Securing Linux with Mandatory Access Control

Security is a growing problem for any software. Now and then new software vulnerabilities even in Linux kernel are reported. 

Effective use of access control provided by the operating system can assist to mitigate software vulnerabilities. Mostly, people are familiar with Discretionary Access Control (DAC) available in UNIX like operating systems. 

DAC restricts access to resources based on users and/or groups they belong. E.g. owner of a file can set read, write and execute permissions and so a user is in control of who can access and modify a resource. In other words, access to a resource is at the user’s discretion. 

This creates a problem where a compromised program inherits access controls of the user and so can-do things that users can do. If a compromised process happens to be running with effective superuser privileges, an attacker can take full control of the system. This is undesired, to say the least.

Instead of deciding what a program can and cannot do based on DAC measures, it is more secure to let programs only do what they need to perform their tasks. So even if a program runs with effective root privileges, it cannot do anything other than it is allowed to do. This type of control over capabilities and permissions is called Mandatory Access Control (MAC). 

Mandatory Access Control (MAC) uses Linux Security Modules (LSM) integrated into the kernel. LSM is a generic framework such that different MAC extensions can be implemented by loading a different kernel module. Modules rely on kernel hooks which in turn allow them to extend kernel’s behavior.

System call executed by a user process traverses through kernel’s existing logic for resource lookup, error check, and DAC check. Given all checks are passed, before kernel grants access to the resource, LSM hook makes a call to active security policy to consult if access should be denied or granted.

Some of the hooks provided by LSM are,

  1. Module hooks – to provide control over module loading and unloading
  2. Network hooks – to provide control over sockets, transport layer, network layer etc.
  3. Task Hooks – to provide control over the lifecycle of a task
  4.  Virtual File system hooks – to provide control over superblock, inode, and actual file operations. 
  5.  IPC hooks – to provide control over IPC mechanisms like message queues, shared memory, and semaphores

MAC extension developers can then use these hooks to implement the logic to extend/implement access control.

Some of the accepted official Linux kernel MAC extensions are Security Enhanced Linux (SELinux), Simplified Mandatory Access Control Kernel (SMACK), Application Armor (AppArmor), etc.

In the next blog post, I will write about my experiences with SELinux. 

Best Regards,

Abhijeet Shirolikar, Senior Software Developer