Linux Security Modules (LSM)
Linux Security Modules (LSM) is a framework that allows different security models to be implemented as modules inside the kernel; despite the name, these modules are compiled into the kernel and selected at boot rather than loaded at runtime. The framework provides the hooks within the Linux kernel needed to implement access control mechanisms beyond the traditional Unix permissions model. Several LSMs are available, each with different use cases and security policies.
SELinux
Security-Enhanced Linux (SELinux) is one of the most well-known Linux Security Modules. Developed by the NSA, SELinux enforces Mandatory Access Control (MAC) policies, restricting processes and users based on predefined security policies.
Key Features:
- Fine-grained Access Control: SELinux policies define what actions processes can perform on system objects.
- Role-Based Access Control (RBAC): Ensures users and processes have the minimum necessary permissions.
- Security Contexts: Each process and file has a security label determining its permissions.
- Enforcing, Permissive, and Disabled Modes: SELinux can enforce policies, log violations without enforcement, or be disabled entirely.
AppArmor
AppArmor is another LSM that provides MAC-based security but is designed to be simpler than SELinux. It restricts applications based on profiles that specify what files and capabilities a process can access.
Key Features:
- Profile-based Access Control: Applications are confined using predefined security profiles.
- Path-based Rules: AppArmor policies are based on filesystem paths rather than security labels.
- Easier to Configure: Compared to SELinux, AppArmor is considered more user-friendly.
- Supports Enforcing and Complain Modes: Similar to SELinux’s enforcing and permissive modes.
Smack
Simplified Mandatory Access Control Kernel (Smack) is another LSM that enforces MAC policies but with a simpler design than SELinux. It uses labels to control access between subjects (processes) and objects (files, sockets, etc.).
Key Features:
- Label-based Access Control: Every process and object has a Smack label.
- Simplified Policy Management: Focuses on ease of use while enforcing strict security.
- Support for Embedded Systems: Often used in constrained environments like IoT devices.
TOMOYO Linux
TOMOYO is an LSM focused on runtime behavioral analysis and security policy generation. Instead of predefined policies, it builds policies dynamically based on system behavior.
Key Features:
- Learning Mode: Automatically generates security policies based on observed behavior.
- Process-based Access Control: Policies are applied based on executable paths.
- User-friendly Policy Editing: Uses human-readable text policies for easy modifications.
Landlock
Landlock is a relatively new LSM designed to provide sandboxing capabilities for unprivileged applications. It allows applications to create their own security policies without requiring administrative privileges.
Key Features:
- Application-defined Sandboxing: An application defines the security restrictions that apply to its own process and any children it spawns.
- Unprivileged Access Control: Does not require root access to enforce policies.
- Filesystem Restrictions: Processes can be restricted from accessing certain files and directories.
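The unprivileged self-sandboxing described above, as an added example that is not part of the original page: a C program for Linux 5.13 or later with the kernel's linux/landlock.h header, which restricts a forked child to read-only access beneath /usr using only ABI v1 rights and then checks that the child can no longer open /dev/null for writing. The paths /usr and /dev/null and the helper names are this example's own choices; when the running kernel has no Landlock the helper reports that instead of failing, which is the fallback a real program needs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
enum { LL_ENFORCED = 0, LL_UNAVAILABLE = 1, LL_ERROR = 2 };
/* ABI v1 filesystem rights are the 13 low bits, EXECUTE (bit 0) .. MAKE_SYM (bit 12).
 * Every handled right is denied unless a rule explicitly grants it. */
#define LL_ALL_FS_V1 ((LANDLOCK_ACCESS_FS_MAKE_SYM << 1) - 1)

/* Confine the calling thread to read/execute beneath allow_ro. No privilege is needed. */
static int landlock_restrict_readonly(const char *allow_ro)
{
    struct landlock_ruleset_attr rs = { .handled_access_fs = LL_ALL_FS_V1 };
    int rfd = syscall(SYS_landlock_create_ruleset, &rs, sizeof rs, 0);
    /* ENOSYS/EOPNOTSUPP: no Landlock in this kernel or LSM list; EPERM: seccomp blocks it. */
    if (rfd < 0)
        return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? LL_UNAVAILABLE : LL_ERROR;
    struct landlock_path_beneath_attr pb = {
        .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |
                          LANDLOCK_ACCESS_FS_EXECUTE,
        .parent_fd = open(allow_ro, O_PATH | O_CLOEXEC),  /* example path, assumed to exist */
    };
    int rc = pb.parent_fd < 0 ? -1
           : syscall(SYS_landlock_add_rule, rfd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
    if (pb.parent_fd >= 0) close(pb.parent_fd);
    /* no_new_privs is mandatory: a confined process must not regain rights via setuid. */
    if (rc == 0) rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
    if (rc == 0) rc = syscall(SYS_landlock_restrict_self, rfd, 0);
    close(rfd);
    return rc == 0 ? LL_ENFORCED : LL_ERROR;
}
/* Sandbox a forked child (parent stays unconfined), then show /dev/null cannot be opened for writing. */
static int landlock_demo(void)
{
    pid_t pid = fork();
    int status;
    if (pid == 0) {
        int r = landlock_restrict_readonly("/usr");
        if (r != LL_ENFORCED) _exit(r);
        int fd = open("/dev/null", O_WRONLY | O_CLOEXEC);
        _exit(fd < 0 && errno == EACCES ? LL_ENFORCED : 3);  /* 3: write was NOT denied */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return LL_ERROR;
    return WEXITSTATUS(status) <= LL_UNAVAILABLE ? WEXITSTATUS(status) : LL_ERROR;
}
```

Call landlock_demo() from main(); it returns LL_ENFORCED when the denial was observed and LL_UNAVAILABLE when the kernel cannot enforce the policy, so a caller can tell a working sandbox from a silently absent one.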
Conclusion
Linux Security Modules provide powerful mechanisms for enforcing security policies beyond traditional discretionary access control models. SELinux and AppArmor are the most widely used, each offering different approaches to security enforcement. Smack and TOMOYO provide alternative MAC-based controls, while Landlock introduces a new paradigm of unprivileged sandboxing. The choice of an LSM depends on the security requirements of the system and the complexity an administrator is willing to manage.