Linux Security Modules

Linux Security Modules (LSM) is a framework allowing the Linux kernel to support without bias a variety of computer security models. LSM is licensed under the terms of the GNU General Public License and has been a standard part of the Linux kernel since Linux 2.6. AppArmor, SELinux, Smack, and TOMOYO Linux are the currently approved security modules in the official kernel.


Design

LSM was designed to meet all the requirements for successfully implementing a mandatory access control module, while imposing the fewest possible changes to the Linux kernel. LSM avoids the approach of system call interposition used by Systrace because it doesn't scale to multiprocessor kernels and is subject to TOCTTOU (race) attacks. Instead, LSM inserts "hooks" (upcalls to the module) at every point in the kernel where a user-level system call is about to result in access to an important internal kernel object such as inodes and task control blocks.

LSM is narrowly scoped to solve the problem of access control, while not imposing a large and complex change-patch on the mainstream kernel. It isn't intended to be a general "hook" or "upcall" mechanism, nor does it support operating system-level virtualization.

LSM's access-control goal is very closely related to the problem of system auditing, but is subtly different. Auditing requires that every attempt at access be recorded. LSM cannot deliver this, because it would require a great many more hooks, in order to detect cases where the kernel "short circuits" failing system calls and returns an error code before getting near significant objects.

The LSM design is described in the paper "Linux Security Modules: General Security Support for the Linux Kernel" presented at USENIX Security 2002. At the same conference was the paper "Using CQUAL for Static Analysis of Authorization Hook Placement", which studied automatic static analysis of the kernel code to verify that all of the necessary hooks have actually been inserted into the Linux kernel.
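The TOCTTOU argument against system call interposition, and the reason LSM hooks sit next to the kernel object instead, can be shown with a small userspace model. This is an added example, not kernel code and not taken from the LSM sources; the paths, the `hook_inode_permission` name and the `swap_path` helper are hypothetical and constructed for illustration.

```c
/* Userspace model, not kernel code. Paths and names are constructed. */
#include <stdio.h>
#include <string.h>

struct inode { const char *name; int secret; };     /* toy kernel object */
static struct inode files[] = { {"/data/public", 0}, {"/data/secret", 1} };

/* Toy lookup: resolve whatever the user buffer holds right now. */
static struct inode *resolve(const char *user_path) {
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(files[i].name, user_path) == 0) return &files[i];
    return NULL;
}

/* Policy decision on an object; -1 models a denial such as -EACCES. */
static int hook_inode_permission(const struct inode *ino) {
    return ino->secret ? -1 : 0;
}

/* Models a second thread rewriting the syscall argument in user memory. */
static void swap_path(char *p) { strcpy(p, "/data/secret"); }

/* Interposition: the argument is checked at the syscall boundary, then the
 * kernel reads it again. Returns the `secret` flag of what was opened. */
static int open_interposed(char *user_path, void (*racer)(char *)) {
    struct inode *checked = resolve(user_path);         /* time of check */
    if (!checked || hook_inode_permission(checked)) return -1;
    if (racer) racer(user_path);                         /* race window */
    struct inode *used = resolve(user_path);            /* time of use */
    return used ? used->secret : -1;
}

/* LSM style: one lookup, and the hook judges the object about to be used. */
static int open_with_hook(char *user_path, void (*racer)(char *)) {
    if (racer) racer(user_path);          /* rewriting the path gains nothing */
    struct inode *ino = resolve(user_path);
    if (!ino || hook_inode_permission(ino)) return -1;
    return ino->secret;
}

int main(void) {
    char a[32] = "/data/public", b[32] = "/data/public";
    printf("interposed: %d\n", open_interposed(a, swap_path));
    printf("hooked:     %d\n", open_with_hook(b, swap_path));
    return 0;
}
```

In the interposed variant the policy approves one object and a different one is opened; in the hooked variant the decision and the access refer to the same resolved object, so the rewritten path is simply denied.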


Adoption

* AppArmor
* SELinux
* Smack
* TOMOYO
* Landlock


History

At the 2001 Linux Kernel Summit, the NSA proposed that SELinux be included in Linux 2.5. Linus Torvalds rejected SELinux at that time, because he observed that there were many different security projects in development, and since they all differed, the security community had not yet formed consensus on the ultimate security model. Instead, Linus charged the security community to "make it a module". In response, Crispin Cowan proposed LSM: an interface for the Linux kernel that provides sufficient "hooks" (upcalls) from within the Linux kernel to a loadable module so as to allow the module to enforce mandatory access controls. Development of LSM over the next two years was conducted by the LSM community, including substantial contributions from the Immunix Corporation, the NSA, McAfee, IBM, Silicon Graphics, and many independent contributors. LSM was ultimately accepted into the Linux kernel mainstream and was included as a standard part of Linux 2.6 in December 2003.

In 2006, some kernel developers observed that SELinux was the only widely used LSM module included in the mainstream Linux kernel source tree. If there is to be only one widely used LSM module, it was reasoned, then the indirection of LSM is unnecessary, and LSM should be removed and replaced with SELinux itself. However, there are other LSM modules maintained outside of the mainstream kernel tree (AppArmor, Linux Intrusion Detection System, FireFlier, CIPSO, Multi ADM, etc.), so this argument led to two results: (1) developers of these modules started putting effort into upstreaming their respective modules, and (2) at the 2006 Kernel Summit, Linus once again asserted that LSM would stay because he does not want to arbitrate which is the best security model. LSM is likely to remain since additional security modules Smack (version 2.6.25), TOMOYO Linux (version 2.6.30, June 2009) and AppArmor (version 2.6.36) were accepted in the mainline kernel.


External links

* SysAdmin magazine article on BSD Secure Levels
* Security Projects based on the Linux kernel