[linux-2.6] / Documentation / DocBook / lsm.tmpl

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
	"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" []>

<article class="whitepaper" id="LinuxSecurityModule" lang="en">
 <articleinfo>
 <title>Linux Security Modules:  General Security Hooks for Linux</title>
 <authorgroup>
 <author>
 <firstname>Stephen</firstname> 
 <surname>Smalley</surname>
 <affiliation>
 <orgname>NAI Labs</orgname>
 <address><email>ssmalley@nai.com</email></address>
 </affiliation>
 </author>
 <author>
 <firstname>Timothy</firstname> 
 <surname>Fraser</surname>
 <affiliation>
 <orgname>NAI Labs</orgname>
 <address><email>tfraser@nai.com</email></address>
 </affiliation>
 </author>
 <author>
 <firstname>Chris</firstname> 
 <surname>Vance</surname>
 <affiliation>
 <orgname>NAI Labs</orgname>
 <address><email>cvance@nai.com</email></address>
 </affiliation>
 </author>
 </authorgroup>
 </articleinfo>

<sect1 id="Introduction"><title>Introduction</title>

<para>
In March 2001, the National Security Agency (NSA) gave a presentation
about Security-Enhanced Linux (SELinux) at the 2.5 Linux Kernel
Summit.  SELinux is an implementation of flexible and fine-grained
nondiscretionary access controls in the Linux kernel, originally
implemented as its own particular kernel patch.  Several other
security projects (e.g. RSBAC, Medusa) have also developed flexible
access control architectures for the Linux kernel, and various
projects have developed particular access control models for Linux
(e.g. LIDS, DTE, SubDomain).  Each project has developed and
maintained its own kernel patch to support its security needs.
</para>

<para>
In response to the NSA presentation, Linus Torvalds made a set of
remarks that described a security framework he would be willing to
consider for inclusion in the mainstream Linux kernel.  He described a
general framework that would provide a set of security hooks to
control operations on kernel objects and a set of opaque security
fields in kernel data structures for maintaining security attributes.
This framework could then be used by loadable kernel modules to
implement any desired model of security.  Linus also suggested the
possibility of migrating the Linux capabilities code into such a
module.
</para>

<para>
The Linux Security Modules (LSM) project was started by WireX to
develop such a framework.  LSM is a joint development effort by
several security projects, including Immunix, SELinux, SGI and Janus,
and several individuals, including Greg Kroah-Hartman and James
Morris, to develop a Linux kernel patch that implements this
framework.  The patch is currently tracking the 2.4 series and is
targeted for integration into the 2.5 development series.  This
technical report provides an overview of the framework and the example
capabilities security module provided by the LSM kernel patch.
</para>

</sect1>

<sect1 id="framework"><title>LSM Framework</title>

<para>
The LSM kernel patch provides a general kernel framework to support
security modules.  In particular, the LSM framework is primarily
focused on supporting access control modules, although future
development is likely to address other security needs such as
auditing.  By itself, the framework does not provide any additional
security; it merely provides the infrastructure to support security
modules.  The LSM kernel patch also moves most of the capabilities
logic into an optional security module, with the system defaulting
to the traditional superuser logic.  This capabilities module
is discussed further in <xref linkend="cap"/>.
</para>

<para>
The LSM kernel patch adds security fields to kernel data structures
and inserts calls to hook functions at critical points in the kernel
code to manage the security fields and to perform access control.  It
also adds functions for registering and unregistering security
modules, and adds a general <function>security</function> system call
to support new system calls for security-aware applications.
</para>

<para>
The LSM security fields are simply <type>void*</type> pointers.  For
process and program execution security information, security fields
were added to <structname>struct task_struct</structname> and 
<structname>struct linux_binprm</structname>.  For filesystem security
information, a security field was added to 
<structname>struct super_block</structname>.  For pipe, file, and socket
security information, security fields were added to 
<structname>struct inode</structname> and 
<structname>struct file</structname>.  For packet and network device security
information, security fields were added to
<structname>struct sk_buff</structname> and
<structname>struct net_device</structname>.  For System V IPC security
information, security fields were added to
<structname>struct kern_ipc_perm</structname> and
<structname>struct msg_msg</structname>; additionally, the definitions
for <structname>struct msg_msg</structname>, <structname>struct 
msg_queue</structname>, and <structname>struct 
shmid_kernel</structname> were moved to header files
(<filename>include/linux/msg.h</filename> and
<filename>include/linux/shm.h</filename> as appropriate) to allow
the security modules to use these definitions.
</para>

