tag:blogger.com,1999:blog-3822757291061444396.post4110564972362665274..comments2024-02-27T03:14:00.412-06:00Comments on From the Canyon Edge: Gazzang the Thang: Big DataDustin Kirklandhttp://www.blogger.com/profile/12464590128908584782noreply@blogger.comBlogger4125tag:blogger.com,1999:blog-3822757291061444396.post-53166021682957203882012-03-19T13:50:47.931-05:002012-03-19T13:50:47.931-05:00Dustin,
I try really really hard not to beat up o...Dustin,<br /><br />I try really really hard not to beat up on technical failings for specific implementations of so I've been reluctant to realy poke at eCryptfs usage scenarios based on my understanding of the security model because of that. But I will say that without a per process based control system I have so far viewed eCryptfs as highly limited in terms of value to security because of the way it exposes mountpoints systemwide. I think the process controls fix this.<br /><br /><br />One question, does the process based control work well with SElinux RBAC and/or MLS? If these technology integrate well together, there's probably a market outside of cloud in the government sector for Gazzang's product.<br /><br />-jefJef Spaletahttps://www.blogger.com/profile/11439754449677675460noreply@blogger.comtag:blogger.com,1999:blog-3822757291061444396.post-6433347028791920222012-03-18T23:11:17.555-05:002012-03-18T23:11:17.555-05:00Hi Jef, great question!
The process based access ...Hi Jef, great question!<br /><br />The process based access control is part of the ezNcryptfs layer, which sits on top of eCryptfs. ezNcryptfs is GPLv2 (like eCryptfs), but builds an out-of-tree DKMS kernel module. And as such, it does run on Fedora, CentOS, and RHEL. I have had conversations with the upstream eCryptfs kernel maintainer, but Gazzang's approach (while technically sound) is not acceptable in the upstream kernel in its current state. It will take some rearchitecting and rewriting -- which is a goal of ours -- though it will take some time.<br /><br />DustinDustin Kirklandhttps://www.blogger.com/profile/12464590128908584782noreply@blogger.comtag:blogger.com,1999:blog-3822757291061444396.post-55619195294430135072012-03-14T03:34:07.008-05:002012-03-14T03:34:07.008-05:00Hey Dustin, this is GREAT! I was following all th...Hey Dustin, this is GREAT! I was following all the links, but couldn't see where to download it, am i being dumb?Dave Walkernoreply@blogger.comtag:blogger.com,1999:blog-3822757291061444396.post-38676541524060727582012-03-13T18:47:15.271-05:002012-03-13T18:47:15.271-05:00I take the process based access control is specifi...I take the process based access control is specific to the Gazzang offering and not something that is going to be driven into the ecryptfs layer as a standard feature?<br /><br />The process based access control is key. I've never really understood the security model of the common ecryptfs usage as a systemwide mountable filesystem that had the same security afforded normal directories once mounted system wide.<br /><br />But a process based control system that limited the decrypted data stream to specific processes that makes much more sense to me as a security model.<br /><br />-jefJef Spaletahttps://www.blogger.com/profile/11439754449677675460noreply@blogger.com