GACI item list - to give some items for discussion

From: Amon Ott (aoat_private)
Date: Thu Apr 12 2001 - 01:22:09 PDT


    Hi!
    
    Please take this as a base list for things to be discussed.
    
    Personally, I do believe that a module interface will be insufficient for
    RSBAC, SELinux and some other projects.
    
    Amon.
    
    -----------------------------
    
    Already agreed (?)
    ------------------
    
    - Pure mechanism without implied policy
    
    - Kernel level interface
    
    - Optional user space interface:
       - Hooks into kernel level interface
       - Compile time flag: not included, module, compiled in
       - Functionally as much as possible the same as kernel level interface
    
    - (De)registration functions for decision functions
       - List of requests the registered function is interested in
   - 32 Bit (?) handle for all registration related stuff, which is only known
       to the registered module
       - Registration for decision and notification calls
       - Separate handling of logging modules, because these must always be called
    
    - Single syscall for all registered modules
       - Handle based dispatcher
       - (De)registration function
    
    - Decision dispatcher
       - Priority based: higher priority is called first
       - First version: If one function returns error code, this is returned as
           result
       - Logging functions always get called, and they are only called with the
           final result
    
    - Old Linux AC model
       - Included as one registered decision function
    
    - Proc interface:
       - dir: /proc/gaci
       - every module can register whatever is needed here
       - if a module registers several files, a subdir should be used
    
    
    To be discussed
    ---------------
    
    - Metapolicies (how are the single results combined to a final result)
       - 'AND' (s.a.)
       - 'OR' (if one allows access, grant)
       - Configurable as boolean expression
       - Priority based (needs extra result code 'do not care', which means 'use
          lower priority')
    
    - Interception
       - All syscalls or some?
   - Group syscalls or keep them separate? (grouping makes the decision table
     simpler and allows intercepting common subfunctions instead of every
     single syscall, e.g. chown_common)
       - Intercept all VFS functions
       - Intercept widely used helper functions, e.g. path_walk, lookup_one
       - 'Common Interest Table' which is updated, whenever a function changes
         its set of requests
   - Decision / notification dispatcher is only called if the request is
     in the 'Common Interest Table'
       - What parameters are supplied to the decision/notification dispatcher?
         (Same as syscall (unchecked) or preprocessed and -checked?)
    
    - PROC interface
  - Each module must check if the desired name already exists
  - Or: we provide a gaci_proc_register, which returns an error 'EEXIST'
    if the name exists
    
- Functionality of first version (proof of concept)
       - Intercept syscalls only
       - Kernel level interface only
       - Handle based (de)registration for decision, notification, logging,
         syscalls
       - 'AND' metapolicy
       - PROC interface with list of registered functions
    
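The list above sketches a handle-based registration scheme, a 'Common Interest Table', a priority-ordered decision dispatcher, three candidate metapolicies and a logging hook that only sees the final result. The following user-space model is an added example, not code from the mail or from the GACI or RSBAC projects; the names (gaci_register, gaci_decide, the gaci_request enum), the fixed module table and the use of -13 (EACCES) as the deny code are assumptions made here to show how those pieces fit together.

```c
#include <stdint.h>
#include <stdio.h>

/* Request types a decision function can declare interest in (constructed). */
enum gaci_request { REQ_OPEN = 0, REQ_CHOWN = 1, REQ_EXEC = 2 };

/* Result codes: 0 grants, a negative errno denies, DONT_CARE defers to the
 * next lower priority (the extra code the mail asks for in the priority metapolicy). */
#define GACI_GRANT      0
#define GACI_DENY     (-13)   /* assumption: -EACCES */
#define GACI_DONT_CARE  1

enum gaci_metapolicy { META_AND, META_OR, META_PRIORITY };

typedef int (*gaci_decide_fn)(enum gaci_request req, uint32_t uid, void *ctx);

struct gaci_module {
    uint32_t handle;      /* 32-bit handle known only to the registering module */
    int priority;         /* higher priority is called first */
    uint32_t interest;    /* bitmask of requests this module wants to decide on */
    gaci_decide_fn decide;
    void *ctx;
    int used;
};

#define GACI_MAX_MODULES 8
static struct gaci_module modules[GACI_MAX_MODULES];
static uint32_t common_interest;   /* 'Common Interest Table': union of all masks */
static uint32_t next_handle = 1;
static int log_calls;              /* how often the logging hook has run */

/* Recomputed whenever a module's request set changes (register/unregister). */
static void rebuild_common_interest(void) {
    common_interest = 0;
    for (int i = 0; i < GACI_MAX_MODULES; i++)
        if (modules[i].used) common_interest |= modules[i].interest;
}

uint32_t gaci_register(int priority, uint32_t interest, gaci_decide_fn fn, void *ctx) {
    for (int i = 0; i < GACI_MAX_MODULES; i++) {
        if (modules[i].used) continue;
        modules[i] = (struct gaci_module){ .handle = next_handle++, .priority = priority,
                                           .interest = interest, .decide = fn, .ctx = ctx, .used = 1 };
        rebuild_common_interest();
        return modules[i].handle;
    }
    return 0;   /* table full; 0 is never a valid handle */
}

int gaci_unregister(uint32_t handle) {
    for (int i = 0; i < GACI_MAX_MODULES; i++) {
        if (!modules[i].used || modules[i].handle != handle) continue;
        modules[i].used = 0;
        rebuild_common_interest();
        return 0;
    }
    return -1;  /* unknown handle: only the owner should know it */
}

/* Walk interested modules in descending priority and combine their answers. */
static int dispatch(enum gaci_metapolicy meta, enum gaci_request req, uint32_t uid) {
    uint32_t bit = 1u << req;
    int visited[GACI_MAX_MODULES] = {0};
    int result = (meta == META_OR) ? GACI_DENY : GACI_GRANT;
    for (;;) {
        int best = -1;
        for (int i = 0; i < GACI_MAX_MODULES; i++) {
            if (!modules[i].used || visited[i] || !(modules[i].interest & bit)) continue;
            if (best < 0 || modules[i].priority > modules[best].priority) best = i;
        }
        if (best < 0) break;
        visited[best] = 1;
        int r = modules[best].decide(req, uid, modules[best].ctx);
        if (meta == META_AND && r < 0) return r;                  /* first error wins */
        if (meta == META_OR && r == GACI_GRANT) return GACI_GRANT; /* one grant suffices */
        if (meta == META_OR) result = r;
        if (meta == META_PRIORITY && r != GACI_DONT_CARE) return r; /* first opinion wins */
    }
    return result;  /* AND: nobody denied; OR: nobody granted; PRIORITY: all deferred */
}

/* Entry point: fast path when nobody registered interest, logging always sees the final result. */
int gaci_decide(enum gaci_metapolicy meta, enum gaci_request req, uint32_t uid) {
    int result = (common_interest & (1u << req)) ? dispatch(meta, req, uid) : GACI_GRANT;
    log_calls++;
    printf("gaci: req=%d uid=%u -> %d\n", (int)req, uid, result);
    return result;
}

int gaci_log_count(void) { return log_calls; }

/* Sample decision functions (constructed): one stand-in for the old Linux AC
 * model that grants everything, one that refuses chown to non-root, one that defers. */
static int grant_all(enum gaci_request r, uint32_t u, void *c) { (void)r; (void)u; (void)c; return GACI_GRANT; }
static int deny_nonroot_chown(enum gaci_request r, uint32_t u, void *c) {
    (void)c; return (r == REQ_CHOWN && u != 0) ? GACI_DENY : GACI_GRANT;
}
static int dont_care(enum gaci_request r, uint32_t u, void *c) { (void)r; (void)u; (void)c; return GACI_DONT_CARE; }

int main(void) {
    uint32_t strict = gaci_register(10, 1u << REQ_CHOWN, deny_nonroot_chown, NULL);
    gaci_register(5, (1u << REQ_OPEN) | (1u << REQ_CHOWN), grant_all, NULL);
    gaci_decide(META_AND, REQ_CHOWN, 1000);   /* denied by the strict module */
    gaci_decide(META_OR, REQ_CHOWN, 1000);    /* granted: the permissive module allows it */
    gaci_unregister(strict);
    gaci_decide(META_AND, REQ_CHOWN, 1000);   /* granted: nobody left to deny */
    return 0;
}
```

The 'AND' branch reproduces the first-version rule from the list (the first error code returned becomes the result), while the priority branch needs the 'do not care' code so that a high-priority module can hand the decision down instead of forcing a grant.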



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:21 PDT