To Do List

  • RBAC integration:
    • Map Solaris roles to FMAC roles.
    • Support conversion of RBAC profiles to FMAC policy.
  • Expand the example policy:
    • Introduce suitable domain definitions so that no system service in the default install is left unconfined (initrc_t).
    • Provide policy for specific services of interest, e.g. Apache.
    • Demonstrate confinement of published vulnerabilities and classes of vulnerabilities.
  • Extend fine-grained privilege granting support:
    • Add controls to remaining secpolicy hooks.
    • Replace pfexec.
  • Extend filesystem labeling support:
    • Labeling of file types beyond just regular files and directories.
    • Labeling of devfs and dev nodes in order to control access to devices.
    • Default labeling for other pseudo filesystem types.
  • Control remaining process operations not mediated via *hasprocperm.
  • Control inheritance and receipt of open file descriptors.
  • Apply labeling and controls to additional objects and operations:
    • Label doors and control door IPC.
    • Label sockets and control socket IPC (local + network).
    • Label and control System V IPC.
    • Zone labeling and controls.
  • Investigate if further checks to limit the observability of /proc/pid state to other contexts are necessary, where they are not already mediated via priv_proc_cred_perm().
  • Read the context of a process from its /proc/pid files.
  • Modify avc reporting to use the Solaris audit facility.
  • Add labeling to the image packaging system (IPS).
  • Migrate to modern policy toolchain, version, and refpolicy.
Created by admin on 2009/10/26 12:13
Last modified by admin on 2009/10/26 12:13
