Hi! I would like to notify you of Richard Offer's papers on an approach to a user-space security API definition, especially the rationale paper:

http://reality.sgiweb.org/offer/papers/PACM/

He thought about the same thing years ago that I am thinking about now. It should not be a mere coincidence; it is a clear sign of the Right Way(TM).

I think that there should be an API definition which is suitable for all major security module writers and also for the userspace folks. I propose to create the API definition based on the best features of Richard's paper, the libselinux and the librsbac interface.

Actually I think that the libselinux API interface is generic enough to use, only the sid should be an opaque value which references the security attributes maintained by all modules for a given subject/object. And of course the sid_to_context and context_to_sid calls should be able to handle the string representation of all of the attrs of all modules.

I propose the following deviations from that API:

- functions to get only the security attributes of the subject/object (like a stat version which does not care about getting struct stat)

- convenience functions with text representation of the attrs

- the pam-like approach of Richard

- have a more generic interface instead of security_compute_av. The problem here is that the access vectors are highly different in all modules, and we also need to ask for generic operations, like read and write (not read(2) or write(2)). Maybe an interface like decide(operation_t operation, sid object, sid subject) would be better. It is important that all modules should be able to decide on a small set of generic operations; I propose it to be read, write, control and feedback. (Well, I have an access control model based on Bell&LaPadula, but concerned with access control and covert channel reduction with network connections.)

- a way to unambiguously describe all security attributes for all modules. It is a matter of a simple syntactic rule:

    attribute := <module>*
    module    := <modulename>'{'<module-specific attr representation>'},'

  modulename is the name of the module, and the basic requirement on the attr representation is that it should balance '{' and '}'.

- avoiding namespace clashes? Even the names of the selinux functions are fairly generic. But they are allocated by selinux. But we have the string "pacm" to put in the appropriate places.

What do you think of it?

--
GNU GPL: only from a clean source

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
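An added example (mine, not code from the post or from libselinux/librsbac) sketching the two proposals above in Python: a parser and formatter for the `<modulename>'{'...'},'` attribute syntax with balanced braces, and a generic decide() that asks every loaded module about one of the four generic operations. It uses attribute strings in place of opaque sids, and the "mls" module with its level=N field is constructed for illustration.

```python
from typing import Callable, Dict

GENERIC_OPS = ("read", "write", "control", "feedback")  # the post's four generic ops


def parse_context(ctx: str) -> Dict[str, str]:
    """Split 'selinux{...},mls{...},' into {module: module-specific attrs}.
    Braces inside a body must balance, so a body may itself contain '{...}'."""
    attrs: Dict[str, str] = {}
    i, n = 0, len(ctx)
    while i < n:
        open_brace = ctx.find("{", i)
        name = ctx[i:open_brace] if open_brace >= 0 else ""
        if not name.isidentifier():
            raise ValueError("bad module name at position %d" % i)
        depth, j = 1, open_brace + 1
        while j < n and depth:
            depth += {"{": 1, "}": -1}.get(ctx[j], 0)
            j += 1
        if depth or name in attrs:
            raise ValueError("unbalanced braces or duplicate module %r" % name)
        if j < n and ctx[j] != ",":
            raise ValueError("expected ',' after module %r" % name)
        attrs[name] = ctx[open_brace + 1:j - 1]
        i = j + 1
    return attrs


def format_context(attrs: Dict[str, str]) -> str:
    """Inverse of parse_context: one 'name{body},' unit per module."""
    return "".join("%s{%s}," % item for item in attrs.items())


def mls_decide(op: str, obj: str, subj: str) -> bool:
    """Constructed Bell-LaPadula style module: compares 'level=N' fields."""
    def level(a: str) -> int:
        return next((int(f[6:]) for f in a.split("|") if f.startswith("level=")), 0)
    ol, sl = level(obj), level(subj)
    if op == "read":
        return sl >= ol  # no read up
    if op == "write":
        return sl <= ol  # no write down
    return sl == ol      # control/feedback: same level only (constructed rule)


def decide(operation: str, obj: str, subject: str,
           modules: Dict[str, Callable[[str, str, str], bool]]) -> bool:
    """Generic decide(): every loaded module must grant the operation."""
    if operation not in GENERIC_OPS:
        raise ValueError("not a generic operation: %r" % operation)
    o, s = parse_context(obj), parse_context(subject)
    return all(fn(operation, o.get(m, ""), s.get(m, "")) for m, fn in modules.items())
```

Each module only ever sees its own brace-delimited slice of the string, so module-specific syntax (here the '|'-separated fields) never has to be understood by the generic layer.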
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 03:29:48 PDT