www.TrustedBSD.org
Home Developers Documentation Source code ACLs Audit BSMtrace ExtAttr + UFS2 GEOM + GBDE
Mailing Lists News Legal MAC Framework OpenBSM OpenPAM Privileges SEBSD SEDarwin
Trusty

TrustedBSD POSIX.1e Privileges

In this past, this project was referred to as fine-grained capabilities, but due to a vocabulary conflict with the capability system model used in Capsicum, it has been renamed to fine-grained privileges. Information in this page currently refers to a FreeBSD 5.x-era project to support fine-grained privileges.

In FreeBSD 7.0, the priv(9) KPI was introduced, classifying all kernel uses of privileges and exposing this information to a centralised kernel component. The kernel's mandatory access control framework allows MAC policy modules to deny (and grant) privileges, but FreeBSD does not currently provide a userspace API for privilege management. Discussion below is historical.


POSIX.1e breaks root privilege into a set of privileges (historically referred to as "Capabilities"), which allow the granting of specific privilege requirements for POSIX calls, such as setuid(). POSIX.1e defines extension to process and file state to allow privileges to be granted to processes, either by inheritence or a file privilege model similar to setuid/setgid.

The TrustedBSD privileges project is currently inactive, but an implementation of POSIX.1e privileges for an older FreeBSD release is available and functional, and may be found in Perforce. Certain key files are provided in a tarball for download on this page.

The reason that these changes have not yet been integrated into FreeBSD is that they represent a substantial risk, as they change the superuser privilege model, and there have been a number of vulnerabilities in other operating systems relating to both implementation and logic errors with fine-grained privileges, and this implementation has seen insufficient review. Also, the in-kernel API for privilege checking is limited to a 32-bit or 64-bit privilege mask, which does not offer room for sufficient future growth in privileges, or further fine-graining.

Up-to-date versions of the kernel API changes to perform fine-grained privilege checking, without the privilege model itself, may be found in the SEBSD branch, and include modifications to the TrustedBSD MAC Framework to allow MAC modules to deny privilege based on the POSIX.1e privilege categories.

2006-03-26 FreeBSD 5.0 POSIX.1e privileges reference files snapshot. These are reference BSD-licensed POSIX.1e privilege files derived from an early TrustedBSD implementation, and do not represent a complete or supported implementation. Download 20060326-cap.tgz (60K).


    Copyright 2000-2012 Robert N. M. Watson. All rights reserved.
    Copyright 2005 SPARTA, Inc. All rights reserved.
    Copyright 2002, Leigh T. Denault. All rights reserved.
    Copyright 2002, 2003 Networks Associates, Inc. All rights reserved.
    $P4: //depot/projects/trustedbsd/www/privileges.page#7 $