[Dazuko-devel] Re: Future of dazuko..

[John Ogness]

Jinu Mathew Joy wrote:
> Basically we want to have a peep at Dazuko's roadmap and there is no
> better person to answer this than you!

Hi,

The 2.1.0 version of Dazuko is currently as pre-release available. This new 
version has many dramatic changes to Dazuko over the 2.0.x version. Some of 
these include:

1. added abstraction layer to the userspace side
This makes it possible to port Dazuko to many other platforms (such as DOS 
and Windows).

2. no longer uses an internal list of "open files"
This takes care of all reported memory leak issues, increases speed, and 
increases event reliability. The internal list was used to be able to 
correctly identify "close" events. But a much more accurate and efficient 
method has been implemented for 2.1.0.

3. new "Trusted Application Framework"
This allows non-registered applications to be trusted by the Dazuko system. 
This is particularly useful for anti-virus scanners, where the scanning 
process is not the same process/thread as the registered process.

4. allowing "exec" events without causing kernel re-entrance
Before 2.1.0 if a registered application called an exec(), this caused an 
EXEC event to be generated and sent to the registered process. This 
"recursive" event could cause problems with applications not aware of this. 
With 2.1.0 the event is not generated for that application's group (it is 
still generated for the other groups). Applications no longer have to be 
afraid of calling functions that generated events (that they must handle).

5. separate configuration for each group
Before 2.1.0 all registered applications shared the same set of 
include/exclude paths and access mask. With 2.1.0 each group has their own 
set of configurations.

6. caching interface available
2.1.0 extends the interface to support systems that cache events (to reduce 
context switches). Currently only RSBAC systems support this feature.

7. 32/64-bit compatibility
2.1.0 will be able to support 64-bit kernels talking to 32-bit applications.


As you can see, 2.1.0 offers many significant changes over 2.0.x. During the 
2.1.x cycle, there will be only bug fixes and optimizations. Big 
feature/structure changes occur only during major release changes (for 
example, from 2.1.x to 2.2.0). It is planned that 2.1.0 becomes the official 
stable version sometime in June 2005.


Some work has also begun on 2.2.0. At the moment there are 2 major items on 
that list:

1. based on DazukoFS
Before 2.2.0 Dazuko is based on the system call table. Although effective, 
this implementation is frowned upon by many security experts. Dazuko is 
"hooking" the system call table to hijack events. For 2.2.0 Dazuko will be 
moved deeper into the kernel (to the VFS layer). There it will work as a 
stackable filesystem. This guarentees that Dazuko can capture all events and 
also is the preferred method recommended by security experts. However, this 
is a big change, which will cause the "meaning" of events to change 
slightly. It will also mean that an administrator must use a completely 
different procedure for setting up Dazuko (mounting a stackable filesystem). 
The Dazuko-based applications themselves will not need be changed. (A 
stackable filesytem should also allow Dazuko to work together with SELinux 
or AppArmor without any issues.)

2. fine-grained masking
Before 2.2.0 applications could use include/exclude paths and an access mask 
to define what type of events they are interested in. For 2.2.0 it is 
planned to actually user the dazuko_event object itself to define 
interesting events. This would allow an application to specify things like: 
"I am interested in open events, from user 1004, in directory /home/user, 
that are owned by user 0". It is still being decided if regular expressions 
and number ranges are going to be permitted.


Because of these major changes, preleases for 2.2.0 should start showing up 
really early (sometime in June 2005). A stable version is planned for 
February 2006 (although this date might be a bit optimistic).

There are other items that are planned, but they are of much less 
significance and will probably show up sometime during the 2.1.x releases. 
Right now most of the efforts are going into getting 2.1.0 finished. At that 
point it will be easier to define a clearer roadmap for 2.1.x and 2.2.0.

John Ogness

P.S. I have CC'd this to dazuko-devel because it contains a lot of 
information that I am sure is interesting to the Dazuko development community.

--
Dazuko Maintainer