[rsbac] Resources and Enhanced Role Compatibility
Jörg Lübbert
rsbac@rsbac.org
Thu Oct 24 09:30:02 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello!
First of all I have to say how much I love RSBAC yet again ;) But being
a perfectionist I always see things that could be done better.
Having played around with role compatibility of the RC (Should be called
RBAC to avoid confusion between the compatibility of roles and the role
based access control module) module I thought that it might be great to
have an enhanced role compatbility. Why? Because the RC module would be
even more powerful if a user can be more than one role at the same time.
With this a new user can be made a website administrator next to a dns
administrator which would be its default role with just one modification
instead of having to adjust all fd and dev compatibilities. Sure you can
switch, but thats not good beacuse switching can become annoying on a
busy workday ;) Also the role could be a program with an initial role.
And recoding the program to switch whenever possible is not really good
;) That's why I came up with the idea of a new role compatibility
matrix. My basic idea is to have 2 new compatibilities in addition to
the normal switch only:
Positive overlap: Roles that overlap with others positively acquire all
rights from other roles in addition to their own.
Negative overlap: Roles that overlap with others negatively will only
receive rights that all other negatively overlapping roles have as well.
Example:
X=Roles
Y=positive Overlap, negative Overlap and no Overlap (only switch) selection.
Enhanced Role Compatibility
Role 1
PO NO OS
role 1 -- -- --
role 2 XX -- --
role 3 -- XX --
role 4 XX -- --
Role 2
PO NO OS
role 1 XX -- --
role 2 -- -- --
role 3 XX -- --
role 4 XX -- --
Access (TYPE_COMP_FD)
Role 1
File 1 ---
File 2 RWX
File 3 ---
Role 2
File 1 RWX
File 2 R
File 3 RW
Role 3
File 1 -
File 2 R
File 3 RW
Role 4
File 1 RW
File 2 RW
File 3 RW
Role 1 accesess File 1
Check 1: Is Role 1 allowed? NO (Rights: --)
Check 2: Is there any negative role that is allowed? NO (Rights: --)
NOT GRANTED
Role 1 accesses File 2
Check 1: Is Role 1 allowed? YES (Rights: RWX)
Check 2: Is there any negative role that is allowed? YES (Rights: -RWX +
R = R)
R GRANTED
Role 2 accesses File 3
Check 1: Is Role 2 allowed? YES (Rights RW)
Check 2: Is there any negative role that is allowed? YES (Rights: Skip)
Check 3: Any positive roles? YES (Rights -RW + RWX = RWX)
RWX GRANTED
Problems:
1) Inter role compatibility is ways too complex for humans and a bit too
intensive for cpus (if role 1 wants to access a file then all roles it
is compatible to are checked for any roles it is compatible to for any
roles it is compatible to etc ;)
Solution: How about a kernel option for masterminds? Or how about one
level only (not to good I think). This would need some serious
discussion (or enough switches)
User Solution: Negative Overlapping is bad! Don't use it. (Negative
Overlapping is good according to least priviledge though ;)
2) Should a YES from check 1 be sufficient for access or should Check 2
still be called to see if a negatively overlapping rule prevents access?
Solution: Check 1 YES = "always yes" or kernel option for the paranoid
and masterminds.
I'd also love to see resource control to be possible via RSBAC, just
like GRSec for example does it:
· RES_CPU – CPU time in milliseconds
· RES_FSIZE – Maximum filesize in bytes
· RES_DATA – Maximum data size in bytes
· RES_STACK – Maximum stack size in bytes
· RES_CORE – Maximum core size in bytes
· RES_RSS – Maximum resident set size
· RES_NPROC – Maximum number of processes
· RES_NOFILE – Maximum number of open files
· RES_MEMLOCK – Maximum locked-in-memory in bytes
· RES_AS – Address space limit in bytes
· RES_LOCKS – Maximum file locks
Hope you like my ideas or know how my theory can be improved :)
- - Jörg Lübbert
- --
Core developer of:
Kaladix Linux - Secure And Versatile Linux Distribution
URL: http://www.kaladix.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE9tzvE4+zGoVB1iK8RAnW+AKDQ4zA4OYJmY2HzrrtSyfG1bqqcTgCffh0q
twd6icAIJ2p0L+c5sev8m2E=Oclb
-----END PGP SIGNATURE-----