Projects

From Linux Kernel Security Subsystem
(Difference between revisions)
Jump to: navigation, search
(Access Control)
m (Integrity)
 
(11 intermediate revisions by 4 users not shown)
Line 4: Line 4:
  
 
* [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks  
 
* [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks  
* AppArmor, a pathname-based access control system.
+
** Mailing list archive: http://kernsec.org/pipermail/linux-security-module-archive/
* Security Enhanced Linux (SELinux), a flexible and fine-grained MAC framework.
+
* [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system  
* SMACK, the Simplified Mandatory Access Control Kernel for Linux.
+
* [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework  
* TOMOYO, another pathname-based access control system (LiveCD available).
+
* [http://www.schaufler-ca.com/ Smack], the Simplified Mandatory Access Control Kernel for Linux  
* grsecurity, extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...).
+
* [http://tomoyo.sourceforge.jp/ TOMOYO], another pathname-based access control system (LiveCD available)  
* RSBAC: Rule Set Based Access Control, Linux kernel patch implementing a security framework.
+
* [http://grsecurity.net/features.php grsecurity], extensive security enhancement patch for the Linux kernel (RBAC, chroot hardening, auditing, stack/heap protection randomization and more...)  
* FBAC-LSM: aims to provide easy to configure (functionality-based) application restrictions.
+
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework  
 +
* [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions
 +
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/security/Yama.txt;hb=HEAD Yama] adds restrictions to ptrace, providing a programmatic way to declare relationships between processes
  
 
=== Integrity ===
 
=== Integrity ===
Line 16: Line 18:
 
This is a rapidly developing area, see the following LWN article for an overview:
 
This is a rapidly developing area, see the following LWN article for an overview:
  
* System integrity in Linux.
+
* [[Linux Kernel Integrity]]
 
+
* [http://lwn.net/Articles/309441/ System integrity in Linux]
  
 
=== Privileges ===
 
=== Privileges ===
  
* POSIX File Capabilities
+
* [http://www.friedhoff.org/posixfilecaps.html POSIX File Capabilities]
** Filesystem capabilities in Fedora 10 LWN article.
+
** [http://lwn.net/Articles/313047/ Filesystem capabilities in Fedora 10 LWN article]
 
+
  
 
=== Networking ===
 
=== Networking ===
Line 29: Line 30:
 
There are several separately maintained projects relating to network security, including:
 
There are several separately maintained projects relating to network security, including:
  
* Netfilter packet filtering.
+
* [http://www.netfilter.org/ Netfilter] packet filtering  
* Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see Paul Moore's blog.
+
* Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see [http://paulmoore.livejournal.com/ Paul Moore's blog]
* NuFW authenticating firewall based on netfilter
+
* [http://www.nufw.org/ NuFW] authenticating firewall based on Netfilter
 
+
  
 
=== Storage ===
 
=== Storage ===
  
* Labeled NFS, a project to add MAC labeling support to the NFSv4 protocol.
+
* [http://selinuxproject.org/page/Labeled_NFS Labeled NFS], a project to add MAC labeling support to the NFSv4 protocol
 
+
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/device-mapper/verity.txt dm-verity], a device mapper target for efficient, integrity-assured block devices
  
 
=== Cryptography ===
 
=== Cryptography ===
  
The cryptographic subsystem is maintained separately by Herbert Xu, refer to the mailing list.
+
The cryptographic subsystem is maintained separately by Herbert Xu, refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list].
 +
 
 +
=== Working Group ===
 +
 
 +
* [[Linux Security Workgroup]]
 +
 
 +
=== Self Protection ===
 +
 
 +
* [[Kernel Self Protection Project]]

Latest revision as of 19:08, 14 September 2017

Contents

[edit] Kernel Security Projects

[edit] Access Control

[edit] Integrity

This is a rapidly developing area, see the following LWN article for an overview:

[edit] Privileges

[edit] Networking

There are several separately maintained projects relating to network security, including:

  • Netfilter packet filtering
  • Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see Paul Moore's blog
  • NuFW authenticating firewall based on Netfilter

[edit] Storage

  • Labeled NFS, a project to add MAC labeling support to the NFSv4 protocol
  • dm-verity, a device mapper target for efficient, integrity-assured block devices

[edit] Cryptography

The cryptographic subsystem is maintained separately by Herbert Xu, refer to the mailing list.

[edit] Working Group

[edit] Self Protection

Personal tools
Namespaces

Variants
Actions
Navigation
Tools