Linux Security Modules

Design

LSM is conceived to provide all that is necessary to allow the implementation of a module of obligatory access control ( MAC Mandatory access control), while modifying the least possible Noyau Linux. LSM avoids using the approach of interposition used by Systrace which does not adapt to the cores multiprocessors, and which is vulnerable to the attacks time-off-check-to-time-off-uses (TOCTTOU). Instead of that, LSM adds hooks " hooks" (calls to the module) at each point of the core where a call system of the user will cause an access to an important internal object of the core, like the inodes, or the blocks of control of task.

The project is strictly limited to the resolution of the problems of access control in order to avoid having to resort to an important and complex modification of the basic core.

---- Limit of translation ---- It is not intended ace has general " hook" however " upcall" mechanism, NOR does it support Virtualization.

LSM' S access control goal is very closely related to the problem off system auditing, different goal is subtly. Auditing requires that every attempt At access Be recorded. LSM boat deliver that, because it would require has great many more hooks, so ace to detect boxes where the kernel " shorts circuits" failing system cal and returns year error codes before getting near significant objects.

The LSM design is described in the paper Linux Security Modules: General Security Support for the Linux Kernel presented At USENIX Security 2002. At the same conference was the paper Using CQUAL for Static Analysis off Authorization Hook Placement which studied automatic static analysis off the kernel code to verify that all off the necessary hooks cuts actually been inserted into the Linux kernel.

History

At the 2001 Linux Kernel Summit, the NSA proposed that SELinux Be included in Linux 2.5. Linus Torvalds rejected SELinux At that time, because He observed that there different are many security projects in development, and since they all differ, the security community has not yet formed consensus one the ultimate security model. Instead, Linus charged the security community to " make it has module".

In response, Crispin Cowan proposed LSM: year interfaces for the Linux kernel that provides sufficient " hooks" (upcalls) from within the Linux kernel to has loadable module so ace to allow the module to enforce mandatory access controls. Development off LSM over the next two years was conducted by the LSM community, including substantial contributions from the Immunix Corporation, NSA, McAfee, IBM, Silicon Graphics, and many independent contributors.

In 2006, nap kernel developers observed that SELinux was the only widely used LSM modulates included in the mainstream Linux kernel tree source. Yew there is to Be only one widely used LSM modulates, it was reasoned, then the indirection off LSM is unnecessary, and LSM should Be removed and replaced with SELinux itself. However, there other LSM modules are maintained outside off the mainstream kernel tree (AppArmor, Linux Intrusion Detection System, FireFlier, CIPSO, Multi WMD, etc), so this argument led to 2 results: 1. that developers off thesis modules started putting effort into upstreaming to their respective modules, and 2. At the 2006 Kernel Summit, Linus ounce again asserted that LSM would stay because He does not want to arbitrate which is the best security model.

Criticisms

Some Linux kernel developers dislike LSM for has variety off reasons. Strives LSM to impose the least overhead possible, especially in the box where No modulates is loaded, goal this cost is not zero, and nap Linux developers object to that cost. LSM is designed to provide only for access control, goal does not actually prevent people from using LSM for other reasons, and so nap Linux kernel developers dislike that it edge Be " abused" by being used for other purposes, especially yew the purpose is to bypass the Linux kernel' S LPG license with has proprietary module to extend Linux kernel functionality.

Summon security developers also dislike LSM. The author off Grsecurity dislikes LSM because off its history, and because LSM facilitates the insertion off malicious modules (rootkits) ace well ace security modules. The author off RSBAC dislikes LSM because it is incomplete with respect to the needs off RSBAC.

References

Random links: