1 .. SPDX-License-Identifier: GPL-2.0 1 .. SPDX-License-Identifier: GPL-2.0
2 .. Copyright (C) 2022 Casey Schaufler <casey@sc 2 .. Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
3 .. Copyright (C) 2022 Intel Corporation 3 .. Copyright (C) 2022 Intel Corporation
4 4
5 ===================================== 5 =====================================
6 Linux Security Modules 6 Linux Security Modules
7 ===================================== 7 =====================================
8 8
9 :Author: Casey Schaufler 9 :Author: Casey Schaufler
10 :Date: July 2023 10 :Date: July 2023
11 11
12 Linux security modules (LSM) provide a mechani 12 Linux security modules (LSM) provide a mechanism to implement
13 additional access controls to the Linux securi 13 additional access controls to the Linux security policies.
14 14
15 The various security modules may support any o 15 The various security modules may support any of these attributes:
16 16
17 ``LSM_ATTR_CURRENT`` is the current, active se 17 ``LSM_ATTR_CURRENT`` is the current, active security context of the
18 process. 18 process.
19 The proc filesystem provides this value in ``/ 19 The proc filesystem provides this value in ``/proc/self/attr/current``.
20 This is supported by the SELinux, Smack and Ap 20 This is supported by the SELinux, Smack and AppArmor security modules.
21 Smack also provides this value in ``/proc/self 21 Smack also provides this value in ``/proc/self/attr/smack/current``.
22 AppArmor also provides this value in ``/proc/s 22 AppArmor also provides this value in ``/proc/self/attr/apparmor/current``.
23 23
24 ``LSM_ATTR_EXEC`` is the security context of t 24 ``LSM_ATTR_EXEC`` is the security context of the process at the time the
25 current image was executed. 25 current image was executed.
26 The proc filesystem provides this value in ``/ 26 The proc filesystem provides this value in ``/proc/self/attr/exec``.
27 This is supported by the SELinux and AppArmor 27 This is supported by the SELinux and AppArmor security modules.
28 AppArmor also provides this value in ``/proc/s 28 AppArmor also provides this value in ``/proc/self/attr/apparmor/exec``.
29 29
30 ``LSM_ATTR_FSCREATE`` is the security context 30 ``LSM_ATTR_FSCREATE`` is the security context of the process used when
31 creating file system objects. 31 creating file system objects.
32 The proc filesystem provides this value in ``/ 32 The proc filesystem provides this value in ``/proc/self/attr/fscreate``.
33 This is supported by the SELinux security modu 33 This is supported by the SELinux security module.
34 34
35 ``LSM_ATTR_KEYCREATE`` is the security context 35 ``LSM_ATTR_KEYCREATE`` is the security context of the process used when
36 creating key objects. 36 creating key objects.
37 The proc filesystem provides this value in ``/ 37 The proc filesystem provides this value in ``/proc/self/attr/keycreate``.
38 This is supported by the SELinux security modu 38 This is supported by the SELinux security module.
39 39
40 ``LSM_ATTR_PREV`` is the security context of t 40 ``LSM_ATTR_PREV`` is the security context of the process at the time the
41 current security context was set. 41 current security context was set.
42 The proc filesystem provides this value in ``/ 42 The proc filesystem provides this value in ``/proc/self/attr/prev``.
43 This is supported by the SELinux and AppArmor 43 This is supported by the SELinux and AppArmor security modules.
44 AppArmor also provides this value in ``/proc/s 44 AppArmor also provides this value in ``/proc/self/attr/apparmor/prev``.
45 45
46 ``LSM_ATTR_SOCKCREATE`` is the security contex 46 ``LSM_ATTR_SOCKCREATE`` is the security context of the process used when
47 creating socket objects. 47 creating socket objects.
48 The proc filesystem provides this value in ``/ 48 The proc filesystem provides this value in ``/proc/self/attr/sockcreate``.
49 This is supported by the SELinux security modu 49 This is supported by the SELinux security module.
50 50
51 Kernel interface 51 Kernel interface
52 ================ 52 ================
53 53
54 Set a security attribute of the current proces 54 Set a security attribute of the current process
55 ---------------------------------------------- 55 -----------------------------------------------
56 56
57 .. kernel-doc:: security/lsm_syscalls.c 57 .. kernel-doc:: security/lsm_syscalls.c
58 :identifiers: sys_lsm_set_self_attr 58 :identifiers: sys_lsm_set_self_attr
59 59
60 Get the specified security attributes of the c 60 Get the specified security attributes of the current process
61 ---------------------------------------------- 61 ------------------------------------------------------------
62 62
63 .. kernel-doc:: security/lsm_syscalls.c 63 .. kernel-doc:: security/lsm_syscalls.c
64 :identifiers: sys_lsm_get_self_attr 64 :identifiers: sys_lsm_get_self_attr
65 65
66 .. kernel-doc:: security/lsm_syscalls.c 66 .. kernel-doc:: security/lsm_syscalls.c
67 :identifiers: sys_lsm_list_modules 67 :identifiers: sys_lsm_list_modules
68 68
69 Additional documentation 69 Additional documentation
70 ======================== 70 ========================
71 71
72 * Documentation/security/lsm.rst 72 * Documentation/security/lsm.rst
73 * Documentation/security/lsm-development.rst 73 * Documentation/security/lsm-development.rst
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.