LinuxSecurityModules_security_add_hooks资源-CSDN文库

需积分: 35 160 浏览量 2009-09-13 13:37:02 上传评论收藏 77KB PDF 举报

# Linux安全模块：为主流Linux内核提供通用安全支持 ## 摘要与背景介绍随着技术的进步和网络环境的复杂化，操作系统中的访问控制机制对于保障系统安全至关重要。然而，现有主流操作系统中的访问控制机制往往无法提供足够强大的安全保障。尽管已经提出了多种增强型访问控制模型和框架，但这些模型在主流操作系统中却难以得到广泛的应用和支持。其中一个关键原因是安全社区内部对最佳解决方案缺乏共识。由于通用操作系统需要满足广泛的用户需求，因此任何集成到此类系统中的访问控制机制必须能够支持多种不同的访问控制模型。针对这一挑战，Linux安全模块（Linux Security Modules, LSM）项目开发了一种轻量级、通用的访问控制框架，该框架被设计用于主流Linux内核中，并且可以实现许多不同类型的访问控制模型作为可加载的内核模块。包括Linux权限管理、安全增强型Linux（SELinux）以及域与类型强制执行（DTE）等现有的增强型访问控制实现，都已经成功地适配到了LSM框架中。本文将详细介绍LSM的设计与实现，并讨论为Linux内核提供真正通用解决方案时面临的挑战。 ## 引言操作系统保护机制在提供系统安全方面扮演着至关重要的角色。虽然人们对此已有超过三十年的认识，但是现有主流操作系统的访问控制机制仍然不足以提供强大的安全保障。许多增强型访问控制模型和框架已经被提出并实施，但主流操作系统通常仍缺乏对这些增强功能的支持。缺乏安全社区内部的一致认可是导致这种现象的部分原因。就像其他通用操作系统一样，Linux内核仅提供了自主访问控制（Discretionary Access Control, DAC），这使得管理员可以根据自己的判断来决定哪些用户或进程可以访问特定资源。然而，这种机制在面对现代威胁时显得不足，特别是在多用户环境中。因此，为了提高安全性，引入了更强有力的访问控制机制变得十分必要。 ### Linux安全模块（LSM）概述 Linux安全模块（LSM）是一个为Linux内核提供的安全框架，旨在解决上述问题。LSM允许在内核级别实现多种不同的访问控制策略。它通过向内核添加一个钩子（hook）机制来实现这一点，这样不同的安全模块就可以根据需要注册自己的钩子来拦截和控制各种系统调用和内核事件。 LSM的主要特点包括： 1. **通用性**：LSM支持多种访问控制模型，如DAC、MAC（强制访问控制）、基于角色的访问控制（RBAC）等。 2. **灵活性**：安全策略可以动态加载和卸载，无需重新编译内核。 3. **低侵入性**：LSM的设计尽可能减少了对现有内核代码的影响，以保持内核的核心功能不受干扰。 4. **可扩展性**：LSM允许开发者轻松地添加新的安全模块来实现定制的安全策略。 ### LSM的架构与实现 LSM架构主要由以下组件组成： - **核心模块**：这是LSM的核心部分，负责初始化和管理所有注册的安全模块。 - **钩子机制**：LSM利用内核中的钩子机制来拦截特定的系统调用或内核事件，并将其传递给已注册的安全模块进行处理。 - **安全模块**：每个安全模块都实现了特定的安全策略，例如SELinux、DTE等。 ### 实现案例 - **SELinux**：这是一个基于美国国家安全局（NSA）开发的访问控制框架。SELinux利用LSM实现了基于标签的安全策略，以提供严格的访问控制。 - **DTE**：域与类型强制执行（Domain and Type Enforcement）是一种基于类型的访问控制策略，它也被成功地适配到了LSM框架中。 - **Linux权限管理**：这是一种基本的访问控制策略，也通过LSM得到了增强。 ### 面临的挑战尽管LSM提供了一个灵活且强大的框架，但在实际应用中仍然面临一些挑战： 1. **兼容性和稳定性**：确保LSM与各种版本的Linux内核和其他安全模块的兼容性是一项持续的努力。 2. **性能影响**：LSM可能会对系统的性能造成一定影响，特别是在大量使用安全模块的情况下。 3. **安全策略的复杂性**：随着安全需求的增加，安全策略可能会变得更加复杂，增加了配置和管理的难度。 Linux安全模块为Linux内核提供了一个强大而灵活的安全框架，允许开发者根据具体需求实现各种访问控制策略。随着网络安全威胁的不断演变，LSM将继续发挥重要作用，为Linux用户提供更高级别的保护。

