skx/linux-security-modules

Linux Security Modules

This repository contains a small collection of Linux security modules, which were written as part of a learning/experimentation process.

The code has been compiled and tested against the most recent long-term kernel, which at the time of writing is 5.10.17.

If you want to port this code to a newer kernel, in the future, then the following bug-report is a good overview of how I approach things:

Included Modules

There are three modules contained within this repository, two of which are simple tests and one of which is more "real".

The only real/useful module is:

  • can-exec
    • The user-space helper /sbin/can-exec is invoked to determine whether a user can execute a specific command.
    • Because user-space controls execution, policies can be written/updated dynamically.

The following two modules were written as I started the learning-process, and demonstrate creating simple standalone modules, albeit ones which do not actually provide any significant security benefit:

  • whitelist
    • Only allow execution of binaries which have a specific xattr present.
  • hashcheck
    • Only allow execution of commands which have an xattr containing the valid SHA1sum of the binary.
    • This builds upon the previous module.
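
A user-space audit of the hashcheck rule described above, added here as an example and not code from this repository: it reports whether a file's xattr holds the SHA1 of its contents, and denies when the label is missing or stale. The attribute name `security.hash`, the hex encoding of the stored value, and all function names are assumptions; the notes in the module subdirectory are the reference for what the kernel code reads.

```python
import errno
import hashlib
import os
import tempfile

# Assumed attribute name; the page does not say which xattr the module reads.
HASH_XATTR = "security.hash"

def sha1_of(path):
    """Hex SHA1 of the file contents, read in chunks."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verdict(path, read_xattr=os.getxattr):
    """Return 'allow', 'deny: no label' or 'deny: hash mismatch' for one file."""
    try:
        raw = read_xattr(path, HASH_XATTR)
    except OSError as exc:  # ENODATA: attribute absent; ENOTSUP: no xattr support
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return "deny: no label"
        raise
    stored = raw.decode("ascii", "replace").strip().lower()  # example's own normalisation
    return "allow" if stored == sha1_of(path) else "deny: hash mismatch"

def demo():
    """Constructed sample: unlabelled file, labelled file, file changed after labelling."""
    labels = {}
    def fake_xattr(path, name):  # stands in for os.getxattr so no root is needed
        if path not in labels:
            raise OSError(errno.ENODATA, "No data available")
        return labels[path]
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"#!/bin/sh\necho constructed sample\n")
    try:
        results = [verdict(fh.name, fake_xattr)]
        labels[fh.name] = sha1_of(fh.name).encode()
        results.append(verdict(fh.name, fake_xattr))
        with open(fh.name, "ab") as out:
            out.write(b"echo modified after labelling\n")
        results.append(verdict(fh.name, fake_xattr))
        return results
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    print(demo())
```

Running `verdict()` with the default reader over the binaries on a host, before enabling the module, lists the files that would be refused because their label is missing or no longer matches.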

Compilation

Copy the contents of security/ into your local Kernel-tree, and run make menuconfig to enable the appropriate options.

Further notes are available within the appropriate module subdirectories.

For a Debian GNU/Linux host, these are the kernel build-dependencies you'll need to install, if they're not already present:

  # apt-get install flex bison bc libelf-dev libssl-dev \
                    build-essential make libncurses5-dev \
                    git-core

Tracking Kernel Changes

As new kernels are released, the two files security/Kconfig & security/Makefile might need resyncing with the base versions installed with the Linux source-tree.

You should be able to update them just by running diff and copying any lines referring to the modules CAN_EXEC, HASH_CHECK, & WHITELIST into place.