Linux Security Modules

Last updated January 01, 2024

Linux Security Modules (LSM) is a framework allowing the Linux kernel to support without bias a variety of computer security models. LSM is licensed under the terms of the GNU General Public License and is a standard part of the Linux kernel since Linux 2.6. AppArmor, SELinux, Smack, and TOMOYO Linux are the currently approved security modules in the official kernel.

Design

LSM was designed in order to answer all the requirements for successfully implementing a mandatory access control module, while imposing the fewest possible changes to the Linux kernel. LSM avoids the approach of system call interposition used by Systrace because it doesn't scale to multiprocessor kernels and is subject to TOCTTOU (race) attacks. Instead, LSM inserts "hooks" (upcalls to the module) at every point in the kernel where a user-level system-call is about to result with an access to an important internal kernel-object like inodes and task control blocks.

LSM is narrowly scoped to solve the problem of access control, while not imposing a large and complex change-patch on the mainstream kernel. It isn't intended to be a general "hook" or "upcall" mechanism, nor does it support Operating system-level virtualization.

LSM's access-control goal is very closely related to the problem of system auditing, but is subtly different. Auditing requires that every attempt at access be recorded. LSM cannot deliver this, because it would require a great many more hooks, in order to detect cases where the kernel "short circuits" failing system-calls and returns an error code before getting near significant objects.

The LSM design is described in the paper Linux Security Modules: General Security Support for the Linux Kernel^[1] presented at USENIX Security 2002.^[2] At the same conference was the paper Using CQUAL for Static Analysis of Authorization Hook Placement^[3] which studied automatic static analysis of the kernel code to verify that all of the necessary hooks have actually been inserted into the Linux kernel.

Adoption

History

At the 2001 Linux Kernel Summit, the NSA proposed that SELinux be included in Linux 2.5.^[5] Linus Torvalds rejected SELinux at that time, because he observed that there are many different security projects in development, and since they all differ, the security community has not yet formed consensus on the ultimate security model. Instead, Linus charged the security community to "make it a module".

In response, Crispin Cowan proposed^[6] LSM: an interface for the Linux kernel that provides sufficient "hooks" (upcalls) from within the Linux kernel to a loadable module so as to allow the module to enforce mandatory access controls. Development of LSM over the next two years was conducted by the LSM community, including substantial contributions from the Immunix Corporation, the NSA, McAfee, IBM, Silicon Graphics, and many independent contributors. LSM was ultimately accepted into the Linux kernel mainstream and was included as a standard part of Linux 2.6 in December 2003.

In 2006, some kernel developers observed that SELinux was the only widely used LSM module included in the mainstream Linux kernel source tree. If there is to be only one widely used LSM module, it was reasoned, then the indirection of LSM is unnecessary, and LSM should be removed and replaced with SELinux itself. However, there are other LSM modules maintained outside of the mainstream kernel tree (AppArmor, Linux Intrusion Detection System, FireFlier, CIPSO, Multi ADM, etc.), so this argument led to two results: 1. that developers of these modules started putting effort into upstreaming their respective modules, and 2. at the 2006 Kernel Summit, Linus once again asserted that LSM would stay because he does not want to arbitrate which is the best security model.

LSM is likely to remain since additional security modules Smack (version 2.6.25), TOMOYO Linux (version 2.6.30, June 2009) and AppArmor (version 2.6.36) were accepted in the mainline kernel.

Related Research Articles

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

In computer security, an access-control list (ACL) is a list of permissions associated with a system resource. An ACL specifies which users or system processes are granted access to resources, as well as what operations are allowed on given resources. Each entry in a typical ACL specifies a subject and an operation. For instance,

Nils Ole Hilmer Torvalds is a Finnish politician who has been a Member of the European Parliament (MEP) since 2012. He is a member of the Swedish People's Party of Finland, part of the Alliance of Liberals and Democrats for Europe.

In computing, a loadable kernel module (LKM) is an object file that contains code to extend the running kernel, or so-called base kernel, of an operating system. LKMs are typically used to add support for new hardware and/or filesystems, or for adding system calls. When the functionality provided by an LKM is no longer required, it can be unloaded in order to free memory and other resources.

Rule-set-based access control (RSBAC) is an open source access control framework for current Linux kernels, which has been in stable production use since January 2000.

Systrace is a computer security utility which limits an application's access to the system by enforcing access policies for system calls. This can mitigate the effects of buffer overflows and other security vulnerabilities. It was developed by Niels Provos and runs on various Unix-like operating systems.

The Flux Advanced Security Kernel (FLASK) is an operating system security architecture that provides flexible support for security policies. It is a joint venture between the National Security Agency, the University of Utah, and the Secure Computing Corporation project designed to provide a framework for a more secure operating system. Development and implementation started with the Mach microkernel, and has since shifted its focus to the Linux operating system. FLASK is a core framework in security-focused operating systems such as NSA's Security-Enhanced Linux (SELinux), OpenSolaris FMAC and TrustedBSD. This means that SELinux can be thought of as an implementation of FLASK.

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system or database constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In the case of operating systems, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network.

In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading. The isolation metaphor is taken from the idea of children who do not play well together, so each is given his or her own sandbox to play in alone. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as storage and memory scratch space. Network access, the ability to inspect the host system, or read from input devices are usually disallowed or heavily restricted.

AppArmor is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It has been partially included in the mainline Linux kernel since version 2.6.36 and its development has been supported by Canonical since 2009.

The concept of type enforcement (TE), in the field of information technology, is an access control mechanism for regulating access in computer systems. Implementing TE gives priority to mandatory access control (MAC) over discretionary access control (DAC). Access clearance is first given to a subject accessing objects based on rules defined in an attached security context. A security context in a domain is defined by a domain security policy. In the Linux security module (LSM) in SELinux, the security context is an extended attribute. Type enforcement implementation is a prerequisite for MAC, and a first step before multilevel security (MLS) or its replacement multi categories security (MCS). It is a complement of role-based access control (RBAC).

In the context of free and open-source software, proprietary software only available as a binary executable is referred to as a blob or binary blob. The term usually refers to a device driver module loaded into the kernel of an open-source operating system, and is sometimes also applied to code running outside the kernel, such as system firmware images, microcode updates, or userland programs. The term blob was first used in database management systems to describe a collection of binary data stored as a single entity.

<span class="mw-page-title-main">Linux kernel</span> Operating system kernel

The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel. It was originally written in 1991 by Linus Torvalds for his i386-based PC, and it was soon adopted as the kernel for the GNU operating system, which was written to be a free (libre) replacement for Unix.

<span class="mw-page-title-main">Tomoyo Linux</span> Linux kernel security module

Tomoyo Linux is a Linux kernel security module which implements mandatory access control (MAC).

In computer security, the Linux Intrusion Detection System (LIDS) was a patch to the Linux kernel and associated administrative tools that enhanced the kernel's security by implementing mandatory access control (MAC). When LIDS was in effect all system network administration operations, chosen file access, any capability use, raw device, memory, and I/O access could be made impossible, even for root. One could define which programs can access specific files. It used and extended the system capabilities bounding set to control the whole system and added some network and filesystem security features to the kernel to enhance the security. One could finely tune the security protections online, hide sensitive processes, receive security alerts through the network, and more. LIDS supported Linux kernel 2.6, 2.4. LIDS was released under the terms of the GNU General Public License (GPL).

<span class="mw-page-title-main">Smack (software)</span> Linux kernel security module

Smack is a Linux kernel security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control (MAC) rules, with simplicity as its main design goal. It has been officially merged since the Linux 2.6.25 release, it was the main access control mechanism for the MeeGo mobile Operating System. It is also used to sandbox HTML5 web applications in the Tizen architecture, in the commercial Wind River Linux solutions for embedded device development, in Philips Digital TV products., and in Intel's Ostro OS for IoT devices.

Snap is a software packaging and deployment system developed by Canonical for operating systems that use the Linux kernel and the systemd init system. The packages, called snaps, and the tool for using them, snapd, work across a range of Linux distributions and allow upstream software developers to distribute their applications directly to users. Snaps are self-contained applications running in a sandbox with mediated access to the host system. Snap was originally released for cloud applications but was later ported to also work for Internet of Things devices and desktop applications.

<span class="mw-page-title-main">Dirty COW</span> Computer security vulnerability

Dirty COW is a computer security vulnerability of the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before 2018. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. Computers and devices that still use the older kernels remain vulnerable.

<span class="mw-page-title-main">Genode</span> Free and open-source software operating system

Genode is a free and open-source software operating system (OS) framework consisting of a microkernel abstraction layer and a set of user space components. The framework is notable as one of the few open-source operating systems not derived from a proprietary OS, such as Unix. The characteristic design philosophy is that a small trusted computing base is of primary concern in a security-oriented OS.

References

↑ "Linux Security Modules: General Security Support for the Linux Kernel". 2002. Retrieved 2007-02-03.
↑ "11th USENIX Security Symposium". 2002. Retrieved 2007-02-03.
↑ "Using CQUAL for Static Analysis of Authorization Hook Placement". 2002. Retrieved 2007-02-03.
↑ Landlock: unprivileged access control
↑ Stephen Smalley; Timothy Fraser; Chris Vance. "Linux Security Modules: General Security Hooks for Linux" . Retrieved 2015-10-26.
↑ Crispin Cowan (2001-04-11). "Linux Security Module Interface". linux-kernel mailing list. Retrieved 2007-02-03.

External links

"Source code and project statistics". Archived from the original on 2005-03-07. Retrieved 2006-02-08.
SysAdmin magazine article on BSD Secure Levels
Security Projects based on the Linux kernel

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Linux Security Modules: General Security Support for the Linux Kernel". 2002. Retrieved 2007-02-03.

[2] "11th USENIX Security Symposium". 2002. Retrieved 2007-02-03.

[3] "Using CQUAL for Static Analysis of Authorization Hook Placement". 2002. Retrieved 2007-02-03.

[4] Landlock: unprivileged access control

[5] Stephen Smalley; Timothy Fraser; Chris Vance. "Linux Security Modules: General Security Hooks for Linux" . Retrieved 2015-10-26.

[6] Crispin Cowan (2001-04-11). "Linux Security Module Interface". linux-kernel mailing list. Retrieved 2007-02-03.

[1]

[2]

[3]

[4]

[5]

[6]

v t e Linux
Linux kernel	History Linus's law Linux-libre Booting process Kernel oops Tux more…
Controversies	Criticism of Linux Criticism of desktop Linux GNU/Linux naming controversy Tanenbaum–Torvalds debate SCO and Linux
Distributions	General comparison Distributions list Netbook-specific comparison Distributions that run from RAM Lightweight Security-focused operating system Package manager Package format List of software package managers
Organizations	LinuxChix Linux Counter Linux Documentation Project Linux Foundation Linux Mark Institute Linux User Group (LUG)
Adoption	Adopters Desktop Embedded Gaming Mobile Range of use Linux malware
Media	DistroWatch Free Software Magazine Full Circle Linux.com Linux Format Linux Gazette Linux Journal Linux Magazine LinuxUser Ubuntu User Linux Outlaws Linux Voice LugRadio LWN.net Phoronix Revolution OS The Code
Professional related certifications	CompTIA Linux+ Linux Foundation Red Hat Ubuntu
Linuxportal Free and open-source softwareportal Category