【正文】 helf security function Linux security module (LSM) for the average user39。 On the other hand the existing security enhancements system and hard to use did and. Linux security module (LSM) good solve this problem: on the one hand, to the kernel patch is small and source code changes affect small, brought about by the load is not large also。 ：為什么和是什么 近年來 Linux 系統(tǒng)由于其出色的性能和穩(wěn)定性，開放源代碼特性帶來的靈活 性和可擴(kuò)展性，以及較低廉的成本，而受到計(jì)算機(jī)工業(yè)界的廣泛關(guān)注和應(yīng)用。在 2020 年的 Linux 內(nèi)核峰會(huì)上，美國國家安全局（ NSA）介紹了他們關(guān)于安全增強(qiáng) Linux（ SELinux）的工作，這是一個(gè)靈活的訪問控制體系 Flask 在 Linux 中的實(shí)現(xiàn)，當(dāng)時(shí) Linux 內(nèi)核的創(chuàng)始人 Linus Torvalds 同意 Linux 內(nèi)核確實(shí)需 要一個(gè)通用的安全訪問控制框架，但他指出最好是通過可加載內(nèi)核模塊的方法，這樣可以支持現(xiàn)存的各種不同的安全訪問控制系統(tǒng)。目前已經(jīng)有很多著名的增強(qiáng)訪問控制系統(tǒng)移濱州學(xué)院畢業(yè)設(shè)計(jì)（專業(yè)外文翻譯） 14 植到 Linux 安全模塊（ LSM）上實(shí)現(xiàn)， 包括 capabilities，安全增強(qiáng) Linux（ SELinux），域和類型增強(qiáng)（ DTE），以及 Linux 入侵檢測系統(tǒng)（ LIDS）等等。 為了滿足這些設(shè)計(jì)目標(biāo)， Linux 安全模塊（ LSM）采用了通過在內(nèi)核源代碼中放置鉤子的方法，來仲裁對(duì)內(nèi)核內(nèi)部對(duì)象進(jìn)行的訪問，這些對(duì)象有：任務(wù)， inode結(jié)點(diǎn)，打開的文件等等。 Linux 安全模塊（ LSM）現(xiàn)在主要支持 限制型 的訪 問控制決策：當(dāng) Linux 內(nèi)核給予訪問權(quán)限時(shí)， Linux 安全模塊（ LSM）可能會(huì)拒絕，而當(dāng) Linux 內(nèi)核拒絕訪問時(shí)，就直接跳過 Linux 安全模塊（ LSM）；而對(duì)于相反的 允許型 的訪問控制決策只提供了少量的支持。其本身不提供任何具體的安全策略，而是提供了一個(gè)通用的基礎(chǔ)體系給安全模塊，由安全模塊來實(shí)現(xiàn)具體的安全策略。 Linux 安全模塊（ LSM）提供了兩類對(duì)安全鉤子函數(shù)的調(diào)用：一類管理內(nèi)核對(duì)象的安全域，另一類仲裁對(duì)這些內(nèi)核 對(duì)象的訪問。 安全域是一個(gè) void*類型的指針，它使得安全模塊把安全信息和內(nèi)核內(nèi)部對(duì)象聯(lián)系起來。所有這些設(shè)計(jì)決策可能暫時(shí)影響了Linux 安全模塊（ LSM）的功能和靈活性，但是大大降低了 Linux 安全模塊（ LSM）實(shí)現(xiàn)的復(fù)雜性，減少了對(duì) Linux 內(nèi)核的修改和影響 ，使得其進(jìn)入 Linux 內(nèi)核成為安全機(jī)制標(biāo)準(zhǔn)的可能性大大提高；等成為標(biāo)準(zhǔn)后，可以改變決策，增加功能和靈活性 。 另一方面，為了滿足大多數(shù)現(xiàn)存 Linux 安全增強(qiáng)系統(tǒng)的需要， Linux 安全模塊（ LSM）采取了簡化設(shè)計(jì)的決策。 2. 設(shè)計(jì)思想介紹：得讓兩方面都滿意 Linux 安全模塊（ LSM）的設(shè)計(jì)必須盡量滿足兩方面人的要求：讓不需要它的人盡可能少的因此得到麻煩；同時(shí)讓需要它的人因此得到有用和高效的功能。 Linux 安全模塊（ LSM）是 Linux 內(nèi)核的一個(gè)輕量級(jí)通用訪問控制框架。 有很多安全訪問控制模型和框架已經(jīng)被研究和開發(fā)出來，用以增強(qiáng) Linux 系統(tǒng)的安全性，比較知名的有安全增強(qiáng) Linux（ SELinux），域和類型增強(qiáng)（ DTE），以及Linux 入侵檢測系統(tǒng)（ LIDS）等等。本文介紹 Linux 安全模塊（ LSM）的相關(guān)背景，設(shè)計(jì)思想，實(shí)現(xiàn)方法；并說明如何使用 Linux安全模塊（ LSM）來增強(qiáng) Linux 系統(tǒng)的安全性：一方面是供內(nèi)核開發(fā)人員和安全研究人員使用的接口，另一方面是供普通用戶使用的模塊，以及具體的使用方法。t need from their core user can the function of omitting。 Also provides hooks used to control the execution, such as the state inheritance open file descriptors confirmed. Once again, is interprocess munication IPC hooks. Security module can use interprocess munication IPC hook to the security of the System V IPC management, and implementation of information access control. The IPC object data structure 濱州學(xué)院畢業(yè)設(shè)計(jì)（專業(yè)外文翻譯） 8 kern_ipc_perm sharing a substructure, and the substructure only one of ipcperms pointer to the existing () function, therefore Linux security access check module (LSM) in this sharing add a substructural secure domain. In order to support a single news safety information, Linux security module (LSM) is still in msg_msg structure joined a secure domain. Linux security module (LSM) in the existing