Mandatory Access Control Comparison
Latest revision as of 19:24, 29 April 2012
This page has information about Mandatory Access Control (MAC) solutions, which are of interest to CE Linux Forum members because MAC provides strong access control for CE devices, which have rich resources to be managed.
Comparison of MAC solution
| | LIDS (http://www.lids.org/) | TOMOYO (http://tomoyo.sourceforge.jp/) | RSBAC (http://rsbac.org/) | SELinux (http://selinux.sourceforge.net/) | AppArmor (http://en.opensuse.org/AppArmor) |
|---|---|---|---|---|---|
| Security Model | MAC (inode), TPE (1.2), TDE (1.2) | MAC (path) | MAC, RC, ACL, FF, UM, PM, DAZ, JAIL | MAC (label), TE, RBAC, MLS, MCS | MAC (path) |
| Type | LSM (2.6), patch (2.4) | patch | patch | LSM | LSM |
| Current version (2.6) | 2.2.2 for 2.6.14 (LSM) | 1.1.3 for 2.6.11-17 | 1.2.7 for 2.6.16 | in mainline | 2.6.X (LSM) |
| Current version (2.4) | 1.2.2 for 2.4.30 | 1.1.3 for 2.4.20-32 | 1.2.7 for 2.4.32 | obsolete | ? |
| Policy learn mode | /lids/lids.ini | CCS=0 /root/security/profile0.txt | rsbac_softmode | /etc/selinux/config | |
| Disable option (kernel parameter) | lids=0 | | | selinux=0 | |
| Policy location | /etc/lids/ | /root/security/ | ? | /etc/selinux | ? |
| Distributions | Hardened Gentoo | | | Redhat, Fedora Core, Hardened Gentoo | Open Suse |
| Distributions (by 3rd party) | Fedora Core, Debian | Fedora Core, Debian | Debian | Suse, Ubuntu | Slackware |
Benchmark
(Work in progress)
Hardware: Sharp Zaurus C860, CPU: XScale 400MHz, Memory: --MB, OS: OpenZaurus 3.5.4.1 + OPIE 1.2
Sizing
Kernel 2.6.16 (linux-openzaurus-2.6.16-r40, Static build)
| (sizes in bytes) | Normal | LIDS | TOMOYO | RSBAC | SELinux |
|---|---|---|---|---|---|
| Kernel size (Image) | 2487744 | 2554880 | 2541808 | 2974224 | ? |
| Kernel size (zImage) | 1181660 | 1205324 | 1207288 | 1351432 | ? |
| Image size overhead | 0 | 67136 | 54064 | 486480 | ? |
| Policy size | 0 | | | | |
| Memory consumption | 0 | | | | |
Lmbench
Processor, Process, Local communication latencies (microseconds; values in parentheses are the change relative to Normal)
| | Normal | LIDS | TOMOYO | RSBAC | SELinux |
|---|---|---|---|---|---|
| null call | 0.46 | 0.46 | 0.46 | | |
| null I/O | 1.77 | 1.97 (11%) | 1.77 | | |
| stat | 12.7 | 15.7 (24%) | 12.8 (1%) | | |
| open/close | 18.7 | 22.5 (20%) | 59 (216%) | | |
| select TCP | 91.3 | 91.6 | 91.3 | | |
| sig inst | 2.89 | 2.83 (-2%) | 2.84 (-2%) | | |
| sig hndl | 7.58 | 7.66 (1%) | 9.25 (22%) | | |
| fork | 3795 | 3808 | 3757 (-1%) | | |
| execve | 13000 | 13000 | 15000 (15%) | | |
| sh | 36000 | 37000 (3%) | 41000 (14%) | | |
| ctxsw | 175 | 186.3 (7%) | 177.2 | | |
| pipe | 356.9 | 375.6 (5%) | 358.1 | | |
| AF_UNIX | 674 | 718 (7%) | 723 (7%) | | |
| UDP | 747.5 | 776.3 (4%) | 765.1 (2%) | | |
| RPC/UDP | 969.1 | 1013 (5%) | 1193 (23%) | | |
| TCP | 957.3 | 1004 (5%) | 964.6 (1%) | | |
| RPC/TCP | 1332 | 1380 (4%) | 1353 (2%) | | |
| TCP connect | 2302 | 2379 (3%) | 2357 (2%) | | |
| 0KB create | 461 | 605.7 (31%) | 669.8 (45%) | | |
| 0KB delete | 232.5 | 267.1 (15%) | 329.5 (42%) | | |
| 10KB create | 5128.2 | 5234.6 (2%) | 5235.6 (2%) | | |
| 10KB delete | 298.8 | 349.8 (17%) | 415.1 (39%) | | |
| Mmap latency | - | - | - | | |
| Prot Fault | 1.72 | 1.71 | 0.61 (-64%) | | |
| Page Fault | 92 | 92 | 86 (-7%) | | |
Unixbench
| | Normal | LIDS | TOMOYO | RSBAC | SELinux |
|---|---|---|---|---|---|
| execl | 89.3 lps | 84.6 | 59.5 | | |
| file read 1KB | 53974.0 KBps | 52176 | 53505 | | |
| file write 1KB | 328.0 KBps | 321 | 376 | | |
| file copy 1KB | 288.0 KBps | 199 | 311 | | |
| file read 256B | 34766.0 KBps | 33831 | 34742 | | |
| file write 256B | 133.0 KBps | 121 | 138 | | |
| file copy 256B | 126.0 KBps | 121 | 121 | | |
| file read 4KB | 69148.0 KBps | 67961 | 68851 | | |
| file write 4KB | 1417.0 KBps | 1417 | 1333 | | |
| file copy 4KB | 1268.0 KBps | 1237 | 1249 | | |
| pipe | 112917.5 lps | 108924 | 112137 | | |
| pipe switching | 2655.4 lps | 2559.6 | 2700 | | |
| process creation | 272.9 lps | 367.8 | 276.4 | | |
| system call | 269446.2 lps | 267748 | 268823.9 | | |
| shell scripts (1) | 82.2 lpm | 77.6 | 58.6 | | |
| shell scripts (8) | 5.3 lpm | 5.6 | 5.4 | | |
| shell scripts (16) | 2.0 lpm | 0 | 2 | | |
Summary
| | LIDS | TOMOYO | RSBAC | SELinux | AppArmor |
|---|---|---|---|---|---|
| Build (kernel) (easy: 5 - hard: 1) | 4 | 4 | 3 | 5 | ? |
| Build (userland) (easy: 5 - hard: 1) | 4 | 4 | 3 | ? | ? |
| Image size | 2% | 2% | 15% | 3% | ? |
| Performance | ? | | | | |
| Policy learn mode (good: 5 - poor: 1) | 4 | 5 | ? | 3 | ? |
| Symlink | by wrapper | support (alias) | ? | | |
| Filesystem JFFS2 | ok | ok | ok? | | |
Other resources
Access Control Comparison Table http://gentoo-wiki.com/Access_Control_Comparison_Table