Linux Security Module (LSM) is a lightweight general-purpose Linux kernel access control framework. This article describes the Linux Security Module (LSM) of the relevant background, design, implementation method; and explains how to use the Linux Security Module (LSM) to enhance security of Linux systems: one is the interface between the core developers and security researchers to use for on the other hand is a module for ordinary users, and specific use. If the reader has a background knowledge of the Linux kernel and security can contribute to the understanding of this article.
1. Related Background: Why and what is
In recent years, Linux systems because of its excellent performance and stability characteristics of open source to bring the flexibility and scalability, as well as relatively low cost and widespread attention and application of computer industry. But in terms of security, Linux kernel provides only the classic UNIX discretionary access control (root user, the user ID, mode bit security mechanism), and the draft POSIX.1e standard security mechanisms supported by some of the capabilities of this system for Linux security is not enough, affecting the further development of Linux systems and more widely used.
There are many security access control model and framework have been studied and developed to enhance the security of Linux systems, more well-known security enhanced Linux (SELinux), domain and Type Enforcement (DTE), and the Linux Intrusion Detection System (LIDS )and many more. But the absence of a system to obtain dominant position and into a standard Linux kernel; and these systems are mostly in the form of a variety of different kernel patches provided, the use of these systems need to have the ability to compile a custom kernel and for no kernel development experience of ordinary users, access to and use of these systems is difficult. In the 2001 Linux kernel summit, US National Security Agency (NSA) presented their work on security-enhanced Linux (SELinux), which is a flexible access control system in the Flask implemented in Linux, then Linux kernel founder Linux kernel Linus Torvalds agreed to do need a common security framework for access control, but he pointed out that the best method is through loadable kernel modules, which can support a variety of existing security access control systems. Therefore, Linux Security Module (LSM) came into being.
Linux Security Module (LSM) is a lightweight general-purpose Linux kernel access control framework. It makes a variety of security access control model can be loaded Linux kernel modules to achieve them, the user can load to choose according to their needs security module Linux kernel, thus greatly improving the flexibility of Linux security access control mechanisms and ease of use. There are already many well-known enhanced access control system migration to Linux Security Module (LSM) on the implementation, including POSIX.1e capabilities, security-enhanced Linux (SELinux), domain and Type Enforcement (DTE), and the Linux Intrusion Detection System (LIDS) and many more. Although the Linux Security Module (LSM) is still used as a form of Linux kernel patches, but it also provides stable version of Linux 2.4 and Linux 2.5 series of development versions of the series, and hopefully into the Linux 2.6 stable version, and thus to achieve its goal: to be accepted as a standard Linux kernel Linux kernel security mechanisms available to users in various Linux distributions.
2. Design description: gotta get two parties satisfied
Linux Security Module (LSM) of the design must try to satisfy both the requirements of people: people who do not need it to make as little as possible so get in trouble; while allowing those who need it so get a useful and efficient features.
With Linus Torvalds as the representative of the core developers of the Linux Security Module (LSM) proposed three requirements:
True universal, when using a different security model, you can just load a different kernel module
Conceptually simple, minimal impact on the Linux kernel, efficient, and
POSIX.1e capabilities to support the existing logic, as an optional security module
On the other hand, requires a variety of different security-enhanced Linux system on Linux Security Module (LSM) that is: to allow them to form a loadable kernel module to re-implement its security features, and will not cause significant in terms of safety loss will not bring additional system overhead.
To meet these design goals, Linux Security Module (LSM) by using a method of placing in the kernel source code hook, to arbitrate access to the internal kernel objects, and these objects are: task, inode node, open files, etc. . User process executes a system call, the first Linux kernel traveled the logic of the original find and allocate resources, error checking, and after the classic UNIX discretionary access control, just in the Linux kernel before attempting to access the internal objects, a Linux security module ( LSM) hooks for security module must provide the function call, and thus the security module asked the question "whether to allow access to the Executive?", the security module to make decisions according to their security policy, to answer: allow, or refuse and then return a mistake.
On the other hand, in order to meet the needs of most of the existing Linux security-enhanced systems, Linux Security Module (LSM) to simplify the design decisions taken. Linux Security Module (LSM) is now the main support most of the existing security features enhance the core of the system: access control; and a number of other security features to enhance system security requirements, such as security audits, only a small amount of support. Linux Security Module (LSM) is now major support "restrictive" access control decisions: when the Linux kernel to give access permissions, Linux Security Module (LSM) may be refused, and when the Linux kernel refused to visit, to skip Linux Security module (LSM); while for the opposite "allow type" of the access control decision-making only a small amount of support. For the module function synthesis, Linux Security Module (LSM) to allow the module stack, but the major work left to its own module: the module function synthesis of the final decision by the first load module. All of these design decisions may temporarily affect the Linux Security Module (LSM) of the power and flexibility, but it greatly reduces the Linux Security Module (LSM) to achieve the complexity and reduce the impact on the modification of the Linux kernel, making it into the Linux kernel become a security standard greatly improved possibilities; Once a standard, you can change the decision-making, increased functionality and flexibility.
