The TOMOYO security framework from NTT was merged. This is the first significant LSM scheme to be merged since SELinux in 2003. TOMOYO is characterized by its targeting of non-technical users, where security policy is automatically generated with a "learning mode" tool. This scheme utilizes pathnames for determining access to filesystem objects. Another interesting feature is that a domain, i.e. an active subject which acts on objects, is defined as a history of process invocations, rather than a single process. This allows policy to be applied to a particular branch of processes in the system. For example, an access permitted for
init->httpd->perlmay not be permitted for
init->httpd->bash. Sample policy may be found here.
IBM's Integrity Measurement Architecture was also merged. This uses the TPM to verify and store cryptographic checksums of files used by the system, i.e. measurement. If a measured file has been modified on disk, this will be detected and stored permanently in the TPM. The aim is to help detect attacks based on modifying files—such as executable binaries or configuration files—although it cannot detect runtime attacks, and requires checksums to be known in advance for the full system startup chain. Files to be measured may be specified in a policy loadable via securityfs.
- Remove Old SELinux Network Controls
The original SELinux network controls were deprecated by the iptables-based Secmark system several years ago, although they remained available via the
compat_netoption for the likely few people who were using them. The old code has now been removed entirely, and users should transition to Secmark: Paul Moore has written a detailed guide for this.
The remaining changes were primarily bugfixes and enhancements across most parts of the security subsystem, including SELinux, SMACK, and keys.
Paul and I are finalizing the schedule for the security microconf at the upcoming Linux Plumbers Conference. It's looking like a great line-up at this stage—stay tuned for more details soon.