[RFC PATCH 0/3] LSM: Hook registration exclusivity
Casey Schaufler
casey at schaufler-ca.com
Wed Feb 25 19:21:40 UTC 2026
This patch set represents a reasonably radical change to the LSM
stacking model. The notion of an "exclusive" LSM begins to give
way to exclusive LSM hooks. Instead of disallowing more than one
exclusive LSM, individual hooks are marked as exclusive and only
one is allowed to be registered. Subsequent LSMs that attempt to
register these hooks are denied them. This can have consequences.
The hooks relative to secmarks have been used here to demonstrate
that the scheme can work, and that it isn't always as clean as
one might like.
Please comment fully. Quite a bit of tinkering went into devising
this approach, which is intended to address a number of concerns.
Add a flags field to the LSM hook definition.
The first LSM that requests a hook with the LSM_FLAG_EXCLUSIVE flag
will be the only LSM that can register any hook thus marked.
Attempts by other LSMs to register such hooks are ignored.
Direct access to skb->secmark within LSMs is wrapped with a
helper function lsm_secmark_from_skb(). This function checks to see
if the secmark related LSM hooks, which are marked LSM_FLAG_EXCLUSIVE,
are registered by the calling LSM. If they are, the secmark value is
returned. Otherwise, the invalid secmark value 0 is returned.
Future implementations of lsm_secmark_from_skb() could use some
form of secmark encoding that would allow more than one LSM to
use secmarks at the same time.
The LSMs that currently support use of secmarks are taught how to
identify if they are allowed use of the secmark. Each sets secmark values
differently. At initialization the LSMs have the opportunity to
take steps to ensure correct behavior if they don't have secmark access.
https://github.com/cschaufler/lsm-stacking#secmark-6.19-rc8-v1
Casey Schaufler (3):
LSM: add a flags field to the LSM hook definitions
LSM: Enforce exclusive hooks
LSM: Reserve use of secmarks
include/linux/bpf_lsm.h | 2 +-
include/linux/lsm_hook_defs.h | 614 ++++++++++++++++---------------
include/linux/lsm_hooks.h | 4 +-
include/linux/security.h | 3 +
kernel/bpf/bpf_lsm.c | 10 +-
security/apparmor/lsm.c | 24 +-
security/bpf/hooks.c | 2 +-
security/lsm_init.c | 66 ++++
security/security.c | 21 +-
security/selinux/hooks.c | 35 +-
security/selinux/ss/services.c | 3 +
security/smack/smack_lsm.c | 6 +-
security/smack/smack_netfilter.c | 6 +
13 files changed, 473 insertions(+), 323 deletions(-)
--
2.52.0
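As an added illustration, not code from this patch set or from the kernel, here is a constructed userspace model of the registration rule the cover letter describes: the first LSM to register an LSM_FLAG_EXCLUSIVE hook owns every hook so marked, later requests for those hooks are ignored, and lsm_secmark_from_skb() hands the invalid value 0 to any LSM that did not register the secmark hooks. The hook names follow lsm_hook_defs.h; the LSM ids, the struct layout and the sample packet are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed userspace model of the rule in the cover letter; not kernel code. */
#define LSM_FLAG_EXCLUSIVE 0x01	/* flag name as used in the cover letter */

enum hook_id {
	HOOK_SECMARK_RELABEL_PACKET,	/* secmark hooks: marked exclusive */
	HOOK_SECMARK_REFCOUNT_INC,
	HOOK_FILE_OPEN,			/* ordinary stackable hook, for contrast */
	HOOK_COUNT
};

struct hook_def {
	unsigned int flags;
	unsigned int registered;	/* bitmask of LSM ids that hold a callback here */
};

static struct hook_def hooks[HOOK_COUNT] = {
	[HOOK_SECMARK_RELABEL_PACKET] = { LSM_FLAG_EXCLUSIVE, 0 },
	[HOOK_SECMARK_REFCOUNT_INC]   = { LSM_FLAG_EXCLUSIVE, 0 },
	[HOOK_FILE_OPEN]              = { 0, 0 },
};

static int exclusive_owner = -1;	/* first LSM to claim any exclusive hook */

/* Returns true if the hook was registered, false if the request was ignored. */
bool lsm_register_hook(int lsm_id, enum hook_id id)
{
	struct hook_def *h = &hooks[id];
	if (h->flags & LSM_FLAG_EXCLUSIVE) {
		if (exclusive_owner < 0)
			exclusive_owner = lsm_id;	/* first claimant owns every exclusive hook */
		else if (exclusive_owner != lsm_id)
			return false;			/* later LSM: request silently denied */
	}
	h->registered |= 1u << lsm_id;
	return true;
}

struct skb_model { uint32_t secmark; };	/* stand-in for sk_buff; constructed */
static const struct skb_model sample_skb = { .secmark = 42 };	/* constructed packet */

/* Callers that did not register the exclusive secmark hooks get the invalid value 0. */
uint32_t lsm_secmark_from_skb(int lsm_id, const struct skb_model *skb)
{
	if (!(hooks[HOOK_SECMARK_REFCOUNT_INC].registered & (1u << lsm_id)))
		return 0;
	return skb->secmark;
}
```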