3. Implementation Introduction: changes to the Linux kernel
Linux Security Module (LSM) as a Linux kernel patch is currently implemented in the form. Which itself does not provide any specific security policy, but rather provide a common foundation system to the security module, the security module to implement specific security policies. The main Linux kernel in five aspects were modified:
Joined the security domain specific kernel data structures
Different in the kernel source code, insert a call to the key security hook function
Adding a common security system call
Allows the kernel module provides functions for the security module or cancellation of registration
The most logical migration capabilities as an optional security module
The following five aspects of this modification by one brief introduction.
Security domain is a pointer of type void *, it makes the security module to the internal security information and kernel objects linked. Listed below are added to modify the security domain of kernel data structures, and internal kernel objects each represent:
task_struct structure: on behalf of the task (process)
linux_binprm structure: on behalf of program
super_block structure: on behalf of the file system
inode structure: on behalf of pipeline, documents, or Socket socket
file structure: on behalf of open files
sk_buff structure: on behalf of the network buffer (packet)
net_device structure: on behalf of network equipment
kern_ipc_perm structure: on behalf of Semaphore signals, shared memory segment or message queue
msg_msg: represents a single message
In addition, msg_msg structure, msg_queue structure, shmid_kernel structure was moved to include / linux / msg.h and include / linux / shm.h two header files, so security module can use these definitions.
Linux Security Module (LSM) provides two types of calls the security hook function for: one kernel object management security domain, and the other arbitration access these kernel objects. Security hook function call to be achieved by the hook, the hook is the global table security_ops function pointer, the global table type is security_operations structure, which is defined in include / linux / security.h this header file, this structure contains in accordance with the sub-structure kernel object or kernel subsystem grouping consisting of hooks, as well as some top hooks for system operations. In the kernel source code it is easy to find on the hook function call: the prefix is security_ops->. Detailed description of the function of the left hook to the back.
Linux Security Module (LSM) provides a common security system call that allows security modules related applications to write new system calls for the security, its style is similar to the original Linux system calls socketcall (), is a multi-channel system calls . This system calls for the security (), its parameters (unsigned int id, unsigned int call, unsigned long * args), in which representatives of the module descriptor id, call on behalf of call descriptors, args on behalf of the argument list. This system call provides a default sys_security () entry function: the simple order parameter called its sys_security () hook function. If the security module does not provide new system calls, we can define the return -ENOSYS of sys_security () hook function, but most of the security module can define its own to achieve this system call.
In the process of the kernel boot, Linux Security Module (LSM) framework is initialized to a series of virtual hook function to achieve the traditional UNIX superuser mechanism. When loading a security module, you must use register_security () function to the Linux Security Module (LSM) framework for registration of this security module: This function will set the global table security_ops, to point to the security module hook function pointer, allowing the kernel to this asked security module access control decisions. Once a security module is loaded, it becomes a security policy decision-making center of the system, but will not be back register_security () function is covered, until the security module is used unregister_security () function to the framework of cancellation: This simple hook function will be replaced The default value, the system back to UNIX superuser mechanism. In addition, Linux Security Module (LSM) framework also provides a function mod_reg_security () function and mod_unreg_security (), so that after the security module to have first registered on the main module and cancellation of registration, but its strategy to achieve the decision by the main module : to provide a strategy to implement the module stack to support the synthesis module function, or simply return an error value to ignore the subsequent security module. These functions are available in the kernel source code file security / security.c in.
Linux kernel now a subset POSIX.1e capabilities provide support. Linux Security Module (LSM) is a design requirement is to transplant this feature as an optional security module. POSIX.1e capabilities provides the traditional division superuser privileges assigned to specific processes and functions. Linux Security Module (LSM) to retain the capability to perform the checks in the kernel of existing capable () interface, but the capable () function is simplified as a Linux Security Module (LSM) hook function of packaging, allowing in the security module implement any desired logic. Linux Security Module (LSM) also retains task_struck structure process capability set (a simple bit vector), but did not move it to a secure domain. Linux kernel support for capabilities also include two system calls: capset () and capget (). Linux Security Module (LSM) also reserve these system calls, but to replace it with a call to the hook function, it basically by security () system call to re-implement. Linux Security Module (LSM) has been developed and ported capabilities to a considerable part of the logic capabilities security module, but the kernel still retains many of its original capabilities of the residue. These implementations are the greatest degree of reduction of the effects on the Linux kernel, and the maximum extent to retain the support of the original using the capabilities of the application, while meeting the functional requirements of the design. For module fully independent capabilities later, that remains the main steps are: the bit vector move task_struct structure suitable security domain, as well as relocating the system call interface.
