LID stands for Linux Integrity Drift, and the repository is a security-research write-up of three kernel code paths in Linux that perform security-sensitive operations without consulting the Linux Security Module (LSM) framework. The LSM framework is the layer that AppArmor, SELinux, Smack, and similar tools plug into to enforce policy. The author's point is not that LSM itself is broken, but that some kernel subsystems do work that should pass through LSM hooks and quietly do not, so the policy engine never sees the action.

The README is careful to separate two questions about each finding. The first is the policy visibility gap: what AppArmor or SELinux actually sees, what the audit log records, and what a SIEM or EDR can observe. The second is the practical escalation path: whether the issue lets an attacker cross a privilege boundary, or whether the attacker already needs root or a specific capability. The author argues these are different things, and a finding can be a serious visibility gap even when it does not by itself grant new privilege.

Three findings are documented. LID-001 uses an eBPF kprobe to rewrite a filename argument before AppArmor's path-based check runs, so AppArmor evaluates the wrong path; it needs root or CAP_BPF plus CAP_PERFMON. LID-002 uses io_uring's MSG_RING with SEND_FD to pass a file descriptor in a way that skips security_file_receive(), and notably this one works from unprivileged userspace. LID-003 uses the newer mount API (fsopen and fsmount) which the author says never calls security_sb_mount(), making AppArmor's mount policy unenforceable on that path; it needs CAP_SYS_ADMIN in a user namespace.

A reproducibility matrix lists the exact kernel versions, kernel configs, privilege levels, lockdown modes, sysctls, and target LSM for each finding. A quick reference table shows which findings work on Ubuntu, Debian, RHEL/Fedora, locked-down systems, unprivileged users, and containers. SELinux is noted as not vulnerable to LID-001 or LID-003 because it is inode-based rather than path-based.

The project is MIT licensed and has a Zenodo DOI for the write-up. The README ends mid-section on the LID-001 deep dive in the clip shown here.
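As an added example (not code from the LID repository), the privilege prerequisites stated above can be checked per process from `/proc/<pid>/status` text and a sysctl snapshot. The sysctl names are real kernel knobs picked here as assumptions rather than taken from the repo's reproducibility matrix, and the status text is constructed sample input; a True result means only that the stated prerequisite is reachable, not that the running kernel is affected.

```python
# Added example: exposure triage for the three LID findings' stated prerequisites.
# Sysctl choices and sample inputs are assumptions, not values from the repository.
CAP_SYS_ADMIN, CAP_PERFMON, CAP_BPF = 21, 38, 39  # bit numbers, linux/capability.h

def parse_status(text):
    """Return (effective uid, CapEff bitmask) from /proc/<pid>/status text."""
    uid = capeff = None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key == "Uid":
            uid = int(val.split()[1])        # fields: real, effective, saved, fs
        elif key == "CapEff":
            capeff = int(val.strip(), 16)    # hex bitmask of effective capabilities
    if uid is None or capeff is None:
        raise ValueError("status text lacks Uid or CapEff")
    return uid, capeff

def has(capeff, *caps):
    """True when every listed capability bit is set in the mask."""
    return all(capeff >> c & 1 for c in caps)

def prerequisites_met(status_text, sysctls):
    """Map each finding to whether its stated privilege prerequisite is reachable."""
    uid, capeff = parse_status(status_text)
    # Missing sysctls default to the upstream-permissive value.
    userns_ok = sysctls.get("user.max_user_namespaces", 1) > 0 and (
        has(capeff, CAP_SYS_ADMIN)
        or sysctls.get("kernel.unprivileged_userns_clone", 1) == 1)  # Debian/Ubuntu knob
    io_uring = sysctls.get("kernel.io_uring_disabled", 0)  # 0 all, 1 privileged, 2 none
    return {
        # "root" is read as effective uid 0; a capability-stripped container
        # root is overcounted by this simplification.
        "LID-001": uid == 0 or has(capeff, CAP_BPF, CAP_PERFMON),
        # Unprivileged by the page's account; io_uring_group membership is ignored.
        "LID-002": io_uring == 0 or (io_uring == 1 and has(capeff, CAP_SYS_ADMIN)),
        # CAP_SYS_ADMIN inside a user namespace the process can create.
        "LID-003": userns_ok,
    }

# Constructed samples: an ordinary user, and a user granted CAP_BPF + CAP_PERFMON.
SAMPLE_UNPRIV = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
SAMPLE_TRACER = "Name:\ttracer\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t000000c000000000\n"

if __name__ == "__main__":
    hardened = {"kernel.io_uring_disabled": 2, "kernel.unprivileged_userns_clone": 0}
    print(prerequisites_met(SAMPLE_UNPRIV, {}))
    print(prerequisites_met(SAMPLE_TRACER, hardened))
```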
Generated 2026-05-21 · Model: sonnet-4-6 · Verify against the repo before relying on details.