========================================================
Linux Security Modules: General Security Hooks for Linux
========================================================

:Author: Stephen Smalley
:Author: Timothy Fraser
:Author: Chris Vance

.. note::

   The APIs described in this book are outdated.

Introduction
============

In March 2001, the National Security Agency (NSA) gave a presentation
about Security-Enhanced Linux (SELinux) at the 2.5 Linux Kernel Summit.
SELinux is an implementation of flexible and fine-grained
nondiscretionary access controls in the Linux kernel, originally
implemented as its own particular kernel patch. Several other security
projects (e.g. RSBAC, Medusa) have also developed flexible access
control architectures for the Linux kernel, and various projects have
developed particular access control models for Linux (e.g. LIDS, DTE,
SubDomain). Each project has developed and maintained its own kernel
patch to support its security needs.

In response to the NSA presentation, Linus Torvalds made a set of
remarks that described a security framework he would be willing to
consider for inclusion in the mainstream Linux kernel. He described a
general framework that would provide a set of security hooks to control
operations on kernel objects and a set of opaque security fields in
kernel data structures for maintaining security attributes. This
framework could then be used by loadable kernel modules to implement any
desired model of security. Linus also suggested the possibility of
migrating the Linux capabilities code into such a module.

The Linux Security Modules (LSM) project was started by WireX to develop
such a framework. LSM was a joint development effort by several security
projects, including Immunix, SELinux, SGI and Janus, and several
individuals, including Greg Kroah-Hartman and James Morris, to develop a
Linux kernel patch that implements this framework. The work was
incorporated in the mainstream in December of 2003. This technical
report provides an overview of the framework and the capabilities
security module.

LSM Framework
=============

The LSM framework provides a general kernel framework to support
security modules. In particular, the LSM framework is primarily focused
on supporting access control modules, although future development is
likely to address other security needs such as sandboxing. By itself,
the framework does not provide any additional security; it merely
provides the infrastructure to support security modules. The LSM
framework is optional, requiring `CONFIG_SECURITY` to be enabled. The
capabilities logic is implemented as a security module.
This capabilities module is discussed further in
`LSM Capabilities Module`_.

The LSM framework includes security fields in kernel data structures and
calls to hook functions at critical points in the kernel code to
manage the security fields and to perform access control.
It also adds functions for registering security modules.
An interface `/sys/kernel/security/lsm` reports a comma separated list
of security modules that are active on the system.

The LSM security fields are simply ``void*`` pointers.
The data is referred to as a blob, which may be managed by
the framework or by the individual security modules that use it.
Security blobs that are used by more than one security module are
typically managed by the framework.
For process and
program execution security information, security fields are included in
:c:type:`struct task_struct <task_struct>` and
:c:type:`struct cred <cred>`.
For filesystem
security information, a security field is included in :c:type:`struct
super_block <super_block>`. For pipe, file, and socket security
information, security fields are included in :c:type:`struct inode
<inode>` and :c:type:`struct file <file>`.
For System V IPC security information,
security fields were added to :c:type:`struct kern_ipc_perm
<kern_ipc_perm>` and :c:type:`struct msg_msg
<msg_msg>`; additionally, the definitions for :c:type:`struct msg_msg
<msg_msg>`, struct msg_queue, and struct shmid_kernel were moved to
header files (``include/linux/msg.h`` and ``include/linux/shm.h`` as
appropriate) to allow the security modules to use these definitions.

For packet and
network device security information, security fields were added to
:c:type:`struct sk_buff <sk_buff>` and
:c:type:`struct scm_cookie <scm_cookie>`.
Unlike the other security module data, the data used here is a
32-bit integer. The security modules are required to map or otherwise
associate these values with real security attributes.

LSM hooks are maintained in lists. A list is maintained for each
hook, and the hooks are called in the order specified by CONFIG_LSM.
Detailed documentation for each hook is
included in the `security/security.c` source file.

The LSM framework provides for a close approximation of
general security module stacking. It defines
security_add_hooks() to which each security module passes a
:c:type:`struct security_hooks_list <security_hooks_list>`,
which are added to the lists.
The LSM framework does not provide a mechanism for removing hooks that
have been registered. The SELinux security module has implemented
a way to remove itself, however the feature has been deprecated.

The hooks can be viewed as falling into two major
categories: hooks that are used to manage the security fields and hooks
that are used to perform access control. Examples of the first category
of hooks include the security_inode_alloc() and security_inode_free().
These hooks are used to allocate
and free security structures for inode objects.
An example of the second category of hooks
is the security_inode_permission() hook.
This hook checks permission when accessing an inode.

LSM Capabilities Module
=======================

The POSIX.1e capabilities logic is maintained as a security module
stored in the file ``security/commoncap.c``. The capabilities
module uses the order field of the :c:type:`lsm_info` description
to identify it as the first security module to be registered.
The capabilities security module does not use the general security
blobs, unlike other modules. The reasons are historical and are
based on overhead, complexity and performance concerns.
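The per-hook lists, registration through security_add_hooks(), and the two hook categories described in the LSM Framework section, shown as a userspace C model added here (not kernel code and not part of the original document). The names ``model_add_hooks``, ``call_hook``, ``ro_model`` and ``label_model`` are hypothetical, every hook shares one simplified signature, and stopping at the first nonzero return mirrors how the kernel treats integer-returning hooks.

```c
/* Userspace model of LSM hook lists: an added illustration, not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
enum { MAY_WRITE = 2, MAY_READ = 4, MAX_PER_HOOK = 8 };
enum hook_id { INODE_ALLOC, INODE_FREE, INODE_PERMISSION, NHOOKS };
struct inode { int immutable; void *i_security; }; /* opaque security field */
typedef int (*hook_fn)(struct inode *inode, int arg); /* simplified signature */
struct hook_entry { enum hook_id id; hook_fn fn; const char *lsm; };
static struct hook_entry *hook_lists[NHOOKS][MAX_PER_HOOK]; /* one list per hook */
static int hook_count[NHOOKS];
static const char *last_denier; /* module whose hook last returned nonzero */

/* Models security_add_hooks(): append to each hook's list; nothing is removed. */
static void model_add_hooks(struct hook_entry *hooks, int count, const char *lsm)
{
    for (int i = 0; i < count; i++) {
        enum hook_id id = hooks[i].id;
        hooks[i].lsm = lsm;
        if (hook_count[id] < MAX_PER_HOOK)
            hook_lists[id][hook_count[id]++] = &hooks[i];
    }
}

/* Walk one hook's list in registration order; the first nonzero result wins. */
static int call_hook(enum hook_id id, struct inode *inode, int arg)
{
    for (int i = 0; i < hook_count[id]; i++) {
        int rc = hook_lists[id][i]->fn(inode, arg);
        if (rc) { last_denier = hook_lists[id][i]->lsm; return rc; }
    }
    return 0;
}

/* ro_model (hypothetical): keeps no blob, registers one access control hook. */
static int ro_permission(struct inode *inode, int mask)
{ return (inode->immutable && (mask & MAY_WRITE)) ? -EPERM : 0; }
static struct hook_entry ro_hooks[] = { { INODE_PERMISSION, ro_permission, NULL } };

/* label_model (hypothetical): manages its own blob behind i_security. */
static int subject_level = 1; /* constructed clearance of the caller */
static int label_alloc(struct inode *inode, int level)
{
    int *blob = malloc(sizeof(*blob));
    if (blob) { *blob = level; inode->i_security = blob; }
    return blob ? 0 : -ENOMEM;
}
static int label_free(struct inode *inode, int unused)
{ (void)unused; free(inode->i_security); inode->i_security = NULL; return 0; }
static int label_permission(struct inode *inode, int mask)
{ int *b = inode->i_security; (void)mask; return (b && *b > subject_level) ? -EACCES : 0; }
static struct hook_entry label_hooks[] = { { INODE_ALLOC, label_alloc, NULL },
    { INODE_FREE, label_free, NULL }, { INODE_PERMISSION, label_permission, NULL } };

static void model_init(void) /* registration order is call order */
{ model_add_hooks(ro_hooks, 1, "ro_model"); model_add_hooks(label_hooks, 3, "label_model"); }

int main(void)
{
    struct inode ino = { 1, NULL }; /* constructed immutable inode */
    model_init();
    call_hook(INODE_ALLOC, &ino, 5); /* label_model tags it level 5 */
    int w = call_hook(INODE_PERMISSION, &ino, MAY_WRITE);
    printf("write: %d from %s\n", w, last_denier);
    return call_hook(INODE_FREE, &ino, 0);
}
```

Because ``ro_model`` registers first, a write to the immutable inode is refused by it before ``label_model`` is consulted; a read passes ``ro_model`` and is then decided by the label blob.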