• Casey Schaufler's avatar
    LSM: syscalls for current process attributes · a04a1198
    Casey Schaufler authored
    Create a system call lsm_get_self_attr() to provide the security
    module maintained attributes of the current process.
    Create a system call lsm_set_self_attr() to set a security
    module maintained attribute of the current process.
    Historically these attributes have been exposed to user space via
    entries in procfs under /proc/self/attr.
    
    The attribute value is provided in a lsm_ctx structure. The structure
    identifies the size of the attribute, and the attribute value. The format
    of the attribute value is defined by the security module. A flags field
    is included for LSM specific information. It is currently unused and must
    be 0. The total size of the data, including the lsm_ctx structure and any
    padding, is maintained as well.
    
    struct lsm_ctx {
            __u64 id;
            __u64 flags;
            __u64 len;
            __u64 ctx_len;
            __u8 ctx[];
    };
    
    Two new LSM hooks are used to interface with the LSMs.
    security_getselfattr() collects the lsm_ctx values from the
    LSMs that support the hook, accounting for space requirements.
    security_setselfattr() identifies which LSM the attribute is
    intended for and passes it along.
    Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
    Reviewed-by: default avatarKees Cook <keescook@chromium.org>
    Reviewed-by: default avatarSerge Hallyn <serge@hallyn.com>
    Reviewed-by: default avatarJohn Johansen <john.johansen@canonical.com>
    Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    a04a1198
lsm.rst 2.61 KB