Skip to content

A place to store my toy linux-security modules.

Notifications You must be signed in to change notification settings


Folders and files

Last commit message
Last commit date

Latest commit



53 Commits

Repository files navigation

Linux Security Modules

This repository contains a small collection of linux security modules, which were written as a part of a learning/experimentation process.

The code present has been compiled and tested against the most recent long-term kernel, at the time of writing that is 5.10.17.

If you want to port this code to a newer kernel, in the future, then the following bug-report is a good overview of how I approach things:

Included Modules

There are three modules contained within this repository, two of which are simple tests and one of which is more "real".

The only real/useful module is:

  • can-exec
    • The user-space helper /sbin/can-exec is invoked to determine whether a user can execute a specific command.
    • Because user-space controls execution policies can be written/updated dynamically.

The following two modules were written as I started the learning-process, and demonstrate creating simple standalone modules, albeit ones which do not actually provide any significant security benefit:

  • whitelist
    • Only allow execution of binaries which have a specific xattr present.
  • hashcheck
    • Only allow execution of commands with xattr containing valid SHA1sum of binaries.
    • This builds upon the previous module.


Copy the contents of security/ into your local Kernel-tree, and run make menuconfig to enable the appropriate options.

Further notes are available within the appropriate module subdirectories.

For a Debian GNU/Linux host, these are the kernel build-dependencies you'll need to install, if they're not already present:

  # apt-get install flex bison bc libelf-dev libssl-dev \
                    build-essential make libncurses5-dev \

Tracking Kernel Changes

As new kernels are released it is possible the two files security/Kconfig & security/Makefile might need resyncing with the base versions installed with the Linux source-tree.

You should be able to update them just by running diff and copying any lines referring to the modules CAN_EXEC, HASH_CHECK, & WHITELIST into place.