Check out the new USENIX Web site. next up previous
Next: LSM Design: Mediate Access Up: Linux Security Modules: General Previous: Introduction


The Problem: Constrained Design Space

The design of LSM was constrained by the practical and technical concerns of both the Linux kernel developers and the various Linux security projects. In email on the topic, Linus Torvalds specified that the security framework must be:

The various Linux security projects were primarily interested in ensuring that the security framework would be adequate to permit them to reimplement their existing security functionality as a loadable kernel module. The new modular implementation must not cause any significant loss in the security being provided and should have little additional performance overhead.

The core functionality for most of these security projects was access control. However, a few security projects also desired other kinds of security functionality, such as security auditing or virtualized environments. Furthermore, there were significant differences over the range of flexibility for the access controls. Most of the security projects were only interested in further restricting access, i.e. being able to deny accesses that would ordinarily be granted by the existing Linux discretionary access control (DAC) logic. However, a few projects wanted the ability to grant accesses that would ordinarily be denied by the existing DAC logic; some degree of this permissive behavior was needed to support the capabilities logic as a module. Some security projects wanted to migrate the DAC logic into a security module so that they could replace it.

The ``LSM problem'' is to unify the functional needs of as many security projects as possible, while minimizing the impact on the Linux kernel. The union set of desired features would be highly functional, but also so invasive as to be unacceptable to the mainstream Linux community. Section 3 presents the compromises LSM made to simultaneously balance these conflicting goals.


next up previous
Next: LSM Design: Mediate Access Up: Linux Security Modules: General Previous: Introduction
Chris Wright 2002-05-13