4. Interface Description: hook to the kernel developers and security researchers to use
Linux Security Module (LSM) to the value of the core developers and security researchers is that: You can use the interface they provide will enhance the existing security system ported to this framework, it is possible to form a loadable kernel modules available to users use; or can even write their own needs security module. Interface Linux Security Module (LSM) hooks is provided, which points to the initialization function implements the default virtual traditional UNIX superuser mechanism module writer must re-implement these hooks to meet their security policies. Brief hook Linux Security Module (LSM) provides the following details, please refer to the source code, in particular the definition include / linux / security.h header file security_operations structure. As to the specifics of how to write secure modules according to their needs security policy, you can refer to the security module SELinux, DTE, LIDS systems implementation.
The first is the task of the hook, Linux Security Module (LSM) provides a series of tasks such that the hook safety module can manage the information security processes and controls the operation of the process. Modules can use task_struct structure of the security domain to maintain process safety information; task hook is provided between the control process hook communications, such as kill (); also provides control over the current process be privileged operations hooks, for example setuid (); also It provides fine-grained control resource management operations hooks, such as setrlimit () and nice ().
Followed by the program loaded hook. Many security modules, including Linux capabilities, SELinux, DTE needs to have a new program execution when the ability to change the privileges. Therefore, Linux Security Module (LSM) provides a series of procedures to load hook for use on a key point execve () operation of the process execution. linux_binprm security domain structure allows the security module maintenance procedures during loading safety information; provide a hook for allowing the security module before loading the program initialization information and perform security access control; also provides a hook allows modules to be loaded in a new program after the successful update security information for the task; also provides hooks to control program execution state succession, such as the recognition of open file descriptors.
Once again, interprocess communication IPC hook. The security module may use inter-process communication IPC hook to the management of the System V IPC safety information, and the implementation of access control. IPC object data structure share a substructure kern_ipc_perm, and this is only a sub-structure pointer passed to existing ipcperms () function permission checks, so the Linux Security Module (LSM) in the shared sub-structure is added to a security zone. To support the security information for a single message, Linux Security Module (LSM) is still msg_msg structure added to a security zone. Linux Security Module (LSM) in existing ipcperms () function to insert a hook, so that the security module can perform the check for each existing Linux IPC permissions. Due to some security module, this check is not enough, Linux Security Module (LSM) is also a single IPC operation to insert the hook. Another hook support for fine-grained single message System V message queues sending access control.
Here is a file system hook. For file operations, it defines three hooks: hook the file system, inode node hooks, and file hook. Linux Security Module (LSM) joined the security domain in the corresponding three-core data structures, namely: super_block structure, inode structure, file structure. Superblock file system hook so that the security module is able to control the operation of the entire file system, for example, mounting, unmounting, and statfs (). Linux Security Module (LSM) is inserted in the permission () function in the hook, so as to preserve this function, but also provides many other inode nodes hook to a single inode node operation fine-grained access control. Some files hook allows the security module to read () and write () file operations such additional checks; hook them document allows the security module controls open file descriptors received through the socket IPC; other files on the hook like fcntl ( ) and ioctl () operation provides such fine-grained access control.
Next is the network hooks. The network application layer access using a series of socket socket hook for arbitration, the basic coverage of all these hooks socket socket-based protocol. Because each user has activated socket socket accompanied by an inode structure, so the structure of the socket sock or more underlying structures are not added to the security domain. Socket socket hook on the network to access information about the process provides a common arbitration, which significantly expands the network access control framework kernel (which is already carried out by the network layer of the Linux kernel netfilter firewall processing). For example sock_rcv_skb hooks allow packets queued in the kernel to user space before the corresponding socket socket, in accordance with the purpose of its application to arbitration. Also Linux Security Module (LSM) for IPv4, UNIX domain, and Netlink protocol implements fine-grained hook after hook may also implement other protocols. In the form of network data packets are encapsulated in sk_buff structure (socket socket buffer) traveled in the protocol stack, Linux Security Module (LSM) joined a security zone in sk_buff structure makes it possible at the level of packets through the network safety information layer data management, and provides a series of sk_buff hook for maintaining the security domain of the entire life cycle. Hardware and software network devices are packaged in a net_device structure, a security domain is added to this structure, making it possible to maintain the security of information at the level of the device.
