[PATCH v2] lsm: adds process attribute getter for Landlock
Casey Schaufler
casey at schaufler-ca.com
Tue May 30 19:05:07 UTC 2023
On 5/30/2023 11:02 AM, Jeff Xu wrote:
>>>> As I believe we are in the latter stages of review for the syscall
>>>> API, perhaps you could take a look and ensure that the current
>>>> proposed API works for what you are envisioning with Landlock?
>>>>
>>> Which review/patch to look for the proposed API ?
>> https://lore.kernel.org/lkml/20230428203417.159874-3-casey@schaufler-ca.com/T/
>>
>>
> How easy is it to add a customized LSM with new APIs?
I haven't found it difficult, but that was in the pre-syscall era.
Look at Landlock for an example of LSM specific syscalls, if you want
to go that route.
> I'm asking because there are some hard-coded constant/macro, i.e.
>
> +#define LSM_ID_LANDLOCK 111
> (Do IDs need to be sequential ?)
No, but I would want a good reason for doing otherwise.
> + define LSM_CONFIG_COUNT
>
> Today, only security/Kconfig change is needed to add a new LSM, I think ?
That's correct. The syscall patches make it a trifle more difficult,
requiring they be acknowledged in security.c. We could probably work
around that, but it's really a small price to pay to get a constant
value.
More information about the Linux-security-module-archive
mailing list