Security in Linux Kernel - Part 2

 

In the previous part of this series, we saw role of LSMs in kernel security. As mentioned earlier, there are eight LSMs available today in the modern Linux kernel. In this part, let's have a look at different main stream LSMs.

SMACK

Simplified Mandatory Access Control Kernel (SMACK) is designed primarily for embedded linux systems with an intention to make it easier for administrators. This was the second LSM (after SELinux) to be accepted in the linux kernel. It appeared in the 2.6.25 kernel release. This is an attribute (label) based simple LSM, and is the default for Linux implementations tuned for Automotive industry.

Yama

Yama collects system-wide DAC security restrictions that are not handled by the core kernel itself. It offers control over scope of ptrace() system call to control ptrace attachment by processes. Build time configuration option CONFIG_SECURITY_YAMA and runtime option through sysctls can be used to enable this LSM. The ptrace restrictions can be controlled using ptrace_scope value as follows.

kernel.yama.ptrace value
  Debug restrictions
0
All processes with same uid
1
Only parent process
2
Only admin can use ptrace
3
No processes can be debugged. Reboot is required to enable it again

TOMOYO

TOMOYO is pathname-based LSM, which forms trees by recording process invocations. It was developed by NTT Data Corporation of Japan. Tomoyo is based on declarations of behaviours and resources that processes need to use and then it restricts each process to those behaviours and resources only.

LoadPin

LoadPin is a "minor" LSM that ensures all kernel loaded files originate from the same filesystem. This LSM can be enabled using the CONFIG_SECRITY_LOADPIN configuration option.

SELinux

SELinux is the default LSM on RedHad-based Linux distributions. This is an attribute based LSM which stores security identifiers for files as extended file attributes in the filesystem. Though powerful, this is a complex LSM to configure and debug. Administrator needs to tailor policies which define which actions the subjects can take on objects protected by SELinux.

AppArmor

AppArmor allows restricting program's capabilities using per-program profiles. It was integrated in 2.6.36 kernel and is the default LSM for Debian-based Linux distributions. This LSM is path-based and loads profiles created in user-space. Selection of this LSM is controlled by CONFIG_SECURITY_APPARMOR configuration flag.

SafeSetID

SafeSetID derives its name from it's reliance on the ability to gate the setid family of syscalls to restrict UID/GID transitions. It allows only those transitions which are approved by a system-wide whitelist. This LSM hooks the setid syscalls to ensure the transitions are allowed against an applicable restriction policy only. These policies can be configured through securityfs.

LockDown

LockDown LSM adds kernel lockdown feature to Linux. When this feature is enabled, command line option to kernel can be used to lock the kernel to maintain its integrity or confidentiality. In "integrity" mode, userspace features which allow modifications to kernel are disabled. When "confidentiality" mode is enabled, all integrity mode protections are enabled, and in addition to that, those userspace features are disabled, which allow extraction of potentially confidential information from running kernel (such as kcore, kprobes, etc.) and use of tracefs.



Additional References


Title image used from: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSNoKWDkJDrj5KLCWWlL3qX4NWajG8242HckA&usqp=CAU

Comments

Post a Comment

Popular posts from this blog

Trusted Platform Module

Image
In the previous article, we discussed end device security and various factors affecting it. There was a fleeting mention about TPM - the Trusted Platform Module. In this installment we will discuss mode about the TPM. Generally, for any device, the safest way to ensure it's integrity is to make sure it always boots from a secured, verified and unalterable source. This forms the logical "root" of the entire boot process. Once the device boots from a trusted source, it further uses it to verify each and every software component it utilizes. Every module checks and verifies integrity of the next module to be loaded thus forming a "chain of trust" which if broken can be easily detected. This chain of trust then can be extended to encompass other devices across and upstream the network hierarchy. In this installment, let's have a deeper look at TPM. What is TPM? TPM is (generally) a chip designed to provide security related functions. It provides functiona
Read more

Common Git Tips

Image
Obtain list of commits git reflog --oneline git log --oneline These commands will also print commit ID - a.k.a. commit hash. Obtain list of branches created by a user git for-each-ref --format=' %(authorname) %09 %(refname)' --sort=authorname | grep <username> Obtain branch hash git show-ref branch_name Delete a local/remote branch Assume that a branch "bugfix/114355" is created to fix a bug. To delete the local branch: git branch -d bugfix/114355 git branch -D bugfix/114355 '-D' is same as specifying "--delete --force" . To remove the remote branch as well: git push origin --delete bugfix/114355 Undo last commit git reset --soft HEAD~1 Roll back repo to a commit To roll-back the repository to a particular commit, follow these steps. find the hash corresponding to the particular commit by checking the commit logs: git log --oneline roll back the repository by resetting the HEAD pointer: git reset --hard <commit_hash> Remove the latest co
Read more