torvalds/linux
Security
Purpose
security/ implements the Linux Security Module (LSM) framework and the major in-tree LSMs: SELinux, AppArmor, Smack, TOMOYO, Yama, Landlock, IPE, LoadPin, lockdown, IMA/EVM (integrity), keys (the kernel keyring), capabilities, and SafeSetID. The directory also contains BPF LSM glue.
LSMs hook into many kernel paths and decide whether an operation is allowed.
Directory layout
security/
├── Kconfig, Kconfig.hardening, Makefile
├── security.c # The framework: hook calls, module list
├── lsm.h, lsm_audit.c, lsm_init.c, lsm_notifier.c, lsm_syscalls.c
├── commoncap.c # Capabilities (POSIX caps) — built-in mini-LSM
├── inode.c # Generic security blob handling for inodes
├── min_addr.c # mmap_min_addr enforcement
├── selinux/ # NSA SELinux
├── apparmor/ # AppArmor
├── smack/ # Smack
├── tomoyo/ # TOMOYO
├── yama/ # Ptrace scope (Yama)
├── landlock/ # Landlock (unprivileged sandboxing)
├── ipe/ # IPE (Integrity Policy Enforcement)
├── loadpin/ # LoadPin (kernel module/firmware origin restriction)
├── lockdown/ # Lockdown (restricts root)
├── safesetid/ # SafeSetID
├── integrity/ # IMA (file integrity), EVM (extended verification)
├── keys/ # The kernel keyring framework
└── bpf/ # BPF LSM (programs attached to LSM hooks)Key abstractions
| Symbol | File | Purpose |
|---|---|---|
struct lsm_id |
include/linux/lsm_hooks.h |
LSM identity (name, id). |
static struct security_hook_list ... |
per-LSM | Points each LSM hook at a function. |
call_int_hook(), call_void_hook() |
security/security.c |
The dispatcher that fans a single call out to every active LSM. |
struct cred |
include/linux/cred.h |
The credentials structure carrying uid/gid/caps/security blob. |
How it works
graph LR
CALLER[Kernel call site] -->|"security_<hook>(...)"| FW[security/security.c]
FW -->|stacked| LSM1[selinux]
FW -->|stacked| LSM2[apparmor / smack / tomoyo / landlock / ipe / yama / ...]
FW -->|optional| BPF[BPF LSM programs]
LSM1 --> RES[Allow / deny]
LSM2 --> RES
BPF --> RES
RES --> CALLERLSM stacking
Multiple LSMs can run at once. The order and inclusion are configured by CONFIG_LSM= and the lsm= boot parameter. commoncap (capabilities) is always present. SELinux, AppArmor, and Smack are mutually exclusive in practice (only one labels every object at a time), but minor LSMs (Yama, Landlock, LoadPin, IPE) compose freely.
Capabilities
security/commoncap.c is the mini-LSM that implements POSIX capabilities (CAP*SYS_ADMIN, CAP_NET_ADMIN, etc.). Always-on. The capability bits live in struct cred->cap*\*.
SELinux
security/selinux/. Type-enforcement based on a compiled policy loaded from /sys/fs/selinux/. Each subject and object has a "context" (user:role:type:level); an access-vector cache (avc.c) accelerates per-class permission checks. Used by Fedora, RHEL, Android.
AppArmor
security/apparmor/. Path-based MAC. Profiles compiled from text. Used by Ubuntu, SUSE.
Smack
security/smack/. Simplified Mandatory Access Control Kernel. Less expressive than SELinux but easier to audit. Used in some embedded products.
Landlock
security/landlock/. Unprivileged sandboxing — applications can restrict their own future operations. Reduces the need for a privileged sandbox supervisor. Used by sandboxes in browsers and CI runners.
Yama
security/yama/. Restricts ptrace to direct descendants by default (/proc/sys/kernel/yama/ptrace_scope). Cheap and very effective.
IPE
security/ipe/. Integrity Policy Enforcement. Blocks code execution unless the file came from a verified origin (e.g. dm-verity-protected disk). Newer addition.
Lockdown
security/lockdown/. Restricts even root from operations that could circumvent kernel signing (/dev/mem, kexec without signed kernels, raw MSR access, BPF interpretation of arbitrary memory). Tightly coupled to Secure Boot.
Integrity (IMA/EVM)
security/integrity/ima/ and evm/. IMA hashes files and compares against a measurement list / signed appraisal. EVM signs extended attributes including the IMA hash. Used in measured-boot environments and for runtime attestation.
Keys
security/keys/. The in-kernel keyring framework. Used by NFS, dm-crypt, IMA, fscrypt, and the request-key user-space helper.
BPF LSM
security/bpf/. Lets BPF programs be attached to LSM hooks. Subject to the BPF verifier and to LSM-specific rules. Used for runtime security tools.
LoadPin and SafeSetID
- LoadPin (
security/loadpin/) — kernel modules and firmware must come from a single, locked-after-boot filesystem. - SafeSetID (
security/safesetid/) — restricts which UIDs a process may switch to.
Hook surface
A few representative hooks (from include/linux/lsm_hook_defs.h):
inode_*—inode_create,inode_link,inode_unlink,inode_permission,inode_setxattr.path_*— path-based equivalents.file_*—file_open,file_permission,file_mprotect,file_ioctl.socket_*—socket_create,socket_bind,socket_connect,socket_sendmsg.task_*—task_setrlimit,task_kill,task_prctl,task_setpgid.bprm_*— exec lifecycle.cred_*— credential clone, transfer, free.bpf_*— load, attach, map create.
These hooks are the integration surface between LSMs and the rest of the kernel.
Integration points
- fs/: every path/inode/file operation calls into security_*.
- kernel/:
commit_creds,bprm_*,prctl,seccompinterplay. - net/: socket and packet hooks.
- kernel/bpf/: the BPF LSM interface.
- drivers/: ioctl hooks; LSMs can vet device control paths.
- mm/:
mmap_min_addr,file_mprotecthook on mprotect.
Key source files
| File | Purpose |
|---|---|
security/security.c |
The dispatcher, module registration, hook walking. |
security/lsm_init.c |
Boot-time LSM ordering and initialization. |
security/commoncap.c |
Capabilities. |
security/selinux/hooks.c |
The big SELinux hook table. |
security/apparmor/lsm.c |
AppArmor hook table. |
security/landlock/syscalls.c |
Landlock UAPI. |
security/keys/keyring.c |
Kernel keyring core. |
security/integrity/ima/ima_main.c |
IMA. |
include/linux/lsm_hook_defs.h |
The list of hooks (the "interface"). |
Entry points for modification
- New LSM hook: add to
include/linux/lsm_hook_defs.h, callsecurity_<hook>(...)from the right place, update LSMs that care. - New LSM: new directory under
security/, register viaDEFINE_LSM(...), list hooks. The bar is high — write down what threat model you address. - BPF LSM program: write a BPF program of type
BPF_PROG_TYPE_LSM. SeeDocumentation/bpf/.
Related pages
- Kernel core — credentials, capabilities, BPF.
- Filesystems — most LSM hooks fire from the VFS.
- Networking — socket-level hooks.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.