
[Dazuko-devel] Re: Future of dazuko..

From: John Ogness
Subject: [Dazuko-devel] Re: Future of dazuko..
Date: Mon, 02 May 2005 12:52:09 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913

Jinu Mathew Joy wrote:
Basically we want to have a peep at Dazuko's roadmap and there is no
better person to answer this than you!


The 2.1.0 version of Dazuko is currently available as a pre-release. This new version has many dramatic changes to Dazuko over the 2.0.x version. Some of these include:

1. added abstraction layer to the userspace side
This makes it possible to port Dazuko to many other platforms (such as DOS and Windows).

2. no longer uses an internal list of "open files"
This takes care of all reported memory leak issues, increases speed, and increases event reliability. The internal list was used to be able to correctly identify "close" events. But a much more accurate and efficient method has been implemented for 2.1.0.

3. new "Trusted Application Framework"
This allows non-registered applications to be trusted by the Dazuko system. This is particularly useful for anti-virus scanners, where the scanning process is not the same process/thread as the registered process.

4. allowing "exec" events without causing kernel re-entrance
Before 2.1.0 if a registered application called an exec(), this caused an EXEC event to be generated and sent to the registered process. This "recursive" event could cause problems with applications not aware of this. With 2.1.0 the event is not generated for that application's group (it is still generated for the other groups). Applications no longer have to be afraid of calling functions that generate events (that they must handle).

5. separate configuration for each group
Before 2.1.0 all registered applications shared the same set of include/exclude paths and access mask. With 2.1.0 each group has its own set of configurations.

6. caching interface available
2.1.0 extends the interface to support systems that cache events (to reduce context switches). Currently only RSBAC systems support this feature.

7. 32/64-bit compatibility
2.1.0 will be able to support 64-bit kernels talking to 32-bit applications.

As you can see, 2.1.0 offers many significant changes over 2.0.x. During the 2.1.x cycle, there will be only bug fixes and optimizations. Big feature/structure changes occur only during major release changes (for example, from 2.1.x to 2.2.0). It is planned that 2.1.0 becomes the official stable version sometime in June 2005.

Some work has also begun on 2.2.0. At the moment there are 2 major items on that list:

1. based on DazukoFS
Before 2.2.0 Dazuko is based on the system call table. Although effective, this implementation is frowned upon by many security experts. Dazuko is "hooking" the system call table to hijack events. For 2.2.0 Dazuko will be moved deeper into the kernel (to the VFS layer). There it will work as a stackable filesystem. This guarantees that Dazuko can capture all events and also is the preferred method recommended by security experts. However, this is a big change, which will cause the "meaning" of events to change slightly. It will also mean that an administrator must use a completely different procedure for setting up Dazuko (mounting a stackable filesystem). The Dazuko-based applications themselves will not need to be changed. (A stackable filesystem should also allow Dazuko to work together with SELinux or AppArmor without any issues.)

2. fine-grained masking
Before 2.2.0 applications could use include/exclude paths and an access mask to define what type of events they are interested in. For 2.2.0 it is planned to actually use the dazuko_event object itself to define interesting events. This would allow an application to specify things like: "I am interested in open events, from user 1004, in directory /home/user, that are owned by user 0". It is still being decided if regular expressions and number ranges are going to be permitted.

Because of these major changes, prereleases for 2.2.0 should start showing up really early (sometime in June 2005). A stable version is planned for February 2006 (although this date might be a bit optimistic).

There are other items that are planned, but they are of much less significance and will probably show up sometime during the 2.1.x releases. Right now most of the efforts are going into getting 2.1.0 finished. At that point it will be easier to define a clearer roadmap for 2.1.x and 2.2.0.

John Ogness

P.S. I have CC'd this to dazuko-devel because it contains a lot of information that I am sure is interesting to the Dazuko development community.

Dazuko Maintainer
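As an added illustration (not Dazuko's code and not part of the mail above), here is a small Python model of the two masking styles the roadmap contrasts: the 2.1.0 per-group include/exclude paths plus access mask, and the planned 2.2.0 field-based rule built from the mail's own "open events, from user 1004, in /home/user, owned by user 0" example, run over constructed events. The Event fields, the mask constants and the set/range rule syntax are assumptions, not Dazuko's real interface.

```python
from dataclasses import dataclass

# Hypothetical access-mask bits; the real Dazuko constants are not on the page.
DAZUKO_ON_OPEN, DAZUKO_ON_CLOSE, DAZUKO_ON_EXEC = 1, 2, 4
EVENT_BITS = {"open": DAZUKO_ON_OPEN, "close": DAZUKO_ON_CLOSE, "exec": DAZUKO_ON_EXEC}

@dataclass(frozen=True)
class Event:  # assumed fields, loosely modelled on the dazuko_event object the mail names
    kind: str      # "open", "close" or "exec"
    path: str
    uid: int       # user performing the access
    file_uid: int  # owner of the accessed file

def _under(path, prefix):
    # path equals prefix or lies below it on a directory boundary
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def group_matches(event, access_mask, include, exclude):
    """2.1.0-style group config: access mask plus include/exclude paths; excludes win."""
    if not EVENT_BITS[event.kind] & access_mask:
        return False
    if any(_under(event.path, p) for p in exclude):
        return False
    return any(_under(event.path, p) for p in include)

def rule_matches(event, rule):
    """Planned 2.2.0-style mask: every rule field must match (set = membership, tuple = range; assumed)."""
    for field, want in rule.items():
        have = getattr(event, field)
        if field == "path":
            ok = _under(have, want)
        elif isinstance(want, tuple):
            ok = want[0] <= have <= want[1]
        elif isinstance(want, (set, frozenset)):
            ok = have in want
        else:
            ok = have == want
        if not ok:
            return False
    return True

# Constructed sample events (not real traffic)
EVENTS = [Event("open", "/home/user/notes.txt", 1004, 0),
          Event("open", "/home/user/.cache/x", 1004, 1004),
          Event("exec", "/home/user/bin/tool", 1004, 0),
          Event("open", "/tmp/scratch", 1004, 0)]
# The mail's own example: open events, from user 1004, in /home/user, owned by user 0
MAIL_RULE = {"kind": "open", "uid": 1004, "path": "/home/user", "file_uid": 0}

def demo():
    coarse = [e.path for e in EVENTS if group_matches(e, DAZUKO_ON_OPEN | DAZUKO_ON_EXEC, ["/home/user"], ["/home/user/.cache"])]
    fine = [e.path for e in EVENTS if rule_matches(e, MAIL_RULE)]
    return coarse, fine
```

The coarse configuration still delivers the exec and every root-owned open under /home/user to the scanner, while the field rule narrows that to the one event the mail describes.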
