Difference between revisions of "Mandatory Access Control Comparison"

From eLinux.org
Jump to: navigation, search
(Comparison of MAC solution)
m (Typo)
 
(One intermediate revision by one other user not shown)
Line 7: Line 7:
 
== Comparison of MAC solution ==
 
== Comparison of MAC solution ==
  
{|
+
{| border="1" cellspacing="0" cellpadding="5"
 +
|-bgcolor="#80c0d0"
 
!_
 
!_
 
![http://www.lids.org/ LIDS]
 
![http://www.lids.org/ LIDS]
Line 59: Line 60:
 
|  /etc/lids/  
 
|  /etc/lids/  
 
|  /root/security/  
 
|  /root/security/  
|   
+
?
 
|  /etc/selinux  
 
|  /etc/selinux  
|   
+
?
 
|-  
 
|-  
 
|  Distributions
 
|  Distributions
Line 88: Line 89:
 
=== Sizing ===
 
=== Sizing ===
  
Kerenl 2.6.16 (linux-openzaurus-2.6.16-r40, Static build)
+
Kernel 2.6.16 (linux-openzaurus-2.6.16-r40, Static build)
{|  
+
{| border="1" cellspacing="0" cellpadding="5"
|-  
+
|-bgcolor="#80c0d0"
 
|   
 
|   
 
|  Normal   
 
|  Normal   
Line 129: Line 130:
  
 
Processor, Process, Local communication latencies
 
Processor, Process, Local communication latencies
{|  
+
{| border="1" cellspacing="0" cellpadding="5"
|-  
+
|-bgcolor="#80c0d0"
 
|   
 
|   
 
|  Normal  
 
|  Normal  
Line 265: Line 266:
  
 
=== Unixbench ===
 
=== Unixbench ===
{|  
+
{| border="1" cellspacing="0" cellpadding="5"
|-  
+
|-bgcolor="#80c0d0"
 
|   
 
|   
 
|  Normal         
 
|  Normal         
Line 361: Line 362:
  
 
== Summary ==
 
== Summary ==
{|  
+
{| border="1" cellspacing="0" cellpadding="5"
|-  
+
|-bgcolor="#80c0d0"
 
|   
 
|   
 
|  LIDS  
 
|  LIDS  

Latest revision as of 02:24, 30 April 2012

Table Of Contents:


This page has information about Mandatory Access Control (MAC) solutions, which is of interest to CE Linux Forum members, because MAC provide strong access control for CE device which has rich resources to be managed.

Comparison of MAC solution

_ LIDS TOMOYO RSBAC SELinux App Armor
Security Model MAC(inode), TPE(1.2),TDE(1.2) MAC(path) MAC, RC, ACL, FF, UM, PM, DAZ, JAIL MAC(label), TE,RBAC,MLC,MCS MAC(path)
Type LSM (2.6), patch (2.4) patch patch LSM LSM
Current version (2.6) 2.2.2 for 2.6.14 (LSM) 1.1.3 for 2.6.11-17 1.2.7 for 2.6.16 in mainline 2.6.X (LSM)
Current version (2.4) 1.2.2 for 2.4.30 1.1.3 for 2.4.20 - 32 1.2.7 for 2.4.32 obsolete  ?
Policy learn mode /lids/lids.ini CCS=0 /root/security/profile0.txt /etc/selinux/config rsbac_softmode
disable option lids=0 selinux=0
Policy location /etc/lids/ /root/security/  ? /etc/selinux  ?
Distributions Hardened Gentoo Redhat, Fedora Core, Hardened Gentoo Open Suse
(by 3rd party) Fedora core, Debian Fedora core, Debian Debian Suse, Ubuntu Slackware

Benchmark

MEN WORKING

Hardware : Sharp Zaurus C860, CPU :XScale 400MHz, Memory : --MB, OS : Openzaurus 3.5.4.1 + OPIE 1.2

Sizing

Kernel 2.6.16 (linux-openzaurus-2.6.16-r40, Static build)

Normal LIDS TOMOYO RSBAC SELinux
Kernel size (Image) 2487744 2554880 2541808 2974224  ?
Kernel size (zImage) 1181660 1205324 1207288 1351432  ?
image size overhead 0 67136 54064 486480  ?
policy size 0
memory consumption 0

Lmbench

Processor, Process, Local communication latencies

Normal LIDS TOMOYO RSBAC SELinux
null call 0.46 0.46 0.46
null I/O 1.77 1.97 (11%) 1.77
stat 12.7 15.7 (24%) 12.8 (1%)
open/close 18.7 22.5 (20%) 59 (216%)
select TCP 91.3 91.6 91.3
sig inst 2.89 2.83 (-2%) 2.84 (-2%)
sig hndl 7.58 7.66 (1%) 9.25 (22%)
fork 3795 3808 3757 (-1%)
execve 13000 13000 15000 (15%)
sh 36000 37000 (3%) 41000 (14%)
ctxsw 175 186.3 (7%) 177.2
pipe 356.9 375.6 (5%) 358.1
AF_UNIX 674 718 (7%) 723 (7%)
UDP 747.5 776.3 (4%) 765.1 (2%)
RPC/UDP 969.1 1013 (5%) 1193 (23%)
TCP 957.3 1004 (5%) 964.6 (1%)
RPC/TCP 1332 1380 (4%) 1353 (2%)
TCP connect 2302 2379 (3%) 2357 (2%)
0KB create 461 605.7 (31%) 669.8 (45%)
0KB delete 232.5 267.1 (15%) 329.5 (42%)
10KB create 5128.2 5234.6 (2%) 5235.6 (2%)
10KB delete 298.8 349.8 (17%) 415.1 (39%)
Mmap latency - - -
Prot Fault 1.72 1.71 0.61 (-64%)
Page Fault 92 92 86 (-7%)

Unixbench

Normal LIDS TOMOYO RSBAC SELinux
execl 89.3 lps 84.6 59.5
file read 1KB 53974.0 KBps 52176 53505
file write 1KB 328.0 KBps 321 376
file copy 1KB 288.0 KBps 199 311
file read 256B 34766.0 KBps 33831 34742
file write 256B 133.0 KBps 121 138
file copy 256B 126.0 KBps 121 121
file read 4KB 69148.0 KBps 67961 68851
file write 4KB 1417.0 KBps 1417 1333
file copy 4KB 1268.0 KBps 1237 1249
pipe 112917.5 lps 108924 112137
pipe switching 2655.4 lps 2559.6 2700
process creation 272.9 lps 367.8 276.4
system call 269446.2 lps 267748 268823.9
shell scripts (1) 82.2 lpm 77.6 58.6
shell scripts (8) 5.3 lpm 5.6 5.4
shell scripts (16) 2.0 lpm 0 2

Summary

LIDS TOMOYO RSBAC SELinux App Armor
build (kenrel) (easy:5 - 1:hard) 4 4 3 5  ?
build (userland) (easy:5 - 1:hard) 4 4 3  ?  ?
image size 2% 2% 15% 3%  ?
performance  ?
policy lean mode (good:5 - 1:poor) 4 5  ? 3  ?
symlink by wrapper support(alias)  ?
filesystem JFFS2 ok ok ok?

Other resources

Access Control Comparison Table http://gentoo-wiki.com/Access_Control_Comparison_Table