From 504f231cda569b5e4e48d81a35376641552a5092 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sat, 13 May 2017 04:51:43 -0700 Subject: doc: ReSTify and split LSM.txt The existing LSM.txt file covered both usage and development, so split this into two files, one under admin-guide and one under kernel development. Cc: James Morris Signed-off-by: Kees Cook Signed-off-by: Jonathan Corbet --- Documentation/admin-guide/LSM/index.rst | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 Documentation/admin-guide/LSM/index.rst (limited to 'Documentation/admin-guide/LSM/index.rst') diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst new file mode 100644 index 000000000000..7e892b9b58aa --- /dev/null +++ b/Documentation/admin-guide/LSM/index.rst 
@@ -0,0 +1,31 @@ +=========================== +Linux Security Module Usage +=========================== + +The Linux Security Module (LSM) framework provides a mechanism for +various security checks to be hooked by new kernel extensions. The name +"module" is a bit of a misnomer since these extensions are not actually +loadable kernel modules. Instead, they are selectable at build-time via +CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the +``"security=..."`` kernel command line argument, in the case where multiple +LSMs were built into a given kernel. + +The primary users of the LSM interface are Mandatory Access Control +(MAC) extensions which provide a comprehensive security policy. Examples +include SELinux, Smack, Tomoyo, and AppArmor. In addition to the larger +MAC extensions, other extensions can be built using the LSM to provide +specific changes to system operation when these tweaks are not available +in the core functionality of Linux itself. + +Without a specific LSM built into the kernel, the default LSM will be the +Linux capabilities system. Most LSMs choose to extend the capabilities +system, building their checks on top of the defined capability hooks. +For more details on capabilities, see ``capabilities(7)`` in the Linux +man-pages project. + +A list of the active security modules can be found by reading +``/sys/kernel/security/lsm``. This is a comma separated list, and +will always include the capability module. The list reflects the +order in which checks are made. The capability module will always +be first, followed by any "minor" modules (e.g. Yama) and then +the one "major" module (e.g. SELinux) if there is one configured. -- cgit v1.2.3 From 229fd05c565eb931aa7c59c9d740e2047701a4ad Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sat, 13 May 2017 04:51:44 -0700 Subject: doc: ReSTify SELinux.txt Adjusts for ReST markup and moves under LSM admin guide. Cc: Paul Moore Signed-off-by: Kees Cook 
Signed-off-by: Jonathan Corbet --- Documentation/admin-guide/LSM/index.rst | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'Documentation/admin-guide/LSM/index.rst') diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst index 7e892b9b58aa..cc0e04d63bf9 100644 --- a/Documentation/admin-guide/LSM/index.rst +++ b/Documentation/admin-guide/LSM/index.rst @@ -29,3 +29,8 @@ will always include the capability module. The list reflects the order in which checks are made. The capability module will always be first, followed by any "minor" modules (e.g. Yama) and then the one "major" module (e.g. SELinux) if there is one configured. + +.. toctree:: + :maxdepth: 1 + + SELinux -- cgit v1.2.3 From 26fccd9ed2e283add2849858c28bd14f84d9c48e Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sat, 13 May 2017 04:51:45 -0700 Subject: doc: ReSTify apparmor.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen Signed-off-by: Kees Cook Signed-off-by: Jonathan Corbet --- Documentation/admin-guide/LSM/index.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'Documentation/admin-guide/LSM/index.rst') diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst index cc0e04d63bf9..a4db29410ea0 100644 --- a/Documentation/admin-guide/LSM/index.rst +++ b/Documentation/admin-guide/LSM/index.rst @@ -33,4 +33,5 @@ the one "major" module (e.g. SELinux) if there is one configured. .. toctree:: :maxdepth: 1 + apparmor SELinux -- cgit v1.2.3 From 5ea672c752d93ef3cfa9ce3ea1fbf204f7056a33 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sat, 13 May 2017 04:51:46 -0700 Subject: doc: ReSTify tomoyo.txt Adjusts for ReST markup and moves under LSM admin guide. Cc: Tetsuo Handa Signed-off-by: Kees Cook Signed-off-by: Jonathan Corbet --- Documentation/admin-guide/LSM/index.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'Documentation/admin-guide/LSM/index.rst') 
diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst index a4db29410ea0..6aa4e0dc588b 100644 --- a/Documentation/admin-guide/LSM/index.rst +++ b/Documentation/admin-guide/LSM/index.rst @@ -35,3 +35,4 @@ the one "major" module (e.g. SELinux) if there is one configured. apparmor SELinux + tomoyo -- cgit v1.2.3 From 90bb766440f2147486a2acc3e793d7b8348b0c22 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sat, 13 May 2017 04:51:47 -0700 Subject: doc: ReSTify Yama.txt Adjusts for ReST markup and moves under LSM admin guide. Signed-off-by: Kees Cook Signed-off-by: Jonathan Corbet --- Documentation/admin-guide/LSM/index.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'Documentation/admin-guide/LSM/index.rst') diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst index 6aa4e0dc588b..e5ba2c69b8ef 100644 --- a/Documentation/admin-guide/LSM/index.rst +++ b/Documentation/admin-guide/LSM/index.rst @@ -36,3 +36,4 @@ the one "major" module (e.g. SELinux) if there is one configured. apparmor SELinux tomoyo + Yama -- cgit v1.2.3 From 30da4f77aae99bf9ae5905d0ef89668391eea315 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sat, 13 May 2017 04:51:48 -0700 Subject: doc: ReSTify LoadPin.txt Adjusts for ReST markup and moves under LSM admin guide. Signed-off-by: Kees Cook Signed-off-by: Jonathan Corbet --- Documentation/admin-guide/LSM/index.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'Documentation/admin-guide/LSM/index.rst') diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst index e5ba2c69b8ef..41f5262359f9 100644 --- a/Documentation/admin-guide/LSM/index.rst +++ b/Documentation/admin-guide/LSM/index.rst @@ -34,6 +34,7 @@ the one "major" module (e.g. SELinux) if there is one configured. :maxdepth: 1 apparmor + LoadPin SELinux tomoyo Yama -- cgit v1.2.3 From a5606ced286197cc280dbf3b880c6167bba9462d Mon Sep 17 00:00:00 2001 
From: Kees Cook Date: Sat, 13 May 2017 04:51:49 -0700 Subject: doc: ReSTify Smack.txt Adjusts for ReST markup and moves under LSM admin guide. Acked-by: Casey Schaufler Signed-off-by: Kees Cook Signed-off-by: Jonathan Corbet --- Documentation/admin-guide/LSM/index.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'Documentation/admin-guide/LSM/index.rst') diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst index 41f5262359f9..c980dfe9abf1 100644 --- a/Documentation/admin-guide/LSM/index.rst +++ b/Documentation/admin-guide/LSM/index.rst @@ -36,5 +36,6 @@ the one "major" module (e.g. SELinux) if there is one configured. apparmor LoadPin SELinux + Smack tomoyo Yama -- cgit v1.2.3
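Review bot: In the first patch (doc: ReSTify and split LSM.txt), the third paragraph of the new index.rst calls capabilities "the default LSM" that applies "without a specific LSM built into the kernel", while the fourth paragraph says the capability module "will always be first" in ``/sys/kernel/security/lsm``. An administrator reading the two together cannot tell whether capabilities is replaced or always stacked. Suggest rewording the third paragraph so it says that capabilities is always active and that other LSMs add to it, matching the fourth paragraph. Minor markup point in the same hunk: CONFIG_DEFAULT_SECURITY in the first paragraph is plain text while ``"security=..."`` beside it is a literal. Wrapping the config symbol in double backticks would keep the identifiers consistent.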
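Review bot: In the toctree hunks of the apparmor and tomoyo patches, the new entries are lowercase (``apparmor``, ``tomoyo``) while the neighbouring entries are ``SELinux``, ``LoadPin``, ``Smack`` and ``Yama``. The case follows the old file names in the subjects (apparmor.txt, tomoyo.txt), but the result is a list whose order is only alphabetical if compared case-insensitively, which the later LoadPin and Smack hunks rely on when choosing where to insert. Suggest either normalising the document names in these conversions or adding an RST comment above the toctree stating that entries are kept in case-insensitive alphabetical order, so future additions land in the right place.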