CSE544 - Project #1 - LSM Module

Due Date: Tu October 20, 2015 at 11:59pm.

In this assignment, you will complete a Linux Security Module that implements Low-Water Mark (LOMAC) integrity over file operations.

Follow these instructions:

  1. Get the module code from here. This code contains two files: (1) sample.c, which contains an incomplete Linux Security Module that includes stubs for a set of authorization hooks (place in directory linux-2.6.23/security) and (2) Makefile, which enables sample.c to be compiled for the kernel (place in linux-2.6.23/security).

  2. The first major task is to compile your Linux kernel (version 2.6.23) in your experimental environment, so that you can develop and test your sample LSM. Instructions for this task follow:

  3. The goal of this project is to add code to the selected LSM authorization hooks (see the variable sample_ops in sample.c) as necessary to enforce Low-Water Mark (LOMAC) integrity (see the paper by Fraser assigned on 9/10/2015) over file operations. In general, the implementation must perform the following tasks:

  4. I will assign some test programs to run in the future.

  5. A log of the session will be captured in /var/log/messages. The statements identify the files that were authorized and not authorized by has_perm.

  6. NOTE: Currently, the sample LSM only logs authorization decisions, but does not actually block operations. An LSM authorization hook will block an operation if it returns any value other than 0. Be careful that you either return 0 or only block operations you intend to. Otherwise, other processes will stop working (you have the power, so be careful!).

  7. Please submit your sample.c and your log of the run on the test programs.
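A user-space model of the LOMAC rules from item 3 and the hook return convention from item 6, added here as an example; it is not sample.c or course code. The struct names, integer levels, mask constants, file paths and the `enforcing` switch are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model: larger level = higher integrity. All names here are
 * hypothetical, not taken from sample.c. */
enum { LOMAC_WRITE = 2, LOMAC_READ = 4 };

struct subject { const char *name; int level; };
struct object  { const char *path; int level; };

/* 0 = log only (how the unmodified sample LSM behaves), 1 = block denials. */
static int enforcing = 1;

/* Hook-style return value: 0 allows the operation, anything else blocks it. */
int lomac_file_permission(struct subject *s, const struct object *o, int mask)
{
    int rc = 0;

    /* No write-up: a subject may not modify an object above its level. */
    if ((mask & LOMAC_WRITE) && s->level < o->level)
        rc = -EACCES;

    /* Low-water mark: reading lower-integrity data demotes the subject. */
    if (rc == 0 && (mask & LOMAC_READ) && o->level < s->level)
        s->level = o->level;

    printf("%s %s mask=%d -> %s (subject level now %d)\n", s->name, o->path,
           mask, rc ? "denied" : "authorized", s->level);

    /* In log-only mode the denial is recorded but not enforced. */
    return enforcing ? rc : 0;
}

int main(void)
{
    struct subject sh = { "shell", 2 };                  /* constructed */
    struct object conf = { "/etc/constructed.conf", 2 }; /* constructed */
    struct object tmp  = { "/tmp/constructed.txt", 0 };  /* constructed */

    lomac_file_permission(&sh, &conf, LOMAC_WRITE); /* allowed, same level */
    lomac_file_permission(&sh, &tmp, LOMAC_READ);   /* allowed, demotes to 0 */
    lomac_file_permission(&sh, &conf, LOMAC_WRITE); /* now denied */
    return 0;
}
```

The third call shows why the subject's level has to persist between hook invocations: the same write that was authorized first is denied after the demoting read.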

When you have completed your module, submit it, the output, and the answers to the questions via ANGEL by 11:59pm on Fr September 25, 2015. Make sure that you have tested your submission prior to uploading.

You are to complete this on your own. Any sharing of code or help during the coding of this project is expressly forbidden. Do not discuss this project with anyone.

Trent Jaeger