Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

3 Commits   0 Branches   0 Tags
Index
Trunk
Branches
Tags
Trunk
Branches
Tags
Home page
Home page
orangepi/linux-orangepi-5.10.y.git/trunk/Documentation/admin-guide/LSM/index.rst 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  1) ===========================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  2) Linux Security Module Usage
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  3) ===========================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  4) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  5) The Linux Security Module (LSM) framework provides a mechanism for
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  6) various security checks to be hooked by new kernel extensions. The name
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  7) "module" is a bit of a misnomer since these extensions are not actually
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  8) loadable kernel modules. Instead, they are selectable at build-time via
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  9) CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) ``"security=..."`` kernel command line argument, in the case where multiple
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) LSMs were built into a given kernel.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) The primary users of the LSM interface are Mandatory Access Control
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) (MAC) extensions which provide a comprehensive security policy. Examples
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) include SELinux, Smack, Tomoyo, and AppArmor. In addition to the larger
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) MAC extensions, other extensions can be built using the LSM to provide
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) specific changes to system operation when these tweaks are not available
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) in the core functionality of Linux itself.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) The Linux capabilities modules will always be included. This may be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) followed by any number of "minor" modules and at most one "major" module.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) For more details on capabilities, see ``capabilities(7)`` in the Linux
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) man-pages project.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) A list of the active security modules can be found by reading
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) ``/sys/kernel/security/lsm``. This is a comma separated list, and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) will always include the capability module. The list reflects the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) order in which checks are made. The capability module will always
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) be first, followed by any "minor" modules (e.g. Yama) and then
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) the one "major" module (e.g. SELinux) if there is one configured.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) Process attributes associated with "major" security modules should
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) be accessed and maintained using the special files in ``/proc/.../attr``.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) A security module may maintain a module specific subdirectory there,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) named after the module. ``/proc/.../attr/smack`` is provided by the Smack
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) security module and contains all its special files. The files directly
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) in ``/proc/.../attr`` remain as legacy interfaces for modules that provide
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) subdirectories.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) .. toctree::
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41)    :maxdepth: 1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43)    apparmor
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44)    LoadPin
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45)    SELinux
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46)    Smack
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47)    tomoyo
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48)    Yama
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49)    SafeSetID
cGit-ui 0.1.7
Git 2.40.0
Nginx 1.22.1

Where any material of this site is being reproduced, published or issued to others the reference to the source is obligatory.

© Andrey V. Kosteltsev, 2019 – 2025.