linux安全模塊（lsm）外文翻譯

1、<p><b>　　濱州學(xué)院</b></p><p><b>　　專業(yè)外文翻譯</b></p><p><b>　　二〇一一年五月八日</b></p><p>　　Linux security module (LSM)</p><p>　　Linux security

2、 module (LSM) is a lightweight Linux kernel universal access control framework. This paper introduces Linux security module (LSM) related background, design idea and realization method; And instructions on how to use Lin

3、ux security module (LSM) to enhance the security of Linux system: on the one hand is for the kernel development personnel and security researchers used interface, on the other hand is for ordinary users use of modules, a

4、nd the specific use method. If the reader has </p><p>　　1. Related background introduction: why and what </p><p>　　In recent years because of its excellent Linux system performance and stability

5、, open source characteristic brings flexibility and expansibility, and a low cost, by the computer industry wide attention and applications. But in safety, Linux kernel provides only classic UNIX independent access contr

6、ol (root user, the user ID, mode a security mechanism), and parts of the POSIX support 1e capabilities of the draft standards j security mechanism and the security of the system for the Linux is not en</p><p&g

7、t;　　There are many security access control model and the frame has been studied and developed to enhance the security of Linux, compares well-known have security enhancements Linux (SELinux), the domain and type enhancem

8、ent (DTE), and Linux intrusion detection systems (LIDS), etc. But since no one system can get into Linux dominant position kernel become standard; And most of these systems in various forms of the kernel patch provides,

9、use these system needs a compiler and custom kernel ability, for</p><p>　　Linux security module (LSM) is a lightweight Linux kernel universal access control framework. It makes all sorts of different securit

10、y access control model can to Linux kernel module can be loaded the form of come out, the user can realize according to its needs to choose suitable safety modules loaded into the Linux kernel, which greatly improve the

11、Linux security access control mechanism of flexibility and accessibility. At present there are many famous enhance access control system transplant</p><p>　　2. Introduced: let design thinking both satisfacti

12、on </p><p>　　Linux security module (LSM) design must try to meet the requirements of two aspects: let not man who need them as little so getting in trouble; Meanwhile let those who need it so to get useful a

13、nd efficient function. </p><p>　　Linus Torvalds represented by the kernel developers to Linux security module (LSM) proposes three requirements: </p><p>　　True universal, when using a different

14、security model, only need to load a different kernel modules </p><p>　　Concept of Linux kernel, simple, efficient, and minimal effects that can support the existing POSIX 1e capabilities logic, j as an optio

15、nal security module </p><p>　　On the other hand, all sorts of different Linux security enhancements system for Linux security module (LSM) request is: can allow them to the form of loading kernel modules to

16、achieve its security functions, and not in safety brings apparent loss, will also bring extra system overhead. </p><p>　　In order to satisfy the design goal, Linux security module (LSM) adopted in the kernel

17、 code by the method of placing hooks to arbitration for kernel internal objects visit, these objects are: inode node, task, open files, etc. User process execution system, the first travel Linux kernel call of the origin

18、al logic find and allocation of resources, error checking, and after classic UNIX independent access control in Linux kernel, just trying to visit to internal object, before a Linux security mod</p><p>　　On

19、the other hand, in order to satisfy the most existing Linux security enhancements system need, Linux security module (LSM) adopted a simplified design decisions. Linux security module (LSM) now main support most existing

20、 security enhancements the core of the system function: access control; And for some security enhancements system requirements of other security functions, such as safety audit, provides only a small amount of support. L

21、inux security module (LSM) now main support "restricted t</p><p>　　3. Realizing method for Linux kernel introduced: the modification </p><p>　　Linux security module (LSM) at present as a Li

22、nux kernel patch form realized. Its itself does not provide any specific security strategy, but provides a general base system to the security module, by security module to achieve specific security strategy. Its main in

23、 five aspects for Linux kernel change: </p><p>　　In particular the kernel data structures joined the secure domain </p><p>　　In kernel code inserted the different key points of safety hook funct

24、ions calls </p><p>　　Join a general safety system call </p><p>　　Provides functions allow kernel modules for security module, or cancellation of the registration </p><p>　　Most of t

25、he transplant capabilities logic will be for an optional security module </p><p>　　Five aspects to modify them one by one to do briefly introduced. </p><p>　　Security domain is a use void * kind

