Xtreme

From ParabolaWiki
Warning: The linux-libre-xtreme kernel has been deprecated, since Arch kernels (and therefore Parabola kernels) now ship with all LSMs enabled by default for x86_64 and i686; linux-libre-lts-xtreme has been deprecated because the Knock patches were discontinued. This page might be removed in the future.

1 General details

The linux-libre-xtreme package is a kernel with all the standard Linux Security Modules enabled: AppArmor, TOMOYO, SMACK, SELinux, and YAMA, plus the hardened patches. linux-libre-lts-xtreme is the same kernel but carries the Knock patches instead of the hardened ones, making it the best kernel for servers. They aim to bring maximum (or even more: extreme) security, comparable to what Grsecurity+Knock offered in the past.

They are officially available in the kernels repository for the x86_64, i686 and ARMv7h architectures.

Note: The linux-hardened patch is only made for x86_64 and arm64, which means that linux-libre-xtreme for x86_64 is the only build carrying the hardened patch. The i686 and armv7h builds still have all LSMs enabled.
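Having every LSM compiled in does not mean every LSM is active: the exclusive modules (SELinux, AppArmor, SMACK, TOMOYO) are mutually exclusive at boot, and only the one selected through the `lsm=`/`security=` kernel parameters is initialized, while minor modules such as Yama stack alongside it. The following script is an added example, not part of this wiki page or the Parabola packages; it reads the kernel's list of active LSMs from /sys/kernel/security/lsm and the Yama ptrace_scope sysctl, and the two helper functions take their input as arguments so they can be checked against constructed values. The WANTED list "yama apparmor" is an assumption for a system that chose AppArmor; replace it with the major LSM you selected.

```shell
#!/bin/sh
# Added example (not from the Parabola wiki): verify which LSMs the running
# kernel actually enabled and how Yama restricts ptrace. Both functions take
# their input as arguments; the --live branch at the bottom reads the real files.

# check_lsms ACTIVE WANTED
#   ACTIVE: comma-separated list as found in /sys/kernel/security/lsm
#   WANTED: space-separated LSM names that must be present
# Prints the missing names and returns 1 if any are missing, 0 otherwise.
check_lsms() {
    active=",$1,"
    missing=""
    for lsm in $2; do
        case "$active" in
            *",$lsm,"*) ;;
            *) missing="$missing $lsm" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing LSMs:$missing"
        return 1
    fi
    return 0
}

# describe_ptrace_scope VALUE
#   Meaning of /proc/sys/kernel/yama/ptrace_scope as documented by kernel.org.
describe_ptrace_scope() {
    case "$1" in
        0) echo "classic: any process may ptrace another process of the same uid" ;;
        1) echo "restricted: only descendants may be traced, unless CAP_SYS_PTRACE or PR_SET_PTRACER" ;;
        2) echo "admin-only: attaching requires CAP_SYS_PTRACE" ;;
        3) echo "no attach: ptrace attach disabled until reboot" ;;
        *) echo "unknown ptrace_scope value: $1"; return 1 ;;
    esac
}

# Run against the live system: sh lsm-check.sh --live
# Only one exclusive LSM is active, so list the one you chose, not all of them.
if [ "${1:-}" = "--live" ]; then
    if [ -r /sys/kernel/security/lsm ]; then
        check_lsms "$(cat /sys/kernel/security/lsm)" "yama apparmor"
    else
        echo "securityfs not mounted or kernel too old for /sys/kernel/security/lsm" >&2
    fi
    if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
        describe_ptrace_scope "$(cat /proc/sys/kernel/yama/ptrace_scope)"
    else
        echo "Yama is not active on this kernel" >&2
    fi
fi
```

Run it with `--live` on the target machine; an empty or missing /sys/kernel/security/lsm means securityfs is not mounted (`mount -t securityfs securityfs /sys/kernel/security`), and a ptrace_scope of 0 means Yama is present but not restricting anything, which is worth tightening on a server.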

2 Security projects

2.1 Linux Hardened

From Linux Hardened wiki:

Our goals are:
* Encourage and facilitate open source development of security features for the Linux kernel.
* Track progress of development work.
* Maintain a set of patches for security features that have not yet been merged into mainline.
* Remain distribution agnostic. We want to focus on patches that affect Linux directly.
* Work with the KSPP.

The Linux-hardened project works together with the Kernel Self Protection Project, a project that starts with the premise that kernel bugs have a very long lifetime, and that the kernel must be designed in ways to protect against these flaws. Their community has already found and fixed individual bugs via static checkers (compiler flags, smatch, coccinelle, coverity) and dynamic checkers (kernel configs, trinity, KASan).

2.2 AppArmor

From Wikipedia:

AppArmor ("Application Armour") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It has been included in the mainline Linux kernel since version 2.6.36 and its development has been supported by Canonical since 2009.

AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours. (source)

2.3 TOMOYO

From TOMOYO's home page:

TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. It was launched in March 2003 and had been sponsored by NTT DATA Corporation, Japan until March 2012.

The Tomoyo Linux project started as a patch for the Linux kernel to provide MAC. Porting Tomoyo Linux to the mainline Linux kernel required the introduction of hooks into the LSM that had been designed and developed specifically to support SELinux and its label-based approach. (source)

2.4 SMACK

From SMACK's website:

Smack is the Simplified Mandatory Access Control Kernel. Smack is a kernel based implementation of mandatory access control that includes simplicity in its primary design goals.

Smack is a Linux kernel security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control (MAC) rules, with simplicity as its main design goal. It has been officially merged since the Linux 2.6.25 release. (source)

2.5 SELinux

From SELinux's home page:

SELinux is a security enhancement to Linux which allows users and administrators more control over access control.
Access can be constrained on such variables as which users and applications can access which resources. These resources may take the form of files. Standard Linux access controls, such as file modes (-rwxr-xr-x) are modifiable by the user and the applications which the user runs. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications.

NSA Security-Enhanced Linux is a set of patches to the Linux kernel and utilities to provide a strong, flexible, mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering, and bypassing of application security mechanisms, to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals.

2.6 YAMA

From kernel.org website:

Yama is a Linux Security Module that collects system-wide DAC security protections that are not handled by the core kernel itself. This is selectable at build-time with CONFIG_SECURITY_YAMA, and can be controlled at run-time through sysctls in /proc/sys/kernel/yama.

The Yama Linux Security Module collects DAC security improvements (specifically just ptrace restrictions) that have existed in various forms over the years and have been carried outside the mainline kernel by other Linux kernel derivatives like Openwall and grsecurity.

2.7 Knock

From Knock homepage:

Knock is a kernel patch that implements a new NAT-compatible TCP option for stealthy port knocking with a few new twists for improved security which is referred to as TCP Stealth.

The knock project provides patches to the Linux kernel which enhance security like grsecurity, but it makes a TCP server not respond (positively) to a TCP SYN request unless a particular "knock" packet has been sent first. This can be helpful for security, as an attacker that cannot establish a TCP connection also cannot really attack the TCP server.

3 Additional packages

You can install apparmor to configure MAC for individual applications through profiles, and also apparmor-openrc if you use the OpenRC init system.
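As an added example of what such a profile looks like (not taken from this wiki page or from the apparmor package), the script below writes a minimal profile for a hypothetical daemon at /usr/local/bin/example-daemon, confining it to read its own configuration, write only files it owns under its state and log directories, and use no network or capabilities, then loads it in complain mode with apparmor_parser so violations are logged rather than blocked until the profile is known to be complete. The binary path, the /etc, /var/lib and /var/log directory names and the profile file name convention are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Parabola wiki): write a minimal AppArmor profile
# for a hypothetical daemon and load it in complain mode first. The binary
# path and its directories are constructed for illustration.

# profile_name PATH
#   AppArmor's conventional profile file name: drop the leading slash and
#   replace every remaining '/' with '.'.
profile_name() {
    printf '%s\n' "${1#/}" | tr '/' '.'
}

# write_profile BINARY DEST_DIR
#   Writes DEST_DIR/<profile name> and prints the resulting path.
write_profile() {
    bin="$1"
    dest="$2/$(profile_name "$bin")"
    name="${bin##*/}"
    cat > "$dest" <<EOF
# Constructed example profile; adjust the paths to the real program.
#include <tunables/global>

$bin {
  #include <abstractions/base>

  # The program binary itself (m: map as executable, r: read)
  $bin mr,

  # Configuration is read-only
  /etc/$name/ r,
  /etc/$name/** r,

  # Only files the daemon itself owns in its state and log directories are writable
  owner /var/lib/$name/ rw,
  owner /var/lib/$name/** rwk,
  owner /var/log/$name/*.log w,

  # Anything not listed is already denied; explicit denies also keep the
  # audit log quiet for the most common probes.
  deny network,
  deny capability,
  deny /home/** rwx,
}
EOF
    printf '%s\n' "$dest"
}

# load_profile PROFILE_FILE
#   Load in complain mode (-C) first, review the ALLOWED events in the
#   journal, then reload without -C to enforce.
load_profile() {
    if ! command -v apparmor_parser >/dev/null 2>&1; then
        echo "apparmor_parser not found; install the apparmor package" >&2
        return 1
    fi
    apparmor_parser -r -C "$1" &&
        echo "loaded in complain mode: review 'aa-status' and apparmor=\"ALLOWED\" log entries" &&
        echo "when clean, enforce with: apparmor_parser -r $1"
}

# Usage: sh example-profile.sh --install [DEST_DIR]   (DEST_DIR defaults to /etc/apparmor.d)
if [ "${1:-}" = "--install" ]; then
    file=$(write_profile /usr/local/bin/example-daemon "${2:-/etc/apparmor.d}")
    load_profile "$file"
fi
```

The profile is deny-by-default, so the `deny` lines are not what blocks access; they exist so that expected probes (home directories, network, capabilities) do not flood the audit log while the profile is in complain mode. Once a few days of logs show no legitimate ALLOWED events, reload the profile without `-C` to enforce it.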

4 See also