Re: [Dazuko-devel] RedirFS and Dazuko Filter

[John Ogness]

Frantisek Hrbata wrote:
> I have prepared the Dazuko Filter patch for Dazuko 2.2.0. Could you please 
> check it? 

Hi,

I looked at the patch. It should work ok, but there are some things I
want the RedirFS integration to be a bit differently (so that it is more
efficient). The integration should be similar to the RSBAC integration.
Since this would result in a lot of copy/paste code, I will think about
a way to restructure the code so that this does not happen. (After all,
Linux support should only be implemented once.)

I also don't want to patch dazuko_core.c with RedirFS-specific code.
Dazuko_Core is a cross platform layer that shouldn't include such
ifdef's. However, I need to add hooks to the core, so that
include/exclude paths can be handled by external modules.

All of this shouldn't be too much work and will result in a cleaner
support for RedirFS. Until then, the patch looks like it would work just
fine.

One comment about RedirFS for Dazuko: In your paper on RedirFS you
described that the PID of the priveledged app must be provided to the
kernel module. Since Dazuko has its own mechanism to provide these
checks (dynamically at runtime), it would be helpful if RedirFS would
allow filters to decide who is allowed and who is not. This is actually
not so simple because you probably don't want to trust filters at that
level. But it's just something to think about.

I will keep you posted with my work about integrating RedirFS into the
official Dazuko branch.

John Ogness

-- 
Dazuko Maintainer