26、s of Pointers, it makes the safety information security module connected with the kernel internal object. Listed below is modified to join the security domain, the kernel data structures and their respective represents t

27、he kernel internal object: </p><p>　　Task_struct structure: on behalf of the tasks (process) </p><p>　　Linux_binprm structure: on behalf of the program </p><p>　　Super_block structu

28、re: on behalf of the file system </p><p>　　Inode structure: on behalf of the pipeline, documents, or Socket Socket </p><p>　　File structure: on behalf of the open file </p><p>　　Sk_

29、buff structure: on behalf of the network buffer (pack) </p><p>　　Net_device structure: on behalf of the network equipment </p><p>　　Kern_ipc_perm structure: representative Semaphore signals, Sha

30、red memory section, or the message queue </p><p>　　Msg_msg: on behalf of the single message </p><p>　　In addition, msg_msg structure, msg_queue structure, shmid_kernel structure was moved to inc

31、lude/Linux/MSG. H and include/Linux/SHM. H the two header file, make security module can use these definitions. </p><p>　　Linux security module (LSM) provides two kinds of safety hook functions: a kind of ca

32、ll the secure domain object management kernel, another kind of these kernel object arbitration visit. The call for safety hook functions by hook to realize, hook is the global table security_ops function pointer and the

33、global table type is security_operations structure, this structure definition include/Linux/security in j h this header file, this structure contains the object or the kernel subsystem according </p><p>　　Li

34、nux security module (LSM) provides a general safety system calls for safety, allow security module the corresponding applied writing new system call, its style similar to the original Linux system call socketcall (), is

35、a multiple system call. This system call for security (), its parameters for (unsigned int id, unsigned int call, unsigned args), including to * id represents module descriptors, call representative call descriptors, arg

36、s representative argument list. This system call the defau</p><p>　　In the process of kernel guide, Linux security module (LSM) framework is initialized to a series of virtual hook functions, in order to rea

37、lize the traditional UNIX super user mechanism. When loading a security module, must use register_security () function to Linux security module (LSM) framework register this security module: this function will set the gl

38、obal table security_ops, make its pointer to the security module of hook, thus make the kernel function Pointers to the security module ask a</p><p>　　Linux kernel 1e capabilities to POSIX. Now a subset of t

39、he support. Linux security module (LSM) design of a demand is put this function the transplant as an optional security module. POSIX 1e capabilities provides division j traditional super user privileges and assigned to a

40、 specific process function. Linux security module (LSM) retained used to perform in the kernel of the existing webmasters - check the interface, but () () function simplified webmasters for a Linux security module (LSM)

41、hook</p><p>　　4. Interface specifications: give kernel development personnel and security researchers use hooks </p><p>　　Linux security module (LSM) for the kernel developers and security resea

42、rchers value lies in: can use its provide interface will existing security enhancements system transplanted into this framework, thus to the form of loading kernel modules can be provided to customers use; Or even can di

43、rectly write suits your needs security module. Linux security module (LSM) provide interface is hooks, its initially to a virtual function realized the default traditional UNIX super user mechanism, module wr</p>

44、<p>　　First is a mission hooks, Linux security module (LSM) provides a series of tasks hook makes security module can be management process and control process of safety information of the operation. Module can use

45、task_struct structure of security domain to maintain process safety information; Task hooks provides control inter-process communication of hook, such as know (); Also provides control on the current process hooks, such

46、as the privilege operation setuid (); Also provides for resource manage</p><p>　　Second is programs to load hooks. Many security module SELinux capabilities, including Linux, DTE will have, in a new program

47、execution ability to change privileges. Therefore Linux security module (LSM) provides a series of programs to load hooks, used in a execve () operation execution of the key point. Linux_binprm structure of security doma

48、in allows security module maintenance program load process of security information; Provides hooks used to allow security module in loading procedures bef</p><p>　　Once again, is inter-process communication

49、IPC hooks. Security module can use inter-process communication IPC hook to the security of the System V IPC management, and implementation of information access control. The IPC object data structure kern_ipc_perm sharin

50、g a substructure, and the substructure only one of ipcperms pointer to the existing () function, therefore Linux security access check module (LSM) in this sharing add a substructural secure domain. In order to support a

