From 3aed7b375194858cef5594867ea0bedb7a6e40e5 Mon Sep 17 00:00:00 2001
From: Robert Watson <rwatson@FreeBSD.org>
Date: Fri, 16 Feb 2007 11:56:01 +0000
Subject: [PATCH] Add mandatory access control project idea. Add "Requirements"
 string ahead of requirement lists for two other TrustedBSD-related ideas I
 put in the list earlier.

---
 en/projects/ideas/index.sgml | 45 +++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/en/projects/ideas/index.sgml b/en/projects/ideas/index.sgml
index 7b6d67f199..280e0cb808 100644
--- a/en/projects/ideas/index.sgml
+++ b/en/projects/ideas/index.sgml
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//FreeBSD//DTD HTML 4.01 Transitional-Based Extension//EN" [
 <!ENTITY base CDATA "../..">
-<!ENTITY date "$FreeBSD: www/en/projects/ideas/index.sgml,v 1.83 2007/02/16 11:40:46 rwatson Exp $">
+<!ENTITY date "$FreeBSD: www/en/projects/ideas/index.sgml,v 1.84 2007/02/16 11:42:32 rwatson Exp $">
 <!ENTITY title "FreeBSD list of projects and ideas for volunteers">
 <!ENTITY % navinclude.developers "INCLUDE">
 <!ENTITY % developers SYSTEM "../../developers.sgml"> %developers;
@@ -117,6 +117,7 @@
   <li><a href="#p-distribaudit">Distributed audit daemon</a></li>
   <li><a href="#p-auditkernel">Audit kernel event sources</a></li>
   <li><a href="#p-securityregression">Security regression tests</a></li>
+  <li><a href="#p-mac">Mandatory Access Control</a></li>
 </ul>
 
 <h3>Userland / Installation Tools</h3>
@@ -1212,6 +1213,7 @@ will likely need some re-working of the kernel audit framework (which is
 currently entirely focused on gathering user and kernel system call audit
 data).
 </p>
+<p><strong>Requirements</strong>:</p>
 <ul>
   <li>Strong C programming skills.</li>
   <li>Familiarity with concurrent programming techniques.</li>
@@ -1236,6 +1238,7 @@ href="http://www.freebsd.org/cgi/cvsweb.cgi/src/tools/regression/">FreeBSD
 regression test tree</a>, but they are both incomplete and and inadequate.
 New tests must be created; existing tests must be completed and updated.
 </p>
+<p><strong>Requirements</strong>:</p>
 <ul>
   <li>Strong C programming skills.</li>
   <li>High tolerance for writing test code.</li>
@@ -1243,6 +1246,46 @@ New tests must be created; existing tests must be completed and updated.
   <li>Rigorous and devious mindset.</li>
 </ul>
 
+<a name="#p-mac"></a>
+<h2>Mandatory Access Control</h2>
+<p><strong>Technical contact</strong>: <a
+  href="mailto:rwatson@FreeBSD.org">&a.rwatson;</a></p>
+<p>
+FreeBSD 5.0 was the first FreeBSD release to ship with support for Mandatory
+Access Control (MAC), an access control technology allowing system
+administrators to implement multi-level security, integrity protection, and
+other "mandatory" policies.  Policies may be compiled into the kernel, or
+loaded as loadable kernel modules.
+Later revisions of FreeBSD and the MAC Framework enhanced MAC support,
+and additional policy modules were made available, such as a port of the
+SELinux FLASK/TE framework available as a third party policy module.
+However, many of the sample MAC modules included with FreeBSD are considered
+experimental examples of what the technology can be used for, rather than
+production policies.
+For example, the Biba integrity policy can be deployed in production, but
+requires significant tuning to do so effectively.
+</p>
+<p>
+This task involves a general review of the MAC Framework and Policy modules,
+with the goal of identifying improvement areas.  It also involves specific
+cleanups, optimizations, and completeness work on specific policy modules --
+most importantly, the Biba and MLS sample labeled policy modules.  Work there
+includes improving memory overhead and efficiency; for example, moving from
+allocating complete labels for every labeled object to referencing common
+label storage where labels are identical, which occurs a great deal of the
+time in most systems.
+Other cleanups include moving towards a canonical/extensible on-disk label
+storage format, adding regression tests, investigating interactions with user
+applications, and writing documentation.
+</p>
+<p><strong>Requirements</strong>:</p>
+<ul>
+  <li>Strong C programming skills.</li>
+  <li>Familiarity with OS security policies, including discretionary and
+    mandatory access control.<li>
+  <li>Familiarity with concurrent programming techniques.</li>
+  <li>Willingness to read the CC/CAPP specification.</li>
+</ul>
 <hr>
 
 <!------------------------------------------------------------------>