p>POSIX.1e breaks root privilege into a set of privileges
 	(historically referred to as "Capabilities"), which allow the
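Review bot: the notice paragraph is now wrapped whole in <b>, which trades the "NB:" marker for purely presentational markup and leaves nothing that identifies the text as a notice; a short bold lead-in followed by normal-weight text would read better and keep the marker. The unchanged context above the paragraph still carries <span id="cvsup-collection">p4-cvs-trustedbsd-cap</span>, while this same change removes the equivalent Perforce and Collection spans from mac.page and sedarwin.page, so the component pages end up inconsistent; remove it here as well or keep it on all three. "will shortly be superseded" is also relative to the date of the edit and will go stale; name the successor project or a release instead.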

==== //depot/projects/trustedbsd/www/sebsd.page#9 (text+ko) ====

@@ -32,12 +32,12 @@
      SUCH DAMAGE.
 -->
 
-<page role="components">
+<page role="sebsd">
   <title>SEBSD</title>
 
   <cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
     <cvs:keyword name="freebsd">
-      $P4: //depot/projects/trustedbsd/www/sebsd.page#8 $
+      $P4: //depot/projects/trustedbsd/www/sebsd.page#9 $
     </cvs:keyword>
   </cvs:keywords>
 
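Review bot: the role attribute on <page> changes from "components" to "sebsd" in this hunk (and to "sedarwin" in sedarwin.page), but the change description only mentions bringing page content in sync with reality. Say in the description why the role changes, or submit it as a separate change, so the structural edit can be reviewed apart from the text updates.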

==== //depot/projects/trustedbsd/www/sedarwin.page#7 (text+ko) ====

@@ -31,12 +31,12 @@
      SUCH DAMAGE.
 -->
 
-<page role="components">
+<page role="sedarwin">
   <title>SEDarwin</title>
 
   <cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
     <cvs:keyword name="freebsd">
-      $P4: //depot/projects/trustedbsd/www/sedarwin.page#6 $
+      $P4: //depot/projects/trustedbsd/www/sedarwin.page#7 $
     </cvs:keyword>
   </cvs:keywords>
 
@@ -45,40 +45,18 @@
       policy module to Apple's Darwin operating system</title>
 
     <html>
-      <p>
-	<span id="collection-label">Perforce:</span>
-	<span id="cvsup-collection">//depot/projects/trustedbsd/sedarwin7/...</span>
-      </p>
-      <p>
-	<span id="collection-label">Collection:</span>
-	<span id="cvsup-collection">p4-cvs-trustedbsd-sedarwin</span>
-      </p>
 
-      <p>SEDarwin is a port of the <a href="mac.html">TrustedBSD MAC
-	Framework</a> access control extension framework to Apple's
-	Darwin operating system platform, along with a port of the
-	<a href="sebsd.html">SEBSD policy module</a>.
-	SEDarwin is highly experimental, but is currently sufficiently
-	functional to allow the enforcement of mandatory process
-	and file protections under Mac OS 10.3.8 and Darwin 7.3 on
-	a variety of Apple PowerPC hardware.
+      <p>The SEDarwin Project consisted of two parts: a port of the
+	<a href="mac.html">TrustedBSD MAC Framework</a> to the Mac OS X
+	operating system, and a similar adaptation of <a
+	href="sebsd.html">SEBSD</a> to MAC OS X based on that port.  This
+	port was made available against Mac OS X Panther and Mac OS X Tiger;
+	as of Mac OS X Leopard, the TrustedBSD MAC Framework is now
+	available as part of the shipping Mac OS X product.</p>
 
-	The SEDarwin project has recently moved to it's own website at
+      <p>The SEDarwin project has recently moved to it's own website at
 	<a href="http://www.sedarwin.org">www.sedarwin.org</a>. More 
-	information and current versions of SEDarwin can be found there.
-	</p>
-
-      <p>The Darwin Security Extension Project (DSEP) complements the
-	SEDarwin work, but has a different goal. DSEP is primarily concerned
-	with updating and maintaining the TrustedBSD MAC Framework on
-	Darwin.  While still experimental, the MAC Framework has been
-	updated to support Mac OS X "Tiger", currently supporting Mac OS X
-	10.4.3 (Darwin 8.4). Note that the DSEP releases typically won't
-	have the newest FLASK and SELinux components; they will be migrated
-	to the Tiger platform soon.</p>
-
-	<p>The DSEP sources have also recently moved to 
-	<a href="http://www.sedarwin.org">sedarwin.org</a></p>;
+	information and current versions of SEDarwin can be found there.</p>
 
     </html>
   </section>
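Review bot: the new first paragraph writes "MAC OS X" in "adaptation of SEBSD to MAC OS X based on that port" while every other mention in the hunk is "Mac OS X"; make the capitalization consistent. The line that now opens the second paragraph keeps "has recently moved to it's own website", which should be "its", and "recently" sits oddly next to the past-tense "consisted of two parts" in the paragraph above; since the line is being touched anyway, fix both. The two DSEP paragraphs are removed outright, so the page no longer mentions the Darwin Security Extension Project at all; if DSEP has been folded into SEDarwin or is finished, one sentence saying so would keep readers who arrive looking for it from hitting a dead end.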


