lsm.rst

File metadata and controls

73 lines (55 loc) · 2.69 KB

======================
Linux Security Modules
======================

:Author: Casey Schaufler
:Date: July 2023

Linux security modules (LSM) provide a mechanism to implement additional access controls to the Linux security policies.

The various security modules may support any of these attributes:

``LSM_ATTR_CURRENT`` is the current, active security context of the process.
The proc filesystem provides this value in ``/proc/self/attr/current``.
This is supported by the SELinux, Smack and AppArmor security modules.
Smack also provides this value in ``/proc/self/attr/smack/current``.
AppArmor also provides this value in ``/proc/self/attr/apparmor/current``.

``LSM_ATTR_EXEC`` is the security context of the process at the time the
current image was executed.
The proc filesystem provides this value in ``/proc/self/attr/exec``.
This is supported by the SELinux and AppArmor security modules.
AppArmor also provides this value in ``/proc/self/attr/apparmor/exec``.

``LSM_ATTR_FSCREATE`` is the security context of the process used when
creating file system objects.
The proc filesystem provides this value in ``/proc/self/attr/fscreate``.
This is supported by the SELinux security module.

``LSM_ATTR_KEYCREATE`` is the security context of the process used when
creating key objects.
The proc filesystem provides this value in ``/proc/self/attr/keycreate``.
This is supported by the SELinux security module.

``LSM_ATTR_PREV`` is the security context of the process at the time the
current security context was set.
The proc filesystem provides this value in ``/proc/self/attr/prev``.
This is supported by the SELinux and AppArmor security modules.
AppArmor also provides this value in ``/proc/self/attr/apparmor/prev``.

``LSM_ATTR_SOCKCREATE`` is the security context of the process used when
creating socket objects.
The proc filesystem provides this value in ``/proc/self/attr/sockcreate``.
This is supported by the SELinux security module.

Kernel interface
================

Set a security attribute of the current process
-----------------------------------------------

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_set_self_attr

Get the specified security attributes of the current process
------------------------------------------------------------

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_get_self_attr

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_list_modules
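The buffer that ``lsm_get_self_attr()`` fills is a sequence of variable-length
``struct lsm_ctx`` entries, one per module that reports the requested attribute.
The following is an added example, not part of the kernel documentation or the
kernel source: it queries ``LSM_ATTR_CURRENT`` on the running kernel and walks
the result with a bounds-checked parser. It assumes the Linux 6.8 syscall number
and the ``struct lsm_ctx`` layout from ``include/uapi/linux/lsm.h`` (both
redefined locally so it builds against older headers); the two-entry sample
buffer, its module mix and its labels are constructed for illustration only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Mirrors include/uapi/linux/lsm.h (Linux 6.8+); drop these if that header is
 * included directly. */
#ifndef __NR_lsm_get_self_attr
#define __NR_lsm_get_self_attr 459
#endif
#define LSM_ATTR_CURRENT 100
#define LSM_ID_SELINUX   101
#define LSM_ID_SMACK     102
#define LSM_ID_APPARMOR  104

/* One entry of the buffer lsm_get_self_attr() fills. `len` is the size of the
 * whole entry including padding; `ctx_len` is the size of the context bytes
 * that follow the header. Advance with `len`, never with `ctx_len`. */
struct lsm_ctx {
    uint64_t id;
    uint64_t flags;
    uint64_t len;
    uint64_t ctx_len;
    uint8_t ctx[];
};

typedef void (*lsm_ctx_cb)(const struct lsm_ctx *hdr, const uint8_t *ctx, void *arg);

/* Visit `count` entries, validating each header against the buffer bounds before
 * anything past it is touched. Returns the entry count, or -1 if malformed. */
static int lsm_ctx_walk(const uint8_t *buf, size_t size, int count, lsm_ctx_cb cb, void *arg)
{
    size_t off = 0;
    for (int i = 0; i < count; i++) {
        struct lsm_ctx hdr;
        if (size - off < sizeof hdr)
            return -1;
        memcpy(&hdr, buf + off, sizeof hdr);              /* no unaligned loads */
        if (hdr.len < sizeof hdr || hdr.len > size - off || hdr.ctx_len > hdr.len - sizeof hdr)
            return -1;
        if (cb)
            cb(&hdr, buf + off + sizeof hdr, arg);
        off += hdr.len;
    }
    return count;
}

struct find_arg { uint64_t id; char *out; size_t outsz; int found; };

static void find_cb(const struct lsm_ctx *hdr, const uint8_t *ctx, void *p)
{
    struct find_arg *a = p;
    if (a->found || hdr->id != a->id)
        return;
    size_t n = hdr->ctx_len < a->outsz - 1 ? hdr->ctx_len : a->outsz - 1;
    memcpy(a->out, ctx, n);
    a->out[n] = '\0';        /* terminate locally; copy exactly ctx_len bytes */
    a->found = 1;
}

/* Copy the context reported by module `id` into `out` as a C string.
 * Returns 1 if found, 0 if that module reported nothing, -1 if malformed. */
static int lsm_ctx_find(const uint8_t *buf, size_t size, int count, uint64_t id, char *out, size_t outsz)
{
    struct find_arg a = { id, out, outsz, 0 };
    if (lsm_ctx_walk(buf, size, count, find_cb, &a) < 0)
        return -1;
    return a.found;
}

/* Append one entry, padded to 8 bytes like the kernel does. Used only to build
 * the constructed sample; returns the new end offset, or 0 if `cap` is too small. */
static size_t lsm_ctx_pack(uint8_t *buf, size_t cap, size_t off, uint64_t id, const char *s)
{
    struct lsm_ctx hdr = { .id = id, .flags = 0, .ctx_len = strlen(s) + 1 };
    hdr.len = (sizeof hdr + hdr.ctx_len + 7) & ~(size_t)7;
    if (hdr.len > cap - off)
        return 0;
    memcpy(buf + off, &hdr, sizeof hdr);
    memset(buf + off + sizeof hdr, 0, hdr.len - sizeof hdr);
    memcpy(buf + off + sizeof hdr, s, hdr.ctx_len);
    return off + hdr.len;
}

/* Constructed sample buffer with two entries (labels invented); returns the count. */
static int sample_buffer(uint8_t *buf, size_t cap, size_t *used)
{
    size_t off = lsm_ctx_pack(buf, cap, 0, LSM_ID_SELINUX, "system_u:system_r:kernel_t:s0");
    off = lsm_ctx_pack(buf, cap, off, LSM_ID_APPARMOR, "unconfined");
    *used = off;
    return 2;
}

/* Ask the running kernel for `attr`, growing the buffer when it reports E2BIG
 * (the required size is written back into `sz`). Returns the entry count, or -1
 * with errno set (ENOSYS on kernels before 6.8). */
static int query_self_attr(unsigned int attr, uint8_t **out, uint32_t *size)
{
    uint32_t sz = 256;
    uint8_t *buf = malloc(sz), *nbuf;
    long rc;
    if (!buf)
        return -1;
    while ((rc = syscall(__NR_lsm_get_self_attr, attr, buf, &sz, 0)) < 0) {
        if (errno != E2BIG || !(nbuf = realloc(buf, sz))) {
            free(buf);
            return -1;
        }
        buf = nbuf;
    }
    *out = buf;
    *size = sz;
    return (int)rc;
}

static void print_cb(const struct lsm_ctx *hdr, const uint8_t *ctx, void *unused)
{
    (void)unused;
    printf("  lsm id %llu: %.*s\n", (unsigned long long)hdr->id, (int)hdr->ctx_len, (const char *)ctx);
}

int main(void)
{
    uint8_t *buf;
    uint32_t size;
    int n = query_self_attr(LSM_ATTR_CURRENT, &buf, &size);
    if (n < 0) {
        perror("lsm_get_self_attr");
        return 1;
    }
    printf("%d module(s) reported LSM_ATTR_CURRENT (%u bytes)\n", n, size);
    if (lsm_ctx_walk(buf, size, n, print_cb, NULL) < 0)
        fputs("malformed buffer from kernel\n", stderr);
    free(buf);
    return 0;
}
```

Build with ``gcc -std=c11 -Wall`` and run on a 6.8 or newer kernel; older kernels
fail with ``ENOSYS``. The walker checks ``len`` and ``ctx_len`` against the
remaining buffer before each entry is read because the kernel pads entries, so a
parser that advances by header plus ``ctx_len`` desynchronises, and one that
trusts ``ctx_len`` without a bounds check reads past the buffer on a short or
truncated result.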

Additional documentation
========================

* Documentation/security/lsm.rst
* Documentation/security/lsm-development.rst