Denis Obrezkov
Email: <denis13_obrezkov8_5 AT SPAMFREE gmail DOT com> (remove anything but letters)
Contents
Location Aware Security Project
Link: Location Aware Security Project
Description
People use their computer in various different locations/contexts, like at home, the office or in public spaces.
The need for security settings and policies are different for the aforementioned locations. At home, e.g., it might not be needed to ask the user for passwords when connecting thunderbolt devices and also USB devices can probably be trusted more. Additionally the screen locking timeouts can be more relaxed.
- The project would need to first address how different locations can be learned (or explicitly defined) and automatically switched.
- Relevant security policies will then need to be identified and components need to be adjusted to react to different security contexts.
Tasks
- find the source of information about current location
- identify security policies and mechanisms for different locations
- figure out how to allow a user to easily change security policies (?)
Technologies to consider
selinux (SELinux Project Wiki, SELinuxGame)
- xdg portals
- namespaces
- Android security and how it works (SELinux + MLS (?))
- seccomp filters
- sssd
- cgroups
- usbguard, bolt
Prototype for tests
Fedora Workstation 28 + QEMU + switcher of wifi spots (script for qemu?)
In order to imitate different wifi spots mac80211_hwsim might be used.
Prototype will consist of a daemon and a client application communicating via D-Bus. Client app will allow to list available zones (and corresponding devices), attach different labels to wifi networks, interfaces and usb devices. Daemon will keep all those information in a database (?) and provide clients with the information and be responsible for changing security regimes. Daemon will be written in C, client in C or Python (?).
Some concerns
What are the project goals?
I think there is also a problem - there is no usable simple policy management tool. So, a user can't even restrain some application without good knowledge of firewall rules or SELinux. So, it is hard to say right now how to make a usable mechanism for location aware security since in that case a user should define security rules on its own. So, it seems to me that this project is more for system administrators.