Toggle Menu

<-- Back to schedule

How To Write A Linux Security Module That Makes Sense For You

Project: Linux Security Modules

The traditional Linux security model traces it's fundamental concepts to the mini-computers of the 1970's. It makes a lot of sense when you consider a machine without a network connection that is being shared by a handful of friendly collaborators. Linux security modules (LSM) were introduced at the turn of the century to address the needs of high security environments. A recent and ongoing rework of the LSM infrastructure makes it significantly easier to implement and upstream small, targeted security features.

This talk will teach you want you can accomplish with a Linux security module, and what you can't. You'll learn the difference between a major module and a minor one. Techniques for implementing access controls on files, inter process communications and sockets will be covered, as will the underlying mechanisms required to maintain the data needed. You'll find out what a secid is, how it relates to a security context. and why it matters to CIPSO. The difference between inode based schemes and path name based ones will be made clear.

When the talk is over you'll have the tools you need to create a security module that protects what you care about instead of what seemed like a good idea to a government researcher during the Cold War.

Casey Schaufler

Casey Schaufler started programming Unix kernels at the end of the 1970's, when megabytes were for disc drives and C was still written in K&R style. He started working on system security in the Orange Book era, contributing to SunOS/MLS, Trusted Irix and the POSIX P1003.1e/2c drafts. During this time he implemented access control lists, mandatory access control, extended filesystem attributes, X11 access controls, network protocols and more audit systems than is really healthy. His involvement in Linux began with the Linux Security Module work at the turn of the century, but was off the mainstream until he introduced the Smack LSM in 2007. Casey has worked on MeeGo, Tizen and other lesser known system products. Most recently, he reworked the LSM infrastructure as the initial stage in supporting multiple concurrent modules.
Casey lives on the California coast, just south of San Francisco. He is employed at Intel's Open Source Technology Center.

Geelong 2016

Our Emperor Penguin Sponsors


About Geelong

Geelong is Victoria's second largest city, located on Corio Bay, and within a short drive from popular beach-front communities on the Bellarine Peninsula as well as being the gateway to the famous Great Ocean Road

More Info » is widely regarded by delegates as one of the best community run Linux conferences worldwide and is the largest Linux and Open Source Software conference in the Asia-Pacific.

Read More »



Our Sponsors help make become the awesome conference everyone comes back to year after year. Come see who's on board this year, or find out how to get in contact with us

Sponsorship »