0001 ========================================================
0002 Linux Security Modules: General Security Hooks for Linux
0003 ========================================================
0004
0005 :Author: Stephen Smalley
0006 :Author: Timothy Fraser
0007 :Author: Chris Vance
0008
0009 .. note::
0010
0011 The APIs described in this book are outdated.
0012
0013 Introduction
0014 ============
0015
0016 In March 2001, the National Security Agency (NSA) gave a presentation
0017 about Security-Enhanced Linux (SELinux) at the 2.5 Linux Kernel Summit.
0018 SELinux is an implementation of flexible and fine-grained
0019 nondiscretionary access controls in the Linux kernel, originally
0020 implemented as its own particular kernel patch. Several other security
0021 projects (e.g. RSBAC, Medusa) have also developed flexible access
0022 control architectures for the Linux kernel, and various projects have
0023 developed particular access control models for Linux (e.g. LIDS, DTE,
0024 SubDomain). Each project has developed and maintained its own kernel
0025 patch to support its security needs.
0026
0027 In response to the NSA presentation, Linus Torvalds made a set of
0028 remarks that described a security framework he would be willing to
0029 consider for inclusion in the mainstream Linux kernel. He described a
0030 general framework that would provide a set of security hooks to control
0031 operations on kernel objects and a set of opaque security fields in
0032 kernel data structures for maintaining security attributes. This
0033 framework could then be used by loadable kernel modules to implement any
0034 desired model of security. Linus also suggested the possibility of
0035 migrating the Linux capabilities code into such a module.
0036
0037 The Linux Security Modules (LSM) project was started by WireX to develop
0038 such a framework. LSM was a joint development effort by several security
0039 projects, including Immunix, SELinux, SGI and Janus, and several
0040 individuals, including Greg Kroah-Hartman and James Morris, to develop a
0041 Linux kernel patch that implements this framework. The work was
0042 incorporated in the mainstream in December of 2003. This technical
0043 report provides an overview of the framework and the capabilities
0044 security module.
0045
0046 LSM Framework
0047 =============
0048
0049 The LSM framework provides a general kernel framework to support
0050 security modules. In particular, the LSM framework is primarily focused
0051 on supporting access control modules, although future development is
0052 likely to address other security needs such as sandboxing. By itself, the
0053 framework does not provide any additional security; it merely provides
0054 the infrastructure to support security modules. The LSM framework is
0055 optional, requiring `CONFIG_SECURITY` to be enabled. The capabilities
0056 logic is implemented as a security module.
0057 This capabilities module is discussed further in
0058 `LSM Capabilities Module`_.
0059
0060 The LSM framework includes security fields in kernel data structures and
0061 calls to hook functions at critical points in the kernel code to
0062 manage the security fields and to perform access control.
0063 It also adds functions for registering security modules.
0064 An interface `/sys/kernel/security/lsm` reports a comma separated list
0065 of security modules that are active on the system.
0066
0067 The LSM security fields are simply ``void*`` pointers.
0068 The data is referred to as a blob, which may be managed by
0069 the framework or by the individual security modules that use it.
0070 Security blobs that are used by more than one security module are
0071 typically managed by the framework.
0072 For process and
0073 program execution security information, security fields are included in
0074 :c:type:`struct task_struct <task_struct>` and
0075 :c:type:`struct cred <cred>`.
0076 For filesystem
0077 security information, a security field is included in :c:type:`struct
0078 super_block <super_block>`. For pipe, file, and socket security
0079 information, security fields are included in :c:type:`struct inode
0080 <inode>` and :c:type:`struct file <file>`.
0081 For System V IPC security information,
0082 security fields were added to :c:type:`struct kern_ipc_perm
0083 <kern_ipc_perm>` and :c:type:`struct msg_msg
0084 <msg_msg>`; additionally, the definitions for :c:type:`struct
0085 msg_msg <msg_msg>`, struct msg_queue, and struct shmid_kernel
0086 were moved to header files (``include/linux/msg.h`` and
0087 ``include/linux/shm.h`` as appropriate) to allow the security modules to
0088 use these definitions.
0089
0090 For packet and
0091 network device security information, security fields were added to
0092 :c:type:`struct sk_buff <sk_buff>` and
0093 :c:type:`struct scm_cookie <scm_cookie>`.
0094 Unlike the other security module data, the data used here is a
0095 32-bit integer. The security modules are required to map or otherwise
0096 associate these values with real security attributes.
0097
0098 LSM hooks are maintained in lists. A list is maintained for each
0099 hook, and the hooks are called in the order specified by CONFIG_LSM.
0100 Detailed documentation for each hook is
0101 included in the `include/linux/lsm_hooks.h` header file.
0102
0103 The LSM framework provides for a close approximation of
0104 general security module stacking. It defines
0105 security_add_hooks() to which each security module passes a
0106 :c:type:`struct security_hooks_list <security_hooks_list>`,
0107 which are added to the lists.
0108 The LSM framework does not provide a mechanism for removing hooks that
0109 have been registered. The SELinux security module has implemented
0110 a way to remove itself, however the feature has been deprecated.
0111
0112 The hooks can be viewed as falling into two major
0113 categories: hooks that are used to manage the security fields and hooks
0114 that are used to perform access control. Examples of the first category
0115 of hooks include the security_inode_alloc() and security_inode_free()
0116 These hooks are used to allocate
0117 and free security structures for inode objects.
0118 An example of the second category of hooks
0119 is the security_inode_permission() hook.
0120 This hook checks permission when accessing an inode.
0121
0122 LSM Capabilities Module
0123 =======================
0124
0125 The POSIX.1e capabilities logic is maintained as a security module
0126 stored in the file ``security/commoncap.c``. The capabilities
0127 module uses the order field of the :c:type:`lsm_info` description
0128 to identify it as the first security module to be registered.
0129 The capabilities security module does not use the general security
0130 blobs, unlike other modules. The reasons are historical and are
0131 based on overhead, complexity and performance concerns.
