Title : Firewall Builder Compiler Manifest File Author : Vadim Zaliva Revision: 1.1 Status : Proposal ================================================== Rationale --------- Firewall builder allows users to develop their own policy compilers and installation scripts. Compilers and installation scripts are developed by different people. Same policy compiler might have many installation scripts and same installation script might be used with different policy compilers. Manifest file provides a way for install script to tell what files are produced by policy compiler. Also, this manifest file will be used to transmit files to remote machine and to install them there using remote install script. Requirements ------------- All policy compilers compatible with FirewallBuilder must support '-m' option followed by file name. Upon successful policy compiler execution this file must contain "manifest" data in format described in this document. If file happen to exist, it must be overwritten. All policy compilers compatible with FirewallBuilder must support '-m' option followed by file name. This file will contain infromation produced by compiler in "manifest" format. Format ------- File is ASCII text with character 0x0A used as line delimiter. Each line consists of following fields delimited by spaces: 0. Action 1. Filename 2. Action-specific parameters Action tells compiler how file could be installed. There is no strict list actions. Policy compiler and install script developers could add new actions, as long as it supported by compiler and install script both. File name is name of the file generated by compiler. It could be configuration file, shell script, etc. Action arguments contain information passed to action. Their format is not specified, except the fact that it can contain macros, in shell like format. Install script will resolve these macros to values prior to processing action. Example of manifest file: SH policy.fw 0 COPY hosts ${ETC}/hosts 255 ${ETC}/hosts.bak Actions ------- Here are some basic actions: 1. COPY Parameters: destination, permissions, backup_file_name 2. RUN Parameters: uid 3. RUN_CHROOT Parameters: uid, root Macros: ------- Here are few basic macros: 1. ETC - location of system /etc directory 2. TMP - location of system temporary directory 3. FQHN - host name with domain Implementation: --------------- Each action is implemented as shell script or executable command localted in special directory. Only commands located in this directory are executed. User can write new commands and add them to the directory. It is responsibility of each command to enfores security restrictions. For example implementation of COPY command might have configuration file which specify what files and directories it is allowed to write to and what files permissions should be.