Python tools

Common default options:

  -h --help             Shows help!
  -v --version          Shows RSBAC_NR (Version 1.3.0pre eg)
  -V                    Specify old version to upgrade things from. (like acl_grant, etc)
  -T --transaction ta   Specify a transaction number to operate on (can also use env var RSBAC_TA)
  -d --device           Specify which device to use (major:minor) (FIXME Do we really need it ?)
  -R --recursive        Does the action recursively

Tools to set, get, or modify attributes on objects.

MODULES:

MODULES are always one of GEN, MAC, PM, FF, RC, DAZ, PAX, AUTH. (UM ?)

We need a dictionary that can output ordered lists of MODULES so the user knows wtf he's doing there. This list should be generated from the bindings if possible. Check /proc/rsbac-info/active to see whether a MODULE is available in the running kernel before displaying it; otherwise mark it disabled:

Modules supported by this kernel:
AUTH
RC
Modules not supported by this kernel:
MAC
..

TARGETS:

TARGETS are target-types, usually one of FILE, DIR, FIFO, SYMLINK, DEV (FIXME can't we always use FD autoselect ?) or… USER, GROUP, PROCESS or… NETDEV, NETTEMP, NETOBJ or… IPC

We need a dictionary that can output ordered lists of TARGETS for the user to know wtf he's doing there. This list should be generated from the bindings if possible.

Targets list:
FILE, DIR, FIFO, SYMLINK, DEV
USER, GROUP, PROCESS
...

ATTRIBUTES:

ATTRIBUTES are usually A_log_array_low, A_rc_type, A_auth_may_setuid, A_… (see types.h). Of course the bindings drop the “A_” prefix and just ask for the value, like “auth_may_setuid 1”.

We need a dictionary that can output ordered lists of ATTRIBUTES so the user knows wtf he's doing there. This list should be generated from the bindings if possible.

Attributes list:
auth_may_setuid
auth_may_setcap
rc_type
rc_..
...

OPTIONS: OPTIONS are switches. They include the default common options above, and also:

  -a --add           Adds something ?
  -r --remove        Remove something ?
  -s --set           Set something ?
  -t --ttl           TTL if supported:
                       -t +300       (relative, for 300 seconds)
                       -t +02:20     (relative, until 2h 20min later)
                       -t 02:20      (absolute, today at 02:20)
                       -t +15:02:20  (relative, in 15 days 2h 20min)
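As an added example (not code from the RSBAC project or from this page), here is a parser for the four -t/--ttl spellings listed above; `parse_ttl`, its `now` parameter and `EXAMPLE_NOW` are assumed names, and the parser rejects an absolute time that has already passed rather than handing the kernel a zero or negative TTL.

```python
"""Parse the -t/--ttl option formats listed above into a TTL in whole seconds."""
import re
from datetime import datetime, timedelta
from typing import Optional

# Shapes accepted: "+300" (seconds), "+HH:MM", "+DD:HH:MM" (relative), "HH:MM" (today, absolute)
_SECONDS = re.compile(r"^\+(\d+)$")
_CLOCK = re.compile(r"^(\+?)(?:(\d+):)?(\d{1,2}):(\d{2})$")

# Constructed reference time for the demo below (the page's last-modified date, 01:00)
EXAMPLE_NOW = datetime(2006, 7, 1, 1, 0, 0)


def parse_ttl(spec: str, now: Optional[datetime] = None) -> int:
    """Return the seconds from `now` (default: current local time) until the TTL expires.

    Raises ValueError on malformed input and on an absolute time that has already passed,
    so the caller never sets an attribute with a zero or negative TTL without noticing.
    """
    now = now or datetime.now()
    spec = spec.strip()

    m = _SECONDS.match(spec)
    if m:                                   # "+300": plain relative seconds
        seconds = int(m.group(1))
    else:
        m = _CLOCK.match(spec)
        if not m:
            raise ValueError(f"unrecognised TTL spec: {spec!r}")
        plus, days, hours, minutes = m.groups()
        hours, minutes = int(hours), int(minutes)
        if minutes > 59:
            raise ValueError(f"minutes out of range in TTL spec: {spec!r}")
        if plus:                            # "+HH:MM" or "+DD:HH:MM": relative offset
            delta = timedelta(days=int(days or 0), hours=hours, minutes=minutes)
            seconds = int(delta.total_seconds())
        else:                               # "HH:MM": absolute, today at that clock time
            if days is not None:
                raise ValueError(f"absolute TTL takes only HH:MM: {spec!r}")
            target = now.replace(hour=hours, minute=minutes, second=0, microsecond=0)
            seconds = int((target - now).total_seconds())
    if seconds <= 0:
        raise ValueError(f"TTL {spec!r} does not lie in the future")
    return seconds


if __name__ == "__main__":
    for spec in ("+300", "+02:20", "02:20", "+15:02:20"):
        print(f"{spec:>10} -> {parse_ttl(spec, EXAMPLE_NOW)} s")
```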

Tool list

  • attr_mod MODULE [OPTIONS] OBJECT TARGET ATTRIBUTE value

e.g.: set a file attribute: attr_util AUTH -s /bin/login FD auth_may_setuid 1

e.g.: view log attribute for user: attr_util GEN root USER log_user_based

e.g.: set log attribute for user: attr_util GEN -s root USER log_user_based SEARCH 1

e.g.: change PaX flags: attr_util PAX -Rs /opt FD PMeRxS

"policy" tool

  • Able to restore policy from simple config files
  • Able to include per package config files as well, in a compatible manner with above
  • Able to read the policy by different means (plugins), like flat files, xml, …
  • Able to simplify per package configurations to inherited global settings in some clever way:
      ==>> /usr/bin inheritance, class executable
      ==>> /etc/ inheritance, class config
      /usr/bin/chess <= class executable, not applied (inherited from /usr/bin)
      /etc/chess.conf <= class config, not applied (inherited from /etc/)
      /usr/bin/ping <= class executable+net ==> only class net applied
  • Able to load per path and per package (eg policy /proc at mount)

Policy representation:

  • Needs to be concise (clear, precise)
  • Easy for the user (not a list of rules only)
  • Logical to maintain (per module ? what if some modules are on and others off ?)
  • Support classes (executables, scripts, libraries, …)
team/kang/python/tools.txt · Last modified: 2006/07/01 17:44 by kang