Snet and the LSM API

Please consider subscribing to LWN

Subscriptions are the lifeblood of LWN.net. If you appreciate this content and would like to see more of it, your subscription will help to ensure that LWN continues to thrive. Please visit this page to join up and keep LWN on the net.

By Jake Edge
January 28, 2009

A new security module, called snet (which is short for "security for network syscalls") was recently posted as an RFC on the linux-security-module mailing list. Its purpose is rather simple—much simpler than the two current mainline users of the LSM interface—intercept system calls for networking and call out to user space to determine if they are to be allowed. The idea is to be able to create Linux versions of the "personal firewall" that is popular on Windows machines. Reaction to snet was mixed, partially because of a disdain for that type of security tool, but also because it is implemented using LSM.

Snet, developed by Samir Bellabes, consists of a kernel piece which uses LSM to hook the "interesting" socket-related system calls (socket(), bind(), connect(), listen(), and accept()), as well as a user space library that can be used to accept or deny those calls. Communication between the kernel and user space is handled by a netlink socket using libnl. The decisions are then cached in the kernel to reduce the number of calls required to user space. That last part is important because personal firewalls typically pop up a request on the user's display asking them to decide whether to allow the system call. Timeouts can be established for the user-space calls, along with a default response if the timeout is reached.

This "user request" feature of personal firewalls is one thing that many find objectionable. As Paul Moore puts it: "my opinion is that it is a poor option for security and typically only results in training the user to click the 'allow' button when the pfwall [dialog] box pops up on his/her screen". Yet it is a "feature" of other operating systems and not completely unreasonable for Linux to support. From that perspective, snet seems like a reasonable starting point.

There are a few other problems, though, stemming from the decision to use the LSM API. Peter Dolding seems to think this capability should be added to netfilter, rather than built as a standalone solution. Others pointed out that netfilter is sufficiently low-level that any context about users or processes that are performing these operations is not available. That could change, but it would take a concerted effort to change the netfilter code, which doesn't seem likely near-term, if ever.

A larger problem comes from the inability to stack LSM modules. If a user is interested in the kinds of protection that snet can provide, they must forgo any other LSM-implemented security solution (i.e. SELinux, Smack, AppArmor, TOMOYO, etc.). A parallel discussion about LSM stacking is also occurring on linux-security-module, partially motivated by the needs of snet and other "smaller" security solutions. Those tools do not implement a full-scale security solution a la SELinux or Smack, but instead try to handle a smaller subset of the problem.

LSM stacking also came up at the LCA security panel, so it is certainly on the minds of Linux security developers. Casey Schaufler sums up the current state of affairs along with a look to a possible future:

Stacking of special purpose LSMs would be a great idea. One reason that we don't have special purpose LSMs is that you can't stack them, you have to provide the entire "solution" in the one LSM. Of course, complete solutions don't stack.

I would be very interested to see an LSM that does nothing but multiplex other LSMs. That would make multiple unrelated LSMs feasible without trying to create something that could deal with SELinux's and Smack's different notions of network access control model. You could revive the notion of loadable modules while you're at it. The LSM Multiplexer LSM could put any restrictions on the LSMs it is willing to support.

It seems likely that someone will try to build an LSM-multiplexer before too long. In addition to snet, the TuxGuardian project appears to be reawakening after a period of quiet. It is similar to snet, and also uses LSM to trap network accesses. Other projects are also mentioned in the threads on linux-security-module. In the end, it is just too limiting to require that all security modules implement a full-scale security solution, and since LSM is the only accepted way to implement some of these hooks, some middle ground will likely be found.

In another related thread, Schaufler notes that a lot of what is being described for personal firewalls could be implemented using SELinux—at least as a starting point. One sticking point to that particular solution is the user interaction required. It is hard to see how an SELinux-derived solution could interact with the user for some decisions, but not others. It also is clearly outside of the scope of what SELinux is intended for.

While snet may implement "bad security" in some minds, the discussion about it, especially with regard to LSM stacking has been very valuable. It may turn out that there is no sane way to stack arbitrary security modules in a way that a) makes sense and b) doesn't drive all of the security developers insane. But there are some reasonable use cases for that capability so it would seem that an investigation of those possibilities is warranted. With luck we will soon see where it leads.

Index entries for this article
Kernel	Security/Security modules
Security	Linux Security Modules (LSM)

(Log in to post comments)

Stacking LSM

Posted Jan 29, 2009 3:29 UTC (Thu) by dwheeler (guest, #1216) [Link]

Stacking is NOT a new idea. Back in 2002 I developed a small stacker for LSM as it existed at the time (http://www.dwheeler.com/misc/stacker.c).

Serge E. Hallyn took up the idea and ran with it. His work is here:

http://sourceforge.net/projects/lsm-stacker

LSM stacking still makes sense. Sure, there are cases where you can't reasonably combine components, but it's still useful.

Snet and the LSM API

Posted Jan 29, 2009 4:12 UTC (Thu) by pragmatine (guest, #39557) [Link]

Interestingly a few years ago I started work on a more general framework to allow userspace to allow / deny different security decisions using the LSM API called PULSE: A Pluggable User-space Linux Security Environment - and to demo the framework I implemented a basic personal firewall - so this looks quite similar to that. When doing this work I also identified similar concerns to those raised about snet (ie. training users to just click allow) - more info is available in the following paper: http://crpit.com/abstracts/CRPITV81Murray.html - source is online at sourceforge: http://sourceforge.net/projects/pulse-lsm/

Unfortunately I haven't been able work on this since then so its a bit outdated but some of the ideas could be useful for the snet developer and for others developing custom LSM modules.

Incidentally, I believe the ability to stack LSM modules would greatly improve their adoption, this way you could have a number of modules which each do one thing well - ie. AppArmor for file access control and perhaps snet for network access control, rather than trying to have something like SELinux for everything.

Snet and the LSM API

Posted Jan 29, 2009 4:18 UTC (Thu) by pragmatine (guest, #39557) [Link]

One more comment about PULSE - the thing I want to emphasise is this is a general framework for allowing normal users to exercise mandatory access controls over their own processes, and so it is much more flexible than all the existing frameworks (SELinux, AppArmor, SMACK etc) which only allow the system administrator to define access controls for ALL users. PULSE allows different users to give their applications different permissions, since it is user-specific, and user-centric. It is also highly dynamic (allowing decisions to be made on the fly and also revoked on the fly), compared to SELinux etc which are based upon static security policies - hence it is much more oriented to desktop usage compared to SELinux etc which are more suited to servers which perform well-defined, static operations.