https://github.com/OpenDZ/timgad
Timgad is a Linux Security Module that collects per process and system-wide security protections that are not handled by the core kernel itself.
kernel linux sandbox security security-hardening
- Host: GitHub
- URL: https://github.com/OpenDZ/timgad
- Owner: OpenDZ
- License: gpl-2.0
- Created: 2017-01-27T14:05:31.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2017-02-16T10:49:07.000Z (about 8 years ago)
- Last Synced: 2024-07-31T20:30:24.730Z (9 months ago)
- Topics: kernel, linux, sandbox, security, security-hardening
- Language: C
- Homepage:
- Size: 85.9 KB
- Stars: 1
- Watchers: 5
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.GPL2
- Security: security/Kconfig
Awesome Lists containing this project
- awesome-algeria - Timgad - Timgad is a kernel Linux Security Module that collects per process and system-wide security protections that are not handled by the core kernel itself. (Applications)
README
# Timgad
Timgad is a Linux Security Module that collects per process and
system-wide security protections that are not handled by the core kernel
itself.

This is selectable at build-time with CONFIG_SECURITY_TIMGAD, and can be
controlled at run-time through sysctls in /proc/sys/kernel/timgad or the
prctl() interface.

Link: http://www.openwall.com/lists/kernel-hardening/2017/02/02/21

- module_restrict

==============================================================

Linux containers need robust settings to control whether modules are allowed
to be loaded or unloaded, globally or per process/container policy.

This adds global sysctl settings to indicate whether modules are allowed
to be loaded or unloaded. At the same time it also supports
per-process/container settings based on the prctl(2) interface. The prctl(2)
settings are inherited by children created by fork(2) and clone(2), and
preserved across execve(2).

*) The per-process prctl() settings are:

    prctl(PR_TIMGAD_OPTS, PR_TIGMAD_SET_MOD_RESTRICT, value, 0, 0)

Where value means:

0 - Classic module load and unload permissions, nothing changes.

1 - The current process must have CAP_SYS_MODULE to be able to load and
    unload modules. CAP_NET_ADMIN should allow the current process to
    load and unload only netdev aliased modules.

2 - The current process cannot load or unload modules.

*) The sysctl settings (writable only with CAP_SYS_MODULE) are:

    /proc/sys/kernel/timgad/module_restrict

0 - Classic module load and unload permissions, nothing changes.

1 - Only processes with CAP_SYS_MODULE should be able to load and
    unload modules. Processes with CAP_NET_ADMIN should be able to
    load and unload only netdev aliased modules.

2 - Modules cannot be loaded or unloaded. Once set, this sysctl value
    cannot be changed.

Rules:
First the prctl() settings are checked; if the access is not denied,
then the global sysctl settings are checked.

The original idea and inspiration is from grsecurity
'GRKERNSEC_MODHARDEN'

==============================================================
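
The rule order described above (prctl() setting first, then the global sysctl), written out as a small userspace C model. This is an added example, not Timgad's kernel code: the struct and function names are hypothetical, and denying on out-of-range values is an assumption.

```c
/* Userspace model of the module_restrict rules in this README (not kernel code). */
#include <stdbool.h>
#include <stdio.h>

enum { MOD_CLASSIC = 0, MOD_NEED_CAP = 1, MOD_LOCKED = 2 };

struct request {
    bool cap_sys_module;  /* caller holds CAP_SYS_MODULE */
    bool cap_net_admin;   /* caller holds CAP_NET_ADMIN */
    bool netdev_alias;    /* requested module is a netdev aliased module */
};

/* One restriction level applied to one request. true means "not denied by
 * this level"; the classic kernel permission checks still apply afterwards. */
static bool level_allows(int level, const struct request *r)
{
    switch (level) {
    case MOD_CLASSIC:  return true;   /* 0: nothing changes */
    case MOD_NEED_CAP: return r->cap_sys_module || (r->cap_net_admin && r->netdev_alias);
    default:           return false;  /* 2, or out of range (assumption): deny */
    }
}

/* README rule order: the prctl() setting is checked first, then the sysctl. */
bool timgad_model_allows(int prctl_level, int sysctl_level, const struct request *r)
{
    if (!level_allows(prctl_level, r))
        return false;
    return level_allows(sysctl_level, r);
}

/* Sysctl write: needs CAP_SYS_MODULE, and once the value is 2 it is permanent. */
bool sysctl_model_write(int *level, int new_level, bool cap_sys_module)
{
    if (!cap_sys_module || *level == MOD_LOCKED || new_level < 0 || new_level > 2)
        return false;
    *level = new_level;
    return true;
}

int main(void)
{
    struct request netadmin = { false, true, true };  /* constructed sample caller */
    int sysctl_level = MOD_CLASSIC;
    printf("before lock: %d\n", timgad_model_allows(1, sysctl_level, &netadmin));
    sysctl_model_write(&sysctl_level, MOD_LOCKED, true);
    printf("after lock:  %d\n", timgad_model_allows(1, sysctl_level, &netadmin));
    return 0;
}
```

The model shows that the two settings only ever add restrictions: a process that sets its own level to 0 is still bound by a stricter sysctl, and a strict per-process level is not relaxed by a sysctl of 0.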