]>
Commit | Line | Data |
---|---|---|
504f231c KC |
1 | =========================== |
2 | Linux Security Module Usage | |
3 | =========================== | |
e163bc8e KC |
4 | |
5 | The Linux Security Module (LSM) framework provides a mechanism for | |
6 | various security checks to be hooked by new kernel extensions. The name | |
7 | "module" is a bit of a misnomer since these extensions are not actually | |
8 | loadable kernel modules. Instead, they are selectable at build-time via | |
9 | CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the | |
504f231c | 10 | ``"security=..."`` kernel command line argument, in the case where multiple |
e163bc8e KC |
11 | LSMs were built into a given kernel. |
12 | ||
13 | The primary users of the LSM interface are Mandatory Access Control | |
14 | (MAC) extensions which provide a comprehensive security policy. Examples | |
15 | include SELinux, Smack, Tomoyo, and AppArmor. In addition to the larger | |
16 | MAC extensions, other extensions can be built using the LSM to provide | |
17 | specific changes to system operation when these tweaks are not available | |
18 | in the core functionality of Linux itself. | |
19 | ||
a3c3cde2 CS |
20 | The Linux capabilities modules will always be included. For more details |
21 | on capabilities, see ``capabilities(7)`` in the Linux man-pages project. | |
22 | ||
23 | Security modules that do not use the security data blobs maintained | |
24 | by the LSM infrastructure are considered "minor" modules. These may be | |
25 | included at compile time and stacked explicitly. Security modules that | |
26 | use the LSM maintained security blobs are considered "major" modules. | |
27 | These may only be stacked if the CONFIG_LSM_STACKED configuration | |
28 | option is used. If this is chosen all of the security modules selected | |
29 | will be used. | |
e163bc8e | 30 | |
d69dece5 | 31 | A list of the active security modules can be found by reading |
504f231c | 32 | ``/sys/kernel/security/lsm``. This is a comma separated list, and |
d69dece5 CS |
33 | will always include the capability module. The list reflects the |
34 | order in which checks are made. The capability module will always | |
35 | be first, followed by any "minor" modules (e.g. Yama) and then | |
36 | the one "major" module (e.g. SELinux) if there is one configured. | |
229fd05c | 37 | |
9eee8d63 CS |
38 | Process attributes associated with "major" security modules should |
39 | be accessed and maintained using the special files in ``/proc/.../attr``. | |
40 | A security module may maintain a module specific subdirectory there, | |
41 | named after the module. ``/proc/.../attr/smack`` is provided by the Smack | |
42 | security module and contains all its special files. The files directly | |
43 | in ``/proc/.../attr`` remain as legacy interfaces for modules that provide | |
44 | subdirectories. | |
45 | ||
a3c3cde2 CS |
46 | The files named "context" in the attr directories contain the |
47 | same information as the "current" files, but formatted to | |
48 | identify the module it comes from. | |
49 | ||
50 | if selinux is the active security module: | |
51 | /proc/self/attr/context could contain selinux='unconfined_t' | |
52 | /proc/self/attr/selinux/context could contain selinux='unconfined_t' | |
53 | ||
229fd05c KC |
54 | .. toctree:: |
55 | :maxdepth: 1 | |
56 | ||
26fccd9e | 57 | apparmor |
30da4f77 | 58 | LoadPin |
229fd05c | 59 | SELinux |
a5606ced | 60 | Smack |
5ea672c7 | 61 | tomoyo |
90bb7664 | 62 | Yama |