The Linux Security Module (LSM) lets us extend Linux with additional access control through modules such as SELinux, LIDS, Smack, and AppArmor. It is loadable and decouples enforcement from policy.
The LSM has *opaque function pointers*, which are hooks that invoke loadable module functions at appropriate locations (like subject/object creation).
### Access control - LSM Hook
- Perform the basic [[Authorization#Discretionary access control|DAC]] permission check.
- If denied, return the error result.
- Else, check whether a security operations module is loaded.
- If loaded, transfer control to the security module through the associated function pointer.
- Else, return the last result.
![[attachments/Screenshot 2023-06-27 at 5.39.31 PM.png]]
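The hook flow listed above, as an added user-space sketch in C (not kernel code and not part of the original notes). The structures, the label-matching policy and the `load_toy_module`/`unload_toy_module` helpers are simplified assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Simplified model: real kernel structures are far richer (assumption). */
struct subject { unsigned uid; const char *label; };
struct object  { unsigned owner; unsigned mode; const char *label; };
#define MAY_READ 4

/* Hook table: the function pointer is filled in by a loaded module. */
struct security_operations {
    int (*inode_permission)(const struct subject *, const struct object *, int);
};
static struct security_operations *security_ops; /* NULL: no module loaded */

/* Basic DAC check: owner bits if the uid matches, otherwise "other" bits. */
static int dac_permission(const struct subject *s, const struct object *o, int mask)
{
    unsigned bits = (s->uid == o->owner) ? (o->mode >> 6) & 7 : o->mode & 7;
    return ((bits & mask) == (unsigned)mask) ? 0 : -EACCES;
}

/* The hook flow from the list: DAC first, then the module if one is loaded. */
int permission(const struct subject *s, const struct object *o, int mask)
{
    int ret = dac_permission(s, o, mask);
    if (ret)
        return ret;                       /* DAC denied: return the error */
    if (security_ops && security_ops->inode_permission)
        return security_ops->inode_permission(s, o, mask); /* module decides */
    return ret;                           /* no module: last (DAC) result */
}

/* Hypothetical module policy: subject and object labels must match. */
static int toy_inode_permission(const struct subject *s, const struct object *o, int mask)
{
    (void)mask;
    return strcmp(s->label, o->label) == 0 ? 0 : -EACCES;
}
static struct security_operations toy_ops = { .inode_permission = toy_inode_permission };

void load_toy_module(void)   { security_ops = &toy_ops; }
void unload_toy_module(void) { security_ops = NULL; }

int main(void)
{
    struct subject web = { 1000, "web_t" };              /* constructed sample */
    struct object secret = { 1000, 0600, "secret_t" };   /* constructed sample */
    int before = permission(&web, &secret, MAY_READ);    /* DAC only */
    load_toy_module();
    int after = permission(&web, &secret, MAY_READ);     /* DAC, then hook */
    return (before == 0 && after == -EACCES) ? 0 : 1;
}
```

Because the module is consulted only after DAC has already allowed the request, in this flow it can turn an allow into a deny but never reach a request DAC rejected.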
### Access control - DAC & LSM
![[attachments/6E652927-20FC-4CE1-BA89-4593ED6D5F03.jpeg]]