74 lines
2.7 KiB
ReStructuredText
74 lines
2.7 KiB
ReStructuredText
.. SPDX-License-Identifier: GPL-2.0
|
|
.. Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
|
|
.. Copyright (C) 2022 Intel Corporation
|
|
|
|
=====================================
|
|
Linux Security Modules
|
|
=====================================
|
|
|
|
:Author: Casey Schaufler
|
|
:Date: July 2023
|
|
|
|
Linux security modules (LSM) provide a mechanism to implement
|
|
additional access controls to the Linux security policies.
|
|
|
|
The various security modules may support any of these attributes:
|
|
|
|
``LSM_ATTR_CURRENT`` is the current, active security context of the
|
|
process.
|
|
The proc filesystem provides this value in ``/proc/self/attr/current``.
|
|
This is supported by the SELinux, Smack and AppArmor security modules.
|
|
Smack also provides this value in ``/proc/self/attr/smack/current``.
|
|
AppArmor also provides this value in ``/proc/self/attr/apparmor/current``.
|
|
|
|
``LSM_ATTR_EXEC`` is the security context of the process at the time the
|
|
current image was executed.
|
|
The proc filesystem provides this value in ``/proc/self/attr/exec``.
|
|
This is supported by the SELinux and AppArmor security modules.
|
|
AppArmor also provides this value in ``/proc/self/attr/apparmor/exec``.
|
|
|
|
``LSM_ATTR_FSCREATE`` is the security context of the process used when
|
|
creating file system objects.
|
|
The proc filesystem provides this value in ``/proc/self/attr/fscreate``.
|
|
This is supported by the SELinux security module.
|
|
|
|
``LSM_ATTR_KEYCREATE`` is the security context of the process used when
|
|
creating key objects.
|
|
The proc filesystem provides this value in ``/proc/self/attr/keycreate``.
|
|
This is supported by the SELinux security module.
|
|
|
|
``LSM_ATTR_PREV`` is the security context of the process at the time the
|
|
current security context was set.
|
|
The proc filesystem provides this value in ``/proc/self/attr/prev``.
|
|
This is supported by the SELinux and AppArmor security modules.
|
|
AppArmor also provides this value in ``/proc/self/attr/apparmor/prev``.
|
|
|
|
``LSM_ATTR_SOCKCREATE`` is the security context of the process used when
|
|
creating socket objects.
|
|
The proc filesystem provides this value in ``/proc/self/attr/sockcreate``.
|
|
This is supported by the SELinux security module.
|
|
|
|
Kernel interface
|
|
================
|
|
|
|
Set a security attribute of the current process
|
|
-----------------------------------------------
|
|
|
|
.. kernel-doc:: security/lsm_syscalls.c
|
|
:identifiers: sys_lsm_set_self_attr
|
|
|
|
Get the specified security attributes of the current process
|
|
------------------------------------------------------------
|
|
|
|
.. kernel-doc:: security/lsm_syscalls.c
|
|
:identifiers: sys_lsm_get_self_attr
|
|
|
|
.. kernel-doc:: security/lsm_syscalls.c
|
|
:identifiers: sys_lsm_list_modules
|
|
|
|
Additional documentation
|
|
========================
|
|
|
|
* Documentation/security/lsm.rst
|
|
* Documentation/security/lsm-development.rst
|