## File Name : SPECS
## Project : TBAC
## Licence : Creative Commons - Attribution-Noncommercial 2.5
## Licence-url : http://creativecommons.org/licenses/by-nc/2.5
## Last modified : 11/Jun/2009
#
Timed Based Access Control
==========================
The main purpose of this security model is to illustrate the usage
of the RSBAC[1] Linux framework.
This module provides access control based on time information.
The goal is to formalize legal working hours, and let the "time officer"
grant access to file system objects only during working hours
(e.g. an accountability file for a corporation).
Definitions
===========
"Time officer" means a subject.
"Working hours" means a time period in which access should be granted.
"Spare time" means the opposite of Working hours.
"THE_EPOCH" means the date 1970-01-01 00:00:00 UTC
TBAC FD Attributes
==================
Every time variable below is UNIX time (seconds since THE_EPOCH).
Every hour variable below is in the range [0: 24*3600] (seconds).
tbac_flags: bit field;
    bit 0 : TBAC control if set.
    bit 1 : automatic control if set, custom if not set.
    bit 2 : (if automatic) : working hours if set,
                             spare time if not set.
            (if custom)    : access granted between tbac_min and
                             tbac_max if set,
                             access granted since tbac_min if not
                             set.
    remainder reserved for future use.
tbac_range: struct;
    min : a time;
    max : a time;
Examples of flags for tbac_flags:
    "UNSET"        : [0, 0, 0] = 0x0
        No decision
    "WORKINGHOURS" : [1, 1, 1] = 0x7
        Access granted if the current time matches a working hour
    "SPAREHOUR"    : [1, 1, 0] = 0x6
        Access granted if the current time does not match a working hour
    "RANGE"        : [1, 0, 1] = 0x5
        Access granted if the current time is in [tbac_min, tbac_max]
    "SINCE"        : [1, 0, 0] = 0x4
        Access granted if the current time is later than tbac_min
TBAC Syscall
============
tbac_set_oneshot_holiday(time);
tbac_set_working_hours(morning_hour, evening_hour);
These syscalls only store their parameters statically; the stored
values are used later for decision making.
A time is converted to the first second of its date
(e.g. 1244734957 is converted to 11/Jun/2009).
TBAC default values
===================
A time set to 0 is irrelevant because January 1st 1970 elapsed some
time ago already. Hence it is reused to mean that no time is set.
The default working hours are 8:30 - 19:00.
TBAC Internal Static Attributes
===============================
oneshot_holiday: the first second of the next holiday.
morning_hour: the first second of a working day.
evening_hour: the last second of a working day.
Initial Configuration
=====================
By default, files and directories (FD) have tbac_flags set to 0 (no TBAC).
Secoff is the only user able to use the TBAC related syscalls.
Working Hour Calculation
========================
First, a check is done on the hour.
    If the access time is < morning_hour or > evening_hour then this
    is not a working hour.
Then a check is done on the day.
    If the day isn't in [Monday:Friday], then this is not a
    working hour.
Finally, holidays are handled this way:
    a holiday must be set manually by the admin with the
    tbac_set_oneshot_holiday syscall before the day D.
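
Added example (not part of the TBAC sources): a user-space C model of the
decision described by the flag table and the working hour calculation above.
Assumptions: the mask values are the ones implied by the hex examples; the
names tbac_result, tbac_decide and tbac_is_working_hour are hypothetical, and
the two setters only mirror the described behaviour of the syscalls.

```c
#include <stdint.h>

/* Assumption: masks follow the page's hex examples (0x7, 0x6, 0x5, 0x4),
 * i.e. the list [bit 0, bit 1, bit 2] is read most-significant bit first. */
#define TBAC_CONTROL   0x4u   /* bit 0: TBAC control */
#define TBAC_AUTOMATIC 0x2u   /* bit 1: automatic if set, custom if not */
#define TBAC_SELECT    0x1u   /* bit 2: working hours / [min, max] range */
#define DAY 86400

enum tbac_result { TBAC_NO_DECISION, TBAC_GRANT, TBAC_DENY }; /* hypothetical */

/* Static attributes: page defaults 8:30 - 19:00, holiday 0 = not set. */
static int64_t morning_hour = 8 * 3600 + 30 * 60, evening_hour = 19 * 3600;
static int64_t oneshot_holiday = 0;

void tbac_set_working_hours(int64_t m, int64_t e) { morning_hour = m; evening_hour = e; }
void tbac_set_oneshot_holiday(int64_t t) { oneshot_holiday = t - t % DAY; } /* day start */

int tbac_is_working_hour(int64_t now)
{
    int64_t hour = now % DAY;             /* seconds since 00:00 UTC */
    int64_t wday = (now / DAY + 4) % 7;   /* 0 = Sunday; THE_EPOCH was a Thursday */

    if (hour < morning_hour || hour > evening_hour)
        return 0;                         /* outside the working day */
    if (wday < 1 || wday > 5)
        return 0;                         /* not Monday..Friday */
    return oneshot_holiday == 0 || now - hour != oneshot_holiday;
}

enum tbac_result tbac_decide(unsigned flags, int64_t min, int64_t max, int64_t now)
{
    int ok;
    if (!(flags & TBAC_CONTROL))
        return TBAC_NO_DECISION;          /* "UNSET" */
    if (flags & TBAC_AUTOMATIC)           /* "WORKINGHOURS" or "SPAREHOUR" */
        ok = tbac_is_working_hour(now) == !!(flags & TBAC_SELECT);
    else if (flags & TBAC_SELECT)         /* "RANGE" */
        ok = now >= min && now <= max;
    else                                  /* "SINCE": strictly later than min */
        ok = now > min;
    return ok ? TBAC_GRANT : TBAC_DENY;
}

int main(void)
{
    /* Constructed sample: Thursday 11/Jun/2009 15:42:37 UTC, WORKINGHOURS. */
    return tbac_decide(0x7, 0, 0, 1244734957) == TBAC_GRANT ? 0 : 1;
}
```
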
Food For Thought
================
* Localization is not assumed, i.e. setting local working hours requires
  a correct time translation in userland. REG modules only speak UTC.
* tbac_flags could have more meaning:
    * cron like events,
    * ical formats.
* TBAC could be used to enforce inode time information modification.
* Define a time officer role.
* The working hour definition could be enhanced in many ways:
    * Import an official source of information
      and try to optimize lookup in this database.
    * tbac_set_working_hours per day
    * Dynamic holidays.
    * Allow the admin to set up his own working hour definition
      (e.g. set the last 2 weekends of the year as working days).
Usage examples
==============
* first, the admin does:
    tbac_set_working_hours(9 * 3600, 18 * 3600);
    tbac_set_oneshot_holiday(1272711642);
* a lecture:
    tbac_flags = [ 1, 0, 1 ]
    tbac_min set to the lecture date.
* a marketing event:
    tbac_flags = [ 1, 0, 0 ]
    tbac_min and tbac_max for the sale period.
* a game binary:
    tbac_flags = [ 1, 1, 0 ]
* Stock Market flows:
    tbac_flags = [ 1, 1, 1 ]
    tbac_set_working_hours(market opening, market ending);
Caveats
=======
Because TBAC is a REG module, it does not include:
* transactions
* attribute inheritance
References
==========
[1]: http://www.rsbac.org Ruled Set Based Access Control
Extending Linux Security Beyond the Limits