Binzhou University graduation project (foreign-language translation for the major), p. 14

The Linux Security Modules (LSM) framework provides two kinds of calls to security hook functions: one kind manages the security fields of kernel objects, the other mediates access to those kernel objects. A security field is a pointer of type void* that lets a security module attach security information to internal kernel objects. LSM itself provides no concrete security policy; it provides a general infrastructure on which security modules implement the concrete policies. All of these design decisions may for now limit the functionality and flexibility of LSM, but they greatly reduce the complexity of implementing it and the extent of the changes to, and impact on, the Linux kernel, which makes it much more likely that LSM will be accepted into the kernel as the standard security mechanism; once it is the standard, the decisions can be revisited and functionality and flexibility added. LSM currently supports mainly restrictive access control decisions: when the Linux kernel would grant access, LSM may still deny it, whereas when the Linux kernel denies access, LSM is skipped altogether; the opposite, permissive access control decisions, receive only limited support. On the other hand, to meet the needs of most existing Linux security enhancement systems, LSM chose to simplify its design. To meet these design goals, LSM mediates access to internal kernel objects (tasks, inodes, open files and so on) by placing hooks in the kernel source code.

2. Design philosophy: both sides have to be satisfied

The design of LSM must satisfy two groups of people as far as possible: those who do not need it should be troubled by it as little as possible, and those who do need it should get useful and efficient functionality from it. Many well-known enhanced access control systems have already been ported to LSM, including capabilities, Security-Enhanced Linux (SELinux), Domain and Type Enforcement (DTE) and the Linux Intrusion Detection System (LIDS).

LSM is a lightweight, general-purpose access control framework for the Linux kernel. At the 2020 Linux Kernel Summit, the US National Security Agency (NSA) presented its work on Security-Enhanced Linux (SELinux), an implementation in Linux of the flexible access control architecture Flask. Linus Torvalds, the creator of the Linux kernel, agreed that the kernel did need a general security access control framework, but pointed out that it would best be done through loadable kernel modules, so that the various existing security access control systems could all be supported. Many security access control models and frameworks have been researched and developed to enhance the security of Linux systems; the better known ones include SELinux, DTE and LIDS.

Why and what

In recent years Linux has attracted wide attention and adoption in the computer industry because of its excellent performance and stability, the flexibility and extensibility that come from its open source code, and its relatively low cost. This article introduces the background, design philosophy and implementation of LSM, and explains how LSM can be used to strengthen the security of Linux systems: on the one hand the interface for kernel developers and security researchers, on the other hand the modules available to ordinary users and how they are used. On the other hand, the existing security enhancement systems are hard to use.
LSM solves this problem well: on the one hand the kernel patch is small and the changes to and impact on the source code are small, and the overhead it introduces is not large either; users who do not need it can leave its functionality out.

Other file hooks provide fine-grained access control over operations such as fcntl() and ioctl().

Next are the network hooks. Network access at the application layer is mediated by a series of socket hooks, which cover essentially all socket-based protocols. Since every active user socket has an associated inode structure, no security field was added to the lower-level socket or sock structures. The socket hooks provide general mediation of process access to the network, which substantially extends the kernel's network access control framework (at the network layer this is already handled by the Linux kernel's packet filtering). For example, the sock_rcv_skb hook lets an incoming packet be mediated according to its destination application before it is queued to the corresponding user-space socket. LSM also implements fine-grained hooks for the IPv4, UNIX domain and Netlink protocols; hooks for other protocols may follow later. Network packets travel between the layers of the protocol stack encapsulated in the sk_buff (socket buffer) structure; LSM adds a security field to sk_buff, which lets security information be managed per packet as it passes through the network layers, and provides a series of sk_buff hooks to maintain that security field over its whole life cycle. Hardware and software network devices are encapsulated in the _device structure, to which a security field is also added, so that security information can be maintained at the device level.

Last are the other hooks.
LSM provides two further series of hooks: module hooks and top-level system hooks. Module hooks control the kernel operations that create, initialize and remove kernel modules. System hooks control system operations such as setting the host name, accessing I/O ports and configuring process accounting. Although the current Linux kernel already provides some support by checking these system operations, the checks differ greatly from one operation to another and carry no parameter information.

5. Module descriptions: giving ordinary users off-the-shelf security functionality

For the average user, LSM

LSM also provides hooks to control program execution, such as checking the inheritance of state like open file descriptors.

Next are the inter-process communication (IPC) hooks. A security module can use the IPC hooks to manage the security of System V IPC and to implement access control over messages. The IPC object data structures share a common substructure, kern_ipc_perm, and only a pointer to that substructure is passed to the existing ipcperms() function; LSM therefore adds a security field to this shared substructure. To support security information on individual messages, LSM also adds a security field to the msg_msg structure. LSM inserts a hook into the existing ipcperms() function, so that a security module can perform its own check wherever Linux already performs an IPC permission check. Because such a check is not enough for some security modules, LSM also inserts hooks into the individual IPC operations. A further hook supports fine-grained access control over individual messages sent through System V message queues.

Below are the file system hooks. For file operations, three kinds of hooks are defined: file system hooks, inode hooks and file hooks.
LSM adds a security field to each of the three corresponding kernel data structures: the super_block structure, the inode structure and the file structure. The super-block (file system) hooks let a security module control operations on the file system as a whole, such as mounting, unmounting and statfs(). LSM inserts a hook into the permission() function, thus retaining the func
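As an added illustration that is not code from the paper, from this translation, or from the Linux kernel, the following user-space C model captures the two ideas the text relies on: the opaque void* security field through which a module attaches its own state to a kernel object (as described in the opening section), and the restrictive decision model at the permission() hook just mentioned, where the existing discretionary check runs first, a kernel denial skips the module entirely, and a kernel grant may still be vetoed by the hook. Every struct and function name here (toy_inode, toy_cred, toy_security_ops, check_access, the "level" module) is a simplified hypothetical stand-in, not a real kernel definition, and the uids, modes and levels are constructed sample values.

```c
/* Added example: a user-space model of the LSM hook pattern. None of these
 * types are the real kernel structures; all names are hypothetical stand-ins. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAY_READ 4

struct toy_inode {
    unsigned int uid;      /* owner */
    unsigned int mode;     /* permission bits as in st_mode (0644 etc.) */
    void *security;        /* opaque to the "kernel": owned and interpreted by the module */
};

struct toy_cred {
    unsigned int uid;
    void *security;        /* subject-side security field */
};

/* Hook table in the spirit of the paper's security_operations. */
struct toy_security_ops {
    int  (*inode_alloc_security)(struct toy_inode *inode);
    void (*inode_free_security)(struct toy_inode *inode);
    int  (*inode_permission)(const struct toy_cred *cred, struct toy_inode *inode, int mask);
};

/* Default module: keeps no state and never vetoes, so behaviour equals plain DAC. */
static int  dummy_alloc(struct toy_inode *inode) { inode->security = NULL; return 0; }
static void dummy_free(struct toy_inode *inode)  { inode->security = NULL; }
static int  dummy_perm(const struct toy_cred *c, struct toy_inode *i, int m)
{ (void)c; (void)i; (void)m; return 0; }

static struct toy_security_ops dummy_ops = { dummy_alloc, dummy_free, dummy_perm };
static struct toy_security_ops *security_ops = &dummy_ops;

/* A module registers by replacing the default; a second registration is refused. */
int register_security(struct toy_security_ops *ops)
{
    if (security_ops != &dummy_ops)
        return -EAGAIN;
    security_ops = ops;
    return 0;
}

/* The pre-existing discretionary check: owner bits for the owner, "other" bits otherwise. */
static int dac_permission(const struct toy_cred *cred, const struct toy_inode *inode, int mask)
{
    unsigned int bits = (cred->uid == inode->uid) ? (inode->mode >> 6) : inode->mode;
    return (((bits & 7) & mask) == (unsigned int)mask) ? 0 : -EACCES;
}

/* Mediation point modelled on permission(): restrictive composition. A DAC denial
 * returns at once and the module is never consulted; a DAC grant is passed to the
 * hook, which may still deny but cannot grant what DAC refused. */
int permission(const struct toy_cred *cred, struct toy_inode *inode, int mask)
{
    int rc = dac_permission(cred, inode, mask);
    if (rc)
        return rc;
    return security_ops->inode_permission(cred, inode, mask);
}

/* Hypothetical "level" module: subjects and objects carry an integer level in
 * their security fields, and reading an object above the subject's level is refused. */
struct level_label { int level; };
static int level_hook_calls;           /* instrumentation: how often the hook ran */

static int level_inode_alloc(struct toy_inode *inode)
{
    struct level_label *l = calloc(1, sizeof *l);   /* level 0 until labelled */
    if (!l)
        return -ENOMEM;
    inode->security = l;
    return 0;
}
static void level_inode_free(struct toy_inode *inode) { free(inode->security); inode->security = NULL; }
static int level_inode_permission(const struct toy_cred *cred, struct toy_inode *inode, int mask)
{
    const struct level_label *obj = inode->security, *subj = cred->security;
    level_hook_calls++;
    if ((mask & MAY_READ) && obj && subj && obj->level > subj->level)
        return -EACCES;                /* only ever restricts, never grants */
    return 0;
}
static struct toy_security_ops level_ops = { level_inode_alloc, level_inode_free, level_inode_permission };

static int last_hook_ran;
int hook_was_consulted(void) { return last_hook_ran; }

/* One access check on constructed objects: returns permission()'s result and
 * records whether the module hook was reached at all. */
int check_access(unsigned int subj_uid, int subj_level, unsigned int obj_uid,
                 unsigned int mode, int obj_level, int mask)
{
    struct level_label subj_label = { subj_level };
    struct toy_cred cred = { subj_uid, &subj_label };
    struct toy_inode inode = { obj_uid, mode, NULL };
    int before = level_hook_calls, rc;

    if (security_ops->inode_alloc_security(&inode))
        return -ENOMEM;
    if (inode.security)                /* the module, not the "kernel", labels the object */
        ((struct level_label *)inode.security)->level = obj_level;
    rc = permission(&cred, &inode, mask);
    last_hook_ran = (level_hook_calls != before);
    security_ops->inode_free_security(&inode);
    return rc;
}

int main(void)
{
    if (register_security(&level_ops))
        return 1;
    /* DAC grants (owner, 0644) but the module vetoes a read of level 2 by level 1. */
    printf("read-up: %d, hook ran: %d\n", check_access(1000, 1, 1000, 0644, 2, MAY_READ), hook_was_consulted());
    /* DAC denies (not owner, 0600): the hook is skipped, whatever the levels say. */
    printf("dac-deny: %d, hook ran: %d\n", check_access(1001, 5, 1000, 0600, 0, MAY_READ), hook_was_consulted());
    /* Both agree, so access is allowed. */
    printf("allowed: %d, hook ran: %d\n", check_access(1000, 2, 1000, 0644, 2, MAY_READ), hook_was_consulted());
    return 0;
}
```

Built with a plain `cc` invocation, the program prints three lines: the first shows a DAC grant overridden by the module, the second a DAC denial in which the hook never runs, the third an access both layers accept. The second case is the property worth checking in any restrictive design: a module cannot be relied on to log or veto an operation the kernel's own check has already refused.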