Linux Security Summit 2015/Abstracts/Wojciechowski

From Linux Kernel Security Subsystem
Revision as of 14:18, 1 July 2015 by JamesMorris


Security framework for constraining applications' privileges


Lukasz Wojciechowski, Samsung


Imagine that you install a game. How do you know that it won't read your emails or web browser history? It could: in a typical Linux distribution, an application runs with your user's privileges.

This talk explains how to constrain third-party application privileges in the system. The presented solution configures and controls the application's security environment as a whole: it not only sets up the privileges an application needs, but also configures MAC policy and DAC policy, properly labels all installed files, and sets up the security context before launch.

The proposed framework provides all the tools needed to achieve that: installation and launch support (Security-Manager), a privilege/policy checker (Cynara), and interactive network privilege handling (Nether). It is also integrated with an LXC-based container framework (Vasum), so launching a sandboxed application in a container is also covered. All modules are open source, available on both and

The talk describes the general idea and some interesting challenges that were encountered during development for the Tizen 3.0 platform.