51、 single news safe</p><p>　　Below is the file system hooks. For file operations, defines three hooks: file system hooks, inode node hooks, and file hooks. Linux security module (LSM) in the corresponding thre

52、e kernel data structures joined the secure domain, it is respectively: super_block structure, inode structure, file structure. Super blocks file system hook makes safety for the entire document to control modules of the

53、system, such as mount, operation, and unloading statfs (). Linux security module (LSM) in permission</p><p>　　Next is the network hooks. The application layer of network access used a series of socket socket

54、 hook to arbitration, these hooks basic covers all socket socket based on the agreement. Since each activation user socket socket with a inode structure there, so in the lower level socket structure or sock structure is

55、no join the secure domain. Socket socket to relevant process hook network access provides a general arbitration, thereby significantly expanded the kernel network access control frame</p><p>　　The last is ot

56、her hooks. Linux security module (LSM) provides two other series of hook: module hooks and top system hooks. Module hooks is used to control the created, initialization, remove the kernel module kernel operation. Used to

57、 control the system operation system hook, such as setting a host name, visit the I/O port, as well as configuration process bookkeeping. Although now Linux kernel through the use of these system operation - check provid

58、es some support, but these check for different</p><p>　　5. Module explains: give ordinary users use off-the-shelf security function </p><p>　　Linux security module (LSM) for the average user'

59、;s value lies in: can provide various security module, choose to suit oneself by the user needs to be loaded into the kernel, meet certain safety functions. Linux security module (LSM) itself only provide enhanced access

60、 control strategy, and the mechanism of various security module implements specific specific security strategy. Below is a brief introduce some has been achieved security module. </p><p>　　SELinux. This is a

61、 Flask flexible access control system in the implementation, and on Linux provides type enhancement, role-based access control, and optional multilevel security strategy. SELinux turned out to be as a kernel patch implem

62、entation, now USES Linux security module (LSM) to realize for a security module. SELinux can be used to limit for minimal privileges, protect the process of progress and the integrity of the data and confidentiality, and

63、 support application security needs. </p><p>　　DTE Linux. This is a domain and type in the realization of enhanced on Linux. Like, like SELinux DTE Linux is originally as a kernel patch implementation, now U

64、SES Linux security module (LSM) to realize for a security module. When the security module is added to the kernel, type to be assigned to object, domain was assigned to a process. DTE strategy restricted zone and between

65、 from domain to type of access. </p><p>　　The ability of LSM transplantation Openwall kernel patch. Openwall kernel patch provides a series of safety feature set to protect the system against such as buffer

66、overflow and temporary files competition such attacks. A security module is being developed to support a subset of the Openwall patch. </p><p>　　POSIX 1e capabilities j. Linux kernel already exists a POSIX.

67、1e capabilities logic, but Linux security module (LSM) put this logic division to a security module. Such modification makes don't need from their core user can the function of omitting; Also makes the development of

68、 capabilities logic can leave the kernel development gain greater independence. </p><p>　　LIDS. This is the Chinese XieHuaGang launch projects. Started as an intrusion detection system development, then grad

69、ually evolved into use access control system form, it through intrusion prevention described a given program can visit files to access control. Similarly, LIDS turned out to be as a kernel patch with realized and some ma

70、nagement tools, now already use Linux security module (LSM) to realize for a security module. </p><p>　　And of course the default traditional super user mechanism. This security module is Linux security modu

71、le (LSM) by default, realize the traditional UNIX super user privileges mechanism. </p><p>　　6. Specific usage explains: step by step </p><p>　　Linux security module (LSM) at present as a Linux

72、kernel patch form in the GPL license realization, for users to freely use released under. </p><p>　　First http://lsm.immunix.org/lsm_download.html users can download to correspond to Linux 2.4 stable version

73、 and Linux 2.5 development version of the ability of LSM patch, on a list, for example is a catalogue/path/to/Linux - 2.4. X, through the command to execute the following role in Linux kernel patch LSM on: </p>&l

74、t;p>　　# CD/path/to/Linux - 2.4. X </p><p>　　# zcat/path/to/patch - 2.4. X - LSM. Patch - | gz p1 </p><p>　　Then users can connect to have http://lsm.immunix.org/lsm_modules.html realizing saf

