Medusa DS9 Security System

Here is a list of changes


- kernel patch was split into two parts:
	- medusa_kernel_fix patch which fixes some kernel problems. This
	  patch will eventually go into the mainstream kernel, and disappear
	  from our distribution.
	- main medusa patch. This one contains the main part of kernel
	  changes, which are required for Medusa, and must be applied AFTER
	  the medusa_kernel_fix patch.
- support for Linux capabilities is now changed: the capabilities now work
  as they're supposed to.
- when the kernel (i.e. not some user application) sends a signal, the operation
  is allowed explicitly. This fixes ^C problems, and maybe races in some cases
- disallowed sending SIGSTOP and SIGTSTP to constable, suggested by
  Libor Kratochvil
- fix of filesystem code for 2.4 - now it correctly travels through mountpoints
- some cleanup
- discontinued support for 2.2.x kernels. The patch is still there, but is
  inaccurate and may be broken. If you are willing to maintain the patch
  for 2.2, you're welcome. If you need it, request it on the mailing list.


- patch for 2.4.14 - 2.4.17 kernels
- minor config fixes


- added new event 'START'. It occurs when a process is started (after fork)
- event 'FORK' now accepts process updates from constable for both parent
  and child
- cinfo was extended to array (needed by new Constable)
- when constable starts all processes are set to the default values:
	- cinfo is 0
	- vs is set to BEGIN_VS (see sources;)
	- med_act is set to MPACT_EXEC | MPACT_FORK | MPACT_START
	- syscall tracing is turned off
- write to process memory via /proc/*/mem is enabled (!); this is
  required by the new RBAC module

- fixed dual exec event when executing elf binary in 2.4.x
- fixed vfsmount problem (kernel crashed without constable)
- patches upgraded to linux 2.2.20 and 2.4.14


- fixed a hardlink bug, introduced in 0.8.1 for 2.4 kernels
- added some optimizations
- removed some optimizations (kernel won't run with them:)))


- improved code that handles privilege elevation during execve()
  (when using file capabilities, MED_SKIP works with 'on sexec' from now)
- added several missing permission checks to System V IPC code
- fixed some missing dput() calls in VFS code
- added 2.4.x kernels support. This code may contain bugs and is BETA quality.


- fixed - compilation problem when syscall tracing was disabled
- added filesystem capabilities support in Constable: you can use
  linux-like variables icap, pcap and ecap in "for set", or (correct)
  fcap, acap and ecap.
- kernel patches are in more unified format (i.e. "diff" line at
  the beginning of each patch)
- added new sample configuration file
- improved mini libc (Mlibc) Makefile
- appropriate documentation changes


- file hiding is now a config option, not a separate patch
- cleaned up System V IPC hooks
- rewritten Linux capabilities support - capabilities sets can be set for any
  file from now (just like vs sets can be) (!!! disabled for a moment,
  due to non-existing support in Constable !!! - will appear soon
  in the next release)
  note: during execve(), the kernel computes new process capabilities sets
  by evaluating file and process capabilities sets by the formula derived
  from POSIX capabilities security model - this is standard kernel behavior
- cleaned up suid binary execution hook, fs/namei.c code
- fixed - MED_YES at 'for exec' does not skip noexec mount flag and
  'x' permission checks, it only skips basic permission() call
- removed passing of filename, argc and argv to security daemon before exec
  (serious technical reasons), however, they are still available after exec
- improved i386 entry.S offset generator
  (the kernel should now compile properly regardless of
  /usr/include/(linux|asm) symlinks)
- init wrapper has been replaced by support in both kernel and constable:
  constable can be started instead of init; in this case it initializes
  itself and starts init. Patch in kernel enables you to use this feature
  without need to pass option "init=..." to the kernel at boot time.
- finally we got rid of that nasty autoconf/automake.
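The execve() capability computation mentioned in the rewritten-capabilities entry above, as an added example that is not part of the Medusa sources. It assumes the entry refers to the stock Linux 2.2/2.4 rule (inheritable kept, permitted = (file permitted & bounding set) | (file inheritable & process inheritable), effective = permitted & file effective); the type and function names are hypothetical and the sample sets are constructed.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t cap_set;            /* one bit per capability */
#define CAP_BIT(n) ((cap_set)1u << (n))

/* Capability numbers as defined in <linux/capability.h> */
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_RAW          13
#define CAP_SYS_ADMIN        21

struct caps { cap_set inheritable, permitted, effective; };

/* Small constructor so the sets can be written inline (hypothetical helper) */
static struct caps mk(cap_set i, cap_set p, cap_set e)
{
    struct caps c = { i, p, e };
    return c;
}

/*
 * proc: process sets before execve()
 * file: sets attached to the executable
 * bset: system-wide capability bounding set
 */
static struct caps exec_transition(struct caps proc, struct caps file, cap_set bset)
{
    struct caps out;
    out.inheritable = proc.inheritable;
    out.permitted   = (file.permitted & bset) | (file.inheritable & proc.inheritable);
    out.effective   = out.permitted & file.effective;
    return out;
}

int main(void)
{
    cap_set bind = CAP_BIT(CAP_NET_BIND_SERVICE), raw = CAP_BIT(CAP_NET_RAW);
    /* Constructed case 1: unprivileged process, file forces one capability */
    struct caps a = exec_transition(mk(0, 0, 0), mk(0, bind, ~0u), ~0u);
    /* Constructed case 2: file only allows NET_RAW; process does not hold it as inheritable */
    struct caps b = exec_transition(mk(0, 0, 0), mk(raw, 0, ~0u), ~0u);
    /* Constructed case 3: bounding set strips SYS_ADMIN from what the file forces */
    struct caps c = exec_transition(mk(0, 0, 0),
            mk(0, bind | CAP_BIT(CAP_SYS_ADMIN), ~0u), ~CAP_BIT(CAP_SYS_ADMIN));
    printf("forced:    P=%08x E=%08x\n", (unsigned)a.permitted, (unsigned)a.effective);
    printf("allowed:   P=%08x E=%08x\n", (unsigned)b.permitted, (unsigned)b.effective);
    printf("bounded:   P=%08x E=%08x\n", (unsigned)c.permitted, (unsigned)c.effective);
    return 0;
}
```

A capability set on a file therefore only raises privilege through the file's permitted set (limited by the bounding set) or through capabilities the process already carries as inheritable.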


- automake/autoconf support (thanks to Lubos Janica)
- bugfix in constable - log_proc
- added correct ptrace handling (and new event in constable: on ptrace)
- many documentation fixes (thanks to Tony Kocurko)
- `constable.conf' is now named `default.medusa'


- many documentation fixes and updates
- added some example Mlibc forcing routines and documentation
- updated virtual spaces checks to exactly match authorization model
- removed filesystem control config option (it is always enabled by now -
  whole thing wasn't too usable without it anyway)
- fixed exporting of symbol medusa_capable
- added optional patch for file hiding. it's working, but very
  slow, hardly portable and dirty as entire fs/readdir.c in the original

- increased maximum number of arguments of functions in Constable
  config. file to 64
- empty command block '{ }' in Constable config file is now accepted.
- fixed stupid bug in constant parsing in Constable (now you can
  use constant 22 without errors :-) ) 
- fixed some bugs in documentation
- checked and updated virtual spaces checking
- optimized middle communication layer


- major cleanup in constable sources
- offset detection for arch/i386/kernel/entry.S is in kernel again
- improved and cleaned up exec (and raised privileges exec) control
- updated signal delivering control
- enhanced file permissions handling 


- the security daemon can now be killed while waiting for a request
- fixed command sending bug in Constable
- changed initialization of modules in Constable
- main Makefile cleaned up
- fixed stupid bug in syscall tracing code in the kernel (the offset to
  task_struct was wrong so syscall tracing didn't work)
- added some documentation


- model of virtual spaces has changed and makes more sense now
  (old configs do not work with these, so you have to update them)
- number of virtual spaces was extended from 16 to 32
- handling of virtual spaces in the kernel was rewritten using macros
- corrected some grammatical mistakes in documentation
- added handler type "on init" (people demanded this)
- minor updates and fixes to documentation 
- added support for kernel 2.2.14


- fdprintf function added to mlibc
- completed declarations of wrappers in mlibc for all non-obsolete syscalls
- fixed more Constable compilation problems and did some code cleanup
- finally, order of command line parameters to Constable was reversed
- reboot if security daemon is killed (if the kernel is configured so)
  is now nicer and more portable


- fixed Constable (with disabled code forcing) compilation bug
- some documentation fixes
- removed doc extensions from documentation files


- fixed typo in Constable/Makefile
- some documentation fixes


- some documentation fixes and Makefiles updates
- added Init wrapper utility
- added mlibc (Medusa (or mini) C library to make force code programming
  easier by linking them with it)
- exported kernel symbols bug fixed
- some updates to Constable configuration language


- some kernel patch compilation cleanups 

- fixed stupid bug in System V IPC checking

- added communication protocol version checking
- major part of documentation written
- added dynamic loading of ELF objects for code forcing to Constable
- added patches for 2.2.11 - 2.2.13 kernels


- added some extra parameters for Constable
- added several useful constants to the Constable configuration language

- new feature: quiet mode - disables all messages from kernel
- added some documentation

- fixed communication bug under glibc2

- first beta version (this one seems to be stable)
- fixed many nasty bugs
- added System V IPC checking
- more standard package format

- Constable now compiles well both under libc5 and libc6
- some minor bugfixes

- changed signal delivering code
- added some code forcing routines to Constable
- minor code cleanups

Core design (c) 1999 Www, graphics art (c) 2000 salo.