Paper (14 December 2007) pdf | TeX
In this project we attempt to maintain state for running processes on the system using the LSM framework. Our initial implementation keeps simple counters and updates files upon creation only. The goal of the project is to show that state can be maintained relatively cheaply thanks to LSM. This code relies heavily on the well documented source of SELinux. Our module is called lsmlgi. Upon compiling and inserting lsmlgi.ko, a proc file is created and the law of the system is set as uninitialized.
[root@lsmlgi ~]# cat /proc/lsmlgi sid: 1197237533 law: law not initializedWe load a law using the helper application from userland, lawloader.
[root@lsmlgi ~]# lawloader -f visitor.law
[root@lsmlgi ~]# cat /proc/lsmlgi
sid: 1197237533
law:
law initialized: 1 rules
500:-1:7:2:15:2
This example law looks like the following before being "compiled" by lawloader:
[root@lsmlgi ~]# cat visitor.law
user thomas del { tsid != tsid }
In this example the user "thomas" is not permitted to delete files that were created in another session. Only files that have been created during this session are permitted to be deleted. A law like this could be used to allow several users to share a guest or visitor account on the system without fear of the users deleting each others files.
Files
lsmlgi.hlsmlgi.c
Makefile
lawloader.h
lawloader.c
lsmlgi_def.h