Thread (33 messages) 33 messages, 4 authors, 2019-11-06

Re: [PATCH v10 13/25] LSM: Specify which LSM to display

From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2019-10-29 15:45:00
Also in: selinux

On 10/29/2019 7:44 AM, Simon McVittie wrote:
> On Thu, 24 Oct 2019 at 13:52:16 -0700, Casey Schaufler wrote:
>> Create a new entry "display" in /proc/.../attr for controlling
>> which LSM security information is displayed for a process.
>
> It still isn't immediately obvious to me from the commit message whether
> the "..." stands for the pid of the process that will read LSM information,
> or the pid of the process whose LSM information will be read.

For all practical purposes "..." will be "self". You can read the
attr/display of another process, but I don't know where that would
be useful. You can't write to the attr/display of a different process.

> I believe the intended meaning was the former? So perhaps
>
>     Create a new entry "display" in /proc/$reader/attr that controls
>     which LSM security information will be displayed when the process
>     $reader reads LSM information.
>
>     (Note that when $reader reads /proc/$subject/attr/current for
>     $reader != $subject, it is /proc/$reader/attr/display that controls
>     what is displayed there, not /proc/$subject/attr/display.)
>
> The commit that introduces /proc/.../attr/context could probably
> benefit from similar treatment - maybe it could be referred to as
> /proc/$subject/attr/context?

Thanks. I'll work on making it clearer.

>     smcv
  