Linux Security Summit 2015/Abstracts/Wojciechowski
Security framework for constraining applications' privileges
Lukasz Wojciechowski, Samsung
Imagine that you install a game. How do you know that it won't read your emails or web browser history? It could – in typical Linux distribution application runs with your user's privileges.
This talk explains, how to constrain 3rd party application privileges in the system. Presented solution allows to configure and control application security environment as a whole – it does not only setup privileges, an application needs, but also configures MAC policy, DAC policy, properly labels all installed files and setups security context before launch.
Proposed framework provides all the tools needed to achieve that – installation and launch support (Security-Manager), privilege/policy checker (Cynara), network privilege handling in interactive way (Nether). It's also integrated with LXC-based container framework (Vasum) – so that launching a sandboxed application in a container is also covered. All modules are open source, available on both tizen.org and github.com.
The talk describes general idea and some interesting challenges, that were encountered during development for Tizen 3.0 platform