Weekly Edition
Return to the Kernel page
| |||||||||||||
The future of the Linux Security Module API
Back in 2001, the very
first Linux kernel summit included a discussion on security policies.
At that meeting, it was decided that there was no interest in patching in
the several competing implementations which were available at that time.
Instead, developers interested in security were asked to create a generic
interface which could be used by any security policy. The result was the
Linux Security Modules (LSM) API - a long list of hooks which can be used
to intercept almost any operation of interest within the kernel.
Last year, some developers were heard to mumble that perhaps LSM should be removed from the kernel. Since LSM was merged, there has been only one serious security mechanism using it to emerge: SELinux. Since there is only one LSM user, and since SELinux can be thought of as a fairly generic security framework in its own right, it is not clear that there is a need for the LSM interface. The discussion died down last year, however, and there has been little talk of yanking out LSM. Until now. In response to a current discussion on LSM hooks, James Morris has posted a patch adding LSM to the "feature removal" schedule. The end of LSM is not a distant event either: the proposed date is this coming June - the 2.6.18 kernel, in other words. If this patch goes through, LSM will be gone in the very near future. The early indications suggested that it could go through: several kernel developers have argued in favor of the removal of LSM, while none asked for it to be retained. The only disagreement - mild - was over the removal date, with some arguing that 2.6.18 is too soon. Those in favor of an early removal, however, claim that last year's discussion should count as the usual one-year warning for this sort of change, and that there is no need to wait any longer. One might well wonder what the hurry is to remove this API from the kernel. There is, in fact, more than just the "only one user" argument in circulation. James's patch includes this text:
[LSM] also attracts a regular stream of misconceived and broken
security module submissions to mainline, such as BSD Security
Levels, and developers are seeing LSM as the answer to everything
rather than really thinking about what they need and how to
architect the code properly and generally.
So LSM becomes a general temptation to solve problems in the wrong way. Beyond the security levels module (which, among other things, is seen as having open vulnerabilities and no maintainer interest), the developers may be thinking of past episodes like the debate over the realtime security module or the Integrity Measurement Architecture, neither of which is best implemented as a security module. The real issue, however, may be this one:
There is also a growing number of proprietary modules hooking into
LSM in unsafe ways, not necessarily even for security purposes. The
LSM interface semantics are too weak and such an API does not
belong in the mainline kernel.
The 2.6 kernel - intentionally - does not give loadable modules access to the system call table. But the LSM interface is almost as good - it gives a loadable module the opportunity to intercept almost any operation that the kernel may attempt to perform. The LSM hooks are supposed to limit themselves to internal record keeping and returning an allow/deny status to the kernel - but there is no way to enforce that sort of restriction. The GPL-only status of the LSM API does not help much either. The people involved are wary of publicly pointing fingers at companies suspected of misusing the LSM interface. One example which can be found, however, is the kernel generalized event management module which was posted to the kernel-mentors list last year. When KGEM was loaded, it would shove aside any currently-loaded security policy and install itself in its place. It would then feed security-related events through to a (proprietary) user-space application, which would make decisions aimed at protecting Linux users from the pressing threat of virus attacks. There were a lot of issues over how this module was implemented, but using LSM to override existing security policies and provide hooks for proprietary code was considered especially distasteful. These reasons and strong developer pressure notwithstanding, it is not clear that LSM will actually go away anytime soon. There is not yet a consensus that SELinux should be seen as the One True Security Policy; many potential users find its complexity hard to deal with and often simply turn it off. The power of SELinux is unquestioned, but its usability is another story. There are other users of the LSM API out there, they just have not been submitted for inclusion into the mainline. These include:
Given that security is something other than a completely solved problem, it would be surprising if there were any single approach which was suitable for all users. So something may well emerge and qualify as the second user which keeps the LSM API in place. Or, at least, which keeps some sort of API in place. If LSM stays around, the kernel developers will probably make changes which make the API harder to abuse. These might include finding ways to restrict what LSM hooks can do and providing compile-time options to wire in a single security policy at kernel build time. So, while there is a reasonable chance that future kernels will include an LSM interface, it might be a rather different interface than the one there today. Any security module developers who want to have a say in how the interface evolves would be well advised to join the discussion soon. (Log in to post comments)
The future of the Linux Security Module API Posted Apr 20, 2006 5:17 UTC (Thu) by HappyCamp (guest, #29230) [Link] I know that the Trustees ACL project uses LSM too.
The future of the Linux Security Module API Posted Apr 20, 2006 5:54 UTC (Thu) by drag (subscriber, #31333) [Link] And realtime-lsm is critical for low-latency audio applications and to get the most out of realtime applicatiosn without having to run as root.
http://sourceforge.net/projects/realtime-lsm/
There are several userspace applications that support this, including jackd low-latency audio daemon and artsd. Personally I couldn't care much about artsd, but jackd is very nessicary for audio production on Linux. It strings many application audio PCM/midi I/O together in a virtual network and it, with Alsa drivers and realtime-lsm it provides similar (and probably superior) functionality as the ASIO audio drivers in Windows and MacOS.
Removing LSM support would certainly hurt people that like to do audio production on Linux.
The future of the Linux Security Module API Posted Apr 20, 2006 6:13 UTC (Thu) by mingo (subscriber, #31122) [Link] 2.6.13 and later kernels support RT priority rlimits (RLIMIT_RTPRIO), which can be used as a replacement for the realtime-lsm.
The future of the Linux Security Module API Posted Apr 20, 2006 13:45 UTC (Thu) by jamesm (guest, #2273) [Link] This is an example where the code was not really suitable to be implemented as an LSM, and in fact, as you can see in mingo's response, has since been reimplemented more appropriately.
