[rsbac] How does RSBAC relate to the Linux Security Module framework (LSM)?

Amon Ott ao at rsbac.org
Fri Aug 8 13:57:10 MEST 2003


On Friday, 8. August 2003 11:08, Christian Schuhegger wrote:
> I was trying to find some information via Google on how RSBAC and LSM 
> are related. Does RSBAC use LSM, does it use a competing infrastructure 
> to LSM, or ...

LSM provides a set of low-level hooks in kernel functions, which use pointers 
to kernel internal structures as parameters.
RSBAC currently implements a separate set of hooks, which use a kernel 
version independent abstraction of the type of access and the target to be 
accessed.

In contrast to LSM, RSBAC has a full infrastructure for fast and efficient 
security model implementations, which is also mostly independent of the 
kernel version.

Based on v1.2.2, I have started porting RSBAC to kernel 2.6.0. LSM hooks will 
be used where they are useful. However, the registered LSM functions will be 
simple translations into the RSBAC abstraction, thus introducing another code 
layer.

The port is far from finished, so I cannot yet tell how many LSM hooks can be 
used and how many are missing for RSBAC. If only a few are missing, I will try 
to get them included into LSM. In any case, there will be some patch places 
left for init, mount notifications, secure delete, RSBAC data file lookup (in 
protected rsbac.dat dirs) etc.

If the LSM extra layer does not help much, RSBAC might not use it at all to 
keep its code cleaner and maybe a bit faster. I just cannot tell now, so I 
will first try it out. LSM will NOT be used in 2.4 kernels, because it is not 
part of the official tree, and there is no LSM patch for 2.2 kernels.

Please do not forget that most of the RSBAC code (everything in the 
tarballs) is shared for all kernel versions from the 2.2, 2.4 and 2.6 series, 
with a bunch of #if's at all the places where the kernel interfaces have 
changed once again.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
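
The translation layer described in the message above, as an added example that is not part of the original post and is not RSBAC or LSM code: a userspace C model in which a hook receives pointers to (mock) kernel structures, translates them into an access type plus target, and hands only that abstraction to the decision function. All type and function names, the policy and the sample device/inode numbers are hypothetical and constructed for illustration.

```c
/* Userspace model. All names are hypothetical, not LSM or RSBAC kernel API. */
#include <errno.h>
#include <stdio.h>

/* Stand-ins for the kernel-internal structures an LSM-style hook is handed. */
struct mock_inode { unsigned int dev; unsigned long ino; int is_dir; };
struct mock_file  { struct mock_inode *inode; int write_mode; };

/* Kernel-version-independent abstraction: type of access plus target. */
enum req_type    { REQ_READ_OPEN, REQ_WRITE_OPEN };
enum target_type { TGT_FILE, TGT_DIR };
struct target_id { unsigned int dev; unsigned long ino; };
enum decision    { GRANTED, NOT_GRANTED };

/* Decision code sees only the abstraction. Constructed policy: directories
   are never write-opened, and file (dev 8, inode 42) is read-only. */
enum decision model_decide(enum req_type req, enum target_type tt,
                           struct target_id tid)
{
    if (req != REQ_WRITE_OPEN) return GRANTED;
    if (tt == TGT_DIR) return NOT_GRANTED;
    if (tid.dev == 8 && tid.ino == 42) return NOT_GRANTED;
    return GRANTED;
}

/* The extra layer: a hook that only translates pointers into the abstraction
   and delegates. An untranslatable object is denied (fail closed). */
int hook_file_open(const struct mock_file *f)
{
    struct target_id tid;
    if (f == NULL || f->inode == NULL) return -EACCES;
    tid.dev = f->inode->dev;
    tid.ino = f->inode->ino;
    return model_decide(f->write_mode ? REQ_WRITE_OPEN : REQ_READ_OPEN,
                        f->inode->is_dir ? TGT_DIR : TGT_FILE,
                        tid) == GRANTED ? 0 : -EACCES;
}

int open_result(unsigned int dev, unsigned long ino, int is_dir, int write_mode)
{
    struct mock_inode i = { dev, ino, is_dir };
    struct mock_file f = { &i, write_mode };
    return hook_file_open(&f);
}

int main(void)
{
    printf("write 8:42 -> %d\n", open_result(8, 42, 0, 1));
    return 0;
}
```

Only `hook_file_open` touches the mock structures, so a change in their layout would be absorbed there while `model_decide` stays unchanged.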