资源推荐

资源详情

资源评论

Linux Security Modules:

General Security Support for the Linux Kernel

Chris Wright and Crispin Cowan

WireX Communications, Inc.

chris@wirex.com, crispin@wirex.com

James Morris

Intercode Pty Ltd

jmorris@intercode.com.au

Stephen Smalley

NAI Labs, Network Associates, Inc.

sds@tislabs.com

Greg Kroah-Hartman

IBM Linux Technology Center

gregkh@us.ibm.com

Abstract

The access control mechanisms of existing mainstream

operating systems are inadequate to provide strong sys-

tem security. Enhanced access control mechanisms have

failed to win acceptance into mainstream operating sys-

tems due in part to a lack of consensus within the se-

curity community on the right solution. Since general-

purpose operating systems must satisfy a wide range of

user requirements, any access control mechanism inte-

grated into such a system must be capable of supporting

many different access control models. The Linux Secu-

rity Modules (LSM) project has developed a lightweight,

general purpose, access control framework for the main-

stream Linux kernel that enables many different access

control models to be implemented as loadable kernel

modules. A number of existing enhanced access control

implementations, including Linux capabilities, Security-

Enhanced Linux (SELinux), and Domain and Type En-

forcement (DTE), have already been adapted to use the

LSM framework. This paper presents the design and

implementation of LSM and discusses the challenges

in providing a truly general solution that minimally im-

pacts the Linux kernel.

1 Introduction

The critical role of operating system protection mech-

anisms in providing system security has been well-

understood for over thirty years, yet the access control

mechanisms of existing mainstream operating systems

are still inadequate to provide strong security [2, 39, 28,

17, 26, 6, 30]. Although many enhanced access control

models and frameworks have been proposed and imple-

mented [9, 1, 4, 41, 23, 10, 29, 37], mainstream oper-

ating systems typically still lack support for these en-

hancements. In part, the absence of such enhancements

is due to a lack of agreement within the security com-

munity on the right general solution.

Like many other general-purpose operating systems, the

Linux kernel only provides discretionary access controls

and lacks any direct support for enhanced access control

mechanisms. However, Linux has long supported dy-

namically loadable kernel modules, primarily for device

drivers, but also for other components such as ﬁlesys-

tems. In principle, enhanced access controls could be

implemented as Linux kernel modules, permitting many

different security models to be supported.

In practice, creating effective security modules is prob-

lematic since the kernel does not provide any infrastruc-

ture to allow kernel modules to mediate access to ker-

nel objects. As a result, kernel modules typically re-

sort to system call interposition to control kernel op-

erations [18, 20], which has serious limitations as a

method for providing access control [41]. Furthermore,

these kernel modules often require reimplementing se-

lected kernel functionality [18, 20] or require a patch

to the kernel to support the module [10, 3, 15], reduc-

ing much of the value of modular composition. Hence,

many projects have implemented enhanced access con-

trol frameworks or models for the Linux kernel as kernel

patches [29, 37, 23, 32, 27].

At the Linux Kernel 2.5 Summit, the NSA presented

their work on Security-Enhanced Linux (SELinux) [29],

an implementation of a ﬂexible access control architec-

ture in the Linux kernel, and emphasized the need for

such support in the mainstream Linux kernel. Linus Tor-

valds appeared to accept that a general access control

framework for the Linux kernel is needed, but favored a

new infrastructure that would provide the necessary sup-

port to kernel modules for implementing security. This

approach would avoid the need to choose among the ex-

isting competing projects.

