You know, dealing with Linux security can be a real headache. System administrators and developers often struggle to understand the specific security policies applied to running processes. That’s where Linux Security Modules (LSM) come in.

LSM is the framework that makes it all possible, with popular implementations like AppArmor and SELinux.

This article is here to help. I’ll walk you through using the lsm utility to list security modules and, more importantly, inspect the security context of processes and their children. By the end, you’ll be able to check which security policies are active and how they are inherited by child processes.

Trust me, it’s simpler than you think.

What Exactly Are Linux Security Modules (LSM)?

Linux Security Modules, or LSMs, are a framework built into the Linux kernel. They let different security models be plugged in to enforce access control policies.

The core purpose of LSMs is to go beyond the traditional user/group/other permission model. They provide mandatory access control (MAC), which adds an extra layer of security.

• SELinux (used in RHEL/CentOS): Uses a label-based approach.
• AppArmor (used in Ubuntu/Debian): Uses a path-based approach.

Think of standard permissions as a house key. LSMs, on the other hand, are like a security guard who checks your ID and purpose in every single room. This ensures that only authorized actions are allowed, even if you have the key.

You don’t usually choose an LSM; it’s typically determined by your Linux distribution. But you can use the lsm tool to interact with whichever one is active. For example, running lsm ls child will show you the active LSMs and their configurations.

This setup helps in maintaining a secure environment, especially in complex systems where traditional permissions might not be enough.

Using the lsm ls Command to See What’s Active

First, let’s check if the lsm utility is installed. You can do this by running which lsm or lsm --version. If it’s not installed, you can get it with sudo apt-get install lsm-tools.

Now, let’s dive into the basic command: lsm ls --long or lsm ls -l.

Here’s a sample output:

Name       State  Type      Audit
selinux    active exclusive no
apparmor   active stackable yes
cap        active stackable no

The output table has four columns, and each one tells you something important.

• Name: This is the module. For example, selinux, apparmor, and cap.
• State: This shows whether the module is active or inactive.
• Type: Modules can be either exclusive or stackable.
• Audit: This indicates if the module is being audited.

Exclusive modules, like SELinux, mean only one can be active at a time. Stackable modules, such as capabilities, can run alongside others.

Understanding the difference is key. Exclusive modules are like having one security guard on duty; stackable ones are like having multiple guards working together. Etrsnft

Pro tip: Running lsm ls is the first step in any security audit. It helps you confirm which MAC system you’re actually working with on a given server.

Using lsm ls child can give you more detailed information about specific modules. This is especially useful when you need to dig deeper into the configuration.

Inspecting Process and Child Security Attributes

When you type lsm ls child, you might expect a specific subcommand, but it doesn’t exist. Instead, the idea is to inspect a parent process and then its child processes to see how security contexts are inherited.

To inspect a specific process by its Process ID (PID), use the command lsm ls -p <PID>. This shows the security context or ‘label’ assigned to that process by the active Linux Security Module (LSM).

Security context inheritance is a key concept. When a process (parent) forks a new process (child), the child typically inherits the parent’s security context. However, specific policies can dictate a context transition.

1. A web server process runs under the httpd_t context in SELinux.
2. The web server spawns a script.
3. Does the script run as httpd_t or transition to httpd_sys_script_t?

This is the core question to answer when understanding security contexts.

To find child processes of a parent PID, use commands like pstree -p <PID> or ps -o pid,ppid,cmd --forest. These commands help visualize the process tree and set up the next section’s examples.

Why is this critical for security? A compromised parent process could lead to malicious child processes. Understanding their security context helps limit the potential damage.

For instance, if a web server is compromised, knowing the child processes’ contexts can help contain the breach and prevent further exploitation.

Putting It All Together: A Real-World Example

Let’s walk through a complete, practical example. Start by identifying the PID of a common service, like sshd.

Use ps aux | grep sshd to find the main sshd daemon’s PID.

Once you have the PID, use lsm ls -p <sshd_PID> to display its security context. The output might look something like this:

system_u:system_r:sshd_t:s0

Next, simulate a user logging in, which creates a child process of the sshd daemon. Use pstree -p <sshd_PID> to find the PID of this new child process.

With the child process PID, use lsm ls -p to inspect the child’s security context. Compare it to the parent’s. You might notice that the child’s context is different, indicating a transition rather than direct inheritance.