Linux Security — LSM (Linux Security Modules)

Shlomi Boutnaru, Ph.D.
2 min read · Sep 13, 2022


“Linux Security Modules” (LSM) is a framework that allows the kernel to support various security modules. It was mainly designed to allow the implementation of MAC (Mandatory Access Control) with minimal changes to the Linux kernel. For now, you should know that MAC is an organization-wide security policy that users can’t override (I am going to post about MAC and DAC in more detail separately).

Despite the name containing “Modules”, LSM is not implemented as loadable kernel modules (“.ko” files). The LSM framework is of course optional and needs to be enabled with the CONFIG_SECURITY kernel configuration option.

If we want to get a list of the running LSMs we just need to read “/sys/kernel/security/lsm” — see the screenshot below (taken from Ubuntu 22.04.01 LTS). It is a comma-separated list; at minimum it includes the “capabilities system” (I have started a series on capabilities, you can read the 1st part here — https://medium.com/@boutnaru/linux-security-capabilities-part-1-63c6d2ceb8bf). The reason for seeing “capabilities” in that list is that it was implemented as a “security module”. You can also see in the source code of capabilities that it includes “lsm_hooks.h” (https://elixir.bootlin.com/linux/latest/source/security/commoncap.c#L9) and thus uses the LSM enums, macros and functions.
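As an added example (not part of the original post), the POSIX shell script below reads that file and reports which LSMs are active, which is a handy check when verifying a hardened build or a baseline image. The path is the one named above; the sample value is constructed to resemble what a recent Ubuntu kernel reports and is only used when the file is not readable (securityfs not mounted, or running inside a container), so the script also runs offline. Note that the kernel lists the capabilities module under the name “capability”, so that is the token to look for.

```shell
#!/bin/sh
# Added example (not from the original post): inventory the active LSMs.
# LSM_FILE is the path named in the post. SAMPLE_LSM_LIST is a constructed
# value resembling a typical Ubuntu 22.04 kernel; it is used only as an
# offline fallback when the real file cannot be read.
LSM_FILE=/sys/kernel/security/lsm
SAMPLE_LSM_LIST="lockdown,capability,landlock,yama,apparmor"

# read_lsm_list: print the comma-separated list. The kernel writes it without
# a trailing newline, so the output is normalised with printf.
read_lsm_list() {
    if [ -r "$LSM_FILE" ]; then
        printf '%s\n' "$(cat "$LSM_FILE")"
    else
        printf '%s\n' "$SAMPLE_LSM_LIST"
    fi
}

# lsm_active LIST NAME: succeed (exit 0) only if NAME is a whole entry of
# LIST. -x forces a whole-line match, -F disables regex interpretation.
lsm_active() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qxF "$2"
}

# lsm_count LIST: number of entries in LIST (empty list counts as 0)
lsm_count() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -c . || true
}

# Report: which MAC/hardening modules are present in this kernel's list.
# "capability" is expected on every kernel with CONFIG_SECURITY enabled.
lsm_report() {
    list="$(read_lsm_list)"
    printf 'active LSMs (%s): %s\n' "$(lsm_count "$list")" "$list"
    for m in capability apparmor selinux landlock yama lockdown; do
        if lsm_active "$list" "$m"; then
            printf '  %-10s active\n' "$m"
        else
            printf '  %-10s not active\n' "$m"
        fi
    done
}

lsm_report
```

Because `lsm_active` returns an exit status, it can be dropped straight into a compliance check, e.g. `lsm_active "$(read_lsm_list)" apparmor || echo "AppArmor is not enabled"`.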

One of the biggest design goals of LSM is to avoid manipulating the syscall table in order to implement the “security modules”. This is done to avoid race conditions and scaling problems. Having said that, LSM was not created to provide a generic instrumentation/tracing/hooking mechanism for the Linux kernel. For more information I suggest watching this presentation — https://www.youtube.com/watch?v=RKBBPsp-TZ0.

There are a couple of security features which are implemented as “security modules”, like AppArmor, SELinux, TOMOYO, LoadPin, Landlock and Smack — some of them appear in the screenshot below. A detailed explanation about them will be posted separately.

See you in the next write-up ;-)

You can follow me — @boutnaru (https://twitter.com/boutnaru).
