Skip to content

speijnik/upolicy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits

am

am

 
 

doc

doc

 
 

examples

examples

 
 

kernel

kernel

 
 

lib

lib

 
 

m4

m4

 
 

.gitignore

.gitignore

 
 

COPYING

COPYING

 
 

COPYING.KERNEL

COPYING.KERNEL

 
 

Makefile.am

Makefile.am

 
 

README.org

README.org

 
 

autogen.sh

autogen.sh

 
 

configure.ac

configure.ac

 
 

Repository files navigation

upolicy - Sandboxing with policy decisions in userspace

Introduction

upolicy allows unprivileged userspace processes to control access to their child processes system resources. This all is done in a TOCTTOU safe way, by making use of the Linux Security Module API.

upolicy is actually comprised of two pieces of software:

  • a kernel module, which plugs into the LSM API and
  • a userspace library

These two pieces communicate by the means of a generic netlink socket. The userspace library provides an abstraction of the actual kernel interface, making it quite easy to use (see Examples directory).

As of the time of this writing the code which can be found here should be considered as an early technology preview. It will contain some rough edges at some places and the API must NOT be considered stable and is subject to change at any time.

upolicy is not yet intended to be used in production environments. You have been warned.

Installing

Requirements

  • kernel with LSMStub patch (see below)
  • libnl >= 3.2 (specifically also the genl part)
  • automake, autoconf, libtool and friends (for building)
  • Python >= 2.7, < 3.0 for building the Python bindings
  • Doxygen for building the library documentation
  • Perl for building the kernel documentation

Requirements (Ubuntu 12.04)

On Ubuntu 12.04 the following packages should do:

apt-get install build-essential libnl-3-dev libnl-genl-3-dev python-all-dev automake autoconf libtool perl

Additionally the LSMStub PPA is required: apt-add-repository ppa:speijnik/lsmstub-kernel

LSMStub kernel

In upolicy’s early development stage it is favorable to be able to load and unload the module at will. Unfortunately, this is not possible with the LSM API per-se, because it is not exported to loadable kernel modules. In short: upolicy requires a patched kernel, which implements the LSMStub API. Such kernels can be either found in code-form at github.com/speijnik/linux/ or pre-compiled for Ubuntu 12.04 at launchpad: LSMStub enabled kernels PPA. Be warned that AppArmor is not enabled by default in the pre-built kernels, so do not use them on production systems.

Documentation

The upolicy documentation can be found at http://speijnik.github.com/upolicy/doc.

About

Userspace security policies

Resources

Readme

License

GPL-3.0, GPL-2.0 licenses found

Licenses found

GPL-3.0
COPYING
GPL-2.0
COPYING.KERNEL
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages