Linux Security Modules (LSM): A Deep Dive into Kernel-Level Security Frameworks#

The Linux Security Modules (LSM) framework is a cornerstone of Linux kernel security, providing a flexible architecture that allows multiple security models to coexist without kernel modification. This comprehensive guide explores the LSM framework, major implementations, and how to leverage these powerful security mechanisms in modern Linux systems.

Understanding the LSM Framework#

What is LSM?#

Linux Security Modules is a framework that provides a general kernel interface for security modules. Rather than committing to a single security model, LSM allows the Linux kernel to support various security implementations through a clean, well-defined API.

Architecture Overview#

1
// LSM Hook Structure (simplified)
2
struct security_hook_list {
3
    struct hlist_node list;
4
    struct hlist_head *head;
5
    union security_list_options hook;
6
    const char *lsm;
7
};
8

9
// Example LSM hook points
10
static struct security_hook_list my_hooks[] __lsm_ro_after_init = {
11
    LSM_HOOK_INIT(file_open, my_file_open),
12
    LSM_HOOK_INIT(task_create, my_task_create),
13
    LSM_HOOK_INIT(socket_create, my_socket_create),
14
    LSM_HOOK_INIT(inode_permission, my_inode_permission),
15
};

How LSM Works#

Hook Placement: LSM places hooks at critical points in kernel code
DAC First: Discretionary Access Control checks occur before LSM
Module Callbacks: Security modules register callbacks for hooks
Decision Making: Modules return allow/deny decisions
Stacking: Multiple LSMs can be active simultaneously (since Linux 4.2)

Major LSM Implementations#

SELinux (Security-Enhanced Linux)#

SELinux implements Mandatory Access Control (MAC) through Type Enforcement (TE) and Multi-Level Security (MLS).

Core Concepts#

1
# SELinux contexts format: user:role:type:level
2
ls -Z /etc/passwd
3
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd
4

5
# Policy rules example
6
allow httpd_t httpd_content_t:file { read open getattr };
7
allow httpd_t httpd_log_t:file { create write append };

Custom SELinux Policy Module#

1
# myapp.te - Type Enforcement file
2
policy_module(myapp, 1.0.0)
3

4
# Declare types
5
type myapp_t;
6
type myapp_exec_t;
7
type myapp_data_t;
8
type myapp_log_t;
9

10
# Make myapp_t a domain
11
domain_type(myapp_t)
12

13
# Allow transitions
14
domain_entry_file(myapp_t, myapp_exec_t)
15

16
# Define permissions
17
allow myapp_t myapp_data_t:file { read write create unlink };
18
allow myapp_t myapp_log_t:file { append create };
19
allow myapp_t self:tcp_socket { create connect };
20

21
# Network access
22
corenet_tcp_connect_http_port(myapp_t)
23

24
# File contexts
25
/usr/bin/myapp          -- gen_context(system_u:object_r:myapp_exec_t,s0)
26
/var/lib/myapp(/.*)?    gen_context(system_u:object_r:myapp_data_t,s0)
27
/var/log/myapp(/.*)?    gen_context(system_u:object_r:myapp_log_t,s0)

Building and Loading#

1
# Compile the module
2
checkmodule -M -m -o myapp.mod myapp.te
3
semodule_package -o myapp.pp -m myapp.mod
4

5
# Install the module
6
semodule -i myapp.pp
7

8
# Verify installation
9
semodule -l | grep myapp
10

11
# Apply file contexts
12
restorecon -Rv /usr/bin/myapp /var/lib/myapp /var/log/myapp

AppArmor#

AppArmor uses path-based MAC, making it more intuitive but less flexible than SELinux.

Profile Development#

1
#include <tunables/global>
2

3
/usr/bin/myapp {
4
  #include <abstractions/base>
5
  #include <abstractions/nameservice>
6

7
  # Capabilities
8
  capability net_bind_service,
9
  capability setuid,
10

11
  # Network access
12
  network inet tcp,
13
  network inet udp,
14

15
  # File access
16
  /usr/bin/myapp r,
17
  /etc/myapp/** r,
18
  /var/lib/myapp/** rw,
19
  /var/log/myapp/** w,
20

21
  # Library access
22
  /usr/lib/x86_64-linux-gnu/** mr,
23

24
  # Temp files
25
  /tmp/myapp-* rw,
26

27
  # System access
28
  @{PROC}/sys/net/core/somaxconn r,
29
  @{PROC}/[0-9]*/stat r,
30

31
  # Child profiles
32
  /usr/bin/helper Cx -> helper,
33

34
  profile helper {
35
    #include <abstractions/base>
36

37
    /usr/bin/helper r,
38
    /tmp/helper-* rw,
39

40
    # Limited permissions for helper
41
    deny network,
42
    deny capability,
43
  }
44
}

Profile Management#

1
# Parse and load profile
2
apparmor_parser -r /etc/apparmor.d/usr.bin.myapp
3

4
# Set to complain mode (logging only)
5
aa-complain /usr/bin/myapp
6

7
# Set to enforce mode
8
aa-enforce /usr/bin/myapp
9

10
# Generate profile from logs
11
aa-genprof /usr/bin/myapp
12

13
# Update profile based on logs
14
aa-logprof

SMACK (Simplified Mandatory Access Control Kernel)#

SMACK provides a simpler alternative to SELinux with label-based access control.

SMACK Rules#

1
# SMACK rule format: subject object access
2
# Set labels
3
attr -S -s SMACK64 -V "WebApp" /usr/bin/webapp
4
attr -S -s SMACK64 -V "WebData" /var/www/data
5

6
# Define rules
7
echo "WebApp WebData rwx" > /sys/fs/smackfs/load2
8
echo "WebApp Network w" > /sys/fs/smackfs/load2
9
echo "WebApp _ r" > /sys/fs/smackfs/load2  # Read any unlabeled
10

11
# Network labels
12
echo "192.168.1.0/24 WebNet" > /sys/fs/smackfs/netlabel

TOMOYO#

TOMOYO provides pathname-based MAC with learning mode capabilities.

1
<kernel>
2
use_profile 3
3

4
<kernel> /usr/sbin/sshd
5
use_profile 2
6
allow_read /etc/ssh/sshd_config
7
allow_read /etc/passwd
8
allow_read /etc/shadow
9
allow_create /var/run/sshd.pid 0600
10
allow_network TCP bind 0.0.0.0 22
11
allow_network TCP listen 0.0.0.0 22

Yama#

Yama provides additional DAC restrictions, particularly for ptrace.

1
// Yama ptrace scope settings
2
// 0 - classic ptrace permissions
3
// 1 - restricted ptrace
4
// 2 - admin-only attach
5
// 3 - no attach
6
echo 1 > /proc/sys/kernel/yama/ptrace_scope

Implementing a Custom LSM#

Basic LSM Structure#

1
// my_lsm.c - Custom LSM implementation
2
#include <linux/lsm_hooks.h>
3
#include <linux/security.h>
4
#include <linux/slab.h>
5
#include <linux/file.h>
6
#include <linux/mm.h>
7
#include <linux/mman.h>
8
#include <linux/pagemap.h>
9
#include <linux/swap.h>
10
#include <linux/spinlock.h>
11
#include <linux/init.h>
12
#include <linux/sched.h>
13

14
#define MY_LSM_NAME "my_lsm"
15

16
/* Security blob for storing custom data */
17
struct my_task_security {
18
    u32 security_level;
19
    bool privileged;
20
    struct list_head permissions;
21
};
22

23
/* Global security state */
24
static struct kmem_cache *my_task_security_cache;
25

26
/* Hook implementations */
27
static int my_task_alloc(struct task_struct *task, unsigned long clone_flags)
28
{
29
    struct my_task_security *tsec;
30

31
    tsec = kmem_cache_zalloc(my_task_security_cache, GFP_KERNEL);
32
    if (!tsec)
33
        return -ENOMEM;
34

35
    INIT_LIST_HEAD(&tsec->permissions);
36
    tsec->security_level = current->security_level;
37
    tsec->privileged = false;
38

39
    task->security = tsec;
40
    return 0;
41
}
42

43
static void my_task_free(struct task_struct *task)
44
{
45
    struct my_task_security *tsec = task->security;
46

