A place to store my toy linux-security modules.


# Linux Security Modules

A collection of three simple Linux security modules, intended more for learning and experimentation than for serious use.

* whitelist
  * Only allows execution of commands whose binary carries the expected xattr.
* hashcheck
  * Only allows execution of commands whose binary carries an xattr holding a valid SHA1 sum of that binary.
* can-exec
  * The only serious module in this repository.
  * Invokes the user-space helper `/sbin/can-exec` to determine whether a user may execute a specific command.
  * Allows policies to be written and changed on demand.
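As an added illustration of the hashcheck policy (this is not code from the repository): a user-space helper that labels a binary with its SHA1 in an xattr and then audits whether the stored digest still matches, giving the same verdict the module's exec-time check would. The xattr name `user.hashcheck` and the lowercase hex encoding of the digest are assumptions, not taken from the README.

```python
import errno
import hashlib
import os
import tempfile

XATTR_NAME = "user.hashcheck"  # assumed key, not from the README; the real module may differ

def sha1_of_file(path):
    """Hex SHA1 of the file, hashed in chunks so large binaries are not read whole."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def label(path, setxattr=None):
    """Record the file's current SHA1 in its xattr and return the digest."""
    digest = sha1_of_file(path)
    (setxattr or os.setxattr)(path, XATTR_NAME, digest.encode())
    return digest

def audit(path, getxattr=None):
    """Verdict of an exec-time hash check: 'ok' (may run), 'unlabeled' or 'mismatch' (denied)."""
    try:
        stored = (getxattr or os.getxattr)(path, XATTR_NAME).decode(errors="replace").strip()
    except OSError as exc:
        if exc.errno == errno.ENODATA:  # attribute absent: file was never labeled
            return "unlabeled"
        raise  # e.g. ENOTSUP when the filesystem has no xattr support
    return "ok" if stored == sha1_of_file(path) else "mismatch"

def demo():
    """Unlabeled -> labeled -> modified on a constructed file, using an in-memory xattr store."""
    store = {}
    def fake_get(path, name):
        if (path, name) not in store:
            raise OSError(errno.ENODATA, "No data available")
        return store[(path, name)]
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"\x7fELF constructed sample binary\n")
        path = fh.name
    try:
        before = audit(path, fake_get)
        label(path, lambda p, n, v: store.__setitem__((p, n), v))
        labeled = audit(path, fake_get)
        with open(path, "ab") as fh:  # modify the binary after it was labeled
            fh.write(b"extra bytes\n")
        return before, labeled, audit(path, fake_get)
    finally:
        os.unlink(path)
```

With the defaults, `label` and `audit` use the real `os.setxattr`/`os.getxattr`, so on a filesystem with user xattr support the same functions work on actual binaries.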


I wrote a couple of blog posts which might provide more background, and they are listed below (in order from oldest to most recent):


The code has been tested upon kernels as recent as 4.17.8.

Copy the contents of `security/` into your local kernel tree, and run `make menuconfig` to enable the appropriate options.

NOTE: Over time the two files `security/Kconfig` and `security/Makefile` might need resyncing from master, but you can look for mentions of `CAN_EXEC`, `HASH_CHECK` and `WHITELIST` to see what I've done to add the modules.

To build a recent kernel on a Debian GNU/Linux host, these are the dependencies you'll need to install:

```sh
# apt-get install flex bison bc libelf-dev libssl-dev \
                  build-essential make libncurses5-dev \
```