cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

index.rst (2123B)

      1===========================
      2Linux Security Module Usage
      3===========================
      4
      5The Linux Security Module (LSM) framework provides a mechanism for
      6various security checks to be hooked by new kernel extensions. The name
      7"module" is a bit of a misnomer since these extensions are not actually
      8loadable kernel modules. Instead, they are selectable at build-time via
      9CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the
     10``"security=..."`` kernel command line argument, in the case where multiple
     11LSMs were built into a given kernel.
     12
     13The primary users of the LSM interface are Mandatory Access Control
     14(MAC) extensions which provide a comprehensive security policy. Examples
     15include SELinux, Smack, Tomoyo, and AppArmor. In addition to the larger
     16MAC extensions, other extensions can be built using the LSM to provide
     17specific changes to system operation when these tweaks are not available
     18in the core functionality of Linux itself.
     19
     20The Linux capabilities modules will always be included. This may be
     21followed by any number of "minor" modules and at most one "major" module.
     22For more details on capabilities, see ``capabilities(7)`` in the Linux
     23man-pages project.
     24
     25A list of the active security modules can be found by reading
     26``/sys/kernel/security/lsm``. This is a comma separated list, and
     27will always include the capability module. The list reflects the
     28order in which checks are made. The capability module will always
     29be first, followed by any "minor" modules (e.g. Yama) and then
     30the one "major" module (e.g. SELinux) if there is one configured.
     31
     32Process attributes associated with "major" security modules should
     33be accessed and maintained using the special files in ``/proc/.../attr``.
     34A security module may maintain a module specific subdirectory there,
     35named after the module. ``/proc/.../attr/smack`` is provided by the Smack
     36security module and contains all its special files. The files directly
     37in ``/proc/.../attr`` remain as legacy interfaces for modules that provide
     38subdirectories.
     39
     40.. toctree::
     41   :maxdepth: 1
     42
     43   apparmor
     44   LoadPin
     45   SELinux
     46   Smack
     47   tomoyo
     48   Yama
     49   SafeSetID