This initial distribution implements integrity labels only at the moment and not sensitivity labels (following the KISS principle that compartment separation and system integrity labels are more useful in real life than sensitivity gradings).
Download.
README.
Bufflink - fast lightweight kernel/userland communication
Bufflink provides a quick and easy way for kernel code to create a
ring buffer and write to it from any context (process, bottom half
or interrupt). A userland process can access it via a character device
which behaves mostly like a FIFO.
Latest version is 0.3.
Download.
README.
Reqlog: write details of each block I/O request to a ring buffer
reqlog is a small patch to the Linux 2.2.12 kernel which writes
brief
details of each physical disk read/write to a ring buffer from where a
userland program can make use of the information. Example uses of this
information are for hot migration of live in-use block devices, as by
the bmigrate suite detailed below or detailed disk I/O monitoring
utilities (I'm going to write one Real Soon Now).
Latest version is 0.3.
Download.
README.
Bmigrate: hot migration of live in-use block devices
bmigrate is a set of programs which make use of the
CONFIG_REQUEST_LOG
option available in (the reqlog patch to) the Linux kernel in order to
migrate the contents of a live in-use block device to a new location.
This can be used to help migrate a large filesystem or database to a
new system with only a few seconds unavailability time as the service
is switched over.
Latest version is 0.3.
Download.
README.
Sockfs: a pseudo-filesystem for user/group-based access to
privileged ports
sockfs is a pseudo-filesystem which allows the setting of owner,
group
and permissions for each reserved internet-domain port (i.e. family
AF_INET, ports 1-1024). When mounted, directory entries for each
reserved port appear (named 1, 2, 3, etc., rather like the procfs
entries for each process named by PID).
The filesystem replaces the kernel privilege check for binding reserved ports. Instead of the default check which allows only root to bind to reserved ports, it checks whether the appropriate entry in the sockfs filesystem is writable by the process attempting the bind(). Owner, group and "other" bits are checked just as for ordinary file permission checks. The superuser (in fact, the fsuser just as for ordinary filesystems) is always granted permission. The filesystem allows the owner, group and permission bits to be changed by whoever has write access to the root of the mounted filesystem (usually root alone).
Sockfs was written for the 2.0 kernel and has not been updated since 1998 when the kernel patch side was refused into the main kernel. If anyone is interested, it can be easily updated for 2.2+.
Latest version is alpha2.
Download.
README.