From abdc2ff2589260a06fd81877cd99b78ba5a0b980 Mon Sep 17 00:00:00 2001 From: fedir Date: Sat, 12 Apr 2025 18:00:01 +0200 Subject: [PATCH] Added the usage instructions --- approach.tex | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/approach.tex b/approach.tex index b464d59..138ef17 100644 --- a/approach.tex +++ b/approach.tex 
@@ -14,6 +14,20 @@ At the same time, it allows for broader, more general rules, which helps to redu It is backwards compatible: ICFS overrides the regular system call interface using FUSE framework, which means that any software that wishes to use the files ICFS protects has to respect it's policies. Its interactivity combined with the ability to only grant permissions for the lifetime of a specific process makes proxy attacks very difficult to go unnoticed. +\section{Usage} + +To use ICFS, the user only needs to select a directory that they wish to protect, and run: + +\begin{minted}{bash} + icfs path/to/directory +\end{minted} + +Upon running this command, ICFS will be mounted over the chosen directory, and access to every file in it will from now on be controlled by ICFS. + +Although it has the words ``File System`` in the name, ICFS is not an alternative to real filesystems like ext4 or btrfs. Instead, it is a \emph{filesystem layer}, that sits in between the actual on-disk filesystem and the virtual file system presented to the processes. It acts as an intermediary that intercepts the filesystem calls and enforces it's own logic. The exact details of the implementation of such mechanism will be discussed in the \autoref{impl:fuse}. + +What is important for this section however, is that from the standpoint of the user processes it looks just like the underlying filesystem would. Processes would just see the same folder that once was in ICFS's place. + \section{Access Control Model} As promised, the access control model of ICFS is trivially simple. It features processes as it's subjects, and files as objects. Whenever a process attempts to open, remove or change the access mode of an existing file and no previous decisions were made regarding process's access to the file, window with a dialogue is displayed with three options:
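Review bot: In the added Usage section, ``File System`` closes the quotation with two backticks, which LaTeX typesets as a second opening quote; close it with two apostrophes (``File System''). In the same paragraph, "enforces it's own logic" should read "its own logic", and "in the \autoref{impl:fuse}" should drop "the", because \autoref already prints the reference name before the number. The sentence "access to every file in it will from now on be controlled by ICFS" is a strong claim for usage documentation: consider stating how the mount is removed and whether files that a process already had open before ICFS was mounted fall under its control.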