[rsbac] Conditional rules

Javier Martínez tazok.id0 at gmail.com
Sun Jun 8 09:42:56 CEST 2008


Hi all, I think it would be useful to have some kind of mechanism to
grant or deny the access depending, for example, on the requests made by
the role that made them.

For example, we have two ways of executing untrusted scripts:
executing the file, which needs the EXECUTE and READ_OPEN rights, or
interpreting it, which needs only READ_OPEN. We could grant the access
to the execution only if both requests are made, to permit it to change
to the proper role, and deny the access in case of interpretation (as in
perl my_script).

Maybe it would be useful for other tasks but I'm not sure.

What do you think about this?

Would this be too costly to implement?

If it couldn't, what about some kind of mechanism to change a role at a
point of the execution? Think of systrace: we know all the syscalls
that a program makes, and their order, and we want to actively change the
role when, for example, it reaches the LISTEN request.

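The two mechanisms sketched in the post, a READ_OPEN on an untrusted script that is granted only when the same process just requested EXECUTE on that file, and a role change fired when a process reaches LISTEN, simulated as a small per-process decision engine. This is an added example, not code from RSBAC or from the poster: the class, the role names (user, script_runner, daemon_init, daemon_serving), the per-role deny table and the file paths are assumptions made up for the illustration, and the engine models the idea in user space rather than RSBAC's real RC module or its kernel data structures.

```python
"""Simulation of sequence-conditioned access rules (constructed example, not RSBAC code)."""
from collections import defaultdict

# Request names mirror RSBAC's request types (illustrative subset only).
EXECUTE, READ_OPEN, LISTEN = "EXECUTE", "READ_OPEN", "LISTEN"
GRANTED, NOT_GRANTED = "GRANTED", "NOT_GRANTED"


class SequencePolicy:
    """Toy decision engine keeping per-process state (assumed design, not RSBAC's)."""

    def __init__(self, untrusted_scripts, exec_role, role_transitions, role_denies):
        self.untrusted = set(untrusted_scripts)
        self.exec_role = exec_role            # role a process switches to on direct execution
        self.transitions = role_transitions  # {(role, request): new_role}, e.g. on LISTEN
        self.role_denies = role_denies        # {role: {request, ...}}, flat per-role denies
        self.role = {}                        # pid -> current role
        self.pending_exec = defaultdict(set)  # pid -> files whose EXECUTE was just granted
        self.log = []                         # (pid, role, request, target, decision)

    def decide(self, pid, request, target, initial_role="user"):
        role = self.role.setdefault(pid, initial_role)
        if request in self.role_denies.get(role, ()):
            decision = NOT_GRANTED
        elif target in self.untrusted and request == EXECUTE:
            # Direct execution: remember that this process asked to execute the script.
            self.pending_exec[pid].add(target)
            decision = GRANTED
        elif target in self.untrusted and request == READ_OPEN:
            # Loading the script after EXECUTE issues READ_OPEN on the same file;
            # "perl my_script" issues only READ_OPEN (its EXECUTE went to /usr/bin/perl).
            if target in self.pending_exec[pid]:
                self.pending_exec[pid].discard(target)   # one-shot: consumed by this open
                self.role[pid] = self.exec_role          # "change to the proper role"
                decision = GRANTED
            else:
                decision = NOT_GRANTED
        else:
            decision = GRANTED
        if decision == GRANTED:
            # Role transition keyed on the request that was just granted (e.g. LISTEN).
            new_role = self.transitions.get((self.role[pid], request))
            if new_role is not None:
                self.role[pid] = new_role
        self.log.append((pid, role, request, target, decision))
        return decision


def make_policy():
    # Constructed policy: one untrusted script, one LISTEN-triggered role change.
    return SequencePolicy(
        untrusted_scripts={"/home/user/my_script"},
        exec_role="script_runner",
        role_transitions={("daemon_init", LISTEN): "daemon_serving"},
        role_denies={"daemon_serving": {EXECUTE}},
    )


def direct_execution():
    """./my_script: EXECUTE then READ_OPEN on the same file by the same process."""
    p = make_policy()
    d1 = p.decide(100, EXECUTE, "/home/user/my_script")
    d2 = p.decide(100, READ_OPEN, "/home/user/my_script")
    return d1, d2, p.role[100]


def interpretation():
    """perl my_script: EXECUTE hits the interpreter, the script is only READ_OPENed."""
    p = make_policy()
    d1 = p.decide(101, EXECUTE, "/usr/bin/perl")
    d2 = p.decide(101, READ_OPEN, "/home/user/my_script")
    return d1, d2, p.role[101]


def listen_transition():
    """A daemon: once it reaches LISTEN its role changes and a later EXECUTE is denied."""
    p = make_policy()
    d1 = p.decide(102, EXECUTE, "/usr/sbin/httpd", initial_role="daemon_init")
    d2 = p.decide(102, LISTEN, "socket:0")
    d3 = p.decide(102, EXECUTE, "/bin/sh")
    return d1, d2, d3, p.role[102]


if __name__ == "__main__":
    print("direct execution :", direct_execution())
    print("interpretation   :", interpretation())
    print("listen transition:", listen_transition())
```

The pending EXECUTE mark is deliberately one-shot and tied to the same pid and file, because the dangerous path is a process obtaining a granted EXECUTE, abandoning the exec, and later opening the script as data; a real in-kernel implementation would additionally have to bind that mark to the execve actually in flight rather than to loose per-process state.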
