Difference between revisions of "Projects"

From Linux Kernel Security Subsystem
Jump to navigation Jump to search
 
(6 intermediate revisions by 3 users not shown)
Line 4: Line 4:


* [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks  
* [http://vger.kernel.org/vger-lists.html#linux-security-module Linux Security Modules (LSM)], the API for access control frameworks  
** Mailing list archive: http://kernsec.org/pipermail/linux-security-module-archive/
* [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system  
* [http://www.novell.com/linux/security/apparmor/ AppArmor], a pathname-based access control system  
* [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework  
* [http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)], a flexible and fine-grained MAC framework  
Line 11: Line 12:
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework  
* [http://www.rsbac.org/why Rule Set Based Access Control (RSBAC)], Linux kernel patch implementing a security framework  
* [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions
* [http://schreuders.org/FBAC-LSM FBAC-LSM] aims to provide easy to configure (functionality-based) application restrictions
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/security/Yama.txt;hb=HEAD Yama] adds restrictions to ptrace, providing a programmatic way to declare relationships between processes


=== Integrity ===
=== Integrity ===
Line 16: Line 18:
This is a rapidly developing area, see the following LWN article for an overview:
This is a rapidly developing area, see the following LWN article for an overview:


* [[Linux Kernel Integrity]]
* [http://lwn.net/Articles/309441/ System integrity in Linux]
* [http://lwn.net/Articles/309441/ System integrity in Linux]


Line 30: Line 33:
* Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see [http://paulmoore.livejournal.com/ Paul Moore's blog]  
* Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see [http://paulmoore.livejournal.com/ Paul Moore's blog]  
* [http://www.nufw.org/ NuFW] authenticating firewall based on Netfilter  
* [http://www.nufw.org/ NuFW] authenticating firewall based on Netfilter  


=== Storage ===
=== Storage ===
Line 40: Line 42:


The cryptographic subsystem is maintained separately by Herbert Xu, refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list].
The cryptographic subsystem is maintained separately by Herbert Xu, refer to the [http://vger.kernel.org/vger-lists.html#linux-crypto mailing list].
=== Working Group ===
* [[Linux Security Workgroup]]
=== Self Protection ===
* [[Kernel Self Protection Project]]

Latest revision as of 19:08, 14 September 2017

Kernel Security Projects

Access Control

Integrity

This is a rapidly developing area, see the following LWN article for an overview:

Privileges

Networking

There are several separately maintained projects relating to network security, including:

  • Netfilter packet filtering
  • Labeled Networking, including NetLabel, CIPSO, Labeled IPsec and SECMARK, see Paul Moore's blog
  • NuFW authenticating firewall based on Netfilter

Storage

  • Labeled NFS, a project to add MAC labeling support to the NFSv4 protocol
  • dm-verity, a device mapper target for efficient, integrity-assured block devices

Cryptography

The cryptographic subsystem is maintained separately by Herbert Xu, refer to the mailing list.

Working Group

Self Protection