Posts

Showing posts from July, 2023

Security in Linux Kernel - Part 2

  In the previous part of this series, we saw the role of LSMs in kernel security. As mentioned earlier, there are eight LSMs available today in the modern Linux kernel. In this part, let's have a look at the different mainstream LSMs.

  SMACK

  Simplified Mandatory Access Control Kernel (SMACK) is designed primarily for embedded Linux systems, with the intention of making it easier for administrators. This was the second LSM (after SELinux) to be accepted into the Linux kernel. It appeared in the 2.6.25 kernel release. It is a simple attribute (label) based LSM, and is the default for Linux implementations tuned for the automotive industry.

  Yama

  Yama collects system-wide DAC security restrictions that are not handled by the core kernel itself. It offers control over the scope of the ptrace() system call to control ptrace attachment by processes. The build-time configuration option CONFIG_SECURITY_YAMA and runtime options through sysctls can be used to enable this LSM. The ptrace restrictions can be controll

Security in Linux Kernel - Part 1

  User-land security in Linux is pretty robust, finely ingrained into the design philosophy of the OS and inherited from the UNIX legacy. Beating at the centre of this robust OS is the equally robust heart of the OS - the Kernel. A Linux user has various tools and types of security at her disposal, such as enforcement of different roles and groups with varying levels of privileges, authorisations, access control using authentication, policy enforcement and logging, secure memory and process management techniques, secure protocols and, of course, a trustworthy kernel. Roughly, these techniques can also be described as DACs (Discretionary Access Controls) and MACs (Mandatory Access Controls). An example of a DAC is the file and directory permissions in Linux (rwx for ugo), using which access to user data can be controlled.

  What is the need?

  But how does the Linux Kernel ensure and enforce security in the Kernel-land? The Kernel relies on different MAC techniques like security modules, secure co