index.rst 1.7 KB

1234567891011121314151617181920212223242526272829303132333435363738394041
  1. ===========================
  2. Linux Security Module Usage
  3. ===========================
  4. The Linux Security Module (LSM) framework provides a mechanism for
  5. various security checks to be hooked by new kernel extensions. The name
  6. "module" is a bit of a misnomer since these extensions are not actually
  7. loadable kernel modules. Instead, they are selectable at build-time via
  8. CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the
  9. ``"security=..."`` kernel command line argument, in the case where multiple
  10. LSMs were built into a given kernel.
  11. The primary users of the LSM interface are Mandatory Access Control
  12. (MAC) extensions which provide a comprehensive security policy. Examples
  13. include SELinux, Smack, Tomoyo, and AppArmor. In addition to the larger
  14. MAC extensions, other extensions can be built using the LSM to provide
  15. specific changes to system operation when these tweaks are not available
  16. in the core functionality of Linux itself.
  17. Without a specific LSM built into the kernel, the default LSM will be the
  18. Linux capabilities system. Most LSMs choose to extend the capabilities
  19. system, building their checks on top of the defined capability hooks.
  20. For more details on capabilities, see ``capabilities(7)`` in the Linux
  21. man-pages project.
  22. A list of the active security modules can be found by reading
  23. ``/sys/kernel/security/lsm``. This is a comma separated list, and
  24. will always include the capability module. The list reflects the
  25. order in which checks are made. The capability module will always
  26. be first, followed by any "minor" modules (e.g. Yama) and then
  27. the one "major" module (e.g. SELinux) if there is one configured.
  28. .. toctree::
  29. :maxdepth: 1
  30. apparmor
  31. LoadPin
  32. SELinux
  33. Smack
  34. tomoyo
  35. Yama