TrustedBSD POSIX.1e Privileges
In the past, this project was referred to as fine-grained
capabilities, but due to a vocabulary conflict with the capability
system model used in Capsicum, it has been renamed
to fine-grained privileges. Information in this page currently refers
to a FreeBSD 5.x-era project to support fine-grained
privileges.
In FreeBSD 7.0, the priv(9) KPI
was introduced, classifying all kernel uses of privileges and
exposing this information to a centralised kernel component.
The kernel's mandatory access control framework
allows MAC policy modules to deny (and grant) privileges, but
FreeBSD does not currently provide a userspace API for privilege
management.
Discussion below is historical.
POSIX.1e breaks root privilege into a set of privileges
(historically referred to as "Capabilities"), which allow the
granting of specific privilege requirements for POSIX calls, such
as setuid().
POSIX.1e defines extensions to process and file state to allow
privileges to be granted to processes, either by inheritance or
by a file privilege model similar to setuid/setgid.
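As an added illustration, not part of this page or of the TrustedBSD code, the following user-space model shows the two grant paths just described: the process holds effective, permitted and inheritable sets, a file carries permitted and inheritable sets plus an effective flag, and exec combines them. The exec-time rule is the one from the POSIX.1e draft as later adopted by Linux capabilities (an assumption; the page does not spell it out), and the privilege bit names are constructed rather than FreeBSD's priv(9) values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A fixed-width mask, mirroring the 32/64-bit limit noted for the in-kernel API. */
typedef uint64_t privset_t;

/* Constructed privilege bits for illustration; not FreeBSD's priv(9) numbering. */
#define PRIV_SETUID   ((privset_t)1 << 0)   /* change credentials, as for setuid() */
#define PRIV_NET_BIND ((privset_t)1 << 1)   /* bind a reserved port */
#define PRIV_KILL     ((privset_t)1 << 2)   /* signal other users' processes */

struct proc_privs { privset_t effective, permitted, inheritable; };
struct file_privs { privset_t permitted, inheritable; bool effective; };

/* Centralised check in the spirit of priv(9): only the effective set grants. */
bool priv_check(const struct proc_privs *p, privset_t priv)
{
    return (p->effective & priv) == priv;
}

/* Exec-time rule (POSIX.1e draft, assumed): file-permitted bits are granted
 * unconditionally (the setuid-like path); file-inheritable bits only where the
 * old process also held them inheritable. The inheritable set itself survives. */
struct proc_privs privs_exec(const struct proc_privs *old, const struct file_privs *f)
{
    struct proc_privs n;
    n.permitted   = f->permitted | (f->inheritable & old->inheritable);
    n.inheritable = old->inheritable;
    n.effective   = f->effective ? n.permitted : 0;
    return n;
}

/* Raise a privilege into the effective set; allowed only if it is permitted. */
bool privs_raise(struct proc_privs *p, privset_t priv)
{
    if ((p->permitted & priv) != priv)
        return false;
    p->effective |= priv;
    return true;
}

/* Drop a privilege from every set so that it can never be raised again. */
void privs_drop(struct proc_privs *p, privset_t priv)
{
    p->effective &= ~priv; p->permitted &= ~priv; p->inheritable &= ~priv;
}

int main(void)
{
    struct proc_privs parent = { 0, 0, PRIV_NET_BIND };  /* unprivileged, may inherit NET_BIND */
    struct file_privs f = { PRIV_SETUID, PRIV_NET_BIND | PRIV_KILL, true };
    struct proc_privs child = privs_exec(&parent, &f);
    printf("setuid:%d net_bind:%d kill:%d\n", priv_check(&child, PRIV_SETUID),
           priv_check(&child, PRIV_NET_BIND), priv_check(&child, PRIV_KILL));
    return 0;
}
```

Note that PRIV_KILL is not granted even though the file offers it as inheritable, because the parent never held it inheritable; only the file-permitted PRIV_SETUID arrives regardless of the parent's state.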
The TrustedBSD privileges project is currently inactive, but an
implementation of POSIX.1e privileges for an older FreeBSD release
is available and functional, and may be found in Perforce.
Certain key files are provided in a tarball for download on this
page.
The reason that these changes have not yet been integrated into
FreeBSD is that they represent a substantial risk, as they change
the superuser privilege model, and there have been a number of
vulnerabilities in other operating systems relating to both
implementation and logic errors with fine-grained privileges, and
this implementation has seen insufficient review.
Also, the in-kernel API for privilege checking is limited to a
32-bit or 64-bit privilege mask, which does not offer room for
sufficient future growth in privileges, or further fine-graining.
Up-to-date versions of the kernel API changes to perform
fine-grained privilege checking, without the privilege model
itself, may be found in the SEBSD branch,
and include modifications to the TrustedBSD MAC Framework to allow
MAC modules to deny privilege based on the POSIX.1e privilege
categories.
2006-03-26 FreeBSD 5.0 POSIX.1e privileges reference files
snapshot. These are reference BSD-licensed POSIX.1e privilege
files derived from an early TrustedBSD implementation, and do
not represent a complete or supported implementation. Download
20060326-cap.tgz (60K).