BPF LSM
What is BPF LSM?
BPF LSM: A Linux Security Module that lets verified eBPF programs attach to LSM hooks and enforce custom Mandatory Access Control decisions on syscalls, files, sockets, and capabilities.
BPF LSM (BPF Linux Security Module) was merged in Linux 5.7 (2020) by KP Singh and others at Google. The Linux Security Module framework defines hundreds of security hooks across the kernel (inode_permission, socket_connect, bprm_check, file_open, capable, etc.) that traditional LSMs such as SELinux, AppArmor, Smack, and Tomoyo plug into. BPF LSM lets verified eBPF programs attach to those same hooks at runtime, so operators can ship policy as compiled bytecode rather than patching the kernel. Tools such as Cilium Tetragon, KubeArmor, and bpfd use BPF LSM to enforce MAC controls — for example denying execve of /tmp binaries inside a container or blocking ptrace on a sensitive process — while remaining hot-loadable and cgroup-aware. It complements rather than replaces SELinux and AppArmor.
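As an added example that is not code from this page or from any of the tools it names: a minimal BPF LSM program in the libbpf style that denies execve of anything under /tmp/ through the bprm_check_security hook. It assumes vmlinux.h and the libbpf headers are available on the build host; the policy helper is kept outside the BPF-only section so the same decision logic can be unit-tested with an ordinary host compiler.

```c
/* Deny execve() of any binary under /tmp/ via the bprm_check_security LSM hook.
 * Kernel object: clang -O2 -g -target bpf -c deny_tmp_exec.bpf.c
 * The helper below is plain C and also compiles/tests on the host. */
#define DENY_PREFIX "/tmp/"
#define DENY_PREFIX_LEN (sizeof(DENY_PREFIX) - 1)

/* Returns 1 if path starts with DENY_PREFIX, else 0. The loop has a fixed
 * trip count so the BPF verifier can prove it terminates, and it stops at
 * the first mismatch, so it never reads past a short path's NUL. */
static inline int under_deny_prefix(const char *path)
{
    const char prefix[] = DENY_PREFIX;
    unsigned int i;

    for (i = 0; i < DENY_PREFIX_LEN; i++)
        if (path[i] != prefix[i])
            return 0;
    return 1;
}

#ifdef __bpf__ /* clang defines this when targeting BPF; skipped on the host */
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>
#include <errno.h>

char LICENSE[] SEC("license") = "GPL";

/* The trailing 'ret' argument carries the verdict of LSM programs that ran
 * on this hook before us; a non-zero verdict must be passed through. */
SEC("lsm/bprm_check_security")
int BPF_PROG(deny_tmp_exec, struct linux_binprm *bprm, int ret)
{
    char path[DENY_PREFIX_LEN + 1];

    if (ret)
        return ret;

    /* bprm->filename is a kernel char *; copy only enough bytes to test the prefix. */
    if (bpf_probe_read_kernel_str(path, sizeof(path),
                                  BPF_CORE_READ(bprm, filename)) < 0)
        return 0; /* unreadable name: fail open here; return -EPERM to fail closed */

    return under_deny_prefix(path) ? -EPERM : 0; /* negative errno denies the exec */
}
#endif
```

The program only attaches on a kernel booted with bpf in its lsm= list (check /sys/kernel/security/lsm), and it is loaded and attached from user space with a libbpf loader such as a generated skeleton.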
● Examples
- 01: Loading a BPF LSM program via KubeArmor that denies execve of any binary not in /usr/bin inside a Kubernetes pod.
- 02: Using Tetragon to drop a ptrace attempt against a hardened process through the bpf/security_ptrace_access_check hook.
● Frequently asked questions
What is BPF LSM?
A Linux Security Module that lets verified eBPF programs attach to LSM hooks and enforce custom Mandatory Access Control decisions on syscalls, files, sockets, and capabilities. It belongs to the Identity & Access category of cybersecurity.
How do you defend against BPF LSM?
BPF LSM is itself a defensive control rather than an attack technique; deploying it well combines the technical controls and operational practices described in the full definition above.
What are other names for BPF LSM?
Common alternative names include: LSM BPF, eBPF LSM.
● Related terms
- eBPF Security (defense-ops № 367): The use of extended Berkeley Packet Filter (eBPF) programs running in the Linux kernel to provide deep observability and policy enforcement for processes, networking, and syscalls.
- Linux Capabilities (identity-access № 615): A Linux kernel feature defined by the POSIX.1e draft that splits the all-powerful root privilege into 40-plus discrete capabilities granted independently to processes and files.
- Kernel Mode vs User Mode (identity-access № 585): The two CPU privilege levels enforced by modern operating systems — kernel mode (supervisor, ring 0) with full hardware access and user mode (ring 3) restricted to its own address space and limited instructions.
- SELinux (cryptography № 1006): Security-Enhanced Linux, an NSA-developed mandatory access control framework implemented via the Linux Security Module hooks and a type-enforcement policy.
- AppArmor (cryptography № 053): A path-based mandatory access control system for Linux, used by Ubuntu and SUSE as a simpler alternative to SELinux for confining individual programs.
- Kubernetes Security (cloud-security № 600): The protection of a Kubernetes cluster — its API server, control plane, nodes, workloads, and network — from misconfiguration, compromise, and lateral movement.