Open-Source Wikis

/

Linux

/

Subsystems

/

Security

torvalds/linux

Security

Purpose

security/ implements the Linux Security Module (LSM) framework and the major in-tree LSMs: SELinux, AppArmor, Smack, TOMOYO, Yama, Landlock, IPE, LoadPin, lockdown, IMA/EVM (integrity), keys (the kernel keyring), capabilities, and SafeSetID. The directory also contains BPF LSM glue.

LSMs hook into many kernel paths and decide whether an operation is allowed.

Directory layout

security/
├── Kconfig, Kconfig.hardening, Makefile
├── security.c             # The framework: hook calls, module list
├── lsm.h, lsm_audit.c, lsm_init.c, lsm_notifier.c, lsm_syscalls.c
├── commoncap.c            # Capabilities (POSIX caps) — built-in mini-LSM
├── inode.c                # Generic security blob handling for inodes
├── min_addr.c             # mmap_min_addr enforcement
├── selinux/               # NSA SELinux
├── apparmor/              # AppArmor
├── smack/                 # Smack
├── tomoyo/                # TOMOYO
├── yama/                  # Ptrace scope (Yama)
├── landlock/              # Landlock (unprivileged sandboxing)
├── ipe/                   # IPE (Integrity Policy Enforcement)
├── loadpin/               # LoadPin (kernel module/firmware origin restriction)
├── lockdown/              # Lockdown (restricts root)
├── safesetid/             # SafeSetID
├── integrity/             # IMA (file integrity), EVM (extended verification)
├── keys/                  # The kernel keyring framework
└── bpf/                   # BPF LSM (programs attached to LSM hooks)

Key abstractions

Symbol File Purpose
struct lsm_id include/linux/lsm_hooks.h LSM identity (name, id).
static struct security_hook_list ... per-LSM Points each LSM hook at a function.
call_int_hook(), call_void_hook() security/security.c The dispatcher that fans a single call out to every active LSM.
struct cred include/linux/cred.h The credentials structure carrying uid/gid/caps/security blob.

How it works

graph LR
    CALLER[Kernel call site] -->|"security_<hook>(...)"| FW[security/security.c]
    FW -->|stacked| LSM1[selinux]
    FW -->|stacked| LSM2[apparmor / smack / tomoyo / landlock / ipe / yama / ...]
    FW -->|optional| BPF[BPF LSM programs]
    LSM1 --> RES[Allow / deny]
    LSM2 --> RES
    BPF --> RES
    RES --> CALLER

LSM stacking

Multiple LSMs can run at once. The order and inclusion are configured by CONFIG_LSM= and the lsm= boot parameter. commoncap (capabilities) is always present. SELinux, AppArmor, and Smack are mutually exclusive in practice (only one labels every object at a time), but minor LSMs (Yama, Landlock, LoadPin, IPE) compose freely.

Capabilities

security/commoncap.c is the mini-LSM that implements POSIX capabilities (CAP*SYS_ADMIN, CAP_NET_ADMIN, etc.). Always-on. The capability bits live in struct cred->cap*\*.

SELinux

security/selinux/. Type-enforcement based on a compiled policy loaded from /sys/fs/selinux/. Each subject and object has a "context" (user:role:type:level); an access-vector cache (avc.c) accelerates per-class permission checks. Used by Fedora, RHEL, Android.

AppArmor

security/apparmor/. Path-based MAC. Profiles compiled from text. Used by Ubuntu, SUSE.

Smack

security/smack/. Simplified Mandatory Access Control Kernel. Less expressive than SELinux but easier to audit. Used in some embedded products.

Landlock

security/landlock/. Unprivileged sandboxing — applications can restrict their own future operations. Reduces the need for a privileged sandbox supervisor. Used by sandboxes in browsers and CI runners.

Yama

security/yama/. Restricts ptrace to direct descendants by default (/proc/sys/kernel/yama/ptrace_scope). Cheap and very effective.

IPE

security/ipe/. Integrity Policy Enforcement. Blocks code execution unless the file came from a verified origin (e.g. dm-verity-protected disk). Newer addition.

Lockdown

security/lockdown/. Restricts even root from operations that could circumvent kernel signing (/dev/mem, kexec without signed kernels, raw MSR access, BPF interpretation of arbitrary memory). Tightly coupled to Secure Boot.

Integrity (IMA/EVM)

security/integrity/ima/ and evm/. IMA hashes files and compares against a measurement list / signed appraisal. EVM signs extended attributes including the IMA hash. Used in measured-boot environments and for runtime attestation.

Keys

security/keys/. The in-kernel keyring framework. Used by NFS, dm-crypt, IMA, fscrypt, and the request-key user-space helper.

BPF LSM

security/bpf/. Lets BPF programs be attached to LSM hooks. Subject to the BPF verifier and to LSM-specific rules. Used for runtime security tools.

LoadPin and SafeSetID

  • LoadPin (security/loadpin/) — kernel modules and firmware must come from a single, locked-after-boot filesystem.
  • SafeSetID (security/safesetid/) — restricts which UIDs a process may switch to.

Hook surface

A few representative hooks (from include/linux/lsm_hook_defs.h):

  • inode_*inode_create, inode_link, inode_unlink, inode_permission, inode_setxattr.
  • path_* — path-based equivalents.
  • file_*file_open, file_permission, file_mprotect, file_ioctl.
  • socket_*socket_create, socket_bind, socket_connect, socket_sendmsg.
  • task_*task_setrlimit, task_kill, task_prctl, task_setpgid.
  • bprm_* — exec lifecycle.
  • cred_* — credential clone, transfer, free.
  • bpf_* — load, attach, map create.

These hooks are the integration surface between LSMs and the rest of the kernel.

Integration points

  • fs/: every path/inode/file operation calls into security_*.
  • kernel/: commit_creds, bprm_*, prctl, seccomp interplay.
  • net/: socket and packet hooks.
  • kernel/bpf/: the BPF LSM interface.
  • drivers/: ioctl hooks; LSMs can vet device control paths.
  • mm/: mmap_min_addr, file_mprotect hook on mprotect.

Key source files

File Purpose
security/security.c The dispatcher, module registration, hook walking.
security/lsm_init.c Boot-time LSM ordering and initialization.
security/commoncap.c Capabilities.
security/selinux/hooks.c The big SELinux hook table.
security/apparmor/lsm.c AppArmor hook table.
security/landlock/syscalls.c Landlock UAPI.
security/keys/keyring.c Kernel keyring core.
security/integrity/ima/ima_main.c IMA.
include/linux/lsm_hook_defs.h The list of hooks (the "interface").

Entry points for modification

  • New LSM hook: add to include/linux/lsm_hook_defs.h, call security_<hook>(...) from the right place, update LSMs that care.
  • New LSM: new directory under security/, register via DEFINE_LSM(...), list hooks. The bar is high — write down what threat model you address.
  • BPF LSM program: write a BPF program of type BPF_PROG_TYPE_LSM. See Documentation/bpf/.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Security – Linux wiki | Factory