
RE: [Dazuko-devel] 2.1.0-pre3 posted


From: Tikka, Sami
Subject: RE: [Dazuko-devel] 2.1.0-pre3 posted
Date: Thu, 7 Apr 2005 18:43:51 +0300

>-----Original Message-----
>From: John Ogness [mailto:address@hidden 
>Sent: Thursday, April 07, 2005 4:43 PM
>To: Tikka, Sami
>Cc: address@hidden
>Subject: Re: [Dazuko-devel] 2.1.0-pre3 posted
>
>> int dazukoRegisterTrusted(const char *groupName, const char *token, 
>> int trust_children);
>
>What is meant by child processes - threads, forks, both?
>
>If a thread registers with trust_children=1, does Dazuko trust 
>the parent also?

Yes, that was my meaning. dazukoRegisterTrusted would make the caller and
optionally its children trusted. Perhaps the parameter name should be changed
to "also_children" or something.

As for the question about threads and/or forks, I was under the impression
that on Linux they are the same thing as far as the kernel is concerned. What
I mean is, is it even possible to tell threads and processes apart in a
Linux kernel module?

I no longer remember how they work on FreeBSD and Solaris. (It has been 6
years since I last coded something in the FreeBSD kernel and 4 years since my
Solaris kernel days.)

I would be happy if also_children applied to forked processes. If it applies
to threads too, it would be a bonus. (I think if you trust one thread in the
process, you really have to trust everything running in the same address
space.)

>When a trusted process does a fork-exec, do I trust this new 
>process as well?

Good question. I think you can make an argument for both cases. I only fork,
so exec is not important for me. Perhaps we can have an opinion from others
who want to use TAF?

>I like the idea of providing an option to trust "related processes", but I
>am concerned about the overhead. It would mean that when an access event
>occurs, Dazuko must search through all trusted processes and check if
>somehow this process is "related" to one of them. This might be expensive.
>Expensive is ok if it is justified. It is much cheaper if Dazuko knows ahead
>of time who can be trusted and who not.

In Linux every task has a pointer to its parent task and I don't think the
depth of the tree is usually very deep. And anyway, you would be walking the
tree up towards the root. Something like the following pseudo-code:

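int is_trusted_process(process *p, int child_process)
{
        if (p == NULL)          /* walked past the root: not trusted */
                return 0;
        if (is_member(list_of_trusted, p, child_process))
                return 1;
        if (p->parent == p)     /* the root task may be its own parent */
                return 0;
        /* ancestors are looked up with child_process set */
        return is_trusted_process(p->parent, 1);
}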

And, like you said, the complexity is in the is_member() that would have to
search a list of trusted processes. Preferably the list would be indexed with
the kernel process struct pointer. However, I would guess that usually the
number of processes that have called dazukoRegisterTrusted() is small, small
enough to be kept in a linked list. (Dazuko used to keep a linked list of
open files :)

-- 
Sami Tikka                tel. +358 9 2520 5115 
senior software engineer  fax. +358 9 2520 5014
                          mobile +358 40 7379388
F-Secure Corporation      http://www.f-secure.com
BE SURE
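
The ancestor walk discussed in this message, written out as an added example (not part of the original message and not Dazuko code). The struct task and struct trusted_entry types, the also_children field, MAX_DEPTH and the function names are hypothetical stand-ins for the kernel task struct and Dazuko's trusted list.

```c
#include <stddef.h>

#define MAX_DEPTH 1024   /* assumed bound so a corrupted parent chain cannot loop forever */

/* Hypothetical stand-in for the kernel task struct. */
struct task {
    int pid;
    struct task *parent;         /* the root task points to itself */
};

/* Hypothetical entry in the linked list of registered trusted tasks. */
struct trusted_entry {
    const struct task *task;     /* index key: the task struct pointer */
    int also_children;           /* flag given at registration time */
    struct trusted_entry *next;
};

/* Linear search; acceptable while only a few tasks have registered. */
static const struct trusted_entry *
find_entry(const struct trusted_entry *list, const struct task *t)
{
    for (; list != NULL; list = list->next)
        if (list->task == t)
            return list;
    return NULL;
}

/* Returns 1 if t registered itself, or if any ancestor registered with
 * also_children set; returns 0 otherwise (fail closed). */
int is_trusted_task(const struct trusted_entry *list, const struct task *t)
{
    int is_ancestor = 0;         /* 0 while examining t itself */
    int depth;

    for (depth = 0; t != NULL && depth < MAX_DEPTH; depth++) {
        const struct trusted_entry *e = find_entry(list, t);

        /* An ancestor's registration only counts if it covers children. */
        if (e != NULL && (!is_ancestor || e->also_children))
            return 1;
        if (t->parent == t)      /* reached the root task */
            break;
        t = t->parent;
        is_ancestor = 1;
    }
    return 0;
}
```

Because parentage is read at access time, a descendant whose chain to the registered task is broken (for example after being reparented to the root task) is no longer treated as trusted in this example.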


