kernel-based implementation

The first NetAuth implementation has been integrated into the Linux kernel. Our implementation has three key components:

• kernel extensions (code integrated into the mainline kernel) implementing networking support for processes with per-user privileges and providing the new system calls pre_accept, set_net_user and accept_by_user.

• a loadable kernel module implementing netAuth authorizations, uses the Linux Security Module (LSM) framework [41].

  The LSM framework segregates the placement of hooks (scattered through the Linux kernel) from the enforcement of access controls (centralized in an LSM module). Thus changes in the mainline kernel (mostly) do not affect LSM modules.

• Three user-space daemons which (1) download the networking policy into the kernel using the netlink facility (2) sign authenticators and (3) verify authenticators.

The kernel implementation currently consists of about 3,700 lines of C code (3,000 (approx.) in the kernel module and 700 (approx.) in the kernel extensions).