| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Oct 2007 17:43:30 +0530 From: Pravin <shindepravin@...il.com> To: linux-kernel@...r.kernel.org, selinux@...ho.nsa.gov Subject: userspace Process Classifier based on SELinux Security Contexts for CPUSET, ELSA and Containers Hi, We are trying to solve the problem that, resource management solutions like CPUSET and Containers do need manual process classification into virtual filesystem provided by them as an interface. Also this classification needs to use PID of a process, so the classification can be done only after process is created. And this classification is not persist ant as if process is restarted then PID changes and it needs to be re-classified again. To solve above problem we are working on an idea of using SELinux security contexts as persistent tokens for classification of processes. Unlike PID of a process, SELinux security context does not change when process is restarted or machine is rebooted. So, if we can write rules using on these security contexts, then automatic process classification can be done entirely from userspace. We are using connectors for receiving notifications from kernel about events (ie. fork, exec, id change(uid, gid, suid), exit) in process management. We check the security context of process using system call "getpidcon" after system calls like fork and exec. and we use this security context to classify the process by comparing this security context against the security-contexts provided by system-administrators for classification. These rules provided by system administrators can be used to classify processes in respective class of CPUSET or containers. We also provide wild-character support in security context matching. We are using SELinux security context because they are persistent, flexible and configurable. For more reasons, http://pcss.sourceforge.net/faq.html Please refer the diagrams at http://pcss.sourceforge.net and http://pcss.sourceforge.net/pcss_cpuset.html for architecture of the design. The code for application which will work with CPUSET is hosted on sourceforge site. http://pcss.sourceforge.net/pcss-cpuset.tar This code is not very extensively tested, so there may be some problems with it. We have also applied similar solution to ELSA (Enhanced Linux System Accounting) http://elsa.sourceforge.net/ We are also working on using it for classification for containers. Currently work is not yet over for containers. We are looking forward for some feedback/criticism about the Idea, architecture of the solution and the code. We think that it will be helpful in reducing the burden of system administrators as it uses all existing infrastructure to provide automatic classification solutions for different applications which need them. -- Regards, Pravin Shinde http://pcss.sourceforge.net - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists