[rsbac] New decision module UDF

Amon Ott ao at rsbac.org
Fri Dec 13 16:22:27 CET 2013


Hello all!

We now have a new decision module, User Space Decision Facility (UDF),
which is mostly meant as a replacement for DAZ (Dazuko) for malware
scanning. So far, it is only in the 3.10 git repository, but a new
release 1.4.8 will soon come with it. So far, it has done well in
several tests in production environments.

To keep module numbers consistent within 1.4 versions, I have decided to
remove the PM module, which has neither been updated nor known to be
used anywhere for several years, and use its number for UDF.

This is the Kconfig help text:

          User Space Decision Facility (UDF) allows registering a user
          space program (checker) through the RSBAC proc interface or the
          kernel parameter rsbac_udf_checker=/path/to/prog to be called
          for decisions, e.g. a virus scanner wrapper.
          The request types leading to a check are listed in
          include/rsbac/adf_main.h in the macro RSBAC_UDF_REQUEST_VECTOR.
          Checking results may optionally be cached, see
          CONFIG_RSBAC_UDF_CACHE below.

          To avoid loops, the checker program should be marked as
          udf_checker to bypass checking for this program.
          Only UDF security administrators are allowed to modify udf_checked
          or udf_checker.

          The checker program has to exit with 0 for "allow", 1 for "deny",
          254 for "temporary failure, allow" (do not cache) or 255 for
          "temporary failure, deny" (do not cache). Any other exit code is
          undefined, but for now treated as "deny". If the checker got
          killed by a signal, it is treated as "temporary failure, deny".

          Please note that the checker is started as a user mode process,
          but with attributes inherited from the kernel context. E.g. its
          RC role is the kernel role; explicitly set a force role for the
          checker if it should have different rights.



Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
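The exit-code protocol in the help text above is easy to get subtly wrong in a scanner wrapper (a scanner's own "error" status must not leak through as "allow", and an exec failure or signal death must land on the temporary, uncached side). The following C harness is an added example, not code from the RSBAC project or from this post: it runs a candidate checker from user space and maps the wait status onto the documented decisions, so a wrapper can be exercised before it is registered via proc or rsbac_udf_checker=. Two things are assumptions, not facts from the post: that the checker receives the object path as argv[1] (the post does not state the argument convention), and that an undefined exit code is not cached (the post only says it is treated as "deny"). The mk_exit_status/mk_signal_status helpers exist only so the mapping can be exercised without forking; they encode the Linux/glibc wait-status layout.

```c
/*
 * Added example (not RSBAC code): user space harness for a UDF checker.
 * Decision protocol from the UDF Kconfig help text:
 *   exit 0   -> allow                         (may be cached)
 *   exit 1   -> deny                          (may be cached)
 *   exit 254 -> temporary failure, allow      (do not cache)
 *   exit 255 -> temporary failure, deny       (do not cache)
 *   other    -> undefined, treated as deny    (caching not specified; not cached here)
 *   signal   -> temporary failure, deny       (do not cache)
 * Assumption: the checker gets the object path as argv[1].
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

enum udf_result { UDF_ALLOW = 0, UDF_DENY = 1 };

struct udf_decision {
    enum udf_result result;
    int cacheable;   /* 1: result may be cached; 0: temporary failure, do not cache */
    int undefined;   /* 1: exit code outside the documented protocol */
};

/* Map a wait(2) status onto the UDF decision protocol. */
struct udf_decision udf_decide(int status)
{
    struct udf_decision d = { UDF_DENY, 0, 0 };

    /* Killed by a signal: temporary failure, deny, do not cache. */
    if (WIFSIGNALED(status))
        return d;
    /* Anything that is not a normal exit is treated the same way. */
    if (!WIFEXITED(status))
        return d;

    switch (WEXITSTATUS(status)) {
    case 0:   d.result = UDF_ALLOW; d.cacheable = 1; break;
    case 1:   d.result = UDF_DENY;  d.cacheable = 1; break;
    case 254: d.result = UDF_ALLOW; d.cacheable = 0; break;
    case 255: d.result = UDF_DENY;  d.cacheable = 0; break;
    default:
        /* Undefined by the protocol; currently treated as deny.
         * Assumption: not cached, since the post does not say. */
        d.result = UDF_DENY; d.cacheable = 0; d.undefined = 1;
        break;
    }
    return d;
}

/* Fork and exec the checker with the object path as its only argument
 * (assumed convention). Returns -1 on fork/wait failure, 0 otherwise. */
int run_checker(const char *checker, const char *path, struct udf_decision *out)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(checker, checker, path, (char *)NULL);
        _exit(255);   /* exec failed: report temporary failure, deny */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    *out = udf_decide(status);
    return 0;
}

/* Linux/glibc wait-status layout, used only to exercise udf_decide()
 * offline: normal exit is code<<8, death by signal is the signal number
 * in the low 7 bits. */
int mk_exit_status(int code)  { return (code & 0xff) << 8; }
int mk_signal_status(int sig) { return sig & 0x7f; }

int main(int argc, char **argv)
{
    struct udf_decision d;

    if (argc != 3) {
        fprintf(stderr, "usage: %s /path/to/checker /path/to/object\n", argv[0]);
        return 2;
    }
    if (run_checker(argv[1], argv[2], &d) < 0) {
        perror("run_checker");
        return 2;
    }
    printf("%s%s%s\n",
           d.result == UDF_ALLOW ? "allow" : "deny",
           d.cacheable ? " (cacheable)" : " (temporary failure, not cached)",
           d.undefined ? " [undefined exit code]" : "");
    return 0;
}
```

Run it against a wrapper and a few sample files (clean, known-bad, unreadable) and confirm the scanner's own error status ends up as 254 or 255 rather than 0; the harness also makes the "killed by a signal" path visible, which is the case a wrapper cannot test by exit code alone.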