What is a2
In the middle of December 2003, Linux kernel 2.6.0 came out with the
brand new Linux Security Module (LSM) as its default security framework.
LSM introduces a pool of function hooks that a security module can
implement to perform sanity checks before the kernel satisfies a user
request. These hooks are placed in some of the most important parts of
the kernel, such as the task creation code, filesystem mount and unmount,
socket creation, and TCP/IP packet send and receive. If a module
registers a particular hook, every time the kernel executes that code the
module's hook is called to decide whether the request can be performed
or not.
The approach followed by the LSM team is that the kernel's Discretionary
Access Control must come before security module policies. If the kernel
would normally refuse a particular request, a security module cannot
bypass this default behaviour.
The introduction of such a security framework allows people to
implement security modules that interact with the kernel without system
call interposition. The module's security checks are invoked directly by
the kernel, without any modification of the kernel source code.
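
A user-space C model of the behaviour described above, added here as an illustration (it is not AngeL's or the kernel's code): a module registers a hook, the request path consults it, and the built-in check runs first so the hook can only add a denial. All names, the uid-based stand-in for the kernel's own check, and the packet-socket policy are assumptions of this model.

```c
/* User-space model of LSM-style hook dispatch. All names here are
 * illustrative; none are kernel or a2 symbols. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

enum { FAM_INET = 2, FAM_PACKET = 17 };      /* constructed sample values */

struct sec_ops { int (*socket_create)(int family); };

/* Default hook when no module is registered: allow everything. */
static int default_socket_create(int family) { (void)family; return 0; }
static struct sec_ops default_ops = { default_socket_create };
static struct sec_ops *active = &default_ops;

/* A module registers its hook table; only one may be active at a time. */
int register_sec(struct sec_ops *ops) {
    if (ops == NULL || ops->socket_create == NULL) return -EINVAL;
    if (active != &default_ops) return -EBUSY;
    active = ops;
    return 0;
}

/* Stand-in for the kernel's own check: only uid 0 gets packet sockets. */
static int dac_check(int uid, int family) {
    return (family == FAM_PACKET && uid != 0) ? -EPERM : 0;
}

/* Request path: built-in check first, hook second. */
int model_socket(int uid, int family) {
    int err = dac_check(uid, family);
    if (err) return err;     /* hook not consulted: it cannot undo a denial */
    return active->socket_create(family);   /* hook may only add a denial */
}

/* Hypothetical module policy: refuse packet sockets, even for uid 0. */
static int hook_calls;
static int deny_packet(int family) {
    hook_calls++;
    return family == FAM_PACKET ? -EACCES : 0;
}
struct sec_ops demo_module = { deny_packet };
int demo_hook_calls(void) { return hook_calls; }

int main(void) {
    register_sec(&demo_module);
    printf("%d %d %d\n", model_socket(0, FAM_PACKET),
           model_socket(1000, FAM_PACKET), model_socket(1000, FAM_INET));
    return 0;
}
```
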
AngeL is intended to be an LSM-compliant security module, in order to
work with kernel version 2.6.0 or higher. To that end the source code
has been rewritten and reorganized from scratch, and a lot of changes
have been made to the package.
First of all, a new package, angel-devel, has been written from scratch.
This package contains a header file, a script and a small tool named
"angel-config" that the module needs in order to compile correctly. So if
you want to compile an angel version greater than 0.10, you must
install angel-devel first or your module won't compile. Looking at the
main angel tarball, you'll notice that the standard GNU compilation steps
are now used. So before compiling the module you have to configure it,
enabling or disabling features without editing the resulting Makefile.
After the configuration step is done you can safely compile the module
and enjoy the new security policies, implemented without system call
interposition and therefore without the stability issues that have
affected angel over these years.
The module name is still angel, and this remains the main project name.
When we talk about a2 we mean module releases greater than 0.10, that is,
releases that use LSM and netfilter to interact with the kernel.
The support tool arc2 is now a separate project, not included
in the angel tarball. This tool's goal will be writing security policies,
setting up hot angel parameters and so on.
Please note that I released the a2 code at this point mainly as
proof-of-concept code for interaction with the LSM subsystem. As of now,
I mean release 0.15, only sniffing attempts are denied, no logging is
performed and no /proc information is exported. So just download the
code to check it out and to look at the new AngeL face. I won't accept
any new patches until all the AngeL 0.8 security checks have been
implemented using the LSM subsystem. Please don't use a2 to protect your
systems, because this module is not able to do that for now.
Download
latest
(no releases available)
Development platform
a2 is developed on the Debian 3.0 GNU/Linux distribution,
upgraded to support the 2.6 kernel family, using gcc version 2.95.4. To
run the a2 code, the Linux flavour you use is not
important, but please take care to use a vanilla kernel. If you
choose to use your distro's precompiled kernel package, we can't
guarantee that a2 will run without problems. Please remember that
kernels prior to 2.6.0 aren't supported by the module; if you choose to
test a2 using a 2.4 kernel patched to have LSM support, you may
find angel working perfectly, but even this is considered an
unsupported kernel version.
Last kernel version the module works cleanly with: 2.6.1
$Id: a2.html,v 1.6 2004/09/20 20:37:15 sponge Exp $