In response to Linus’ guidance, the Linux Security Mod-

ules (LSM) [45, 40] project has developed a lightweight,

general purpose, access control framework for the main-

stream Linux kernel that enables many different ac-

cess control models to be implemented as loadable ker-

nel modules. A number of existing enhanced access

control implementations, including POSIX.1e capabil-

ities [42], SELinux, and Domain and Type Enforcement

(DTE) [23], have already been adapted to use the LSM

framework.

The LSM framework meets the goal of enabling many

different security models with the same base Linux ker-

nel while minimally impacting the Linux kernel. The

generality of LSM permits enhanced access controls

to be effectively implemented without requiring kernel

patches. LSM also permits the existing security func-

tionality of POSIX.1e capabilities to be cleanly sepa-

rated from the base kernel. This allows users with spe-

cialized needs, such as embedded system developers, to

reduce security features to a minimum for performance.

It also enables development of POSIX.1e capabilities to

proceed with greater independence from the base kernel.

The remainder of this paper is organized as follows.

Section 2 elaborates on the problem that LSM seeks to

solve. Section 3 presents the LSM design. Section 4

presents the current LSM implementation. Section 5 de-

scribes the operational status of LSM, including testing,

performance overhead, and modules built for LSM so

far. Section 6 describes issues that arose during devel-

opment, and plans for future work. Section 7 describes

related work. Section 8 presents our conclusions.

2 The Problem: Constrained Design Space

The design of LSM was constrained by the practical and

technical concerns of both the Linux kernel developers

and the various Linux security projects. In email on the

topic, Linus Torvalds speciﬁed that the security frame-

work must be:

• truly generic, where using a different security

model is merely a matter of loading a different ker-

nel module;

• conceptually simple, minimally invasive, and efﬁ-

cient; and

• able to support the existing POSIX.1e capabilities

logic as an optional security module.

The various Linux security projects were primarily inter-

ested in ensuring that the security framework would be

adequate to permit them to reimplement their existing

security functionality as a loadable kernel module. The

new modular implementation must not cause any signif-

icant loss in the security being provided and should have

little additional performance overhead.

The core functionality for most of these security projects

was access control. However, a few security projects

also desired other kinds of security functionality, such as

security auditing or virtualized environments. Further-

more, there were signiﬁcant differences over the range

of ﬂexibility for the access controls. Most of the secu-

rity projects were only interested in further restricting

access, i.e. being able to deny accesses that would or-

dinarily be granted by the existing Linux discretionary

access control (DAC) logic. However, a few projects

wanted the ability to grant accesses that would ordinar-

ily be denied by the existing DAC logic; some degree

of this permissive behavior was needed to support the

capabilities logic as a module. Some security projects

wanted to migrate the DAC logic into a security module

so that they could replace it.

The “LSM problem” is to unify the functional needs of

as many security projects as possible, while minimizing

the impact on the Linux kernel. The union set of desired

features would be highly functional, but also so invasive

as to be unacceptable to the mainstream Linux commu-

nity. Section 3 presents the compromises LSM made to

simultaneously balance these conﬂicting goals.

3 LSM Design: Mediate Access to Kernel

Objects

The system call interface provides an abstraction for

userspace to interact with the kernel, and is a tempting

location to mediate access. In fact, no kernel modiﬁca-

tions are required to overwrite entries in the system call

lookup table, making it trivial to mediate this interface

using kernel modules [18, 19]. While this is an attrac-

tive feature, mediating the system call interface provides

limited value for a general purpose security framework

error checks

DAC checks

User Level process

look up inode

open system call

access inode

Examine context.

Grant or deny.

Does request pass policy?

LSM hook

Yes or No

"OK with you?"

Kernel space

User space

LSM Module Policy Engine

Figure 1: LSM Hook Architecture

such as LSM [41]. This level of mediation is not race-

free, may require code duplication, and may not ade-

quately express the full context needed to make security

policy decisions.

The basic abstraction of the LSM interface is to mediate

access to internal kernel objects. LSM seeks to allow

modules to answer the question “May a subject S per-

form a kernel operation OP on an internal kernel object

OBJ?”

