Linux Security Modules (LSM) is a framework allowing the Linux kernel to support, without bias, a variety of computer security models. LSM is licensed under the terms of the GNU General Public License and has been a standard part of the Linux kernel since Linux 2.6. AppArmor, LoadPin, SELinux, Smack, TOMOYO, Yama, SafeSetID, Integrity Policy Enforcement (IPE), and Landlock are the currently approved security modules in the official kernel.
Design
LSM was designed to meet all the requirements for successfully implementing a mandatory access control module, while imposing the fewest possible changes on the Linux kernel. LSM avoids the approach of system call interposition used by Systrace because it doesn't scale to multiprocessor kernels and is subject to TOCTTOU (race) attacks. Instead, LSM inserts "hooks" (upcalls to the module) at every point in the kernel where a user-level system call is about to result in an access to an important internal kernel object such as inodes and process control blocks.
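The race that makes system call interposition unsafe, next to the hook placement LSM uses, as a user-space toy model in C. This is an added example, not kernel code and not code from the LSM project; the one-name namespace and the functions `resolve`, `open_interposed` and `open_hooked` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Toy user-space model (hypothetical names), not kernel code. */
enum { INO_PUBLIC = 1, INO_SECRET = 2 };
static struct { const char *name; int ino; } ns = { "report", INO_PUBLIC };

static void reset_ns(void) { ns.ino = INO_PUBLIC; }
static int resolve(const char *name) {
    return strcmp(ns.name, name) == 0 ? ns.ino : -1;
}

/* Policy shared by both designs: only INO_PUBLIC may be opened. */
static int policy_allows(int ino) { return ino == INO_PUBLIC; }

/* Stands in for a concurrent rename or symlink swap on another CPU. */
static void racing_rebind(void) { ns.ino = INO_SECRET; }

/* Interposition: the wrapper resolves the name to check it, then the
 * kernel resolves the same name again. Returns the inode opened or -1. */
static int open_interposed(const char *name, void (*race)(void)) {
    if (!policy_allows(resolve(name)))      /* time of check */
        return -1;
    if (race) race();                       /* window between check and use */
    return resolve(name);                   /* time of use: second lookup */
}

/* Hook placement: one lookup, and the hook judges the object in hand. */
static int open_hooked(const char *name, void (*race)(void)) {
    int ino = resolve(name);                /* single lookup */
    if (race) race();                       /* same window, nothing re-read */
    if (!policy_allows(ino))                /* hook runs just before access */
        return -1;
    return ino;
}

int main(void) {
    reset_ns();
    printf("interposed, raced: inode %d\n", open_interposed("report", racing_rebind));
    reset_ns();
    printf("hooked, raced:     inode %d\n", open_hooked("report", racing_rebind));
    printf("hooked, next open: inode %d\n", open_hooked("report", NULL));
    return 0;
}
```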
LSM is narrowly scoped to solve the problem of access control, while not imposing a large and complex change-patch on the mainstream kernel. It isn't intended to be a general "hook" or "upcall" mechanism, nor does it support operating system-level virtualization.
LSM's access-control goal is very closely related to the problem of system auditing, but is subtly different. Auditing requires that every attempt at access be recorded. LSM cannot deliver this, because it would require a great many more hooks, in order to detect cases where the kernel "short circuits" failing system calls and returns an error code before getting near significant objects.
The LSM design is described in the paper "Linux Security Modules: General Security Support for the Linux Kernel", presented at USENIX Security 2002. Also presented at the same conference was the paper "Using CQUAL for Static Analysis of Authorization Hook Placement", which studied automatic static analysis of the kernel code to verify that all of the necessary hooks have actually been inserted into the Linux kernel.
Adoption
* AppArmor
* Integrity Policy Enforcement (IPE)
* Landlock
* LoadPin
* SafeSetID
* SELinux
* Smack
* TOMOYO
* Yama
History
At the 2001 Linux Kernel Summit, the NSA proposed that SELinux be included in Linux 2.5. Linus Torvalds rejected SELinux at that time, because he observed that there are many different security projects in development, and since they all differ, the security community has not yet formed consensus on the ultimate security model. Instead, Linus charged the security community to "make it a module".
In response, Crispin Cowan proposed LSM: an interface for the Linux kernel that provides sufficient "hooks" (upcalls) from within the Linux kernel to a loadable module so as to allow the module to enforce mandatory access controls. Development of LSM over the next two years was conducted by the LSM community, including substantial contributions from the Immunix Corporation, the NSA, McAfee, IBM, Silicon Graphics, and many independent contributors. LSM was ultimately accepted into the Linux kernel mainstream and was included as a standard part of Linux 2.6 in December 2003.
In 2006, some kernel developers observed that SELinux was the only widely used LSM module included in the mainstream Linux kernel source tree. If there is to be only one widely used LSM module, it was reasoned, then the indirection of LSM is unnecessary, and LSM should be removed and replaced with SELinux itself. However, there are other LSM modules maintained outside of the mainstream kernel tree (AppArmor, Linux Intrusion Detection System, FireFlier, CIPSO, Multi ADM, etc.), so this argument led to two results: first, developers of these modules started putting effort into upstreaming their respective modules; second, at the 2006 Kernel Summit, Linus once again asserted that LSM would stay because he does not want to arbitrate which is the best security model.
LSM is likely to remain since additional security modules Smack (version 2.6.25), TOMOYO Linux (version 2.6.30, June 2009) and AppArmor (version 2.6.36) were accepted in the mainline kernel.