Skip to content

Kernel programming: This is a simple kernel module implementation for enforcing access control policies using Linux Security Module framework.

Notifications You must be signed in to change notification settings

node3/Linux-Security-Module

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Overview

This project uses LSM hooks to enforce a simple access control policy. The implementation associates the path of a binary file which is allowed to access a protected file. The path of the binary file is stored in the extended attribute (XAttr) of the inode of the protected file. When a process tries to access this file, the path of the binary which was loaded during the exec() call of the process is checked against the XAttr attribute ("security.pindown" in this case). If the path matches then the process is allowed to access the file. Otherwise, access is denied.

PinDOWN LSM implementation

Pindown module that implements the four hooks listed below which are exposed by the Linux Security Modules framework:

  • task_alloc_security
  • task_free_security
  • bprm_set_security
  • inode_permission

This implementation is tested for the linux kernel version 2.6.23. The diagram below shows how the implementation control access to files using LSM hooks. Access Control using Pindown LSM

Commands to load the module

  • Download the kernel linux-2.6.23. Older distros of linux such as ubuntu 8.04 LTS can be used because it allows loading kernel modules without reboot.
  • Copy pindown.c and Makefile to linux-2.6.23/security directory.
  • Run make all in the root directory of the kernel repository. This generates the kernel object security/pindown.ko.
  • To insert the module, run insmod security/pindown.ko. The hooks provided in the module should enforce access control.
  • Logs can be accessed in the file /var/log/kern.log. Check if the modules is loaded using lsmod command.

Setting the access control for policy

Following example limits the acces to file /foo/bar/protected_file to the program /usr/bin/vi only. Any other program, trying to access the file would be denied access to the protected file.

  • Set the XAttr attribute on the protected file.
    sudo setfattr -n security.pindown -v '/usr/bin/vi' /foo/bar/protected_file
  • Check the XAttr attribute
    sudo getfattr -n security.pindown /foo/bar/protected_file
  • Load the pindown.ko module as shown in the previous section.

With that, only vi program should be have access to the file. Any other program attempting to access the file would be denied the permission.

References

The project is inspired from the PinUP paper.
Linux Security Module Framework

About

Kernel programming: This is a simple kernel module implementation for enforcing access control policies using Linux Security Module framework.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published