47
    if (tsec) {
48
        /* Clean up permissions list */
49
        cleanup_permissions(&tsec->permissions);
50
        kmem_cache_free(my_task_security_cache, tsec);
51
    }
52
}
53

54
static int my_file_open(struct file *file)
55
{
56
    struct my_task_security *tsec = current->security;
57
    struct inode *inode = file_inode(file);
58

59
    /* Example policy: high security processes can't access world-writable files */
60
    if (tsec->security_level >= 3) {
61
        if (inode->i_mode & S_IWOTH) {
62
            pr_info("MY_LSM: Denied access to world-writable file\n");
63
            return -EACCES;
64
        }
65
    }
66

67
    return 0;
68
}
69

70
static int my_task_setpgid(struct task_struct *p, pid_t pgid)
71
{
72
    struct my_task_security *tsec = current->security;
73

74
    /* Example policy: only privileged tasks can change process groups */
75
    if (!tsec->privileged && pgid != task_pid_nr(p)) {
76
        pr_info("MY_LSM: Denied setpgid for unprivileged task\n");
77
        return -EPERM;
78
    }
79

80
    return 0;
81
}
82

83
static int my_socket_create(int family, int type, int protocol, int kern)
84
{
85
    struct my_task_security *tsec = current->security;
86

87
    /* Example policy: restrict raw sockets */
88
    if (type == SOCK_RAW && !tsec->privileged) {
89
        pr_info("MY_LSM: Denied raw socket creation\n");
90
        return -EPERM;
91
    }
92

93
    return 0;
94
}
95

96
/* LSM hook list */
97
static struct security_hook_list my_hooks[] __lsm_ro_after_init = {
98
    LSM_HOOK_INIT(task_alloc, my_task_alloc),
99
    LSM_HOOK_INIT(task_free, my_task_free),
100
    LSM_HOOK_INIT(file_open, my_file_open),
101
    LSM_HOOK_INIT(task_setpgid, my_task_setpgid),
102
    LSM_HOOK_INIT(socket_create, my_socket_create),
103
};
104

105
/* Initialize the module */
106
static int __init my_lsm_init(void)
107
{
108
    pr_info("MY_LSM: Initializing...\n");
109

110
    /* Create cache for security blobs */
111
    my_task_security_cache = kmem_cache_create("my_task_security",
112
                                              sizeof(struct my_task_security),
113
                                              0, SLAB_PANIC, NULL);
114

115
    /* Register hooks */
116
    security_add_hooks(my_hooks, ARRAY_SIZE(my_hooks), MY_LSM_NAME);
117

118
    pr_info("MY_LSM: Initialized successfully\n");
119
    return 0;
120
}
121

122
/* Define the LSM */
123
DEFINE_LSM(my_lsm) = {
124
    .name = MY_LSM_NAME,
125
    .init = my_lsm_init,
126
};

Advanced LSM Features#

1
// Extended LSM with policy engine
2
struct my_policy_rule {
3
    char *subject_label;
4
    char *object_label;
5
    u32 allowed_operations;
6
    struct list_head list;
7
};
8

9
static LIST_HEAD(policy_rules);
10
static DEFINE_RWLOCK(policy_lock);
11

12
/* Policy parsing and enforcement */
13
static int parse_policy_rule(const char *rule_string)
14
{
15
    struct my_policy_rule *rule;
16
    char *subject, *object, *perms;
17

18
    rule = kzalloc(sizeof(*rule), GFP_KERNEL);
19
    if (!rule)
20
        return -ENOMEM;
21

22
    /* Parse rule format: "subject object permissions" */
23
    if (sscanf(rule_string, "%ms %ms %ms", &subject, &object, &perms) != 3) {
24
        kfree(rule);
25
        return -EINVAL;
26
    }
27

28
    rule->subject_label = subject;
29
    rule->object_label = object;
30
    rule->allowed_operations = parse_permissions(perms);
31

32
    write_lock(&policy_lock);
33
    list_add_tail(&rule->list, &policy_rules);
34
    write_unlock(&policy_lock);
35

36
    kfree(perms);
37
    return 0;
38
}
39

40
static bool check_policy(const char *subject, const char *object, u32 operation)
41
{
42
    struct my_policy_rule *rule;
43
    bool allowed = false;
44

45
    read_lock(&policy_lock);
46
    list_for_each_entry(rule, &policy_rules, list) {
47
        if (strcmp(rule->subject_label, subject) == 0 &&
48
            strcmp(rule->object_label, object) == 0) {
49
            if (rule->allowed_operations & operation) {
50
                allowed = true;
51
                break;
52
            }
53
        }
54
    }
55
    read_unlock(&policy_lock);
56

57
    return allowed;
58
}
59

60
/* securityfs interface for policy management */
61
static struct dentry *my_lsm_dir;
62
static struct dentry *policy_file;
63

64
static ssize_t policy_write(struct file *file, const char __user *buf,
65
                           size_t count, loff_t *ppos)
66
{
67
    char *policy_line;
68
    int ret;
69

70
    if (count > PAGE_SIZE)
71
        return -E2BIG;
72

73
    policy_line = memdup_user_nul(buf, count);
74
    if (IS_ERR(policy_line))
75
        return PTR_ERR(policy_line);
76

77
    ret = parse_policy_rule(policy_line);
78
    kfree(policy_line);
79

80
    return ret ?: count;
81
}
82

83
static const struct file_operations policy_fops = {
84
    .write = policy_write,
85
};
86

87
static int __init my_lsm_fs_init(void)
88
{
89
    my_lsm_dir = securityfs_create_dir(MY_LSM_NAME, NULL);
90
    if (IS_ERR(my_lsm_dir))
91
        return PTR_ERR(my_lsm_dir);
92

93
    policy_file = securityfs_create_file("policy", 0600, my_lsm_dir,
94
                                        NULL, &policy_fops);
95
    if (IS_ERR(policy_file)) {
96
        securityfs_remove(my_lsm_dir);
97
        return PTR_ERR(policy_file);
98
    }
99

100
    return 0;
101
}

LSM Stacking and Modern Features#

BPF-LSM Integration#

1
// BPF-LSM program example
2
#include <linux/bpf.h>
3
#include <bpf/bpf_helpers.h>
4
#include <bpf/bpf_tracing.h>
5

6
SEC("lsm/file_open")
7
int BPF_PROG(restrict_file_open, struct file *file, int ret)
8
{
9
    if (ret != 0)
10
        return ret;
11

12
    char filename[256];
13
    struct dentry *dentry = BPF_CORE_READ(file, f_path.dentry);
14

15
    bpf_d_path(&file->f_path, filename, sizeof(filename));
16

17
    /* Policy: Block access to specific files */
18
    if (bpf_strncmp(filename, 10, "/etc/shadow") == 0) {
19
        u32 pid = bpf_get_current_pid_tgid() >> 32;
20
        u32 uid = bpf_get_current_uid_gid() & 0xFFFFFFFF;
21

22
        if (uid != 0) {
23
            bpf_printk("Blocked access to /etc/shadow by PID %d UID %d\n",
24
                      pid, uid);
25
            return -EPERM;
26
        }
27
    }
28

29
    return ret;
30
}
31

32
SEC("lsm/socket_connect")
33
int BPF_PROG(monitor_socket_connect, struct socket *sock,
34
             struct sockaddr *address, int addrlen, int ret)
35
{
36
    if (ret != 0)
37
        return ret;
38

39
    if (address->sa_family == AF_INET) {
40
        struct sockaddr_in *addr = (struct sockaddr_in *)address;
41
        u32 dest_ip = addr->sin_addr.s_addr;
42
        u16 dest_port = bpf_ntohs(addr->sin_port);
43

44
        /* Policy: Log all outbound connections */
45
        bpf_printk("Connection to %pI4:%d\n", &dest_ip, dest_port);
46

47
        /* Block connections to specific ports */
48
        if (dest_port == 25 || dest_port == 587) {  /* SMTP */
49
            bpf_printk("Blocked SMTP connection attempt\n");
50
            return -ECONNREFUSED;
51
        }
52
    }
53

54
    return ret;
55
}

LSM Stacking Configuration#

1
// Kernel configuration for LSM stacking
2
CONFIG_SECURITY=y
3
CONFIG_SECURITYFS=y
4
CONFIG_SECURITY_NETWORK=y
5
CONFIG_SECURITY_PATH=y
6
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
7

8
// Runtime configuration
9
// /sys/kernel/security/lsm shows active LSMs
10
cat /sys/kernel/security/lsm
11
lockdown,capability,yama,selinux,bpf
12

13
// Configure LSM order at boot
14
kernel command line: lsm=capability,yama,apparmor,bpf

Performance Considerations#

Benchmarking LSM Overhead#

1
// Benchmark tool for LSM performance
2
#include <stdio.h>
3
#include <time.h>
4
#include <fcntl.h>
5
#include <unistd.h>
6

7
#define ITERATIONS 1000000
8

9
void benchmark_file_open(const char *path)
10
{
11
    struct timespec start, end;
12
    double elapsed;
13
    int fd;
14

15
    clock_gettime(CLOCK_MONOTONIC, &start);
16

17
    for (int i = 0; i < ITERATIONS; i++) {
18
        fd = open(path, O_RDONLY);
19
        if (fd >= 0)
20
            close(fd);
21
    }
22

23
    clock_gettime(CLOCK_MONOTONIC, &end);
24

25
    elapsed = (end.tv_sec - start.tv_sec) +
26
              (end.tv_nsec - start.tv_nsec) / 1e9;
27

28
    printf("File open benchmark: %d iterations in %.3f seconds\n",
29
           ITERATIONS, elapsed);
30
    printf("Average time per operation: %.3f microseconds\n",
31
           (elapsed * 1e6) / ITERATIONS);
32
}
33

34
int main()
35
{
36
    printf("LSM Performance Benchmark\n");
37
    printf("=========================\n");
38

39
    /* Test with different LSM configurations */
40
    benchmark_file_open("/etc/passwd");
41

42
    return 0;
43
}

Optimization Strategies#

1
// Optimized LSM hook implementation
2
static int optimized_file_permission(struct file *file, int mask)
3
{
4
    struct inode *inode = file_inode(file);
5
    struct my_inode_security *isec;
6

7
    /* Fast path: skip checks for kernel threads */
8
    if (current->flags & PF_KTHREAD)
9
        return 0;
10

11
    /* Use RCU for lock-free reads */
12
    rcu_read_lock();
13
    isec = rcu_dereference(inode->i_security);
14

15
    /* Cache security decisions */
16
    if (isec && isec->cached_result_valid &&
17
        isec->cached_mask == mask) {
18
        int result = isec->cached_result;
19
        rcu_read_unlock();
20
        return result;
21
    }
22
    rcu_read_unlock();
23

24
    /* Slow path: full security check */
25
    return perform_full_check(file, mask);
26
}

Security Policy Development#

Policy Generation Tools#

1
#!/usr/bin/env python3
2
# generate_policy.py - Generate LSM policies from audit logs
3

4
import re
5
import sys
6
from collections import defaultdict
7

8
class PolicyGenerator:
9
    def __init__(self):
10
        self.rules = defaultdict(set)
11
        self.file_contexts = defaultdict(set)
12

13
    def parse_audit_log(self, logfile):
14
        with open(logfile, 'r') as f:
15
            for line in f:
16
                self.parse_line(line)
17

18
    def parse_line(self, line):
19
        # Parse SELinux denials
20
        if 'denied' in line and 'scontext=' in line:
21
            m = re.search(r'scontext=(\S+).*tcontext=(\S+).*tclass=(\S+).*\{(\S+)\}', line)
22
            if m:
23
                scontext = m.group(1).split(':')[2]
24
                tcontext = m.group(2).split(':')[2]
25
                tclass = m.group(3)
26
                perm = m.group(4)
27

28
                self.rules[(scontext, tcontext, tclass)].add(perm)
29

30
        # Parse AppArmor denials
31
        elif 'DENIED' in line and 'profile=' in line:
32
            m = re.search(r'profile="([^"]+)".*operation="([^"]+)".*name="([^"]+)"', line)
33
            if m:
34
                profile = m.group(1)
35
                operation = m.group(2)
36
                name = m.group(3)
37

