[prev in list] [next in list] [prev in thread] [next in thread] 

List:       lids-user
Subject:    [lids] configuration file
From:       w.j.hengeveld
Date:       1999-10-24 18:26:45
[Download RAW message or body]

I order to support more complex restrictions, the configuration file
format
should be extended.

here are some ideas

1) for each restriction you can specify what files this should apply to.
---------------------------------------------
section allow read
/etc/passwd

section allow read, execute
/bin        

section allow read, append

# or another way of putting it:
section deny modify
/etc

-------------------------------------------------

2) for each file you specify the restrictions
-------------------------------------------------
/etc/passwd allow(read)
/bin        allow(read, execute)
/var/log    allow(read, append)
/dev/kmem   allow(read)
/dev        deny(rmdir)
/tmp        allow(readwrite)
/etc        deny(write)
/etc/utmp   allow(readwrite)
---------------------------------
3) maybe both formats should be allowed.



 the access types are defined in another section, where is specified
    which systemcalls this translates to.

define read
  sys_open(O_RDONLY)
  sys_stat
  sys_fstat
  sys_read
  sys_lseek

define append
  sys_open(O_RDONLY, O_APPEND)
  sys_stat
  sys_fstat
  sys_read
  sys_write

** I think that maybe this last configuration is something for a later
version,
   and first we just apply some predefined standard systemcall-sets.


willem

[prev in list] [next in list] [prev in thread] [next in thread]