
Linux Security Modules (LSM) is a framework allowing the Linux kernel to support, without bias, a variety of computer security models. LSM is licensed under the terms of the GNU General Public License and has been a standard part of the Linux kernel since Linux 2.6. AppArmor, SELinux, Smack, and TOMOYO Linux are the currently approved security modules in the official kernel.


Design

LSM was designed to meet all the requirements for successfully implementing a mandatory access control module, while imposing the fewest possible changes to the Linux kernel. LSM avoids the approach of system call interposition used by Systrace because it doesn't scale to multiprocessor kernels and is subject to TOCTTOU (race) attacks. Instead, LSM inserts "hooks" (upcalls to the module) at every point in the kernel where a user-level system call is about to result in access to an important internal kernel object such as inodes and task control blocks.

LSM is narrowly scoped to solve the problem of access control, while not imposing a large and complex change-patch on the mainstream kernel. It isn't intended to be a general "hook" or "upcall" mechanism, nor does it support operating system-level virtualization.

LSM's access-control goal is very closely related to the problem of system auditing, but is subtly different. Auditing requires that every attempt at access be recorded. LSM cannot deliver this, because it would require a great many more hooks in order to detect cases where the kernel "short circuits" failing system calls and returns an error code before getting near significant objects.

The LSM design is described in the paper "Linux Security Modules: General Security Support for the Linux Kernel", presented at USENIX Security 2002. At the same conference was the paper "Using CQUAL for Static Analysis of Authorization Hook Placement", which studied automatic static analysis of the kernel code to verify that all of the necessary hooks have actually been inserted into the Linux kernel.
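
The difference between checking a pathname in a system-call wrapper and checking the resolved kernel object in a hook, as an added userspace model in C. It is not kernel code and not taken from the LSM project; `interposed_open`, `hooked_open`, `struct hooks` and the one-entry namespace are constructed for illustration.

```c
/* Userspace model (constructed, not kernel code): path check vs. object check. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct inode { int ino; int secret; };              /* toy kernel object + label */
static struct inode inodes[] = { {1, 0}, {2, 1} };  /* ino 1 public, ino 2 secret */

/* Toy namespace: one name whose binding can change, like a swapped symlink. */
static struct { const char *name; struct inode *target; } dentry =
    { "/tmp/report", &inodes[0] };
static struct inode *resolve(const char *path) {
    return strcmp(path, dentry.name) == 0 ? dentry.target : NULL;
}

/* Policy used by both designs: deny access to secret objects. */
static int policy(const struct inode *i) { return i->secret ? -EACCES : 0; }
/* Hypothetical hook table standing in for LSM upcalls; NULL means "allow". */
struct hooks { int (*inode_permission)(const struct inode *); };
static struct hooks active = { policy };

typedef void (*race_fn)(void);                      /* concurrent rebinding, modelled */
static void rebind_to_secret(void) { dentry.target = &inodes[1]; }
static void reset_namespace(void)  { dentry.target = &inodes[0]; }

/* Interposition: the wrapper checks the path, then the kernel resolves it again. */
static int interposed_open(const char *path, race_fn race) {
    struct inode *checked = resolve(path);          /* time of check */
    if (!checked) return -ENOENT;
    if (policy(checked)) return -EACCES;
    if (race) race();                               /* window between check and use */
    struct inode *used = resolve(path);             /* time of use */
    return used ? used->ino : -ENOENT;
}

/* Hook: resolve once, then mediate on the object that is actually accessed. */
static int hooked_open(const char *path, race_fn race) {
    if (race) race();                               /* same rebinding attempt */
    struct inode *obj = resolve(path);
    if (!obj) return -ENOENT;
    int rc = active.inode_permission ? active.inode_permission(obj) : 0;
    return rc ? rc : obj->ino;                      /* upcall result gates access */
}

int main(void) {
    int a = interposed_open("/tmp/report", rebind_to_secret);
    reset_namespace();
    int b = hooked_open("/tmp/report", rebind_to_secret);
    printf("interposed=%d hooked=%d\n", a, b);
    return 0;
}
```

In the hook model the decision is bound to the resolved object, so rebinding the name cannot separate what was checked from what is opened.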


Adoption

* AppArmor
* SELinux
* Smack
* TOMOYO
* Landlock


History

At the 2001 Linux Kernel Summit, the NSA proposed that SELinux be included in Linux 2.5. Linus Torvalds rejected SELinux at that time, because he observed that there were many different security projects in development, and since they all differed, the security community had not yet formed consensus on the ultimate security model. Instead, Linus charged the security community to "make it a module". In response, Crispin Cowan proposed LSM: an interface for the Linux kernel that provides sufficient "hooks" (upcalls) from within the Linux kernel to a loadable module so as to allow the module to enforce mandatory access controls. Development of LSM over the next two years was conducted by the LSM community, including substantial contributions from the Immunix Corporation, the NSA, McAfee, IBM, Silicon Graphics, and many independent contributors. LSM was ultimately accepted into the Linux kernel mainstream and was included as a standard part of Linux 2.6 in December 2003.

In 2006, some kernel developers observed that SELinux was the only widely used LSM module included in the mainstream Linux kernel source tree. If there is to be only one widely used LSM module, it was reasoned, then the indirection of LSM is unnecessary, and LSM should be removed and replaced with SELinux itself. However, there are other LSM modules maintained outside of the mainstream kernel tree (AppArmor, Linux Intrusion Detection System, FireFlier, CIPSO, Multi ADM, etc.), so this argument led to two results: 1. developers of these modules started putting effort into upstreaming their respective modules, and 2. at the 2006 Kernel Summit, Linus once again asserted that LSM would stay because he does not want to arbitrate which is the best security model.

LSM is likely to remain, since the additional security modules Smack (version 2.6.25), TOMOYO Linux (version 2.6.30, June 2009) and AppArmor (version 2.6.36) were accepted in the mainline kernel.


External links

* SysAdmin magazine article on BSD Secure Levels
* Security Projects based on the Linux kernel