Linux Security Modules (LSM) foreign-language translation (edited revision), content summary:

... to implement module stacking and thereby support composing module functionality, or simply return an error value so that the subsequent security module is ignored. These functions are provided in the kernel source file security/security.c.

The Linux kernel currently supports a subset of POSIX.1e capabilities. One requirement of the Linux Security Module (LSM) design is to move this functionality into an optional security module. POSIX.1e capabilities provide the ability to divide traditional superuser privileges and assign them to specific processes. LSM retains the existing interface used inside the kernel to perform capability checks, but reduces that function to a simple wrapper around an LSM hook function, so that any required logic can be implemented in the security module. LSM still keeps the process capability set (a simple bit vector) in the task_struct structure and has not moved it into the security field. The Linux kernel's capabilities support also includes two system calls: capset() and capget(). LSM retains these system calls as well, but replaces them with calls to hook functions, so that they can essentially be implemented through the security() system call.

LSM has developed a capabilities security module and moved a considerable part of the capabilities logic into it, but the kernel still keeps many remnants of the original capabilities implementation. This approach minimizes the impact of the modifications on the Linux kernel and preserves as much support as possible for applications that use the original capabilities, while still meeting the functional requirements of the design. To make the capabilities module fully independent afterwards, the main remaining steps are to move the bit vector into the appropriate security field of the task_struct structure and to redefine the system call interface.

4.
Interface specifications: hooks for kernel developers and security researchers

The value of the Linux Security Module (LSM) to kernel developers and security researchers is that they can use the interface it provides to port existing security-enhancement systems onto this framework and deliver them to users as loadable kernel modules, or even write a security module directly to suit their own needs.

[Binzhou University graduation project (specialized foreign-language translation)]

The interface LSM provides is a set of hooks. They initially point to dummy functions that implement the default traditional UNIX superuser mechanism; module writers must implement these hook functions to satisfy their own security policy. The hooks LSM provides are described briefly below; for details, refer to the source code, especially the definition of the security_operations structure in the include/linux/security.h header file. As for how to write a security module for your own security policy, the security module implementations of systems such as SELinux, DTE and LIDS can serve as references.

First are the task hooks. LSM provides a series of task hooks that let a security module manage a process's security information and control the process's operations. A module can use the security field of the task_struct structure to maintain process security information. The task hooks include hooks that control interprocess communication, such as kill(); hooks that control privileged operations on the current process, such as setuid(); and hooks for fine-grained control over resource management operations, such as setrlimit() and nice().

Second are the program-loading hooks. Many security modules, including Linux capabilities, SELinux and DTE, need the ability to change privileges when a new program is executed. LSM therefore provides a series of program-loading hooks that are called at key points during the execution of an execve() operation.
The security field of the linux_binprm structure lets a security module maintain security information during program loading. Hooks are provided that let a security module initialize security information and perform access control before the program is loaded; that let the module update the task's security information after the new program has loaded successfully; and that control state inheritance during execution, such as validating open file descriptors.

Next are the interprocess communication (IPC) hooks. A security module can use the IPC hooks to manage security information for System V IPC and to perform access control. The IPC object data structures share a substructure, kern_ipc_perm, and only a pointer to this substructure is passed to the existing ipcperms() function for the permission check, so LSM adds a security field to this shared substructure. To support security information for individual messages, LSM also adds a security field to the msg_msg structure. LSM inserts a hook into the existing ipcperms() function so that a security module can check each existing Linux IPC permission. Because such a check is not enough for some security modules, LSM also inserts hooks into the individual IPC operations. Another hook supports fine-grained access control over individual messages sent through System V message queues.

Next are the file system hooks. For file operations, three sets of hooks are defined: file system hooks, inode hooks, and file hooks. LSM adds a security field to each of the three corresponding kernel data structures: the super_block structure, the inode structure, and the file structure. The super block file system hooks let a security module control operations on an entire file system, such as mounting, unmounting, and statfs().
Linux security module (LSM) in permission () function。
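The hook mechanism described above, as an added userspace C model (not kernel code and not part of the original text): a table standing in for security_operations starts with default hooks that implement superuser logic, the capability check is only a wrapper around the current hook, and a second module registration is refused with an error value. The names sec_ops, register_ops, check_capable, do_nice, CAP_NICE and the confined flag (standing in for the task's security field) are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model; every name here is illustrative, not kernel API. */
#define CAP_NICE 0x1u                  /* constructed bit in the vector */

struct task { unsigned uid, caps; int confined; }; /* confined: module label */

struct sec_ops {                       /* models security_operations */
    int (*capable)(const struct task *, unsigned cap);
    int (*task_setnice)(const struct task *, int nice);
};

/* Default hooks: traditional UNIX superuser logic. */
static int dflt_capable(const struct task *t, unsigned cap)
{ (void)cap; return t->uid == 0 ? 0 : -EPERM; }
static int dflt_setnice(const struct task *t, int nice)
{ (void)t; (void)nice; return 0; }

/* Module hooks: consult the bit vector, refuse confined tasks. */
static int mod_capable(const struct task *t, unsigned cap)
{ return (t->caps & cap) ? 0 : -EPERM; }
static int mod_setnice(const struct task *t, int nice)
{ (void)nice; return t->confined ? -EACCES : 0; }

static struct sec_ops dflt_ops = { dflt_capable, dflt_setnice };
static struct sec_ops mod_ops  = { mod_capable, mod_setnice };
static struct sec_ops *ops = &dflt_ops;

/* One module at a time: a second registration gets an error back. */
int register_ops(struct sec_ops *m)
{ if (ops != &dflt_ops) return -EBUSY; ops = m; return 0; }
void unregister_ops(void) { ops = &dflt_ops; }

/* The in-kernel check is only a wrapper around the current hook. */
int check_capable(const struct task *t, unsigned cap)
{ return ops->capable(t, cap); }

/* Raising priority needs the capability; the hook can still veto. */
int do_nice(const struct task *t, int nice)
{
    if (nice < 0 && check_capable(t, CAP_NICE) != 0) return -EPERM;
    return ops->task_setnice(t, nice);
}

int main(void)
{
    struct task root = { 0, 0, 0 }, user = { 1000, CAP_NICE, 0 };
    printf("default: root=%d user=%d\n", do_nice(&root, -5), do_nice(&user, -5));
    register_ops(&mod_ops);
    printf("module:  root=%d user=%d\n", do_nice(&root, -5), do_nice(&user, -5));
    return 0;
}
```

With the default hooks the decision depends only on uid 0; once the module is registered the same call is decided by the capability bit vector, and the per-operation hook can still deny a task the module has labelled.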