Design
LSM was designed to provide the specific needs of everything needed to successfully implement a mandatory access control module, while imposing the fewest possible changes to the Linux kernel. LSM avoids the approach of system call interposition as used in Systrace because it does not scale to multiprocessor kernels and is subject to TOCTTOU (race) attacks. Instead, LSM inserts "hooks" (upcalls to the module) at every point in the kernel where a user-level system call is about to result in access to an important internal kernel object such as inodes and task control blocks.
The project is narrowly scoped to solve the problem of access control to avoid imposing a large and complex change patch on the mainstream kernel. It is not intended as a general "hook" or "upcall" mechanism, nor does it support Operating system-level virtualization.
LSM's access control goal is very closely related to the problem of system auditing, but is subtly different. Auditing requires that every attempt at access be recorded. LSM cannot deliver that, because it would require a great many more hooks, so as to detect cases where the kernel "short circuits" failing system calls and returns an error code before getting near significant objects.
The LSM design is described in the paper Linux Security Modules: General Security Support for the Linux Kernel presented at USENIX Security 2002. At the same conference was the paper Using CQUAL for Static Analysis of Authorization Hook Placement which studied automatic static analysis of the kernel code to verify that all of the necessary hooks have actually been inserted into the Linux kernel.
Read more about this topic: Linux Security Modules
Famous quotes containing the word design:
“If I commit suicide, it will not be to destroy myself but to put myself back together again. Suicide will be for me only one means of violently reconquering myself, of brutally invading my being, of anticipating the unpredictable approaches of God. By suicide, I reintroduce my design in nature, I shall for the first time give things the shape of my will.”
—Antonin Artaud (1896–1948)
“Humility is often only the putting on of a submissiveness by which men hope to bring other people to submit to them; it is a more calculated sort of pride, which debases itself with a design of being exalted; and though this vice transform itself into a thousand several shapes, yet the disguise is never more effectual nor more capable of deceiving the world than when concealed under a form of humility.”
—François, Duc De La Rochefoucauld (1613–1680)
“Delay always breeds danger; and to protract a great design is often to ruin it.”
—Miguel De Cervantes (1547–1616)