Difference between revisions of "Projects"

From Linux Kernel Security Subsystem
Jump to navigation Jump to search
Line 11: Line 11:
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework  
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework  
* [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions
* [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/security/Yama.txt;hb=HEAD|Yama] adds restrictions to ptrace, providing a programmatic way to declare relationships between processes


=== Integrity ===
=== Integrity ===

Revision as of 16:37, 16 April 2012

Kernel Security Projects

Access Control

  • Linux Security Modules (LSM), the API for access control frameworks
  • AppArmor, a pathname-based access control system
  • Security Enhanced Linux (SELinux), a flexible and fine-grained MAC framework
  • Smack, the Simplified Mandatory Access Control Kernel for Linux
  • TOMOYO, another pathname-based access control system (LiveCD available)
  • grsecurity, extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...)
  • Rule Set Based Access Control (RSBAC), Linux kernel patch implementing a security framework
  • FBAC-LSM aims to provide easy to configure (functionality-based) application restrictions
  • [1] adds restrictions to ptrace, providing a programmatic way to declare relationships between processes

Integrity

This is a rapidly developing area, see the following LWN article for an overview:

Privileges

Networking

There are several separately maintained projects relating to network security, including:

  • Netfilter packet filtering
  • Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see Paul Moore's blog
  • NuFW authenticating firewall based on Netfilter


Storage

  • Labeled NFS, a project to add MAC labeling support to the NFSv4 protocol
  • dm-verity, a device mapper target for efficient, integrity-assured block devices

Cryptography

The cryptographic subsystem is maintained separately by Herbert Xu, refer to the mailing list.