Documentation/userspace-api/lsm.rst
.. SPDX-License-Identifier: GPL-2.0
.. Copyright (C) 2022 Casey Schaufler [email protected]
.. Copyright (C) 2022 Intel Corporation

:Author: Casey Schaufler
:Date: July 2023
Linux security modules (LSM) provide a mechanism to implement
additional access controls to the Linux security policies.

The various security modules may support any of these attributes:

``LSM_ATTR_CURRENT`` is the current, active security context of the
process.
The proc filesystem provides this value in ``/proc/self/attr/current``.
This is supported by the SELinux, Smack and AppArmor security modules.
Smack also provides this value in ``/proc/self/attr/smack/current``.
AppArmor also provides this value in ``/proc/self/attr/apparmor/current``.

``LSM_ATTR_EXEC`` is the security context of the process at the time the
current image was executed.
The proc filesystem provides this value in ``/proc/self/attr/exec``.
This is supported by the SELinux and AppArmor security modules.
AppArmor also provides this value in ``/proc/self/attr/apparmor/exec``.

``LSM_ATTR_FSCREATE`` is the security context of the process used when
creating file system objects.
The proc filesystem provides this value in ``/proc/self/attr/fscreate``.
This is supported by the SELinux security module.

``LSM_ATTR_KEYCREATE`` is the security context of the process used when
creating key objects.
The proc filesystem provides this value in ``/proc/self/attr/keycreate``.
This is supported by the SELinux security module.

``LSM_ATTR_PREV`` is the security context of the process at the time the
current security context was set.
The proc filesystem provides this value in ``/proc/self/attr/prev``.
This is supported by the SELinux and AppArmor security modules.
AppArmor also provides this value in ``/proc/self/attr/apparmor/prev``.

``LSM_ATTR_SOCKCREATE`` is the security context of the process used when
creating socket objects.
The proc filesystem provides this value in ``/proc/self/attr/sockcreate``.
This is supported by the SELinux security module.
.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_set_self_attr

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_get_self_attr

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_list_modules
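The buffer that ``lsm_get_self_attr()`` fills holds one variable-length ``struct lsm_ctx`` record per module that provides the requested attribute, so a caller has to walk it by each record's ``len`` and validate the sizes before touching the label. The C example below is added here and is not part of the kernel documentation; it redefines the ``struct lsm_ctx`` header layout and the ``LSM_ID_*`` values as they appear in ``<linux/lsm.h>`` (an assumption relative to this page, so it builds without recent kernel headers) and uses constructed sample labels rather than values read from a live kernel.

```c
#include <stdint.h>
#include <string.h>

#define LSM_ID_SELINUX  101      /* assumed from <linux/lsm.h> */
#define LSM_ID_APPARMOR 104
struct lsm_ctx_hdr {             /* fixed part of struct lsm_ctx; label follows */
    uint64_t id, flags, len, ctx_len;
};

/* Append one record as the kernel lays it out: NUL-terminated label, len
 * rounded up to 8 bytes. Returns the new offset, or 0 if buf is full. */
size_t lsm_ctx_put(uint8_t *buf, size_t size, size_t off, uint64_t id, const char *label)
{
    size_t n = strlen(label) + 1;
    size_t len = (sizeof(struct lsm_ctx_hdr) + n + 7) & ~(size_t)7;
    struct lsm_ctx_hdr h = { id, 0, len, n };
    if (off > size || size - off < len)
        return 0;
    memset(buf + off, 0, len);                  /* zero the padding too */
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + sizeof h, label, n);
    return off + len;
}

/* Find the record for 'id' in a buffer filled by lsm_get_self_attr() and copy
 * its label into out. Records advance by 'len' (not 'ctx_len'), and every
 * length is checked against the remaining buffer before use, so a truncated
 * or corrupt buffer is reported rather than read past. Returns the label
 * length, -1 if no record has that id, -2 if malformed, -3 if out is small. */
long lsm_ctx_find(const uint8_t *buf, size_t size, uint64_t id,
                  char *out, size_t outsz)
{
    struct lsm_ctx_hdr h;
    for (size_t off = 0; off < size; off += h.len) {
        if (size - off < sizeof h)
            return -2;
        memcpy(&h, buf + off, sizeof h);        /* memcpy: no alignment UB */
        if (h.len < sizeof h || h.len > size - off ||
            h.ctx_len > h.len - sizeof h)
            return -2;
        if (h.id != id)
            continue;
        if (h.ctx_len > outsz)
            return -3;
        memcpy(out, buf + off + sizeof h, h.ctx_len);
        if (h.ctx_len == 0 || out[h.ctx_len - 1] != '\0')
            return -2;                          /* label must be NUL-terminated */
        return (long)h.ctx_len - 1;
    }
    return -1;
}
```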