Linux Security Modules

Linux Security Modules (LSM) is a framework that allows the Linux kernel to support a variety of computer security models while avoiding favoritism toward any single security implementation. The framework is licensed under the terms of the GNU General Public License and has been a standard part of the Linux kernel since Linux 2.6.

Design

LSM was designed to provide everything needed to successfully implement a mandatory access control module, while imposing the fewest possible changes to the Linux kernel. LSM avoids the approach of system call interposition as used in Systrace because it does not scale to multiprocessor kernels and is subject to TOCTTOU (race) attacks. Instead, LSM inserts "hooks" (upcalls to the module) at every point in the kernel where a user-level system call is about to result in access to an important internal kernel object such as inodes and task control blocks.

The project is narrowly scoped to solve the problem of access control, to avoid imposing a large and complex patch on the mainstream kernel. It is not intended as a general "hook" or "upcall" mechanism, nor does it support virtualization.

LSM's access control goal is very closely related to the problem of system auditing, but is subtly different. Auditing requires that every attempt at access be recorded. LSM cannot deliver that, because it would require a great many more hooks, so as to detect cases where the kernel "short circuits" failing system calls and returns an error code before getting near significant objects.
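The two design points above (a check at the system call boundary can be raced while a check on the resolved kernel object cannot, and a call that fails early never reaches a hook and so leaves nothing to audit) can be seen in a small user-space model. This is an added example, not LSM or kernel code: every name in it (`toy_hook`, `kernel_open`, `racer`, `try_open`, the `/data/...` paths) is an assumption, and the race is modelled deterministically by a function call instead of a real second thread.

```c
#include <stdio.h>
#include <string.h>
/* Constructed toy model (not kernel code): two objects, one protected. */
static struct toy_inode { int ino; int is_protected; } inodes[] = { {1, 0}, {2, 1} };
static const char *paths[] = { "/data/public", "/data/protected" };
static int hook_calls;  /* accesses the hook saw: all it could ever record */

static struct toy_inode *lookup(const char *path) {
    for (int i = 0; i < 2; i++)
        if (strcmp(path, paths[i]) == 0) return &inodes[i];
    return NULL;
}

/* Hook-style check (hypothetical name): decides on the resolved object. */
static int toy_hook(const struct toy_inode *in) { hook_calls++; return in->is_protected ? -1 : 0; }

/* Stands in for a second thread rewriting the user buffer mid-call. */
static void racer(char *user_buf) { strcpy(user_buf, "/data/protected"); }

/* Kernel side: copy the path from user memory, resolve it, then use it. */
static int kernel_open(const char *user_buf, int with_hook) {
    char kpath[32];
    snprintf(kpath, sizeof kpath, "%s", user_buf);
    struct toy_inode *in = lookup(kpath);
    if (!in) return -2;                 /* short circuit: no hook is reached */
    if (with_hook && toy_hook(in) < 0) return -1;
    return in->ino;
}

/* Interposition: checks the user's string at entry; the kernel re-reads it. */
static int open_interposed(char *user_buf, int raced) {
    struct toy_inode *in = lookup(user_buf);        /* time of check */
    if (in && in->is_protected) return -1;
    if (raced) racer(user_buf);                     /* race window */
    return kernel_open(user_buf, 0);                /* time of use */
}

/* Returns the inode number opened, -1 if denied, -2 if the call failed early. */
int try_open(const char *path, int interposed, int raced) {
    char user_buf[32];
    snprintf(user_buf, sizeof user_buf, "%s", path);
    if (interposed) return open_interposed(user_buf, raced);
    if (raced) racer(user_buf);         /* same race, but the hook runs after it */
    return kernel_open(user_buf, 1);
}
int main(void) {
    printf("%d %d\n", try_open("/data/public", 1, 1), try_open("/data/public", 0, 1));
    return 0;
}
```

With the race enabled, the interposed path returns the protected object's inode number while the hooked path returns the denial, and an open of a nonexistent path leaves `hook_calls` unchanged.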

The LSM design is described in the paper "Linux Security Modules: General Security Support for the Linux Kernel" [http://www.usenix.org/event/sec02/wright.html] presented at USENIX Security 2002 [http://www.usenix.org/event/sec02/]. At the same conference was the paper "Using CQUAL for Static Analysis of Authorization Hook Placement" [http://www.usenix.org/event/sec02/zhang.html], which studied automatic static analysis of the kernel code to verify that all of the necessary hooks have actually been inserted into the Linux kernel.

History

At the 2001 Linux Kernel Summit, the NSA proposed that SELinux be included in Linux 2.5. Linus Torvalds rejected SELinux at that time, because he observed that there are many different security projects in development, and since they all differ, the security community has not yet formed consensus on the ultimate security model. Instead, Linus charged the security community to "make it a module".

In response, Crispin Cowan proposed LSM on the linux-kernel mailing list on 2001-04-11 [http://marc.info/?l=linux-kernel&m=98695004126478&w=2]: an interface for the Linux kernel that provides sufficient "hooks" (upcalls) from within the Linux kernel to a loadable module so as to allow the module to enforce mandatory access controls. Development of LSM over the next two years was conducted by the LSM community, including substantial contributions from the Immunix Corporation, the NSA, McAfee, IBM, Silicon Graphics, and many independent contributors. LSM was ultimately accepted into the Linux kernel mainstream and was included as a standard part of Linux 2.6 in December 2003.

In 2006, some kernel developers observed that SELinux was the only widely used LSM module included in the mainstream Linux kernel source tree. If there is to be only one widely used LSM module, it was reasoned, then the indirection of LSM is unnecessary, and LSM should be removed and replaced with SELinux itself. However, there are other LSM modules maintained outside of the mainstream kernel tree (AppArmor, Linux Intrusion Detection System, FireFlier, CIPSO, Multi ADM, etc.), so this argument led to two results: (1) developers of these modules started putting effort into upstreaming their respective modules, and (2) at the 2006 Kernel Summit, Linus once again asserted that LSM would stay because he does not want to arbitrate which is the best security model.

Criticism

Some Linux kernel developers dislike LSM for a variety of reasons. LSM strives to impose the least overhead possible, especially in the case where no module is loaded, but this cost is not zero, and some Linux developers object to that cost. LSM is designed to provide only for access control, but does not actually prevent people from using LSM for other reasons, and so some Linux kernel developers dislike that it can be "abused" by being used for other purposes, especially if the purpose is to bypass the Linux kernel's GPL license with a proprietary module to extend Linux kernel functionality.

Some security developers also dislike LSM. The author of Grsecurity dislikes LSM [http://www.grsecurity.net/lsm.php] because of its history, and because LSM exports all of its symbols, which facilitates the insertion of malicious modules (rootkits) as well as security modules. The author of RSBAC dislikes LSM [http://www.rsbac.org/documentation/why_rsbac_does_not_use_lsm] because it is incomplete with respect to the needs of RSBAC. In particular, the author of RSBAC argues that: "LSM is only about additional, restrictive access control. However, the RSBAC system provides a lot of additional functionality, e.g. symlink redirection, secure_delete, partial Linux DAC disabling. All this has to be patched into kernel functions in a separate patch." The author of Dazuko argues [http://dazuko.org/tgen.shtml#LSM] that the LSM API is a moving target, as it changes with each kernel release, leading to extra maintenance work.

External links

* [http://lsm.immunix.org/ LSM project homepage]
* [http://lsm.bkbits.net/ Source code and project statistics]
* [http://www.samag.com/documents/s=9304/sam0409a/0409a.htm SysAdmin magazine article on BSD Secure Levels]


Wikimedia Foundation. 2010.