<para>
Each LSM hook is a function pointer in a global table,
security_ops. This table is a
<structname>security_operations</structname> structure as defined by
<filename>include/linux/security.h</filename>.  Detailed documentation
for each hook is included in this header file.  At present, this
structure consists of a collection of substructures that group related
hooks based on the kernel object (e.g. task, inode, file, sk_buff,
etc) as well as some top-level hook function pointers for system
operations.  This structure is likely to be flattened in the future
for performance.  The placement of the hook calls in the kernel code
is described by the "called:" lines in the per-hook documentation in
the header file.  The hook calls can also be easily found in the
kernel code by looking for the string "security_ops->".

</para>

<para>
Linus mentioned per-process security hooks in his original remarks as a
possible alternative to global security hooks.  However, if LSM were
to start from the perspective of per-process hooks, then the base
framework would have to deal with how to handle operations that
involve multiple processes (e.g. kill), since each process might have
its own hook for controlling the operation.  This would require a
general mechanism for composing hooks in the base framework.
Additionally, LSM would still need global hooks for operations that
have no process context (e.g. network input operations).
Consequently, LSM provides global security hooks, but a security
module is free to implement per-process hooks (where that makes sense)
by storing a security_ops table in each process' security field and
then invoking these per-process hooks from the global hooks.
The problem of composition is thus deferred to the module.
</para>

<para>
The global security_ops table is initialized to a set of hook
functions provided by a dummy security module that provides
traditional superuser logic.  A <function>register_security</function>
function (in <filename>security/security.c</filename>) is provided to
allow a security module to set security_ops to refer to its own hook
functions, and an <function>unregister_security</function> function is
provided to revert security_ops to the dummy module hooks.  This
mechanism is used to set the primary security module, which is
responsible for making the final decision for each hook.
</para>

<para>
LSM also provides a simple mechanism for stacking additional security
modules with the primary security module.  It defines
<function>register_security</function> and
<function>unregister_security</function> hooks in the
<structname>security_operations</structname> structure and provides
<function>mod_reg_security</function> and
<function>mod_unreg_security</function> functions that invoke these
hooks after performing some sanity checking.  A security module can
call these functions in order to stack with other modules.  However,
the actual details of how this stacking is handled are deferred to the
module, which can implement these hooks in any way it wishes
(including always returning an error if it does not wish to support
stacking).  In this manner, LSM again defers the problem of
composition to the module.
</para>

<para>
Although the LSM hooks are organized into substructures based on
kernel object, all of the hooks can be viewed as falling into two
major categories: hooks that are used to manage the security fields
and hooks that are used to perform access control.  Examples of the
first category of hooks include the
<function>alloc_security</function> and
<function>free_security</function> hooks defined for each kernel data
structure that has a security field.  These hooks are used to allocate
and free security structures for kernel objects.  The first category
of hooks also includes hooks that set information in the security
field after allocation, such as the <function>post_lookup</function>
hook in <structname>struct inode_security_ops</structname>.  This hook
is used to set security information for inodes after successful lookup
operations.  An example of the second category of hooks is the
<function>permission</function> hook in 
<structname>struct inode_security_ops</structname>.  This hook checks
permission when accessing an inode.
</para>

</sect1>

<sect1 id="cap"><title>LSM Capabilities Module</title>

<para>
The LSM kernel patch moves most of the existing POSIX.1e capabilities
logic into an optional security module stored in the file
<filename>security/capability.c</filename>.  This change allows
users who do not want to use capabilities to omit this code entirely
from their kernel, instead using the dummy module for traditional
superuser logic or any other module that they desire.  This change
also allows the developers of the capabilities logic to maintain and
enhance their code more freely, without needing to integrate patches
back into the base kernel.
</para>

