• TrustedBSDTODO

TrustedBSD TODO

Here are a few TODO items from the TrustedBSD TODO list:

ACLs

TODO:

• Investigate allowing cmask to override umask (as in Linux, Solaris) for POSIX.1e.
• Add ACL support to devfs. After converting bpf and friends to cdevpriv, it's no longer possible to allow multiple users/groups to access the device.
• Teach smbfs and samba about NFSv4 ACL support.
• Validate that POSIX.1e ACL support in tar/dump/etc works with NFSv4 ACL support.
• Improve robustness in the presence of ACL corruption or I/O failures.

IN PROGRESS:

• (trasz) Implement NFSv4 ACLs for local file system use (see NFSv4_ACLs).

• (macklem) Adapt NFSv4 client and server for local NFSv4 ACL implementation

DONE:

• (rwatson) Don't update mtime when ACLs are set, changed, and removed.

Audit

TODO:

• Complete review of various ABI system call lists to confirm all relevant system calls are assigned events. Add new event types as required. The mapping for most system calls to audit events is stored in the various syscalls.master (and similarly named files) around the kernel tree.
• Complete review of system calls to make sure that all key arguments are being audited. As necessary, add AUDIT_ARG() calls to system call implementations.
• Complete userland review, in particular of administrative and login-related tools, to make sure they are all auditing events appropriately. Many login programs do perform necessary auditing (sshd, login) but some still don't (ftpd). Administrative tools require more work -- pw(8), password change tools, etc, all require audit support.
• Investigate adding multiple simultaneous audit trails with different security properties (i.e., allowing Apache to maintain its own application-layer trail). This might be implemented by encapsulating the notion of an "audit pipeline" in a structure/object that can be replicated. Quite a bit of work is required to figure out the right model here. One very nice property of this is that it would allow applications to submit audit records to a trail they could not later modify.
• Create new application Audit API allowing stateful and context-aware interpretation of audit trails -- starting with file endian, but also including account information, etc.
• Built-in support for compressing trails on rotation.
• Investigation of the issue of cryptographic protection of trails, and perhaps a sample configuration for audit_notify showing how to encrypt trails on rotation.
• Add NIS/YP/NSS support for audit configuration files so that audit configuration can be distributed with password/group/etc configuration data.
• Refine the relationship between jail and audit: add "zone" token support and stick jail names into zone tokens when auditing events in jails. Explore privilege issues relating to audit and jail: which audit system calls should, and which should not, be allowed in jail? Is audit about a single system trail tracking jails, or is there interest in per-jail audit trails? Since login/sshd/etc determine what should be audited for a user, does that require that we let jails determine what is audited?

IN PROGRESS:

• (csjp) Sequence-based IDS using BSM
• (csjp) Network extensions to sequence-based IDS using BSM
• (diego) Teach kernel firewalls and other kernel security systems how to use audit to report events, rather than syslog. This may require some amount of re-working of the kernel audit APIs to allow construction. Of particular interest will be changes to allow the audit code to run in ithread contexts where firewalls may be running. Add "ipfw audit"?
• (simon) Investigate creation of a distributed audit daemon to reliably manage the transfer of audit trails to central audit management hosts. Ideally it would support cryptographic protection (SSL?) and reliable delivery (i.e., if the delivery aborts due to a reboot, it picks up about where it left off when it comes up again).

DONE:

• (sson) Move towards more explicit management of the audit trail directory so that it's clear who owns entries in the directory -- auditd or other consumers -- in order to more reliably handle issues like reboot during audit trail rotation.
• (rwatson) Finer-grained locking for audit, in particular, a global read-write lock for configuration and perhaps an audit pipe lock or per-pipe locks.

MAC

TODO:

• Add create checks to System V IPC primitives so that use of the name space can be controlled by policies.
• Allow label memory to be properly garbage-collected, and label lots cleared, when a labeled policy is unloaded.

IN PROGRESS

• (rwatson) Complete mac2 API update to sync to Darwin -- primarily in renaming many entry points to a consistent naming scheme.
• (wsalamon) Audit/MAC integration: allow MAC to control audit, allow MAC to annotate audit records. For example, allow MAC to add label information relating to vnodes to vnode-related records.

DONE

• (rwatson) Move to conditional labeling of objects based on policy requirements

Priv

TODO:

• Clean up aging #ifdef compat suser consumers.
• Consider a notion of "default privileges" for users on the system instead of many sysctls determining whether or not privilege is required. Perhaps similar to the Solaris privs system. In the past, we have implemented POSIX.1e capabilities for FreeBSD, and found that the model leaves a lot to be desired, but perhaps a subset would be appropriate. See the trustedbsd_cap branch for more information on the past information.

IN PROGRESS:

• (bz) Update IPv6 use of privilege for priv(9)

DONE:

• (rwatson) Remove PRIV_ROOT.
• (attilio) Update mac_bsdextended use of privilege for priv(9)
• (attilio) Remove suser() and suser_cred() functions (dependent on removing any remaining suser() calls).
• (rwatson) Complete migration of jail policy state from API calls into jail privilege context: remove SUSER_ALLOWJAIL argument to priv_check_cred().
• (rwatson) Remove SUSER_RUID.
• (rwatson) Finish resolving System V IPC interactions with priv by removing the bogus permission check in System V shm and restoring a privilege-aware ipcperm.

SEBSD

TODO:

• Update to 8-CURRENT
  • Adapt for priv(9), implementing new privilege entry points and mapping FreeBSD privileges to Linux/POSIX.1e privileges for use by SEBSD. This means we can get rid of all of the SEBSD-branch changes to suser().
  • Update for new MAC KPI work, synchronizing to Mac OS X MAC Framework changes.
• Add protections for unsupported object types, such as newer IPC primitives, networking, etc.
• Merge features to CVS
  • struct file labeling and access control
  • Additional mountpoint access control points
• Update to latest SELinux parts
• Spend lots of time on policy
• Produce a port so it's easy to install SEBSD

IN PROGRESS:

DONE:

CategoryTODO