[rsbac] New decision module UDF
Amon Ott
ao at rsbac.org
Fri Dec 13 16:22:27 CET 2013
Hello all!
We now have a new decision module, User Space Decision Facility (UDF),
which is mostly meant as a replacement for DAZ (Dazuko) for malware
scanning. So far, it is only in the 3.10 git repository, but a new
release 1.4.8 will soon come with it. So far, it has done well in
several tests in production environments.
To keep module numbers consistent within 1.4 versions, I have decided to
remove the PM module, which has neither been updated nor known to be
used anywhere for several years, and use its number for UDF.
This is the Kconfig help text:
User Space Decision Facility (UDF) allows registering a user
space program (checker) through the RSBAC proc interface or the kernel
parameter rsbac_udf_checker=/path/to/prog to be called for
decisions, e.g. a virus scanner wrapper.
The request types leading to a check are listed in
include/rsbac/adf_main.h in the macro RSBAC_UDF_REQUEST_VECTOR.
Checking results may optionally be cached, see
CONFIG_RSBAC_UDF_CACHE below.
To avoid loops, the checker program should be marked as
udf_checker to bypass checking for this program.
Only UDF security administrators are allowed to modify udf_checked
or udf_checker.
The checker program has to exit with 0 for "allow", 1 for "deny",
254 for "temporary failure, allow" (do not cache) or 255 for
"temporary failure, deny" (do not cache). Any other exit code is
undefined, but for now treated as "deny". If the checker got
killed by a signal, it is treated as "temporary failure, deny".
Please note that the checker is started as a user mode process,
but with attributes inherited from the kernel context, e.g. its RC
role is the kernel role; explicitly set a force role for the
checker to have different rights.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
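The checker exit-code protocol from the help text above, as an added example that is not RSBAC's own code: a minimal checker following the 0/1/254/255 convention, and the caller-side mapping of the raw exit status (including death by a signal) to a decision plus a cache policy. The marker string, the function names and the decision not to cache undefined exit codes are assumptions of this example.

```python
import subprocess
import sys
import tempfile

ALLOW, DENY = "allow", "deny"
EXIT_ALLOW, EXIT_DENY = 0, 1                      # definitive: may be cached
EXIT_TMPFAIL_ALLOW, EXIT_TMPFAIL_DENY = 254, 255  # temporary: never cached
MARKER = b"CONSTRUCTED-MALWARE-MARKER"  # constructed stand-in for a scanner signature

def checker_exit_code(path):
    """Checker side: scan one file and return the exit code a checker would use."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return EXIT_TMPFAIL_DENY  # cannot read it right now: deny, do not cache
    return EXIT_DENY if MARKER in data else EXIT_ALLOW

def interpret(returncode):
    """Caller side: map a returncode (negative = killed by signal) to (decision, cacheable)."""
    if returncode < 0:  # checker killed by a signal: temporary failure, deny
        return DENY, False
    table = {EXIT_ALLOW: (ALLOW, True), EXIT_DENY: (DENY, True),
             EXIT_TMPFAIL_ALLOW: (ALLOW, False), EXIT_TMPFAIL_DENY: (DENY, False)}
    # Other codes are undefined and treated as deny; the help text does not say
    # whether they are cached, so this example does not cache them (assumption).
    return table.get(returncode, (DENY, False))

class UdfDecider:
    """Runs the checker via a callable(path) -> returncode; caches cacheable verdicts."""
    def __init__(self, run_checker):
        self.run_checker = run_checker
        self.cache = {}  # path -> decision
    def decide(self, path):
        if path in self.cache:
            return self.cache[path]
        decision, cacheable = interpret(self.run_checker(path))
        if cacheable:
            self.cache[path] = decision
        return decision

def subprocess_runner(checker_cmd):  # real runner: exec the registered checker with the path
    return lambda path: subprocess.run(list(checker_cmd) + [path]).returncode

if __name__ == "__main__":
    if len(sys.argv) == 2:  # invoked as the checker program itself
        sys.exit(checker_exit_code(sys.argv[1]))
    decider = UdfDecider(subprocess_runner([sys.executable, __file__]))
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"harmless prefix " + MARKER)
    print(decider.decide(f.name))  # deny
```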