Linux Security Modules and the Current Threat Landscape (2025)
LINUX, CYBERSECURITY, KERNEL


Linux has become a cornerstone of modern computing across servers, desktops, containers, and even critical infrastructure. With this ubiquity comes a pressing need for strong security mechanisms.
Linux Security Modules (LSMs) are a kernel framework for enforcing security policies beyond discretionary access control (DAC). Introduced in the early 2000s, the LSM interface allows pluggable security modules to mediate operations (file access, process execution, etc.) through hooks in the kernel. This enabled the integration of Mandatory Access Control (MAC) systems such as Security-Enhanced Linux (SELinux) and others into the mainline kernel. SELinux, initially released by the U.S. NSA, was merged into Linux and quickly became a flagship LSM, supported in multiple distributions by the mid-2000s.
This research report provides an in-depth review of Linux’s security modules (both mature and experimental) and examines how they address currently popular attack vectors. We focus on the technical details of mainline LSMs (with SELinux as the prime example) as well as newer developments such as eBPF-based security. I will also survey the prevailing threats, for instance privilege escalation, unauthorized file modification, and rootkits, highlighting how Linux’s security features and recent academic research tackle these challenges. The goal is to offer a cutting-edge overview (circa late 2025) of the Linux security ecosystem, including capabilities, usage contexts (containers, desktops, critical infrastructure), and references to academic literature and CVE data to ground the discussion.
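To make the hook mechanism concrete, here is a small added model of how an LSM hook chain mediates a single operation (file open). It is illustrative code written for this page, not kernel code and not part of the report: a simplified DAC check runs first, then a type-enforcement module in the style of SELinux, and, as in the kernel's security_file_open() dispatch, the first module that returns non-zero denies the operation. The labels (httpd_t, shadow_t, httpd_sys_content_t), the single allow rule, the sample files and the AVC-style log format are all constructed for the example.

```python
"""Toy model of an LSM hook chain: a DAC check followed by a type-enforcement
MAC module, both consulted at one mediation point (file open).
Everything here is a simplified, constructed illustration, not kernel code."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

EACCES = 13  # errno a denied open surfaces as in user space


@dataclass
class Process:
    uid: int
    domain: str          # subject label, e.g. "httpd_t" (constructed, SELinux-style)


@dataclass
class File:
    path: str
    owner_uid: int
    mode: int            # POSIX permission bits, e.g. 0o640
    label: str           # object label, e.g. "shadow_t" (constructed)


Hook = Callable[[Process, File, FrozenSet[str]], int]


def dac_file_open(proc: Process, f: File, want: FrozenSet[str]) -> int:
    """Simplified discretionary check: root passes, the owner uses the 'user'
    bits, everyone else uses the 'other' bits (group class omitted)."""
    if proc.uid == 0:
        return 0
    shift = 6 if proc.uid == f.owner_uid else 0
    bits = (f.mode >> shift) & 0o7
    need = 0
    if "read" in want:
        need |= 0o4
    if "write" in want:
        need |= 0o2
    return 0 if (bits & need) == need else -EACCES


class TypeEnforcementModule:
    """MAC module in the style of SELinux type enforcement: access is allowed
    only if an explicit (domain, type) -> permissions rule exists."""

    def __init__(self, rules: Dict[Tuple[str, str], FrozenSet[str]], enforcing: bool = True):
        self.rules = rules
        self.enforcing = enforcing
        self.avc_log: List[str] = []      # audit records, like AVC denials

    def file_open(self, proc: Process, f: File, want: FrozenSet[str]) -> int:
        allowed = self.rules.get((proc.domain, f.label), frozenset())
        missing = want - allowed
        if not missing:
            return 0
        self.avc_log.append(
            f"avc: denied {{ {' '.join(sorted(missing))} }} "
            f"scontext={proc.domain} tcontext={f.label} path={f.path}")
        # Permissive mode records the denial but lets the operation proceed.
        return -EACCES if self.enforcing else 0


class HookChain:
    """Stand-in for the kernel's per-hook dispatch: every registered module is
    called in order and the first non-zero return denies the operation."""

    def __init__(self) -> None:
        self.hooks: List[Hook] = []

    def register(self, hook: Hook) -> None:
        self.hooks.append(hook)

    def file_open(self, proc: Process, f: File, want: FrozenSet[str]) -> int:
        for hook in self.hooks:
            rc = hook(proc, f, want)
            if rc != 0:
                return rc        # later modules are not consulted after a denial
        return 0


def build_chain(enforcing: bool = True) -> Tuple[HookChain, TypeEnforcementModule]:
    """Constructed policy: the web server domain may only read its own content."""
    te = TypeEnforcementModule(
        {("httpd_t", "httpd_sys_content_t"): frozenset({"read"})}, enforcing=enforcing)
    chain = HookChain()
    chain.register(dac_file_open)    # DAC is consulted first, as in the kernel
    chain.register(te.file_open)     # then the MAC module
    return chain, te


def open_as(chain: HookChain, uid: int, domain: str, f: File, *perms: str) -> int:
    return chain.file_open(Process(uid, domain), f, frozenset(perms))


# Constructed sample objects.
SHADOW = File("/etc/shadow", 0, 0o640, "shadow_t")
INDEX = File("/var/www/html/index.html", 48, 0o644, "httpd_sys_content_t")

if __name__ == "__main__":
    chain, te = build_chain()
    # A compromised web server running as root still cannot read /etc/shadow:
    # DAC lets uid 0 through, the MAC module denies.
    print(open_as(chain, 0, "httpd_t", SHADOW, "read"), te.avc_log[-1])
```

The interesting case is the first one in the `__main__` block: a process in `httpd_t` running as uid 0 passes the discretionary check, yet the open fails because no rule grants `httpd_t` read on `shadow_t`, which is what "beyond DAC" means in practice. Switching `build_chain(enforcing=False)` shows permissive mode: the same denial is logged but the open succeeds, the behaviour administrators rely on while tuning a policy.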
You can download the full report right here.