Monday, 12/January/2015

RSBAC 1.4.9 has been released for kernels 3.14.28, 3.14.27, 3.12.35 and 3.10.64. Please drop us a note if you need support for other kernel versions.

Major changes since 1.4.8 are the ports to longterm kernels 3.12 and 3.14, enhancements in jails, signals and logging and a fix for a long standing race condition with Unix sockets.

The change lists are here: Kernel changes: http://www.rsbac.org/dl.php?file=code/1.4.9/changes-1.4.9.txt

Admin tools changes: http://www.rsbac.org/dl.php?file=code/1.4.9/admin-changes-1.4.9.txt

Have fun!

Thursday, 13/February/2014

RSBAC 1.4.8 has been released for kernel 3.10.29. Please drop us a note if you need support for other kernel versions.

Most important changes since 1.4.7:

• Remove PM module
• Add UDF module
• Various small fixes

The complete lists of changes are available here:

Kernel changes: http://www.rsbac.org/dl.php?file=code/1.4.8/changes-1.4.8.txt

Admin tools changes: http://www.rsbac.org/dl.php?file=code/1.4.8/admin-changes-1.4.8.txt

Have fun!

Thursday, 13/February/2014

Since PaX for the latest longterm kernel 3.10 has not been maintained by the official team for a while, we (m-privacy) have started providing updated patches as well as a git repository with RSBAC and PaX ourselves. You can find everything at https://git.m-privacy.de/

Please test and report, we are interested in your feedback!

Tuesday, 20/August/2013

RSBAC 1.4.7 has been released for kernels 3.10.7 and 3.2.50.

Most important changes since 1.4.6:

• Add optional MOVETO request with kernel config option: used when moving into a dir instead of old WRITE on DIR target.
• Support 32 Bit RSBAC userland under 64 Bit kernel

The complete lists of changes are available here:

Kernel changes: http://www.rsbac.org/dl.php?file=code/1.4.7/changes-1.4.7.txt

Admin tools changes: http://www.rsbac.org/dl.php?file=code/1.4.7/admin-changes-1.4.7.txt

Have fun!

Wednesday, 17/July/2013

RSBAC has been ported to kernel 3.10.1.

You can get the current code with this command:

git clone git://rsbac.org/linux-3.10.y

Please note that RSBAC is under constant maintenance in the various git repositories. A new release 1.4.7 is in progress and is expected soon. The currently best tested and very stable code is in our 3.2 kernel git repository.

Update 02/August/2013: Due to memory address restrictions with PaX, the above git clone currently does not work. Please try a “shallow” clone, which works fine, but has some restrictions. See “git help clone” for details.

git clone --depth 100 git://rsbac.org/linux-3.10.y.git

Update 09/August/2013: PaX problem is fixed, git works as expected.

Tuesday, 13/December/2011

RSBAC 1.4.6 has been released for the kernel 3.1.5.

Most important changes since 1.4.5:

• Add RSBAC syscalls and tools parameters to get and set UM password history size per user
• Security bugfix for sys_open() request types (see earlier post)
• Add rsbac_jail parameter -K for allow_netlink flag
• Add rsbac_usershow parameters to list users with shell or full name

The complete lists of changes are available here:

Kernel changes: http://www.rsbac.org/dl.php?file=code/1.4.6/changes-1.4.6.txt

Admin tools changes: http://www.rsbac.org/dl.php?file=code/1.4.6/admin-changes-1.4.6.txt

Have fun!

Wednesday, 30/Nov/2011

Unfortunately, there is a severe bug in the code that determines the RSBAC request type in sys_open() calls. As a result from this bug, open access will be decided upon by RSBAC with wrong request type, a read open can happen unnoticed. A read() access after opening is intercepted as intended, because only the open interception is wrong.

Affected are all RSBAC git repos for kernels starting from 2.6.35 and the official release 1.4.5 for 2.6.35. RSBAC for kernel 2.6.32 is not affected.

Please update your kernel sources from git or apply the patch for 2.6.35.y, rebuild and reboot to get the bug fixed. I will try to get a new release out for kernel 3.1.4 or later as soon as possible. After fixing, your system might need RSBAC rights adjustments, because the set of accesses changes.

Background: Between 2.6.32 and 2.6.35, the meaning of the flags parameter for sys_open() helper functions changed from some translated internal value to an exact copy of the sys_open() flags parameter. When porting RSBAC code from 2.6.32, we did not notice that change.

Friday, 12/Aug/2011

RSBAC has been successfully ported to Linux kernel 3.0, you find a new git repo at http://git.rsbac.org. Please test it and report so that we can make a new 3.0 based release soon.