[PATCH v19 13/23] LSM: Specify which LSM to display

John Johansen john.johansen at canonical.com
Mon Jul 27 20:40:58 UTC 2020


On 7/27/20 1:36 PM, James Morris wrote:
> On Fri, 24 Jul 2020, Casey Schaufler wrote:
> 
>> Create a new entry "display" in the procfs attr directory for
>> controlling which LSM security information is displayed for a
>> process. A process can only read or write its own display value.
>>
>> The name of an active LSM that supplies hooks for
>> human readable data may be written to "display" to set the
>> value. The name of the LSM currently in use can be read from
>> "display". At this point there can only be one LSM capable
>> of display active. A helper function lsm_task_display() is
>> provided to get the display slot for a task_struct.
>>
>> Setting the "display" requires that all security modules using
>> setprocattr hooks allow the action. Each security module is
>> responsible for defining its policy.
>>
>> AppArmor hook provided by John Johansen <john.johansen at canonical.com>
>> SELinux hook provided by Stephen Smalley <sds at tycho.nsa.gov>
>>
>> Reviewed-by: Kees Cook <keescook at chromium.org>
>> Acked-by: Stephen Smalley <sds at tycho.nsa.gov>
>> Acked-by: Paul Moore <paul at paul-moore.com>
>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> 
> jj: do you have any review/feedback on this?
> 
yeah, I am working my way through it today



More information about the Linux-security-module-archive mailing list