On 7/27/20 1:36 PM, James Morris wrote:
> On Fri, 24 Jul 2020, Casey Schaufler wrote:
>
>> Create a new entry "display" in the procfs attr directory for
>> controlling which LSM security information is displayed for a
>> process. A process can only read or write its own display value.
>>
>> The name of an active LSM that supplies hooks for
>> human readable data may be written to "display" to set the
>> value. The name of the LSM currently in use can be read from
>> "display". At this point there can only be one LSM capable
>> of display active. A helper function lsm_task_display() is
>> provided to get the display slot for a task_struct.
>>
>> Setting the "display" requires that all security modules using
>> setprocattr hooks allow the action. Each security module is
>> responsible for defining its policy.
>>
>> AppArmor hook provided by John Johansen <john.johansen@xxxxxxxxxxxxx>
>> SELinux hook provided by Stephen Smalley <sds@xxxxxxxxxxxxx>
>>
>> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
>> Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
>> Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
>> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
>
> jj: do you have any review/feedback on this?
>

yeah, I am working my way through it today