Linux - LSM
"Traditional" Linux Security Module
SELinux
SELinux is an implementation of Mandatory Access Control (MAC), in contrast to the standard Unix model of Discretionary Access Control (DAC).
SELinux comes installed by default on Red Hat distributions.
To check your SELinux mode, run sestatus and read the output. For example:
$ sestatus
SELinux status: disabled
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: error (Success)
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
Concepts:
- Multi-Level Security (MLS)
- Multi-Category Security (MCS)
Permissive vs Enforcing Mode:
- Permissive Mode: SELinux logs access-control violations (as AVC denials) but does not block them
- Enforcing Mode: SELinux blocks the violating access and logs it
AppArmor
Ubuntu Server's Mandatory Access Control (MAC) system, equivalent to Red Hat's SELinux.
AppArmor vs SELinux
- SELinux identifies file system objects by inode rather than by path, which makes its policies harder for administrators to set up and maintain.
- AppArmor identifies file system objects by path.
Under AppArmor an inaccessible file may become accessible if a hard link to it is created. SELinux's inode-based model has always inherently denied access through newly created hard links because the hard link would be pointing to an inaccessible inode.
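To make the hard-link difference concrete, here is an added toy model (not part of the original notes and not real AppArmor or SELinux code): one check denies by file name, the other by inode, and both are asked about a freshly created hard link to a "secret" file in a temporary directory.

```sh
#!/bin/sh
# Added example: a toy path-based policy (AppArmor style) next to a toy
# inode-based policy (SELinux style). Nothing is enforced on the real
# system; the "policy" is a single denied path or denied inode.
set -e

inode_of() {
    # Inode number of a path, using POSIX ls -i (inode is field 1).
    ls -i "$1" | awk '{print $1}'
}

# Path-based check: deny only if the name being opened is the denied name.
path_policy() {   # $1 = denied path, $2 = path being opened
    [ "$2" = "$1" ] && echo denied || echo allowed
}

# Inode-based check: deny if the name resolves to the denied inode,
# whatever that name happens to be.
inode_policy() {  # $1 = denied inode, $2 = path being opened
    [ "$(inode_of "$2")" = "$1" ] && echo denied || echo allowed
}

# Creates a constructed secret file plus a hard link to it in a temp dir,
# then reports what each policy says about opening it through the link.
hardlink_demo() {
    dir=$(mktemp -d)
    secret="$dir/secret"
    link="$dir/alias"
    echo "constructed secret data" > "$secret"
    ln "$secret" "$link"                 # same inode, second name
    denied_ino=$(inode_of "$secret")
    printf 'path:%s inode:%s\n' \
        "$(path_policy "$secret" "$link")" \
        "$(inode_policy "$denied_ino" "$link")"
    rm -rf "$dir"
}

hardlink_demo   # prints: path:allowed inode:denied
```

The path-based check is bypassed because the link is a different name, while the inode-based check still denies because both names point at the same inode.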
eBPF-based Linux Security Module (LSM)
KRSI (Kernel Runtime Security Instrumentation) is Google's new Linux Security Module (LSM). Unlike other LSMs, such as AppArmor and SELinux, you can customize KRSI by writing eBPF programs.
The core idea behind KRSI—using eBPF programs to attach to LSM hooks for dynamic security policies—has been successfully integrated into the Linux kernel under the name BPF-LSM.
BPF-LSM is a "stackable" LSM, which means it can be enabled and used alongside other, more traditional LSMs like SELinux and AppArmor. This is a powerful feature because it allows you to combine the strengths of different security models. For example, you can have a general, system-wide policy from SELinux and then use a more dynamic, specific BPF-LSM policy to add fine-grained security checks for a particular application.