【正文】 nclude/Linux/SHM. H the two header file, make security module can use these definitions. Linux security module (LSM) provides two kinds of safety hook functions: a kind of call the secure domain object management kernel, another kind of these kernel object 濱州學(xué)院畢業(yè)設(shè)計(jì)（專業(yè)外文翻譯） 5 arbitration visit. The call for safety hook functions by hook to realize, hook is the global table security_ops function pointer and the global table type is security_operations structure, this structure definition include/Linux/security in j h this header file, this structure contains the object or the kernel subsystem according to the kernel of grouping of hook for system and some of the substructure operating penthouse hooks. In kernel code to hook functions is easy to find the call: the prefix is security_ops . Detailed instructions to hook functions leave behind. Linux security module (LSM) provides a general safety system calls for safety, allow security module the corresponding applied writing new system call, its style similar to the original Linux system call socketcall (), is a multiple system call. This system call for security (), its parameters for (unsigned int id, unsigned int call, unsigned args), including to * id represents module descriptors, call representative call descriptors, args representative argument list. This system call the default provides a sys_security () function: its simple entrance with parameters sys_security () () function call hook. If security module does not provide new system call, you can define the ENOSYS return sys_security () hook functions, but most security module can define the realization of the system calls. In the process of kernel guide, Linux security module (LSM) framework is initialized to a series of virtual hook functions, in order to realize the traditional UNIX super user mechanism. When loading a security module, must use register_security () function to Linux security module (LSM) framework register this security module: this function will set the global table security_ops, make its pointer to the security module of hook, thus make the kernel function Pointers to the security module ask access control decisionmaking. Once a security module is loaded, will bee a system security strategy decisionmaking center, and won39。 Task hooks provides control interprocess munication of hook, such as know ()。 Also provides hooks in new program success allowed module after the security update task load information。s value lies in: can provide various security module, choose to suit oneself by the user needs to be loaded into the kernel, meet certain safety functions. Linux security module (LSM) itself only provide enhanced access control strategy, and the mechanism of various security module implements specific specific security strategy. Below is a brief introduce some has been achieved security module. SELinux. This is a Flask flexible access control system in the implementation, and on Linux provides type enhancement, rolebased access control, and optional multilevel security strategy. SELinux turned out to be as a kernel patch implementation, now USES 濱州學(xué)院畢業(yè)設(shè)計(jì)（專業(yè)外文翻譯） 10 Linux security module (LSM) to realize for a security module. SELinux can be used to limit for minimal privileges, protect the process of progress and the integrity of the data and confidentiality, and support application security needs. DTE Linux. This is a domain and type in the realization of enhanced on Linux. Like, like SELinux DTE Linux is originally as a kernel patch implementation, now USES Linux security module (LSM) to realize for a security module. When the security module is added to the kernel, type to be assigned to object, domain was assigned to a process. DTE strategy restricted zone and between from domain to type of access. The ability of LSM transplantation Openwall kernel patch. Openwall kernel patch provides a series of safety feature set to protect the system against such as buffer overflow and temporary files petition such attacks. A security module is being developed to support a subset of the Openwall patch. POSIX 1e capabilities j. Linux kernel already exists a POSIX. 1e capabilities logic, but Linux security module (LSM) put this logic division to a security module. Such modification makes don39。 On the other hand to existing security enhancements system provides better interface support, and has many good security 濱州學(xué)院畢業(yè)設(shè)計(jì)（專業(yè)外文翻譯） 12 module can use. Linux security module (LSM) is still as a Linux kernel patch form, but it also provides provide Linux stable version of the series and Linux development version of the series, and hopefully into Linux stable version. We look forward to that day: Linux security module (LSM) is Linux kernel accepted as Linux kernel security mechanism standard, in every Linux release in which provide more and more users. Linux 安全模塊（ LSM） Linux 安全模塊（ LSM）是 Linux 內(nèi)核的一個(gè)輕 量級(jí)通用訪問控制框架。但在安全性方面， Linux 內(nèi)核只提供了經(jīng)典的 UNIX 自主訪問控制（ root 用戶，用戶 ID，模式位安全機(jī)制），以及部分的支持了 標(biāo)準(zhǔn)草案中的 capabilities 安全機(jī)制，這對(duì)于 Linux 系統(tǒng)的安全性是不足夠的，影響了 Linux 系統(tǒng)的進(jìn)一步發(fā)展和更廣泛的應(yīng)用。因此， Linux安全模塊（ LSM）應(yīng)運(yùn)而生。雖然目前 Linux 安全模塊（ LSM）仍然是作為一個(gè) Linux 內(nèi)核補(bǔ)丁的形式提供，但是其同時(shí)提供 Linux 穩(wěn)定版本的系列和 Linux 開發(fā)版本的系列，并且很有希望進(jìn)入 Linux 穩(wěn)定版本，進(jìn)而實(shí)現(xiàn)其目標(biāo)：被 Linux 內(nèi)核接受成為 Linux 內(nèi)核安全機(jī)制的標(biāo)準(zhǔn)，在各個(gè) Linux 發(fā)行版中提供給用戶使用 。用戶進(jìn)程執(zhí)行系統(tǒng)調(diào)用，首先游歷 Linux 內(nèi)核原有的邏輯找到并分配資源，進(jìn)行錯(cuò)誤檢查，并經(jīng)過經(jīng)典的 UNIX 自主訪問控制，恰好就在 Linux內(nèi)核試圖對(duì)內(nèi)部對(duì)象進(jìn)行訪問之前，一個(gè) Linux 安全 模塊（ LSM）的鉤子對(duì)安全模塊所必須提供的函數(shù)進(jìn)行一個(gè)調(diào)用，從而對(duì)安全模塊提出這樣的問題 是否允許訪問執(zhí)行？ ，安全模塊根據(jù)其安全策略進(jìn)行決策，作出回答：允許，或者拒絕進(jìn)而返回一個(gè)錯(cuò)誤。對(duì)于模塊功能合成，Linux 安全模塊（ LSM）允許模塊堆棧，但是把主要的工作留給了模塊自身：由第一個(gè)加載的模塊進(jìn)行模塊功能合成的最終決策。其主要在五個(gè)方面對(duì) Linux 內(nèi)核進(jìn)行了修改： 在特定的內(nèi)核數(shù)據(jù)結(jié)構(gòu)中加入了安全域 在內(nèi)核源代碼中不同的關(guān)鍵點(diǎn)插入了對(duì)安全鉤子函數(shù)的調(diào)用 加入了一個(gè)通用的安全系統(tǒng)調(diào)用 提供了函數(shù)允許內(nèi)核 模塊注冊(cè)為安全模塊或者注銷 將 capabilities 邏輯的大部分移植為一個(gè)可選的安全模塊 下面對(duì)這五個(gè)方面的修改逐個(gè)做簡要的介紹。對(duì)安全鉤子函數(shù)的調(diào)用通過鉤子來實(shí)現(xiàn)，鉤子是全局表 security_ops 中的函數(shù)指針，這個(gè)全局表的類型是security_operations 結(jié)構(gòu)，這個(gè)結(jié)構(gòu)