BSD security levels for Linux

The Linux Security Module (LSM) patch was intended to enable the creation of a wide variety of security regimes for Linux systems. So far, the main user of the LSM functionality has been the NSA SELinux module. But there are signs that other security-oriented developers are beginning to make use of LSM to implement different approaches.

The latest such is the BSD Secure Levels patch posted by Michael Halcrow. This patch is intended to create something resembling BSD's secure level capability for Linux. Thus it implements an integer security level, which has useful values of zero to two. At level zero, the system functions as always - as if the module were not present at all. Zero is the default level, but the level can be raised (but not lowered) by writing the new value to /proc/seclvl.

At level one, a number of actions become disallowed, including:

  • Tracing the init process.
  • Modifying an immutable file.
  • Anything involving raw I/O to a device.
  • Network administration tasks.
  • Changing the user ID of a process.
  • Loading or unloading modules.
  • Writing directly to a mounted block device.
  • Writing to /dev/mem or /dev/kmem.
  • Changing the setuid or setgid bits of a file.

At security level two, a few additional actions are prohibited:

  • Changing the system time - but only if you are trying to set it backward.
  • Writing to any block device, whether mounted or not.
  • Unmounting a filesystem.

The "secure level" patch is thus a way of raising the bar for any potential attacker. At the higher levels, even a process with root privileges cannot make certain kinds of changes to the system. Normally, higher levels are forever; the only way to lower the secure level is to reboot the system. Note, however, that this module allows the administrator to include a small back door by specifying an executable that, when run, causes the secure level to be reset to zero. This feature may be useful for administrators who are converting a system over to secure level operation. Leaving the "emergency reset" option enabled permanently would be dangerously counterproductive, however.
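To make the policy above concrete, here is an added userspace model of the secure-level rules the article describes. It is illustrative code written for this page, not code from Michael Halcrow's patch, and the names it uses (seclvl_set, seclvl_permits, seclvl_on_exec and so on) are assumptions rather than the patch's own interfaces. It models the three things the text describes: a level that can be raised through /proc/seclvl but never lowered, a per-operation table of the level at which an action becomes refused regardless of the caller's privilege, and the optional "emergency reset" executable.

```c
/* Added illustration of the secure-level policy described in the article:
 * a userspace model, not code from Michael Halcrow's patch. All function
 * names here are assumptions made for this example. */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Operations the article lists, grouped by the level that first denies them. */
enum seclvl_op {
    OP_PTRACE_INIT,          /* tracing the init process */
    OP_MODIFY_IMMUTABLE,     /* modifying an immutable file */
    OP_RAW_IO,               /* raw I/O to a device */
    OP_NET_ADMIN,            /* network administration tasks */
    OP_SETUID,               /* changing the user ID of a process */
    OP_MODULE_LOAD,          /* loading or unloading modules */
    OP_WRITE_MOUNTED_BLKDEV, /* writing directly to a mounted block device */
    OP_WRITE_KMEM,           /* writing to /dev/mem or /dev/kmem */
    OP_CHMOD_SUID,           /* changing the setuid or setgid bits of a file */
    OP_WRITE_ANY_BLKDEV,     /* writing to any block device, mounted or not */
    OP_UMOUNT,               /* unmounting a filesystem */
    OP_SETTIME,              /* changing the system time (backward only) */
    OP_COUNT
};

/* Lowest secure level at which each operation is refused. */
static const int deny_from_level[OP_COUNT] = {
    [OP_PTRACE_INIT] = 1, [OP_MODIFY_IMMUTABLE] = 1, [OP_RAW_IO] = 1,
    [OP_NET_ADMIN] = 1,   [OP_SETUID] = 1,           [OP_MODULE_LOAD] = 1,
    [OP_WRITE_MOUNTED_BLKDEV] = 1, [OP_WRITE_KMEM] = 1, [OP_CHMOD_SUID] = 1,
    [OP_WRITE_ANY_BLKDEV] = 2, [OP_UMOUNT] = 2, [OP_SETTIME] = 2,
};

static int seclvl = 0;                 /* level zero: module is a no-op */
static const char *reset_exec = NULL;  /* optional "emergency reset" executable */

int seclvl_get(void) { return seclvl; }

/* Models a write to /proc/seclvl: the level may be raised but never lowered,
 * and only 0..2 are meaningful. Returns 0 on success, -1 if refused. */
int seclvl_set(int new_level)
{
    if (new_level < 0 || new_level > 2)
        return -1;
    if (new_level < seclvl)
        return -1;
    seclvl = new_level;
    return 0;
}

/* The check a hook would make. The caller's privilege is irrelevant:
 * at a raised level even root is refused. Returns 1 = allow, 0 = deny. */
int seclvl_permits(enum seclvl_op op)
{
    if ((int)op < 0 || op >= OP_COUNT)
        return 0;
    return seclvl < deny_from_level[op];
}

/* Setting the clock is refused at level two only when it would move backward. */
int seclvl_permits_settime(time_t current, time_t requested)
{
    if (seclvl_permits(OP_SETTIME))
        return 1;
    return requested >= current;
}

/* Administrator-configured back door: an executable whose execution resets
 * the level to zero. Leaving this configured permanently defeats the scheme. */
void seclvl_configure_reset(const char *path) { reset_exec = path; }

/* Models the exec hook: only the configured path resets the level.
 * Returns the level in effect after the exec. */
int seclvl_on_exec(const char *path)
{
    if (reset_exec != NULL && strcmp(path, reset_exec) == 0)
        seclvl = 0;
    return seclvl;
}

int main(void)
{
    printf("level %d: module load %s\n", seclvl_get(),
           seclvl_permits(OP_MODULE_LOAD) ? "allowed" : "denied");
    seclvl_set(1);
    printf("level %d: module load %s, umount %s\n", seclvl_get(),
           seclvl_permits(OP_MODULE_LOAD) ? "allowed" : "denied",
           seclvl_permits(OP_UMOUNT) ? "allowed" : "denied");
    printf("lowering to 0: %s\n", seclvl_set(0) == 0 ? "ok" : "refused");
    seclvl_set(2);
    printf("level %d: set clock back %s\n", seclvl_get(),
           seclvl_permits_settime(1000, 999) ? "allowed" : "denied");
    return 0;
}
```

The point of the model is the one the article makes: once the level is raised, the decision is a function of the level and the operation alone, so a compromised root process cannot talk its way past the check, and the only legitimate way down is a reboot (or the reset executable, if the administrator has chosen to leave that door open).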

BSD security levels for Linux

Posted Nov 26, 2003 9:17 UTC (Wed) by hch (guest, #5625)

So back to the good old times? We already had xsecurelevels in 2.0,
but then decided to replace them with more fine-grained capability
bounding sets. Now he needs the whole LSM bloat to reimplement the
whole thing in a complicated way, well if that isn't progress..

Not just SELinux, also LIDS (and it uses full capability system)

Posted Nov 26, 2003 14:40 UTC (Wed) by linuxbox (subscriber, #6928)

Just FYI, in addition to SELinux, and a much finer-grained system-hardening regime than BSD securelevels (not to disparage them), is Huagang Xie's LIDS system (http://www.lids.org).

LIDS has fine-grained ACLs based on the full range of Linux capabilities, process and file hiding, etc, etc, using an ACL language vaguely inspired by that of iptables. (The 2.6 LIDS adds an "auto learn" mode that builds ACLs automatically, but I haven't tried it.)

LIDS was already in pretty wide use as a source patch for Linux 2.2 and 2.4 kernels, but the 2.6 series LIDS is layered on the Linux Security Module.

LIDS works, works with essentially any Linux (I recently ported the patch to the 2.4.21 kernel source tree used by SuSE 9.0), has proved its worth for me on several occasions.

Matt Benjamin <matt@linuxbox.com>

(Not that it's perfect--a few patch versions over the last two years had memory leaks or other issues. The LSM implementation should reduce the maintenance overhead of the kernel patch, substantially.)

LSM Not Suitable for Most Security Projects

Posted Nov 27, 2003 1:58 UTC (Thu) by skarkkai (subscriber, #4128)

LSM appears to not be suitable for most existing security projects. For instance, see statements by authors of RSBAC at http://www.rsbac.org/lsm.htm and grsecurity at http://grsecurity.net/lsm.php.

LSM Not Suitable for Most Security Projects

Posted Dec 9, 2003 18:14 UTC (Tue) by TRauMa (guest, #16483)

Enlightening read, thanks for the pointer. I wasn't aware of that.

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds