• Andrew Morton's avatar
    [PATCH] /proc/pid inode security labels · 20378c29
    Andrew Morton authored
    From: Stephen Smalley <sds@epoch.ncsc.mil>
    
    This patch against 2.5.69-bk adds a hook to proc_pid_make_inode to allow
    security modules to set the security attributes on /proc/pid inodes based on
    the security attributes of the associated task.  This is required by SELinux
    in order to control access to the process state accessible via /proc/pid
    inodes in accordance with the task's security label.
    
    An alternative approach that was considered was to implement an xattr handler
    for /proc/pid inodes.  That approach would still require a hook call from the
    xattr handler to the security module to obtain an xattr value based on the
    task security attributes, so it would add a further level of
    indirection/translation.  The only benefit of implementing an xattr handler
    for the /proc/pid inodes would be that the /proc/pid inode security labels
    could then be exported to userspace.  However, the /proc/pid inode security
    labels are only used internally by the security module for access control
    purposes, and userspace access to the full range of process attributes is
    already provided via the /proc/pid/attr interface.  Consequently, a simple
    hook in proc_pid_make_inode seemed preferable.
    20378c29
base.c 31.6 KB