38
                self.file_contexts[profile].add((operation, name))
39

40
    def generate_selinux_policy(self):
41
        print("# Generated SELinux policy")
42
        for (scontext, tcontext, tclass), perms in sorted(self.rules.items()):
43
            perms_str = ' '.join(sorted(perms))
44
            print(f"allow {scontext} {tcontext}:{tclass} {{ {perms_str} }};")
45

46
    def generate_apparmor_policy(self):
47
        print("# Generated AppArmor policy")
48
        for profile, accesses in sorted(self.file_contexts.items()):
49
            print(f"\nprofile {profile} {{")
50
            for operation, name in sorted(accesses):
51
                mode = self.operation_to_mode(operation)
52
                print(f"  {name} {mode},")
53
            print("}")
54

55
    def operation_to_mode(self, operation):
56
        mode_map = {
57
            'open': 'r',
58
            'create': 'w',
59
            'mkdir': 'w',
60
            'unlink': 'd',
61
            'exec': 'x',
62
        }
63
        return mode_map.get(operation, 'r')
64

65
if __name__ == '__main__':
66
    if len(sys.argv) != 2:
67
        print(f"Usage: {sys.argv[0]} <audit.log>")
68
        sys.exit(1)
69

70
    generator = PolicyGenerator()
71
    generator.parse_audit_log(sys.argv[1])
72

73
    print("=== SELinux Policy ===")
74
    generator.generate_selinux_policy()
75

76
    print("\n=== AppArmor Policy ===")
77
    generator.generate_apparmor_policy()

Policy Testing Framework#

1
#!/bin/bash
2
# test_policy.sh - Test security policies
3

4
set -e
5

6
POLICY_FILE=$1
7
TEST_SUITE=$2
8

9
echo "=== Security Policy Testing Framework ==="
10

11
# Function to test SELinux policy
12
test_selinux() {
13
    echo "Testing SELinux policy..."
14

15
    # Load policy in permissive mode
16
    semodule -DB
17
    setenforce 0
18
    semodule -i $POLICY_FILE
19

20
    # Run test suite
21
    $TEST_SUITE 2>&1 | tee selinux_test.log
22

23
    # Check for denials
24
    ausearch -m AVC -ts recent | grep -q "denied"
25
    if [ $? -eq 0 ]; then
26
        echo "FAIL: SELinux denials found"
27
        ausearch -m AVC -ts recent
28
        return 1
29
    else
30
        echo "PASS: No SELinux denials"
31
        return 0
32
    fi
33
}
34

35
# Function to test AppArmor policy
36
test_apparmor() {
37
    echo "Testing AppArmor policy..."
38

39
    # Load policy in complain mode
40
    apparmor_parser -C -r $POLICY_FILE
41

42
    # Run test suite
43
    $TEST_SUITE 2>&1 | tee apparmor_test.log
44

45
    # Check for denials
46
    grep -q "DENIED" /var/log/audit/audit.log
47
    if [ $? -eq 0 ]; then
48
        echo "FAIL: AppArmor denials found"
49
        grep "DENIED" /var/log/audit/audit.log
50
        return 1
51
    else
52
        echo "PASS: No AppArmor denials"
53
        return 0
54
    fi
55
}
56

57
# Determine policy type and test
58
if [[ $POLICY_FILE == *.pp ]]; then
59
    test_selinux
60
elif [[ $POLICY_FILE == *.apparmor ]]; then
61
    test_apparmor
62
else
63
    echo "Unknown policy type"
64
    exit 1
65
fi

Best Practices for LSM Deployment#

1. Start with Audit/Complain Mode#

1
# SELinux
2
setenforce 0  # Set to permissive
3
audit2allow -a -M myapp  # Generate policy from audit logs
4

5
# AppArmor
6
aa-complain /usr/bin/myapp  # Set to complain mode
7
aa-logprof  # Generate policy from logs

2. Use Policy Modules#

1
# SELinux modules
2
cat > myapp.fc << EOF
3
/opt/myapp/bin(/.*)?    system_u:object_r:myapp_exec_t:s0
4
/opt/myapp/etc(/.*)?    system_u:object_r:myapp_config_t:s0
5
/opt/myapp/data(/.*)?   system_u:object_r:myapp_data_t:s0
6
EOF
7

