On 02.01.2015 20:43, Jude Nelson wrote:

Hi,

> I should point out, the ACL criteria for matching processes do not all
> have to be specified, specifically for the reason you point out. Using
> the SHA256 to match the process should be a tool of last resort, useful
> only when the executable's path, inode number, and PID listing commands
> are unreliable (for example, a program that runs from an arbitrary
> location but for which no PID listing program can be created).

I dont believe ACLs are a good idea anyways. They introduce yet another
(orthogonal) dimension to the system, so heavily increase management
complexity. For example, it's hard to trace problems that way, if /dev
layout heavily depends on the calling process.

Instead I'd suggest using chroot's / namespaces for isolation.

> As much as I would like to revoke file descriptors, I'm afraid there's
> no way to do this that I know of without the kernel's help (but I'd love
> to learn of one).

I'd rather raise the question whether that's useful at all.
IMHO, there're two main scenarios:

a) remaining processes after logout
   --> should be killed anyways (eg. via cgroups, etc)
b) physical devices should be assigned temporarily to some session, eg.
   when switching VTs.
   --> we need some proxy server for that, which handles the switchover
       gracefully

For most devices, which unprivileged users get access to (eg. audio),
IMHO should be routed via some server anyways - (most) other devices
should only be available to special privileged users (eg. DRI for
Xserver, etc).


cu
--
Enrico Weigelt,
metux IT consulting
+49-151-27565287