diff options
author | Casey Schaufler <casey@schaufler-ca.com> | 2017-01-18 17:09:05 -0800 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2017-01-19 13:18:29 +1100 |
commit | d69dece5f5b6bc7a5e39d2b6136ddc69469331fe (patch) | |
tree | b4c23177baf246a1f64b83442fc3359cbc0d8f38 /Documentation/security | |
parent | 3ccb76c5dfe0d25c1d0168d5b726d0b43d19a485 (diff) | |
download | lwn-d69dece5f5b6bc7a5e39d2b6136ddc69469331fe.tar.gz lwn-d69dece5f5b6bc7a5e39d2b6136ddc69469331fe.zip |
LSM: Add /sys/kernel/security/lsm
I am still tired of having to find indirect ways to determine
what security modules are active on a system. I have added
/sys/kernel/security/lsm, which contains a comma separated
list of the active security modules. No more groping around
in /proc/filesystems or other clever hacks.
Unchanged from previous versions except for being updated
to the latest security next branch.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'Documentation/security')
-rw-r--r-- | Documentation/security/LSM.txt | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/Documentation/security/LSM.txt b/Documentation/security/LSM.txt index 3db7e671c440..c2683f28ed36 100644 --- a/Documentation/security/LSM.txt +++ b/Documentation/security/LSM.txt @@ -22,6 +22,13 @@ system, building their checks on top of the defined capability hooks. For more details on capabilities, see capabilities(7) in the Linux man-pages project. +A list of the active security modules can be found by reading +/sys/kernel/security/lsm. This is a comma separated list, and +will always include the capability module. The list reflects the +order in which checks are made. The capability module will always +be first, followed by any "minor" modules (e.g. Yama) and then +the one "major" module (e.g. SELinux) if there is one configured. + Based on https://lkml.org/lkml/2007/10/26/215, a new LSM is accepted into the kernel when its intent (a description of what it tries to protect against and in what cases one would expect to |