|
|
[[!tag archived]]
|
|
|
|
|
|
|
|
|
Rationale
|
|
|
=========
|
|
|
|
|
|
Using some kind of [[!wikipedia Mandatory Access Control]], such as
|
|
|
Using some kind of [Mandatory Access Control](https://en.wikipedia.org/wiki/Mandatory%20Access%20Control), such as
|
|
|
GrSecurity, AppArmor or SELinux, would make exploitation of security
|
|
|
issues in bundled software harder.
|
|
|
|
... | ... | @@ -13,7 +13,7 @@ Possible solutions |
|
|
AppArmor
|
|
|
--------
|
|
|
|
|
|
See [[contribute/design/application_isolation]].
|
|
|
See [application isolation](https://tails.boum.org/contribute/design/application_isolation).
|
|
|
|
|
|
grsecurity
|
|
|
----------
|
... | ... | @@ -39,7 +39,7 @@ Users: |
|
|
it does not include grsecurity RBAC feature.
|
|
|
|
|
|
- Work to add a grsec kernel flavour to Debian seems to be stalled:
|
|
|
[[!debbug 605090]].
|
|
|
[Debian bug #605090](https://bugs.debian.org/605090).
|
|
|
- Ubuntu developers [used to actively work](https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening)
|
|
|
to upstream grsec features mainline, but this effort seems to have
|
|
|
stalled, or rather moved to another employer along with Kees Cook.
|
... | ... | @@ -65,8 +65,7 @@ Smack |
|
|
-----
|
|
|
|
|
|
The Smack MAC LSM is part of the Linux kernel
|
|
|
([homepage](http://schaufler-ca.com/), [[!wikipedia
|
|
|
Simplified_Mandatory_Access_Control_Kernel]]). It does not seem to be
|
|
|
([homepage](http://schaufler-ca.com/), [Simplified Mandatory Access Control Kernel](https://en.wikipedia.org/wiki/Simplified%5FMandatory%5FAccess%5FControl%5FKernel)). It does not seem to be
|
|
|
used by any GNU/Linux distribution out there.
|
|
|
|
|
|
TOMOYO Linux
|
... | ... | @@ -86,7 +85,7 @@ A "tomoyo learning daemon" is actually being developed by a third party : |
|
|
[tomld](http://log69.com/tomld_en.html), might be worst having a look and test it.
|
|
|
|
|
|
For informations on the ongoing tests of this solution, see the
|
|
|
[[tomoyo|Mandatory_Access_Control/tomoyo]] subpage.
|
|
|
[tomoyo](Mandatory_Access_Control/tomoyo) subpage.
|
|
|
|
|
|
RSBAC
|
|
|
-----
|
... | ... | @@ -110,3 +109,4 @@ Resources |
|
|
- [yet another comparison](http://elinux.org/Mandatory_Access_Control_Comparison)
|
|
|
- [An exploit that was able to bypass SELinux and AppArmor protections](http://lwn.net/Articles/341773/) by the author
|
|
|
of grsecurity, which was safe.
|
|
|
|