<para>
In addition to moving the capabilities logic, the LSM kernel patch
could move the capability-related fields from the kernel data
structures into the new security fields managed by the security
modules.  However, at present, the LSM kernel patch leaves the
capability fields in the kernel data structures.  In his original
remarks, Linus suggested that this might be preferable so that other
security modules can be easily stacked with the capabilities module
without needing to chain multiple security structures on the security field.
It also avoids imposing extra overhead on the capabilities module
to manage the security fields.  However, the LSM framework could
certainly support such a move if it is determined to be desirable,
with only a few additional changes described below.
</para>

<para>
At present, the capabilities logic for computing process capabilities
on <function>execve</function> and <function>set*uid</function>,
checking capabilities for a particular process, saving and checking
capabilities for netlink messages, and handling the
<function>capget</function> and <function>capset</function> system
calls have been moved into the capabilities module.  There are still a
few locations in the base kernel where capability-related fields are
directly examined or modified, but the current version of the LSM
patch does allow a security module to completely replace the
assignment and testing of capabilities.  These few locations would
need to be changed if the capability-related fields were moved into
the security field.  The following is a list of known locations that
still perform such direct examination or modification of
capability-related fields:
<itemizedlist>
<listitem><para><filename>fs/open.c</filename>:<function>sys_access</function></para></listitem>
<listitem><para><filename>fs/lockd/host.c</filename>:<function>nlm_bind_host</function></para></listitem>
<listitem><para><filename>fs/nfsd/auth.c</filename>:<function>nfsd_setuser</function></para></listitem>
<listitem><para><filename>fs/proc/array.c</filename>:<function>task_cap</function></para></listitem>
</itemizedlist>
</para>

