1=========================== 2Linux Security Module Usage 3=========================== 4 5The Linux Security Module (LSM) framework provides a mechanism for 6various security checks to be hooked by new kernel extensions. The name 7"module" is a bit of a misnomer since these extensions are not actually 8loadable kernel modules. Instead, they are selectable at build-time via 9CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the 10``"security=..."`` kernel command line argument, in the case where multiple 11LSMs were built into a given kernel. 12 13The primary users of the LSM interface are Mandatory Access Control 14(MAC) extensions which provide a comprehensive security policy. Examples 15include SELinux, Smack, Tomoyo, and AppArmor. In addition to the larger 16MAC extensions, other extensions can be built using the LSM to provide 17specific changes to system operation when these tweaks are not available 18in the core functionality of Linux itself. 19 20Without a specific LSM built into the kernel, the default LSM will be the 21Linux capabilities system. Most LSMs choose to extend the capabilities 22system, building their checks on top of the defined capability hooks. 23For more details on capabilities, see ``capabilities(7)`` in the Linux 24man-pages project. 25 26A list of the active security modules can be found by reading 27``/sys/kernel/security/lsm``. This is a comma separated list, and 28will always include the capability module. The list reflects the 29order in which checks are made. The capability module will always 30be first, followed by any "minor" modules (e.g. Yama) and then 31the one "major" module (e.g. SELinux) if there is one configured. 32 33.. toctree:: 34 :maxdepth: 1 35 36 apparmor 37 LoadPin 38 SELinux 39 Smack 40 tomoyo 41 Yama 42