BSD security levels for Linux
[Posted November 24, 2003 by corbet]
The Linux Security Module (LSM) patch was intended to enable the creation
of a wide variety of security regimes for Linux systems. So far, the main
user of the LSM functionality has been the NSA SELinux module. But there
are signs that other security-oriented developers are beginning to make use
of LSM to implement different approaches.
The latest such is the BSD Secure Levels
patch posted by Michael Halcrow. This patch is intended to create
something resembling BSD's secure level capability for Linux. Thus it
implements an integer security level, which has useful values of zero to
two. At level zero, the system functions as always - as if the module were
not present at all. Zero is the default level, but the level can be raised
(but not lowered) by writing the new value to /proc/seclvl.
At level one, a number of actions become disallowed, including:
- Tracing the init process.
- Modifying an immutable file.
- Anything involving raw I/O to a device.
- Network administration tasks.
- Changing the user ID of a process.
- Loading or unloading modules.
- Writing directly to a mounted block device.
- Writing to /dev/mem or /dev/kmem.
- Changing the setuid or setgid bits of a file.
At security level two, a few additional actions are prohibited:
- Changing the system time - but only if you are trying to set it backward.
- Writing to any block device, whether mounted or not.
- Unmounting a filesystem.
The "secure level" patch is thus a way of raising the bar for any potential
attacker. At the higher levels, even a process with root privileges cannot
make certain kinds of changes to the system. Normally, higher levels are
forever; the only way to lower the secure level is to reboot the system.
Note, however, that this module allows the administrator to include a small
back door by specifying an executable that, when run, causes the secure
level to be reset to zero. This feature may be useful for administrators
who are converting a system over to secure level operation. Leaving the
"emergency reset" option enabled permanently would be dangerously
counterproductive, however.
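As an added illustration (not code from the article or from the seclvl patch), here is a small Python model of the policy just described: the level can only be raised, the level-one and level-two restrictions, the clock check that only refuses moving time backward, and the "emergency reset" executable. Action names, the SecLvl class and the reset path are assumptions made for the illustration.

```python
# Added reference model of the seclvl policy; it is not the patch's code.
# Action names, the class and the reset path are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

# Actions the article lists as disallowed from level one upward.
LEVEL1_DENIED = frozenset({
    "ptrace_init", "modify_immutable", "raw_io", "net_admin", "setuid",
    "module_load", "write_kmem", "chmod_setuid_bits",
})


@dataclass
class SecLvl:
    level: int = 0                      # zero: behaves as if the module were absent
    reset_exe: Optional[str] = None     # optional "emergency reset" executable

    def set_level(self, new: int) -> bool:
        """Model of writing to /proc/seclvl: the level may be raised, never lowered."""
        if new < self.level:
            return False
        self.level = new
        return True

    def allowed(self, action: str, **kw) -> bool:
        """Model of the hook decision for one action at the current level."""
        if self.level >= 1:
            if action in LEVEL1_DENIED:
                return False
            # Level one protects only mounted block devices; level two protects all.
            if action == "write_blockdev" and (kw.get("mounted") or self.level >= 2):
                return False
        if self.level >= 2:
            if action == "umount":
                return False
            # Clock changes are refused only when they would move time backward.
            if action == "settime" and kw["new_time"] < kw["now"]:
                return False
        return True

    def exec_hook(self, path: str) -> None:
        """Running the configured reset executable drops the level back to zero."""
        if self.reset_exe is not None and path == self.reset_exe:
            self.level = 0
```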