Linux Security Modules

Last updated

Linux Security Modules (LSM) is a framework allowing the Linux kernel to support, without bias, a variety of computer security models. LSM is licensed under the terms of the GNU General Public License and is a standard part of the Linux kernel since Linux 2.6. AppArmor, SELinux, Smack, and TOMOYO Linux are the currently approved security modules in the official kernel.

Contents

Design

LSM was designed in order to answer all the requirements for successfully implementing a mandatory access control module, while imposing the fewest possible changes to the Linux kernel. LSM avoids the approach of system call interposition used by Systrace because it doesn't scale to multiprocessor kernels and is subject to TOCTTOU (race) attacks. Instead, LSM inserts "hooks" (upcalls to the module) at every point in the kernel where a user-level system-call is about to result with an access to an important internal kernel-object like inodes and task control blocks.

LSM is narrowly scoped to solve the problem of access control, while not imposing a large and complex change-patch on the mainstream kernel. It isn't intended to be a general "hook" or "upcall" mechanism, nor does it support Operating system-level virtualization.

LSM's access-control goal is very closely related to the problem of system auditing, but is subtly different. Auditing requires that every attempt at access be recorded. LSM cannot deliver this, because it would require a great many more hooks, in order to detect cases where the kernel "short circuits" failing system-calls and returns an error code before getting near significant objects.

The LSM design is described in the paper Linux Security Modules: General Security Support for the Linux Kernel [1] presented at USENIX Security 2002. [2] At the same conference was the paper Using CQUAL for Static Analysis of Authorization Hook Placement [3] which studied automatic static analysis of the kernel code to verify that all of the necessary hooks have actually been inserted into the Linux kernel.

Adoption

History

At the 2001 Linux Kernel Summit, the NSA proposed that SELinux be included in Linux 2.5. [5] Linus Torvalds rejected SELinux at that time, because he observed that there are many different security projects in development, and since they all differ, the security community has not yet formed consensus on the ultimate security model. Instead, Linus charged the security community to "make it a module".

In response, Crispin Cowan proposed [6] LSM: an interface for the Linux kernel that provides sufficient "hooks" (upcalls) from within the Linux kernel to a loadable module so as to allow the module to enforce mandatory access controls. Development of LSM over the next two years was conducted by the LSM community, including substantial contributions from the Immunix Corporation, the NSA, McAfee, IBM, Silicon Graphics, and many independent contributors. LSM was ultimately accepted into the Linux kernel mainstream and was included as a standard part of Linux 2.6 in December 2003.

In 2006, some kernel developers observed that SELinux was the only widely used LSM module included in the mainstream Linux kernel source tree. If there is to be only one widely used LSM module, it was reasoned, then the indirection of LSM is unnecessary, and LSM should be removed and replaced with SELinux itself. However, there are other LSM modules maintained outside of the mainstream kernel tree (AppArmor, Linux Intrusion Detection System, FireFlier, CIPSO, Multi ADM, etc.), so this argument led to two results: 1. that developers of these modules started putting effort into upstreaming their respective modules, and 2. at the 2006 Kernel Summit, Linus once again asserted that LSM would stay because he does not want to arbitrate which is the best security model.

LSM is likely to remain since additional security modules Smack (version 2.6.25), TOMOYO Linux (version 2.6.30, June 2009) and AppArmor (version 2.6.36) were accepted in the mainline kernel.

Related Research Articles

<span class="mw-page-title-main">Security-Enhanced Linux</span> Linux kernel security module

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

<span class="mw-page-title-main">Nils Torvalds</span> Finnish politician (born 1945)

Nils Ole Hilmer Torvalds is a Finnish politician who has been a Member of the European Parliament (MEP) since 2012. He is a member of the Swedish People's Party of Finland, part of the Alliance of Liberals and Democrats for Europe.

Rule-set-based access control (RSBAC) is an open source access control framework for current Linux kernels, which has been in stable production use since January 2000.

Systrace is a computer security utility which limits an application's access to the system by enforcing access policies for system calls. This can mitigate the effects of buffer overflows and other security vulnerabilities. It was developed by Niels Provos and runs on various Unix-like operating systems.

The Flux Advanced Security Kernel (FLASK) is an operating system security architecture that provides flexible support for security policies. It is a joint venture between the National Security Agency, the University of Utah, and the Secure Computing Corporation project designed to provide a framework for a more secure operating system. Development and implementation started with the Mach microkernel, and has since shifted its focus to the Linux operating system. FLASK is a core framework in security-focused operating systems such as NSA's Security-Enhanced Linux (SELinux), OpenSolaris FMAC and TrustedBSD. This means that SELinux can be thought of as an implementation of FLASK.

In computer security, mandatory access control (MAC) refers to a type of access control by which a secured environment constrains the ability of a subject or initiator to access or modify on an object or target. In the case of operating systems, the subject is a process or thread, while objects are files, directories, TCP/UDP ports, shared memory segments, or IO devices. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, the operating system kernel examines these security attributes, examines the authorization rules in place, and decides whether to grant access. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network.

In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading. The sandbox metaphor derives from the concept of a child's sandbox—a play area where kids can build, destroy, and experiment without causing any real-world damage. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as storage and memory scratch space. Network access, the ability to inspect the host system, or read from input devices are usually disallowed or heavily restricted.

