Skip to content
A place to store my toy linux-security modules.
C Makefile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Create FUNDING.yml Jun 26, 2019
security Final tweaks May 19, 2019
.gitignore Ignore generated-files May 11, 2019

Linux Security Modules

This repository contains a simple collection of linux security modules, which were written as a learning/experimentation-process.


There are three modules contained within this repository, two of which are simple tests and one of which is more "real".

These are test-modules:

  • whitelist
    • Only allow execution of binaries which have a specific xattr present.
  • hashcheck
    • Only allow execution of commands with xattr containing valid SHA1sum of binaries.
    • This builds upon the previous module.

This is the only "real" module:

  • can-exec
    • The the user-space helper /sbin/can-exec is invoked to determine whether a user can execute a specific command.
    • Because user-space controls execution policies can be written/updated dynamically.

Linux Compatibility & Compilation

The code has been tested upon kernels as recent as 5.1

Copy the contents of security/ into your local Kernel-tree, and run make menuconfig to enable the appropriate options.

NOTE: Over time the two files security/Kconfig & security/Makefile might need resyncing with the base versions installed with the Linux source-tree, you can look for mentions of CAN_EXEC, HASH_CHECK, & WHITELIST to see what I've done to add the modules.

For a Debian GNU/Linux host, building a recent kernel, these are the dependencies you'll need to install:

  # apt-get install flex bison bc libelf-dev libssl-dev \
                    build-essential make libncurses5-dev \


I wrote a couple of blog posts which might provide more background, and they are listed below (in order oldest to most recent):

You can’t perform that action at this time.