Your Location is: Home > Linux-kernel

Dynamically loadable Linux security modules

From: Lesotho View: 1523 Melab 


I have seen many articles on LWN about allowing for dynamically loadable Linux security modules (LSM), but it is impossible to find concrete information on how it can be done. The LSM hooks (I don't know if this is the right term) aren't exported in the kernel anymore, but their addresses can be retrieved with kallsyms_lookup_name and then assigned to function declarations.

There are some mentions of LSM hooks not being unloadable, but is this true? What does it even mean? If a Linux loadable kernel module registers some hooks, is it unable to unregister them later? Why is this case? Is there a workaround or a way to force them to unload?

Do dynamically loadable LSMs have to be written differently than built-in LSMs? Or do both use the same conventions and interfaces?

Best answer