Yet another vision of Linux security | Endpoint Security Framework

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Thu Jun 20 14:39:43 UTC 2024


On 2024/06/20 22:40, Timur Chernykh wrote:
> Questions I'm interested in:
> How does the community feel about this idea? Is it a viable concept?
> If all is OK, what should I, as a developer, do further? How much kernel
> code outside the LSM module may be modified to keep a further merge
> acceptable? (Currently not all LSM hooks are suited to intercepting all
> needed data.)
> 
> The general purpose is to make AV/EDR software development easier,
> more convenient, and stable for Linux-based operating systems. This
> PoC (as far as the technology idea goes) is inspired by macOS Endpoint
> Security, which is based on the MAC policy.

I agree that security hooks for AV/EDR software are missing in Linux.
My experience says that customers cannot afford to manage allowlist-based
access control mechanisms (such as SELinux and AppArmor), and they instead
choose AV/EDR software for their systems.

The LSM framework (which uses a linked list for registering multiple
LSM modules) is about to be replaced with static calls (which reduce
overhead, at the cost of restricting at build time which LSM modules can
be registered). Use of static calls might make it possible to insert more
hooks into the Linux kernel because the overhead becomes negligible, but
kernel code used by AV/EDR software cannot be built into distributor
kernels due to support problems. Therefore, without the ability to load
an unlimited number of LSM modules after boot, AV/EDR software won't
benefit from static calls. Such a limitation will lead people to invent
a new set of security hooks (or resort to unofficial hacks such as
rewriting read-only data structures) rather than trying to utilize the
LSM framework.

I prefer getting kernel code used by AV/EDR software reviewed (and
getting their code tested by fuzzers), by allowing AV/EDR software
developers to submit their kernel code upstream.
