| 2011-09-23 22:18:40 |
Jason Gerard DeRose |
description |
The FileStore layout was designed with named-based mandatory access control in mind. As all the Novacut components are heavily network-enabled (which is what makes them interesting), we need to really think about security at every layer in our component stack.
But we also want a great user experience, of course. The nice thing about the FileStore layout is gives as a predictable pattern for the file names that an app needs to access, so we can use very tight-containment here, but without interfering with the user experience.
Files in .dmedia/files/*/* are read-only, and so anything using FileStore needs to at least be able to read from there, something like this:
# FileStore in user's home directory:
owner /home/*/.dmedia/files/*/* r,
# Shared FileStore in /home:
/home/.dmedia/files/*/* r,
# FileStore on removable drives:
/media/*/.dmedia/files/*/* r,
# Partition mount points dedicated just to a FileStore (need to consult FSH on location):
/var/lib/dmedia/*/.dmedia/files/*/* r,
# Does this work in AppAprmor? Perhaps too loose?
**/.dmedia/files/*/* r,
The above should be all that's needed by a read-only app (FileStore-wise) like the novacut player. Because many apps only need read-only access to the FileStore (remember, dmedia does the downloading for them), the common abstraction should only include permissions needed for read-only use.
In terms of writing files, those happen in two directories:
**/.dmedia/tmp/* rw,
**/.dmedia/partial/* rw,
Once a file is written and the content hash computed (or verified), the file is renamed into it's canonical location in .dmedia/files/*/*. I'm not sure if AppArmor has a permsion for "renaming into" separate from "writing", so that an app could rename a file into .dmedia/files/*/*, but only read files already in .dmedia/files/*/*.
Probably the easiest way to explore the FileStore layout is to create a FileStore in a temporary directory, which you can do like this:
jderose@jgd-test:~$ python3
Python 3.2.2 (default, Sep 5 2011, 21:17:14)
[GCC 4.6.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import tempfile
>>> tmpdir = tempfile.mkdtemp()
>>> from filestore import FileStore
>>> fs = FileStore(tmpdir)
>>> fs.parentdir
'/tmp/tmp1vmne7'
>>> fs.basedir
'/tmp/tmp1vmne7/.dmedia'
And then browse the files in /tmp/tmp1vmne7/.dmedia |
The FileStore layout was designed with named-based mandatory access control in mind. As all the Novacut components are heavily network-enabled (which is what makes them interesting), we need to really think about security at every layer in our component stack.
But we also want a great user experience, of course. The nice thing about the FileStore layout is gives us a predictable pattern for the file names that an app needs to access, so we can use very tight-containment here, but without interfering with the user experience.
Files in .dmedia/files/*/* are read-only, and so anything using FileStore needs to at least be able to read from there, something like this:
# FileStore in user's home directory:
owner /home/*/.dmedia/files/*/* r,
# Shared FileStore in /home:
/home/.dmedia/files/*/* r,
# FileStore on removable drives:
/media/*/.dmedia/files/*/* r,
# Partition mount points dedicated just to a FileStore (need to consult FSH on location):
/var/lib/dmedia/*/.dmedia/files/*/* r,
# Does this work in AppAprmor? Perhaps too loose?
**/.dmedia/files/*/* r,
The above should be all that's needed by a read-only app (FileStore-wise) like the novacut player. Because many apps only need read-only access to the FileStore (remember, dmedia does the downloading for them), the common abstraction should only include permissions needed for read-only use.
In terms of writing files, those happen in two directories:
**/.dmedia/tmp/* rw,
**/.dmedia/partial/* rw,
Once a file is written and the content hash computed (or verified), the file is renamed into it's canonical location in .dmedia/files/*/*. I'm not sure if AppArmor has a permsion for "renaming into" separate from "writing", so that an app could rename a file into .dmedia/files/*/*, but only read files already in .dmedia/files/*/*.
Probably the easiest way to explore the FileStore layout is to create a FileStore in a temporary directory, which you can do like this:
jderose@jgd-test:~$ python3
Python 3.2.2 (default, Sep 5 2011, 21:17:14)
[GCC 4.6.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import tempfile
>>> tmpdir = tempfile.mkdtemp()
>>> from filestore import FileStore
>>> fs = FileStore(tmpdir)
>>> fs.parentdir
'/tmp/tmp1vmne7'
>>> fs.basedir
'/tmp/tmp1vmne7/.dmedia'
And then browse the files in /tmp/tmp1vmne7/.dmedia |
|
| 2011-09-23 22:25:39 |
Jason Gerard DeRose |
description |
The FileStore layout was designed with named-based mandatory access control in mind. As all the Novacut components are heavily network-enabled (which is what makes them interesting), we need to really think about security at every layer in our component stack.
