[RFC PATCH 9/9] Loadpol LSM: add a minimal documentation

Simon THOBY git at nightmared.fr
Wed May 21 14:01:13 UTC 2025 

Introduce a minimal documentation for Loadpol, presenting the policy
format and the two user interfaces: the securityfs policy file and the
sysctl.

Signed-off-by: Simon THOBY <git at nightmared.fr>
---
 Documentation/admin-guide/LSM/Loadpol.rst | 81 +++++++++++++++++++++++
 Documentation/admin-guide/LSM/index.rst   |  1 +
 2 files changed, 82 insertions(+)
 create mode 100644 Documentation/admin-guide/LSM/Loadpol.rst

diff --git a/Documentation/admin-guide/LSM/Loadpol.rst b/Documentation/admin-guide/LSM/Loadpol.rst
new file mode 100644
index 000000000000..0aa24a8d393c
--- /dev/null
+++ b/Documentation/admin-guide/LSM/Loadpol.rst
@@ -0,0 +1,81 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+=======
+Loadpol
+=======
+
+Loadpol is a Linux Security Module that enforces a user-provided policy
+when decided whether a dynamic module can be loaded or not.
+
+The policy can be read and rewritten at ``/sys/kernel/security/loadpol/policy``.
+
+A default policy is created that contains the current list of blacklisted modules,
+and a catch-all entry that allow loading any module.
+
+Policy format
+=============
+
+The policy is defined as a set of line-separated entries.
+Each entry define the conditions for a match (the origin of the load request and
+the name of the kernel module), and the action to take when the load request
+matches the entry.
+
+
+Entry syntax: ``[origin=(userspace|kernel|kernel,userspace)] [module=<module_name>] action=(allow|deny)``
+
+There are two matching conditions:
+
+``origin``:
+    Load Requests can come from two origins:
+
+    * ``userspace`` (ie. a program in userspace called modprobe/insmod)
+    * ``kernel`` (the kernel requested the module directly by calling
+      ``request_module(...)``, e.g. loading a filesystem when performing a
+      ``-o loop`` mount).
+
+    When unspecified, the condition defaults to ``kernel,userspace`` (which means
+    that both origins match).
+
+``module``:
+    Name of the kernel module being matched. The name can contain wilcards.
+    Beware, module aliases do not work!
+
+There are two possible actions:
+
+* ``allow``: permit the load of the kernel module.
+* ``deny``: reject the load of the kernel module and emit an audit log.
+
+The policy is not greedy: as soon as a match is found, the evaluation terminates
+with the result of that match. So be very careful with the order of your entries.
+
+The main use cases of the policy will probably be to define an allowlist
+(here, we allow ``module_a`` and any module starting with ``module_b`` loaded
+by the user)::
+
+	module==module_a action=allow
+	origin==user module==module_b* action=deny
+	action=deny
+
+But other mechanisms are possible, like a denylist
+(here we block ``module_a``, ``module_b`` if it is loaded by the kernel and
+any module starting with ``module_c`` loaded by the user)::
+
+	module==module_a action=deny
+	origin==kernel module==module_b action=deny
+	origin==user module==module_c* action=deny
+	action=allow
+
+Policy lock
+===========
+
+In order to protect the policy from tampering, a sysctl is provided to
+lock-in-place the currently-loaded policy.
+
+The ``security.loadpol.locked`` can take 2 values:
+
+0 - default:
+    the policy can be reloaded at runtime by any administrator.
+
+1 - locked:
+    the policy cannot be updated or modified, and loadpol cannot be disabled
+    without rebooting.
diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst
index b44ef68f6e4d..01d36670d8ad 100644
--- a/Documentation/admin-guide/LSM/index.rst
+++ b/Documentation/admin-guide/LSM/index.rst
@@ -42,6 +42,7 @@ subdirectories.
 
    apparmor
    LoadPin
+   Loadpol
    SELinux
    Smack
    tomoyo
-- 
2.49.0

More information about the Linux-security-module-archive mailing list