Security

cybersnakeh edited this page Jan 15, 2026 · 2 revisions

Security Hardening

SnakeEngine provides optional hardening layers to minimize risk when exposing privileged driver functionality.

Device access

  • Device node: /dev/snakedrv
  • udev rule (security/99-snakedrv.rules) sets ownership to group snakeengine
  • Add authorized users to the group: sudo usermod -aG snakeengine <user>

AppArmor

  • Profile: security/snakeengine.apparmor
  • Install (if AppArmor is active):
sudo apparmor_parser -r /etc/apparmor.d/snakeengine  # after copying the profile
  • Enforce mode is recommended on production systems.

SELinux

  • Policies: security/snakeengine.te and security/snakeengine.fc
  • Build/install if SELinux is enforcing and tooling is available:
cd security
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i snakeengine.pp
  • Adjust contexts per your distribution policies.

Secure Boot

  • If Secure Boot is enabled, sign the module after build:
./sign-module.sh
  • Follow the MOK enrollment prompts and reboot if required.

Module parameters

  • max_attached_processes (default 16): limit concurrent attachments
  • event_queue_size (default 256): bound the debug event queue
  • debug_level (0-3): set kernel log verbosity (keep at 1 in production)

Configured via /etc/modprobe.d/snakedrv.conf (generated by deploy.sh).

Best practices

  • Restrict membership of the snakeengine group.
  • Keep debug_level low; raise only for debugging.
  • Use VMs or dedicated hosts for development; avoid exposing /dev/snakedrv on shared/untrusted systems.

Audit and logs

  • Kernel messages: dmesg | grep snakedrv
  • AppArmor/SELinux denials: review audit.log or dmesg for AVC/AppArmor entries.
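
An audit sketch for the device-node and module-parameter settings described above, added here as an example and not part of the SnakeEngine repository. It assumes the options line names the module snakedrv, that GNU stat is available, and that the device node should grant nothing to "other" (the page does not state the mode); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not SnakeEngine code. Assumes module name "snakedrv" and GNU stat.

# Print parameter $2 from "options snakedrv ..." lines in file $1,
# or the fallback $3 when it is not set. The last assignment wins.
snake_param() {
    awk -v want="$2" -v def="$3" '
        $1 == "options" && $2 == "snakedrv" {
            for (i = 3; i <= NF; i++) {
                n = index($i, "=")
                if (n && substr($i, 1, n - 1) == want) val = substr($i, n + 1)
            }
        }
        END { print (val == "" ? def : val) }' "$1"
}

# Return 0 if config file $1 pins debug_level to 0 or 1.
# An unset debug_level is treated as a finding (choice of this example,
# since the page does not state the default).
check_modprobe_conf() {
    lvl=$(snake_param "$1" debug_level unset)
    echo "max_attached_processes=$(snake_param "$1" max_attached_processes 16)"
    echo "event_queue_size=$(snake_param "$1" event_queue_size 256)"
    echo "debug_level=$lvl"
    case "$lvl" in
        0|1) return 0 ;;
        *)   echo "FAIL: debug_level must be 0 or 1 in production" >&2; return 1 ;;
    esac
}

# Return 0 if node $1 is owned by group $2 and grants nothing to "other".
check_device_node() {
    info=$(stat -c '%G %a' "$1") || return 1
    grp=${info% *}
    mode=${info##* }
    other=${mode#"${mode%?}"}   # last octal digit = permissions for "other"
    [ "$grp" = "$2" ] || { echo "FAIL: $1 group is $grp, expected $2" >&2; return 1; }
    [ "$other" = "0" ] || { echo "FAIL: $1 mode $mode grants access to other" >&2; return 1; }
    return 0
}
```

On a deployed host, run check_modprobe_conf /etc/modprobe.d/snakedrv.conf and check_device_node /dev/snakedrv snakeengine.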
