Abstract:
"The area Of Linux sandboxing has various developments in recent years with the introduction of operating system containers and the ever present need to harden the security of applications. Two of the more prominent technologies that have been used when creating sandboxes are namespaces and system call filters... This work proposes to use these two technologies to enforce the Principle of Leas/ Privilege on every process on a system. The solution extends a Grsecurity hardened Linux kernel and allows the user to define security policies for each process which permit them to behave intended. The presented demonstrate the effectiveness of the extended Linux kernel and its impact on performance. The results provide a basis that may be built upon to deliver a comprehensive solution that would be appealing for in real world environments". Tomado del abstract
