http://www.ibm.com/developerworks/cn/linux/l-lsm/part1/

1. Background: why and what

In recent years Linux has attracted wide attention and adoption in the computer industry, thanks to its performance and stability, the flexibility and extensibility that come with open source, and its low cost. In terms of security, however, the Linux kernel offers only the classic UNIX discretionary access control (the root user, user IDs and mode bits) plus partial support for the capabilities mechanism of the POSIX.1e draft standard. This is not enough for the security of a Linux system, and it has held back the further development and wider application of Linux.

Many security access-control models and frameworks have been researched and developed to enhance the security of Linux systems; well-known ones include Security-Enhanced Linux (SELinux), Domain and Type Enforcement (DTE) and the Linux Intrusion Detection System (LIDS). None of them, however, has been able to gain a dominant position and enter the Linux kernel as the standard, and most of them are distributed as kernel patches: using them requires the ability to compile and customise a kernel, which puts them out of reach of ordinary users without kernel development experience. At the 2001 Linux Kernel Summit the National Security Agency (NSA) presented its work on Security-Enhanced Linux (SELinux), an implementation of the Flask flexible access-control architecture in Linux. Linus Torvalds, the creator of the Linux kernel, agreed that the kernel did need a general security access-control framework, but pointed out that the best way to provide one was through loadable kernel modules, so that all the existing security access-control systems could be supported. Linux Security Modules (LSM) was born of that observation.

Linux Security Modules (LSM) is a lightweight, general-purpose access-control framework for the Linux kernel. It allows different security access-control models to be implemented as loadable kernel modules; the user picks the security module that suits them and loads it into the kernel, which greatly improves the flexibility and usability of secure access control in Linux. Several well-known access-control enhancements have already been ported to LSM, including POSIX.1e capabilities, SELinux, DTE and LIDS. LSM is currently still a patch to the Linux kernel, but it is maintained for both the stable Linux 2.4 series and the Linux 2.5 development series, and it stands a good chance of being merged into the stable Linux 2.6 kernel. That would achieve its goal: acceptance by the Linux kernel as the standard for kernel security, available to users in every Linux distribution.

 


2. Design principles: satisfying both sides

Linux Security Modules (LSM) has to do its best to satisfy two groups at once: those who do not need it should be bothered by it as little as possible, while those who do need it should get useful and efficient functionality.

The kernel developers, represented by Linus Torvalds, set three requirements for LSM:

  • Truly generic: using a different security model means nothing more than loading a different kernel module
  • Conceptually simple, minimally invasive to the Linux kernel, and efficient
  • Able to support the existing POSIX.1e capabilities logic as an optional security module

The various Linux security enhancement projects, on the other hand, asked LSM to let them re-implement their security functionality as loadable kernel modules with no noticeable loss of security and no additional overhead.

To meet these design goals, LSM places hooks in the kernel source code to mediate access to kernel-internal objects: tasks, inodes, open files and so on. When a user process makes a system call, the call first goes through the kernel's original logic to find and allocate resources, perform error checking and pass the classic UNIX discretionary access control. Right before the kernel would actually access the internal object, an LSM hook calls a function that the security module must provide, putting the question "may this access proceed?" to the module; the module decides according to its security policy and answers either yes, or no together with an error code.
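The following user-space model of that arbitration point is an added example written for this page; it is not code from the LSM patch or from any security module. It keeps the names the text uses (security_ops, inode_permission(), capable(), CAP_DAC_OVERRIDE) but the struct layouts, the label string kept in the inode's security field, the task and inode it constructs and the "strict" module are all assumptions made for the example. It shows the two consequences of placing the hook after the classic DAC check: the module is never consulted when DAC has already refused, and when DAC (or CAP_DAC_OVERRIDE) would allow the access the module can still refuse it, even for root.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define MAY_READ   4
#define MAY_WRITE  2
#define CAP_DAC_OVERRIDE 1              /* capability bit number, as in the kernel */

struct task_struct {
    unsigned int uid;
    unsigned int cap_effective;         /* capability set: a simple bit vector */
    void *security;                     /* LSM security field (unused here) */
};
struct inode {
    unsigned int uid;
    unsigned int mode;                  /* owner permission bits only */
    void *security;                     /* LSM security field: a label string (assumption) */
};
struct security_operations {
    int (*capable)(struct task_struct *tsk, int cap);
    int (*inode_permission)(struct inode *inode, int mask);
};

static struct task_struct *current;
static int module_consulted;            /* did the DAC path reach the hook? */

/* Default ("dummy") hooks: traditional superuser semantics. */
static int dummy_capable(struct task_struct *tsk, int cap)
{
    return (tsk->cap_effective & (1u << cap)) ? 0 : -EPERM;
}
static int dummy_inode_permission(struct inode *inode, int mask)
{
    (void)inode; (void)mask;
    return 0;                           /* the dummy module never refuses */
}
static struct security_operations dummy_ops = { dummy_capable, dummy_inode_permission };
static struct security_operations *security_ops = &dummy_ops;

/* capable() stays as the kernel-wide interface but is only a wrapper now. */
static int capable(int cap)
{
    return security_ops->capable(current, cap) == 0;
}

/* The arbitration point: classic DAC first, then the hook. */
int inode_permission(struct inode *inode, int mask)
{
    int dac_ok = current->uid == inode->uid && (inode->mode & mask) == mask;

    if (!dac_ok && !capable(CAP_DAC_OVERRIDE))
        return -EACCES;                 /* DAC refused: the module is never asked */
    module_consulted = 1;
    return security_ops->inode_permission(inode, mask);  /* can only add a refusal */
}

/* A restrictive module: nobody, root included, may write an inode labelled "secret". */
static int strict_inode_permission(struct inode *inode, int mask)
{
    const char *label = inode->security;
    if (label && strcmp(label, "secret") == 0 && (mask & MAY_WRITE))
        return -EACCES;
    return 0;
}
static struct security_operations strict_ops = { dummy_capable, strict_inode_permission };

/* One access attempt by a constructed task against a constructed inode
 * (owner uid 1000, mode rw-); returns the kernel's decision. */
int try_access(int strict, unsigned int uid, unsigned int caps, char *label, int mask)
{
    struct task_struct tsk = { uid, caps, NULL };
    struct inode ino = { 1000, MAY_READ | MAY_WRITE, label };
    int rc;

    security_ops = strict ? &strict_ops : &dummy_ops;
    current = &tsk;
    module_consulted = 0;
    rc = inode_permission(&ino, mask);
    current = NULL;
    return rc;
}
int module_was_consulted(void) { return module_consulted; }

int main(void)
{
    int rc = try_access(0, 1001, 0, "public", MAY_READ);
    printf("other user, dummy module: %d, module consulted: %d\n", rc, module_was_consulted());
    rc = try_access(1, 0, 1u << CAP_DAC_OVERRIDE, "secret", MAY_WRITE);
    printf("root, strict module, writes secret: %d, module consulted: %d\n", rc, module_was_consulted());
    return 0;
}
```

The order of the two checks is the whole design: because the hook sits behind DAC, a module written against this interface can tighten the kernel's decision but cannot loosen it, which is exactly the "restrictive" character of LSM decisions discussed next.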

To satisfy most of the existing Linux security enhancement systems, LSM also made several simplifying design decisions. LSM currently supports mainly the core function of most existing security enhancement systems, access control; other security functions that some systems need, such as security auditing, receive only limited support. LSM currently supports mainly "restrictive" access-control decisions: when the kernel would grant access, the security module may still refuse it, whereas when the kernel denies access the module is simply skipped. The opposite, "permissive" kind of decision, granting what the kernel would refuse, gets only limited support. For composing the functions of several modules LSM permits module stacking, but leaves the real work to the modules themselves: the final decision on how the modules are composed is taken by the first module loaded. All of these decisions may limit the functionality and flexibility of LSM for the time being, but they greatly reduce the complexity of the implementation and the amount of kernel modification and disruption, and so greatly improve the chance that LSM enters the kernel as the standard security mechanism. Once it is the standard, the decisions can be revisited and functionality and flexibility added.

 


3. Implementation: modifications to the Linux kernel

LSM is currently implemented as a patch to the Linux kernel. It provides no security policy of its own; it provides the common infrastructure for security modules, and each security module implements a specific policy. The patch modifies the kernel in five main ways:

  • Adds security fields to specific kernel data structures
  • Inserts calls to security hook functions at key points in the kernel source
  • Adds a general security system call
  • Provides functions with which kernel modules register and unregister as security modules
  • Moves most of the capabilities logic into an optional security module

The five changes are introduced briefly below, one by one.

A security field is a void* pointer that lets the security module attach its own security information to a kernel-internal object. The kernel data structures that were modified to carry a security field, and the kernel objects they represent, are:

  • task_struct: a task (process)
  • linux_binprm: a program being loaded
  • super_block: a file system
  • inode: a pipe, a file or a socket
  • file: an open file
  • sk_buff: a network buffer (packet)
  • net_device: a network device
  • kern_ipc_perm: a semaphore set, shared memory segment or message queue
  • msg_msg: a single message

In addition, the msg_msg, msg_queue and shmid_kernel structures were moved into the header files include/linux/msg.h and include/linux/shm.h so that security modules can use these definitions.

LSM provides two kinds of calls to security hook functions: one kind manages the security fields of kernel objects, the other mediates access to those objects. The calls go through the hooks, which are function pointers in the global table security_ops. This table has the type struct security_operations, defined in the header include/linux/security.h; it consists of sub-structures of hooks grouped by kernel object or kernel subsystem, plus some top-level hooks for system operations. Calls to hook functions are easy to find in the kernel source: they are prefixed with security_ops->. A more detailed description of the hooks follows later.

LSM provides a general security system call that lets a security module offer new system calls to security-aware applications. Its style resembles the original Linux socketcall() system call: it is a multiplexed system call. The call is security(), with the parameters (unsigned int id, unsigned int call, unsigned long *args), where id identifies the module, call identifies the operation and args is the argument list. By default the system call provides the entry function sys_security(), which simply passes its arguments to the sys_security() hook. A security module that does not provide new system calls can define a sys_security() hook that returns -ENOSYS; most security modules, however, can implement this system call themselves.

During kernel boot the LSM framework is initialised with a set of dummy hook functions that implement the traditional UNIX superuser mechanism. When a security module is loaded it must register itself with the LSM framework using register_security(): this function sets the global table security_ops to point at the module's hook functions, so that the kernel asks the module for access-control decisions. Once a security module has been loaded it becomes the system's security policy decision centre and cannot be replaced by a later register_security() call, until the module deregisters itself from the framework with unregister_security(): this simply restores the default hook functions, and the system returns to the UNIX superuser mechanism. The framework additionally provides mod_reg_security() and mod_unreg_security(), through which later security modules register and unregister with the first, primary module; how the policies are combined is the primary module's decision, whether it implements some form of module stacking to compose their functions or simply returns an error and ignores the later module. These functions live in the kernel source file security/security.c.
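The following is an added, user-space model of the registration functions of this paragraph and of the multiplexed security() system call of the previous one; it is example code written for this page, not the contents of security/security.c or of any security module. The function names (register_security, unregister_security, mod_reg_security, mod_unreg_security, sys_security) and the fact that the dummy module answers -ENOSYS are taken from the text; the error codes returned on a refused registration, the "readonly" primary module that stacks one secondary, the "noexec" secondary, the module id 7 and its two call numbers are assumptions made for the example. It shows the three properties described above: the first module to register locks out any later register_security(), a later module can only get in through the primary's own register_security hook, and unregistering restores the dummy behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define MAY_READ  4
#define MAY_WRITE 2
#define MAY_EXEC  1

struct security_operations {
    const char *name;
    int  (*inode_permission)(int mask);          /* stands in for the many arbitration hooks */
    int  (*register_security)(const char *name, struct security_operations *ops);
    int  (*unregister_security)(const char *name, struct security_operations *ops);
    long (*sys_security)(unsigned int id, unsigned int call, unsigned long *args);
};

/* Defaults installed at boot: superuser semantics, no stacking, no security() calls. */
static int  dummy_inode_permission(int mask) { (void)mask; return 0; }
static int  dummy_register(const char *n, struct security_operations *o) { (void)n; (void)o; return -EINVAL; }
static int  dummy_unregister(const char *n, struct security_operations *o) { (void)n; (void)o; return -EINVAL; }
static long dummy_sys_security(unsigned int id, unsigned int call, unsigned long *args)
{ (void)id; (void)call; (void)args; return -ENOSYS; }
static struct security_operations dummy_ops =
    { "dummy", dummy_inode_permission, dummy_register, dummy_unregister, dummy_sys_security };
static struct security_operations *security_ops = &dummy_ops;

/* The framework side, modelled on security/security.c. */
int register_security(struct security_operations *ops)
{
    if (security_ops != &dummy_ops)
        return -EAGAIN;                          /* a primary module is already in control */
    security_ops = ops;
    return 0;
}
int unregister_security(struct security_operations *ops)
{
    if (ops != security_ops)
        return -EINVAL;
    security_ops = &dummy_ops;                   /* back to the superuser mechanism */
    return 0;
}
int mod_reg_security(const char *name, struct security_operations *ops)
{ return security_ops->register_security(name, ops); }          /* the primary decides */
int mod_unreg_security(const char *name, struct security_operations *ops)
{ return security_ops->unregister_security(name, ops); }
long sys_security(unsigned int id, unsigned int call, unsigned long *args)
{ return security_ops->sys_security(id, call, args); }          /* the multiplexed syscall */
int inode_permission(int mask) { return security_ops->inode_permission(mask); }
const char *active_module(void) { return security_ops->name; }

/* A primary module ("readonly") that accepts exactly one secondary behind it. */
static struct security_operations *secondary;    /* filled in through mod_reg_security() */

static int primary_inode_permission(int mask)
{
    if (mask & MAY_WRITE)
        return -EACCES;                          /* its own policy: the system is read-only */
    return secondary ? secondary->inode_permission(mask) : 0;   /* then the stacked module */
}
static int primary_register(const char *name, struct security_operations *ops)
{ (void)name; if (secondary) return -EBUSY; secondary = ops; return 0; }
static int primary_unregister(const char *name, struct security_operations *ops)
{ (void)name; if (ops != secondary) return -EINVAL; secondary = NULL; return 0; }
#define PRIMARY_ID    7                          /* module id: an assumption for this example */
#define PRIMARY_DEPTH 0                          /* call 0: how many modules are stacked */
#define PRIMARY_QUERY 1                          /* call 1: args[0] = mask, returns the decision */
static long primary_sys_security(unsigned int id, unsigned int call, unsigned long *args)
{
    if (id != PRIMARY_ID) return -EINVAL;
    if (call == PRIMARY_DEPTH) return secondary ? 1 : 0;
    if (call == PRIMARY_QUERY) return args ? primary_inode_permission((int)args[0]) : -EFAULT;
    return -EINVAL;
}
struct security_operations primary_ops =
    { "readonly", primary_inode_permission, primary_register, primary_unregister, primary_sys_security };

/* A secondary module that forbids executing anything. */
static int noexec_inode_permission(int mask) { return (mask & MAY_EXEC) ? -EACCES : 0; }
struct security_operations noexec_ops =
    { "noexec", noexec_inode_permission, dummy_register, dummy_unregister, dummy_sys_security };

/* What a user-space program would do with the security() call. */
long query_access(int mask)
{
    unsigned long args[1] = { (unsigned long)mask };
    return sys_security(PRIMARY_ID, PRIMARY_QUERY, args);
}

int main(void)
{
    int rc = register_security(&primary_ops);
    printf("register readonly -> %d (active: %s)\n", rc, active_module());
    rc = register_security(&noexec_ops);
    printf("second primary -> %d, via mod_reg_security -> %d\n", rc, mod_reg_security("noexec", &noexec_ops));
    printf("exec -> %d, write via security() -> %ld\n", inode_permission(MAY_EXEC), query_access(MAY_WRITE));
    return 0;
}
```

Note what the stacking decision costs: the secondary is only ever consulted for accesses the primary already allows, and a primary whose register_security hook simply returns an error (as the dummy does) makes any later module a no-op. Anyone relying on a second module for enforcement has to check that mod_reg_security() actually returned 0.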

The Linux kernel currently implements a subset of POSIX.1e capabilities, and one of LSM's design requirements was to move this functionality into an optional security module. POSIX.1e capabilities partition the traditional superuser privilege into pieces that can be granted to individual processes. LSM keeps the existing capable() interface that the kernel uses for capability checks, but reduces capable() to a wrapper around an LSM hook, so that any required logic can be implemented in the security module. LSM also leaves the process capability sets (simple bit vectors) in task_struct rather than moving them into the security field. The kernel has two system calls for capabilities, capset() and capget(); LSM keeps these as well but replaces their bodies with calls to hook functions, so that they could essentially be re-implemented through the security() system call. LSM has moved a good deal of the capabilities logic into a capabilities security module, but quite a few remnants of the original capabilities code remain in the kernel. This approach minimises the changes to the kernel and preserves as much as possible the support for existing applications that use capabilities, while still meeting the functional requirements of the design. The main remaining steps towards a fully independent capabilities module are moving the bit vectors into the security field of task_struct and relocating the system-call interface.

 


4. Interface specification: hooks for kernel developers and security researchers

The value of LSM for kernel developers and security researchers is that an existing security enhancement system can be ported to the framework through its interface and then offered to users as a loadable kernel module, or that they can write a security module tailored to their own needs. The interface LSM provides is the set of hooks; at initialisation these point to dummy functions implementing the traditional UNIX superuser mechanism, and module writers re-implement the hooks to enforce their own security policy. The hooks LSM provides are introduced briefly below; for details refer to the source code, in particular the definition of struct security_operations in the header include/linux/security.h. For how to write a security module for the policy you need, the source of SELinux, DTE, LIDS and the other modules serves as reference.

First, the task hooks. LSM provides a set of task hooks that let the security module manage process security information and control process operations. A module can use the security field of task_struct to maintain per-process security information. The task hooks control inter-process communication, for example kill(); they control privileged operations on the current process, for example setuid(); and they give fine-grained control over resource-management operations, for example setrlimit() and nice().

Next, the program-loading hooks. Many security modules, including Linux capabilities, SELinux and DTE, need to change privileges when a new program is executed. LSM therefore provides a set of program-loading hooks at the key points of an execve() operation. The security field in linux_binprm lets the module keep security information while the program is being loaded; one hook lets the module initialise that information and perform access control before the program is loaded; another lets it update the task's security information once the new program has been loaded successfully; further hooks control the inheritance of state across the exec, for example by verifying open file descriptors.

Then the inter-process communication (IPC) hooks. A security module uses the IPC hooks to manage security information for, and control access to, System V IPC. The IPC object structures share the sub-structure kern_ipc_perm, and only a pointer to that sub-structure is passed to the existing ipcperms() permission check, so LSM added a security field to the shared sub-structure. To support security information on individual messages, LSM also added a security field to msg_msg. LSM inserted a hook into the existing ipcperms() function, so a module can enforce its own check at every existing Linux IPC permission check. Because that check is not enough for some security modules, LSM also inserted hooks into the individual IPC operations. There is also hook support for fine-grained access control over individual messages sent through System V message queues.

Then the file system hooks. Three kinds of hooks are defined for file operations: file system hooks, inode hooks and file hooks, and LSM added security fields to the three corresponding kernel structures, super_block, inode and file. The superblock (file system) hooks let a module control operations on a whole file system, such as mount, umount and statfs(). LSM inserted a hook into the permission() function, so that function is retained, but many other inode hooks give fine-grained access control over individual inode operations. Some file hooks let a module perform additional checks on file operations such as read() and write(); others let it control the receipt of open file descriptors over socket IPC; others again give fine-grained access control over operations such as fcntl() and ioctl().

Next, the network hooks. Application-layer access to the network is mediated by a set of socket hooks, which cover essentially all socket-based protocols. Because every active user socket has an associated inode, no security field was added to the socket structure or to the lower-level sock structure. The socket hooks provide general mediation of a process's network access, substantially extending the kernel's network access-control framework (which the Linux kernel firewall, netfilter, already handles at the network layer). For example, the sock_rcv_skb hook lets a packet entering the kernel be mediated according to its destination before it is queued to the corresponding user-space socket. LSM also implements finer-grained hooks for IPv4, UNIX domain and Netlink sockets; hooks for other protocols may be implemented in the future. Network data travels the protocol stack wrapped in sk_buff structures (socket buffers); LSM added a security field to sk_buff, which makes it possible to manage security information for data passing through the network layers at packet granularity, and a set of sk_buff hooks maintains this field over the buffer's whole life cycle. Hardware and software network devices are encapsulated in net_device structures, to which a security field was also added so that security information can be maintained per device.

Finally, the other hooks. LSM provides two further groups: module hooks and top-level system hooks. The module hooks control the kernel operations that create, initialise and delete kernel modules. The system hooks control system operations such as setting the hostname, accessing I/O ports and configuring process accounting. The current kernel provides some support for these system operations through capability checks, but those checks differ widely from operation to operation and pass no parameter information.
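The following added example, written for this page and not taken from any real security module, puts the task hooks, the program-loading hooks and the inode hooks of the paragraphs above together in one user-space model to show how a module uses the void* security fields. The hook names (inode_permission, bprm_set_security, bprm_compute_creds, task_kill), the DTE-style policy with domains, types and entry rules, the struct layouts, the do_execve()/vfs_access()/sys_kill() call sites and the sample inodes and tasks are all assumptions for the example. It shows the two-step protocol on execve(): the module decides and parks the new domain in the binprm's security field before the load, and only after a successful load does it update the task's security field, so a refused exec leaves the task exactly as it was.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define MAY_READ  4
#define MAY_WRITE 2
#define MAY_EXEC  1

struct task_struct  { const char *comm; void *security; };    /* security: domain name */
struct inode        { const char *path; void *security; };    /* security: type name */
struct linux_binprm { struct inode *file; void *security; };  /* security: domain to enter */

struct security_operations {
    int  (*inode_permission)(struct task_struct *tsk, struct inode *inode, int mask);
    int  (*bprm_set_security)(struct linux_binprm *bprm);     /* before the load: decide */
    void (*bprm_compute_creds)(struct task_struct *tsk, struct linux_binprm *bprm); /* after: apply */
    int  (*task_kill)(struct task_struct *sender, struct task_struct *target);
};

/* The policy, made up for this example: entry rules plus a domain/type access matrix. */
struct entry_rule  { const char *exec_type; const char *domain; };
struct access_rule { const char *domain; const char *type; int mask; };
static const struct entry_rule entry_rules[] = {
    { "shell_exec_t", "user_d" },                /* executing a shell enters user_d */
};
static const struct access_rule access_rules[] = {
    { "login_d", "shadow_t",     MAY_READ },
    { "login_d", "shell_exec_t", MAY_EXEC },
    { "user_d",  "user_home_t",  MAY_READ | MAY_WRITE },
    { "user_d",  "shell_exec_t", MAY_EXEC },
    { "user_d",  "tool_exec_t",  MAY_EXEC },     /* executable, but no entry rule for it */
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static const char *domain_for(const char *exec_type)
{
    for (size_t i = 0; i < COUNT(entry_rules); i++)
        if (strcmp(entry_rules[i].exec_type, exec_type) == 0)
            return entry_rules[i].domain;
    return NULL;
}
static int allowed(const char *domain, const char *type, int mask)
{
    for (size_t i = 0; i < COUNT(access_rules); i++)
        if (strcmp(access_rules[i].domain, domain) == 0 && strcmp(access_rules[i].type, type) == 0)
            return (access_rules[i].mask & mask) == mask;
    return 0;
}

/* The module's hooks. */
static int dte_inode_permission(struct task_struct *tsk, struct inode *inode, int mask)
{
    const char *domain = tsk->security, *type = inode->security;
    if (!domain || !type) return -EACCES;        /* unlabelled task or object: fail closed */
    return allowed(domain, type, mask) ? 0 : -EACCES;
}
static int dte_bprm_set_security(struct linux_binprm *bprm)
{
    const char *domain = domain_for(bprm->file->security);
    if (!domain) return -EACCES;                 /* no entry rule: refuse to run the program */
    bprm->security = (void *)domain;             /* parked in the binprm until the load succeeds */
    return 0;
}
static void dte_bprm_compute_creds(struct task_struct *tsk, struct linux_binprm *bprm)
{ tsk->security = bprm->security; }              /* the domain transition takes effect */
static int dte_task_kill(struct task_struct *sender, struct task_struct *target)
{ return strcmp(sender->security, target->security) == 0 ? 0 : -EPERM; }  /* same domain only */
static struct security_operations dte_ops =
    { dte_inode_permission, dte_bprm_set_security, dte_bprm_compute_creds, dte_task_kill };
static struct security_operations *security_ops = &dte_ops;

/* The kernel side: where execve(), file access and kill() call the hooks. */
int do_execve(struct task_struct *tsk, struct inode *program)
{
    struct linux_binprm bprm = { program, NULL };
    int rc = security_ops->inode_permission(tsk, program, MAY_EXEC);
    if (rc == 0)
        rc = security_ops->bprm_set_security(&bprm);
    if (rc)
        return rc;                               /* refused: the task is left unchanged */
    /* ... the new image is mapped and the old one discarded here ... */
    security_ops->bprm_compute_creds(tsk, &bprm);
    return 0;
}
int vfs_access(struct task_struct *tsk, struct inode *inode, int mask)
{ return security_ops->inode_permission(tsk, inode, mask); }
int sys_kill(struct task_struct *sender, struct task_struct *target)
{ return security_ops->task_kill(sender, target); }

/* Constructed sample objects; the second member of each is its security field. */
struct inode shadow = { "/etc/shadow",       "shadow_t"     };
struct inode shell  = { "/bin/sh",           "shell_exec_t" };
struct inode home   = { "/home/alice/notes", "user_home_t"  };
struct inode tool   = { "/usr/bin/tool",     "tool_exec_t"  };
struct task_struct login_task = { "login", "login_d" };
struct task_struct getty_task = { "getty", "login_d" };

int main(void)
{
    int rc = do_execve(&login_task, &shell);
    printf("exec /bin/sh -> %d, task now in %s\n", rc, (char *)login_task.security);
    return 0;
}
```

Running it shows the login task, which may read the shadow file while in login_d, losing that access the moment it executes the shell and lands in user_d; the tool binary, which user_d may execute but for which no entry rule exists, is refused at bprm_set_security() and the task's domain is untouched. A module that updated the task's security field before the load succeeded would leave a task in the new domain running the old image whenever the load failed afterwards, which is why the two steps are separate hooks.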

 


5. Module specification: ready-made security features for ordinary users

The value of LSM for ordinary users is that a variety of security modules can be provided, from which the user chooses and loads into the kernel the one that delivers the security functions they need. LSM itself only provides the mechanism for enhancing access-control policy; each security module implements a specific policy. Some of the security modules implemented so far are introduced briefly below.

SELinux. An implementation of the Flask flexible access-control architecture in Linux, providing Type Enforcement, role-based access control and an optional multi-level security policy. SELinux was originally implemented as a kernel patch and has now been re-implemented as an LSM security module. It can confine processes to the least privilege they need, protect the integrity and confidentiality of processes and data, and support application security requirements.

DTE Linux. An implementation of Domain and Type Enforcement in Linux. Like SELinux, DTE Linux was originally a kernel patch and has now been re-implemented as an LSM security module. With this module loaded, types are assigned to objects and domains to processes, and the DTE policy restricts access between domains and from domains to types.

The LSM port of the Openwall kernel patch. The Openwall kernel patch provides a set of security features that protect a system against attacks such as buffer overflows and temporary-file races. A security module supporting a subset of the Openwall patch is under development.

POSIX.1e capabilities. The Linux kernel already contains the POSIX.1e capabilities logic; LSM splits that logic out into a security module. This lets users who do not want the feature leave it out of their kernel, and lets the capabilities logic evolve more independently of kernel development.

LIDS. A project started by Xie Huagang of China. It began as an intrusion detection system and gradually evolved into an access-control system used for intrusion prevention, which controls access by describing which files a given program may access. Like the others, LIDS was originally a kernel patch with some administration tools and has now been re-implemented as an LSM security module.

And, of course, the default traditional superuser mechanism. This is the default LSM security module; it implements the traditional UNIX superuser privilege mechanism.

 


6. How to use it: step by step

LSM is currently implemented as a patch to the Linux kernel, released under the GPL for free use.

First, download from http://lsm.immunix.org/lsm_download.html the LSM patch for the appropriate stable Linux 2.4 or development Linux 2.5 kernel, place the kernel source in a directory such as /path/to/linux-2.4.x, and apply the patch to the kernel with the following commands (running the patch command with --dry-run first shows whether it applies cleanly without touching the tree):

# cd /path/to/linux-2.4.x
# zcat /path/to/patch-2.4.x-lsm.gz | patch -p1

Then visit http://lsm.immunix.org/lsm_modules.html for links to the sites of the implemented security modules, download the security module you need and load it into the Linux kernel, so that the security policy you want takes effect and the security of the system is enhanced. The installation of each security module is omitted here; every module ships detailed installation instructions, for example those of the SELinux security module at http://www.nsa.gov/selinux/doc/readme.html and those of the LIDS security module at http://www.lids.org/install.html.

Users with a background in the Linux kernel and in security, and with development experience, who want to write a security module for the policy they need can follow LSM and the source code of the existing security modules at http://lsm.immunix.org/lsm_bk.html and use them as a reference for their own module. In that way they meet their own security needs and at the same time contribute to the development of LSM, helping it to be accepted by the Linux kernel as the standard for kernel security so that more users benefit.

 


7. Conclusion: a future standard

LSM came about because, on the one hand, the existing security mechanism of the Linux kernel is not enough and, on the other, the existing security enhancement systems are all different and hard to use. LSM answers this problem well: its patch is relatively small, its changes to the kernel source have little impact and its overhead is low, while it offers good interface support for the existing security enhancement systems, and a number of good security modules are already available. LSM is still a kernel patch, maintained for both the stable Linux 2.4 series and the Linux 2.5 development series, and it has a good chance of entering the stable Linux 2.6 kernel. We look forward to the day when LSM is accepted by the Linux kernel as the standard for kernel security and is available to more and more users in every Linux distribution.

Source article: "How to enhance the security of a Linux system, Part 1: Introduction to Linux Security Modules (LSM)", IBM developerWorks China.