75、ety module site, download the needed security module, will security module to Linux kernel loaded, so that users need security strategy can effect, thus improving the security of the system. Specific safety module instal

76、lation method here will skip, each security module will provide detailed installation instructions files, users can refer to these documents, such as SELinux security module installation instructi</p><p>　　I

77、f users have Linux kernel and safety related background knowledge and development experience, according to their own needs to write safety module security policy. At HTTP: / / can immunix org/j j LSM lsm_bk. HTML trackin

78、g check Linux security module (LSM) source code and existing security module of source code, reference its realization methods writing their own security module. So that to satisfy his safety requirements in the meanwhil

79、e, can also for Linux security module (LSM) development mak</p><p>　　7. The concrete use instructions: step by step </p><p>　　Linux security module (LSM) cause is: on the one hand Linux kernel e

80、xisting security mechanism is not enough; On the other hand the existing security enhancements system and hard to use did and. Linux security module (LSM) good solve this problem: on the one hand, to the kernel patch is

81、small and source code changes affect small, brought about by the load is not large also; On the other hand to existing security enhancements system provides better interface support, and has many good security mo</p&g

82、t;<p>　　Linux安全模塊（LSM）</p><p>　　Linux安全模塊（LSM）是Linux內(nèi)核的一個輕量級通用訪問控制框架。本文介紹Linux安全模塊（LSM）的相關(guān)背景，設(shè)計思想，實(shí)現(xiàn)方法；并說明如何使用Linux安全模塊（LSM）來增強(qiáng)Linux系統(tǒng)的安全性：一方面是供內(nèi)核開發(fā)人員和安全研究人員使用的接口，另一方面是供普通用戶使用的模塊，以及具體的使用方法。如果讀者具有Linux

83、內(nèi)核和安全的相關(guān)背景知識，可以有助于對本文的理解；如果不具有，可以先閱讀本文最后參考資料中列出的IBM dW上的三篇文章。</p><p>　　1.相關(guān)背景介紹：為什么和是什么</p><p>　　近年來Linux系統(tǒng)由于其出色的性能和穩(wěn)定性，開放源代碼特性帶來的靈活性和可擴(kuò)展性，以及較低廉的成本，而受到計算機(jī)工業(yè)界的廣泛關(guān)注和應(yīng)用。但在安全性方面，Linux內(nèi)核只提供了經(jīng)典的UNIX自主

84、訪問控制（root用戶，用戶ID，模式位安全機(jī)制），以及部分的支持了POSIX.1e標(biāo)準(zhǔn)草案中的capabilities安全機(jī)制，這對于Linux系統(tǒng)的安全性是不足夠的，影響了Linux系統(tǒng)的進(jìn)一步發(fā)展和更廣泛的應(yīng)用。</p><p>　　有很多安全訪問控制模型和框架已經(jīng)被研究和開發(fā)出來，用以增強(qiáng)Linux系統(tǒng)的安全性，比較知名的有安全增強(qiáng)Linux（SELinux），域和類型增強(qiáng)（DTE），以及Linux入侵檢

85、測系統(tǒng)（LIDS）等等。但是由于沒有一個系統(tǒng)能夠獲得統(tǒng)治性的地位而進(jìn)入Linux內(nèi)核成為標(biāo)準(zhǔn)；并且這些系統(tǒng)都大多以各種不同的內(nèi)核補(bǔ)丁的形式提供，使用這些系統(tǒng)需要有編譯和定制內(nèi)核的能力，對于沒有內(nèi)核開發(fā)經(jīng)驗(yàn)的普通用戶，獲得并使用這些系統(tǒng)是有難度的。在 2001年的Linux內(nèi)核峰會上，美國國家安全局（NSA）介紹了他們關(guān)于安全增強(qiáng)Linux（SELinux）的工作，這是一個靈活的訪問控制體系 Flask在Linux中的實(shí)現(xiàn)，當(dāng)時Linux

