| Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame^] | 1 | BSD Secure Levels Linux Security Module |
| 2 | Michael A. Halcrow <mike@halcrow.us> |
| 3 | |
| 4 | |
| 5 | Introduction |
| 6 | |
| 7 | Under the BSD Secure Levels security model, sets of policies are |
| 8 | associated with levels. Levels range from -1 to 2, with -1 being the |
| 9 | weakest and 2 being the strongest. These security policies are |
| 10 | enforced at the kernel level, so not even the superuser is able to |
| 11 | disable or circumvent them. This hardens the machine against attackers |
| 12 | who gain root access to the system. |
| 13 | |
| 14 | |
| 15 | Levels and Policies |
| 16 | |
| 17 | Level -1 (Permanently Insecure): |
| 18 | - Cannot increase the secure level |
| 19 | |
| 20 | Level 0 (Insecure): |
| 21 | - Cannot ptrace the init process |
| 22 | |
| 23 | Level 1 (Default): |
| 24 | - /dev/mem and /dev/kmem are read-only |
| 25 | - IMMUTABLE and APPEND extended attributes, if set, may not be unset |
| 26 | - Cannot load or unload kernel modules |
| 27 | - Cannot write directly to a mounted block device |
| 28 | - Cannot perform raw I/O operations |
| 29 | - Cannot perform network administrative tasks |
| 30 | - Cannot setuid any file |
| 31 | |
| 32 | Level 2 (Secure): |
| 33 | - Cannot decrement the system time |
| 34 | - Cannot write to any block device, whether mounted or not |
| 35 | - Cannot unmount any mounted filesystems |
| 36 | |
| 37 | |
| 38 | Compilation |
| 39 | |
| 40 | To compile the BSD Secure Levels LSM, seclvl.ko, enable the |
| 41 | SECURITY_SECLVL configuration option. This is found under Security |
| 42 | options -> BSD Secure Levels in the kernel configuration menu. |
| 43 | |
| 44 | |
| 45 | Basic Usage |
| 46 | |
| 47 | Once the machine is in a running state, with all the necessary modules |
| 48 | loaded and all the filesystems mounted, you can load the seclvl.ko |
| 49 | module: |
| 50 | |
| 51 | # insmod seclvl.ko |
| 52 | |
| 53 | The module defaults to secure level 1, except when compiled directly |
| 54 | into the kernel, in which case it defaults to secure level 0. To raise |
| 55 | the secure level to 2, the administrator writes ``2'' to the |
| 56 | seclvl/seclvl file under the sysfs mount point (assumed to be /sys in |
| 57 | these examples): |
| 58 | |
| 59 | # echo -n "2" > /sys/seclvl/seclvl |
| 60 | |
| 61 | Alternatively, you can initialize the module at secure level 2 with |
| 62 | the initlvl module parameter: |
| 63 | |
| 64 | # insmod seclvl.ko initlvl=2 |
| 65 | |
| 66 | At this point, it is impossible to remove the module or reduce the |
| 67 | secure level. If the administrator wishes to have the option of doing |
| 68 | so, he must provide a module parameter, sha1_passwd, that specifies |
| 69 | the SHA1 hash of the password that can be used to reduce the secure |
| 70 | level to 0. |
| 71 | |
| 72 | To generate this SHA1 hash, the administrator can use OpenSSL: |
| 73 | |
| 74 | # echo -n "boogabooga" | openssl sha1 |
| 75 | abeda4e0f33defa51741217592bf595efb8d289c |
| 76 | |
| 77 | In order to use password-instigated secure level reduction, the SHA1 |
| 78 | crypto module must be loaded or compiled into the kernel: |
| 79 | |
| 80 | # insmod sha1.ko |
| 81 | |
| 82 | The administrator can then insmod the seclvl module, including the |
| 83 | SHA1 hash of the password: |
| 84 | |
| 85 | # insmod seclvl.ko |
| 86 | sha1_passwd=abeda4e0f33defa51741217592bf595efb8d289c |
| 87 | |
| 88 | To reduce the secure level, write the password to seclvl/passwd under |
| 89 | your sysfs mount point: |
| 90 | |
| 91 | # echo -n "boogabooga" > /sys/seclvl/passwd |
| 92 | |
| 93 | The September 2004 edition of Sys Admin Magazine has an article about |
| 94 | the BSD Secure Levels LSM. I encourage you to refer to that article |
| 95 | for a more in-depth treatment of this security module: |
| 96 | |
| 97 | http://www.samag.com/documents/s=9304/sam0409a/0409a.htm |