Hi!

Please take this as a base list for things to be discussed. Personally, I do believe that a module interface will be insufficient for RSBAC, SELinux and some other projects.

Amon.

-----------------------------

Already agreed (?)
------------------

- Pure mechanism without implied policy
- Kernel level interface
- Optional user space interface:
  - Hooks into kernel level interface
  - Compile time flag: not included, module, compiled in
  - Functionally as much as possible the same as the kernel level interface
- (De)registration functions for decision functions
  - List of requests the registered function is interested in
  - 32 bit (?) handle for all registration related stuff, which is only known to the registered module
  - Registration for decision and notification calls
  - Separate handling of logging modules, because these must always be called
- Single syscall for all registered modules
- Handle based dispatcher
  - (De)registration function
  - Decision dispatcher
    - Priority based: higher priority is called first
    - First version: if one function returns an error code, this is returned as the result
  - Logging functions always get called, and they are only called with the final result
- Old Linux AC model
  - Included as one registered decision function
- Proc interface:
  - dir: /proc/gaci
  - every module can register whatever is needed here
  - if a module registers several files, a subdir should be used

To be discussed
---------------

- Metapolicies (how are the single results combined into a final result?)
  - 'AND' (see above)
  - 'OR' (if one allows access, grant)
  - Configurable as a boolean expression
  - Priority based (needs an extra result code 'do not care', which means 'use lower priority')
- Interception
  - All syscalls or some?
  - Group syscalls or keep them separate? (Grouping makes the decision table simpler and allows intercepting common subfunctions instead of every single syscall, e.g. chown_common.)
  - Intercept all VFS functions
  - Intercept widely used helper functions, e.g. path_walk, lookup_one
  - 'Common Interest Table', which is updated whenever a function changes its set of requests
    - Decision / notification dispatcher is only called if the request is in the 'Common Interest Table'
  - What parameters are supplied to the decision/notification dispatcher? (Same as the syscall (unchecked), or preprocessed and pre-checked?)
- PROC interface
  - Each module must check whether the desired name already exists
  - Or: we provide a gaci_proc_register, which returns an error 'EEXIST' if the name exists
- Functionality of first version (proof of concept)
  - Intercept syscalls only
  - Kernel level interface only
  - Handle based (de)registration for decision, notification, logging, syscalls
  - 'AND' metapolicy
  - PROC interface with list of registered functions
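The dispatcher design in the list above (handle-based registration, priority ordering, a Common Interest Table that is rebuilt when a module changes its request set, loggers that are always called with the final result, and the three candidate metapolicies) is small enough to model in user space. The following C block is an added example written for this page; it is not gaci code from the thread or from any of the projects named. Every identifier (`gaci_register_decision`, `gaci_set_interests`, `gaci_request`, `GACI_DONT_CARE`, the `REQ_*` ids) and every rule in the sample modules is an assumption, as is the choice to fail closed when all modules answer 'do not care' under the priority metapolicy. The AND policy implements the proposed first version exactly: the first error code in priority order is the result.

```c
/* Userspace model of the gaci dispatcher sketched in the mail above (added example,
 * not code from the thread; every name, rule and sample module is an assumption). */
#include <errno.h>
#include <stdint.h>

enum { REQ_OPEN = 0, REQ_CHOWN = 1, REQ_EXEC = 2 };      /* request ids (a subset) */
#define REQ_BIT(r) (1u << (r))
#define REQ_ALL (REQ_BIT(REQ_OPEN) | REQ_BIT(REQ_CHOWN) | REQ_BIT(REQ_EXEC))
#define GACI_DONT_CARE 1        /* decision result: "use the next lower priority" */
#define MAX_MODULES 8

enum metapolicy { META_AND, META_OR, META_PRIORITY };
typedef int (*decision_fn)(int request, uint32_t subject);   /* 0 grant, -errno deny */
typedef void (*log_fn)(int request, uint32_t subject, int final_result);

struct decision_mod {
    uint32_t handle, interests;  /* handle known only to the module; REQ_* bitmask */
    int priority;                /* higher priority is consulted first */
    decision_fn fn;
};
static struct decision_mod mods[MAX_MODULES];   /* kept sorted by priority, descending */
static log_fn logs[MAX_MODULES];
static int nmods, nlogs;
static uint32_t common_interest;                /* 'Common Interest Table': union of interests */
static uint32_t next_handle = 0x7f000001u;      /* toy; a kernel needs unguessable handles */

static void rebuild_common_interest(void)       /* must follow every change of interests */
{
    common_interest = 0;
    for (int i = 0; i < nmods; i++) common_interest |= mods[i].interests;
}

uint32_t gaci_register_decision(decision_fn fn, uint32_t interests, int priority)
{
    if (nmods == MAX_MODULES || !fn) return 0;               /* 0 = registration failed */
    int pos = nmods;                                         /* insert by descending priority */
    for (; pos > 0 && mods[pos - 1].priority < priority; pos--) mods[pos] = mods[pos - 1];
    mods[pos] = (struct decision_mod){ next_handle++, interests, priority, fn };
    nmods++;
    rebuild_common_interest();
    return mods[pos].handle;
}

int gaci_set_interests(uint32_t handle, uint32_t interests)  /* handle-based update */
{
    for (int i = 0; i < nmods; i++)
        if (mods[i].handle == handle) {
            mods[i].interests = interests;
            rebuild_common_interest();
            return 0;
        }
    return -ENOENT;                                          /* unknown or forged handle */
}

int gaci_register_log(log_fn fn)
{
    if (nlogs == MAX_MODULES || !fn) return -ENOMEM;
    logs[nlogs++] = fn;
    return 0;
}

/* Single dispatch entry point. AND starts granted and stops at the first error; OR and
 * PRIORITY start denied (assumption: fail closed if every module defers) and stop at the
 * first grant / the first result that is not "do not care". Loggers are never skipped. */
int gaci_request(enum metapolicy mp, int request, uint32_t subject)
{
    int final = (mp == META_AND) ? 0 : -EACCES, decided = 0, seen_err = 0;
    if (!(common_interest & REQ_BIT(request))) { final = 0; decided = 1; }  /* nobody cares */
    for (int i = 0; i < nmods && !decided; i++) {
        if (!(mods[i].interests & REQ_BIT(request))) continue;
        int r = mods[i].fn(request, subject);
        switch (mp) {
        case META_AND:      decided = r < 0; break;
        case META_OR:       decided = r == 0; break;
        case META_PRIORITY: decided = r != GACI_DONT_CARE; break;
        }
        if (decided) final = r;
        else if (mp == META_OR && r < 0 && !seen_err) { final = r; seen_err = 1; }
    }
    for (int i = 0; i < nlogs; i++) logs[i](request, subject, final);  /* loggers always run */
    return final;
}

/* Constructed sample modules: the old Linux AC rule at the lowest priority, a stricter
 * policy above it, and a logging module that records what it was told. */
static int old_linux_ac(int request, uint32_t subject)   /* only uid 0 may chown */
{ return (request == REQ_CHOWN && subject != 0) ? -EPERM : 0; }
static int strict_exec(int request, uint32_t subject)    /* uid 1000 may not exec */
{ return (request == REQ_EXEC && subject == 1000) ? -EACCES : GACI_DONT_CARE; }
static int log_calls, log_last;
static void counting_log(int request, uint32_t subject, int final_result)
{ (void)request; (void)subject; log_calls++; log_last = final_result; }
int gaci_log_calls(void) { return log_calls; }
int gaci_log_last(void) { return log_last; }
uint32_t gaci_common_interest(void) { return common_interest; }
static uint32_t strict_handle;
uint32_t gaci_demo_setup(void)   /* register both modules and the logger once */
{
    if (strict_handle) return strict_handle;
    gaci_register_decision(old_linux_ac, REQ_ALL, 0);        /* lowest priority, every request */
    strict_handle = gaci_register_decision(strict_exec, REQ_BIT(REQ_EXEC), 10);
    gaci_register_log(counting_log);
    return strict_handle;
}
```

Two points the list leaves open show up directly in the code. First, the Common Interest Table decides whether the walk happens at all, so a module that drops a request from its set (`gaci_set_interests`) silently stops being consulted for it; in the model the old Linux AC module is registered for every request, which is what keeps that short-cut safe. Second, the OR metapolicy has to answer the question of which denial to report when nobody grants; the model reports the highest-priority one, which is a choice, not something the thread settled.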
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:21 PDT