Design
LSM was designed to provide the specific needs of everything needed to successfully implement a mandatory access control module, while imposing the fewest possible changes to the Linux kernel. LSM avoids the approach of system call interposition as used in Systrace because it does not scale to multiprocessor kernels and is subject to TOCTTOU (race) attacks. Instead, LSM inserts "hooks" (upcalls to the module) at every point in the kernel where a user-level system call is about to result in access to an important internal kernel object such as inodes and task control blocks.
The project is narrowly scoped to solve the problem of access control to avoid imposing a large and complex change patch on the mainstream kernel. It is not intended as a general "hook" or "upcall" mechanism, nor does it support Operating system-level virtualization.
LSM's access control goal is very closely related to the problem of system auditing, but is subtly different. Auditing requires that every attempt at access be recorded. LSM cannot deliver that, because it would require a great many more hooks, so as to detect cases where the kernel "short circuits" failing system calls and returns an error code before getting near significant objects.
The LSM design is described in the paper Linux Security Modules: General Security Support for the Linux Kernel presented at USENIX Security 2002. At the same conference was the paper Using CQUAL for Static Analysis of Authorization Hook Placement which studied automatic static analysis of the kernel code to verify that all of the necessary hooks have actually been inserted into the Linux kernel.
Read more about this topic: Linux Security Modules
Famous quotes containing the word design:
“A good scientist is a person with original ideas. A good engineer is a person who makes a design that works with as few original ideas as possible. There are no prima donnas in engineering.”
—Freeman Dyson (b. 1923)
“With wonderful art he grinds into paint for his picture all his moods and experiences, so that all his forces may be brought to the encounter. Apparently writing without a particular design or responsibility, setting down his soliloquies from time to time, taking advantage of all his humors, when at length the hour comes to declare himself, he puts down in plain English, without quotation marks, what he, Thomas Carlyle, is ready to defend in the face of the world.”
—Henry David Thoreau (1817–1862)
“Joe ... you remember I said you wouldn’t be cheated?... Nobody is really. Eventually all things work out. There’s a design in everything.”
—Sidney Buchman (1902–1975)