[PATCH v2 4/5] security: add Rust LSM sample (CONFIG_SECURITY_RUST_LSM)

Jamie Lindsey jamie at matrixforgelabs.com
Wed Mar 11 05:09:07 UTC 2026 

Add a minimal reference LSM written in Rust using the kernel::lsm
abstraction layer introduced in the preceding patch.  The module:

- Implements all three v1 hooks (file_open, task_alloc, task_free).
- Logs each invocation via pr_info() and returns 0 (allow) for every
  operation.  It enforces no policy.

Purposes:
1. Compile-test vehicle for kernel::lsm.
2. API demonstration: shows exactly what an LSM author writes.
3. Boot-test reference: if /sys/kernel/security/lsm lists
   "rust_lsm_sample" after boot, hook registration works end-to-end.

LSM_ID_UNDEF is used as the identity constant; a permanent LSM_ID_*
value from include/uapi/linux/lsm.h will be requested as part of the
upstream patch series.

Activated via lsm= kernel command-line parameter or CONFIG_LSM Kconfig
string.  Requires CONFIG_SECURITYFS=y for /sys/kernel/security/lsm to
be visible.

Compiled and boot-tested on Linux 7.0-rc2 (commit 4ae12d8bd9a8).

Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Jamie Lindsey <jamie at matrixforgelabs.com>
---
 security/Kconfig              |  2 ++
 security/Makefile             |  1 +
 security/rust_lsm/Kconfig     | 14 ++++++++
 security/rust_lsm/Makefile    |  2 ++
 security/rust_lsm/rust_lsm.rs | 66 +++++++++++++++++++++++++++++++++++
 5 files changed, 85 insertions(+)
 create mode 100644 security/rust_lsm/Kconfig
 create mode 100644 security/rust_lsm/Makefile
 create mode 100644 security/rust_lsm/rust_lsm.rs

diff --git a/security/Kconfig b/security/Kconfig
index 6a4393fce9a1..fbd1ad4d36e8 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -301,6 +301,8 @@ config SECURITY_COMMONCAP_KUNIT_TEST
 
 	  If unsure, say N.
 
+source "security/rust_lsm/Kconfig"
+
 source "security/Kconfig.hardening"
 
 endmenu
diff --git a/security/Makefile b/security/Makefile
index 4601230ba442..f04f10a1592f 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -26,6 +26,7 @@ obj-$(CONFIG_CGROUPS)			+= device_cgroup.o
 obj-$(CONFIG_BPF_LSM)			+= bpf/
 obj-$(CONFIG_SECURITY_LANDLOCK)		+= landlock/
 obj-$(CONFIG_SECURITY_IPE)		+= ipe/
+obj-$(CONFIG_SECURITY_RUST_LSM)		+= rust_lsm/
 
 # Object integrity file lists
 obj-$(CONFIG_INTEGRITY)			+= integrity/
diff --git a/security/rust_lsm/Kconfig b/security/rust_lsm/Kconfig
new file mode 100644
index 000000000000..e2c3c45b9f7f
--- /dev/null
+++ b/security/rust_lsm/Kconfig
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: GPL-2.0
+config SECURITY_RUST_LSM
+	bool "Rust LSM sample"
+	depends on SECURITY && RUST
+	help
+	  A minimal Linux Security Module written in Rust that demonstrates
+	  the kernel::lsm abstractions.  It logs file_open, task_alloc, and
+	  task_free events via pr_info().
+
+	  This module serves as a reference implementation and compile-test
+	  vehicle for the Rust LSM abstraction layer.  It imposes no policy
+	  — all hook implementations return 0 (allow) after logging.
+
+	  If unsure, say N.
diff --git a/security/rust_lsm/Makefile b/security/rust_lsm/Makefile
new file mode 100644
index 000000000000..26a2319da08e
--- /dev/null
+++ b/security/rust_lsm/Makefile
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: GPL-2.0
+obj-$(CONFIG_SECURITY_RUST_LSM) += rust_lsm.o
diff --git a/security/rust_lsm/rust_lsm.rs b/security/rust_lsm/rust_lsm.rs
new file mode 100644
index 000000000000..3afba383ef65
--- /dev/null
+++ b/security/rust_lsm/rust_lsm.rs
@@ -0,0 +1,66 @@
+// SPDX-License-Identifier: GPL-2.0
+
+//! Rust LSM sample — reference implementation of the kernel::lsm abstractions.
+//!
+//! This module demonstrates how a Linux Security Module is written in Rust.
+//! It registers three hooks (file_open, task_alloc, task_free), logs each
+//! invocation via pr_info!(), and allows every operation.
+//!
+//! It is not a policy module — it enforces nothing.  Its purpose is to:
+//!
+//! 1. Serve as a compile-test vehicle for the kernel::lsm abstraction layer.
+//! 2. Demonstrate the API surface that upstream-bound LSMs should target.
+//! 3. Provide a boot-test reference: if the kernel boots with this LSM
+//!    enabled and /sys/kernel/security/lsm lists "rust_lsm_sample", the
+//!    hook registration machinery is working end-to-end.
+//!
+//! Assisted-by: Claude:claude-sonnet-4-6
+
+// The build system injects #![no_std] for all kernel Rust objects; do not repeat it.
+
+// Required by pr_info! and other kernel logging macros.
+const __LOG_PREFIX: &[u8] = b"rust_lsm_sample\0";
+
+use kernel::bindings;
+use kernel::lsm;
+use kernel::prelude::*;
+
+/// The Rust LSM sample implementation.
+struct RustLsmSample;
+
+impl lsm::Hooks for RustLsmSample {
+    fn file_open(file: &kernel::fs::File) -> Result {
+        pr_info!("rust_lsm: file_open flags={:#x}\n", file.flags());
+        Ok(())
+    }
+
+    fn task_alloc(task: &kernel::task::Task, clone_flags: u64) -> Result {
+        pr_info!(
+            "rust_lsm: task_alloc pid={} clone_flags={:#x}\n",
+            task.pid(),
+            clone_flags
+        );
+        Ok(())
+    }
+
+    fn task_free(task: &kernel::task::Task) {
+        pr_info!("rust_lsm: task_free pid={}\n", task.pid());
+    }
+}
+
+// Register RustLsmSample with the kernel LSM framework.
+//
+// This macro generates:
+//   - A static `lsm_id` identifying this module as "rust_lsm_sample".
+//   - A static `security_hook_list[3]` array (filled by C shims via LSM_HOOK_INIT).
+//   - An `unsafe extern "C"` init function that calls security_add_hooks().
+//   - A static `lsm_info` in the `.lsm_info.init` ELF section so that
+//     security_init() discovers and calls the init function at boot.
+//
+// LSM_ID_UNDEF is used during development.  A permanent LSM_ID_* value from
+// include/uapi/linux/lsm.h will be requested as part of the upstream patch series.
+kernel::define_lsm!(
+    RustLsmSample,
+    "rust_lsm_sample\0",
+    bindings::LSM_ID_UNDEF as u64
+);
-- 
2.53.0

More information about the Linux-security-module-archive mailing list