Leveraging IPSec for Mandatory Access Control of Linux Network Communications

We present an implementation of mandatory access control for Linux network communications that restricts socket access to labelled IPSec security associations. The Linux Security Modules (LSM) framework defines a reference monitor interface that enables security modules (e.g., SELinux) to enforce comprehensive mandatory access control (MAC) for Linux version 2.6. The current LSM control over network communication is limited, however. The LSM interface enables control of process access to sockets, but socket communications can only be restricted by network interface and IP address. We cannot use LSMs to control access to particular applications on remote machines or reliably associate request processing with the appropriate remote principals. The original proposal based on IP Security Options (IPSO) was found to be too expensive for unlabelled communications, so an alternative mechanism is necessary. Prior work on the Flask security architecture showed that IPSec can be used to enable MAC control of network communication. In this paper, we translate this approach into the Linux system, version 2.6.12. We describe our design for enforcement, which is based on the Linux 2.6 IPSec implementation called the XFRM subsystem (pronounced "transform"). We detail the modifications necessary to the kernel and to the user-level ipsec-tools to support IPSec policy specification and negotiation. Finally, we show how security functions can be enabled using these LSM hooks with the SELinux LSM.
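As an added illustration (not taken from the report), the following fragments show what a labelled IPSec policy looks like with the setkey syntax that ipsec-tools later gained for this purpose, together with the SELinux rules that gate it. The addresses, the application domain `myapp_t` and the module name are assumed for the example; the `-ctx` clause and the `association` object class with its `polmatch`, `sendto`, `recvfrom` and `setcontext` permissions are the interfaces as they exist in mainline Linux and SELinux reference policy, which may differ in detail from the 2.6.12 prototype the report describes.

```conf
# --- /etc/ipsec-tools.conf (setkey syntax), constructed for this example ---
# "-ctx doi algorithm context-string" attaches an LSM label to the SPD entry;
# algorithm 1 selects SELinux. A socket matches this entry only if its own
# context is allowed "polmatch" on the entry's context (ipsec_spd_t).
# Addresses 10.0.0.1 and 10.0.0.2 are placeholders.
flush;
spdflush;

spdadd 10.0.0.1/32 10.0.0.2/32 any
    -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
    -P out ipsec esp/transport//require;

spdadd 10.0.0.2/32 10.0.0.1/32 any
    -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
    -P in ipsec esp/transport//require;

# The SAs themselves are negotiated by racoon with the peer. In the mainline
# implementation an SA acquired for a labelled policy carries the context of
# the socket that triggered it, so the remote reference monitor can tell
# which local principal the traffic came from.

# --- myapp_ipsec.te (SELinux policy module), constructed for this example ---
# myapp_t is an assumed domain for the application being confined; setkey_t
# and ipsec_spd_t are the reference-policy types for setkey and SPD entries.
policy_module(myapp_ipsec, 1.0)

gen_require(`
    type myapp_t;
    type ipsec_spd_t;
    type setkey_t;
')

# Checks the reference monitor makes on the "association" object class:
#   polmatch   socket context may select an SPD entry with this context
#   sendto     socket may transmit over an SA carrying this context
#   recvfrom   socket may accept packets from an SA carrying this context
#   setcontext process may attach this context to an SPD entry or SA
allow myapp_t ipsec_spd_t:association polmatch;
allow myapp_t myapp_t:association { sendto recvfrom };
allow setkey_t ipsec_spd_t:association setcontext;

# If the AVC denies polmatch, the kernel treats the labelled entry as not
# matching for that socket and continues with the rest of the SPD, so the
# remaining entries decide whether the flow is dropped or sent in the clear.
# Without the sendto/recvfrom rule, packets over a negotiated SA are dropped
# and logged as an association denial.
```

Load the policy module with `semodule -i` and the SPD with `setkey -f`; `setkey -DP` then shows the security context on each entry, and a socket in `myapp_t` connecting to 10.0.0.2 will trigger an IKE negotiation only if the `polmatch` rule is present.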

By: Trent R. Jaeger; Serge Hallyn; Joy Latten

Published in: IBM Research Report RC23642 (2005)

LIMITED DISTRIBUTION NOTICE:

This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).

rc23642.pdf