- RU.UNIX.BSD ------------------------------------------------------------------
 From : Slawa Olhovchenkov                  2:5030/500      08 Mar 2007  03:11:50
 To : All
 Subject : News from the fields
--------------------------------------------------------------------------------

TrustedBSD priv(9)

URL: http://www.TrustedBSD.org/
Contact: Robert Watson <rwatson@FreeBSD.org>

TrustedBSD priv(9) replaces suser(9) as an in-kernel interface for
checking privilege in FreeBSD 7.x. Each privilege check now takes a
specific named privilege. This allows both centralization of jail logic
relating to privilege, which is currently distributed around the kernel
at the point of each call to suser(9), and allows instrumentation of the
privilege logic by the MAC Framework. Two new MAC Framework entry points,
one to grant and the other to limit privilege, are now available,
providing fine-grained control of kernel privilege by policy modules.
This lays the kernel infrastructure groundwork for further refinement and
extension of the kernel privilege model.

The priv(9) implementation has been committed to FreeBSD 7-CURRENT. This
software was developed by Robert N. M. Watson for the TrustedBSD Project
under contract to nCircle Network Security, Inc.

Open tasks:
 1. Complete review of kernel privilege checks, removal of suser(9) jail
    flag now that checks are centralized.
 2. Explore possible changes to kernel privilege model along lines of
    POSIX.1e privileges, the Solaris privilege interface, etc. This has
    been explored previously as part of the TrustedBSD Capabilities
    project also.

TrustedBSD Audit

URL: http://www.TrustedBSD.org/audit.html
URL: http://www.OpenBSM.org/
Contact: Robert Watson <rwatson@FreeBSD.org>
Contact: Christian Peron <csjp@FreeBSD.org>
Contact: Wayne Salamon <wsalamon@FreeBSD.org>

FreeBSD 6.2-RELEASE, the first release of FreeBSD with experimental audit
support is now available.
The plan is to make audit a full production feature as of FreeBSD
6.3-RELEASE, with "options AUDIT" compiled in by default. A TODO list has
been posted to trustedbsd-audit.

OpenBSM 1.0 alpha 13, which includes support for XML record printing,
additional 64-bit token types, additional audit events, and more
cross-platform build support, has been released. OpenBSM 1.0 alpha 14,
which adds support for warnings clean building with gcc 4.1, will be
released shortly. The new OpenBSM release will be merged to FreeBSD CVS
in late January or early February.

Open tasks:
 1. Complete assignment of audit events to non-native and a few remaining
    native system calls. Add additional system call argument auditing.
 2. Merge MAC Framework hooks allowing MAC modules to control access to
    kernel audit services. Refine and merge MAC labeling support in
    audit, including support for MAC annotations in the audit trail.
 3. Complete pass through user space services adding audit support to
    system management tools (and ftpd). Work with third party software
    maintainers to add audit support for applications like xdm/kdm/gdm.
 4. Merge latest OpenBSM, including XML output support.

Porting ZFS to FreeBSD

URL: http://perforce.FreeBSD.org/depotTreeBrowser.cgi?FSPC=//depot/user/pjd/zfs
URL: http://www.opensolaris.org/os/community/zfs/porting/
URL: http://docs.FreeBSD.org/cgi/mid.cgi?20060822104516.GB16033
Contact: Pawel Jakub Dawidek <pjd@FreeBSD.org>

The ZFS file system works quite well on FreeBSD now. The first patchset
has already been published on the freebsd-fs@FreeBSD.org mailing list.
All file system methods are already implemented (except ACL-related).
Basically all stress tests I tried work, even under very high load. There
is still a problem with memory allocation, which can get out of control,
but from what I know the SUN guys also work on this.

Recently I have been working on a file system regression test suite. From
what I found, there are no such test suites for free.
I've already more than 3000 tests and I'm testing correctness of most
file system related syscalls (chflags, chmod, chown, link, mkdir, mkfifo,
open, rename, rmdir, symlink, truncate, unlink). I'm also working to make
it usable on other operating systems (like Solaris, where it already
works and Linux).

Few days ago I also (almost) finished NFS support. You can't use the
'zfs share' command yet, but you can export file systems via /etc/exports
and you can also access snapshots. It was quite hard, because snapshots
are separate file systems and after exporting the main file system, we
need to also serve data from snapshots under it.

The one big thing which is missing is ACL support. This is not an easy
task, because we first have to make some decisions. Currently we use
POSIX ACLs in our UFS, but the market is moving slowly to
NTFS/NFSv4-type ACLs. In Solaris they use POSIX ACLs for UFS and
NFSv4-type ACLs for ZFS and we probably also want to use NFSv4-type ACLs
in our ZFS, which requires some work outside ZFS.

Network Stack Virtualization

URL: http://imunes.tel.fer.hr/virtnet/
Contact: Marko Zec <zec@fer.hr>

The network stack virtualization project aims at extending the FreeBSD
kernel to maintain multiple independent instances of networking state.
This will allow for complete networking independence between jails on a
system, including giving each jail its own firewall, virtual network
interfaces, rate limiting, routing tables, and IPSEC configuration.

The prototype currently virtualizes the basic INET and INET6 kernel
structures and subsystems, including the TCP machinery and the IPFW
firewall. The focus is currently being kept on resolving bugs and
sporadic lockups, and defining the internal and management APIs. It is
expected that within the next month the code will become sufficiently
complete and stable for testing by early adopters.

... The climate is much milder in heaven, but the company is better in hell.
--- GoldED+/BSD 1.1.5
 * Origin: (2:5030/500)
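
The check structure that the priv(9) item above describes, as an added example: a simplified user-space C model, not FreeBSD kernel code and not part of the status report. The struct layouts, the model_* and demo_* names, the three sample privileges, the sample policy and the order of the checks are assumptions of this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed subset of named privileges, for this model only. */
enum priv { PRIV_KLD_LOAD, PRIV_NETINET_RESERVEDPORT, PRIV_VFS_MOUNT, PRIV_COUNT };

struct cred { unsigned uid; bool jailed; };

/* A policy module can limit (veto) or grant one named privilege. */
struct mac_policy {
    int (*limit)(const struct cred *, enum priv);   /* 0 = no objection */
    int (*grant)(const struct cred *, enum priv);   /* 0 = granted */
};

/* Jail logic lives in one table, not in a flag at every call site. */
static const bool jail_allowed[PRIV_COUNT] = { [PRIV_NETINET_RESERVEDPORT] = true };

/* Old style, for comparison: all-or-nothing, the caller names no privilege. */
int model_suser(const struct cred *c) { return c->uid == 0 ? 0 : EPERM; }

/* New style: every call names the privilege being exercised. */
int model_priv_check(const struct cred *c, enum priv p, const struct mac_policy *mac)
{
    int error;
    if (mac && mac->limit && (error = mac->limit(c, p)) != 0)
        return error;              /* policy can restrict even uid 0 */
    if (c->jailed && !jail_allowed[p])
        return EPERM;              /* central jail decision */
    if (c->uid == 0)
        return 0;                  /* traditional superuser */
    if (mac && mac->grant && mac->grant(c, p) == 0)
        return 0;                  /* policy can grant to a non-root user */
    return EPERM;
}

/* Constructed sample policy: no one loads kernel modules; uid 80 may bind low ports. */
static int demo_limit(const struct cred *c, enum priv p)
{ (void)c; return p == PRIV_KLD_LOAD ? EPERM : 0; }
static int demo_grant(const struct cred *c, enum priv p)
{ return (c->uid == 80 && p == PRIV_NETINET_RESERVEDPORT) ? 0 : EPERM; }
const struct mac_policy demo_policy = { demo_limit, demo_grant };

int main(void)
{
    struct cred jailed_root = { 0, true };
    /* Exit status 0 when jailed root is refused a mount but may bind a low port. */
    return !(model_priv_check(&jailed_root, PRIV_VFS_MOUNT, &demo_policy) == EPERM &&
             model_priv_check(&jailed_root, PRIV_NETINET_RESERVEDPORT, &demo_policy) == 0);
}
```

model_suser() cannot tell a jailed root's mount request from its low-port bind, which is why the old interface needed a jail flag at each call site; the named check separates them in one place.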