|| ||Cliffe <email@example.com> |
|| ||firstname.lastname@example.org, email@example.com,
|| ||New security system FBAC-LSM announcement and call for collaborators |
|| ||Fri, 11 Dec 2009 16:30:39 +0800|
|| ||Article, Thread
In preparation for my LCA talk "A New Paradigm for Restricting Applications
and Protecting Yourself from Your Processes", today I have released the
code for FBAC-LSM. This initial development version of FBAC-LSM is
functional, but is unstable and slow. It is developed against an older
version of the LSM interface (using the AppArmor path-based hooks), and
will be updated to work with the new interface in the future. There is
quite a bit of work to be done before it is ready for production systems or
formal code review.
I developed FBAC-LSM for my PhD research. FBAC-LSM restricts programs based
on the features each application provides. Reusable policy abstractions,
known as functionalities, can be used to grant the authority to perform
high level features (for example using the Web_Browser functionality) or
lower level features (such as using the HTTP_Client functionality) or to
grant privileges to access any specified resources. Functionalities are
parameterised, which allows them to be adapted to the needs of specific
applications. Functionalities are also hierarchical; that is,
functionalities can contain other functionalities.
Over one hundred applications were analysed, and functionalities and
policies were developed. A number of techniques for automating aspects of
policy specification were also developed. A usability study comparing
FBAC-LSM with SELinux and AppArmor found that the new approach provided
significant benefits including higher levels of user satisfaction and of
successful policy creation. In the near future I will share the results of
the usability study, including suggestions for improving the usability of
SELinux and AppArmor.
Currently I am planning on expanding the FBAC-LSM tools to export to and
manage AppArmor and SEEdit policies.
I am looking for anyone interested in collaborating on the project. Please
contact me. There are a number of problems with the synchronisation in the
LSM code, which I hope someone on one of these mailinglists can help with.
Programmed in C and C++, using the LSM and Qt frameworks. Policy
abstractions in FBAC-LSM-PL policy language. Licensed GPL.
Check out the FBAC-LSM homepage which has lots more information and videos:
Pull the sourceforge Git repo (which includes the Linux Security Module
(LSM), graphical policy manager, and policies) to your computer with the
git clone git://fbac-lsm.git.sourceforge.net/gitroot/fbac-lsm/fbac-lsm
If you are attending the 2010 linux.conf.au conference, I hope to see you
at my talk in room Renouf 2 at 16:45 on Wednesday 20/01/10:
Z. Cliffe Schreuders
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to firstname.lastname@example.org
More majordomo info at http://vger.kernel.org/majordomo-info.html