[rsbac] Resources and Enhanced Role Compatibility

Jörg Lübbert rsbac@rsbac.org
Thu Oct 24 09:30:02 2002

Hash: SHA1


First of all I have to say how much I love RSBAC yet again ;) But being 
a perfectionist I always see things that could be done better.

Having played around with role compatibility of the RC (Should be called 
RBAC to avoid confusion between the compatibility of roles and the role 
based access control module) module I thought that it might be great to 
have an enhanced role compatbility. Why? Because the RC module would be 
even more powerful if a user can be more than one role at the same time. 
With this a new user can be made a website administrator next to a dns 
administrator which would be its default role with just one modification 
instead of having to adjust all fd and dev compatibilities. Sure you can 
switch, but thats not good beacuse switching can become annoying on a 
busy workday ;) Also the role could be a program with an initial role. 
And recoding the program to switch whenever possible is not really good 
;) That's why I came up with the idea of a new role compatibility 
matrix. My basic idea is to have 2 new compatibilities in addition to 
the normal switch only:

Positive overlap: Roles that overlap with others positively acquire all 
rights from other roles in addition to their own.
Negative overlap: Roles that overlap with others negatively will only 
receive rights that all other negatively overlapping roles have as well.


Y=positive Overlap, negative Overlap and no Overlap (only switch) selection.

Enhanced Role Compatibility
          Role 1
         PO  NO  OS
role 1  --  --  --
role 2  XX  --  --
role 3  --  XX  --
role 4  XX  --  --

           Role 2
         PO  NO  OS
role 1  XX  --  --
role 2  --  --  --
role 3  XX  --  --
role 4  XX  --  --

           Role 1
File 1      ---
File 2      RWX
File 3      ---

           Role 2
File 1      RWX
File 2      R
File 3      RW

           Role 3
File 1      -
File 2      R
File 3      RW

           Role 4
File 1      RW
File 2      RW
File 3      RW

Role 1 accesess File 1
Check 1: Is Role 1 allowed? NO (Rights: --)
Check 2: Is there any negative role that is allowed? NO (Rights: --)

Role 1 accesses File 2
Check 1: Is Role 1 allowed? YES (Rights: RWX)
Check 2: Is there any negative role that is allowed? YES (Rights: -RWX + 
R = R)

Role 2 accesses File 3
Check 1: Is Role 2 allowed? YES (Rights RW)
Check 2: Is there any negative role that is allowed? YES (Rights: Skip)
Check 3: Any positive roles? YES (Rights -RW + RWX = RWX)

1) Inter role compatibility is ways too complex for humans and a bit too 
intensive for cpus (if role 1 wants to access a file then all roles it 
is compatible to are checked for any roles it is compatible to for any 
roles it is compatible to etc ;)
Solution: How about a kernel option for masterminds? Or how about one 
level only (not to good I think). This would need some serious 
discussion (or enough switches)
User Solution: Negative Overlapping is bad! Don't use it. (Negative 
Overlapping is good according to least priviledge though ;)

2) Should a YES from check 1 be sufficient for access or should Check 2 
still be called to see if a negatively overlapping rule prevents access?
Solution: Check 1 YES = "always yes" or kernel option for the paranoid 
and masterminds.

I'd also love to see resource control to be possible via RSBAC, just 
like GRSec for example does it:

·  RES_CPU – CPU time in milliseconds
·  RES_FSIZE – Maximum filesize in bytes
·  RES_DATA – Maximum data size in bytes
·  RES_STACK – Maximum stack size in bytes
·  RES_CORE – Maximum core size in bytes
·  RES_RSS – Maximum resident set size
·  RES_NPROC – Maximum number of processes
·  RES_NOFILE – Maximum number of open files
·  RES_MEMLOCK – Maximum locked-in-memory in bytes
·  RES_AS – Address space limit in bytes
·  RES_LOCKS – Maximum file locks

Hope you like my ideas or know how my theory can be improved :)

- - Jörg Lübbert

- -- 
Core developer of:
Kaladix Linux - Secure And Versatile Linux Distribution
URL: http://www.kaladix.org
Version: GnuPG v1.0.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org