http://kernsec.org/wiki/api.php?action=feedcontributions&feedformat=atom&user=JarkkoSakkinenLinux Kernel Security Subsystem - User contributions [en]2026-04-09T06:24:08ZUser contributionsMediaWiki 1.36.1http://kernsec.org/wiki/index.php?title=Linux_Kernel_Integrity&diff=3901Linux Kernel Integrity2017-09-15T17:13:30Z<p>JarkkoSakkinen: </p>
<hr />
<div>'''linux-integrity@vger.kernel.org''' is the mailing list for TPM and IMA targeted patches and discussion. For non-trivial patch sets, such as patch sets that touch multiple subsystems, it is recommended to CC the '''linux-security-module@vger.kernel.org''' mailing list for more broad screening.<br />
<br />
TPM and IMA have have their own maintainers and GIT trees:<br />
<br />
* '''IMA:''' Mimi Zohar, git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git<br />
* '''TPM:''' Jarkko Sakkinen, git://git.infradead.org/users/jjs/linux-tpmdd.git</div>JarkkoSakkinenhttp://kernsec.org/wiki/index.php?title=Linux_Kernel_Integrity&diff=3900Linux Kernel Integrity2017-09-14T19:16:03Z<p>JarkkoSakkinen: Created page with "'''linux-integrity@vger.kernel.org''' is the mailing list for TPM and IMA targeted patches and discussion. For non-trivial patch sets, such as patch sets that touch multiple s..."</p>
<hr />
<div>'''linux-integrity@vger.kernel.org''' is the mailing list for TPM and IMA targeted patches and discussion. For non-trivial patch sets, such as patch sets that touch multiple subsystems, it is recommended to CC them also to '''linux-security-module@vger.kernel.org''' mailing list for more broad screening.<br />
<br />
TPM and IMA have have their own maintainers and GIT trees:<br />
<br />
* '''IMA:''' Mimi Zohar, git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git<br />
* '''TPM:''' Jarkko Sakkinen, git://git.infradead.org/users/jjs/linux-tpmdd.git</div>JarkkoSakkinenhttp://kernsec.org/wiki/index.php?title=Projects&diff=3899Projects2017-09-14T19:08:22Z<p>JarkkoSakkinen: /* Integrity */</p>
<hr />
<div>== Kernel Security Projects ==<br />
<br />
=== Access Control ===<br />
<br />
* [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks <br />
** Mailing list archive: http://kernsec.org/pipermail/linux-security-module-archive/<br />
* [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system <br />
* [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework <br />
* [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux <br />
* [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available) <br />
* [http://grsecurity.net/features.php grsecurity], extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...) <br />
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework <br />
* [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions<br />
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/security/Yama.txt;hb=HEAD Yama] adds restrictions to ptrace, providing a programmatic way to declare relationships between processes<br />
<br />
=== Integrity ===<br />
<br />
This is a rapidly developing area, see the following LWN article for an overview:<br />
<br />
* [[Linux Kernel Integrity]]<br />
* [http://lwn.net/Articles/309441/ System integrity in Linux]<br />
<br />
=== Privileges ===<br />
<br />
* [http://www.friedhoff.org/posixfilecaps.html POSIX File Capabilities]<br />
** [http://lwn.net/Articles/313047/ Filesystem capabilities in Fedora 10 LWN article]<br />
<br />
=== Networking ===<br />
<br />
There are several separately maintained projects relating to network security, including:<br />
<br />
* [http://www.netfilter.org/ Netfilter] packet filtering <br />
* Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see [http://paulmoore.livejournal.com/ Paul Moore's blog] <br />
* [http://www.nufw.org/ NuFW] authenticating firewall based on Netfilter <br />
<br />
=== Storage ===<br />
<br />
* [http://selinuxproject.org/page/Labeled_NFS Labeled NFS], a project to add MAC labeling support to the NFSv4 protocol<br />
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/device-mapper/verity.txt dm-verity], a device mapper target for efficient, integrity-assured block devices<br />
<br />
=== Cryptography ===<br />
<br />
The cryptographic subsystem is maintained separately by Herbert Xu, refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list].<br />
<br />
=== Working Group ===<br />
<br />
* [[Linux Security Workgroup]]<br />
<br />
=== Self Protection ===<br />
<br />
* [[Kernel Self Protection Project]]</div>JarkkoSakkinen