Sun, 03 Aug 2008
Continuing crazy security ideas.
Implement an LSM module which 'guards' some configured directory, so that every read/write/lookup/readdir of any object in there requires cryptographically strong authentication; otherwise an empty dir (or some other 'old' content) is shown. The applications from the previous round are the ones capable of communicating with this system, and thus capable of reading and writing the directory content.
There is a problem with the case when this filesystem is read on a system which does not have that magic LSM module to authenticate the reading. We do not want to produce garbage directory content in this case; instead an empty dir should be returned. This can be achieved by keeping the links to the actual encrypted directory content not in the parent dir (where they could be read as garbage without the security module), but in some other place (like extended attributes), which can be decrypted by the security module only.
In this case, reading the directory without the security module results in empty content, since every read and write to the directory made through the security module updates the special extended attribute and not the actual directory inode. The new inodes still exist in the FS and contain valid data (everything is just encrypted), but they are linked to the inode hidden in the extended attributes instead of the actual directory inode. The security module redirects directory operations to that hidden object instead of the visible one. This approach should work fine with all underlying filesystems, since extended attribute management has generic helpers with appropriate callbacks into the FS code.
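A small in-memory model of the design above, added here as an illustration and not code from the original post: inodes and xattrs are plain dicts, the xattr name is a made-up placeholder, and a SHA-256 counter-mode keystream plus HMAC-SHA256 stands in for a real authenticated cipher. A reader without the key (no LSM) or with a key that fails authentication gets the empty visible listing, while a reader with the right key has lookup and readdir redirected to the sealed index.

```python
import hashlib, hmac, json, os

INDEX_XATTR = "security.guard.index"  # hypothetical xattr name, not from the page

def _keystream(key, nonce, n):
    # SHA-256 counter-mode keystream; illustration only, real code would use AES-GCM
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    # encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # returns plaintext, or None when the tag does not verify (wrong key or tampering)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class GuardedDir:
    # Inodes live in the ordinary FS; the parent directory's own entry list stays
    # empty, and the real name -> inode map is kept sealed in an extended attribute.
    def __init__(self):
        self.inodes = {}   # inode number -> content, present for any kernel to see
        self.xattrs = {}   # xattr name -> sealed blob: the hidden directory object
        self._next_ino = 2
    def _index(self, key):
        blob = self.xattrs.get(INDEX_XATTR)
        pt = unseal(key, blob) if blob is not None else b"{}"
        return json.loads(pt) if pt is not None else {}  # auth failure -> empty dir
    def create(self, key, name, data):
        # a write made through the LSM: new inode, linked only inside the sealed index
        index = self._index(key)
        ino, self._next_ino = self._next_ino, self._next_ino + 1
        self.inodes[ino] = data
        index[name] = ino
        self.xattrs[INDEX_XATTR] = seal(key, json.dumps(index).encode())
        return ino
    def readdir(self, key=None):
        # no LSM (no key): the parent's real entry list is read, and it is empty
        return [] if key is None else sorted(self._index(key))
    def read(self, key, name):
        ino = self._index(key).get(name)
        return None if ino is None else self.inodes[ino]
```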
Need to think, although updated security ideas TODO entry...
/devel/other