LSM provides a general security system call that allows security modules to implement new calls for security-aware applications. Although modules can export information and operations via the /proc filesystem or by defining a new pseudo filesystem type, such an approach is inadequate for the needs of some security modules. For example, the SELinux module provides extended forms of a number of existing system calls that permit applications to specify or obtain security information associated with kernel objects and operations.
The security system call is a simple multiplexor fashioned after the existing Linux socketcall system call. It takes the following arguments: (unsigned int id, unsigned int call, unsigned long *args). Since the module defines the implementation of the system call, it can choose to interpret the arguments however it likes. These arguments are intended to be interpreted by the modules as a module identifier, a call identifier, and an argument array. By default, LSM provides a sys_security entry point function that simply calls a sys_security hook with the parameters. A security module that does not provide any new calls can define a sys_security hook function that returns -ENOSYS. Most security modules that want to provide new calls can place their call implementations in this hook function.
In some cases, the entry point function provided by LSM may be inadequate for a security module. For example, one of the new calls provided by SELinux requires access to the registers on the stack. The SELinux module implements its own entry point function to provide such access, and replaces the LSM entry point function with this function in the system call table during module initialization.