Finally, the other hook. Linux Security Module (LSM) provides two additional series of hooks: hook and top-level module system hooks. Module hooks to control the creation, initialization, clear kernel operating kernel modules. Hook is used to control system operation, such as setting the hostname, access to I / O port, and configure process accounting. Although the Linux kernel using the capability to check for these operating systems provide some support, but for very different operating these checks did not provide any difference and parameter information.
5. Module Description: ordinary users to use existing security features
Linux Security Module (LSM) to the value of the average user is that: provide various security modules, selected by the user to suit your needs to be loaded into the kernel, to meet specific security features. Linux Security Module (LSM) itself only provides a mechanism for enhanced access control policies, and the achievement of specific specific security policies by each security module. Briefly describes some of the security module that has been achieved below.
SELinux. This is a flexible access control system in the Flask on Linux implementations, and provides enhanced type, access control, and optional multilevel security policy based on role. SELinux was originally implemented as a kernel patch now use Linux Security Module (LSM) re-implemented as a security module. SELinux can be used to limit the process of least privilege, the protection process and the integrity and confidentiality of data, and support the application security requirements.
DTE Linux. This is a field and type enhancement implementation on Linux. Like Like SELinux, DTE Linux was originally implemented as a kernel patch now use Linux Security Module (LSM) re-implemented as a security module. When the security module is loaded into the kernel, the type is assigned to an object, the domain is assigned to the process. And access from the domain to the type of policy restrictions between DTE domain.
Openwall LSM kernel patch transplant. Openwall kernel patch provides a range of security features to protect the system from a collection such as buffer overflow and temporary files competition such attacks. Security module is being developed to support a subset of Openwall patch.
POSIX.1e capabilities. Linux kernel already exists POSIX.1e capabilities logic, but the Linux Security Module (LSM) this is logically divided into a security module. This eliminates the need for users to modify their kernel from this function is omitted; also makes logical development capabilities from the kernel development can gain greater independence.
LIDS. This is the Chinese people Xie Huagang projects initiated. Beginning as an intrusion detection system development, and later evolved into the use of the access control system in the form of intrusion prevention, it is a given program can be accessed by describing which files for access control. The same, LIDS was originally implemented as a kernel patch and comes with some management tools, we are now using the Linux Security Module (LSM) re-implemented as a security module.
Of course, there is the traditional default superuser mechanism. The security module is a Linux Security Module (LSM) by default, to achieve the traditional UNIX superuser privileges mechanism.
6. Specific use instructions: step by step
Linux Security Module (LSM) as a Linux kernel patch is currently implemented in the form, released under the GPL license for the user is free to use.
First, users can download http://lsm.immunix.org/lsm_download.html corresponding to the stable version of Linux 2.4 and Linux 2.5 development version of the LSM patch, placed under a directory, for example, the directory / path / to / linux -2.4.x, by executing the following command to make the LSM patch applied to the Linux kernel:
# Cd /path/to/linux-2.4.x
# Zcat /path/to/patch-2.4.x-lsm.gz | patch -p1
Users can then connect to has been achieved in the security module http://lsm.immunix.org/lsm_modules.html site to download the required security module, the security module is loaded into the Linux kernel, so that users need a security policy on It can play a role to enhance the security of the system. Installation specific safety module here a little over, each security module will provide detailed installation instructions file, the user can refer to these documents, for example, SELinux security module installation documentation at: http: //www.nsa.gov/selinux /doc/readme.html, and if LIDS security module installation documentation at: http: //www.lids.org/install.html.
If you have relevant background knowledge and experience in the development of the Linux kernel and security, I want to write the security module security policy according to their own needs. You can track who viewed the Linux Security Module (LSM) source code and existing security module source code http://lsm.immunix.org/lsm_bk.html, with reference to the implementation method to write your own security module. So that meet their security needs, but also for Linux Security Module (LSM) to make some contribution to the development of so early was accepted as a standard Linux kernel Linux kernel security mechanisms, so that more users benefit.
7. Conclusion: future standards
Causes Linux Security Module (LSM) is: on the one hand the existing Linux kernel security mechanisms are not enough; the other hand, the existing system and the fragmented nature of the security enhancements and difficult to use. Linux Security Module (LSM) a better solution to this problem: one patch is relatively small, not much impact on the modification of the kernel source code, brought the load is not large; on the other hand, the existing system provides enhanced security better interface support, and has a lot of good security module can be used. Linux Security Module (LSM) is still used as a Linux kernel patch is provided in the form, but it also provides stable version of Linux 2.4 and Linux 2.5 series of development versions of the series, and hopefully into the Linux 2.6 stable version. We look forward to that day: Linux Security Module (LSM) has been accepted as a standard Linux kernel Linux kernel security mechanisms, to the growing number of users in each of the Linux distributions.