162306a36Sopenharmony_ci======================================================== 262306a36Sopenharmony_ciLinux Security Modules: General Security Hooks for Linux 362306a36Sopenharmony_ci======================================================== 462306a36Sopenharmony_ci 562306a36Sopenharmony_ci:Author: Stephen Smalley 662306a36Sopenharmony_ci:Author: Timothy Fraser 762306a36Sopenharmony_ci:Author: Chris Vance 862306a36Sopenharmony_ci 962306a36Sopenharmony_ci.. note:: 1062306a36Sopenharmony_ci 1162306a36Sopenharmony_ci The APIs described in this book are outdated. 1262306a36Sopenharmony_ci 1362306a36Sopenharmony_ciIntroduction 1462306a36Sopenharmony_ci============ 1562306a36Sopenharmony_ci 1662306a36Sopenharmony_ciIn March 2001, the National Security Agency (NSA) gave a presentation 1762306a36Sopenharmony_ciabout Security-Enhanced Linux (SELinux) at the 2.5 Linux Kernel Summit. 1862306a36Sopenharmony_ciSELinux is an implementation of flexible and fine-grained 1962306a36Sopenharmony_cinondiscretionary access controls in the Linux kernel, originally 2062306a36Sopenharmony_ciimplemented as its own particular kernel patch. Several other security 2162306a36Sopenharmony_ciprojects (e.g. RSBAC, Medusa) have also developed flexible access 2262306a36Sopenharmony_cicontrol architectures for the Linux kernel, and various projects have 2362306a36Sopenharmony_cideveloped particular access control models for Linux (e.g. LIDS, DTE, 2462306a36Sopenharmony_ciSubDomain). Each project has developed and maintained its own kernel 2562306a36Sopenharmony_cipatch to support its security needs. 2662306a36Sopenharmony_ci 2762306a36Sopenharmony_ciIn response to the NSA presentation, Linus Torvalds made a set of 2862306a36Sopenharmony_ciremarks that described a security framework he would be willing to 2962306a36Sopenharmony_ciconsider for inclusion in the mainstream Linux kernel. He described a 3062306a36Sopenharmony_cigeneral framework that would provide a set of security hooks to control 3162306a36Sopenharmony_cioperations on kernel objects and a set of opaque security fields in 3262306a36Sopenharmony_cikernel data structures for maintaining security attributes. This 3362306a36Sopenharmony_ciframework could then be used by loadable kernel modules to implement any 3462306a36Sopenharmony_cidesired model of security. Linus also suggested the possibility of 3562306a36Sopenharmony_cimigrating the Linux capabilities code into such a module. 3662306a36Sopenharmony_ci 3762306a36Sopenharmony_ciThe Linux Security Modules (LSM) project was started by WireX to develop 3862306a36Sopenharmony_cisuch a framework. LSM was a joint development effort by several security 3962306a36Sopenharmony_ciprojects, including Immunix, SELinux, SGI and Janus, and several 4062306a36Sopenharmony_ciindividuals, including Greg Kroah-Hartman and James Morris, to develop a 4162306a36Sopenharmony_ciLinux kernel patch that implements this framework. The work was 4262306a36Sopenharmony_ciincorporated in the mainstream in December of 2003. This technical 4362306a36Sopenharmony_cireport provides an overview of the framework and the capabilities 4462306a36Sopenharmony_cisecurity module. 4562306a36Sopenharmony_ci 4662306a36Sopenharmony_ciLSM Framework 4762306a36Sopenharmony_ci============= 4862306a36Sopenharmony_ci 4962306a36Sopenharmony_ciThe LSM framework provides a general kernel framework to support 5062306a36Sopenharmony_cisecurity modules. In particular, the LSM framework is primarily focused 5162306a36Sopenharmony_cion supporting access control modules, although future development is 5262306a36Sopenharmony_cilikely to address other security needs such as sandboxing. By itself, the 5362306a36Sopenharmony_ciframework does not provide any additional security; it merely provides 5462306a36Sopenharmony_cithe infrastructure to support security modules. The LSM framework is 5562306a36Sopenharmony_cioptional, requiring `CONFIG_SECURITY` to be enabled. The capabilities 5662306a36Sopenharmony_cilogic is implemented as a security module. 5762306a36Sopenharmony_ciThis capabilities module is discussed further in 5862306a36Sopenharmony_ci`LSM Capabilities Module`_. 5962306a36Sopenharmony_ci 6062306a36Sopenharmony_ciThe LSM framework includes security fields in kernel data structures and 6162306a36Sopenharmony_cicalls to hook functions at critical points in the kernel code to 6262306a36Sopenharmony_cimanage the security fields and to perform access control. 6362306a36Sopenharmony_ciIt also adds functions for registering security modules. 6462306a36Sopenharmony_ciAn interface `/sys/kernel/security/lsm` reports a comma separated list 6562306a36Sopenharmony_ciof security modules that are active on the system. 