[systemd-devel] [PATCH/RFC] FuseMAC: user space MAC in systemd

Lennart Poettering lennart at poettering.net
Sun Mar 8 16:16:26 PDT 2015


On Mon, 02.03.15 22:49, Topi Miettinen (toiwoton at gmail.com) wrote:

> Intercept and filter filesystem operations of processes launched
> by systemd with FUSE.
> 
> Implement learning, enforcing and auto enforcing/learning modes,
> enabled with new exec directive FuseMAC.
> 
> FS operations can be filtered by access type (e.g. getattr/read,
> cf. AppArmor or TOMOYO Linux) or, for more fine-grained control,
> by which area of the file is being accessed.
> 
> Due to limitations of FUSE, API file systems can't be intercepted.
> 
> Also, the patch seems to trigger bugs in the kernel (CPU hangs).

Hmm, if I understand this patch right, then you proxy all file system
access through a userspace fuse tool to enforce additional access
restrictions?

Well, I am pretty sure that systemd should not be in the business of
implementing a new access control mechanism. It's fine to expose ones
that are supported in the kernel in ways, or even using things like
namespacing to implement access control, but it really shouldn't be
systemd that is the one enforcing file access rights here, I am very
sure. It might be the place to encode and configure policy, but not
the place to enforce it.

I think this is better done outside of systemd, and quite frankly, in
the kernel, already for performance reasons.

Sorry!

Lennart

-- 
Lennart Poettering, Red Hat
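To make concrete what the quoted patch description calls learning, enforcing and auto modes, and what filtering by access type versus by file area means, here is a small policy model written as an added example for this archive page. It is not the FuseMAC patch's code and not part of systemd; the paths, the operation names and the choice that "auto" mode enforces paths that already have a rule while learning paths that have none are all assumptions made for illustration. The FUSE request dispatch itself is left out; the example only shows the decision a userspace interposer would make per request, which is the part the thread is arguing about.

```python
"""Illustrative learning/enforcing/auto MAC policy for a FUSE-style filter.

Added example only: not the FuseMAC patch's code and not systemd's. The
semantics of "auto" mode (enforce known paths, learn unknown ones) and all
paths below are assumptions chosen for the demonstration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple

# Operations whose policy may be narrowed to byte ranges of the file
# (the "which area of the file" granularity mentioned in the thread).
RANGED_OPS = {"read", "write"}


class Mode(Enum):
    LEARNING = "learning"    # allow everything, record what was used
    ENFORCING = "enforcing"  # allow only what the policy lists, log denials
    AUTO = "auto"            # assumed: enforce paths with rules, learn the rest


@dataclass
class Rule:
    ops: Set[str] = field(default_factory=set)
    # Allowed byte ranges as [start, end) per op. An op with no entry here
    # is allowed on the whole file (access-type granularity only).
    ranges: Dict[str, List[Tuple[int, int]]] = field(default_factory=dict)


def merge_ranges(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Coalesce overlapping or adjacent [start, end) intervals."""
    out: List[Tuple[int, int]] = []
    for start, end in sorted(ranges):
        if out and start <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], end))
        else:
            out.append((start, end))
    return out


@dataclass
class Policy:
    mode: Mode
    rules: Dict[str, Rule] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _learn(self, path: str, op: str, offset: int, size: int) -> None:
        rule = self.rules.setdefault(path, Rule())
        rule.ops.add(op)
        if op in RANGED_OPS and size > 0:
            seen = rule.ranges.setdefault(op, [])
            seen.append((offset, offset + size))
            rule.ranges[op] = merge_ranges(seen)
        self.log.append(f"learn {op} {path} [{offset}:{offset + size}]")

    def _permitted(self, path: str, op: str, offset: int, size: int) -> bool:
        rule = self.rules.get(path)
        if rule is None or op not in rule.ops:
            return False  # path unknown or access type never granted
        allowed = rule.ranges.get(op)
        if allowed is None:
            return True   # access type granted on the whole file
        # Range-level rule: the request must fit inside one learned range.
        return any(s <= offset and offset + size <= e for s, e in allowed)

    def check(self, path: str, op: str, offset: int = 0, size: int = 0) -> bool:
        """Decide one filesystem request: True = allow, False = deny."""
        if self.mode is Mode.LEARNING:
            self._learn(path, op, offset, size)
            return True
        if self.mode is Mode.AUTO and path not in self.rules:
            self._learn(path, op, offset, size)
            return True
        ok = self._permitted(path, op, offset, size)
        if not ok:
            self.log.append(f"deny {op} {path} [{offset}:{offset + size}]")
        return ok


def demo() -> Tuple[Policy, Dict[str, bool]]:
    """Walk a constructed service through the three modes."""
    policy = Policy(Mode.LEARNING)
    policy.check("/etc/app.conf", "getattr")             # constructed path
    policy.check("/etc/app.conf", "read", 0, 4096)       # first 4 KiB only
    policy.mode = Mode.ENFORCING
    results = {
        "read_in_range": policy.check("/etc/app.conf", "read", 100, 200),
        "read_past_learned": policy.check("/etc/app.conf", "read", 8192, 16),
        "write_never_learned": policy.check("/etc/app.conf", "write", 0, 16),
        "unknown_path": policy.check("/var/lib/app/secret", "getattr"),
    }
    policy.mode = Mode.AUTO
    results["auto_learns_new_path"] = policy.check("/run/app.sock", "getattr")
    results["auto_still_denies_known"] = policy.check("/etc/app.conf", "write", 0, 16)
    return policy, results


if __name__ == "__main__":
    pol, res = demo()
    for name, verdict in res.items():
        print(f"{name:24s} {'allow' if verdict else 'deny'}")
    print("\n".join(pol.log))
```

The model makes Lennart's objection easy to see as well: every `check` call sits on the path of every request the service makes, so in a real FUSE interposer the cost of this decision (plus the two context switches FUSE adds) is paid per operation, which is the performance argument for doing enforcement in the kernel.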
