1.4. Security Issues

Security is an increasingly important concern in modern times. We will discuss security-related issues as they come up throughout the book. There are a few general concepts, however, that are worth mentioning now.

Any security check in the system is enforced by kernel code. If the kernel has security holes, then the system as a whole has holes. In the official kernel distribution, only an authorized user can load modules; the system call init_module checks if the invoking process is authorized to load a module into the kernel. Thus, when running an official kernel, only the superuser,[1] or an intruder who has succeeded in becoming privileged, can exploit the power of privileged code.

[1] Technically, only somebody with the CAP_SYS_MODULE capability can perform this operation. We discuss capabilities in Chapter 6.

When possible, driver writers should avoid encoding security policy in their code. Security is a policy issue that is often best handled at higher levels within the kernel, under the control of the system administrator. There are always exceptions, however. As a device driver writer, you should be aware of situations in which some types of device access could adversely affect the system as a whole and should provide adequate controls. For example, device operations that affect global resources (such as setting an interrupt line), which could damage the hardware (loading firmware, for example), or that could affect other users (such as setting a default block size in a tape drive), are usually only available to sufficiently privileged users, and this check must be made in the driver itself.

Driver writers must also be careful, of course, to avoid introducing security bugs. The C programming language makes it easy to make several types of errors. Many current security problems are created, for example, by buffer overrun errors, in which the programmer forgets to check how much data is written to a buffer, and data ends up written beyond the end of the buffer, thus overwriting unrelated data. Such errors can compromise the entire system and must be avoided. Fortunately, avoiding these errors is usually relatively easy in the device driver context, in which the interface to the user is narrowly defined and highly controlled.
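The overrun just described, shown in a user-space model of a driver's write method. This is an added example, not code from the book: memcpy stands in for copy_from_user(), and the device structure, the 16-byte buffer and the function names are assumptions made for the illustration. The unchecked version trusts the caller's count; the checked version clamps it to the space actually left in the buffer.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed model: DEV_BUF_SIZE, struct dev_state and the two write
 * functions are assumptions, not kernel code. memcpy() stands in for
 * copy_from_user(), which in a real driver also validates the user
 * pointer and returns the number of bytes it could NOT copy. */
#define DEV_BUF_SIZE 16

struct dev_state {
    char buf[DEV_BUF_SIZE];
    size_t len;             /* bytes of buf currently holding data */
};

/* Overrun version: 'count' comes straight from the user and is never
 * compared with the buffer size, so a write larger than DEV_BUF_SIZE
 * runs past buf and overwrites 'len' and whatever follows it. */
long dev_write_unchecked(struct dev_state *dev, const char *ubuf, size_t count)
{
    memcpy(dev->buf, ubuf, count);      /* BUG: no bound on count */
    dev->len = count;
    return (long)count;
}

/* Hardened version: the copy is bounded by the room left in the buffer,
 * and the caller is told how many bytes were actually accepted (a short
 * write), which is the usual contract for a write method. */
long dev_write_checked(struct dev_state *dev, const char *ubuf, size_t count)
{
    size_t room = DEV_BUF_SIZE - dev->len;

    if (count == 0)
        return 0;
    if (room == 0)
        return -ENOSPC;                 /* buffer full: refuse, do not spill */
    if (count > room)
        count = room;                   /* clamp to available space */
    memcpy(dev->buf + dev->len, ubuf, count);
    dev->len += count;
    return (long)count;
}
```

A 64-byte write against the checked version yields a short write of 16 bytes and a following write returns -ENOSPC; the same 64-byte write against the unchecked version is undefined behaviour, which is why the test below never calls it.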

Some other general security ideas are worth keeping in mind. Any input received from user processes should be treated with great suspicion; never trust it unless you can verify it. Be careful with uninitialized memory; any memory obtained from the kernel should be zeroed or otherwise initialized before being made available to a user process or device. Otherwise, information leakage (disclosure of data, passwords, etc.) could result. If your device interprets data sent to it, be sure the user cannot send anything that could compromise the system. Finally, think about the possible effect of device operations; if there are specific operations (e.g., reloading the firmware on an adapter board or formatting a disk) that could affect the system, those operations should almost certainly be restricted to privileged users.
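The two remaining points above, the information leak from a buffer that is handed back with stale contents and the privilege check that a driver must make itself for operations such as a firmware reload (the earlier paragraph on policy exceptions), in one user-space model. This is an added example, not code from the book; the caller context struct stands in for the kernel's capable(CAP_SYS_ADMIN) check, memcpy for copy_to_user()/copy_from_user(), and the device structure, buffer size and function names are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed model; every name here is an assumption for illustration. */
#define DEV_BUF_SIZE 32

/* Stand-in for capable(CAP_SYS_ADMIN): in a real driver the kernel
 * supplies this from the calling process's credentials. */
struct caller_ctx {
    int has_cap_sys_admin;
};

struct dev_state {
    char buf[DEV_BUF_SIZE];   /* in a driver: a kmalloc'ed buffer */
    size_t len;               /* bytes of buf holding real device data */
    unsigned firmware_loads;
};

/* Zeroing at allocation (kzalloc() in a driver) so that nothing left by a
 * previous owner of the memory can ever reach a user process. */
void dev_init(struct dev_state *dev)
{
    memset(dev, 0, sizeof(*dev));
}

/* Leaky read: honours the caller's 'count' up to the buffer size, ignoring
 * how many bytes are valid, so stale bytes beyond 'len' are disclosed. */
long dev_read_leaky(struct dev_state *dev, char *ubuf, size_t count)
{
    if (count > DEV_BUF_SIZE)
        count = DEV_BUF_SIZE;
    memcpy(ubuf, dev->buf, count);      /* BUG: copies past dev->len */
    return (long)count;
}

/* Safe read: never copies beyond the data the device actually produced. */
long dev_read_safe(struct dev_state *dev, char *ubuf, size_t count)
{
    if (count > dev->len)
        count = dev->len;
    memcpy(ubuf, dev->buf, count);
    return (long)count;
}

/* Privileged operation: the driver itself refuses a firmware reload from
 * an unprivileged caller, then validates the user-supplied image before
 * interpreting it (the image here is just stored, as a placeholder). */
long dev_ioctl_load_firmware(struct dev_state *dev, const struct caller_ctx *ctx,
                             const char *image, size_t image_len)
{
    if (!ctx->has_cap_sys_admin)
        return -EPERM;                  /* policy check made in the driver */
    if (image == NULL || image_len == 0 || image_len > DEV_BUF_SIZE)
        return -EINVAL;                 /* untrusted length, bounded before use */
    memcpy(dev->buf, image, image_len);
    dev->len = image_len;
    dev->firmware_loads++;
    return 0;
}
```

The stale contents are simulated in the test by filling the buffer with a marker after dev_init() and then marking only four bytes as valid: the leaky read returns the marker bytes, the safe read stops at four; the firmware ioctl is refused with -EPERM for a caller without the capability and with -EINVAL for an empty image even from a privileged caller.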

Be careful, also, when receiving software from third parties, especially when the kernel is concerned: because everybody has access to the source code, everybody can break and recompile things. Although you can usually trust precompiled kernels found in your distribution, you should avoid running kernels compiled by an untrusted friend—if you wouldn't run a precompiled binary as root, then you'd better not run a precompiled kernel. For example, a maliciously modified kernel could allow anyone to load a module, thus opening an unexpected back door via init_module.

Note that the Linux kernel can be compiled to have no module support whatsoever, thus closing any module-related security holes. In this case, of course, all needed drivers must be built directly into the kernel itself. It is also possible, with 2.2 and later kernels, to disable the loading of kernel modules after system boot via the capability mechanism.