6662306a36Sopenharmony_ci 6762306a36Sopenharmony_ciThe LSM security fields are simply ``void*`` pointers. 6862306a36Sopenharmony_ciThe data is referred to as a blob, which may be managed by 6962306a36Sopenharmony_cithe framework or by the individual security modules that use it. 7062306a36Sopenharmony_ciSecurity blobs that are used by more than one security module are 7162306a36Sopenharmony_citypically managed by the framework. 7262306a36Sopenharmony_ciFor process and 7362306a36Sopenharmony_ciprogram execution security information, security fields are included in 7462306a36Sopenharmony_ci:c:type:`struct task_struct <task_struct>` and 7562306a36Sopenharmony_ci:c:type:`struct cred <cred>`. 7662306a36Sopenharmony_ciFor filesystem 7762306a36Sopenharmony_cisecurity information, a security field is included in :c:type:`struct 7862306a36Sopenharmony_cisuper_block <super_block>`. For pipe, file, and socket security 7962306a36Sopenharmony_ciinformation, security fields are included in :c:type:`struct inode 8062306a36Sopenharmony_ci<inode>` and :c:type:`struct file <file>`. 8162306a36Sopenharmony_ciFor System V IPC security information, 8262306a36Sopenharmony_cisecurity fields were added to :c:type:`struct kern_ipc_perm 8362306a36Sopenharmony_ci<kern_ipc_perm>` and :c:type:`struct msg_msg 8462306a36Sopenharmony_ci<msg_msg>`; additionally, the definitions for :c:type:`struct 8562306a36Sopenharmony_cimsg_msg <msg_msg>`, struct msg_queue, and struct shmid_kernel 8662306a36Sopenharmony_ciwere moved to header files (``include/linux/msg.h`` and 8762306a36Sopenharmony_ci``include/linux/shm.h`` as appropriate) to allow the security modules to 8862306a36Sopenharmony_ciuse these definitions. 8962306a36Sopenharmony_ci 9062306a36Sopenharmony_ciFor packet and 9162306a36Sopenharmony_cinetwork device security information, security fields were added to 9262306a36Sopenharmony_ci:c:type:`struct sk_buff <sk_buff>` and 9362306a36Sopenharmony_ci:c:type:`struct scm_cookie <scm_cookie>`. 9462306a36Sopenharmony_ciUnlike the other security module data, the data used here is a 9562306a36Sopenharmony_ci32-bit integer. The security modules are required to map or otherwise 9662306a36Sopenharmony_ciassociate these values with real security attributes. 9762306a36Sopenharmony_ci 9862306a36Sopenharmony_ciLSM hooks are maintained in lists. A list is maintained for each 9962306a36Sopenharmony_cihook, and the hooks are called in the order specified by CONFIG_LSM. 10062306a36Sopenharmony_ciDetailed documentation for each hook is 10162306a36Sopenharmony_ciincluded in the `security/security.c` source file. 10262306a36Sopenharmony_ci 10362306a36Sopenharmony_ciThe LSM framework provides for a close approximation of 10462306a36Sopenharmony_cigeneral security module stacking. It defines 10562306a36Sopenharmony_cisecurity_add_hooks() to which each security module passes a 10662306a36Sopenharmony_ci:c:type:`struct security_hooks_list <security_hooks_list>`, 10762306a36Sopenharmony_ciwhich are added to the lists. 10862306a36Sopenharmony_ciThe LSM framework does not provide a mechanism for removing hooks that 10962306a36Sopenharmony_cihave been registered. The SELinux security module has implemented 11062306a36Sopenharmony_cia way to remove itself, however the feature has been deprecated. 11162306a36Sopenharmony_ci 11262306a36Sopenharmony_ciThe hooks can be viewed as falling into two major 11362306a36Sopenharmony_cicategories: hooks that are used to manage the security fields and hooks 11462306a36Sopenharmony_cithat are used to perform access control. Examples of the first category 11562306a36Sopenharmony_ciof hooks include the security_inode_alloc() and security_inode_free() 11662306a36Sopenharmony_ciThese hooks are used to allocate 11762306a36Sopenharmony_ciand free security structures for inode objects. 11862306a36Sopenharmony_ciAn example of the second category of hooks 11962306a36Sopenharmony_ciis the security_inode_permission() hook. 12062306a36Sopenharmony_ciThis hook checks permission when accessing an inode. 12162306a36Sopenharmony_ci 12262306a36Sopenharmony_ciLSM Capabilities Module 12362306a36Sopenharmony_ci======================= 12462306a36Sopenharmony_ci 12562306a36Sopenharmony_ciThe POSIX.1e capabilities logic is maintained as a security module 12662306a36Sopenharmony_cistored in the file ``security/commoncap.c``. The capabilities 12762306a36Sopenharmony_cimodule uses the order field of the :c:type:`lsm_info` description 12862306a36Sopenharmony_cito identify it as the first security module to be registered. 12962306a36Sopenharmony_ciThe capabilities security module does not use the general security 13062306a36Sopenharmony_ciblobs, unlike other modules. The reasons are historical and are 13162306a36Sopenharmony_cibased on overhead, complexity and performance concerns. 132