The future of the Linux Security Module API Posted Apr 20, 2006 12:13 UTC (Thu) by nix (subscriber, #2304) [Link] The AppArmor hardlink stuff is actually a *feature*; you can hardlink binaries to different names to change the security policy applicable to them, and constrain apps which should not be allowed to do such things so that they can't create links from directories containing binaries controlled by AppArmor policies.
Regarding multiple namespaces, well, I'd be more scared of that if *any* distribution used them for anything except chroot(). Right now, they don't, and even though multiple namespace support has been in Linux for five years or so they've shown no sign of being used for much (a shame, as they're a neat idea). Right now AppArmor-policy-covered apps simply can't call chroot(), mount() and friends; this could be changed in the future but will take some thought.
AppArmor has no problem with symlinks at all.
The future of the Linux Security Module API Posted Apr 20, 2006 12:22 UTC (Thu) by nix (subscriber, #2304) [Link] Another LSM user is digsig, found at <http://disec.sf.net/>.
There seem to be quite a lot of LSM users: it's just that nobody submits them to the kernel, because they've seen what happens when anyone tries: a bunch of SELinux hackers pop up and say 'oh it sucks because you can do it with SELinux in {fiendishly complex way}.'
The latest victim of this is, as you said, AppArmor...
The future of the Linux Security Module API Posted Apr 20, 2006 13:43 UTC (Thu) by jamesm (guest, #2273) [Link] This is a misrepresentation of the upstream review process, which will naturally include a challenge as to why a new patch should be accepted into the kernel, particularly if it is duplicating a subset or near-subset of existing code.
No SELinux developer has ever just said "it sucks", but instead would have probably spent a considerable amount of time reviewing the code and then posting a detailed response. It is very often the case that there are serious implementation and design flaws in submissions to the kernel. In the case of LSM in particular, the API has problems which foster the development of modules which are not appropriate as LSMs, and would often be better implemented as distinct kernel components to be called by other LSMs, or simply integrated into what was then the only significant LSM in the tree.
The future of the Linux Security Module API Posted Apr 20, 2006 19:30 UTC (Thu) by hingo (guest, #14792) [Link] So you are saying that according to the upstream review process, you cannot get another LSM user included if it does roughly the same thing as SELinux or a subset of it and also that if SELinux is the only LSM user in the kernel mainline it will be removed... nice logic.(Nothing personal, I just realised that what you described might actually be close to reality.)
The future of the Linux Security Module API Posted Apr 20, 2006 19:41 UTC (Thu) by jamesm (guest, #2273) [Link] No, I am not saying that.
All code being submitted to the mainline kernel needs to be reviewed and justified before acceptance. One of the challenges is to demonstrate why the new code is needed, which reasonably includes asking things like "why partially duplicate something which is already there?"
The future of the Linux Security Module API Posted Apr 20, 2006 20:55 UTC (Thu) by nix (subscriber, #2304) [Link] You're right, that was a misremembering on my part. The SELinux developers didn't say it sucks.
Christoph Hellwig did (actually he called it bullshit).
(Mind you, he seems to be trying for the Al Viro Insult Award, although he seems to have missed the bit in the rulebook that says that the insults have to be *unusual*; insults in obscure dialects or dead languages gain extra credit. The ideal insult is one so obscure that the recipient doesn't have a clue he's been insulted, but clear enough that everyone else on the list knows perfectly well.)
The future of the Linux Security Module API Posted Apr 21, 2006 21:58 UTC (Fri) by bronson (subscriber, #4806) [Link] This article seems to say that if LSM is removed, other modules like AppArmor would be left out in the cold.
Back in 2001, it was thought that a single security module could never be generally useful. An indirection layer would make it easy for developers to create a wealth of task-specific modules, easing the pressure on the kernel developers to merge oddball security patches. 5 years later, it's clear that nobody needs (or even cares about) task-specific security modules.
If LSM is removed, AppArmor and friends just need to to patch the kernel directly. It's mildly painful but, ultimately, it's a much better way of achieving the same result.
The future of the Linux Security Module API Posted Apr 27, 2006 10:42 UTC (Thu) by Fredo (guest, #37386) [Link] Hi,
It seems that the LSM were implemented for SELINUX, without being interested in the other solutions : http://www.grsecurity.net/lsm.php
The future of the Linux Security Module API Posted May 1, 2006 14:36 UTC (Mon) by etbe (subscriber, #17516) [Link] Throughout the LSM development process it has been possible to submitpatches for extra functionality. Members of some other projects chose not to submit patches for the LSM functionality that they would need and not complain.
They can still submit LSM patches now if they want, it hasn't been
Dazuko Posted Apr 27, 2006 16:46 UTC (Thu) by rvfh (subscriber, #31018) [Link] I believe that KlamAV could just as well use Inotify rather than Dazuko to know when a file is accessed or created. Inotify is part of the Vanilla Kernel. I don't know of any other big Dazuko user...
The future of the Linux Security Module API Posted Apr 29, 2006 9:31 UTC (Sat) by anton (guest, #25547) [Link] Rlocate, a version of locate that is always up-to-date, uses LSM to hook into the appropriate system calls (open() etc.).Why hasn't this been submitted to the mainline? I don't know, but I guess if it were included in the mainline, it would not use LSM. Doesn't inotify cover the functionality that the rlocate kernel module provides? Unfortunately not, because inotify only supports watching specific directories, not whole file systems or the whole file hierarchy. Even if you watched all directories currently in the file hierarchy (which is probably a performance problem), you would get a race condition when a new directory is created: there might be files created between the time when the directory is created, and the time when the directory is registered with inotify, so the database would miss some files; this is very likely to happen when unpacking a tar or zip archive.
|
|||||||||||||