medusa-team / linux-medusa Goto Github PK
View Code? Open in Web Editor NEWA unique security module for the Linux operating system
License: Other
A unique security module for the Linux operating system
License: Other
There are checks similar to IS_ERR(dentry)
. Is this really needed? Compare with other security modules and delete if required.
There are times when code in L4 has to wait for some event (e.g. when waiting for answer from the authorization server). Sleeping and waking up in these areas is based on changing process state and waking up by PID. This approach should be replaceable by kernel waitqueue mechanism in wait.c. Read more in memory-barriers.txt. Analyze if refactoring would be beneficial and implement the change.
constable
may race in am_i_constable
and that can cause a null dereference. Analyze the situation and implement RCU locking mechanism.
Usage of MEDUSA_EVTYPE_NOTTRIGGERED
in evtypes causes authorization server not able to synchronize internal hierarchy with actual system (filesystem, processes, etc.).
In other words, evtypes need to have bitnr
assigned, so authorization server can decide whether the object can inherit security information from its parent (when object is not monitored) or it needs to be sent to authorization server to get specific security information.
See file_kobj_validate_dentry_dir
in Medusa and generic_set_handler
in Constable for more information.
Meta issue for project "Test socket hooks". This should be closed after the project is closed.
See medusa_ipc_ctl()
. ipcp
is NULL
.
E.g. dget_parent
instead of dentry->d_parent
and others. Check the correct usage in the kernel.
Greeting has 8 bytes. Add two bytes to represent protocol number. We'll continue with version 2
.
memcpy(tk->cmdline, ts_security->cmdline, sizeof(tk->cmdline));
in kobject_process.c
doesn't have an effect since ts_security->cmdline
is empty.
In older version of Medusa, it was populated in medusa_l1_task_alloc
, but this hook was disabled.
One solution would be to bring back get_cmdline
call to process_kern2kobj
like it used to be.
kobject_file.h
is in includes
and also in l2
.
Current implementation uses just ilookup
. It would be better to use internal cache (as in kobject_file
implementation) and then use ilookup
as a fail-safe if the inode is not present in the internal cache.
Take inspiration from https://elixir.bootlin.com/linux/latest/source/security/keys/keyctl.c#L1696.
Try to compile Medusa with CONFIG_SECURITY_MEDUSA_HOOKS_TASK_KILL
not set.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.