Home

Solar1s edited this page May 7, 2026 · 4 revisions
Scriptable operating systems with Lua.
Lua-LSM implements Linux Security Module (LSM) hooks that dispatch to policy code running in an embedded Lua VM, so you can ship, load, and update security policy at runtime through securityfs.
```lua
-- Lua-LSM banner
local logo = [==[
__ __ ____
/\ \ /\ \ /\ _`\ /'\_/`\
\ \ \ __ __ __ \ \ \ \ \,\L\_\/\ \
\ \ \ __/\ \/\ \ /'__`\ _______\ \ \ __\/_\__ \\ \ \__\ \
\ \ \L\ \ \ \_\ \/\ \L\.\_/\______\\ \ \L\ \ /\ \L\ \ \ \_/\ \
\ \____/\ \____/\ \__/\.\_\/______/ \ \____/ \ `\____\ \_\\ \_\
\/___/ \/___/ \/__/\/_/ \/___/ \/_____/\/_/ \/_/
]==]
```

Getting started:

- Enable the kernel config options:

  ```
  CONFIG_LUA=y
  CONFIG_SECURITY_LUA_LSM=y
  ```

- Optional: `CONFIG_SECURITY_LUA_LSM_STATS=y` (stats) and `CONFIG_SECURITY_LUA_LSM_DEBUG=y` (debug logs); both are covered in OBSERVABILITY.md.
- Ensure `lua` is in the active LSM list (`CONFIG_LSM` at build time, or `lsm=` on the kernel command line, which overrides it). `cat /sys/kernel/security/lsm` shows the list the running kernel settled on. See `Documentation/security/lsm.rst` for details.
- Mount securityfs if it is not already mounted:

  ```sh
  mount -t securityfs securityfs /sys/kernel/security
  ```

- Load a module by writing its source to `register`:

  ```sh
  cat demo.lua > /sys/kernel/security/lua/register
  ```

- Verify and unload. `unregister` takes the module's `name` field (`demo` below), not the file name:

  ```sh
  cat /sys/kernel/security/lua/modules
  echo demo > /sys/kernel/security/lua/unregister
  ```
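The steps above as one script, added here as an example and not a tool shipped by Lua-LSM. It checks the kernel config (only when `/proc/config.gz` exists), confirms `lua` is in `/sys/kernel/security/lsm`, mounts securityfs, registers a module, and verifies it appears in `modules` before optionally unregistering it. Two assumptions are marked in the code: that `modules` prints one module per line starting with its name, and that the module's `name` field sits on its own line as in the examples on this page. The helpers that parse text take their input as arguments so they can be exercised without a kernel.

```shell
#!/bin/sh
# lua_lsm_load.sh: preflight, load, verify and unload a Lua-LSM policy module.
# Added example for this page, not a script shipped by Lua-LSM; assumptions
# about the securityfs file formats are marked below.
set -eu

SECFS=${SECFS:-/sys/kernel/security}   # securityfs mount point
LUA_DIR="$SECFS/lua"                   # register, modules and unregister live here

# --- pure helpers: take text as arguments so they can be checked without a kernel ---

# lsm_has_lua LIST: LIST is the comma-separated contents of $SECFS/lsm, the
# kernel's view of the active LSM order (CONFIG_LSM merged with lsm= from the
# command line). True if "lua" is one element.
lsm_has_lua() {
    case ",$1," in
        *,lua,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# config_enabled TEXT OPTION: TEXT is kernel .config text (for example from
# zcat /proc/config.gz); true only on an exact "OPTION=y" line.
config_enabled() {
    printf '%s\n' "$1" | grep -qx "$2=y"
}

# module_listed TEXT NAME: TEXT is the contents of $LUA_DIR/modules.
# Assumption: one module per line, each line starting with the module name.
module_listed() {
    printf '%s\n' "$1" | grep -qE "^$2([[:space:]]|$)"
}

# module_name TEXT: the name field of a module source, e.g. `name = "demo",`.
# Assumption: the field sits on its own line, as in the examples on this page.
module_name() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*name[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# --- kernel-facing steps ---

mount_securityfs() {
    grep -q " $SECFS securityfs " /proc/mounts ||
        mount -t securityfs securityfs "$SECFS"
}

preflight() {
    # /proc/config.gz exists only with CONFIG_IKCONFIG_PROC, so this check is best effort.
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
        for opt in CONFIG_LUA CONFIG_SECURITY_LUA_LSM; do
            config_enabled "$cfg" "$opt" || { echo "kernel built without $opt=y" >&2; return 1; }
        done
    fi
    lsm_has_lua "$(cat "$SECFS/lsm")" ||
        { echo "lua is not in the active LSM list; fix CONFIG_LSM or pass lsm= on the command line" >&2; return 1; }
}

load_module() {   # load_module FILE
    name=$(module_name "$(cat "$1")")
    [ -n "$name" ] || { echo "$1 has no name field" >&2; return 1; }
    if ! cat "$1" > "$LUA_DIR/register"; then
        echo "register rejected $1 (see OBSERVABILITY.md for debug output)" >&2; return 1
    fi
    module_listed "$(cat "$LUA_DIR/modules")" "$name" ||
        { echo "$name is not listed after register" >&2; return 1; }
    echo "loaded $name"
}

unload_module() { # unload_module NAME
    echo "$1" > "$LUA_DIR/unregister"
    if module_listed "$(cat "$LUA_DIR/modules")" "$1"; then
        echo "$1 is still listed after unregister" >&2; return 1
    fi
    echo "unloaded $1"
}

# Usage: lua_lsm_load.sh MODULE.lua [--unload]
if [ "$#" -ge 1 ]; then
    mount_securityfs
    preflight
    load_module "$1"
    if [ "${2:-}" = --unload ]; then
        unload_module "$(module_name "$(cat "$1")")"
    fi
fi
```

Run it as `./lua_lsm_load.sh demo.lua` to load and verify, or add `--unload` to round-trip through `unregister` as well; it must run as root, since the securityfs files are kernel interfaces. The active-LSM check reads `/sys/kernel/security/lsm` rather than `/proc/cmdline` because that file reflects whatever `CONFIG_LSM` and `lsm=` resolved to.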
A minimal policy module that denies opens of /etc/shadow:

```lua
local errno = require("errno")

local M = {
    name = "demo",                    -- the name written to .../lua/unregister
    author = "example",
    description = "Deny reads of /etc/shadow",
    license = "GPL-2.0",
    version = 1,
}

-- file_open hook: return true to allow the open, or false plus an errno to deny it.
function M.file_open(file, cred)
    local path = file:path()
    -- path can be nil, so guard it before matching
    if path and path:match("^/etc/shadow$") then
        return false, errno.EPERM
    end
    return true
end

return M
```

Two things to keep in mind with this pattern: the check is on the path string that `file:path()` returns, so a second path to the same inode (a hard link, or the file seen through a bind mount) is not caught; and `file_open` fires for every open, so writes to /etc/shadow (for example by `passwd`) are refused as well, not only reads.

A lightweight runtime mitigation for Copy Fail (CVE-2026-31431), which refuses creation of AF_ALG sockets:

```lua
local errno = require("errno")

return {
    name = "cf",
    description = "Block AF_ALG to mitigate CVE-2026-31431",
    license = "GPL-2.0",
    version = 1,
    -- socket_create hook; the first argument is the address family
    socket_create = function(family)
        if family == 38 then       -- AF_ALG, the kernel crypto API socket family
            return false           -- deny socket creation
        end
        -- any other family: this module makes no decision (see API.md for hook return values)
    end,
}
```

Blocking the whole family also stops legitimate userspace consumers of the kernel crypto API while the module is loaded, so treat it as a stopgap until the kernel is patched.

Further reading:

- USAGE.md - build/enable and runtime management
- API.md - module format, hook returns, and core APIs
- OBSERVABILITY.md - stats, debug logs, and troubleshooting data