Re: LSM quick start, file_permission

From: Chris Wright (chrisw@private)
Date: Mon Feb 23 2004 - 11:01:14 PST


    * Everett Anderson (eea1@private) wrote:
    > I'm trying to start a quick project to evaluate the performance
    > implications of adding security checks during read/write/seeks.  I'd like
    > to use LSM for this, but I'm having a hard time figuring out what I need
    > to get up and running using it.
    
    Sounds nice.
    
    > If I have a Debian installation, grab the stock 2.4.20 kernel from
    > kernel.org, and use the latest stable 2.4 patch from lsm.immunix.org, is
    > that sufficient to write a kernel module which can provide an
    > implementation for LSM's file_permission hook?
    
    You could use 2.6 as well (it has LSM in it already).  Or the 2.4.25
    patch will be up shortly, if you prefer to use something a little newer.
    But, aside from a kernel with the LSM framework, you only need to
    code up your own module and load it.
    
    > Do I need to also pick up the Traditional Super User module or an SELinux
    > implementation?
    
    It really depends on what you plan to do.  Both of those are in the
    patch, so you don't need to get them separately.  In most cases the
    superuser module's functions are no-ops.  So it might be useful to give
    it a quick read to see which hooks it cares about.  You'll need to do
    something to make sure you care for the capable() hook.  Most permission
    checks start with a standard DAC modebit test which, if it fails, can be
    overridden by something like UID==0 or a CAP_FOO capability being set.  So,
    if you don't implement something there, you will leave the system less
    secure than when you started.
    
    > Does anyone have recommendations for howtos or guides to getting started?
    
    There aren't any howtos (patches accepted ;-)  Best docs are the papers
    and then the per hook docs in security.h.
    
    thanks
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
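The point about the capable() hook in the reply above, as an added user-space model (this is not code from the LSM tree, from the mail, or from any kernel): the DAC mode-bit test is carried through in the shape of the kernel's permission() routine, and the capability override is delegated to a pluggable capable() hook that follows the LSM convention (0 allows, -EPERM denies). Two hooks are plugged in: one modelled on the capability module, which honours the task's effective capability set, and an always-allow no-op. The struct names, the simplified bitmask representation of the capability set, and the sample task/inode values are constructed for the example; the capability numbers and the MAY_* bits match the kernel's values.

```c
/* User-space model of the DAC mode-bit test followed by the capable() override.
 * Added example for illustration; not kernel code and not from the LSM patch. */
#include <stdio.h>
#include <errno.h>

#define CAP_DAC_OVERRIDE     1   /* kernel capability numbers */
#define CAP_DAC_READ_SEARCH  2
#define MAY_EXEC   1             /* kernel permission mask bits */
#define MAY_WRITE  2
#define MAY_READ   4

/* Constructed stand-ins for task_struct and inode: only the fields the check needs. */
struct task  { unsigned uid; unsigned gid; unsigned cap_effective; };
struct inode { unsigned uid; unsigned gid; unsigned mode; };

/* The hook a module supplies. LSM convention: return 0 to allow, -EPERM to deny. */
typedef int (*capable_hook_t)(const struct task *tsk, int cap);

static int cap_raised(unsigned set, int cap) { return (set >> cap) & 1; }

/* capable() in the style of the capability module: consult the effective set. */
int cap_capable(const struct task *tsk, int cap)
{
    return cap_raised(tsk->cap_effective, cap) ? 0 : -EPERM;
}

/* A no-op capable() that grants every capability: the gap the mail warns about. */
int noop_capable(const struct task *tsk, int cap)
{
    (void)tsk; (void)cap;
    return 0;
}

/* DAC mode-bit test, then the capability override, mirroring fs/namei.c permission()
 * for regular files (directories are not modelled). Returns 0 or -EACCES. */
int dac_permission(const struct task *tsk, const struct inode *ino, int mask,
                   capable_hook_t capable)
{
    unsigned mode = ino->mode;

    if (tsk->uid == ino->uid)       /* pick the owner, group or other triple */
        mode >>= 6;
    else if (tsk->gid == ino->gid)
        mode >>= 3;

    if ((mode & mask & 7) == (unsigned)mask)
        return 0;                   /* the plain mode bits allow it */

    /* Read/write DACs are always overridable; exec only if some x bit is set. */
    if (!(mask & MAY_EXEC) || (ino->mode & 0111))
        if (capable(tsk, CAP_DAC_OVERRIDE) == 0)
            return 0;

    /* Plain reads may also be overridden by CAP_DAC_READ_SEARCH. */
    if (mask == MAY_READ && capable(tsk, CAP_DAC_READ_SEARCH) == 0)
        return 0;

    return -EACCES;
}

/* Constructed scenario: an unprivileged task tries to read a root-owned 0600 file.
 * With cap_capable this is refused; with noop_capable it is silently granted. */
int unprivileged_read(capable_hook_t hook)
{
    struct inode secret = { 0, 0, 0600 };
    struct task  user   = { 1000, 1000, 0 };
    return dac_permission(&user, &secret, MAY_READ, hook);
}

/* Constructed scenario: an unprivileged task tries to exec a non-executable file.
 * Even the no-op hook cannot help here, because the exec override needs an x bit. */
int unprivileged_exec_noexec(capable_hook_t hook)
{
    struct inode data = { 0, 0, 0644 };
    struct task  user = { 1000, 1000, 0 };
    return dac_permission(&user, &data, MAY_EXEC, hook);
}

/* Constructed scenario: root carrying CAP_DAC_OVERRIDE writes to a 0400 file it does not own. */
int privileged_write(capable_hook_t hook)
{
    struct inode ro   = { 1000, 1000, 0400 };
    struct task  root = { 0, 0, (1u << CAP_DAC_OVERRIDE) | (1u << CAP_DAC_READ_SEARCH) };
    return dac_permission(&root, &ro, MAY_WRITE, hook);
}

int main(void)
{
    printf("unprivileged read, cap_capable : %d\n", unprivileged_read(cap_capable));
    printf("unprivileged read, noop_capable: %d\n", unprivileged_read(noop_capable));
    printf("unprivileged exec, noop_capable: %d\n", unprivileged_exec_noexec(noop_capable));
    printf("root write,        cap_capable : %d\n", privileged_write(cap_capable));
    return 0;
}
```

Running it shows why a module that only fills in file_permission() and leaves capable() as an allow-everything stub ends up weaker than the stock kernel: the DAC test that file_permission() is called after has already been bypassed by the time the new hook runs.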
    
    This archive was generated by hypermail 2b30 : Mon Feb 23 2004 - 11:01:58 PST