86、內(nèi)核的創(chuàng)始人Linus Torvalds同意Linux內(nèi)核確實(shí)需要一個通用的安全訪問控制框架，但他指出最好是通過可加載內(nèi)核模塊的方法，這樣可以支持現(xiàn)存的各種不同的安全訪問控制系統(tǒng)。因此，Linux安全模塊（LSM）應(yīng)運(yùn)而生。</p><p>　　Linux安全模塊（LSM）是Linux內(nèi)核的一個輕量級通用訪問控制框架。它使得各種不同的安全訪問控制模型能夠以Linux可加載內(nèi)核模塊的形式實(shí)現(xiàn)出來，用戶可以根據(jù)其需求

87、選擇適合的安全模塊加載到Linux內(nèi)核中，從而大大提高了Linux安全訪問控制機(jī)制的靈活性和易用性。目前已經(jīng)有很多著名的增強(qiáng)訪問控制系統(tǒng)移植到Linux安全模塊（LSM）上實(shí)現(xiàn)，包括POSIX.1e capabilities，安全增強(qiáng)Linux（SELinux），域和類型增強(qiáng)（DTE），以及Linux入侵檢測系統(tǒng)（LIDS）等等。雖然目前 Linux安全模塊（LSM）仍然是作為一個Linux內(nèi)核補(bǔ)丁的形式提供，但是其同時提供Linux

88、2.4穩(wěn)定版本的系列和Linux 2.5開發(fā)版本的系列，并且很有希望進(jìn)入Linux 2.6穩(wěn)定版本，進(jìn)而實(shí)現(xiàn)其目標(biāo)：被Linux內(nèi)核接受成為Linux內(nèi)核安全機(jī)制的標(biāo)準(zhǔn)，在各個Linux發(fā)行版中提供給用戶使用。</p><p>　　2. 設(shè)計思想介紹：得讓兩方面都滿意</p><p>　　Linux安全模塊（LSM）的設(shè)計必須盡量滿足兩方面人的要求：讓不需要它的人盡可能少的因此得到麻煩；同

89、時讓需要它的人因此得到有用和高效的功能。 </p><p>　　以Linus Torvalds為代表的內(nèi)核開發(fā)人員對Linux安全模塊（LSM）提出了三點(diǎn)要求：</p><p>　　真正的通用，當(dāng)使用一個不同的安全模型的時候，只需要加載一個不同的內(nèi)核模塊</p><p>　　概念上簡單，對Linux內(nèi)核影響最小，高效，并且能夠支持現(xiàn)存的POSIX.1e capabi

90、lities邏輯，作為一個可選的安全模塊</p><p>　　另一方面，各種不同的Linux安全增強(qiáng)系統(tǒng)對Linux安全模塊（LSM）提出的要求是：能夠允許他們以可加載內(nèi)核模塊的形式重新實(shí)現(xiàn)其安全功能，并且不會在安全性方面帶來明顯的損失，也不會帶來額外的系統(tǒng)開銷。</p><p>　　為了滿足這些設(shè)計目標(biāo)，Linux安全模塊（LSM）采用了通過在內(nèi)核源代碼中放置鉤子的方法，來仲裁對內(nèi)核內(nèi)部

91、對象進(jìn)行的訪問，這些對象有：任務(wù)，inode結(jié)點(diǎn)，打開的文件等等。用戶進(jìn)程執(zhí)行系統(tǒng)調(diào)用，首先游歷Linux內(nèi)核原有的邏輯找到并分配資源，進(jìn)行錯誤檢查，并經(jīng)過經(jīng)典的UNIX自主訪問控制，恰好就在Linux內(nèi)核試圖對內(nèi)部對象進(jìn)行訪問之前，一個Linux安全模塊（LSM）的鉤子對安全模塊所必須提供的函數(shù)進(jìn)行一個調(diào)用，從而對安全模塊提出這樣的問題"是否允許訪問執(zhí)行？"，安全模塊根據(jù)其安全策略進(jìn)行決策，作出回答：允許，或者拒絕

92、進(jìn)而返回一個錯誤。</p><p>　　另一方面，為了滿足大多數(shù)現(xiàn)存Linux安全增強(qiáng)系統(tǒng)的需要，Linux安全模塊（LSM）采取了簡化設(shè)計的決策。Linux安全模塊（LSM）現(xiàn)在主要支持大多數(shù)現(xiàn)存安全增強(qiáng)系統(tǒng)的核心功能：訪問控制；而對一些安全增強(qiáng)系統(tǒng)要求的其他安全功能，比如安全審計，只提供了的少量的支持。Linux安全模塊（LSM）現(xiàn)在主要支持"限制型"的訪問控制決策：當(dāng)Linux內(nèi)核給予訪

