Linux Security Modules
A collection of three simple Linux security modules, more for learning and experimentation than for serious use.
- Only allow execution of commands with xattr present.
- Only allow execution of commands with xattr containing valid SHA1sum of binaries.
- The only serious module in this repository.
- Invokes the user-space helper /sbin/can-exec to determine whether a user can execute a specific command.
- Allows policies to be written and changed on-demand.
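Before enabling either xattr-based module it helps to know which executables would be refused. The following audit script is an added example, not code from this repository; it assumes the label is stored as a hex SHA1 string in an xattr named security.hash (the page does not name the attribute, so adjust XATTR_NAME to match the module).

```python
import hashlib
import os
import stat

# Assumed attribute name; the page does not say which xattr the module reads.
XATTR_NAME = "security.hash"

def sha1_of(path, chunk=1 << 16):
    """Return the hex SHA1 of a file, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def read_label(path, name=XATTR_NAME):
    """Return the xattr value as text, or None if absent or unsupported."""
    try:
        raw = os.getxattr(path, name)
    except OSError:
        return None
    return raw.decode("ascii", "replace").strip("\0\n ")

def classify(path, label_reader=read_label):
    """'unlabelled' (no xattr), 'mismatch' (stale or wrong hash) or 'ok'."""
    label = label_reader(path)
    if label is None:
        return "unlabelled"
    return "ok" if label.lower() == sha1_of(path) else "mismatch"

def audit(paths, label_reader=read_label):
    """Classify every regular file in paths that has an execute bit set."""
    report = {}
    for p in paths:
        mode = os.stat(p).st_mode
        if stat.S_ISREG(mode) and mode & 0o111:
            report[p] = classify(p, label_reader)
    return report

if __name__ == "__main__":
    import sys
    for path, state in sorted(audit(sys.argv[1:]).items()):
        print(f"{state:10} {path}")
```

A binary reported as mismatch has changed since it was labelled (for example after a package upgrade) and needs relabelling before the hash-checking module will allow it to run.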
I wrote a couple of blog posts which might provide more background, and they are listed below (in order oldest to most recent):
The code has been tested upon kernels as recent as 4.17.8.
Copy the contents of security/ into your local kernel tree, and run make menuconfig to enable the appropriate options.
NOTE: Over time the two files security/Makefile might need resyncing from master - but you can look for mentions of WHITELIST to see what I've done to add the modules.
For a Debian GNU/Linux host, building a recent kernel, these are the dependencies you'll need to install:
    # apt-get install flex bison bc libelf-dev libssl-dev \
        build-essential make libncurses5-dev \
        git-core