diff options
| author | Daniel Vetter <daniel.vetter@ffwll.ch> | 2017-07-26 13:23:10 +0200 |
|---|---|---|
| committer | Daniel Vetter <daniel.vetter@ffwll.ch> | 2017-07-26 13:43:33 +0200 |
| commit | af055598542670c8533a58582813b1419949cae0 (patch) | |
| tree | 901fa1bf635d5c1e91d08f9f4c2e4943516dbb71 /Documentation/admin-guide/LSM/index.rst | |
| parent | 9f15a4ab19ab33658dbc9fd37be5210e8c1ac622 (diff) | |
| parent | 2d62c799f8ffac4f7ffba6a4e7f148827dfc24c7 (diff) | |
| download | linux-next-af055598542670c8533a58582813b1419949cae0.tar.gz | |
Merge airlied/drm-next into drm-misc-next
I need this to be able to apply the deferred fbdev setup patches, I
need the relevant prep work that landed through the drm-intel tree.
Also squash in conflict fixup from Laurent Pinchart.
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Diffstat (limited to 'Documentation/admin-guide/LSM/index.rst')
| -rw-r--r-- | Documentation/admin-guide/LSM/index.rst | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst new file mode 100644 index 000000000000..c980dfe9abf1 --- /dev/null +++ b/Documentation/admin-guide/LSM/index.rst @@ -0,0 +1,41 @@ +=========================== +Linux Security Module Usage +=========================== + +The Linux Security Module (LSM) framework provides a mechanism for +various security checks to be hooked by new kernel extensions. The name +"module" is a bit of a misnomer since these extensions are not actually +loadable kernel modules. Instead, they are selectable at build-time via +CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the +``"security=..."`` kernel command line argument, in the case where multiple +LSMs were built into a given kernel. + +The primary users of the LSM interface are Mandatory Access Control +(MAC) extensions which provide a comprehensive security policy. Examples +include SELinux, Smack, Tomoyo, and AppArmor. In addition to the larger +MAC extensions, other extensions can be built using the LSM to provide +specific changes to system operation when these tweaks are not available +in the core functionality of Linux itself. + +Without a specific LSM built into the kernel, the default LSM will be the +Linux capabilities system. Most LSMs choose to extend the capabilities +system, building their checks on top of the defined capability hooks. +For more details on capabilities, see ``capabilities(7)`` in the Linux +man-pages project. + +A list of the active security modules can be found by reading +``/sys/kernel/security/lsm``. This is a comma separated list, and +will always include the capability module. The list reflects the +order in which checks are made. The capability module will always +be first, followed by any "minor" modules (e.g. Yama) and then +the one "major" module (e.g. SELinux) if there is one configured. + +.. toctree:: + :maxdepth: 1 + + apparmor + LoadPin + SELinux + Smack + tomoyo + Yama |