User space API definition

From: Magosányi Árpád (magat_private)
Date: Mon Aug 18 2003 - 03:22:51 PDT


    Hi!
    
    I would like to draw your attention to Richard Offer's papers
    on an approach to a user space security API definition,
    especially the rationale paper.
    
    http://reality.sgiweb.org/offer/papers/PACM/
    
    He thought about the same thing years ago that
    I am thinking about now. It should not be a mere coincidence;
    it is a clear sign of the Right Way(TM).
    I think that there should be an API definition which
    is suitable for all major security module writers and
    also for the userspace folks.
    I propose to create the API definition based on the
    best features of Richard's paper, the libselinux and
    the librsbac interface.
    
    Actually I think that the libselinux API interface is
    generic enough to use, only the sid should be an opaque
    value which references the security attributes maintained
    by all modules for a given subject/object. And of course the
    sid_to_context and context_to_sid calls should be able
    to handle the string representation of all of the attrs
    of all modules.
    I propose the following deviations from that API:
    -functions to get only the security attributes of the
     subject/object (like a stat version which does not care
     about getting struct stat)
    -convenience functions with text representation of the
     attrs
    -the pam-like approach of Richard
    -have a more generic interface instead of security_compute_av
    	The problem here is that the access vectors are highly
    	different in all modules, and we also need to ask for
    	generic operations, like read and write (not read(2)
    	or write(2)). Maybe an interface like
    	decide(operation_t operation, sid object, sid subject)
    	would be better. It is important that all modules should
    	be able to decide on a small set of generic operations
    	I propose it to be read, write, control and feedback.
    	(Well, I have an access control model based on Bell-LaPadula,
    	but concerned with access control and covert channel reduction
    	with network connections.)
    -a way to unambiguously describe all security attributes for all modules.
      It is a matter of a simple syntactic rule.
      attribute := <module>*
      module := <modulename>'{'<module-specific attr representation>'},'
      modulename is the name of the module, and the basic requirement
      on the attr representation is that it should balance '{' and '}'
    -avoiding namespace clashes? Even the names of the selinux functions
     are fairly generic. But they are allocated by selinux. But we have
     the string "pacm" to put in the appropriate places.
    
    What do you think of it?
    
    -- 
    GNU GPL: only from a clean source
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
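The attribute syntax proposed in the mail (attribute := <module>*, module := <modulename>'{'<body>'},'), as an added parser example that is not from the mail, libselinux or librsbac: it splits a string such as `selinux{...},rsbac{...},` into per-module entries while tracking brace depth, so a module body may itself contain balanced braces; the module names and body contents used below are constructed samples, and `pacm_` is an assumed prefix.

```c
#include <stddef.h>
#include <string.h>
#define PACM_MAX_MODULES 16
/* One parsed module entry; both pointers point into the caller's input string. */
struct pacm_attr {
    const char *module; size_t module_len;   /* <modulename> */
    const char *body;   size_t body_len;     /* text between the outer braces */
};
/* Parse  attribute := <module>*   module := <modulename>'{'<body>'},'
 * Bodies may contain nested balanced '{' '}' pairs, so brace depth is tracked
 * rather than stopping at the first '}'. Returns the module count, or -1 if malformed. */
int pacm_parse(const char *s, struct pacm_attr *out, int max)
{
    int n = 0;
    while (*s) {
        const char *name = s;
        while (*s && *s != '{' && *s != '}' && *s != ',') s++;
        if (n >= max || *s != '{' || s == name) return -1; /* empty name / missing '{' */
        out[n].module = name;
        out[n].module_len = (size_t)(s - name);
        out[n].body = ++s;                               /* skip '{' */
        for (int depth = 1; depth > 0; s++) {
            if (*s == '\0') return -1;                   /* unbalanced braces */
            if (*s == '{') depth++; else if (*s == '}') depth--;
        }
        out[n].body_len = (size_t)(s - 1 - out[n].body); /* s is now past '}' */
        if (*s++ != ',') return -1;                      /* grammar requires '},' */
        n++;
    }
    return n;
}
/* Number of module entries in attr, or -1 if malformed. */
int pacm_count(const char *attr)
{
    struct pacm_attr mods[PACM_MAX_MODULES];
    return pacm_parse(attr, mods, PACM_MAX_MODULES);
}
/* 1 if attr is well-formed and carries module `name` with exactly the body `body`. */
int pacm_body_is(const char *attr, const char *name, const char *body)
{
    struct pacm_attr mods[PACM_MAX_MODULES];
    int n = pacm_parse(attr, mods, PACM_MAX_MODULES);
    for (int i = 0; i < n; i++)
        if (mods[i].module_len == strlen(name) && mods[i].body_len == strlen(body) &&
            !memcmp(mods[i].module, name, mods[i].module_len) &&
            !memcmp(mods[i].body, body, mods[i].body_len))
            return 1;
    return 0;
}
```

A consumer of a combined context string would call `pacm_body_is` or walk the `pacm_attr` array and hand each body to the owning module, which is the only party that has to understand its own representation.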
    This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 03:29:48 PDT