loongshield lua-lsm manages Lua-LSM policies through the kernel securityfs
ABI at /sys/kernel/security/lua.
Lua-LSM support is experimental. Loongshield does not auto-load policies during install or startup. Loading a policy is always an explicit operator action.
loongshield lua-lsm <command> [options]

Commands:
  status              show whether the Lua-LSM securityfs ABI is present.
  doctor              run readiness checks for securityfs, active LSM order, and kernel config.
  list                show loaded Lua-LSM modules.
  load <policy.lua>   validate policy metadata and write the policy to register.
  unload <name>       write the module name to unregister.
  hooks               print lsm_funcs when CONFIG_SECURITY_LUA_LSM_STATS=y.
  stats               print VM/cache stats when CONFIG_SECURITY_LUA_LSM_STATS=y.

Options:
  --root <path>         override the Lua-LSM securityfs root.
  --config <path>       override the kernel config path used by doctor.
  --no-validate         skip userspace metadata validation before load.
  --log-level <level>   set log level.
  -h, --help            show command help.

Environment:
  LOONGSHIELD_LUA_LSM_SECURITYFS_ROOT    defaults to /sys/kernel/security/lua.
  LOONGSHIELD_LUA_LSM_SECURITYFS_MOUNT   defaults to the parent of the root.
  LOONGSHIELD_LUA_LSM_CONFIG_FILE        kernel config used by doctor.
  LOONGSHIELD_LUA_LSM_ASSUME_CAP_MAC_ADMIN   test-only capability bypass.
Kernel requirements. The running kernel must provide:
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_LUA=y
CONFIG_SECURITY_LUA_LSM=y
CONFIG_LSM=...,lua,...
The load and unload commands require effective CAP_MAC_ADMIN, matching the
kernel-side securityfs write check.
Examples:
loongshield lua-lsm doctor
loongshield lua-lsm status
loongshield lua-lsm list
loongshield lua-lsm load /etc/loongshield/lua-lsm/policies.d/deny_tmp_marker.lua
loongshield lua-lsm unload deny_tmp_marker

Exit codes:
  0: command completed successfully.
  1: CLI error, readiness failure, missing ABI file, validation failure, missing capability, or kernel write failure.
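The following POSIX sh script is an added example, not loongshield's own code, showing the readiness checks and securityfs writes the doctor, load and unload commands are described to perform. The function names are this example's own; it assumes the kernel's active LSM list is readable at <securityfs mount>/lsm, that CONFIG_LSM may appear quoted or unquoted in the config file, that a config path of /boot/config-$(uname -r) is a reasonable default when LOONGSHIELD_LUA_LSM_CONFIG_FILE is unset, and that the unregister file accepts the bare module name. The page does not describe the policy metadata that load validates, so that step is not reproduced.

```shell
#!/bin/sh
# Added example (not part of loongshield): readiness checks and the documented
# securityfs writes for the Lua-LSM ABI. Function names are this example's own.

lua_lsm_root="${LOONGSHIELD_LUA_LSM_SECURITYFS_ROOT:-/sys/kernel/security/lua}"

# check_kconfig CONFIG_FILE
# Succeeds only when every required option is =y and "lua" is in CONFIG_LSM.
check_kconfig() {
  cfg="$1"
  for opt in CONFIG_SECURITY CONFIG_SECURITYFS CONFIG_LUA CONFIG_SECURITY_LUA_LSM; do
    grep -q "^${opt}=y\$" "$cfg" || { echo "doctor: ${opt}=y not set in $cfg" >&2; return 1; }
  done
  # CONFIG_LSM is a comma-separated list; real configs quote it, so accept both forms
  # (assumption: no other characters than the quotes surround the list).
  lsm=$(sed -n 's/^CONFIG_LSM="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$cfg")
  case ",$lsm," in
    *,lua,*) return 0 ;;
    *) echo "doctor: lua is not in CONFIG_LSM (${lsm:-unset})" >&2; return 1 ;;
  esac
}

# check_abi ROOT
# Succeeds when the register/unregister ABI files exist under ROOT and "lua" is
# in the active LSM list. Assumption: securityfs exposes that list at <mount>/lsm,
# where <mount> is LOONGSHIELD_LUA_LSM_SECURITYFS_MOUNT or the parent of ROOT.
check_abi() {
  root="$1"
  sfs_mount="${LOONGSHIELD_LUA_LSM_SECURITYFS_MOUNT:-$(dirname "$root")}"
  [ -e "$root/register" ] && [ -e "$root/unregister" ] ||
    { echo "doctor: Lua-LSM ABI files missing under $root" >&2; return 1; }
  active=$(cat "$sfs_mount/lsm" 2>/dev/null)
  case ",$active," in
    *,lua,*) return 0 ;;
    *) echo "doctor: lua not in active LSM list (${active:-unreadable})" >&2; return 1 ;;
  esac
}

# doctor: both checks together, using the documented config override variable.
# Assumption: /boot/config-$(uname -r) is the fallback config path.
doctor() {
  check_kconfig "${LOONGSHIELD_LUA_LSM_CONFIG_FILE:-/boot/config-$(uname -r)}" &&
    check_abi "$lua_lsm_root"
}

# load_policy ROOT POLICY_FILE: write the policy text to ROOT/register.
# The kernel enforces CAP_MAC_ADMIN on this write; nothing here bypasses that.
load_policy() {
  [ -r "$2" ] || { echo "load: cannot read policy $2" >&2; return 1; }
  cat "$2" > "$1/register"
}

# unload_policy ROOT NAME: write the module name to ROOT/unregister.
# Assumption: the ABI accepts the bare name without a trailing newline.
unload_policy() {
  printf '%s' "$2" > "$1/unregister"
}

# Stand-alone use: `sh this.sh doctor` reports readiness of the running kernel.
case "${1:-}" in
  doctor) doctor && echo "doctor: Lua-LSM looks ready at $lua_lsm_root" ;;
esac
```

Run it against a scratch directory (fake register/unregister files plus a hand-written config) before pointing it at a real securityfs; the checks are pure file reads, while load_policy and unload_policy do the same single write the CLI does, so on a live system they need the same CAP_MAC_ADMIN.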