Andreas Christoforou         home     posts

Introduction to LSM Linux security Module Framework

The Linux Security Module framework provides a mechanism for various security checks to be hooked by new kernel extensions.
The LSM are not actually loadable kernel modules, instead are selectable at build time via CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the “security=…” in case that more than LSM built in to the kernel. Linux Mandatory Access Control (MAC) or policy based access control used to enable addition checks base on a policy describing what kind of operations are allowed for which process in which context. Examples of LSM interface are SELinux, Smack, Tomoyo, and AppArmor. Without enabling a specific LSM to the kernel the Linux capabilities will be a default LSM.

To see the enabled and active security modules use the following command.

cat /sys/kernel/security/lsm

Example of Linux Security Module.

YAMA

Yama is a Linux Security Module that collects system-wide DAC security protections that are not handle by the core kernel itself. It does Discretionary Access Control of some kernel related functions, like defining if process tracing (prace) is allowed. Linux DAC permissions are classical unix checks compare the current process with UID GID versus the UID and GID of the file being accessed with the checks of which modes are been set “read/write/execute”.

To enable YAMA use CONFIG_SECURITY_YAMA=y on kernel config.

kernel.yama.ptrace_scope this parameter helps system administrators to select what processes can be debugged with ptrace.

To determine the active value of yama ptrace scooe we can use sysctl or check pseudo file system /proc and find the related key.

sysctl kernel.yama.ptrace_scope

or

cat /proc/sys/kernel/yama/ptrace_scope


kernel.yama.ptrace_scope = 0: all processes can be debugged, as long as they have same uid. This is the classical way of how ptracing worked.
kernel.yama.ptrace_scope = 1: only a parent process can be debugged.
kernel.yama.ptrace_scope = 2: Only admin can use ptrace, as it required CAP_SYS_PTRACE capability.
kernel.yama.ptrace_scope = 3: No processes may be traced with ptrace. Once set, a reboot is needed to enable ptracing again.

Examples of the two most popular MAC extensions are below.

Apparmor

AppArmor is MAC style security extension for the Linux kernel. It implements a task centered policy, with task “profiles” being created and loaded from user space. Tasks on the system that do not have a profile defined for them run in an unconfined state which is equivalent to standard Linux DAC permissions.

To enable apparmor use CONFIG_SECURITY_APPARMOR=y on kernel config

Check apparmor status

apparmor_status

Selinux

Selinux is MAC style security extension built into the Linux kernel and defines the access and transition rights of each user, applications, processs and files on the system. The decision making process when you try to access an object example file the policy enforcement server in the kernel will checks an access vector cache AVC and checks if you can access the file or not.

To enable selinux use CONFIG_SECURITY_SELINUX=y on kernel config.	

There are three modes on Selinux enforcing which will check and deny or grant an access, permissive where AVC will check and log the attemp if is denied and selinux will not enforce the policy and last mode is disabled where the selinux is fully disabled.

Check Selinux status

sestatus -v

Sources

https://www.kernel.org/doc/html/v4.16/admin-guide/LSM/index.html
https://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/