Linux Security Summit 2015/Abstracts/Wojciechowski

From Linux Kernel Security Subsystem
Jump to navigation Jump to search

Title

Security framework for constraining applications' privileges

Presenter

Lukasz Wojciechowski, Samsung

Abstract

Imagine that you install a game. How do you know that it won't read your emails or web browser history? It could – in typical Linux distribution application runs with your user's privileges.

This talk explains, how to constrain 3rd party application privileges in the system. Presented solution allows to configure and control application security environment as a whole – it does not only setup privileges, an application needs, but also configures MAC policy, DAC policy, properly labels all installed files and setups security context before launch.

Proposed framework provides all the tools needed to achieve that – installation and launch support (Security-Manager), privilege/policy checker (Cynara), network privilege handling in interactive way (Nether). It's also integrated with LXC-based container framework (Vasum) – so that launching a sandboxed application in a container is also covered. All modules are open source, available on both tizen.org and github.com.

The talk describes general idea and some interesting challenges, that were encountered during development for Tizen 3.0 platform