blob: c20c7c72e2d6693ac187da7cca5c637d183b9809 [file] [log] [blame]
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -03001========================================================
2Linux Security Modules: General Security Hooks for Linux
3========================================================
4
5:Author: Stephen Smalley
6:Author: Timothy Fraser
7:Author: Chris Vance
8
9.. note::
10
11 The APIs described in this book are outdated.
12
13Introduction
14============
15
16In March 2001, the National Security Agency (NSA) gave a presentation
17about Security-Enhanced Linux (SELinux) at the 2.5 Linux Kernel Summit.
18SELinux is an implementation of flexible and fine-grained
19nondiscretionary access controls in the Linux kernel, originally
20implemented as its own particular kernel patch. Several other security
21projects (e.g. RSBAC, Medusa) have also developed flexible access
22control architectures for the Linux kernel, and various projects have
23developed particular access control models for Linux (e.g. LIDS, DTE,
24SubDomain). Each project has developed and maintained its own kernel
25patch to support its security needs.
26
27In response to the NSA presentation, Linus Torvalds made a set of
28remarks that described a security framework he would be willing to
29consider for inclusion in the mainstream Linux kernel. He described a
30general framework that would provide a set of security hooks to control
31operations on kernel objects and a set of opaque security fields in
32kernel data structures for maintaining security attributes. This
33framework could then be used by loadable kernel modules to implement any
34desired model of security. Linus also suggested the possibility of
35migrating the Linux capabilities code into such a module.
36
37The Linux Security Modules (LSM) project was started by WireX to develop
Casey Schauflere2d467d2020-04-21 14:48:34 -070038such a framework. LSM was a joint development effort by several security
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -030039projects, including Immunix, SELinux, SGI and Janus, and several
40individuals, including Greg Kroah-Hartman and James Morris, to develop a
Casey Schauflere2d467d2020-04-21 14:48:34 -070041Linux kernel patch that implements this framework. The work was
42incorporated in the mainstream in December of 2003. This technical
43report provides an overview of the framework and the capabilities
44security module.
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -030045
46LSM Framework
47=============
48
Casey Schauflere2d467d2020-04-21 14:48:34 -070049The LSM framework provides a general kernel framework to support
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -030050security modules. In particular, the LSM framework is primarily focused
51on supporting access control modules, although future development is
Casey Schauflere2d467d2020-04-21 14:48:34 -070052likely to address other security needs such as sandboxing. By itself, the
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -030053framework does not provide any additional security; it merely provides
Casey Schauflere2d467d2020-04-21 14:48:34 -070054the infrastructure to support security modules. The LSM framework is
55optional, requiring `CONFIG_SECURITY` to be enabled. The capabilities
56logic is implemented as a security module.
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -030057This capabilities module is discussed further in
Brendan Jackman6795b292019-09-25 17:17:44 +070058`LSM Capabilities Module`_.
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -030059
Casey Schauflere2d467d2020-04-21 14:48:34 -070060The LSM framework includes security fields in kernel data structures and
61calls to hook functions at critical points in the kernel code to
62manage the security fields and to perform access control.
63It also adds functions for registering security modules.
64An interface `/sys/kernel/security/lsm` reports a comma separated list
65of security modules that are active on the system.
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -030066
Casey Schauflere2d467d2020-04-21 14:48:34 -070067The LSM security fields are simply ``void*`` pointers.
68The data is referred to as a blob, which may be managed by
69the framework or by the individual security modules that use it.
70Security blobs that are used by more than one security module are
71typically managed by the framework.
72For process and
73program execution security information, security fields are included in
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -030074:c:type:`struct task_struct <task_struct>` and
Casey Schauflere2d467d2020-04-21 14:48:34 -070075:c:type:`struct cred <cred>`.
76For filesystem
77security information, a security field is included in :c:type:`struct
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -030078super_block <super_block>`. For pipe, file, and socket security
Casey Schauflere2d467d2020-04-21 14:48:34 -070079information, security fields are included in :c:type:`struct inode
80<inode>` and :c:type:`struct file <file>`.
81For System V IPC security information,
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -030082security fields were added to :c:type:`struct kern_ipc_perm
83<kern_ipc_perm>` and :c:type:`struct msg_msg
84<msg_msg>`; additionally, the definitions for :c:type:`struct
85msg_msg <msg_msg>`, struct msg_queue, and struct shmid_kernel
86were moved to header files (``include/linux/msg.h`` and
87``include/linux/shm.h`` as appropriate) to allow the security modules to
88use these definitions.
89
Casey Schauflere2d467d2020-04-21 14:48:34 -070090For packet and
91network device security information, security fields were added to
92:c:type:`struct sk_buff <sk_buff>` and
93:c:type:`struct scm_cookie <scm_cookie>`.
94Unlike the other security module data, the data used here is a
9532-bit integer. The security modules are required to map or otherwise
96associate these values with real security attributes.
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -030097
Casey Schauflere2d467d2020-04-21 14:48:34 -070098LSM hooks are maintained in lists. A list is maintained for each
99hook, and the hooks are called in the order specified by CONFIG_LSM.
100Detailed documentation for each hook is
Randy Dunlap6d2ed652023-04-27 20:09:16 -0700101included in the `security/security.c` source file.
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -0300102
Casey Schauflere2d467d2020-04-21 14:48:34 -0700103The LSM framework provides for a close approximation of
104general security module stacking. It defines
105security_add_hooks() to which each security module passes a
106:c:type:`struct security_hooks_list <security_hooks_list>`,
107which are added to the lists.
108The LSM framework does not provide a mechanism for removing hooks that
109have been registered. The SELinux security module has implemented
110a way to remove itself, however the feature has been deprecated.
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -0300111
Casey Schauflere2d467d2020-04-21 14:48:34 -0700112The hooks can be viewed as falling into two major
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -0300113categories: hooks that are used to manage the security fields and hooks
114that are used to perform access control. Examples of the first category
Casey Schauflere2d467d2020-04-21 14:48:34 -0700115of hooks include the security_inode_alloc() and security_inode_free()
116These hooks are used to allocate
117and free security structures for inode objects.
118An example of the second category of hooks
119is the security_inode_permission() hook.
120This hook checks permission when accessing an inode.
Mauro Carvalho Chehab415008a2017-05-14 11:41:53 -0300121
122LSM Capabilities Module
123=======================
124
Casey Schauflere2d467d2020-04-21 14:48:34 -0700125The POSIX.1e capabilities logic is maintained as a security module
126stored in the file ``security/commoncap.c``. The capabilities
127module uses the order field of the :c:type:`lsm_info` description
128to identify it as the first security module to be registered.
129The capabilities security module does not use the general security
130blobs, unlike other modules. The reasons are historical and are
131based on overhead, complexity and performance concerns.