Time to remove LSM?
The LSM patch ran into some difficulties on its way into the kernel, but it is now an established part of the internal API. So some developers were surprised recently when James Morris suggested that perhaps the time has come to remove the LSM framework. His arguments are simple: there is only one serious module using the LSM framework in the intended manner, while unrelated projects are trying to use it in inappropriate ways.
It's dead code, an unnecessary abstraction layer between its one real user, SELinux, and the core kernel.
James asks: rather than forcing SELinux to conform to a general-purpose API (of which it is the sole user), why not just wire SELinux directly into the kernel, get rid of LSM, and be done with it?
SELinux is not truly the only security module out there, of course. The kernel includes a couple of other modules: a reimplementation of the capabilities mechanism and "root plug," a module which prevents processes from running as root unless a specific USB device is plugged in. There are out-of-tree modules, such as the BSD securelevels patch and Trustees Linux. The Immunix (now Novell) AppArmor product includes a module which uses the LSM framework. AppArmor is a proprietary offering, but the security module portion of it is GPL-licensed (as is necessary, since the functions for loading security modules are exported GPL-only).
There does not appear to be a groundswell of support for the idea of removing the LSM framework from the kernel at this time. That could change over time, however: increasingly, out-of-tree code is held to be irrelevant when decisions are made. If SELinux remains the only significant in-tree user of the LSM framework, LSM will look like useless baggage to more and more developers. If there are security modules out there which are reasonable alternatives to SELinux, their developers may want to think about getting them into the mainline sometime in the not-too-distant future.
| Index entries for this article | |
|---|---|
| Kernel | Security/Security modules |
Time to remove LSM?
Posted Jun 2, 2005 10:55 UTC (Thu) by nix (subscriber, #2304) (2 responses)
Another free software product that uses the LSM is DigSig (and very useful it is too).

Time to remove LSM?
Posted Jun 2, 2005 11:54 UTC (Thu) by hmh (subscriber, #3838) (1 response)
DigSig is available at: http://sourceforge.net/projects/disec/
It is a security module implementing execute-only-signed-ELF-binaries policies.

Time to remove LSM?
Posted Jun 2, 2005 20:57 UTC (Thu) by nix (subscriber, #2304)
Yeah, sorry, I should have provided a pointer.

Time to remove LSM?
Posted Jun 2, 2005 16:53 UTC (Thu) by smeg4brains (guest, #207)
That would be sad.. We love the Trustees Linux module here.. It's out of tree, but it sure would be hard to hook in without LSM. It will probably never become an in-tree module though, because some of the kernel security gurus don't like the fact that in some cases Linux Trustees grants permissions that weren't there before instead of only ever taking permissions away.
It sure makes our servers a lot more manageable though.. We couldn't live without it.

Many projects use LSM
Posted Jun 3, 2005 12:34 UTC (Fri) by ipqw (guest, #29756)
The Umbrella Project (http://umbrella.sf.net) uses LSM - and some of the code released by IBM for implementing the Trusted Platform Module technology is dependent on LSM.
Furthermore, I am aware of several, yet unpublished, projects that use LSM to provide more flexible security measures for the kernel.
The work in strengthening the security in the Linux kernel is just getting started. It develops slowly, as it is a hard topic -- many developers do not even know what mandatory access control is.