Linux Security Modules

From Wikipedia, the free encyclopedia
Framework to support computer security models

Linux Security Modules (LSM) is a framework allowing the Linux kernel to support, without bias, a variety of computer security models. LSM is licensed under the terms of the GNU General Public License and has been a standard part of the Linux kernel since Linux 2.6. As of 2025, AppArmor, LoadPin, SELinux, Smack, TOMOYO, Yama, SafeSetID, Integrity Policy Enforcement (IPE), and Landlock are the currently approved security modules in the official kernel.[1][2]

Design


LSM was designed to answer all the requirements for successfully implementing a mandatory access control module, while imposing the fewest possible changes to the Linux kernel. LSM avoids the approach of system call interposition used by Systrace because it doesn't scale to multiprocessor kernels and is subject to TOCTTOU (race) attacks. Instead, LSM inserts "hooks" (upcalls to the module) at every point in the kernel where a user-level system call is about to result in access to an important internal kernel object such as inodes and process control blocks.
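The difference between the two designs can be seen in a small user-space model. This is an added example, not kernel code and not part of the original article; the path names, `run_case` and the other identifiers are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy model, not kernel code: two objects and their path names. */
struct inode { int ino; int secret; };
static struct inode inodes[] = { {1, 0}, {2, 1} };
static const char *names[] = { "/data/public", "/data/secret" };

static struct inode *resolve(const char *path) {
    for (int i = 0; i < 2; i++)
        if (strcmp(path, names[i]) == 0) return &inodes[i];
    return NULL;
}
/* Policy: the confined task may not open objects marked secret. */
static int allowed(const struct inode *in) { return in && !in->secret; }

/* Stands in for another thread of the caller rewriting the argument buffer. */
typedef void (*racer_fn)(char *user_buf);
static void rewrite_arg(char *user_buf) { strcpy(user_buf, "/data/secret"); }

/* Interposition: the monitor vets the user-space argument, then the kernel
 * fetches that argument again when it performs the call. */
static int open_interposed(char *user_buf, racer_fn racer) {
    if (!allowed(resolve(user_buf))) return -1;   /* time of check */
    if (racer) racer(user_buf);                   /* window between the two */
    struct inode *in = resolve(user_buf);         /* time of use */
    return in ? in->ino : -1;
}

/* Hook style: one copy into kernel memory, one resolution, and the decision
 * is made on the object the kernel is about to use. */
static int open_hooked(char *user_buf, racer_fn racer) {
    char kbuf[64];
    snprintf(kbuf, sizeof kbuf, "%s", user_buf);
    if (racer) racer(user_buf);                   /* no longer matters */
    struct inode *in = resolve(kbuf);
    return allowed(in) ? in->ino : -1;            /* hook on the inode */
}

/* Returns the inode number opened, or -1 if the policy denied the call. */
int run_case(int hooked, int race, const char *start) {
    char user_buf[64];
    snprintf(user_buf, sizeof user_buf, "%s", start);
    racer_fn r = race ? rewrite_arg : NULL;
    return hooked ? open_hooked(user_buf, r) : open_interposed(user_buf, r);
}

int main(void) {
    printf("interposed, raced: %d\n", run_case(0, 1, "/data/public"));
    printf("hooked, raced:     %d\n", run_case(1, 1, "/data/public"));
    return 0;
}
```

In the interposed case the policy approves one object and the call acts on another; in the hooked case the object that is checked is the object that is used.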

LSM is narrowly scoped to solve the problem of access control, while not imposing a large and complex change-patch on the mainstream kernel. It isn't intended to be a general "hook" or "upcall" mechanism, nor does it support operating system-level virtualization.

LSM's access-control goal is very closely related to the problem of system auditing, but is subtly different. Auditing requires that every attempt at access be recorded. LSM cannot deliver this, because it would require a great many more hooks in order to detect cases where the kernel "short circuits" failing system calls and returns an error code before getting near significant objects.

The LSM design is described in the paper Linux Security Modules: General Security Support for the Linux Kernel[3] presented at USENIX Security 2002.[4] At the same conference was the paper Using CQUAL for Static Analysis of Authorization Hook Placement[5], which studied automatic static analysis of the kernel code to verify that all of the necessary hooks have actually been inserted into the Linux kernel.

Adoption


History


At the 2001 Linux Kernel Summit, the NSA proposed that SELinux be included in Linux 2.5.[12] Linus Torvalds rejected SELinux at that time, because he observed that there are many different security projects in development, and since they all differ, the security community has not yet formed consensus on the ultimate security model. Instead, Linus charged the security community to "make it a module".

In response, Crispin Cowan proposed[13] LSM: an interface for the Linux kernel that provides sufficient "hooks" (upcalls) from within the Linux kernel to a loadable module so as to allow the module to enforce mandatory access controls. Development of LSM over the next two years was conducted by the LSM community, including substantial contributions from the Immunix Corporation, the NSA, McAfee, IBM, Silicon Graphics, and many independent contributors. LSM was ultimately accepted into the Linux kernel mainstream and was included as a standard part of Linux 2.6 in December 2003.

In 2006, some kernel developers observed that SELinux was the only widely used LSM module included in the mainstream Linux kernel source tree. If there is to be only one widely used LSM module, it was reasoned, then the indirection of LSM is unnecessary, and LSM should be removed and replaced with SELinux itself. However, there are other LSM modules maintained outside of the mainstream kernel tree (AppArmor, Linux Intrusion Detection System, FireFlier, CIPSO, Multi ADM, etc.), so this argument led to two results: (1) developers of these modules started putting effort into upstreaming their respective modules, and (2) at the 2006 Kernel Summit, Linus once again asserted that LSM would stay because he does not want to arbitrate which is the best security model.

LSM is likely to remain since additional security modules Smack (version 2.6.25), TOMOYO Linux (version 2.6.30, June 2009) and AppArmor (version 2.6.36) were accepted in the mainline kernel.

References

  1. "Linux Security Module Usage". The Linux Kernel documentation.
  2. "/security - Linux kernel source code". GitHub.
  3. "Linux Security Modules: General Security Support for the Linux Kernel". 2002. Retrieved 2007-02-03.
  4. "11th USENIX Security Symposium". 2002. Retrieved 2007-02-03.
  5. "Using CQUAL for Static Analysis of Authorization Hook Placement". 2002. Retrieved 2007-02-03.
  6. "Integrity Policy Enforcement (IPE)". The Linux Kernel documentation.
  7. Landlock: unprivileged access control.
  8. "Landlock LSM: kernel documentation". The Linux Kernel documentation. March 2025.
  9. "LoadPin". The Linux Kernel documentation.
  10. "SafeSetID". The Linux Kernel documentation.
  11. "Yama". The Linux Kernel documentation.
  12. Stephen Smalley; Timothy Fraser; Chris Vance. "Linux Security Modules: General Security Hooks for Linux". Archived from the original on 2016-03-04. Retrieved 2015-10-26.
  13. Crispin Cowan (2001-04-11). "Linux Security Module Interface". linux-kernel mailing list. Retrieved 2007-02-03.
