.. SPDX-License-Identifier: GPL-2.0
.. Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
.. Copyright (C) 2022 Intel Corporation

=====================================
Linux Security Modules
=====================================

:Author: Casey Schaufler
:Date: July 2023

Linux security modules (LSM) provide a mechanism to implement
additional access controls to the Linux security policies.

The various security modules may support any of these attributes:

``LSM_ATTR_CURRENT`` is the current, active security context of the
process.
The proc filesystem provides this value in ``/proc/self/attr/current``.
This is supported by the SELinux, Smack and AppArmor security modules.
Smack also provides this value in ``/proc/self/attr/smack/current``.
AppArmor also provides this value in ``/proc/self/attr/apparmor/current``.

``LSM_ATTR_EXEC`` is the security context of the process at the time the
current image was executed.
The proc filesystem provides this value in ``/proc/self/attr/exec``.
This is supported by the SELinux and AppArmor security modules.
AppArmor also provides this value in ``/proc/self/attr/apparmor/exec``.

``LSM_ATTR_FSCREATE`` is the security context of the process used when
creating file system objects.
The proc filesystem provides this value in ``/proc/self/attr/fscreate``.
This is supported by the SELinux security module.

``LSM_ATTR_KEYCREATE`` is the security context of the process used when
creating key objects.
The proc filesystem provides this value in ``/proc/self/attr/keycreate``.
This is supported by the SELinux security module.

``LSM_ATTR_PREV`` is the security context of the process at the time the
current security context was set.
The proc filesystem provides this value in ``/proc/self/attr/prev``.
This is supported by the SELinux and AppArmor security modules.
AppArmor also provides this value in ``/proc/self/attr/apparmor/prev``.

``LSM_ATTR_SOCKCREATE`` is the security context of the process used when
creating socket objects.
The proc filesystem provides this value in ``/proc/self/attr/sockcreate``.
This is supported by the SELinux security module.

Kernel interface
================

Set a security attribute of the current process
-----------------------------------------------

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_set_self_attr

Get the specified security attributes of the current process
------------------------------------------------------------

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_get_self_attr

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_list_modules
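
As an added example (not part of this documentation or of the kernel's own code), the C below walks the ``struct lsm_ctx`` array that ``lsm_get_self_attr()`` returns for ``LSM_ATTR_CURRENT``, one record per module that supports the attribute. It assumes the record layout and ``LSM_ID_*`` values of ``uapi/linux/lsm.h`` (redeclared locally so it builds with older headers) and parses a constructed two-record buffer instead of calling the kernel, so it runs anywhere; the point it shows is that a caller must advance by each record's ``len`` (padded to pointer alignment), not by the header size plus ``ctx_len``, and must validate both lengths against the buffer.

```c
/* Added example, not from the kernel docs: parse the struct lsm_ctx array that
 * lsm_get_self_attr(2) fills for LSM_ATTR_CURRENT. Layout and LSM_ID_* values
 * mirror uapi/linux/lsm.h, redeclared so this builds with older headers. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define LSM_ID_SMACK    102
#define LSM_ID_APPARMOR 104

struct lsm_ctx_hdr {          /* struct lsm_ctx minus its flexible ctx[] tail */
    uint64_t id, flags;       /* LSM_ID_* owning the record; flags reserved (0) */
    uint64_t len, ctx_len;    /* padded record size; context bytes after header */
};
struct entry { uint64_t id; char ctx[64]; };
/* Copy up to `max` of `count` records from buf into out[]. The stride is h.len
 * (padded to 8), not sizeof h + ctx_len. Returns records stored, or -EINVAL
 * when a record overruns the buffer or its two lengths disagree. */
int walk_lsm_ctx(const uint8_t *buf, size_t size, uint32_t count,
                 struct entry *out, size_t max)
{
    size_t off = 0, n = 0;
    for (uint32_t i = 0; i < count && n < max; i++) {
        struct lsm_ctx_hdr h;
        if (size - off < sizeof h) return -EINVAL;
        memcpy(&h, buf + off, sizeof h);
        if (h.len < sizeof h || h.len > size - off || h.ctx_len > h.len - sizeof h)
            return -EINVAL;
        size_t c = h.ctx_len < sizeof out->ctx - 1 ? h.ctx_len : sizeof out->ctx - 1;
        memcpy(out[n].ctx, buf + off + sizeof h, c);   /* context is not NUL-terminated by contract */
        out[n].ctx[c] = '\0'; out[n].id = h.id;
        off += h.len; n++;
    }
    return (int)n;
}
/* Constructed sample, not kernel output: two records with different padding. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    const struct { uint64_t id; const char *ctx; } in[] =
        { { LSM_ID_SMACK, "_" }, { LSM_ID_APPARMOR, "unconfined" } };
    size_t off = 0;
    for (size_t i = 0; i < 2; i++) {
        struct lsm_ctx_hdr h = { in[i].id, 0, 0, strlen(in[i].ctx) + 1 };
        h.len = (sizeof h + h.ctx_len + 7) & ~(uint64_t)7;   /* pad to 8 bytes */
        if (off + h.len > cap) return 0;
        memset(buf + off, 0, h.len); memcpy(buf + off, &h, sizeof h);
        memcpy(buf + off + sizeof h, in[i].ctx, h.ctx_len);
        off += h.len;
    }
    return off;
}
```

Against a live kernel (6.8 or later) the buffer comes from ``syscall(SYS_lsm_get_self_attr, LSM_ATTR_CURRENT, buf, &size, 0)``, where ``size`` is a ``uint32_t`` passed in as the buffer capacity and returned as the bytes written, and the call's return value is the ``count`` to pass to ``walk_lsm_ctx()``.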

Additional documentation
========================

* Documentation/security/lsm.rst
* Documentation/security/lsm-development.rst