.. SPDX-License-Identifier: GPL-2.0
.. Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
.. Copyright (C) 2022 Intel Corporation

=====================================
Linux Security Modules
=====================================

:Author: Casey Schaufler
:Date: July 2023

Linux security modules (LSM) provide a mechanism to implement
additional access controls to the Linux security policies.

The various security modules may support any of these attributes:

``LSM_ATTR_CURRENT`` is the current, active security context of the
process.
The proc filesystem provides this value in ``/proc/self/attr/current``.
This is supported by the SELinux, Smack and AppArmor security modules.
Smack also provides this value in ``/proc/self/attr/smack/current``.
AppArmor also provides this value in ``/proc/self/attr/apparmor/current``.

``LSM_ATTR_EXEC`` is the security context of the process at the time the
current image was executed.
The proc filesystem provides this value in ``/proc/self/attr/exec``.
This is supported by the SELinux and AppArmor security modules.
AppArmor also provides this value in ``/proc/self/attr/apparmor/exec``.

``LSM_ATTR_FSCREATE`` is the security context of the process used when
creating file system objects.
The proc filesystem provides this value in ``/proc/self/attr/fscreate``.
This is supported by the SELinux security module.

``LSM_ATTR_KEYCREATE`` is the security context of the process used when
creating key objects.
The proc filesystem provides this value in ``/proc/self/attr/keycreate``.
This is supported by the SELinux security module.

``LSM_ATTR_PREV`` is the security context of the process at the time the
current security context was set.
The proc filesystem provides this value in ``/proc/self/attr/prev``.
This is supported by the SELinux and AppArmor security modules.
AppArmor also provides this value in ``/proc/self/attr/apparmor/prev``.

``LSM_ATTR_SOCKCREATE`` is the security context of the process used when
creating socket objects.
The proc filesystem provides this value in ``/proc/self/attr/sockcreate``.
This is supported by the SELinux security module.

Kernel interface
================

Set a security attribute of the current process
-----------------------------------------------

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_set_self_attr

Get the specified security attributes of the current process
------------------------------------------------------------

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_get_self_attr

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_list_modules

Additional documentation
========================

* Documentation/security/lsm.rst
* Documentation/security/lsm-development.rst
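
The attribute files under ``/proc/self/attr/`` listed at the top of this page can be read directly by a process that wants to audit its own security contexts. The following is an added example, not part of the kernel documentation or kernel source: the helper names ``lsm_attr_path`` and ``lsm_attr_read`` are hypothetical, and it reads only the calling process's own attributes.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example (helper names are its own). Files under /proc/self/attr/: */
static const char *const attr_names[] = {
    "current", "exec", "fscreate", "keycreate", "prev", "sockcreate", NULL };
/* lsm: NULL (shared file) or a module directory, e.g. "apparmor". 0 or -1. */
int lsm_attr_path(const char *lsm, const char *attr, char *out, size_t len)
{
    int i = 0, n;
    while (attr_names[i] && strcmp(attr, attr_names[i]) != 0)
        i++;
    if (!attr_names[i] || (lsm && (!*lsm || *lsm == '.' || strchr(lsm, '/'))))
        return -1;      /* unknown attribute, or path would leave attr/ */
    n = lsm ? snprintf(out, len, "/proc/self/attr/%s/%s", lsm, attr)
            : snprintf(out, len, "/proc/self/attr/%s", attr);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}
/* Returns the value's length (0 means unset) or a negative errno. */
long lsm_attr_read(const char *lsm, const char *attr, char *buf, size_t len)
{
    char path[128];
    long n;
    int fd;
    if (len == 0 || lsm_attr_path(lsm, attr, path, sizeof(path)) < 0)
        return -EINVAL;
    if ((fd = open(path, O_RDONLY)) < 0)
        return -errno;
    n = read(fd, buf, len - 1);
    n = n < 0 ? -errno : n;     /* capture errno before close() */
    close(fd);
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\0'))
        n--;                    /* strip a trailing newline or NUL if present */
    if (n >= 0)
        buf[n] = '\0';
    return n;
}

int main(void)
{
    char buf[4096];
    for (size_t i = 0; attr_names[i]; i++) {
        long r = lsm_attr_read(NULL, attr_names[i], buf, sizeof(buf));
        printf("%-10s %s\n", attr_names[i], r < 0 ? strerror((int)-r) : buf);
    }
    return 0;
}
```

An error for a given attribute means the file could not be opened or read on the running kernel, which is expected when no active security module supports that attribute.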