linux/Documentation/security/LSM.txt
Linux Security Module framework
-------------------------------

The Linux Security Module (LSM) framework provides a mechanism for
various security checks to be hooked by new kernel extensions. The name
"module" is a bit of a misnomer since these extensions are not actually
loadable kernel modules. Instead, they are selectable at build-time via
CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the
"security=..." kernel command line argument, in the case where multiple
LSMs were built into a given kernel.

The primary users of the LSM interface are Mandatory Access Control
(MAC) extensions which provide a comprehensive security policy. Examples
include SELinux, Smack, Tomoyo, and AppArmor. In addition to the larger
MAC extensions, other extensions can be built using the LSM to provide
specific changes to system operation when these tweaks are not available
in the core functionality of Linux itself.

Without a specific LSM built into the kernel, the default LSM will be the
Linux capabilities system. Most LSMs choose to extend the capabilities
system, building their checks on top of the defined capability hooks.
For more details on capabilities, see capabilities(7) in the Linux
man-pages project.

Based on ,
a new LSM is accepted into the kernel when its intent (a description of
what it tries to protect against and in what cases one would expect to
use it) has been appropriately documented in Documentation/security/.
This allows an LSM's code to be easily compared to its goals, and so
that end users and distros can make a more informed decision about which
LSMs suit their requirements.

For extensive documentation on the available LSM hook interfaces, please
see include/linux/security.h.
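The selection rules described above (build-time CONFIG_DEFAULT_SECURITY, boot-time "security=..." override, capabilities when nothing is selected) can be audited with a short script. This is an added example, not part of the kernel documentation; the function names, the status labels and the sample inputs are constructed, and it assumes an LSM named "foo" is built in when the config contains CONFIG_SECURITY_FOO=y.

```shell
#!/bin/sh
# Added example: resolve the LSM choice from .config text and a command line.

# Build-time default: value of CONFIG_DEFAULT_SECURITY="..." (empty if unset).
default_lsm() {
    printf '%s\n' "$1" | sed -n 's/^CONFIG_DEFAULT_SECURITY="\(.*\)"$/\1/p' | tail -n 1
}

# Boot-time override: value of security=... (the last one, if repeated).
cmdline_lsm() (
    set -f                      # no globbing while word-splitting the line
    out=""
    for arg in $1; do
        case "$arg" in security=*) out=${arg#security=} ;; esac
    done
    printf '%s\n' "$out"
)

# Assumption: an LSM named "foo" is built in when CONFIG_SECURITY_FOO=y.
built_in() {
    sym=CONFIG_SECURITY_$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$1" | grep -qx "$sym=y"
}

# Prints "<lsm> <status>" for config text $1 and command line $2.
audit_lsm() {
    boot=$(cmdline_lsm "$2"); dflt=$(default_lsm "$1")
    if [ -z "$boot" ]; then
        if [ -n "$dflt" ]; then echo "$dflt build-default"
        else echo "capabilities no-lsm-selected"; fi
    elif ! built_in "$1" "$boot"; then
        echo "$boot override-not-built-in"
    elif [ "$boot" = "$dflt" ]; then
        echo "$boot override-matches-default"
    else
        echo "$boot override-changes-default"
    fi
}

# Constructed sample inputs (not taken from a real system).
SAMPLE_CONFIG='CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="selinux"'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro security=apparmor quiet'

audit_lsm "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE"
```

On a live system the two arguments would come from the kernel's build config (its location varies by distribution) and from /proc/cmdline; an "override-changes-default" or "override-not-built-in" result is the case worth reviewing, since the boot loader configuration has replaced the MAC system the kernel was built to use.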