a04a119808
Create a system call lsm_get_self_attr() to provide the security module maintained attributes of the current process. Create a system call lsm_set_self_attr() to set a security module maintained attribute of the current process. Historically these attributes have been exposed to user space via entries in procfs under /proc/self/attr. The attribute value is provided in a lsm_ctx structure. The structure identifies the size of the attribute, and the attribute value. The format of the attribute value is defined by the security module. A flags field is included for LSM specific information. It is currently unused and must be 0. The total size of the data, including the lsm_ctx structure and any padding, is maintained as well. struct lsm_ctx { __u64 id; __u64 flags; __u64 len; __u64 ctx_len; __u8 ctx[]; }; Two new LSM hooks are used to interface with the LSMs. security_getselfattr() collects the lsm_ctx values from the LSMs that support the hook, accounting for space requirements. security_setselfattr() identifies which LSM the attribute is intended for and passes it along. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Serge Hallyn <serge@hallyn.com> Reviewed-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
31 lines
936 B
Makefile
31 lines
936 B
Makefile
# SPDX-License-Identifier: GPL-2.0
|
|
#
|
|
# Makefile for the kernel security code
|
|
#
|
|
|
|
obj-$(CONFIG_KEYS) += keys/
|
|
|
|
# always enable default capabilities
|
|
obj-y += commoncap.o
|
|
obj-$(CONFIG_SECURITY) += lsm_syscalls.o
|
|
obj-$(CONFIG_MMU) += min_addr.o
|
|
|
|
# Object file lists
|
|
obj-$(CONFIG_SECURITY) += security.o
|
|
obj-$(CONFIG_SECURITYFS) += inode.o
|
|
obj-$(CONFIG_SECURITY_SELINUX) += selinux/
|
|
obj-$(CONFIG_SECURITY_SMACK) += smack/
|
|
obj-$(CONFIG_SECURITY) += lsm_audit.o
|
|
obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
|
|
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
|
|
obj-$(CONFIG_SECURITY_YAMA) += yama/
|
|
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
|
|
obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
|
|
obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
|
|
obj-$(CONFIG_CGROUPS) += device_cgroup.o
|
|
obj-$(CONFIG_BPF_LSM) += bpf/
|
|
obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
|
|
|
|
# Object integrity file lists
|
|
obj-$(CONFIG_INTEGRITY) += integrity/
|