</sect1>

</article>
Commit	Line	Data
1da177e4 LT	1	<?xml version="1.0" encoding="UTF-8"?>
	2	<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" []>
	4
	5	<article class="whitepaper" id="LinuxSecurityModule" lang="en">
	6	<articleinfo>
	7	<title>Linux Security Modules: General Security Hooks for Linux</title>
	8	<authorgroup>
	9	<author>
	10	<firstname>Stephen</firstname>
	11	<surname>Smalley</surname>
	12	<affiliation>
	13	<orgname>NAI Labs</orgname>
	14	<address><email>ssmalley@nai.com</email></address>
	15	</affiliation>
	16	</author>
	17	<author>
	18	<firstname>Timothy</firstname>
	19	<surname>Fraser</surname>
	20	<affiliation>
	21	<orgname>NAI Labs</orgname>
	22	<address><email>tfraser@nai.com</email></address>
	23	</affiliation>
	24	</author>
	25	<author>
	26	<firstname>Chris</firstname>
	27	<surname>Vance</surname>
	28	<affiliation>
	29	<orgname>NAI Labs</orgname>
	30	<address><email>cvance@nai.com</email></address>
	31	</affiliation>
	32	</author>
	33	</authorgroup>
	34	</articleinfo>
	35
90ad38b7	36	<sect1 id="Introduction"><title>Introduction</title>
1da177e4 LT	37
	38	<para>
	39	In March 2001, the National Security Agency (NSA) gave a presentation
	40	about Security-Enhanced Linux (SELinux) at the 2.5 Linux Kernel
	41	Summit. SELinux is an implementation of flexible and fine-grained
	42	nondiscretionary access controls in the Linux kernel, originally
	43	implemented as its own particular kernel patch. Several other
	44	security projects (e.g. RSBAC, Medusa) have also developed flexible
	45	access control architectures for the Linux kernel, and various
	46	projects have developed particular access control models for Linux
	47	(e.g. LIDS, DTE, SubDomain). Each project has developed and
	48	maintained its own kernel patch to support its security needs.
	49	</para>
	50
	51	<para>
	52	In response to the NSA presentation, Linus Torvalds made a set of
	53	remarks that described a security framework he would be willing to
	54	consider for inclusion in the mainstream Linux kernel. He described a
	55	general framework that would provide a set of security hooks to
	56	control operations on kernel objects and a set of opaque security
	57	fields in kernel data structures for maintaining security attributes.
	58	This framework could then be used by loadable kernel modules to
	59	implement any desired model of security. Linus also suggested the
	60	possibility of migrating the Linux capabilities code into such a
	61	module.
	62	</para>
	63
	64	<para>
	65	The Linux Security Modules (LSM) project was started by WireX to
	66	develop such a framework. LSM is a joint development effort by
	67	several security projects, including Immunix, SELinux, SGI and Janus,
	68	and several individuals, including Greg Kroah-Hartman and James
	69	Morris, to develop a Linux kernel patch that implements this
	70	framework. The patch is currently tracking the 2.4 series and is
	71	targeted for integration into the 2.5 development series. This
	72	technical report provides an overview of the framework and the example
	73	capabilities security module provided by the LSM kernel patch.
	74	</para>
	75
	76	</sect1>
	77
	78	<sect1 id="framework"><title>LSM Framework</title>
	79
	80	<para>
	81	The LSM kernel patch provides a general kernel framework to support
	82	security modules. In particular, the LSM framework is primarily
	83	focused on supporting access control modules, although future
	84	development is likely to address other security needs such as
	85	auditing. By itself, the framework does not provide any additional
	86	security; it merely provides the infrastructure to support security
	87	modules. The LSM kernel patch also moves most of the capabilities
	88	logic into an optional security module, with the system defaulting
	89	to the traditional superuser logic. This capabilities module
	90	is discussed further in <xref linkend="cap"/>.
	91	</para>
	92
	93	<para>
	94	The LSM kernel patch adds security fields to kernel data structures
	95	and inserts calls to hook functions at critical points in the kernel
	96	code to manage the security fields and to perform access control. It
	97	also adds functions for registering and unregistering security
	98	modules, and adds a general <function>security</function> system call
	99	to support new system calls for security-aware applications.
	100	</para>
101
102	<para>
103	The LSM security fields are simply <type>void*</type> pointers. For
104	process and program execution security information, security fields
105	were added to <structname>struct task_struct</structname> and
106	<structname>struct linux_binprm</structname>. For filesystem security
107	information, a security field was added to
108	<structname>struct super_block</structname>. For pipe, file, and socket
109	security information, security fields were added to
110	<structname>struct inode</structname> and
111	<structname>struct file</structname>. For packet and network device security
112	information, security fields were added to
113	<structname>struct sk_buff</structname> and
114	<structname>struct net_device</structname>. For System V IPC security
115	information, security fields were added to
116	<structname>struct kern_ipc_perm</structname> and
117	<structname>struct msg_msg</structname>; additionally, the definitions
118	for <structname>struct msg_msg</structname>, <structname>struct
119	msg_queue</structname>, and <structname>struct
120	shmid_kernel</structname> were moved to header files
121	(<filename>include/linux/msg.h</filename> and
122	<filename>include/linux/shm.h</filename> as appropriate) to allow
123	the security modules to use these definitions.
124	</para>
125
126	<para>
127	Each LSM hook is a function pointer in a global table,
128	security_ops. This table is a
129	<structname>security_operations</structname> structure as defined by
130	<filename>include/linux/security.h</filename>. Detailed documentation
131	for each hook is included in this header file. At present, this
132	structure consists of a collection of substructures that group related
133	hooks based on the kernel object (e.g. task, inode, file, sk_buff,
134	etc) as well as some top-level hook function pointers for system
135	operations. This structure is likely to be flattened in the future
136	for performance. The placement of the hook calls in the kernel code
137	is described by the "called:" lines in the per-hook documentation in
138	the header file. The hook calls can also be easily found in the
139	kernel code by looking for the string "security_ops->".
140
141	</para>
142
143	<para>
144	Linus mentioned per-process security hooks in his original remarks as a
