Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/skx/linux-security-modules
A place to store my toy linux-security modules.
- Host: GitHub
- URL: https://github.com/skx/linux-security-modules
- Owner: skx
- Created: 2017-06-29T04:49:31.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2021-02-18T17:56:59.000Z (almost 4 years ago)
- Last Synced: 2024-10-26T22:22:20.546Z (2 months ago)
- Topics: kernel, linux, linux-security-module, lsm, security
- Language: C
- Size: 54.7 KB
- Stars: 91
- Watchers: 10
- Forks: 20
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- Security: security/Kconfig
# Linux Security Modules
This repository contains a small collection of Linux security modules, which were written as part of a learning/experimentation process.
The code has been compiled and tested against the most recent long-term kernel, which at the time of writing is __5.10.17__.
If you want to port this code to a newer kernel in the future, the following bug report is a good overview of how I approach things:
* https://github.com/skx/linux-security-modules/issues/13
## Included Modules
There are three modules contained within this repository, two of which are simple tests and one of which is more "real".
The only real/useful module is:
* [can-exec](security/can-exec)
  * The user-space helper `/sbin/can-exec` is invoked to determine whether a user can execute a specific command.
  * Because user-space controls execution, policies can be written/updated dynamically.

The following two modules were written as I started the learning process, and demonstrate creating simple standalone modules, albeit ones which do not actually provide any significant security benefit:
* [whitelist](security/whitelist/)
  * Only allow execution of binaries which have a specific `xattr` present.
* [hashcheck](security/hashcheck/)
  * Only allow execution of commands with an `xattr` containing a valid SHA1sum of the binary.
  * This builds upon the previous module.
## Compilation
Copy the contents of `security/` into your local kernel tree, and run `make menuconfig` to enable the appropriate options.
Further notes are available within the appropriate module subdirectories.
For a Debian GNU/Linux host, these are the kernel build-dependencies you'll need to install, if they're not already present:
```
# apt-get install flex bison bc libelf-dev libssl-dev \
    build-essential make libncurses5-dev \
    git-core
```
### Tracking Kernel Changes
As new kernels are released, the two files `security/Kconfig` and `security/Makefile` may need resyncing with the base versions shipped in the Linux source tree.
You should be able to update them just by running `diff` and copying any lines referring to the modules `CAN_EXEC`, `HASH_CHECK`, & `WHITELIST` into place.