8
# Build and install
9
make -f /usr/share/selinux/devel/Makefile myapp.pp
10
semodule -i myapp.pp

3. Monitor Performance Impact#

1
// Kernel module for LSM performance monitoring
2
static struct kprobe kp = {
3
    .symbol_name = "security_file_open",
4
};
5

6
static void measure_hook_time(struct kprobe *p, struct pt_regs *regs)
7
{
8
    ktime_t start = ktime_get();
9
    jprobe_return();
10
    ktime_t end = ktime_get();
11

12
    u64 delta = ktime_to_ns(end - start);
13
    if (delta > threshold_ns) {
14
        pr_warn("LSM hook took %llu ns\n", delta);
15
    }
16
}

4. Implement Gradual Rollout#

1
# Kubernetes example with security policies
2
apiVersion: v1
3
kind: Pod
4
metadata:
5
  name: myapp
6
  annotations:
7
    container.apparmor.security.beta.kubernetes.io/myapp: localhost/myapp-profile
8
spec:
9
  securityContext:
10
    seLinuxOptions:
11
      level: "s0:c123,c456"
12
      type: "myapp_t"
13
  containers:
14
    - name: myapp
15
      image: myapp:latest
16
      securityContext:
17
        allowPrivilegeEscalation: false
18
        capabilities:
19
          drop:
20
            - ALL
21
          add:
22
            - NET_BIND_SERVICE

Troubleshooting Common Issues#

SELinux Troubleshooting#

1
# Check SELinux status
2
sestatus -v
3

4
# View recent denials
5
ausearch -m AVC -ts recent
6

7
# Analyze denials
8
sealert -a /var/log/audit/audit.log
9

10
# Common fixes
11
# Wrong context
12
restorecon -Rv /path/to/files
13

14
# Missing permissions
15
audit2allow -a -M local
16
semodule -i local.pp
17

18
# Boolean toggles
19
getsebool -a | grep httpd
20
setsebool -P httpd_can_network_connect on

AppArmor Troubleshooting#

1
# Check AppArmor status
2
aa-status
3

4
# View denials
5
journalctl -xe | grep DENIED
6

7
# Common fixes
8
# Update profile
9
aa-logprof
10

11
# Reload profile
12
apparmor_parser -r /etc/apparmor.d/usr.bin.myapp
13

14
# Debug mode
15
echo "profile myapp flags=(complain,debug) {" > /etc/apparmor.d/usr.bin.myapp

Future of LSM#

Emerging Trends#

eBPF Integration: Dynamic security policies without kernel modules
Container-Specific LSMs: Tailored for container security
Hardware-Backed Security: Integration with TPM and secure enclaves
AI/ML Policy Generation: Automated policy creation and optimization

Upcoming Features#

1
// Proposed LSM API extensions
2
struct security_operations_v2 {
3
    /* Async security decisions */
4
    int (*file_open_async)(struct file *file,
5
                          void (*callback)(int result));
6

7
    /* Hardware security integration */
8
    int (*validate_with_tpm)(struct file *file,
9
                            struct tpm_measurement *measurement);
10

11
    /* Container-aware hooks */
12
    int (*container_create)(struct container_struct *container);
13
    int (*container_escape_attempt)(struct task_struct *task);
14
};

Conclusion#

Linux Security Modules provide a powerful framework for implementing mandatory access control and enhancing system security. Whether using established modules like SELinux and AppArmor or developing custom solutions, LSM offers the flexibility and control needed for modern security requirements.

Key takeaways:

LSM provides a vendor-neutral security framework
Multiple LSMs can work together through stacking
Choose the right LSM based on your security model
Start with audit mode and gradually enforce policies
Monitor performance impact in production
Leverage modern features like BPF-LSM for dynamic policies

As threats evolve and systems become more complex, LSM continues to adapt, providing the foundation for Linux security in cloud-native, container, and traditional environments.

Resources#

Next: Linux Kernel Hardening Techniques - KASLR, KPTI, and Modern Mitigation Strategies