The new RSBAC (Rule Set Based Access Control) version 1.0.4 is out and can
be downloaded from
http://agn-www.informatik.uni-hamburg.de/people/1ott/rsbac
RSBAC provides additional mandatory access control for Linux systems, see
above web URL. The special new feature (apart from 2.1 port) is the socket
level malware scan in the MS module.
Amon.·
-----------------------------------------------------------·
RSBAC Changes in recent versions
--------------------------------
1.0.4-pre2:
- Port to 2.1.111
- Attribute mac_trusted_for_user added to FILE aci. Value meanings:
RSBAC_NO_USER (-3): program is not MAC-trusted
RSBAC_ALL_USERS (-4): program is MAC-trusted for all users
other user-ID: program is MAC-trusted, if invoked by this user
Especially the last is useful for daemon programs that can be
started by all users.
Init process is checked, too, but is MAC-trusted by default.
- Syscalls rsbac_mac_set/get_max_seclevel added. Now a process can
reduce its own maximum security level. Useful for wrapper daemons
like inetd after forking and before invoking another program.
- Object dependent logging #ifdef'd with configuration option.
- Configuration option 'Maintenance Kernel' added. Disables all other
options.
- removed CONFIG_RSBAC_ADMIN and rsbac_admin() stuff - now we have
capabilities, and there is no suser() anymore to extend
- changed locking for Data Structures component from semaphores to
read/write spinlocks
- added (U)MOUNT requests for target DEV to sys_(u)mount. Now both
target dir and device are checked for access (MAC: dir: read-write,
dev: depending on mount mode read or read-write). Note: After
mount, all file/dir accesses on this device are checked as usual.
- Moved checks for valid request/target combinations from MAC module
to extra functions in rsbac/adf/check.c.
1.0.4
- Port via 2.1.115 and 2.1.124 to 2.1.125
- IPC targets: changed ids for sockets from pid/fd combination to
pointer to sock structure, including (many) changes in the
handling.
- Added socket level scanning (tcp and udp) to module Malware Scan.
This feature can stop malware while still being transferred to
your system. Added new attributes for IPC, process and file/dir
targets to manage socket scan.
- Reordered configuration options
- Added CONFIG_RSBAC_NO_WRITE to totally disable writing to disk for
testing purposes and kernel parameter rsbac_debug_no_write to
temporarily disable disk writing
- Added CONFIG_RSBAC_*_ROLE_PROTection for all role dependant
modules: Now change-owner (setuid etc.) can be restricted between
users with special roles - see configuration help for details
- Some more bugfixes, mostly to decision modules
12/10/98
Amon Ott.
-- ## CrossPoint v3.11 ##- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/