Linux Security Modules: General Security Support for the Linux Kernel

Chris Wright and Crispin Cowan, WireX Communications, Inc.
Stephen Smalley, NAI Labs, Network Associates, Inc.
James Morris, Intercode Pty Ltd
Greg Kroah-Hartman, IBM Linux Technology Center

August 17, 2002

This work supported in part by DARPA Contract N66001-00-C8032 (Autonomix).
This work supported by NSA Contract MDA904-01-C-0926 (SELinux).
This work represents the view of the authors and does not necessarily represent the view of IBM.

Abstract

The access control mechanisms of existing mainstream operating systems are inadequate to provide strong system security. Enhanced access control mechanisms have failed to win acceptance into mainstream operating systems due in part to a lack of consensus within the security community on the right solution. Since general-purpose operating systems must satisfy a wide range of user requirements, any access control mechanism integrated into such a system must be capable of supporting many different access control models. The Linux Security Modules (LSM) project has developed a lightweight, general purpose access control framework for the mainstream Linux kernel that enables many different access control models to be implemented as loadable kernel modules. A number of existing enhanced access control implementations, including Linux capabilities, Security-Enhanced Linux (SELinux), and Domain and Type Enforcement (DTE), have already been adapted to use the LSM framework. This paper presents the design and implementation of LSM and discusses the challenges in providing a truly general solution that minimally impacts the Linux kernel.

1 Introduction

The critical role of operating system protection mechanisms in providing system security has been well understood for over thirty years, yet the access control mechanisms of existing mainstream operating systems are still inadequate to provide strong security [2, 37, 27, 16, 25, 6, 29]. Although many enhanced access control models and frameworks have been proposed and implemented [9, 1, 4, 39, 22, 10, 28, 35], mainstream operating systems typically still lack support for these enhancements. In part, the absence of such enhancements is due to a lack of agreement within the security community on the right general solution.

Like many other general purpose operating systems, the Linux kernel only provides discretionary access controls and lacks any direct support for enhanced access control mechanisms. However, Linux has long supported dynamically loadable kernel modules, primarily for device drivers, but also for other components such as filesystems. In principle, enhanced access controls could be implemented as Linux kernel modules, permitting many different security models to be supported. In practice, creating effective security modules is problematic, since the kernel does not provide any infrastructure to allow kernel modules to mediate access to kernel objects. As a result, kernel modules typically resort to system call interposition to control kernel operations [17, 19], which has serious limitations as a method for providing access control [39]. Furthermore, these kernel modules often require re-implementing selected kernel functionality [17, 19] or require a patch to the kernel to support the module [10, 3, 14], reducing much of the value of modular composition. Hence, many projects have implemented enhanced access control frameworks or models for the Linux kernel as kernel patches [28, 35, 22, 31, 26].

At the Linux Kernel 2.5 Summit, the NSA presented their work on Security-Enhanced Linux (SELinux) [28], an implementation of a flexible access control architecture in the Linux kernel, and emphasized the need for such support in the mainstream Linux kernel. Linus Torvalds appeared to accept that a general access control framework for the Linux kernel is needed, but favored a new infrastructure that would provide the necessary support to kernel modules for implementing security. This approach would avoid the need to choose among the existing competing projects.

In response to Linus' guidance, the Linux Security Modules (LSM) [43, 38] project has developed a lightweight, general purpose access control framework for the mainstream Linux kernel that enables many different access control models to be implemented as loadable kernel modules. A number of existing enhanced access control implementations, including POSIX.1e capabilities [40], SELinux, and Domain and Type Enforcement (DTE) [22], have already been adapted to use the LSM framework.

The LSM framework meets the goal of enabling many different security models with the same base Linux kernel while minimally impacting the Linux kernel. The generality of LSM permits enhanced access controls to be effectively implemented without requiring kernel patches. LSM also permits the existing security functionality of POSIX.1e capabilities to be cleanly separated from the base kernel. This allows users with specialized needs, such as embedded system developers, to reduce security features to a minimum for performance. It also enables development of POSIX.1e capabilities to proceed with greater independence from the base kernel.

2 The Problem: Constrained Design Space

The design of LSM was constrained by the practical and technical concerns of both the Linux kernel developers and the various Linux security projects. In email on the topic, Linus Torvalds specified that the security framework must be:

- truly generic, where using a different security model is merely a matter of loading a different kernel module;
- conceptually simple, minimally invasive, and efficient; and
- able to support the existing POSIX.1e capabilities logic as an optional security module.

The various Linux security projects were primarily interested in ensuring that the security framework would be adequate to permit them to re-implement their existing security functionality as a loadable kernel module. The new modular implementation must not cause any significant loss in the security being provided and should have little additional performance overhead.

The core functionality for most of these security projects was access control. However, a few security projects also desired other kinds of security functionality, such as security auditing or virtualized environments. Furthermore, there were significant differences over the range of flexibility for the access controls. Most of the security projects were only interested in further restricting access, i.e. being able to deny accesses that would ordinarily be granted by the existing Linux discretionary access control (DAC) logic.