Changes

Page history
Adjust for ikiwiki → GitLab wiki authored by intrigeri's avatar intrigeri
Show whitespace changes
Inline Side-by-side
Mandatory_Access_Control.md
View page @ a5d53a93
[[!tag archived]]
Rationale Rationale
========= =========
Using some kind of [[!wikipedia Mandatory Access Control]], such as Using some kind of [Mandatory Access Control](https://en.wikipedia.org/wiki/Mandatory%20Access%20Control), such as
GrSecurity, AppArmor or SELinux, would make exploitation of security GrSecurity, AppArmor or SELinux, would make exploitation of security
issues in bundled software harder. issues in bundled software harder.
...@@ -13,7 +13,7 @@ Possible solutions ...@@ -13,7 +13,7 @@ Possible solutions
AppArmor AppArmor
-------- --------
See [[contribute/design/application_isolation]]. See [application isolation](https://tails.boum.org/contribute/design/application_isolation).
grsecurity grsecurity
---------- ----------
...@@ -39,7 +39,7 @@ Users: ...@@ -39,7 +39,7 @@ Users:
it does not include grsecurity RBAC feature. it does not include grsecurity RBAC feature.
- Work to add a grsec kernel flavour to Debian seems to be stalled: - Work to add a grsec kernel flavour to Debian seems to be stalled:
[[!debbug 605090]]. [Debian bug #605090](https://bugs.debian.org/605090).
- Ubuntu developers [used to actively work](https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening) - Ubuntu developers [used to actively work](https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening)
to upstream grsec features mainline, but this effort seems to have to upstream grsec features mainline, but this effort seems to have
stalled, or rather moved to another employer along with Kees Cook. stalled, or rather moved to another employer along with Kees Cook.
...@@ -65,8 +65,7 @@ Smack ...@@ -65,8 +65,7 @@ Smack
----- -----
The Smack MAC LSM is part of the Linux kernel The Smack MAC LSM is part of the Linux kernel
([homepage](http://schaufler-ca.com/), [[!wikipedia ([homepage](http://schaufler-ca.com/), [Simplified Mandatory Access Control Kernel](https://en.wikipedia.org/wiki/Simplified%5FMandatory%5FAccess%5FControl%5FKernel)). It does not seem to be
Simplified_Mandatory_Access_Control_Kernel]]). It does not seem to be
used by any GNU/Linux distribution out there. used by any GNU/Linux distribution out there.
TOMOYO Linux TOMOYO Linux
...@@ -86,7 +85,7 @@ A "tomoyo learning daemon" is actually being developed by a third party : ...@@ -86,7 +85,7 @@ A "tomoyo learning daemon" is actually being developed by a third party :
[tomld](http://log69.com/tomld_en.html), might be worst having a look and test it. [tomld](http://log69.com/tomld_en.html), might be worst having a look and test it.
For informations on the ongoing tests of this solution, see the For informations on the ongoing tests of this solution, see the
[[tomoyo|Mandatory_Access_Control/tomoyo]] subpage. [tomoyo](Mandatory_Access_Control/tomoyo) subpage.
RSBAC RSBAC
----- -----
...@@ -110,3 +109,4 @@ Resources ...@@ -110,3 +109,4 @@ Resources
- [yet another comparison](http://elinux.org/Mandatory_Access_Control_Comparison) - [yet another comparison](http://elinux.org/Mandatory_Access_Control_Comparison)
- [An exploit that was able to bypass SELinux and AppArmor protections](http://lwn.net/Articles/341773/) by the author - [An exploit that was able to bypass SELinux and AppArmor protections](http://lwn.net/Articles/341773/) by the author
of grsecurity, which was safe. of grsecurity, which was safe.