LSM allows modules to mediate access to kernel objects

by placing hooks in the kernel code just ahead of the ac-

cess, as shown in Figure 1. Just before the kernel would

have accessed an internal object, a hook makes a call

to a function that the LSM module must provide. The

module can either let the access occur, or deny access,

forcing an error code return.

The LSM framework leverages the kernel’s existing

mechanisms to translate user supplied data — typically

strings, handles or simpliﬁed data structures — into in-

ternal data structures. This avoids time of check to time

of use (TOCTTOU) races [8] and inefﬁcient duplicate

look ups. It also allows the LSM framework to directly

mediate access to the core kernel data structures. With

such an approach, the LSM framework has access to the

full kernel context just before the kernel actually per-

forms the requested service. This improves access con-

trol granularity.

Given the constrained design space described in Sec-

tion 2, the LSM project chose to limit the scope of the

LSM design to supporting the core access control func-

tionality required by the existing Linux security projects.

GRANT access

REQUEST access

yes

DENY access

yes

UID match?

nono

DAC override?

Permissive LSM hook

Figure 2: Permissive LSM hook. This hook allows the security

policy to override a DAC restriction.

This limitation enabled the LSM framework to remain

conceptually simple and minimally invasive while still

meeting the needs of many of the security projects. It

also strengthened the justiﬁcation for adopting the LSM

framework into the Linux kernel, since the need for en-

hanced access controls was more generally accepted by

the kernel developers than the need for other kinds of

security functionality such as auditing.

A consequence of the “stay simple” design decision is

that LSM hooks are primarily restrictive: where the ker-

nel was about to grant access, the module may deny ac-

cess, but when the kernel would deny access, the module

is not consulted. This design simpliﬁcation exists largely

because the Linux kernel “short-circuits” many deci-

sions early when error conditions are detected. Provid-

ing for authoritative hooks (where the module can over-

ride either decision) would require many more hooks

into the Linux kernel.

However, the POSIX.1e capabilities logic requires the

ability to grant accesses that would ordinarily be denied

at a coarse level of granularity. In order to support this

logic as a security module, LSM provides some minimal

support for these permissive hooks, where the module

can grant access the kernel was about to deny. The per-

missive hooks are typically coupled with a simple DAC

check, and allow the module to override the DAC restric-

tion. Figure 2 shows a user access request where a failed

user ID check can be overridden by a permissive hook.

These hooks are limited to the extent that the kernel al-

ready consults the POSIX.1e capable() function.

Although LSM was not designed to explicitly sup-

port security auditing, some forms of auditing can be

supported using the features provided for access con-

trol. For example, many of the existing Linux security

projects provide support for auditing the access checks

performed by their access controls. LSM also enables

剩余14页未读，继续阅读

评论收藏

内容反馈

alextech

粉丝: 0
资源: 6

Linux Security Modules

linux-security-modules:存储我的玩具linux安全模块的地方

The Linux Basic Security Module-开源

Linux Network Security.chm

Linux-Security-Pro

Linux Security Enhancer-开源

Introduction to Embedded Linux Security

android security framework

Linux安全技术现状分析.pdf

《A Permission Check Analysis Framework for Linux Kernel》.pdf

Linux Essentials for Cybersecurity

Trinux: A Linux Security Toolkit-开源

Linux Security Quick Reference Guide

Red Hat Linux Security and Optimization

Astaro Security Linux 6．0发布.pdf

Practical_Linux_Security_Cookbook.epub

基于Linux的USB存储设备访问控制机制研究.pdf

KRSI Kernel Runtime Security Instrumentation

lsm.rar_LSM_linux lsm

Linux 2.6内核下LKM安全性研究.pdf

安全Linux服务器.pdf

Security Target for Oracle Linux.pdf

Red.Hat.Linux.Security.And.Optimization.2002

Linux Kernel Security.pdf

Linux_Security_Cookbook

Practical Linux Security Cookbook

将selinux实现为linux安全模块报告

海采监控中心Linux操作系统的安全防护.pdf

lsm.rar_LSM_LSM linux_V2

最新资源