[rsbac] dynamic created devices

murf murf at post.cz
Sun Mar 27 11:26:54 CEST 2005


Hello,

I have an example of a problematic part of the configuration in rsbac-1.2.4.

The problematic part is defining an RC restriction on dynamically created 
pseudo-terminal slaves under /dev/pts, according to Unix98 pty naming
(we get descriptor pairs after opening /dev/ptmx).

Some subjects (daemons working with pseudo-terminals, e.g. sshd) would like 
READ_WRITE access to these dynamically created devices (on target DEV, not FD). 
But they are created with rc_type 0 of target DEV.

Here it is: we cannot allow READ_WRITE to rc_type 0 of target DEV, because it is 
the default type for all devices.

These possibilities come to my mind:

1) manage the subject (in the following named s_cre) which creates these devices, so that it creates 
them with a special rc dev type. But this is not possible in rsbac (there is only default rc fd type creation). 
If it were possible, there would also be some other problems, like that s_cre is in all probability 
run under root. So it would have to be the default dev created type for the user root role.
(e.g. the udevd process in userland for 2.6.11 kernels)

2) change the rc type of all devices to another type and then set the policy for the default created type
to be more benevolent. But this is not possible, because of dynamically created devices 
(today by udevd in most cases).

3) use another policy module like ACL. So one module allows the mentioned access (RC) 
and another disallows it (ACL). It's not elegant. It's only a workaround and it's not usable for users
who don't want to use another module just for these states.

4) we can define access on the directory for target DEV (devices inherit this setting
from the parent dir). It is the most elegant, but it's not implemented in RSBAC. 
Feature request? Please comment on this, if it's possible.

5) some other solution that I didn't mention. If you have any other idea, please
tell me.

Now I cannot effectively restrict subjects working with pseudo-terminals (e.g. sshd).

regards,

murf
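As an added illustration (example code written for this page, not from the original post and not part of RSBAC), the following C program does what the post describes sshd doing: it opens /dev/ptmx, which makes the kernel materialize a new slave node under /dev/pts, and then reads back that node's device number. The classifier is based on Linux's documented device-number assignments (char 5:2 for /dev/ptmx, char majors 136 to 143 for Unix98 pty slaves); the helper names are assumptions of this example. It shows why the slaves cannot be pinned to a fixed type in advance: each session gets a freshly created node with a device number out of a 2048-entry range, so any rule on target DEV has to address that range as a class rather than individual nodes.

```c
/* Added example (not from the original post or from RSBAC): allocate a
 * Unix98 pty pair via /dev/ptmx and classify the resulting device numbers.
 * Major numbers follow Linux's Documentation/admin-guide/devices.txt:
 * /dev/ptmx is char 5:2, Unix98 pty slaves are char majors 136-143.
 * Function and enum names are this example's own choices. */
#define _XOPEN_SOURCE 600
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

enum pty_kind { PTY_NONE = 0, PTY_PTMX = 1, PTY_UNIX98_SLAVE = 2 };

/* Classify a character device number. Pure function so it can be checked
 * without a real pty: major 5 minor 2 is the ptmx multiplexer, majors
 * 136..143 are the Unix98 slave range (each major carries 256 minors,
 * so /dev/pts/N maps to major 136 + N/256, minor N%256). */
enum pty_kind classify_dev(dev_t d)
{
    unsigned maj = major(d), min = minor(d);
    if (maj == 5 && min == 2)
        return PTY_PTMX;
    if (maj >= 136 && maj <= 143)
        return PTY_UNIX98_SLAVE;
    return PTY_NONE;
}

/* Recover the /dev/pts index a slave device number corresponds to, or -1
 * when the number is not in the Unix98 slave range. */
int pts_index(dev_t d)
{
    if (classify_dev(d) != PTY_UNIX98_SLAVE)
        return -1;
    return (int)((major(d) - 136) * 256 + minor(d));
}

/* Open a pty pair the Unix98 way (what sshd does per session) and report
 * the slave path and its device number. Returns 0 on success, -1 on error. */
int demo_open_pty(char *slave_path, size_t len, dev_t *slave_dev)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0) {
        close(master);
        return -1;
    }
    const char *name = ptsname(master);
    if (!name) {
        close(master);
        return -1;
    }
    snprintf(slave_path, len, "%s", name);
    struct stat st;
    int rc = stat(name, &st);  /* the slave node exists only from now on */
    if (rc == 0)
        *slave_dev = st.st_rdev;
    close(master);            /* closing the master removes the slave again */
    return rc;
}

int main(void)
{
    char path[64];
    dev_t dev = 0;
    if (demo_open_pty(path, sizeof path, &dev) != 0) {
        perror("pty");
        return 1;
    }
    printf("slave %s is char %u:%u (pts index %d, kind %d)\n", path,
           major(dev), minor(dev), pts_index(dev), classify_dev(dev));
    return 0;
}
```

Run it twice while another terminal is open and the slave path and device number differ between runs; the node vanishes as soon as the master descriptor is closed. That transient, per-session node is exactly what lands in the default rc_type 0 of target DEV that the post is trying to avoid granting READ_WRITE on.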

