Time to remove LSM?
[Posted May 31, 2005 by corbet]
The first organized
kernel summit, held in 2001, included a presentation on the NSA
Security-Enhanced Linux project. Linus's response at the time was that
there were several projects out there trying to find the best way to harden
Linux, and that he did not want to have to choose between them. Instead,
he asked for the creation of a generic framework which would allow an
arbitrary security module to be plugged into the system. The result, some
time later, was the Linux Security Module framework; LSM provides a long
list of hooks into kernel operations which allow a security module to veto
any action which violates the rules it is implementing.
The LSM patch ran into some difficulties on its way into the kernel, but it
is now an established part of the internal API.
So some developers were surprised recently when James Morris suggested that perhaps the time has come to
remove the LSM framework. His arguments
are simple: there is only one
serious module using the LSM framework in the intended manner, while
unrelated projects are trying to use it in inappropriate ways.
In the years since LSM was included in the mainline kernel, SELinux
has been the only significant module implemented and also included
in the mainline kernel. So we have a generalized framework for one
user, SELinux, which itself is a generalized framework....
It's dead code, an unnecessary abstraction layer between its one real user,
SELinux, and the core kernel.
James asks: rather than forcing SELinux to conform to a
general-purpose API (of which it is the sole user), why not just wire
SELinux directly into the kernel, get rid of LSM, and be done with it?
SELinux is not truly the only security module out there, of course. The
kernel includes a couple of other modules: a reimplementation of the
capabilities mechanism and "root plug," a module which prevents processes
from running as root unless a specific USB device is plugged in. There are
out-of-tree modules, such as the BSD
securelevels patch and Trustees Linux.
The Immunix (now Novell) AppArmor product includes a
module which uses the LSM framework. AppArmor is a proprietary offering,
but the security module portion of it is GPL-licensed (as is necessary,
since the functions for loading security modules are exported GPL-only).
There does not appear to be a groundswell of support for the idea of
removing the LSM framework from the kernel at this time. That could change
over time, however: increasingly, out-of-tree code is held to be irrelevant
when decisions are made. If SELinux remains the only significant in-tree
user of the LSM framework, LSM will look like useless baggage to more and
more developers. If there are security modules out there which are
reasonable alternatives to SELinux, their developers may want to think
about getting them into the mainline sometime in the not-too-distant
future.