<span class="mw-page-title-main">AppArmor</span> Linux kernel security module

AppArmor is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It has been partially included in the mainline Linux kernel since version 2.6.36 and its development has been supported by Canonical since 2009.

The concept of type enforcement (TE), in the field of information technology, is an access control mechanism for regulating access in computer systems. Implementing TE gives priority to mandatory access control (MAC) over discretionary access control (DAC). Access clearance is first given to a subject accessing objects based on rules defined in an attached security context. A security context in a domain is defined by a domain security policy. In the Linux security module (LSM) in SELinux, the security context is an extended attribute. Type enforcement implementation is a prerequisite for MAC, and a first step before multilevel security (MLS) or its replacement multi categories security (MCS). It is a complement of role-based access control (RBAC).

In the context of free and open-source software, proprietary software only available as a binary executable is referred to as a blob or binary blob. The term usually refers to a device driver module loaded into the kernel of an open-source operating system, and is sometimes also applied to code running outside the kernel, such as system firmware images, microcode updates, or userland programs. The term blob was first used in database management systems to describe a collection of binary data stored as a single entity.

<span class="mw-page-title-main">Linux kernel</span> Free Unix-like operating system kernel

The Linux kernel is a free and open source, UNIX-like kernel that is used in many computer systems worldwide. The kernel was created by Linus Torvalds in 1991 and was soon adopted as the kernel for the GNU operating system (OS) which was created to be a free replacement for Unix. Since the late 1990s, it has been included in many operating system distributions, many of which are called Linux. One such Linux kernel operating system is Android which is used in many mobile and embedded devices.

<span class="mw-page-title-main">Tomoyo Linux</span> Linux kernel security module

Tomoyo Linux is a Linux kernel security module which implements mandatory access control (MAC).

In computer security, the Linux Intrusion Detection System (LIDS) was a patch to the Linux kernel and associated administrative tools that enhanced the kernel's security by implementing mandatory access control (MAC). When LIDS was in effect all system network administration operations, chosen file access, any capability use, raw device, memory, and I/O access could be made impossible, even for root. One could define which programs can access specific files. It used and extended the system capabilities bounding set to control the whole system and added some network and filesystem security features to the kernel to enhance the security. One could finely tune the security protections online, hide sensitive processes, receive security alerts through the network, and more. LIDS supported Linux kernel 2.6, 2.4. LIDS was released under the terms of the GNU General Public License (GPL).

<span class="mw-page-title-main">Smack (software)</span> Linux kernel security module

Smack is a Linux kernel security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control (MAC) rules, with simplicity as its main design goal. It has been officially merged since the Linux 2.6.25 release, it was the main access control mechanism for the MeeGo mobile Operating System. It is also used to sandbox HTML5 web applications in the Tizen architecture, in the commercial Wind River Linux solutions for embedded device development, in Philips Digital TV products., and in Intel's Ostro OS for IoT devices.

<span class="mw-page-title-main">Snap (software)</span> Software deployment system for Linux by Canonical

Snap is a software packaging and deployment system developed by Canonical for operating systems that use the Linux kernel and the systemd init system. The packages, called snaps, and the tool for using them, snapd, work across a range of Linux distributions and allow upstream software developers to distribute their applications directly to users. Snaps are self-contained applications running in a sandbox with mediated access to the host system. Snap was originally released for cloud applications but was later ported to also work for Internet of Things devices and desktop applications.

<span class="mw-page-title-main">Dirty COW</span> Computer security vulnerability

Dirty COW is a computer security vulnerability of the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before 2018. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. Computers and devices that still use the older kernels remain vulnerable.

<span class="mw-page-title-main">Genode</span> Free and open-source software operating system

Genode is a free and open-source software operating system (OS) framework consisting of a microkernel abstraction layer and a set of user space components. The framework is notable as one of the few open-source operating systems not derived from a proprietary OS, such as Unix. The characteristic design philosophy is that a small trusted computing base is of primary concern in a security-oriented OS.

eBPF Safe dynamic programs and tools

eBPF is a technology that can run programs in a privileged context such as the operating system kernel. It is the successor to the Berkeley Packet Filter filtering mechanism in Linux and is also used in non-networking parts of the Linux kernel as well.

Russell Coker is an Australian computer programmer based in Melbourne. He has been actively involved in the free and open-source software community and is a long time Debian developer. He has also made contributions to Security-Enhanced Linux (SELinux) in the forms of creating reference policy and integrating SELinux to the wider free software ecosystem. In 2003, Coker was awarded a grant from the James and Charlotte Griffin Foundation for his work on SELinux.

References

  1. "Linux Security Modules: General Security Support for the Linux Kernel". 2002. Retrieved 2007-02-03.
  2. "11th USENIX Security Symposium". 2002. Retrieved 2007-02-03.
  3. "Using CQUAL for Static Analysis of Authorization Hook Placement". 2002. Retrieved 2007-02-03.
  4. Landlock: unprivileged access control
  5. Stephen Smalley; Timothy Fraser; Chris Vance. "Linux Security Modules: General Security Hooks for Linux" . Retrieved 2015-10-26.
  6. Crispin Cowan (2001-04-11). "Linux Security Module Interface". linux-kernel mailing list. Retrieved 2007-02-03.