Skip to content

farhan90/sys_rbac

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits

.gitignore

.gitignore

 
 

Kconfig

Kconfig

 
 

Kconfig.security

Kconfig.security

 
 

Kernel.config

Kernel.config

 
 

Makefile

Makefile

 
 

Makefile.security

Makefile.security

 
 

README

README

 
 

sys_rbac.c

sys_rbac.c

 
 

user_admin

user_admin

 
 

user_admin.c

user_admin.c

 
 

Repository files navigation

This is the documentation for SBRACK project

DESIGN
------
Since the project was an open ended project with no specification,I decided
to implement a very simple role based access model using Linux Security Model
framework. 

In my role based access model I first had to idenitfy the tasks which could
be performed on the file system. I decided to have simple tasks or operations
like reading,writing,renaming or creating or deleting a file. So i decided to 
have 3 main ops which are READ, RDWR, CRTDEL. 

The READ task or op only allows a user to read a file
The RDWR task allows someone to read a file, write to a file
The CRTDEL tasks allows someone to read,write, create,delete or rename a file

So any role can be assigned any of these 3 tasks, which can be performed by
the users of that role.

BUILDING THE MODULE
-------------------
I did not implement my LSM module as a loadable module since I could not use
the function register_module to register my security module. To get around the
problem I had to built the module as a security module.
To compile the module:

1) mkdir sysec in the security folder of the linux source code folder.
2) copy the sys_rbac.c, Kconfig, and Makefile into the sysec folder
3) copy the file Kconfig.security and Makefile.security into Kconfig and 
Makefile in the security directory
4) replace the .config file in linux source code folder with Kernel.config 
and rename the file .config
5) Run make, make modules_install and make install

USING THE USER PROGRAM
----------------------
The user program source code is in the user_admin.c file.

The user_admin executable can be used with these options:
	./user_admin -h  -- to print usage help
	./user_admin -l  -- to list all the user created roles
	./user_admin -c  -- to create a role
	./user_admin -a [USER NAME] [ROLE NAME] -- to assign a role to a user



WORKFLOW
--------
The workflow for the LSM works through the user program. Every time an admin 
user assigns a role to a regular user, the data is passed to the LSM through
the procfs. The LSM module maintains a linked list of all the users and their
roles.

So when a regular user tries to carry out a task he is not entitled too, he will receive an EPERM error.

A problem with this worflow design is that every time the system reboots
the kernel module looses all the user data. One solution would be for the module to write the data into a file and on initilization read from that file.
But file reading and writing is advised against in the kernel and since the 
module is built into the kernel reading a large file could slow the kernel down.

My work around this would be that the admin user creates backup scripts to
assign roles to users.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages