upolicy allows unprivileged userspace processes to control access to their child processes system resources. This all is done in a TOCTTOU safe way, by making use of the Linux Security Module API.
upolicy is actually comprised of two pieces of software:
- a kernel extension, which uses the LSM framework,
- a userspace library
These two pieces communicate by the means of a generic netlink socket. The userspace library provides an abstraction of the actual kernel interface, making it quite easy to use (see Examples directory).
As of the time of this writing the code which can be found here should be considered as an early technology preview. It will contain some rough edges at some places and the API must NOT be considered stable and is subject to change at any time.
upolicy is not yet intended to be used in production environments. You have been warned.
- Linux kernel with upolicy patches and upolicy enabled (see below)
- libnl >= 3.2 (specifically also the genl part)
- automake, autoconf, libtool and friends (for building)
- Python >= 2.7, < 3.0 for building the Python bindings
- Doxygen for building the library documentation
On Ubuntu 12.04 the following packages should do:
apt-get install build-essential libnl-3-dev libnl-genl-3-dev python-all-dev automake autoconf libtool perl
upolicy requires a set of kernel patches, which will be available from http://github.com/upolicy/linux in the future. If you want to test-drive upolicy, please use the old code from https://github.com/upolicy/libupolicy/tree/old/master. Please refer to the README.org file there, for a list of requirements and instructions for building.
The upolicy documentation can be found at http://speijnik.github.com/upolicy/doc.