Linux Security Modules (LSM)

1 LKM (Linux Kernel Modules)

"Modules" of code that are needed in some installations and not in others. If needed always, compile/build as built-ins.
Object code file, .ko extension; see /lib/modules/
insmod loads a module; kernel address space expands, now includes the methods of the module; some of them are syscalls.
rmmod unload the module; kernel no longer has the module and its methods.
lsmod list the kernel module currently in the kernel
Path name of where the modules are:

root@Sutherland:~# ls /lib/modules/4.12.0-12-generic/ -R | wc -l

8164

Goal: Modularize security as much as possible. An LSM is an LKM.
http://elixir.free-electrons.com/linux/latest/source/include/linux/security.h
hooks := upcalls to a module's methods at security-critical points within the kernel
An LSM author can control functions called by these hooks to enforce policies
Linux also adds an opaque security pointer that LSM can use to store security info they need in processes, inodes, sockets, etc.
LSM hooks are placed so that the Linux DAC checks are performed first, and only if they succeed, is LSM code invoked.

Figure 1: Access Control with LSM Module

https://www.kernel.org/doc/htmldocs/lsm/ General Security Hooks for Linux
Despite LSM being developed as a security API, LSM provides hooks that could be used by rootkits. http://grsecurity.net/lsm.php

Additional hooks were provided for working with tasks (nice, kill, setuid)
for program loading and controlling inheritance of state across program executions (such as file descriptors)
for IPC
for file ops (read, write, sockets)
for network ops (devices, syscalls, sk-buffs)
for module operations (create, register, delete)
for sytem operations (hostname, accessing I/O ports, process accounting)