Implementing SELinux as a Linux Security Module Stephen Smalley NSA [email protected] Chris Vance NAI Labs [email protected] Wayne Salamon NAI Labs [email protected] This work supported by NSA contract MDA904-01-C-0926 (SELinux) Initial: December 2001, Last revised: Feb 2006 NAI Labs Report #01-043 Table of Contents 1. Introduction............................................................................................................................................5 2. Acknowledgements ................................................................................................................................6 3. LSM Overview .......................................................................................................................................6 4. SELinux Basic Concepts .......................................................................................................................7 5. Changes from the Original SELinux Kernel Patch............................................................................8 5.1. General Changes .........................................................................................................................8 5.1.1. Adding a New Level of Indirection ................................................................................8 5.1.2. Dynamically Allocating Security Fields ........................................................................9 5.1.3. Stacking with the Capabilities Module...........................................................................9 5.1.4. Redesigning the SELinux API........................................................................................9 5.1.5. Leveraging Linux Permission Functions........................................................................9 5.2. Program Execution Changes.....................................................................................................10 5.2.1. File execute_no_trans Permission..........................................................................10 5.2.2. Inheritance of State.......................................................................................................10 5.3. Filesystem Changes...................................................................................................................11 1 Implementing SELinux as a Linux Security Module 5.3.1. Labeling of Persistent Files ..........................................................................................11 5.3.2. Pseudo Filesystem Labeling.........................................................................................11 5.3.3. Leveraging permission .............................................................................................12 5.3.4. File Descriptor Permissions..........................................................................................12 5.3.5. Pipe Security Class.......................................................................................................13 5.4. Socket IPC and Networking Changes.......................................................................................13 5.4.1. Redesigning Network Access Controls ........................................................................13 5.4.2. Storing Socket Security Data........................................................................................13 5.4.3. Minimally Invasive Hooks............................................................................................13 5.4.4. File Descriptor Transfer................................................................................................14 5.4.5. Omitting Low-Level ioctl Controls...........................................................................14 5.4.6. Extended Socket Calls..................................................................................................14 5.5. System V IPC Changes .............................................................................................................14 5.5.1. Storing IPC Security Data ............................................................................................15 5.5.2. Leveraging ipcperms..................................................................................................15 5.6. Miscellaneous Changes.............................................................................................................15 6. Internal Architecture...........................................................................................................................15 7. Initialization .........................................................................................................................................17 7.1. selinux_init................................................................................................................................17 7.2. selinux_nf_ip_init .....................................................................................................................17 7.3. sel_netif_init..............................................................................................................................17 7.4. selnl_init....................................................................................................................................17 7.5. init_sel_fs ..................................................................................................................................18 7.6. selinux_complete_init ...............................................................................................................18 8. Stacking with Other Modules.............................................................................................................18 9. SELinux API ........................................................................................................................................19 10. Helper Functions for Hook Functions .............................................................................................20 10.1. Primitive Allocation Helper Functions ...................................................................................20 10.2. Initialization Helper Functions................................................................................................20 10.3. Permission Checking Helper Functions..................................................................................21 11. Task Hook Functions.........................................................................................................................21 11.1. Managing Task Security Fields...............................................................................................21 11.1.1. Task Security Structure...............................................................................................21 11.1.2. task_alloc_security and task_free_security ................................................................22 11.1.3. selinux_task_reparent_to_init.....................................................................................22 11.1.4. selinux_task_post_setuid............................................................................................22 11.1.5. selinux_task_to_inode ................................................................................................22 11.1.6. selinux_getprocattr .....................................................................................................22 11.1.7. selinux_setprocattr......................................................................................................22 11.2. Controlling Task Operations ...................................................................................................23 11.2.1. Helper Functions for Checking Task Permissions......................................................23 11.2.2. Hook Functions for Controlling Task Operations ......................................................24 2 Implementing SELinux as a Linux Security Module 12. Program Loading Hook Functions...................................................................................................25 12.1. Managing Binprm Security Fields ..........................................................................................25 12.1.1. Binprm Security Structure..........................................................................................25 12.1.2. selinux_bprm_alloc_security and selinux_bprm_free_security.................................26 12.1.3. selinux_bprm_set_security.........................................................................................26 12.1.4. selinux_bprm_apply_creds.........................................................................................27 12.1.5. selinux_bprm_post_apply_creds ................................................................................27 12.1.6. selinux_bprm_secureexec...........................................................................................28 13. Superblock Hook Functions..............................................................................................................29 13.1. Managing Superblock Security Fields ....................................................................................29 13.1.1. Superblock Security Structure....................................................................................29 13.1.2. superblock_alloc_security and superblock_free_security..........................................30 13.1.3. superblock_doinit .......................................................................................................30