93、問權(quán)限時，Linux安全模塊（LSM）可能會拒絕，而當(dāng)Linux內(nèi)核拒絕訪問時，就直接跳過Linux安全模塊（LSM）；而對于相反的"允許型"的訪問控制決策只提供了少量的支持。對于模塊功能合成，Linux安全模塊（LSM）允許模塊堆棧，但是把主要的工作留給了模塊自身：由第一個加載的模塊進(jìn)行模塊功能合成的最終決策。所有這些設(shè)計決策可能暫時影響了Linux安全模塊（LSM）的功能和靈活性，但是大大降低了Linux安全模塊

94、（LSM）實(shí)現(xiàn)的復(fù)雜性，減少了對Linux內(nèi)核的修改和影響，使得其進(jìn)入Linux 內(nèi)核成為安全機(jī)制標(biāo)準(zhǔn)的可能性大大提高；等成為標(biāo)準(zhǔn)后，可以改變決策，增加功能和靈活性。</p><p>　　3. 實(shí)現(xiàn)方法介紹：對Linux內(nèi)核的修改</p><p>　　Linux安全模塊（LSM）目前作為一個Linux內(nèi)核補(bǔ)丁的形式實(shí)現(xiàn)。其本身不提供任何具體的安全策略，而是提供了一個通用的基礎(chǔ)體系給安全模塊

95、，由安全模塊來實(shí)現(xiàn)具體的安全策略。其主要在五個方面對Linux內(nèi)核進(jìn)行了修改：</p><p>　　在特定的內(nèi)核數(shù)據(jù)結(jié)構(gòu)中加入了安全域</p><p>　　在內(nèi)核源代碼中不同的關(guān)鍵點(diǎn)插入了對安全鉤子函數(shù)的調(diào)用</p><p>　　加入了一個通用的安全系統(tǒng)調(diào)用</p><p>　　提供了函數(shù)允許內(nèi)核模塊注冊為安全模塊或者注銷</p>

96、<p>　　將capabilities邏輯的大部分移植為一個可選的安全模塊</p><p>　　下面對這五個方面的修改逐個做簡要的介紹。</p><p>　　安全域是一個void*類型的指針，它使得安全模塊把安全信息和內(nèi)核內(nèi)部對象聯(lián)系起來。下面列出被修改加入了安全域的內(nèi)核數(shù)據(jù)結(jié)構(gòu)，以及各自所代表的內(nèi)核內(nèi)部對象：</p><p>　　task_struc

97、t結(jié)構(gòu)：代表任務(wù)（進(jìn)程）</p><p>　　linux_binprm結(jié)構(gòu)：代表程序</p><p>　　super_block結(jié)構(gòu)：代表文件系統(tǒng)</p><p>　　inode結(jié)構(gòu)：代表管道，文件，或者Socket套接字</p><p>　　file結(jié)構(gòu)：代表打開的文件</p><p>　　sk_buff結(jié)構(gòu)：代表網(wǎng)

98、絡(luò)緩沖區(qū)（包）</p><p>　　net_device結(jié)構(gòu)：代表網(wǎng)絡(luò)設(shè)備</p><p>　　kern_ipc_perm結(jié)構(gòu)：代表Semaphore信號，共享內(nèi)存段，或者消息隊列</p><p>　　msg_msg：代表單個的消息</p><p>　　另外，msg_msg結(jié)構(gòu)，msg_queue結(jié)構(gòu)，shmid_kernel結(jié)構(gòu)被移到inc

99、lude/linux/msg.h和include/linux/shm.h這兩個頭文件中，使得安全模塊可以使用這些定義。</p><p>　　Linux安全模塊（LSM）提供了兩類對安全鉤子函數(shù)的調(diào)用：一類管理內(nèi)核對象的安全域，另一類仲裁對這些內(nèi)核對象的訪問。對安全鉤子函數(shù)的調(diào)用通過鉤子來實(shí)現(xiàn)，鉤子是全局表security_ops中的函數(shù)指針，這個全局表的類型是security_operations結(jié)構(gòu)，這個結(jié)構(gòu)定