Posted Jan 14, 2010 10:44 UTC (Thu) by cliffe (guest, #62958)
Parent article: FBAC-LSM
Thanks for the well educated write-up.
I agree, the code is a bit of a mess in places, particularly the vfs interface you accurately described. Thanks for persevering! I am in the process of cleaning up code, and yes, there is lots of work to be done. As you mentioned, I am looking for contributors to help make FBAC-LSM a production-ready system. So if anyone is interested, please let me know.
As part of my research I conducted a usability study which compared FBAC-LSM with AppArmor and SELinux. The results were encouraging! Adding (reduced feature) export to FBAC-LSM should provide some of the usability benefits of FBAC-LSM to these systems. Users can then benefit from the stability of the other systems while FBAC-LSM continues to be improved. The FBAC-LSM policy manager may even be extended to completely manage other LSMs such as AppArmor.
Allowing users to restrict the applications they run lets them protect their own security interests, such as controlling which applications have access to particular files they own. It can cause problems if programs assume they have more privileges than they have. In most cases it is the responsibility of the software developers to check that their assumptions are valid and that the program has access to the resources they expect access to. Most of the applications I have studied so far have fairly predictable needs, and are well modelled by FBAC functionalities. You bring up an interesting point, that the security goals of an administrator might actually require the granting of privileges to a program that a normal user runs, and that allowing a normal user to take these privileges away could present problems. I think that in most cases it is in the best interests of users to grant setuid programs the resources they require. If preventing access to resources causes the programs to misbehave in an insecure fashion, then perhaps the programs need to be updated. Having said that, it would not be hard to extend FBAC to allow administrators to specify which applications users are allowed to create policies for. I would be interested in further justifications for this.