[RFC PATCH 00/15] LSM: No exclusive LSMs

Casey Schaufler casey at schaufler-ca.com
Sat Jun 21 17:18:35 UTC 2025


Remove all constraints that require Linux Security Modules to
be marked as "exclusive".

This RFC includes variants of two other patch sets:
https://github.com/cschaufler/lsm-stacking#audit-6.14-rc1-v4
https://github.com/cschaufler/lsm-stacking#mount-opts-6.16-rc1

Based on Paul Moore's LSM initialization patchset:
https://lore.kernel.org/all/20250409185019.238841-31-paul@paul-moore.com/v3

There are three components to this change. Patches 01-04
implement a mechanism to provide auxiliary audit records
and use it to supply new records for multiple subject and
object security contexts. Patches 09-11 allow mount options
to be supported by multiple LSMs. The remaining patches
address mechanisms that cannot be used safely by more than
one LSM.

Testing has been done using SELinux, Smack and AppArmor on
Fedora and using AppArmor and Smack on Ubuntu. Using SELinux
and Smack on Fedora requires a systemd change.

Casey Schaufler (15):
  Audit: Create audit_stamp structure
  LSM: security_lsmblob_to_secctx module selection
  Audit: Add record for multiple task security contexts
  Audit: Add record for multiple object contexts
  LSM: Single calls in secid hooks
  LSM: Exclusive secmark usage
  Audit: Call only the first of the audit rule hooks
  AppArmor: Remove the exclusive flag
  LSM: Add mount opts blob size tracking
  LSM: allocate mnt_opts blobs instead of module specific data
  LSM: Infrastructure management of the mnt_opts security blob
  LSM: Allow reservation of netlabel
  LSM: restrict security_cred_getsecid() to a single LSM
  Smack: Remove LSM_FLAG_EXCLUSIVE
  LSM: Remove exclusive LSM flag

 include/linux/audit.h               |  23 +++
 include/linux/lsm_hooks.h           |   5 +-
 include/linux/security.h            |   6 +-
 include/uapi/linux/audit.h          |   2 +
 kernel/audit.c                      | 274 ++++++++++++++++++++++++----
 kernel/audit.h                      |  13 +-
 kernel/auditsc.c                    |  65 ++-----
 net/netlabel/netlabel_user.c        |   8 +-
 security/apparmor/include/net.h     |   5 +
 security/apparmor/lsm.c             |  12 +-
 security/lsm.h                      |   4 -
 security/lsm_init.c                 |  36 ++--
 security/security.c                 | 103 ++++++++---
 security/selinux/hooks.c            |  82 ++++++---
 security/selinux/include/netlabel.h |   5 +
 security/selinux/netlabel.c         |   4 +-
 security/smack/smack.h              |  10 +
 security/smack/smack_lsm.c          | 107 ++++++++---
 security/smack/smack_netfilter.c    |  10 +-
 security/smack/smackfs.c            |  20 +-
 20 files changed, 585 insertions(+), 209 deletions(-)

-- 
2.47.0
More information about the Linux-security-module-archive mailing list