| Kees Cook | 504f231 | 2017-05-13 04:51:43 -0700 | [diff] [blame] | 1 | =========================== |
| 2 | Linux Security Module Usage |
| 3 | =========================== |
| Kees Cook | e163bc8 | 2011-11-01 17:20:01 -0700 | [diff] [blame] | 4 | |
| 5 | The Linux Security Module (LSM) framework provides a mechanism for |
| 6 | various security checks to be hooked by new kernel extensions. The name |
| 7 | "module" is a bit of a misnomer since these extensions are not actually |
| 8 | loadable kernel modules. Instead, they are selectable at build-time via |
| 9 | CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the |
| Kees Cook | 504f231 | 2017-05-13 04:51:43 -0700 | [diff] [blame] | 10 | ``"security=..."`` kernel command line argument, in the case where multiple |
| Kees Cook | e163bc8 | 2011-11-01 17:20:01 -0700 | [diff] [blame] | 11 | LSMs were built into a given kernel. |
| 12 | |
| 13 | The primary users of the LSM interface are Mandatory Access Control |
| 14 | (MAC) extensions which provide a comprehensive security policy. Examples |
| 15 | include SELinux, Smack, Tomoyo, and AppArmor. In addition to the larger |
| 16 | MAC extensions, other extensions can be built using the LSM to provide |
| 17 | specific changes to system operation when these tweaks are not available |
| 18 | in the core functionality of Linux itself. |
| 19 | |
| Casey Schaufler | 6d9c939 | 2018-09-21 17:16:59 -0700 | [diff] [blame] | 20 | The Linux capabilities modules will always be included. This may be |
| 21 | followed by any number of "minor" modules and at most one "major" module. |
| Kees Cook | 504f231 | 2017-05-13 04:51:43 -0700 | [diff] [blame] | 22 | For more details on capabilities, see ``capabilities(7)`` in the Linux |
| Kees Cook | e163bc8 | 2011-11-01 17:20:01 -0700 | [diff] [blame] | 23 | man-pages project. |
| 24 | |
| Casey Schaufler | d69dece5 | 2017-01-18 17:09:05 -0800 | [diff] [blame] | 25 | A list of the active security modules can be found by reading |
| Kees Cook | 504f231 | 2017-05-13 04:51:43 -0700 | [diff] [blame] | 26 | ``/sys/kernel/security/lsm``. This is a comma separated list, and |
| Casey Schaufler | d69dece5 | 2017-01-18 17:09:05 -0800 | [diff] [blame] | 27 | will always include the capability module. The list reflects the |
| 28 | order in which checks are made. The capability module will always |
| 29 | be first, followed by any "minor" modules (e.g. Yama) and then |
| 30 | the one "major" module (e.g. SELinux) if there is one configured. |
| Kees Cook | 229fd05 | 2017-05-13 04:51:44 -0700 | [diff] [blame] | 31 | |
| Casey Schaufler | 6d9c939 | 2018-09-21 17:16:59 -0700 | [diff] [blame] | 32 | Process attributes associated with "major" security modules should |
| 33 | be accessed and maintained using the special files in ``/proc/.../attr``. |
| 34 | A security module may maintain a module specific subdirectory there, |
| 35 | named after the module. ``/proc/.../attr/smack`` is provided by the Smack |
| 36 | security module and contains all its special files. The files directly |
| 37 | in ``/proc/.../attr`` remain as legacy interfaces for modules that provide |
| 38 | subdirectories. |
| 39 | |
| Kees Cook | 229fd05 | 2017-05-13 04:51:44 -0700 | [diff] [blame] | 40 | .. toctree:: |
| 41 | :maxdepth: 1 |
| 42 | |
| Kees Cook | 26fccd9 | 2017-05-13 04:51:45 -0700 | [diff] [blame] | 43 | apparmor |
| Kees Cook | 30da4f7 | 2017-05-13 04:51:48 -0700 | [diff] [blame] | 44 | LoadPin |
| Kees Cook | 229fd05 | 2017-05-13 04:51:44 -0700 | [diff] [blame] | 45 | SELinux |
| Kees Cook | a5606ce | 2017-05-13 04:51:49 -0700 | [diff] [blame] | 46 | Smack |
| Kees Cook | 5ea672c | 2017-05-13 04:51:46 -0700 | [diff] [blame] | 47 | tomoyo |
| Kees Cook | 90bb766 | 2017-05-13 04:51:47 -0700 | [diff] [blame] | 48 | Yama |
| Micah Morton | aeca4e2 | 2019-01-16 07:46:06 -0800 | [diff] [blame] | 49 | SafeSetID |