145	possible alternative to global security hooks. However, if LSM were
146	to start from the perspective of per-process hooks, then the base
147	framework would have to deal with how to handle operations that
148	involve multiple processes (e.g. kill), since each process might have
149	its own hook for controlling the operation. This would require a
150	general mechanism for composing hooks in the base framework.
151	Additionally, LSM would still need global hooks for operations that
152	have no process context (e.g. network input operations).
153	Consequently, LSM provides global security hooks, but a security
154	module is free to implement per-process hooks (where that makes sense)
155	by storing a security_ops table in each process' security field and
156	then invoking these per-process hooks from the global hooks.
157	The problem of composition is thus deferred to the module.
158	</para>
159
160	<para>
161	The global security_ops table is initialized to a set of hook
162	functions provided by a dummy security module that provides
163	traditional superuser logic. A <function>register_security</function>
164	function (in <filename>security/security.c</filename>) is provided to
165	allow a security module to set security_ops to refer to its own hook
166	functions, and an <function>unregister_security</function> function is
167	provided to revert security_ops to the dummy module hooks. This
168	mechanism is used to set the primary security module, which is
169	responsible for making the final decision for each hook.
170	</para>
171
172	<para>
173	LSM also provides a simple mechanism for stacking additional security
174	modules with the primary security module. It defines
175	<function>register_security</function> and
176	<function>unregister_security</function> hooks in the
177	<structname>security_operations</structname> structure and provides
178	<function>mod_reg_security</function> and
179	<function>mod_unreg_security</function> functions that invoke these
180	hooks after performing some sanity checking. A security module can
181	call these functions in order to stack with other modules. However,
182	the actual details of how this stacking is handled are deferred to the
183	module, which can implement these hooks in any way it wishes
184	(including always returning an error if it does not wish to support
185	stacking). In this manner, LSM again defers the problem of
186	composition to the module.
187	</para>
188
189	<para>
190	Although the LSM hooks are organized into substructures based on
191	kernel object, all of the hooks can be viewed as falling into two
192	major categories: hooks that are used to manage the security fields
193	and hooks that are used to perform access control. Examples of the
194	first category of hooks include the
195	<function>alloc_security</function> and
196	<function>free_security</function> hooks defined for each kernel data
197	structure that has a security field. These hooks are used to allocate
198	and free security structures for kernel objects. The first category
199	of hooks also includes hooks that set information in the security
200	field after allocation, such as the <function>post_lookup</function>
201	hook in <structname>struct inode_security_ops</structname>. This hook
202	is used to set security information for inodes after successful lookup
203	operations. An example of the second category of hooks is the
204	<function>permission</function> hook in
205	<structname>struct inode_security_ops</structname>. This hook checks
206	permission when accessing an inode.
207	</para>
208
209	</sect1>
210
211	<sect1 id="cap"><title>LSM Capabilities Module</title>
212
213	<para>
214	The LSM kernel patch moves most of the existing POSIX.1e capabilities
215	logic into an optional security module stored in the file
216	<filename>security/capability.c</filename>. This change allows
217	users who do not want to use capabilities to omit this code entirely
218	from their kernel, instead using the dummy module for traditional
219	superuser logic or any other module that they desire. This change
220	also allows the developers of the capabilities logic to maintain and
221	enhance their code more freely, without needing to integrate patches
222	back into the base kernel.
223	</para>
224
225	<para>
226	In addition to moving the capabilities logic, the LSM kernel patch
227	could move the capability-related fields from the kernel data
228	structures into the new security fields managed by the security
229	modules. However, at present, the LSM kernel patch leaves the
230	capability fields in the kernel data structures. In his original
231	remarks, Linus suggested that this might be preferable so that other
232	security modules can be easily stacked with the capabilities module
233	without needing to chain multiple security structures on the security field.
234	It also avoids imposing extra overhead on the capabilities module
235	to manage the security fields. However, the LSM framework could
236	certainly support such a move if it is determined to be desirable,
237	with only a few additional changes described below.
238	</para>
239
240	<para>
241	At present, the capabilities logic for computing process capabilities
242	on <function>execve</function> and <function>set*uid</function>,
243	checking capabilities for a particular process, saving and checking
244	capabilities for netlink messages, and handling the
245	<function>capget</function> and <function>capset</function> system
246	calls have been moved into the capabilities module. There are still a
247	few locations in the base kernel where capability-related fields are
248	directly examined or modified, but the current version of the LSM
249	patch does allow a security module to completely replace the
250	assignment and testing of capabilities. These few locations would
251	need to be changed if the capability-related fields were moved into
252	the security field. The following is a list of known locations that
253	still perform such direct examination or modification of
254	capability-related fields:
255	<itemizedlist>
256	<listitem><para><filename>fs/open.c</filename>:<function>sys_access</function></para></listitem>
257	<listitem><para><filename>fs/lockd/host.c</filename>:<function>nlm_bind_host</function></para></listitem>
258	<listitem><para><filename>fs/nfsd/auth.c</filename>:<function>nfsd_setuser</function></para></listitem>
259	<listitem><para><filename>fs/proc/array.c</filename>:<function>task_cap</function></para></listitem>
260	</itemizedlist>
261	</para>
262
263	</sect1>
264
265	</article>