<HTML
><HEAD
><TITLE
>Specialized Security Extensions for Unix-like Systems</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Secure Programming for Linux and Unix HOWTO"
HREF="index.html"><LINK
REL="UP"
TITLE="Summary of Linux and Unix Security Features"
HREF="features.html"><LINK
REL="PREVIOUS"
TITLE="PAM"
HREF="pam.html"><LINK
REL="NEXT"
TITLE="Security Requirements"
HREF="requirements.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Secure Programming for Linux and Unix HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="pam.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 3. Summary of Linux and Unix Security Features</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="requirements.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="UNIX-EXTENSIONS"
></A
>3.10. Specialized Security Extensions for Unix-like Systems</H1
><P
>A vast amount of research and development has gone into
extending Unix-like systems to support security needs of various
communities.
For example, several Unix-like systems have been extended to support the
U.S. military's desire for multilevel security.
If you're developing software, you should try to design your software
so that it can work within these extensions.</P
><P
>FreeBSD has a new system call,
<A
HREF="http://docs.freebsd.org/44doc/papers/jail/jail.html"
TARGET="_top"
>jail(2)</A
>.
The jail system call supports sub-partitioning an environment
into many virtual machines (in a sense, a ``super-chroot'');
its most popular use has been to provide
virtual machine services for Internet Service Provider environments.
Inside a jail, all processes (even those owned by root)
have the scope of their requests limited to the jail.
When a FreeBSD system is booted up after a fresh install,
no processes will be in a jail.
When a process is placed in a jail, it, and any descendants of
that process, will be in that jail.
Once in a jail,
access to the file name-space is restricted in the style of chroot(2)
(with typical chroot escape routes blocked),
the ability to bind network resources is limited to a specific IP address,
the ability to manipulate system resources and perform privileged operations
is sharply curtailed, and the ability to interact with other processes
is limited to only processes inside the same jail.
Note that each jail is bound to a single IP address;
processes within the jail may not make use of any other IP
address for outgoing or incoming connections.</P
><P
>Some extensions available in Linux, such as POSIX capabilities and
special mount-time options, have already been discussed.
Here are a few of the efforts to create restricted execution
environments on Linux systems; there are many different approaches.
The U.S. National Security Agency (NSA) has developed
<A
HREF="http://www.nsa.gov/selinux"
TARGET="_top"
>Security-Enhanced Linux (Flask)</A
>,
which supports defining a security policy in a specialized language
and then enforces that policy.
The <A
HREF="http://medusa.fornax.sk"
TARGET="_top"
>Medusa DS9</A
>
extends Linux by supporting, at the kernel level,
a user-space authorization server.
<A
HREF="http://www.lids.org"
TARGET="_top"
>LIDS</A
>
protects files and processes, allowing administrators to
``lock down'' their system.
The ``Rule Set Based Access Control'' system,
<A
HREF="http://www.rsbac.de"
TARGET="_top"
>RSBAC</A
>,
is based on the Generalized Framework for Access Control (GFAC)
by Abrams and LaPadula and provides a flexible system of access
control based on several kernel modules.
<A
HREF="http://subterfugue.org"
TARGET="_top"
>Subterfugue</A
>
is a framework for ``observing and playing with the reality of software'';
it can intercept system calls and change their parameters
and/or change their return values to implement sandboxes, tracers,
and so on;
it runs under Linux 2.4 with no changes (it doesn't require
any kernel modifications).
<A
HREF="http://www.cs.berkeley.edu/~daw/janus"
TARGET="_top"
>Janus</A
>
is a security tool for sandboxing untrusted applications
within a restricted execution environment.
Some have even used
<A
HREF="http://user-mode-linux.sourceforge.net"
TARGET="_top"
>User-mode Linux</A
>,
which implements ``Linux on Linux'', as a sandbox implementation.
Because there are so many different approaches to implementing more
sophisticated security models, Linus Torvalds has requested that a
generic approach be developed so different security policies can be
inserted; for more information about this, see
<A
HREF="http://mail.wirex.com/mailman/listinfo/linux-security-module"
TARGET="_top"
>http://mail.wirex.com/mailman/listinfo/linux-security-module</A
>.</P
><P
>There are many other extensions for security on various Unix-like systems,
but these are really outside the scope of this document.</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="pam.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="requirements.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>PAM</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="features.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Security Requirements</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>