[rsbac] todo list item

Magosányi Árpád mag at bunuel.tii.matav.hu
Fri Mar 5 13:08:38 CET 2004


My mail client thinks that Amon Ott wrote the following:
> > So if you need one feature of jail, but blocked by another one,
> > you are in trouble. This is the case with ntpd, this is my case with
> > X, and I am sure that there are others out there with similar
> > problematic setups.
> 
> AFAIK, the only JAIL feature not available in RC with network templates and 
> ordinary chroot is the automatic adjustment of the "any" IP address 
> 0.0.0.0, but you can sure limit binding to only one (or more) address.

I happen to need exactly that feature.
One can argue that I actually need this feature added to the RC model,
but I think that a security implementation should be as simple as
possible.

> I agree that the hardwired SCD limits can be a burden, but from my 
> experience they work for almost all network and many local services. The 
> few percent not fitting into the scheme should rather be restricted by 
> other models than making JAILs more complicated, because that would be 
> against its main goal of simple usage.
> 
> X is an ugly beast, which is not easy to put into a preconfigured and 
> simple jail. What exactly is missing in this case? SCD kmem access? We 
> have still room for a few more flags, but SCD kmem makes me shudder.

We are talking here about avoiding creeping featurism. One way is
redesigning RSBAC, putting every feature where it needs to be, and making
the models orthogonal, so they can be used together. This would mean
that you should drop some features from certain models because they
are already implemented in other models, and you would have to
drop some models entirely. This would arguably mean that one should
either put more effort into configuring certain setups, or use smarter
tools (for example, the rsbac_jail program could be a script which
sets up an RC role with the needed accesses, does a chroot, a role
change, and an IP "any" adjustment).

Note that as it means a complete redesign, I did not propose this.
I am just proposing that every feature of the jail which makes it
non-orthogonal to other models could be turned off. This could mean
that the default is having these options turned on, so as not to surprise
the users. Yes, this certainly includes SCD kmem access, as it
is parallel with RC at least. It should not make you shudder:
having the other features of jail is better than having none of them.

-- 
GNU GPL: only from clean source