Check out the new USENIX Web site. next up previous
Next: Calls to Security Hook Up: Implementation Overview Previous: Implementation Overview


Opaque Security Fields


Table: Kernel data structures modified by the LSM kernel patch and the corresponding abstract objects.
STRUCTURE OBJECT
task_struct Task (Process)
linux_binprm Program
super_block Filesystem
inode Pipe, File, or Socket
file Open File
sk_buff Network Buffer (Packet)
net_device Network Device
kern_ipc_perm Semaphore, Shared Memory Segment,
or Message Queue
msg_msg Individual Message


The opaque security fields are void* pointers, which enable security modules to associate security information with kernel objects. Table 1 shows the kernel data structures that are modified by the LSM kernel patch and the corresponding abstract object.

The setting of these security fields and the management of the associated security data is handled by the security modules. LSM merely provides the fields and a set of calls to security hooks that can be implemented by the module to manage the security fields as desired. For most kinds of objects, an alloc_security hook and a free_security hook are defined that permit the security module to allocate and free security data when the corresponding kernel data structure is allocated and freed. Other hooks are provided to permit the security module to update the security data as necessary, e.g. a post_lookup hook that can be used to set security data for an inode after a successful lookup operation. It is important to note that LSM does not provide any locking for the security fields; such locking must be performed by the security module.

Since some objects will exist prior to the initialization of a security module, even if the module is built into the kernel, a security module must handle pre-existing objects. Several approaches are possible. The simplest approach is to ignore such objects, treating them as being outside of the control of the module. These objects would then only be controlled by the base Linux access control logic. A second approach is to traverse the kernel data structures during module initialization, setting the security fields for all pre-existing objects at this time. This approach would require great care to ensure that all objects are updated (e.g. an open file might be on a UNIX domain socket awaiting receipt by a process) and to ensure that appropriate locking is performed. A third approach is to test for pre-existing objects on each use and to then set the security field for pre-existing objects when needed.


next up previous
Next: Calls to Security Hook Up: Implementation Overview Previous: Implementation Overview
Chris Wright 2002-05-13