From d69dece5f5b6bc7a5e39d2b6136ddc69469331fe Mon Sep 17 00:00:00 2001 From: Casey Schaufler Date: Wed, 18 Jan 2017 17:09:05 -0800 Subject: LSM: Add /sys/kernel/security/lsm I am still tired of having to find indirect ways to determine what security modules are active on a system. I have added /sys/kernel/security/lsm, which contains a comma separated list of the active security modules. No more groping around in /proc/filesystems or other clever hacks. Unchanged from previous versions except for being updated to the latest security next branch. Signed-off-by: Casey Schaufler Acked-by: John Johansen Acked-by: Paul Moore Acked-by: Kees Cook Signed-off-by: James Morris --- Documentation/security/LSM.txt | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'Documentation/security') diff --git a/Documentation/security/LSM.txt b/Documentation/security/LSM.txt index 3db7e67..c2683f2 100644 --- a/Documentation/security/LSM.txt +++ b/Documentation/security/LSM.txt @@ -22,6 +22,13 @@ system, building their checks on top of the defined capability hooks. For more details on capabilities, see capabilities(7) in the Linux man-pages project. +A list of the active security modules can be found by reading +/sys/kernel/security/lsm. This is a comma separated list, and +will always include the capability module. The list reflects the +order in which checks are made. The capability module will always +be first, followed by any "minor" modules (e.g. Yama) and then +the one "major" module (e.g. SELinux) if there is one configured. + Based on https://lkml.org/lkml/2007/10/26/215, a new LSM is accepted into the kernel when its intent (a description of what it tries to protect against and in what cases one would expect to -- cgit v1.1