Collaborate Disseminate
I am new to SMACK and trying to explore SMACK64MMAP attribute and how it works. Basically, I want to control which process can map my shared library.
Hence, I am adding a label to SMACK64MMAP attribute of my shared library file. After this… Continue reading How to add SMACK rule for controlling mmap of shared lib via SMACK64MMAP extended attribute
my question is based on the post made Toaster which never got a reply (Bell-LaPadula Model Compartments). In BLP If a subject has a classification level General and compartment Land (General, {Land}), would he be able to read/write to (Gen… Continue reading Can a subject in Bell-LaPadula model write to other files with different compartments but same classification?
Background
I’m trying to understand more about the Mandatory Integrity Control system in Windows, and have been looking through the background processes that are running at High integrity on my laptop.
I’ve read through all the documentati… Continue reading Why does this Windows process run with High integrity?
For example there is a simple CRUD record management application. Let for simplicity the records are some documents.
I need to implement a mandatory access control to the records. For example if some record is marked as confidential, then … Continue reading How to protect confidential information in a web application
So I know what is mandatory access control, however I don’t see how it helps. Often it seems to be said that if you have something like SELinux or Apparmor enabled you are magically more secure. And with this, the permissions of something … Continue reading How is MAC useful?
Take the following examples:
When I run sshd, it can in theory grant access to anything that the process itself has access to, regardless of provided credentials. For example, I could in theory modify a single if statement in the sshd sou… Continue reading Difference between access control systems that can/can’t be compromised without valid credentials?
I’m trying to harden a Linux installation on a personal computer – I decided to try both SELinux and AppArmor as a Mandatory Access Control (MAC) to supplement the default Discretionary Access Control (DAC) that Linux comes with by default… Continue reading Linux whitelist-based Mandatory Access Control instead of a blacklist-based model
I have read about MAC vs. DAC in the Internet, but I still fail to understand, what kind of attack it is impossible to protect against if one only uses DAC+capabilities in comparison to MAC+DAC+capabilities. If a process does not run as ro… Continue reading Real value of MAC models in Linux
Is apparmor default deny? For example consider the case under SELinux in enforcing mode, where I install a package with no policy associated with it. SELinux’s default behaviour is to deny all syscalls that application makes…. Continue reading Is apparmor default deny?
I am preparing documentation of Access Control for my employer. I need to know what are the best practice or must, to prepare an access control documentation.
Here are some things to narrow down the answer,
We are working… Continue reading Which topics should be included in Access Control Documentation?