linux/Documentation/userspace-api/lsm.rst

.. SPDX-License-Identifier: GPL-2.0
.. Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
.. Copyright (C) 2022 Intel Corporation

=====================================
Linux Security Modules
=====================================

:Author: Casey Schaufler
:Date: July 2023

Linux security modules (LSM) provide a mechanism to implement
additional access controls to the Linux security policies.

The various security modules may support any of these attributes:

``LSM_ATTR_CURRENT`` is the current, active security context of the
process.
The proc filesystem provides this value in ``/proc/self/attr/current``.
This is supported by the SELinux, Smack and AppArmor security modules.
Smack also provides this value in ``/proc/self/attr/smack/current``.
AppArmor also provides this value in ``/proc/self/attr/apparmor/current``.

``LSM_ATTR_EXEC`` is the security context of the process at the time the
current image was executed.
The proc filesystem provides this value in ``/proc/self/attr/exec``.
This is supported by the SELinux and AppArmor security modules.
AppArmor also provides this value in ``/proc/self/attr/apparmor/exec``.

``LSM_ATTR_FSCREATE`` is the security context of the process used when
creating file system objects.
The proc filesystem provides this value in ``/proc/self/attr/fscreate``.
This is supported by the SELinux security module.

``LSM_ATTR_KEYCREATE`` is the security context of the process used when
creating key objects.
The proc filesystem provides this value in ``/proc/self/attr/keycreate``.
This is supported by the SELinux security module.

``LSM_ATTR_PREV`` is the security context of the process at the time the
current security context was set.
The proc filesystem provides this value in ``/proc/self/attr/prev``.
This is supported by the SELinux and AppArmor security modules.
AppArmor also provides this value in ``/proc/self/attr/apparmor/prev``.

``LSM_ATTR_SOCKCREATE`` is the security context of the process used when
creating socket objects.
The proc filesystem provides this value in ``/proc/self/attr/sockcreate``.
This is supported by the SELinux security module.

Kernel interface
================

Set a security attribute of the current process
-----------------------------------------------

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_set_self_attr

Get the specified security attributes of the current process
------------------------------------------------------------

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_get_self_attr

.. kernel-doc:: security/lsm_syscalls.c
    :identifiers: sys_lsm_list_modules

Additional documentation
========================

* Documentation/security/lsm.rst
* Documentation/security/lsm-development.rst
LSM: syscalls for current process attributes Create a system call lsm_get_self_attr() to provide the security module maintained attributes of the current process. Create a system call lsm_set_self_attr() to set a security module maintained attribute of the current process. Historically these attributes have been exposed to user space via entries in procfs under /proc/self/attr. The attribute value is provided in a lsm_ctx structure. The structure identifies the size of the attribute, and the attribute value. The format of the attribute value is defined by the security module. A flags field is included for LSM specific information. It is currently unused and must be 0. The total size of the data, including the lsm_ctx structure and any padding, is maintained as well. struct lsm_ctx { __u64 id; __u64 flags; __u64 len; __u64 ctx_len; __u8 ctx[]; }; Two new LSM hooks are used to interface with the LSMs. security_getselfattr() collects the lsm_ctx values from the LSMs that support the hook, accounting for space requirements. security_setselfattr() identifies which LSM the attribute is intended for and passes it along. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Serge Hallyn <serge@hallyn.com> Reviewed-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2023-09-12 13:56:49 -07:00			`.. SPDX-License-Identifier: GPL-2.0`
			`.. Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>`
			`.. Copyright (C) 2022 Intel Corporation`

			`=====================================`
			`Linux Security Modules`
			`=====================================`

			`:Author: Casey Schaufler`
			`:Date: July 2023`

			`Linux security modules (LSM) provide a mechanism to implement`
			`additional access controls to the Linux security policies.`

			`The various security modules may support any of these attributes:`

			``LSM_ATTR_CURRENT`` is the current, active security context of the
			`process.`
			The proc filesystem provides this value in ``/proc/self/attr/current``.
			`This is supported by the SELinux, Smack and AppArmor security modules.`
			Smack also provides this value in ``/proc/self/attr/smack/current``.
			AppArmor also provides this value in ``/proc/self/attr/apparmor/current``.

			``LSM_ATTR_EXEC`` is the security context of the process at the time the
			`current image was executed.`
			The proc filesystem provides this value in ``/proc/self/attr/exec``.
			`This is supported by the SELinux and AppArmor security modules.`
			AppArmor also provides this value in ``/proc/self/attr/apparmor/exec``.

			``LSM_ATTR_FSCREATE`` is the security context of the process used when
			`creating file system objects.`
			The proc filesystem provides this value in ``/proc/self/attr/fscreate``.
			`This is supported by the SELinux security module.`

			``LSM_ATTR_KEYCREATE`` is the security context of the process used when
			`creating key objects.`
			The proc filesystem provides this value in ``/proc/self/attr/keycreate``.
			`This is supported by the SELinux security module.`

			``LSM_ATTR_PREV`` is the security context of the process at the time the
			`current security context was set.`
			The proc filesystem provides this value in ``/proc/self/attr/prev``.
			`This is supported by the SELinux and AppArmor security modules.`
			AppArmor also provides this value in ``/proc/self/attr/apparmor/prev``.

			``LSM_ATTR_SOCKCREATE`` is the security context of the process used when
			`creating socket objects.`
			The proc filesystem provides this value in ``/proc/self/attr/sockcreate``.
			`This is supported by the SELinux security module.`

			`Kernel interface`
			`================`

			`Set a security attribute of the current process`
			`-----------------------------------------------`

			`.. kernel-doc:: security/lsm_syscalls.c`
			`:identifiers: sys_lsm_set_self_attr`

			`Get the specified security attributes of the current process`
			`------------------------------------------------------------`

			`.. kernel-doc:: security/lsm_syscalls.c`
			`:identifiers: sys_lsm_get_self_attr`

LSM: Create lsm_list_modules system call Create a system call to report the list of Linux Security Modules that are active on the system. The list is provided as an array of LSM ID numbers. The calling application can use this list determine what LSM specific actions it might take. That might include choosing an output format, determining required privilege or bypassing security module specific behavior. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Serge Hallyn <serge@hallyn.com> Reviewed-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Mickaël Salaün <mic@digikod.net> Signed-off-by: Paul Moore <paul@paul-moore.com> 2023-09-12 13:56:50 -07:00			`.. kernel-doc:: security/lsm_syscalls.c`
			`:identifiers: sys_lsm_list_modules`

LSM: syscalls for current process attributes Create a system call lsm_get_self_attr() to provide the security module maintained attributes of the current process. Create a system call lsm_set_self_attr() to set a security module maintained attribute of the current process. Historically these attributes have been exposed to user space via entries in procfs under /proc/self/attr. The attribute value is provided in a lsm_ctx structure. The structure identifies the size of the attribute, and the attribute value. The format of the attribute value is defined by the security module. A flags field is included for LSM specific information. It is currently unused and must be 0. The total size of the data, including the lsm_ctx structure and any padding, is maintained as well. struct lsm_ctx { __u64 id; __u64 flags; __u64 len; __u64 ctx_len; __u8 ctx[]; }; Two new LSM hooks are used to interface with the LSMs. security_getselfattr() collects the lsm_ctx values from the LSMs that support the hook, accounting for space requirements. security_setselfattr() identifies which LSM the attribute is intended for and passes it along. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Serge Hallyn <serge@hallyn.com> Reviewed-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2023-09-12 13:56:49 -07:00			`Additional documentation`
			`========================`

			`* Documentation/security/lsm.rst`
			`* Documentation/security/lsm-development.rst`