But we also want a great user experience, of course. The nice thing about the FileStore layout is gives us a predictable pattern for the file names that an app needs to access, so we can use very tight-containment here, but without interfering with the user experience.
Files in .dmedia/files/*/* are read-only, and so anything using FileStore needs to at least be able to read from there, something like this:
# FileStore in user's home directory:
owner /home/*/.dmedia/files/*/* r,
# Shared FileStore in /home:
/home/.dmedia/files/*/* r,
# FileStore on removable drives:
/media/*/.dmedia/files/*/* r,
# Partition mount points dedicated just to a FileStore (need to consult FSH on location):
/var/lib/dmedia/*/.dmedia/files/*/* r,
# Does this work in AppAprmor? Perhaps too loose?
**/.dmedia/files/*/* r,
The above should be all that's needed by a read-only app (FileStore-wise) like the novacut player. Because many apps only need read-only access to the FileStore (remember, dmedia does the downloading for them), the common abstraction should only include permissions needed for read-only use.
In terms of writing files, those happen in two directories:
**/.dmedia/tmp/* rw,
**/.dmedia/partial/* rw,
Once a file is written and the content hash computed (or verified), the file is renamed into it's canonical location in .dmedia/files/*/*. I'm not sure if AppArmor has a permsion for "renaming into" separate from "writing", so that an app could rename a file into .dmedia/files/*/*, but only read files already in .dmedia/files/*/*.
Probably the easiest way to explore the FileStore layout is to create a FileStore in a temporary directory, which you can do like this:
jderose@jgd-test:~$ python3
Python 3.2.2 (default, Sep 5 2011, 21:17:14)
[GCC 4.6.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import tempfile
>>> tmpdir = tempfile.mkdtemp()
>>> from filestore import FileStore
>>> fs = FileStore(tmpdir)
>>> fs.parentdir
'/tmp/tmp1vmne7'
>>> fs.basedir
'/tmp/tmp1vmne7/.dmedia'
And then browse the files in /tmp/tmp1vmne7/.dmedia |
The FileStore layout was designed with named-based mandatory access control in mind. As all the Novacut components are heavily network-enabled (which is what makes them interesting), we need to really think about security at every layer in our component stack.
But we also want a great user experience, of course. The nice thing about the FileStore layout is it gives us a predictable pattern for the file names that an app needs to access, so we can use very tight-containment here, but without interfering with the user experience.
Files in .dmedia/files/*/* are read-only, and so anything using FileStore needs to at least be able to read from there, something like this:
# FileStore in user's home directory:
owner /home/*/.dmedia/files/*/* r,
# Shared FileStore in /home:
/home/.dmedia/files/*/* r,
# FileStore on removable drives:
/media/*/.dmedia/files/*/* r,
# Partition mount points dedicated just to a FileStore (need to consult FSH on location):
/var/lib/dmedia/*/.dmedia/files/*/* r,
# Does this work in AppAprmor? Perhaps too loose?
**/.dmedia/files/*/* r,
The above should be all that's needed by a read-only app (FileStore-wise) like the novacut player. Because many apps only need read-only access to the FileStore (remember, dmedia does the downloading for them), the common abstraction should only include permissions needed for read-only use.
In terms of writing files, those happen in two directories:
**/.dmedia/tmp/* rw,
**/.dmedia/partial/* rw,
Once a file is written and the content hash computed (or verified), the file is renamed into it's canonical location in .dmedia/files/*/*. I'm not sure if AppArmor has a permsion for "renaming into" separate from "writing", so that an app could rename a file into .dmedia/files/*/*, but only read files already in .dmedia/files/*/*.
Probably the easiest way to explore the FileStore layout is to create a FileStore in a temporary directory, which you can do like this:
jderose@jgd-test:~$ python3
Python 3.2.2 (default, Sep 5 2011, 21:17:14)
[GCC 4.6.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import tempfile
>>> tmpdir = tempfile.mkdtemp()
>>> from filestore import FileStore
>>> fs = FileStore(tmpdir)
>>> fs.parentdir
'/tmp/tmp1vmne7'
>>> fs.basedir
'/tmp/tmp1vmne7/.dmedia'
And then browse the files in /tmp/tmp1vmne7/.dmedia |
|
