Difference between revisions of "Projects"
Jump to navigation
Jump to search
JamesMorris (talk | contribs) |
m (→Integrity) |
||
| (10 intermediate revisions by 4 users not shown) | |||
| Line 4: | Line 4: | ||
* [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks | * [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks | ||
** Mailing list archive: http://kernsec.org/pipermail/linux-security-module-archive/ | |||
* [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system | * [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system | ||
* [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework | * [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework | ||
| Line 11: | Line 12: | ||
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework | * [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework | ||
* [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions | * [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions | ||
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/security/Yama.txt;hb=HEAD Yama] adds restrictions to ptrace, providing a programmatic way to declare relationships between processes | |||
=== Integrity === | === Integrity === | ||
| Line 16: | Line 18: | ||
This is a rapidly developing area, see the following LWN article for an overview: | This is a rapidly developing area, see the following LWN article for an overview: | ||
* System integrity in Linux | * [[Linux Kernel Integrity]] | ||
* [http://lwn.net/Articles/309441/ System integrity in Linux] | |||
=== Privileges === | === Privileges === | ||
* POSIX File Capabilities | * [http://www.friedhoff.org/posixfilecaps.html POSIX File Capabilities] | ||
** Filesystem capabilities in Fedora 10 LWN article | ** [http://lwn.net/Articles/313047/ Filesystem capabilities in Fedora 10 LWN article] | ||
=== Networking === | === Networking === | ||
| Line 29: | Line 30: | ||
There are several separately maintained projects relating to network security, including: | There are several separately maintained projects relating to network security, including: | ||
* Netfilter packet filtering | * [http://www.netfilter.org/ Netfilter] packet filtering | ||
* Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see Paul Moore's blog | * Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see [http://paulmoore.livejournal.com/ Paul Moore's blog] | ||
* NuFW authenticating firewall based on | * [http://www.nufw.org/ NuFW] authenticating firewall based on Netfilter | ||
=== Storage === | |||
* [http://selinuxproject.org/page/Labeled_NFS Labeled NFS], a project to add MAC labeling support to the NFSv4 protocol | |||
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/device-mapper/verity.txt dm-verity], a device mapper target for efficient, integrity-assured block devices | |||
=== Cryptography === | |||
The cryptographic subsystem is maintained separately by Herbert Xu, refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list]. | |||
=== Working Group === | |||
* [[Linux Security Workgroup]] | |||
=== | === Self Protection === | ||
* [[Kernel Self Protection Project]] | |||
Latest revision as of 19:08, 14 September 2017
Kernel Security Projects
Access Control
- Linux Security Modules (LSM), the API for access control frameworks
- Mailing list archive: http://kernsec.org/pipermail/linux-security-module-archive/
- AppArmor, a pathname-based access control system
- Security Enhanced Linux (SELinux), a flexible and fine-grained MAC framework
- Smack, the Simplified Mandatory Access Control Kernel for Linux
- TOMOYO, another pathname-based access control system (LiveCD available)
- grsecurity, extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...)
- Rule Set Based Access Control (RSBAC), Linux kernel patch implementing a security framework
- FBAC-LSM aims to provide easy to configure (functionality-based) application restrictions
- Yama adds restrictions to ptrace, providing a programmatic way to declare relationships between processes
Integrity
This is a rapidly developing area, see the following LWN article for an overview:
Privileges
Networking
There are several separately maintained projects relating to network security, including:
- Netfilter packet filtering
- Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see Paul Moore's blog
- NuFW authenticating firewall based on Netfilter
Storage
- Labeled NFS, a project to add MAC labeling support to the NFSv4 protocol
- dm-verity, a device mapper target for efficient, integrity-assured block devices
Cryptography
The cryptographic subsystem is maintained separately by Herbert Xu, refer to the mailing list.