Re: [PATCH v22 12/23] LSM: Specify which LSM to display
From: Greg KH <gregkh@linuxfoundation.org>
Date: 2020-11-07 09:15:38
Also in:
linux-api, lkml, selinux
Possibly related (same subject, not in this thread)
- 2020-11-05 · [PATCH v22 12/23] LSM: Specify which LSM to display · Casey Schaufler <casey@schaufler-ca.com>
On Fri, Nov 06, 2020 at 04:20:43PM -0800, Casey Schaufler wrote:
On 11/5/2020 1:22 AM, Greg KH wrote:quoted
On Wed, Nov 04, 2020 at 03:41:03PM -0800, Casey Schaufler wrote:quoted
Create a new entry "display" in the procfs attr directory for controlling which LSM security information is displayed for a process. A process can only read or write its own display value. The name of an active LSM that supplies hooks for human readable data may be written to "display" to set the value. The name of the LSM currently in use can be read from "display". At this point there can only be one LSM capable of display active. A helper function lsm_task_display() is provided to get the display slot for a task_struct. Setting the "display" requires that all security modules using setprocattr hooks allow the action. Each security module is responsible for defining its policy. AppArmor hook provided by John Johansen [off-list ref] SELinux hook provided by Stephen Smalley [off-list ref] Reviewed-by: Kees Cook <redacted> Acked-by: Stephen Smalley <redacted> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: linux-api@vger.kernel.org --- fs/proc/base.c | 1 + include/linux/lsm_hooks.h | 17 +++ security/apparmor/include/apparmor.h | 3 +- security/apparmor/lsm.c | 32 +++++ security/security.c | 169 ++++++++++++++++++++++++--- security/selinux/hooks.c | 11 ++ security/selinux/include/classmap.h | 2 +- security/smack/smack_lsm.c | 7 ++ 8 files changed, 223 insertions(+), 19 deletions(-)diff --git a/fs/proc/base.c b/fs/proc/base.c index 0f707003dda5..7432f24f0132 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c@@ -2806,6 +2806,7 @@ static const struct pid_entry attr_dir_stuff[] = { ATTR(NULL, "fscreate", 0666), ATTR(NULL, "keycreate", 0666), ATTR(NULL, "sockcreate", 0666), + ATTR(NULL, "display", 0666),That's a vague name, any chance it can be more descriptive?Sure. How about lsm_display, or display_lsm? I wouldn't say that any of the files in /proc/*/attr have especially descriptive names, but that's hardly an excuse.
I still don't understand what "display" means in this context. Perhaps documentation will help clear it up? thanks, greg k-h