dazuko-devel

[Dazuko-devel] TAF vs. fine-grained masking


From: John Ogness
Subject: [Dazuko-devel] TAF vs. fine-grained masking
Date: Wed, 30 Mar 2005 10:05:31 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913

Hi,

I have been doing a lot of thinking and reviewing of Dazuko. The two hot topics lately include TAF (trusted application framework) and fine-grained masking. Here are my thoughts about the two similar, yet different features:


The trusted application framework has the advantage that you can have a helper application be safely ignored by Dazuko. I say safely because your helper application uses tokens to request access and can give up the trusted privileges as soon as it is finished (thus closing the "hole" behind it). Trusted applications are ignored from Dazuko as a whole (not just one group).

Trusted applications are ideal if a helper application needs to work with files as events occur (for example a file scanner). It works in a safe manner because it verifies with each access that the trusted process is the same process that requested trusted access originally. If a new process is seen (even if it has the same PID/UID), the process is stripped of trusted privileges.


Fine-grained masking allows your group to specify very specific events that should be watched and ignored. If a registered group is only interested in the EXEC activity of user 1000 in directory /usr, then this can be specified in the mask. Currently this is possible by having your application ignore the other events. But this causes wasted context switches and hurts system performance. Fine-grained masking is group-specific and the mask attributes are limited to the fields of the dazuko_access structure.

Fine-grained masking is ideal if you are only interested in very specific types of events. However, fine-grained masking is *not* intended to be used for helper applications. Although it could be (ab)used for this purpose, it may not be as safe because Dazuko is not doing checks to see if the "process" has changed. It is only matching the mask, which is PID/UID.


I really like the idea of fine-grained masking, because it generalizes and extends the existing AddExcludePath/AddIncludePath functions. It is also something that can improve performance for applications that are only interested in specific users and/or PIDs. But I would like to extend it even further to allow for removal of specific masks as well. This will eliminate the "all or nothing" approach currently implemented in masks.

I think that trusted applications are important for registered processes that would like to do "external work" on the files being accessed. An example of this is an anti-virus application using an all-purpose scan daemon.


Fine-grained masking will take more time than I originally thought, mainly because I want to do a "complete" implementation with individual mask removal included. This means that I will not include it in the 2.1.x series, but will plan it for the 2.2.x series. The main motivation for this decision is that 2.1.0-pre3 already includes many improvements over 2.0.6 and I want to get a stable release of it finished soon. Fine-grained masking will involve many fundamental changes in Dazuko (the underlying implementation as well as API extension) and we are too close to a 2.1.0 release to start digging up the code.

John Ogness

--
Dazuko Maintainer
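The difference the mail draws between the two features is easiest to see side by side: a mask is matched purely on event fields (PID, UID, event type, path), while trusted-application status is re-verified on every access and dropped as soon as a different process shows up behind the same PID/UID. The following Python model is an added illustration of that distinction and is not Dazuko's own code; the `Access` fields, the `start_time` process-identity token, and the include/exclude split of masks are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Access:
    """One file-access event as a registered group would see it (fields assumed)."""
    event: str        # e.g. "EXEC", "OPEN"
    pid: int
    uid: int
    filename: str
    start_time: int   # assumed process-identity token; a reused PID gets a new one


@dataclass(frozen=True)
class Mask:
    """A fine-grained mask: every non-None field must match the event."""
    event: Optional[str] = None
    uid: Optional[int] = None
    pid: Optional[int] = None
    path_prefix: Optional[str] = None

    def matches(self, a: Access) -> bool:
        if self.event is not None and a.event != self.event:
            return False
        if self.uid is not None and a.uid != self.uid:
            return False
        if self.pid is not None and a.pid != self.pid:
            return False
        if self.path_prefix is not None:
            prefix = self.path_prefix.rstrip("/") + "/"
            if not a.filename.startswith(prefix):
                return False
        return True


class Group:
    """A registered group whose masks can be added and removed individually."""

    def __init__(self) -> None:
        self.includes: List[Mask] = []
        self.excludes: List[Mask] = []

    def add_include(self, m: Mask) -> None:
        self.includes.append(m)

    def add_exclude(self, m: Mask) -> None:
        self.excludes.append(m)

    def remove_mask(self, m: Mask) -> bool:
        """Remove one specific mask rather than clearing all of them."""
        for masks in (self.includes, self.excludes):
            if m in masks:
                masks.remove(m)
                return True
        return False

    def interested(self, a: Access) -> bool:
        if any(m.matches(a) for m in self.excludes):
            return False
        return any(m.matches(a) for m in self.includes)


class TrustedRegistry:
    """Trusted-application table: trust is bound to a process, not to a PID."""

    def __init__(self) -> None:
        self._by_pid: Dict[int, tuple] = {}
        self._next_token = 1

    def grant(self, pid: int, uid: int, start_time: int) -> int:
        """Helper requests trust and receives a token it can later give back."""
        token = self._next_token
        self._next_token += 1
        self._by_pid[pid] = (uid, start_time, token)
        return token

    def revoke(self, token: int) -> bool:
        """Helper gives up its trusted status when its work is done."""
        for pid, (_, _, t) in list(self._by_pid.items()):
            if t == token:
                del self._by_pid[pid]
                return True
        return False

    def is_trusted(self, a: Access) -> bool:
        entry = self._by_pid.get(a.pid)
        if entry is None:
            return False
        uid, start_time, _ = entry
        if (uid, start_time) != (a.uid, a.start_time):
            # A different process is now behind this PID/UID: strip trust.
            del self._by_pid[a.pid]
            return False
        return True


def deliver(group: Group, registry: TrustedRegistry, a: Access) -> bool:
    """True if the group should be woken up for this event."""
    return not registry.is_trusted(a) and group.interested(a)
```

The last assertion pair in a quick run shows the caveat from the mail: an exclude mask on a PID keeps matching after that PID has been reused by an unrelated process, whereas the registry notices the changed identity and drops the trust on the spot.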



