[rsbac] Isolation of processes

Amon Ott rsbac@rsbac.org
Fri, 8 Feb 2002 10:31:30 +0100


On Friday, 8. February 2002 02:07, Jörg Lübbert wrote:
> I'd like to hear your opinion about some thoughts of mine.
>
> My aim is to run daemons that can only be terminated or started by a
> special user and not root and that these daemons are totally isolated
> process/ipc wise.

The 'official' solution is to give the processes and their IPC connections a 
separate RC type:

- Create new process and IPC types as desired
- Create a 'daemon starter' role, which is allowed to execute the daemons
- Give this role the above default_process_{create|execute}_type and 
default_ipc_create_type (see model description)
- Set rights to these types for all roles as desired
- Make a starter script with 'daemon starter' as initial role, which starts 
all the daemons

You can check the process types with rsbac_process_menu. Certainly, you can 
use several roles and types.

Daemon programs, which fork the daemon process itself from a starter process, 
are even easier: Just give their forced/initial role (if you have one) a 
default_process_create_type.

For IPC (except sockets in 1.1.2, which are not well controlled) there is no 
simple solution for checking - IPC objects are difficult to address.

> I'm now wondering if such a daemon is a wise choice or if there might be
> better ideas to achieve what I want and if you think that potential
> risks of such a daemon are exceeding the extra security of isolated
> processes.

A start script should be enough, but a daemon could juggle with roles and 
types more easily.

In 1.2.0, you can also use the CAP module to allow starting of daemons from 
normal user accounts (e.g. after a setuid) with their roles.

Amon.
--
http://www.rsbac.org
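The following is an added illustration, not part of the post and not RSBAC code: a small Python model of the RC-style isolation Amon describes. Role, type and right names (system_admin, daemon_starter, isolated_daemon_process, SEND_SIGNAL, and so on) are constructed for the example; RSBAC itself identifies roles and types by number and has its own request names. What it shows is the mechanism behind the recipe: access is decided by the subject's role against the object's type, and a new process or IPC object receives the type set by the creating role's default_process_create_type / default_ipc_create_type, so a root shell running in the ordinary role has no rights on the daemons or their IPC objects, while the daemon starter role does.

```python
"""Toy model of RC-style process/IPC isolation (added example, not RSBAC code).

Names below are constructed for illustration; RSBAC uses numeric role and
type ids and its own request names.
"""
from dataclasses import dataclass

# Constructed type names (RSBAC would use numeric type ids).
GENERAL_PROC = "general_process"
DAEMON_PROC = "isolated_daemon_process"
GENERAL_IPC = "general_ipc"
DAEMON_IPC = "isolated_daemon_ipc"

# Constructed right names for this model.
SEND_SIGNAL = "SEND_SIGNAL"
TERMINATE = "TERMINATE"
READ_WRITE = "READ_WRITE"


@dataclass
class Role:
    name: str
    process_rights: dict   # {process_type: {right, ...}}
    ipc_rights: dict       # {ipc_type: {right, ...}}
    # Type given to processes / IPC objects created under this role
    # (the post's default_process_create_type and default_ipc_create_type).
    default_process_create_type: str = GENERAL_PROC
    default_ipc_create_type: str = GENERAL_IPC


@dataclass
class Process:
    pid: int
    role: Role
    ptype: str


@dataclass
class IpcObject:
    ipc_id: int
    itype: str


class RCPolicy:
    """Holds the process and IPC tables and answers access requests."""

    def __init__(self):
        self.procs = {}
        self.ipcs = {}
        self._next = 1

    def _alloc(self):
        n = self._next
        self._next += 1
        return n

    def create_process(self, role):
        # A new process inherits the creating role's default process type.
        p = Process(self._alloc(), role, role.default_process_create_type)
        self.procs[p.pid] = p
        return p

    def create_ipc(self, creator):
        # A new IPC object gets the creator's role default IPC type.
        o = IpcObject(self._alloc(), creator.role.default_ipc_create_type)
        self.ipcs[o.ipc_id] = o
        return o

    def may_process(self, subject, target_pid, right):
        # Decision: does the subject's role hold `right` on the target's type?
        target = self.procs[target_pid]
        return right in subject.role.process_rights.get(target.ptype, set())

    def may_ipc(self, subject, ipc_id, right):
        obj = self.ipcs[ipc_id]
        return right in subject.role.ipc_rights.get(obj.itype, set())


def build_policy():
    """Roles from the post: an ordinary admin role and a 'daemon starter' role."""
    admin = Role(
        name="system_admin",   # what a root shell normally runs as
        process_rights={GENERAL_PROC: {SEND_SIGNAL, TERMINATE}},
        ipc_rights={GENERAL_IPC: {READ_WRITE}},
    )
    starter = Role(
        name="daemon_starter",
        process_rights={DAEMON_PROC: {SEND_SIGNAL, TERMINATE}},
        ipc_rights={DAEMON_IPC: {READ_WRITE}},
        default_process_create_type=DAEMON_PROC,
        default_ipc_create_type=DAEMON_IPC,
    )
    return admin, starter


def demo():
    """Walk through the scenario; returns the decisions so they can be checked."""
    admin, starter = build_policy()
    policy = RCPolicy()
    root_shell = policy.create_process(admin)    # type: general_process
    starter_sh = policy.create_process(starter)  # the starter script
    daemon = policy.create_process(starter)      # type: isolated_daemon_process
    queue = policy.create_ipc(daemon)            # type: isolated_daemon_ipc
    return {
        "root_can_kill_daemon": policy.may_process(root_shell, daemon.pid, TERMINATE),
        "starter_can_kill_daemon": policy.may_process(starter_sh, daemon.pid, TERMINATE),
        "root_can_use_daemon_ipc": policy.may_ipc(root_shell, queue.ipc_id, READ_WRITE),
        "daemon_can_use_own_ipc": policy.may_ipc(daemon, queue.ipc_id, READ_WRITE),
        "daemon_can_signal_root_shell": policy.may_process(daemon, root_shell.pid, SEND_SIGNAL),
        "daemon_type": daemon.ptype,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the isolation runs both ways: because the daemon starter role holds no rights on the general process type, a compromised daemon cannot signal ordinary processes either. In a real RSBAC setup the same effect is obtained with the numbered types and roles set through the RC admin tools, and the post's caveat about IPC other than sockets in 1.1.2 still applies.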