ipcperms () function by inserting a hook, making security module can be for each existing Linux IPC authority to carry out the inspection. Because for some security module, such a check is not e nough, Linux security module (LSM) also in single IPC operation into the hooks. Another hook to support through the System V message queue to send a single message fine grain access control. Below is the file system hooks. For file operations, defines three hooks: file system hooks, inode node hooks, and file hooks. Linux security module (LSM) in the corresponding three kernel data structures joined the secure domain, it is respectively: super_block structure, inode structure, file structure. Super blocks file system hook makes safety for the entire document to control modules of the system, such as mount, operation, and unloading statfs (). Linux security module (LSM) in permission () function into the hooks, thus retaining the function, but also provides many other inode nodes to a single hook to inode node operations were fine grain access control. Some of the documents hooks to allow security module for () and write () such documents operation conduct additional inspection。 Also provides control on the current process hooks, such as the privilege operation setuid ()。t be back register_security () function of covering, until this security module unregister_security () function is used to frame cancellation: this simple will hook functions to replace the default, the system back to UNIX super user mechanism. In addition, Linux security module (LSM) framework also provides function mod_reg_security () and function mod_unreg_security (), make 濱州學(xué)院畢業(yè)設(shè)計(jì)（專業(yè)外文翻譯） 6 subsequent security module can be to have the first registration or cancellation of registration the main module, but its strategy achieved by the main module is to provide some strategy decision: to achieve module stack thus support module function synthesis, or simple return error value to ignore subsequent security module. These functions are provided in the kernel source code file security/security. C. Linux kernel 1e capabilities to POSIX. Now a subset of the support. Linux security module (LSM) design of a demand is put this function the transplant as an optional security module. POSIX 1e capabilities provides division j traditional super user privileges and assigned to a specific process function. Linux security module (LSM) retained used to perform in the kernel of the existing webmasters check the interface, but () () function simplified webmasters for a Linux security module (LSM) hook functions, thereby allowing the packing in security module achieve any need to logic. Linux security module (LSM) still kept the process task_struck structure set (a simple bit vector), and didn39。 Meanwhile let those who need it so to get useful and efficient function. Linus Torvalds represented by the kernel developers to Linux security module (LSM) proposes three requirements: True universal, when using a different security model, only need to load a different kernel modules Concept of Linux kernel, simple, efficient, and minimal effects that can support the existing POSIX 1e capabilities logic, j as an o