{"id":13408408,"url":"https://github.com/OpenDZ/timgad","last_synced_at":"2025-03-14T13:30:56.480Z","repository":{"id":77894919,"uuid":"80212360","full_name":"OpenDZ/timgad","owner":"OpenDZ","description":"Timgad is a Linux Security Module that collects per process and system-wide security protections that are not handled by the core kernel itself.","archived":false,"fork":false,"pushed_at":"2017-02-16T10:49:07.000Z","size":88,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-07-31T20:30:24.730Z","etag":null,"topics":["kernel","linux","sandbox","security","security-hardening"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OpenDZ.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.GPL2","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security/Kconfig","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-01-27T14:05:31.000Z","updated_at":"2018-11-16T20:18:40.000Z","dependencies_parsed_at":"2023-03-12T02:29:43.096Z","dependency_job_id":null,"html_url":"https://github.com/OpenDZ/timgad","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenDZ%2Ftimgad","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenDZ%2Ftimgad/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenDZ%2Ftimgad/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenDZ%2Ftimgad/manifests","owner_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/owners/OpenDZ","download_url":"https://codeload.github.com/OpenDZ/timgad/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243584126,"owners_count":20314705,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kernel","linux","sandbox","security","security-hardening"],"created_at":"2024-07-30T20:00:52.692Z","updated_at":"2025-03-14T13:30:56.446Z","avatar_url":"https://github.com/OpenDZ.png","language":"C","funding_links":[],"categories":["Applications"],"sub_categories":[],"readme":"# Timgad\n\nTimgad is a Linux Security Module that collects per-process and\nsystem-wide security protections that are not handled by the core kernel\nitself.\n\nThis is selectable at build-time with CONFIG_SECURITY_TIMGAD, and can be\ncontrolled at run-time through sysctls in /proc/sys/kernel/timgad\nor the prctl() interface.\n\nLink: http://www.openwall.com/lists/kernel-hardening/2017/02/02/21\n\n- module_restrict\n\n==============================================================\n\nLinux containers need robust settings to control whether modules are allowed to\nbe loaded or unloaded, globally or by per-process/container policy.\n\nThis adds global sysctl settings to indicate whether modules are allowed\nto be loaded or unloaded; at the same time it also supports\nper-process/container settings based on the prctl(2) interface. 
The prctl(2)\nsettings are inherited by children created by fork(2) and clone(2), and\npreserved across execve(2).\n\n\n*) The per-process prctl() settings are:\n   prctl(PR_TIMGAD_OPTS, PR_TIGMAD_SET_MOD_RESTRICT, value, 0, 0)\n\n   Where value means:\n\n0 - Classic module load and unload permissions, nothing changes.\n\n1 - The current process must have CAP_SYS_MODULE to be able to load and\n    unload modules. CAP_NET_ADMIN should allow the current process to\n    load and unload only netdev aliased modules.\n\n2 - The current process cannot load or unload modules.\n\n\n*) The sysctl settings (writable only with CAP_SYS_MODULE) are:\n   /proc/sys/kernel/timgad/module_restrict\n\n0 - Classic module load and unload permissions, nothing changes.\n\n1 - Only processes with CAP_SYS_MODULE should be able to load and\n    unload modules. Processes with CAP_NET_ADMIN should be able to\n    load and unload only netdev aliased modules.\n\n2 - Modules cannot be loaded or unloaded. Once set, this sysctl value\n    cannot be changed.\n\nRules:\nFirst the prctl() settings are checked; if access is not denied,\nthen the global sysctl settings are checked.\n\n\nThe original idea and inspiration are from grsecurity\n'GRKERNSEC_MODHARDEN'\n\n==============================================================\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOpenDZ%2Ftimgad","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FOpenDZ%2Ftimgad","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOpenDZ%2Ftimgad/lists"}