Thank you for trying CaitSith.
[email protected] wrote:
> 1. I thought such a scheme would require 12 rules, but actually it required 22
> rules, also because some acls, like link, rename, etc. have two arguments
> (like new_path, old_path) which should be checked separately.
>
Right. That's the reason why you can't write something like
1 acl writable_access path="/home/repo/\(\*\)/\*"
1 deny task.exe!="/usr/local/bin/repo-accessor"
1 allow
.
If we want a generic write permission, which actions should be included in it?
Some will say only write/append/truncate, some others will say
write/append/truncate/create, yet some others will say
write/append/truncate/create/link/rename, and so on.
If we simplify the granularity to read/write/execute (as DAC does), we lose the
benefit of fine-grained acls.
> # grep BACK policy/current
> 1 acl write path=@BACKUPS
> 1 acl append path=@BACKUPS
> 1 acl create path=@BACKUPS
> 1 acl unlink path=@BACKUPS
> 1 acl mkdir path=@BACKUPS
> 1 acl rmdir path=@BACKUPS
> 1 acl mkfifo path=@BACKUPS
> 1 acl mksock path=@BACKUPS
> 1 acl truncate path=@BACKUPS
> 1 acl symlink path=@BACKUPS
> 1 acl mkblock path=@BACKUPS
> 1 acl mkchar path=@BACKUPS
> 1 acl link old_path=@BACKUPS
> 1 acl link new_path=@BACKUPS
> 1 acl rename old_path=@BACKUPS
> 1 acl rename new_path=@BACKUPS
> 1 acl chmod path=@BACKUPS
> 1 acl chown path=@BACKUPS
> 1 acl chdrp path=@BACKUPS
s/chdrp/chgrp/
> 1 acl ioctl path=@BACKUPS
> 1 acl mount source=@BACKUPS
> 1 acl mount target=@BACKUPS
>
> I think I covered all operations that can modify files, excluding all that
> read only.
This is different from my expected usage.
In TOMOYO/AKARI/CaitSith, I'm allowing users to restrict actions as far as the
user's skill and resources afford. That is, you can choose which actions to restrict.
However, as one of CaitSith's advantages compared to TOMOYO/AKARI, you don't
have to treat all actions equally, because you can choose the conditions to check
and the conditions to allow/deny independently. Please see Chapter 4 in
http://events.linuxfoundation.org/images/stories/pdf/lcna_co2012_handa.pdf for
examples. For example, you can define rules for write/append/truncate (actions
which may change the content of a file) on a per-pathname basis
1 acl write path=@BACKUPS
1 acl append path=@BACKUPS
1 acl truncate path=@BACKUPS
and can define rules for create/link/rename/unlink (actions which may
change the content of a directory) on a per-device basis (the examples below
use /dev/sda2, whose major number is 8 and minor number is 2)
1 acl create path.parent.major=8 path.parent.minor=2
1 acl link old_path.major=8 old_path.minor=2
1 acl rename old_path.major=8 old_path.minor=2
1 acl unlink path.major=8 path.minor=2
or on a per-filesystem-type basis (the examples below use ext2/ext3/ext4, whose
filesystem magic number is 0xEF53)
1 acl create path.parent.fsmagic=0xEF53
1 acl link old_path.fsmagic=0xEF53
1 acl rename old_path.fsmagic=0xEF53
1 acl unlink path.fsmagic=0xEF53
and can define system-wide rules for mount/unmount
100 acl mount
1 deny task.exe!="/bin/mount"
10 allow target="/proc/" fstype="proc" flags=0x0
10 allow target="/sys/" fstype="sysfs" flags=0x0
10 allow target="/dev/pts/" fstype="devpts" flags=0x0
10 allow target="/dev/shm/" fstype="tmpfs" flags=0x0
10 allow target="/" fstype="--remount" flags=0x1
10 allow target="/" fstype="--remount" flags=0x400
10 allow target="sysfs:/kernel/security/" fstype="securityfs" flags=0x0
100 deny
1 acl unmount
1 deny task.exe!="/bin/umount"
.
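To make the evaluation order these examples rely on concrete, here is a small model of it in Python, added as an illustration and not CaitSith's own code. It assumes the semantics the examples above depend on: acl lines are tried in ascending priority, the allow/deny lines of a matching acl are tried in ascending priority and the first match decides, an acl with no matching allow/deny falls through to the next acl, and a request that nothing decides is permitted; the @BACKUPS group contents and the /usr/local/bin/backup program path are constructed.

```python
import re
# Constructed group table; a real policy defines @groups with its own group lines.
GROUPS = {"BACKUPS": {"/var/backups/db.sql", "/var/backups/etc.tar"}}
# Mount rules from the message above plus a constructed per-path rule for @BACKUPS;
# /usr/local/bin/backup is an assumed program name.
POLICY = """
100 acl mount
1 deny task.exe!="/bin/mount"
10 allow target="/proc/" fstype="proc" flags=0x0
100 deny
1 acl write path=@BACKUPS
1 deny task.exe!="/usr/local/bin/backup"
1 allow
.
"""

def cond_matches(cond, req):
    """One condition (task.exe!="/bin/mount", path=@BACKUPS, flags=0x0) against req."""
    key, op, val = re.fullmatch(r'([\w.]+)(!?=)(.*)', cond).groups()
    actual = req.get(key)
    if val.startswith("@"):                        # group membership
        hit = actual in GROUPS.get(val[1:], set())
    elif isinstance(actual, int):                  # numeric attribute, e.g. flags=0x400
        hit = bool(re.fullmatch(r"0x[0-9a-f]+|\d+", val.lower())) and actual == int(val, 0)
    else:                                          # exact string comparison
        hit = actual == val.strip('"')
    return hit if op == "=" else not hit

def parse_policy(text):
    """Attach each 'N allow|deny ...' line to the 'N acl ACTION ...' block above it."""
    acls = []
    for words in (line.split() for line in text.splitlines()):
        if len(words) < 2 or not words[0].isdigit():
            continue                               # blank lines and the "." terminator
        prio, kind = int(words[0]), words[1]
        if kind == "acl":
            acls.append((prio, words[2], words[3:], []))
        elif kind in ("allow", "deny") and acls:
            acls[-1][3].append((prio, kind, words[2:]))
    return acls

def evaluate(policy_text, req):
    """Return 'allow' or 'deny' for req: a dict holding 'action' and its attributes."""
    for _, action, conds, entries in sorted(parse_policy(policy_text), key=lambda a: a[0]):
        if action != req["action"] or not all(cond_matches(c, req) for c in conds):
            continue                               # this acl does not apply; try the next
        for _, verdict, econds in sorted(entries, key=lambda e: e[0]):
            if all(cond_matches(c, req) for c in econds):
                return verdict                     # first matching allow/deny decides
    return "allow"                                 # assumption: undecided requests pass
```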
> 2. I wonder why operations like touch file (acl create) report ENOENT instead
> of EPERM (which would be logical). ENOENT is confusing.
This is because /bin/touch ignores the failure of open(O_CREAT) but reports the
failure of utime().
"strace touch /tmp/file" with a rule like
1 acl create task.exe="/bin/touch"
1 deny
shows
open("/tmp/file", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK|O_LARGEFILE, 0666) = -1 EPERM (Operation not permitted)
utimensat(AT_FDCWD, "/tmp/file", NULL, 0) = -1 ENOENT (No such file or directory)
write(2, "touch: ", 7) = 7
write(2, "setting times of `/tmp/file'", 28) = 28
write(2, ": No such file or directory", 27) = 27
write(2, "\n", 1) = 1
.
_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en