Linux/Documentation/userspace-api/lsm.rst


.. SPDX-License-Identifier: GPL-2.0
.. Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
.. Copyright (C) 2022 Intel Corporation

=====================================
Linux Security Modules
=====================================

:Author: Casey Schaufler
:Date: July 2023

Linux security modules (LSM) provide a mechanism to implement
access controls in addition to the Linux security policies.

The various security modules may support any of these attributes:

``LSM_ATTR_CURRENT`` is the current, active security context of the
process.
The proc filesystem provides this value in ``/proc/self/attr/current``.
This is supported by the SELinux, Smack and AppArmor security modules.
Smack also provides this value in ``/proc/self/attr/smack/current``.
AppArmor also provides this value in ``/proc/self/attr/apparmor/current``.

``LSM_ATTR_EXEC`` is the security context of the process at the time the
current image was executed.
The proc filesystem provides this value in ``/proc/self/attr/exec``.
This is supported by the SELinux and AppArmor security modules.
AppArmor also provides this value in ``/proc/self/attr/apparmor/exec``.

``LSM_ATTR_FSCREATE`` is the security context of the process used when
creating file system objects.
The proc filesystem provides this value in ``/proc/self/attr/fscreate``.
This is supported by the SELinux security module.

``LSM_ATTR_KEYCREATE`` is the security context of the process used when
creating key objects.
The proc filesystem provides this value in ``/proc/self/attr/keycreate``.
This is supported by the SELinux security module.

``LSM_ATTR_PREV`` is the security context of the process at the time the
current security context was set.
The proc filesystem provides this value in ``/proc/self/attr/prev``.
This is supported by the SELinux and AppArmor security modules.
AppArmor also provides this value in ``/proc/self/attr/apparmor/prev``.

``LSM_ATTR_SOCKCREATE`` is the security context of the process used when
creating socket objects.
The proc filesystem provides this value in ``/proc/self/attr/sockcreate``.
This is supported by the SELinux security module.

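The attribute files listed above can be read from a process to audit how it is confined. The C program below is an added example, not part of the kernel documentation or kernel source; the helper names ``lsm_attr_read`` and ``lsm_ctx_trim`` are hypothetical, and stripping trailing NUL or newline bytes is an assumption about how a module terminates the value.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Attribute files named on this page, relative to /proc/self/attr. */
static const char *const lsm_attr_files[] = {
    "current", "exec", "fscreate", "keycreate", "prev", "sockcreate",
    "smack/current", "apparmor/current", "apparmor/exec", "apparmor/prev",
};

/* Drop trailing NUL/newline bytes (assumed terminators); buf holds len + 1. */
static size_t lsm_ctx_trim(char *buf, size_t len)
{
    while (len > 0 && (buf[len - 1] == '\0' || buf[len - 1] == '\n'))
        len--;
    buf[len] = '\0';
    return len;
}

/* Read dir/name into out. Returns the context length (0 means unset), -E2BIG
 * if out may be too small, or the negative errno from open()/read(). */
static long lsm_attr_read(const char *dir, const char *name, char *out, size_t size)
{
    char path[256];
    int fd, err;
    ssize_t n;
    if (size < 2 || snprintf(path, sizeof(path), "%s/%s", dir, name) >= (int)sizeof(path))
        return -EINVAL;
    if ((fd = open(path, O_RDONLY)) < 0)
        return -errno;
    n = read(fd, out, size - 1);
    err = errno;            /* save before close() can overwrite it */
    close(fd);
    if (n < 0)
        return -err;
    return (size_t)n == size - 1 ? -E2BIG : (long)lsm_ctx_trim(out, (size_t)n);
}

int main(void)
{
    char ctx[4096];
    for (size_t i = 0; i < sizeof(lsm_attr_files) / sizeof(*lsm_attr_files); i++) {
        long n = lsm_attr_read("/proc/self/attr", lsm_attr_files[i], ctx, sizeof(ctx));
        printf("%-17s %s\n", lsm_attr_files[i],
               n < 0 ? strerror((int)-n) : n ? ctx : "(unset)");
    }
    return 0;
}
```

An error string in the second column means the file is missing or the read failed on this system, which is expected for attributes that the active security modules do not provide.
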
Kernel interface
================

Set a security attribute of the current process
-----------------------------------------------

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_set_self_attr

Get the specified security attributes of the current process
------------------------------------------------------------

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_get_self_attr

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_list_modules

Additional documentation
========================

* Documentation/security/lsm.rst
* Documentation/security/lsm-development.rst
