Comment 0 for bug 857827

Jason Gerard DeRose (jderose) wrote :

The FileStore layout was designed with name-based mandatory access control in mind. As all the Novacut components are heavily network-enabled (which is what makes them interesting), we need to really think about security at every layer in our component stack.

But we also want a great user experience, of course. The nice thing about the FileStore layout is that it gives us a predictable pattern for the file names that an app needs to access, so we can use very tight containment here, but without interfering with the user experience.

Files in .dmedia/files/*/* are read-only, and so anything using FileStore needs to at least be able to read from there, something like this:

# FileStore in user's home directory:
owner /home/*/.dmedia/files/*/* r,

# Shared FileStore in /home:
/home/.dmedia/files/*/* r,

# FileStore on removable drives:
/media/*/.dmedia/files/*/* r,

# Partition mount points dedicated just to a FileStore (need to consult FHS on location):
/var/lib/dmedia/*/.dmedia/files/*/* r,

# Does this work in AppArmor? Perhaps too loose?
**/.dmedia/files/*/* r,

The above should be all that's needed by a read-only app (FileStore-wise) like the novacut player. Because many apps only need read-only access to the FileStore (remember, dmedia does the downloading for them), the common abstraction should only include permissions needed for read-only use.

In terms of writing files, those happen in two directories:

**/.dmedia/tmp/* rw,
**/.dmedia/partial/* rw,

Once a file is written and the content hash computed (or verified), the file is renamed into its canonical location in .dmedia/files/*/*. I'm not sure if AppArmor has a permission for "renaming into" separate from "writing", so that an app could rename a file into .dmedia/files/*/*, but only read files already in .dmedia/files/*/*.

Probably the easiest way to explore the FileStore layout is to create a FileStore in a temporary directory, which you can do like this:

jderose@jgd-test:~$ python3
Python 3.2.2 (default, Sep 5 2011, 21:17:14)
[GCC 4.6.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import tempfile
>>> tmpdir = tempfile.mkdtemp()
>>> from filestore import FileStore
>>> fs = FileStore(tmpdir)
>>> fs.parentdir
'/tmp/tmp1vmne7'
>>> fs.basedir
'/tmp/tmp1vmne7/.dmedia'

And then browse the files in /tmp/tmp1vmne7/.dmedia
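Added example, not code from the filestore/dmedia project or from the comment above: a minimal stand-in for the write path described in the comment (write into .dmedia/partial, hash, rename into .dmedia/files/*/*, verify a canonical file against its path), plus a small matcher that applies the AppArmor-style globs listed in the comment to sample paths so you can see which rule each path would hit. Assumptions: sha256 and a 2-character/remainder split of the hex digest stand in for dmedia's real content hash and directory split (only the layout matters here); the matcher implements the documented AppArmor glob semantics ('*' stays within one path component, '**' may cross '/') and ignores the 'owner' qualifier; rename-into-files/ is done with a plain os.rename, which says nothing about whether AppArmor can distinguish that from write access.

```python
"""Added example (not filestore/dmedia project code): a FileStore-style layout
and an AppArmor-style glob matcher for the rules quoted in the comment."""
import hashlib
import os
import re
import tempfile

# Assumption: sha256 + a 2-char/rest split stand in for dmedia's real hash/split.
def canonical_path(parentdir, digest):
    return os.path.join(parentdir, ".dmedia", "files", digest[:2], digest[2:])

def init_layout(parentdir):
    for sub in ("files", "partial", "tmp"):
        os.makedirs(os.path.join(parentdir, ".dmedia", sub), exist_ok=True)

def import_file(parentdir, data, name):
    """Write into .dmedia/partial/, hash, then rename into .dmedia/files/*/*."""
    partial = os.path.join(parentdir, ".dmedia", "partial", name)
    with open(partial, "wb") as f:
        f.write(data)
    digest = hashlib.sha256(data).hexdigest()
    dest = canonical_path(parentdir, digest)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    os.chmod(partial, 0o444)   # canonical files are read-only
    os.rename(partial, dest)   # atomic move; no second copy of the data
    return dest

def verify_file(path):
    """Recompute the hash of a canonical file and compare it to its path."""
    head, rest = os.path.split(path)
    prefix = os.path.basename(head)
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() == prefix + rest

def apparmor_glob_to_regex(glob):
    """'*' matches within one component, '**' may cross '/' (AppArmor semantics)."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

# The rules from the comment (the 'owner' qualifier is ignored by this matcher).
RULES = [
    ("owner /home/*/.dmedia/files/*/*", "r"),
    ("/home/.dmedia/files/*/*", "r"),
    ("/media/*/.dmedia/files/*/*", "r"),
    ("/var/lib/dmedia/*/.dmedia/files/*/*", "r"),
    ("**/.dmedia/tmp/*", "rw"),
    ("**/.dmedia/partial/*", "rw"),
]

def allowed_modes(path, rules=RULES):
    """Union of access modes granted to `path` by the matching rules."""
    modes = set()
    for rule, mode in rules:
        pattern = rule.split()[-1]
        if apparmor_glob_to_regex(pattern).match(path):
            modes.update(mode)
    return modes

def demo():
    """Round-trip a constructed file through the layout; returns check results."""
    parentdir = tempfile.mkdtemp()
    init_layout(parentdir)
    dest = import_file(parentdir, b"constructed sample clip bytes", "clip.mov")
    partial = os.path.join(parentdir, ".dmedia", "partial", "clip.mov")
    # A file at a canonical-looking path whose content does not match its name.
    bogus_dir = os.path.join(parentdir, ".dmedia", "files", "00")
    os.makedirs(bogus_dir, exist_ok=True)
    bogus = os.path.join(bogus_dir, "ff" * 31)
    with open(bogus, "wb") as f:
        f.write(b"tampered")
    return {
        "in_files_dir": dest.startswith(os.path.join(parentdir, ".dmedia", "files")),
        "verified": verify_file(dest),
        "partial_gone": not os.path.exists(partial),
        "bogus_verified": verify_file(bogus),
        "read_only": (os.stat(dest).st_mode & 0o222) == 0,
    }

if __name__ == "__main__":
    print(demo())
    for p in ("/home/alice/.dmedia/files/ab/cdef", "/home/alice/.dmedia/partial/x",
              "/home/alice/.dmedia/files/ab/cd/ef", "/srv/x/.dmedia/files/ab/cdef"):
        print(p, sorted(allowed_modes(p)))
```

Running it shows the read-only rules grant only "r" under .dmedia/files/*/*, the tmp/ and partial/ rules grant "rw", a path one level too deep matches nothing, and the bogus file at a canonical-looking path fails verification. Adding the loose `**/.dmedia/files/*/*` rule to RULES makes `/srv/x/.dmedia/files/ab/cdef` match too, which is the "too loose?" question from the comment made concrete.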