LSM

Overview

Linux Security Modules (LSM) provide mandatory access control policies. Containers rely on LSMs to confine processes beyond UNIX permissions.

Common LSMs

Linux/Security/AppArmor: path-based profiles, common in Ubuntu. Linux/Security/SELinux: label-based MAC, common in RHEL/Fedora (also used on Android).

What LSMs Control

File access (read/write/execute). Process interactions (ptrace, signal). Network operations and capabilities.

Container Notes

Runtimes load per-container profiles (e.g., docker-default for AppArmor). LSMs can block actions even if namespaces/capabilities allow them.

Related

• Linux/Containerization
• Linux/Permissions